All posts tagged monitoring

Always On VPN SSTP Certificate Automation with CertKit

With public TLS certificates moving to significantly shorter certificate lifetimes, eventually just 47 days, Always On VPN administrators supporting Secure Socket Tunneling Protocol (SSTP) connections must prepare to address this eventuality. The first milestone for shortened public TLS certificate lifetimes is a few months, on March 15, 2026, when public TLS certificate lifetimes will be reduced from a maximum of 398 days to 200 days. One year later, on March 15, 2027, they will be reduced to just 100 days. Now is the time to begin planning an automated certificate enrollment solution to reduce administrative overhead and ensure uninterrupted connectivity for remote users.

Previous Approaches: PowerShell and Posh-ACME

In the past, I’ve written about using Let’s Encrypt Certificates for Always On VPN using the Posh-ACME PowerShell module. I’ve also posted some sample code to demonstrate how to integrate with a DNS provider to automate publishing the ACME challenge to public DNS for certificate enrollment verification. However, this assumes your DNS provider supports this option. Some do not. In addition, granting write permissions to public DNS via an API key introduces significant security risks. So, if direct ACME DNS automation isn’t viable in your environment, CertKit is an excellent alternative.

CertKit: Automated Certificate Issuance, Monitoring, and Alerting

To address these limitations, administrators can use the CertKit service. With CertKit, you delegate the Let’s Encrypt certificate enrollment process to them by simply creating a CNAME record in your public DNS. Once complete, CertKit handles the entire process transparently.

Issuance

Today, CertKit supports issuing certificates using Let’s Encrypt. In the future, support for additional certificate providers such as Google Trust and ZeroSSL will be added. CertKit supports Let’s Encrypt certificates using RSA (2048-bit) and Elliptic Curve (recommended). Certificates can be issued for an individual resource, a group of resources (multi-SAN), and a domain wildcard (e.g., *.example.net).

Monitoring

In addition to certificate issuance and management, CertKit offers domain TLS certificate monitoring to track your public assets. You can monitor your CertKit-managed certificates easily, but you can also add other services using TLS and track them on the same console. In this example, I’m using CertKit to manage certificates for two VPN servers (indicated by solid green dots) and to monitor my public websites, for which certificate management is handled by their respective hosting providers.

Alerts and Notifications

CertKit will automatically send emails to let you know when a certificate is expiring and if a CertKit-managed certificate has been renewed.

Pending certificate expiration.

Successful certificate renewal.

Certificate Retrieval

Once CertKit completes the enrollment process on your behalf, it stores all certificate files (.PFX, .PEM, and .KEY) in a secure S3-compatible storage bucket. While an administrator could easily retrieve and install them manually, automation will help reduce administrative overhead, especially as public TLS certificate lifetimes are further reduced. You can download certificate files programmatically in several ways.

PowerShell

The first way to download the certificate files from CertKit is to use the AWSPowerShell module. However, the AWSPowerShell is relatively heavy and is overkill for this specific use case. A better alternative is to use the MinIO client.

MinIO

The MinIO client (mc.exe) is an open-source command-line tool developed by MinIO. It provides access to any S3-compatible storage, which CertKit uses in its environment. MinIO is a single, portable executable installer that’s easy to use and well-documented.

Sample Code

I’ve published some sample code to demonstrate how to use the MinIO client to retrieve certificates from CertKit and install them on a Windows Server Routing and Remote Access (RRAS) server. You can find the sample code on GitHub here.

https://github.com/richardhicks/aovpn/blob/master/Install-SstpLetsEncryptCertificate-Certkit.ps1

Note: This sample code demonstrates how to download a .PFX file from CertKit and install it on the RRAS server. It is designed to run as a scheduled task in Windows during non-peak times. The code includes robust checks for service viability and will reboot the server if they fail. As such, this sample code could cause service disruptions, so use it with caution.

Cost

Today, CertKit is in beta and is free for everyone to use. In the future, there will be both free and paid tiers. You can learn more about their pricing models and sign up for the service at CertKit.io.

Learn More

If you’d like to learn more about CertKit and how you can leverage it for Always On VPN and other workloads in your environment, or you’d like to see a demonstration of CertKit, fill out the form below, and I’ll provide you with more information.

Additional Information

CertKit

Install-SstpLetsEncryptCertificate-Certkit.ps1 on GitHub

Always On VPN SSTP and 47-Day TLS Certificates

Always On VPN SSTP with Let’s Encrypt Certificates

Leave a comment
by Richard M. Hicks on February 2, 2026  •  Permalink
Posted in administration, Always On VPN, AOVPN, Automation, Certificate Services, certificates, CertKit, cloud, Cloud Service, Cryptography, Deployment, Device Management, Elliptic Curve Cryptography, Encryption, Enterprise, enterprise mobility, GitHub, Operational Support, public cloud, Remote Access, reporting, Security, SSL, SSL and TLS, systems management, TLS, Transport Layer Security, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 2, 2026

https://directaccess.richardhicks.com/2026/02/02/always-on-vpn-sstp-certificate-automation-with-certkit/

Always On VPN RRAS Centralized Monitoring and Reporting

A while back, I wrote about the monitoring and reporting options for Windows Server Routing and Remote Access (RRAS) servers supporting Microsoft Always On VPN. In that article, I outlined how administrators can use the Routing and Remote Access Management console (rrasmgmt.msc) or the Remote Access Management console (ramgmtui.exe) to perform configuration tasks and review current user and device activity. However, neither solution is ideal in a distributed environment with multiple RRAS servers. Thankfully, there’s a new option available to address this crucial limitation today.

Centralized Reporting

I’m excited to announce the availability of a cloud-based, centralized reporting solution for Windows Server RRAS and Always On VPN from the folks at PowerON Platforms. Created by the folks that brought us the Dynamic Profile Configurator (DPC) solution for managing Always On VPN client configuration settings, PowerON Platforms’ new reporting solution allows administrators to aggregate configuration, performance, and user activity data from multiple individual RRAS servers across their organization.

Important! I’ll be joining the folks at PowerON Platforms for a webinar on Thursday, January 18 to introduce and demonstrate this new Always On VPN reporting solution. Register now!

Summary View

The Summary view page provides a consolidated high-level look at the environment’s health status and capacity of VPN servers. Administrators can quickly see if any servers are unhealthy and view current usage details to assess the capacity of the deployment.

Server Overview

The Server Overview page provides a more detailed look at individual server health status and configuration. Here, you’ll find information about the number of active and available connections and the TLS certificate status. In addition, you’ll find detailed information about provisioned CPU and RAM, disk space utilization, and system uptime. You will also see information about the size of the reporting database on disk and the number of IKEv2 and SSTP VPN ports provisioned.

VPN Server Configuration

The VPN Server Configuration page looks into the IP address pool configuration and current utilization. In addition, this page provides an in-depth look at the VPN server TLS certificate health status. Currently, configured authentication and accounting servers are also shown.

Server Performance

The Server Performance page shows granular details about resource utilization on RRAS servers. This includes CPU and memory utilization, disk space usage, and database size. Administrators can view aggregated data or select individual servers. The view can be further customized by filtering by date.

Connection History

The Connection History page details concurrent connections observed on all VPN servers. Data can be filtered by date, individual server, and user or device name.

Client Distribution

The Client Distribution page provides an intuitive graphical display of client activity by server and tunnel type. In addition, it includes details about usage by individual clients and the number of connections made by individual endpoints.

Connection Detail

The Connection Detail page allows administrators to view user activity across all servers in the organization. Once again, data can be filtered by date, individual server, and user or device name. This view provides granular details on user activity, enabling the administrator to drill down to view specific resources accessed over the VPN for individual sessions.

Data Flow

The Data Flow page displays information about data transfer through the VPN server.

Summary

The Always On VPN cloud-based centralized reporting solution for Microsoft Always On VPN by PowerON Platforms is sure to be helpful for organizations managing distributed RRAS server deployments. The reporting solution aggregates data from all RRAS servers in the enterprise, providing a holistic view of configuration, health status, and user activity in one management console. This consolidated visibility is crucial for capacity planning and configuration maintenance, making the identification of performance bottlenecks or misconfigured servers easy. Also, the ability to view certificate expiration status for all servers in the organization is sure to prevent outages. Security administrators will find the solution helpful for forensic reporting and to identify sources of data leakage and exfiltration.

You can contact PowerON Platforms and request additional information here.

More Information

Are you interested in learning more about PowerON Platforms Always On VPN reporting? Would you like an interactive solution demonstration or an evaluation license to trial the product in your environment? Fill out the form below, and I’ll contact you with more details.

← Back

Thank you for your response. ✨

Leave a comment
by Richard M. Hicks on January 9, 2024  •  Permalink
Posted in administration, Always On VPN, AOVPN, AovpnDPC, Azure, DPC, Dynamic Profile Configurator, Enterprise, enterprise mobility, Infrastructure, Microsoft, Mobility, multisite, Operational Support, Remote Access, Remote Administration, reporting, routing and remote access service, RRAS, RSAT, Security, systems management, VPN, webinar, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 9, 2024

https://directaccess.richardhicks.com/2024/01/09/always-on-vpn-rras-centralized-monitoring-and-reporting/

10 PowerShell Commands Always On VPN Administrators Should Know

Managing a secure and reliable VPN infrastructure is critical for supporting today’s highly mobile workforce. For Always On VPN administrators, PowerShell is an indispensable tool for achieving this goal. Not only can PowerShell be used to automate the installation and configuration of Windows Server Routing and Remote Access Service (RRAS) server, but it can also be used to audit configuration and monitor system health and user activity as well. In addition, it is highly recommended that the RRAS role be installed on Server Core for optimum security and performance. Administrators must be familiar with these PowerShell commands and more to support RRAS on Windows Server Core in their environment.

RemoteAccess Module

The RemoteAccess PowerShell module should be installed when the RRAS server is configured. There are 122 commands in this module, but only a subset of those pertain to the VPN server role. Here are ten popular commands for monitoring and managing an Always On VPN RRAS server.

Configuration Review

The following PowerShell commands are useful for reviewing the current RRAS server configuration.

Get-RemoteAccess – Displays the current configuration of the VPN server. Details include installation status, TLS certificate configuration, VPN client IP address assignment method, IPv4 and IPv6 addressing information (if using the static address assignment method), authentication type, and configured RADIUS servers.

Get-VpnAuthProtocol – Displays authentication configuration details such as accepted authentication types for both user and device connections, root certification authority (CA) certificate restrictions (if enabled), and certificate advertisement and EKU restrictions if enabled.

Get-VpnServerConfiguration – Displays additional VPN server configuration information, such as the IPsec configuration for IKEv2, the number of VPN ports configured, and more.

System Health

Get-RemoteAccessHealth – Displays the current health status of various VPN server services. The command’s default output is a little noisy. I recommend filtering it as follows:

Get-RemoteAccessHealth | Where-Object HealthState -NotMatch Disabled | Format-Table -AutoSize

User Activity

The following PowerShell commands can be used to view current and historical user activity details.

Get-RemoteAccessConnectionStatistics – Displays all active VPN connections on the server.

Get-RemoteAccessConnectionStatisticsSummary – Displays cumulative information about VPN connections on the server since the last service restart or reboot, such as the total number of connections, the number of unique users, the maximum number of concurrent connections, and the amount of data transferred.

Get-RemoteAccessUserActivity – Displays all active VPN connections for a specific user or device.

Management

The following PowerShell commands are helpful for reviewing authentication and logging settings.

Get-RemoteAccessRadius – Allows the administrator to view the currently configured RADIUS servers on the VPN server.

Get-RemoteAccessAccounting – Allows the administrator to view the current accounting repository (RADIUS or inbox) on the VPN server.

Clear-RemoteAccessInboxAccountingStore – Allows the administrator to remove log data from the Inbox Accounting database. Removing log data from the database can be helpful when transitioning a test server to production or to free up disk space by reducing the size of the logging database.

Additional Modules

In addition to the PowerShell commands above, Always On VPN administrators can leverage my custom PowerShell modules for advanced server and client configuration. These modules are published in the PowerShell Gallery.

AovpnTools – PowerShell module to configure and optimize Windows RRAS servers to support Always On VPN.

Install-Module -Name AovpnTools

InboxAccountingDatabaseManagement – PowerShell module to configure and manage the Inbox Accounting database for logging system information and user activity on the VPN server.

Install-Module -Name InboxAccountingDatabaseManagement

Additional Information

Always On VPN and RRAS on Windows Server Core

Inbox Accounting Database Management

AovpnTools PowerShell Module on GitHub

Inbox Accounting Database Module on GitHub

2 Comments
by Richard M. Hicks on November 2, 2023  •  Permalink
Posted in administration, Always On VPN, AOVPN, Deployment, Device Management, device tunnel, Enterprise, enterprise mobility, Mobility, Operational Support, PowerShell, Remote Access, routing and remote access service, RRAS, Security, Server Core, systems management, troubleshooting, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 2, 2023

https://directaccess.richardhicks.com/2023/11/02/10-powershell-commands-always-on-vpn-administrators-should-know/

« Older Posts