Deploying NetMotion Mobility in Azure

NetMotion MobilityOne of the many advantages NetMotion Mobility offers is that it requires no proprietary hardware to deliver its advanced capabilities and performance. It is a software solution that can be installed on any physical or virtual Windows server. This provides great deployment flexibility by allowing administrators to deploy this remote access solution on their existing virtual infrastructure, which is much less costly than investing in dedicated hardware or virtual appliances.

Cloud Deployment

As customers begin moving their traditional on-premises infrastructure to the cloud, it’s good to know that NetMotion Mobility is fully supported in popular public cloud platforms such as Microsoft Azure. Installing and configuring Mobility on a server in Azure requires a few important changes to a standard Azure VM deployment however. Below is detailed guidance for installing and configuring NetMotion Mobility on a Windows Server 2016 virtual machine hosted in the Microsoft Azure public cloud.

Azure Networking Configuration

Before installing the NetMotion Mobility software, follow the steps below to configure the Azure VM with a static public IP address and enable IP forwarding on the internal network interface.

  1. In the Azure management portal, select the NetMotion Mobility virtual machine and click Networking.
  2. Click on the public-facing network interface.
  3. In the Settings section click IP configurations.
  4. In the IP configurations section click on the IP configuration for the network interface.
  5. In the Public IP address setting section click Enabled for the Public IP address.
  6. Click Configure required settings for the IP address.
  7. Click Create New.
  8. Enter a descriptive name and select Static as the assignment method.
    Deploying NetMotion Mobility in Azure
  9. Click OK
  10. Click Save.Deploying NetMotion Mobility in AzureNote: The process of saving the network interface configuration takes a few minutes. Be patient!
  11. Note the public IP address, as this will be used later during the Mobility configuration.
  12. Close the IP address configuration blade.
  13. In the IP forwarding settings section click Enabled for IP forwarding.Deploying NetMotion Mobility in Azure
  14. Click Save.

NetMotion Mobility Installation

Proceed with the installation of NetMotion Mobility. When prompted for the external address, enter the public IP address created previously.

Deploying NetMotion Mobility in Azure

Next choose the option to Use pool of virtual IP addresses. Click Add and enter the starting and ending IP addresses, subnet prefix length, and default gateway and click OK.

Deploying NetMotion Mobility in Azure

Complete the remaining NetMotion Mobility configuration as required.

Azure Routing Table

A user defined routing table must be configured to ensure that NetMotion Mobility client traffic is routed correctly in Azure. Follow the steps below to complete the configuration.

  1. In the Azure management portal click New.
  2. In the Search the Marketplace field enter route table.
  3. In the results section click Route table.
  4. Click Create.
  5. Enter a descriptive name and select a subscription, resource group, and location.
  6. Click Create.

Deploying NetMotion Mobility in Azure

Once the deployment has completed successfully, click Go to resource in the notifications list.

Deploying NetMotion Mobility in Azure

Follow the steps below to add a route to the route table.

  1. In the Settings sections click Routes.
  2. Click Add.
  3. Enter a descriptive name.
  4. In the Address prefix field enter the subnet used by mobility clients defined earlier.
  5. Select Virtual appliance as the Next hop type.
  6. Enter the IP address of the NetMotion Mobility server’s internal network interface.
  7. Click OK.Deploying NetMotion Mobility in Azure
  8. Click Subnets.
  9. Click Associate.
  10. Click Choose a virtual network and select the network where the NetMotion Mobility gateway resides.
  11. Click Choose a subnet and select the subnet where the NetMotion Mobility gateway’s internal network interface resides.
  12. Click OK.

Note: If clients connecting to the NetMotion Mobility server need to access resources on-premises via a site-to-site gateway, be sure to associate the route table with the Azure gateway subnet.

Azure Network Security Group

A network security group must be configured to allow inbound UDP port 5008 to allow external clients to reach the NetMotion Mobility gateway server. Follow the steps below to create and assign a network security group.

  1. In the Azure management portal click New.
  2. In the Search the Marketplace field enter network security group.
  3. In the results section click Network security group.
  4. Click Create.
  5. Enter a descriptive name and select a subscription, resource group, and location.
  6. Click Create.

Deploying NetMotion Mobility in Azure

Once the deployment has completed successfully, click Go to resource in the notifications list.

Deploying NetMotion Mobility in Azure

Follow the steps below to configure the network security group.

  1. In the Settings section click Inbound security rules.
  2. Click Add.
  3. Enter 5008 in the Destination port ranges field.
  4. Select UDP for the protocol.
  5. Select Allow for the action.
  6. Enter a descriptive name.
  7. Click OK.
    Deploying NetMotion Mobility in Azure
  8. Click Network Interfaces.
  9. Click Associate.
  10. Select the external network interface of the NetMotion Mobility gateway server.

Summary

After completing the steps above, install the client software and configure it to use the static public IP address created previously. Alternatively, configure a DNS record to point to the public IP address and specify the Fully Qualified Domain Name (FQDN) instead of the IP address itself.

Additional Resources

Enabling Secure Remote Administration for the NetMotion Mobility Console

NetMotion Mobility Device Tunnel Configuration

NetMotion Mobility as an Alternative to Microsoft DirectAccess

NetMotion Mobility and Microsoft DirectAccess Comparison Whitepaper

NetMotion and Microsoft DirectAccess On-Demand Webinar

Enabling Secure Remote Administration for the NetMotion Mobility Console

During the initial setup of a NetMotion Mobility gateway server, the administrator must choose to allow either Secure (HTTPS) or Non-secure (HTTP) connections when using the web-based Mobility Console.

Enabling Secure Remote Administration for the NetMotion Mobility Console

Configuring HTTPS

Security best practices dictate HTTPS should be enabled to protect credentials used to log on to the gateway remotely. Immediately after selecting the Secure (https:) option, the administrator is prompted to enter server certificate information. Enter this information and click OK to continue and complete the rest of the configuration as necessary.

Enabling Secure Remote Administration for the NetMotion Mobility Console

Self-Signed Certificate

When logging in to the Mobility console, the administrator is presented with a certificate error indicating there is a problem with the website’s security certificate. This is because the certificate is self-signed by the NetMotion Mobility gateway server and is not trusted.

Enabling Secure Remote Administration for the NetMotion Mobility Console

PKI Issued Certificate

The recommended way to resolve this is to request a certificate from a trusted certification authority (CA). To do this, open the Mobility Management Tool on the Mobility gateway server and click on the Web Server tab.

Enabling Secure Remote Administration for the NetMotion Mobility Console

Click on the Server Certificate button and then click New in the Certificate Request section.

Enabling Secure Remote Administration for the NetMotion Mobility Console

In the SAN (subject alternative name) field of the Optional Extension section enter the Fully Qualified Domain Name (FQDN) of the server using the syntax dns:fqdn. Include both the FQDN and the single-label hostname (short name) separated by a comma to ensure both names work without issue. For example:

dns:nm1.lab.richardhicks.net,dns:nm1

Enabling Secure Remote Administration for the NetMotion Mobility Console

Before requesting a certificate from a CA, the root and any intermediate CA certificates must first be imported. Click the Import button next to each, as required.

Enabling Secure Remote Administration for the NetMotion Mobility Console

Click Copy in the Certificate Request section to copy the Certificate Signing Request (CSR) to the clipboard and then save it to a text file. Now submit the CSR to be signed by the CA using the certreq.exe command. Open an elevated command or PowerShell window and enter the following commands.

certreq.exe -attrib “CertificateTemplate:[TemplateName]” -submit [Path_to_CSR_file]

For example:

certreq.exe -attrib “CertificateTemplate:LabWebServer” -submit certreq.txt

Select a CA from the list and click OK, then save the certificate response when prompted.

Enabling Secure Remote Administration for the NetMotion Mobility Console

Enabling Secure Remote Administration for the NetMotion Mobility Console

Click Response and specify the location of the certificate response file saved in the previous step.

Enabling Secure Remote Administration for the NetMotion Mobility Console

Once complete, the newly issued certificate will be in place. Click Close to complete the process.

Enabling Secure Remote Administration for the NetMotion Mobility Console

Click Yes when prompted to restart the Mobility console.

Enabling Secure Remote Administration for the NetMotion Mobility Console

Trusted Certificate

Opening the Mobility Console no longer produces a certificate error message with a certificate installed from a trusted CA.

Enabling Secure Remote Administration for the NetMotion Mobility Console

In addition, if you followed the guidance above and included the single-label hostname in the SAN field, accessing the server using the short name will also work without issue.

Enabling Secure Remote Administration for the NetMotion Mobility Console

Summary

Always select the option to use HTTPS to ensure the highest level of security and protection of credentials when remotely administering a NetMotion Mobility gateway server. For optimal security and to provide the best user experience, use a certificate issued and managed by a trusted CA to prevent certificate errors when opening the Mobility console.

Additional Information

NetMotion Mobility as an Alternative to DirectAccess

NetMotion Mobility Device Tunnel Configuration

Comparing NetMotion Mobility and DirectAccess Part 1 – Security

Comparing NetMotion Mobility and DirectAccess Part 2 – Performance

DirectAccess and NetMotion Mobility Webinar

 

NetMotion Mobility Device Tunnel Configuration

NetMotion Mobility Device Tunnel ConfigurationIn its default configuration, NetMotion Mobility connections are established at the user level. In most cases this level of access is sufficient, but there are some common uses cases that require VPN connectivity before the user logs on. Examples include provisioning a new device to a user who has never logged on before, or to allow support engineers to connect to a remote device without requiring a user to log in first.

Infrastructure Requirements

To support NetMotion Mobility’s “unattended mode” (device tunnel) it will be necessary to deploy a Windows Server 2016 (or 2012R2) Network Policy Server (NPS). In addition, an internal private certification authority (CA) will be required to issue certificates to the NPS server and all NetMotion Mobility client computers.

Client Certificate Requirements

A certificate with the Client Authentication Enhanced Key Usage (EKU) must be provisioned to the local computer certificate store on all NetMotion Mobility clients that require a device tunnel (figure 1). The subject name on the certificate must match the fully qualified domain name of the client computer (figure 2). It is recommended that certificate auto enrollment be used to streamline the provisioning process.

NetMotion Mobility Device Tunnel Configuration

Figure 1. Computer certificate with Client Authentication EKU.

NetMotion Mobility Device Tunnel Configuration

Figure 2. Computer certificate with subject name matching the client computer’s hostname.

NPS Server Certificate Requirements

A certificate with the Server Authentication EKU must be provisioned to the local computer certificate store on the NPS server (figure 3). The subject name on the certificate must match the fully qualified domain name of the NPS server (figure 4).

NetMotion Mobility Device Tunnel Configuration

Figure 3. Computer certificate with Server Authentication EKU.

NetMotion Mobility Device Tunnel Configuration

Figure 4. Computer certificate with subject name matching the NPS server’s hostname.

NPS Server Configuration

Next install the NPS server role by running the following PowerShell command.

Install-WindowsFeature NPAS -IncludeMamagementTools

Once complete, open the NPS server management console and perform the following steps.

Note: Below is a highly simplified NPS configuration designed for a single use case. It is provided for demonstration purposes only. The NPS server may be used by more than one network access server (NAS) so the example policies included below may not work in every deployment.

  1. Expand RADIUS Clients and Servers.
  2. Right-click RADIUS clients and choose New.
  3. Select the option to Enable this RADIUS client.
  4. Enter a friendly name.
  5. Enter the IP address or hostname of the NetMotion gateway server.
  6. Click Verify to validate the hostname or IP address.
  7. Select Manual to enter a shared secret, or select Generate to create one automatically.
  8. Copy the shared secret as it will be required when configure the NetMotion Mobility gateway server later.
  9. Click OK.
    NetMotion Mobility Device Tunnel Configuration
  10. Expand Policies.
  11. Right-click Network Policies and choose New.
  12. Enter a descriptive name for the new policy.
  13. Select Type of network access server and choose Unspecified.
  14. Click Next.
    NetMotion Mobility Device Tunnel Configuration
  15. Click Add.
  16. Select Client IPv4 Address.
  17. Click Add.
  18. Enter the internal IPv4 address of the NetMotion Mobility gateway server.
  19. Click OK.
  20. Click Next.
    NetMotion Mobility Device Tunnel Configuration
  21. Select Access granted.
  22. Click Next.
    NetMotion Mobility Device Tunnel Configuration
  23. Click Add.
  24. Choose Microsoft: Protected EAP (PEAP).
  25. Click OK.
  26. Select Microsoft: Protected EAP (PEAP).
  27. Click Edit.
  28. Choose the appropriate certificate in the Certificate issued to drop down list.
  29. Select Secure password (EAP-MSCHAP v2).
  30. Click Remove.
  31. Click Add.
  32. Choose Smart Card or other certificate.
  33. Click OK.
  34. Select Smart Card or other certificate.
  35. Click Edit.
  36. Choose the appropriate certificate in the Certificate issued to drop down list.
  37. Click OK.
    NetMotion Mobility Device Tunnel Configuration
  38. Uncheck all options beneath Less secure authentication methods.
  39. Click Next three times.
  40. Click Finish.
    NetMotion Mobility Device Tunnel Configuration

Mobility Server Configuration

Open the NetMotion Mobility management console and perform the following steps.

  1. In the drop-down menu click Configure.
  2. Click Authentication Settings.
  3. Click New.
  4. Enter a descriptive name for the new authentication profile.
  5. Click OK.
  6. Expand Authentication.
  7. Select Mode.
  8. Select Unattended Mode Authentication Setting Override.
  9. From the Authentication mode drop-down box choose Unattended.
  10. Click Apply.
    NetMotion Mobility Device Tunnel Configuration
  11. Expand RADIUS: Device Authentication.
  12. Select Servers.
  13. Select [Profile Name] Authentication Setting Override.
  14. Click Add.
  15. Enter the IP address of the NPS server.
  16. Enter the port (default is 1812).
  17. Enter the shared secret.
  18. Click OK.
    NetMotion Mobility Device Tunnel Configuration
  19. In the drop-down menu click Configure.
  20. Click Client Settings.
  21. Expand Device Settings.
  22. Select the device group to enable unattended mode for.
  23. Expand Authentication.
  24. Select Settings Profile.
  25. Select [Device Group Name] Group Settings Override.
  26. In the Profile drop-down menu choose the authentication profile created previously.
  27. Click Apply.
    NetMotion Mobility Device Tunnel Configuration

Validation Testing

If everything is configured correctly, the NetMotion Mobility client will now indicate that the user and the device have been authenticated.

NetMotion Mobility Device Tunnel Configuration

Summary

Enabling unattended mode with NetMotion Mobility provides feature parity with DirectAccess machine tunnel and Windows 10 Always On VPN device tunnel. It ensures that domain connectivity is available before the user logs on. This allows users to log on remotely without cached credentials. It also allows administrators to continue working seamlessly on a remote computer after a reboot without having a user present to log on.

Additional Resources

NetMotion Mobility as an Alternative to DirectAccess

 

DirectAccess and NetMotion Mobility Webinar

Update: You can view the on-demand recording of this webinar here.

DirectAccess on Windows Server 2016 CoreFor many years, DirectAccess has been the gold standard for enterprise remote access. Its seamless and transparent operation improves productivity for mobile workers, and since it is always on, administrators enjoy improved visibility and management for their field-based assets.

As incredible as DirectAccess is, it is not without its limitations. For example, DirectAccess works only with Windows Enterprise edition clients that are joined to the domain. Professional Edition and non-domain joined machines are not supported. It also lacks many of the security features enterprise organizations require, such as device health checks and granular network access. In addition, DirectAccess communication is complex, with many different layers of encapsulation, authentication, and encryption. High protocol overhead can lead to poor performance over high latency or low bandwidth connections.

NetMotion Mobility as an Alternative to DirectAccessNetMotion Mobility is a secure remote access solution that is an excellent alternative to DirectAccess. It provides the same seamless, transparent, always on remote connectivity that DirectAccess provides, while at the same time offering much more in terms of features and capabilities. It supports a much broader range of clients, includes native Network Access Control (NAC) and application filtering, and offers enhanced performance.

To learn more about NetMotion Mobility, join me on Wednesday, September 20 at 10:00AM PDT for a free live webinar with NetMotion. I’ll provide an overview of NetMotion Mobility and how it compares with DirectAccess. I’ll also demonstrate how it can help overcome some of the inherent limitations of DirectAccess too. Register today!

DirectAccess and NetMotion Mobility Webinar

NetMotion Mobility as an Alternative to DirectAccess

Learn more about NetMotion Mobility by registering for my free live webinar here!

NetMotion Mobility as an Alternative to DirectAccessAs I outlined in a recent blog post, there has been much speculation surrounding the end of life for Microsoft DirectAccess. This is not surprising, as Microsoft has not made any investments in DirectAccess since the introduction of Windows Server 2012. Recently, Microsoft began promoting its Always On VPN solution as an alternative for DirectAccess. While DirectAccess has not been formally deprecated, Microsoft is actively encouraging organizations considering DirectAccess to deploy Always On VPN instead, as indicated here.

NetMotion Mobility as an Alternative to Microsoft DirectAccess

Source: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-top#advanced-vpn-connectivity

DirectAccess Alternatives

It’s important to state that, at the time of this writing, DirectAccess is still fully supported in Windows 10 and Windows Server 2016 and will be for quite some time. However, the future for DirectAccess is definitely limited, and customers should start considering alternative remote access solutions.

Always On VPN

Microsoft is positioning Always On VPN as the replacement for DirectAccess. Always On VPN offers some important new capabilities missing from DirectAccess. For example, Always On VPN supports all Windows 10 client SKUs, not just Enterprise and Education as DirectAccess does. Always On VPN includes important security enhancements such as conditional access with system health checks, access control list (ACL) enforcement per device and per application, and more.

Always On VPN Limitations

But Always On VPN has some serious limitations too. For example, Always On VPN works only with Windows 10. Windows 7 is not supported at all. Managing and supporting Always On VPN has its own challenges. It cannot be managed using Active Directory and group policy in the traditional way. You must use System Center Configuration Manager (SCCM), Intune, or PowerShell to configure and manage VPN clients.

NetMotion Mobility

I’m excited to announce I’ve recently partnered with NetMotion to provide their secure remote access solutions to organizations looking for alternatives to DirectAccess and Always On VPN. NetMotion Mobility provides the same seamless and transparent, always on remote access with some additional important features not included in DirectAccess and Always On VPN.

Broad Client Support – NetMotion Mobility can provide DirectAccess-like remote access for all versions and SKUs of Windows as well as Mac, iOS (iPhone and iPad), and Android.

Enhanced Security – NetMotion Mobility includes fine-grained policy enforcement to restrict network access based on a wide range of parameters including IP address, protocol, port, application, time of day, location, and type of network (e.g. wired, Wi-Fi, wireless, etc.). NetMotion Mobility also includes integrated Network Access Control (NAC) to validate device configuration prior to connecting, ensuring the highest level of security for remote endpoints. More details here and here.

Improved Performance – NetMotion Mobility client to server communication is optimized to improve reliability and performance. Network traffic is compressed and prioritized to ensure optimum performance for critical applications. Session persistence allows mobile workers to remain connected during times of poor connectivity or when roaming between different networks. More details here.

Greater Visibility – NetMotion Mobility provides a wealth of detailed information to perform analysis and troubleshooting for remote connections. Performance and diagnostic information is logged in real-time and provides administrators with crucial data and insight to quickly identify and resolve connectivity issues. More details here.

Better Supportability – NetMotion Mobility is supported by dedicated, highly trained support engineers with deep product experience. NetMotion support is not tiered. The support engineer who answers the phone will handle the case until resolution.

Learn More about NetMotion

NetMotion Mobility is a truly comprehensive remote access solution and an excellent alternative to DirectAccess. To learn more about NetMotion Mobility and to see it in action, fill out the form below and I’ll get in touch with you. You can also register for my upcoming free live webinar here.

Additional Information

Webinar: Comparing DirectAccess and NetMotion Mobility

Always On VPN and the Future of DirectAccess

NetMotion and DirectAccess Comparison Whitepaper

NetMotion and Skype for Business demonstration video

NetMotion Website

%d bloggers like this: