All posts tagged Mobility

Always On VPN at MMSMOA 2022

I am excited to announce that I will be presenting at this year’s Midwest Management Summit at the Mall of America (MMSMOA) in Bloomington, Minnesota. The conference takes place the week of May 2. This is my first time presenting at this event, and I’m looking forward to sharing my experience deploying enterprise mobility and security infrastructure solutions with systems management professionals from around the world.

Sessions

I will be delivering three talks at the conference addressing various secure remote access and certificate services topics.

Managing Always On VPN with Intune

This session will provide administrators with everything they need to know about provisioning and managing Always On VPN client configuration settings using Intune. I’ll be providing tips, tricks, and best practices for Always On VPN profile configuration and demonstrating many of the limitations associated with using Intune. I will provide workarounds whenever possible.

Managing Always On VPN with Intune: The Good, The Bad, and the Ugly

Always On VPN Gateway Options in Azure

Deploying Always On VPN in Azure is increasingly common. However, administrators are unaware of the limitations of supporting Always On VPN connections with native Azure VPN gateway solutions. In this session, I’ll describe in detail what’s required to support Always On VPN and, importantly, what the limitations are.

Always On VPN Gateway Options in Azure

Deploying On-premises PKI Certificates with Intune

As organizations continue to migrate applications, services, and infrastructure to the cloud, the requirement for endpoints to be joined to an on-premises domain is fading. Moving to full Intune management and native Azure Active Directory join for endpoints is increasingly common. However, deploying enterprise PKI certificates o these endpoints is often required. This session will provide detailed guidance for choosing the best solution to deliver on-premises certificates to Azure AD joined devices using Intune.

Deploying on-premises PKI Certificates with Intune

Let’s Connect

I’m looking forward to meeting so many folks who have helped me get up to speed with Microsoft Endpoint Manager/Intune over the years. If you’re attending the conference, or if you are in the area, be sure to reach out. Let’s grab a beer and chat!

Additional Information

Midwest Management Summit at Mall of America (MMSMOA) 2022

Managing Always On VPN with Intune: The Good, The Bad, and the Ugly

Always On VPN Gateway Options in Azure

Deploying on-premises PKI Certificates with Intune

Leave a comment
by Richard M. Hicks on April 11, 2022  •  Permalink
Posted in Always On VPN, AOVPN, Azure, Azure AD, Azure Virtual WAN, Azure VPN, Azure VPN Gateway, certificates, cloud, Conditional Access, Device Management, device tunnel, education, Endpoint Manager, Enterprise, enterprise mobility, InTune, Intune Certificate Connector, Intune PFX Connector, MDM, MEM, MEMCM, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, Network Device Enrollment Service, Network Device Enrollment Services, PFX Connector, PKI, PowerShell, public cloud, public key infrastructure, Remote Access, Security, System Center Configuration Manager, systems management, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 11, 2022

https://directaccess.richardhicks.com/2022/04/11/always-on-vpn-at-mmsmoa-2022/

Always On VPN SSTP Certificate Renewal

Windows Server Routing and Remote Access Service (RRAS) is popular for Always On VPN deployments because it supports the Secure Socket Tunneling Protocol (SSTP). The SSTP VPN protocol is recommended for use with the Always On VPN user tunnel because it is firewall friendly. Installing a TLS certificate on the VPN server is necessary to support SSTP VPN connections. Administrators should use a TLS certificate signed by a public certification authority (CA) for optimal reliability and performance.

Click here to view a video demonstration of the procedures outlined in this article.

Certificate Expiration

Of course, all certificates expire, and the TLS certificate used for SSTP is no exception. When using a public TLS certificate, the certificate lifetime is typically no more than one year, which means Always On VPN administrators will be renewing this certificate regularly.

Certificate Renewal

The process of “renewing” an SSTP TLS certificate is essentially the same as installing a new one, as it is best to create a new public/private key pair when renewing a certificate. The following outlines the steps required to generate a Certificate Signing Request (CSR), import the certificate, then assign the certificate to the SSTP listener on the VPN server.

Note: The guidance provided here assumes using an ECC certificate, which is best for optimal security and performance. More details here.

Certificate Request

Open the local computer certificate store (certlm.msc) on the VPN server and perform the following steps to generate a new CSR.

  1. Expand Certificates – Local Computer > Personal.
  2. Right-click the Certificates folder and choose All Tasks > Advanced Operations > Create Custom Request.
  3. Click Next.
  4. Highlight Proceed without enrollment policy.
  5. Click Next.
    1. Select (No template) CNG key from the Template drop-down list.
    2. Select PKCS #10 in the Request format section.
    3. Click Next.
  6. Click on the down arrow next to Details.
    Always On VPN ECDSA SSL Certificate Request for SSTP
  7. Click on the Properties button.
  8. Select the General tab.
    1. Enter the public hostname for the certificate in the Friendly name field.
  9. Select the Subject tab.
    1. Select Common name from the Type drop-down list in the Subject name section.
    2. Enter the public hostname for the certificate in the Value field.
    3. Click Add.
    4. In the Alternative name section, select DNS from the Type drop-down list.
    5. Enter the public hostname for the certificate in the Value field.
    6. Click Add.
      Always On VPN ECDSA SSL Certificate Request for SSTP
  10. Select the Extensions tab.
    1. Expand the Extended Key Usage section.
    2. Select Server Authentication from the Available options section.
    3. Click Add.
      Always On VPN ECDSA SSL Certificate Request for SSTP
  11. Select the Private Key tab.
    1. Expand the Cryptographic Service Provider section.
      1. Uncheck the box next to RSA,Microsoft Software Key Storage Provider.
      2. Check the box next to ECDSA_P256,Microsoft Software Key Storage Provider.
    2. Expand the Key options section.
      1. Check the box next to Make private key exportable.
        Always On VPN ECDSA SSL Certificate Request for SSTP
  12. Click Ok.
  13. Click Next.
  14. Enter a name for the file in the File Name field.
  15. Select Base 64 in the File format section.
  16. Click Finish.

Import Certificate

Once complete, submit the file created to a public CA for signing. When the CA returns the signed certificate, perform the following steps to import it to the local compute certificate store.

  1. Right-click the Certificates folder and choose All Tasks > Import.
  2. Click Next.
  3. Enter the name of the certificate file returned by the public CA in the File name field.
  4. Click Next.
  5. Select Place all certificates in the following store and ensure that Personal is listed in the Certificate store field.
  6. Click Next.
  7. Click Finish.
  8. Click Ok.

Assign Certificate

After importing the new TLS certificate in the local computer’s certificate store, open the Routing and Remote Access management console (rrasmgmt.msc) and perform the following steps to assign the TLS certificate to the SSTP listener.

  1. Right-click the VPN server and choose Properties.
  2. Select the Security tab.
    1. Select the new TLS certificate from the Certificate drop-down list in the SSL Certificate Binding section. When replacing an existing certificate, you may see a certificate with the same name more than once. Click the View button and ensure the new certificate is selected.
    2. Click Ok.
    3. Click Yes to restart the RemoteAccess service.

Demonstration Video

A recorded video demonstration of this process can be found here. The video recording also includes guidance for making these changes on Windows Server Core servers.

Additional Information

Installing or Renewing an SSL/TLS Certificate on Windows Server for Always On VPN and SSTP.

Microsoft Windows Always On VPN SSTP Security Configuration

Microsoft Windows Always On VPN SSL Certificate Requirements for SSTP

Microsoft Windows Always On VPN ECDSA TLS Certificate Request for SSTP

Microsoft Windows Always On VPN SSTP with Let’s Encrypt Certificates

6 Comments
by Richard M. Hicks on February 10, 2022  •  Permalink
Posted in administration, Always On VPN, AOVPN, Elliptic Curve Cryptography, Encryption, Enterprise, enterprise mobility, Mobility, Operational Support, PKI, PowerShell, public key infrastructure, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, Security, SSL, SSL and TLS, SSTP, TLS, Transport Layer Security, user tunnel, video, VPN, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 10, 2022

https://directaccess.richardhicks.com/2022/02/10/always-on-vpn-sstp-certificate-renewal/

Always On VPN PowerShell Script Issues in Windows 11

Many administrators are now beginning to test Always On VPN functionality on the latest Microsoft Windows client operating system, Windows 11. Initially, Microsoft had some issues with provisioning and managing Always On VPN profiles on Windows 11 using Microsoft Endpoint Manager/Intune, but those have been resolved. However, some lingering problems may delay enterprise deployments of Always On VPN on Windows 11 for some organizations, specifically those using PowerShell with Active Directory group policy startup scripts or System Center Configuration Manager (SCCM).

Important Note: The issues outlined in this article have been resolved! The fix for the WMI enumeration bug is addressed in the following updates:

Windows 11 21H2 – KB5022905 (build 22000.1641)

Windows 11 22H2 – KB5026446 (build 22621.1778)

MakeProfile.ps1

Microsoft has published guidance for deploying Always On VPN profiles using PowerShell with their MakeProfile.ps1 script. This script extracts configuration details from a template VPN profile to create another PowerShell script called VPN_Profile.ps1, which is used to create the Always On VPN profile. SCCM administrators commonly use VPN_Proifle.ps1 to deploy Always On VPN profiles. However, running this script on Windows 11 fails and returns the following error message.

“Unable to create [VPN profile name] profile: A general error occurred that is not covered by a more specific code.”

This issue appears to be related to a problem with the WMI-to-CSP bridge, specifically enumerating the MDM_VPNv2_01 class in the root\cimv2\mdm\dmmap namespace. Here you can see the template VPN profile with PowerShell and Get-VpnConnection.

However, attempts to view the MDM_VPNv2_01 class of this VPN profile using PowerShell and Get-CimInstance fail.

New-AovpnConnection.ps1

Interestingly, administrators may find that my Always On VPN PowerShell deployment script works more reliably on Windows 11, although not always. In my experience, I’ve found that it sometimes fails once (profile is loaded, but the configuration is incomplete), then works after deleting the profile and creating it again. If the Microsoft-provided script isn’t working, give mine a try and see if it works better for you.

Note: When deploying Always On VPN profiles using my PowerShell deployment script via Active Directory startup scripts, it seems to fail consistently for some reason. Go figure. 😉

Remove-AovpnConnection.ps1

The issues described previously with Windows 11 are also negatively affecting some of my other PowerShell scripts. For example, running Remove-Aovpnconnection.ps1 on Windows 11 fails and returns the following error message.

“A general error occurred that is not covered by a more specific error code.”

Current Status

Microsoft is currently aware of this issue. However, I am aware of no timeframe for resolution at the time of this writing. Hopefully, Microsoft addresses this soon so organizations can move forward with their Windows 11 migration projects.

Additional Information

Microsoft Windows Always On VPN Windows 11 Issues with Microsoft Endpoint Manager/Intune

Microsoft Windows Always On VPN Profile Deployment Script

Microsoft Windows Always On VPN Remove Always On VPN Profile Script

Always On VPN PowerShell Script Repository on GitHub

71 Comments
by Richard M. Hicks on February 7, 2022  •  Permalink
Posted in administration, Always On VPN, AOVPN, Deployment, Device Management, device tunnel, Endpoint Manager, enterprise mobility, GitHub, InTune, MDM, MEM, MEMCM, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, Operational Support, PowerShell, ProfileXML, Remote Access, SCCM, System Center Configuration Manager, systems management, troubleshooting, Uncategorized, user tunnel, VPN, Windows 11, XML
Tagged , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 7, 2022

https://directaccess.richardhicks.com/2022/02/07/always-on-vpn-powershell-script-issues-in-windows-11/

« Older Posts
Newer Posts »