Always On VPN and VpnStrategy

NetMotion Mobility for DirectAccess Administrators – Split vs. Force Tunneling

Always On VPN supports a variety of VPN protocols for the user tunnel. Internet Key Exchange version 2 (IKEv2) and Secure Socket Tunneling Protocol (SSTP) are the most common. I wrote about the advantages and disadvantages of each in this post. To summarize, IKEv2 provides the highest security options but suffers from operational limitations. SSTP offers excellent security and is generally more reliable.

VpnStrategy

Always On VPN administrators must choose between IKEv2 and SSTP when configuring the Always On VPN user tunnel. Some administrators may prefer to use IKEv2 when available but then fall back to SSTP if it is not. To accomplish this requires editing the rasphone.pbk file and setting the value of VpnStrategy to 8, as described here.

Challenges

Unfortunately, setting the VpnStrategy value to 8 poses some challenges. Updating rasphone.pbk requires editing a text file on each endpoint post-deployment. Updating rasphone.pbk can be automated using the Update-Rasphone.ps1 script or Microsoft Intune proactive remediation.

Limitations

By default, Windows will overwrite the VpnStrategy setting in rasphone.pbk when fallback occurs. For example, setting VpnStrategy to prefer IKEv2 over SSTP will be reset to use SSTP first if a connection with IKEv2 fails. There’s a registry setting available that’s supposed to prevent this, but it doesn’t always work as expected.

Windows 11

There’s good news for administrators deploying Always On VPN on Windows 11. Microsoft recently introduced support for additional NativeProtocol types in XML. Specifically, VPN protocol preference can now be defined using the ProtocolList native protocol type. When using the ProtocolList native protocol type, each supported VPN protocol is listed in order of preference using the syntax shown below.

In addition, the RetryTimeInHours value defines the time Windows will try the last successful connection protocol. Setting this value to 0 overrides this and ensures the preferred protocol (the first protocol in the list) will always be attempted first.

SSTP Only

Previously the VPNv2CSP only supported IKEv2 or Automatic as values for the native protocol type. Windows 11 now supports SSTP as a native protocol type. Administrators configuring Always On VPN user tunnel connections using SSTP exclusively can now use this option.

Caveats

While the settings above are supported in both Windows 11 21H2 and 22H2, there are some known issues when enabling these settings. Specifically, when administrators define the ProtocolList value for the native protocol type, IKEv2 is always shown as the active protocol, even when an SSTP connection is established.

Also, if ProtocolList is used, the VPN connection cannot be managed using PowerShell. The VPN profile will not be displayed when running Get-VpnConnection at the time of this writing. Hopefully Microsoft will fix this soon.

Additional Information

Always On VPN CSP Updates

Always On VPN IKEv2 and SSTP Fallback

Always On VPN and Intune Proactive Remediation

Always On VPN Protocol Recommendations for Windows Server RRAS

Always On VPN IKEv2 Features and Limitations

Always On VPN CSP Updates

Always On VPN DNS Registration Update Available

Administrators can deploy Always On VPN client configuration settings in several ways. The simplest method is to use the native Microsoft Intune UI and the VPN device configuration profile template. Optionally, administrators can create an XML file that can be deployed with Intune using the Custom template. In addition, the XML file can be deployed using PowerShell, either interactively or with System Center Configuration Manager (SCCM). Administrators can also deploy the XML file using PowerShell via Active Directory group policy startup script or another software provisioning platform.

Custom XML

While using the native Intune VPN device configuration template to deploy and manage Always On VPN client configuration settings is easy and convenient, it lacks support for many crucial configuration settings. Deploying Always On VPN client settings using the Custom template is helpful to overcome these limitations as it enables additional configuration settings not exposed in the Intune VPN template.

VPNv2CSP

The VPNv2 Configuration Service Provider (CSP) is the interface used by Intune to deploy Always On VPN client configuration settings to the endpoint. The WMI-to-CSP bridge enables settings deployment using PowerShell. In either scenario, administrators must create an XML file that includes the settings used for the Always On VPN profile. A reference for all supported settings in the VPNv2 CSP can be found here.

New Settings

Microsoft recently introduced some new settings in the VPNv2 CSP. Beginning with Windows 11 22H2, administrators can disable the disconnect button and prevent access to the advanced settings menu for device and user tunnels in the Windows UI by adding the following entries in the XML configuration file.

<DisableDisconnectButton>true</DisableDisconnectButton>

<DisableAdvancedOptionsEditButton>true
</DisableAdvancedOptionsEditButton>

Additional Updates

Microsoft also added options to define encryption settings, disable IKEv2 fragmentation support, update IPv4 and IPv6 interface metrics, adjust IKEv2 network outage time, and disable the use of RAS credentials in XML for device and user tunnels. These new options eliminate the need to use Intune Proactive Remediation to adjust these VPN client configuration settings post-deployment.

Unfortunately, these settings are not supported in any current release of Windows 10 or 11 today. However, they are available in the latest Windows Insider build (development channel) if you want to test them. I’ve provided example settings below. These settings will be supported in a public release of Windows in the future.

<DataEncryption>Max</DataEncryption>
<DisableIKEv2Fragmentation>true</DisableIKEv2Fragmentation>
<IPv4InterfaceMetric>3</IPv4InterfaceMetric>
<IPv6InterfaceMetric>3</IPv6InterfaceMetric>
<NetworkOutageTime>0</NetworkOutageTime>
<UseRasCredentials>false</UseRasCredentials>

Note: At the time of this writing, the VPNv2 CSP indicates these settings apply to Windows 11 21H2 and later. That is incorrect. Microsoft is aware of the issue and will hopefully correct it soon.

Intune Support

At some point, Microsoft may add these features to the Intune VPN device configuration template. However, XML with the Custom template is the only way to enable these new settings today.

Additional Information

Always On VPN VPNv2 CSP Reference

Deploying Always On VPN with Intune using Custom ProfileXML

Always On VPN and Intune Proactive Remediation

Microsoft Intune Learning Resources for Always On VPN Administrators

Example Always On VPN User Tunnel ProfileXML

Example Always On VPN Device Tunnel ProfileXML

Always On VPN DPC with Intune

In the past, I’ve written about PowerON Platforms’ Always On VPN Dynamic Profile Configurator (DPC), a software solution administrators can use to provision and manage Always On VPN client configuration settings using Active Directory and group policy. In addition to streamlining the deployment and management of Always On VPN client settings, DPC has many advanced features and capabilities to ensure optimal security, performance, and connection reliability.

Optimizations

Many settings required to fine-tune and optimize Always On VPN connections are not exposed in the Intune UI or XML. They must be configured by manipulating configuration files, setting registry keys, and running PowerShell commands. Much of this can be automated using Intune Proactive Remediation, but it is far from ideal. Administrators must configure Always On VPN using one method, then deploy optimizations using another. In addition, Proactive Remediation suffers from timing issues where some settings are not applied immediately, resulting in degraded or inoperable VPN connections until changes take effect.

Always On VPN DPC

Always On VPN DPC allows administrators to configure many advanced settings quickly and conveniently using the familiar Group Policy Management console (gpmc.msc). DPC dramatically reduces the administrative burden associated with Always On VPN client management. In addition, DPC enables many of these options by default, ensuring optimal security and reliable operation. Also, DPC immediately implements all configuration settings, eliminating the need to reboot to apply configuration changes.

Intune and ADMX

Historically, Always On VPN DPC could only be used when managing endpoints exclusively with Active Directory group policy. However, DPC can now be used with Microsoft Endpoint Manager/Intune thanks to a new feature that allows administrators to import custom ADMX and ADML administrative templates to Microsoft Endpoint Manager (MEM).

Note: This feature is in public preview at the time of this writing.

DPC and Intune

The combination of DPC and Intune brings with it many advantages. Using DPC with Microsoft Endpoint Manager/Intune offers administrators simplified deployment and many advanced features provided by Always On VPN DPC. In addition, customers who have deployed DPC on-premises can now migrate seamlessly to Microsoft Endpoint Manager/Intune management without giving up DPC’s valuable features.

Learn More

Enter your contact details in the form below for more information regarding Always On VPN DPC. Also, visit https://aovpndpc.com/ to register for a free Always On VPN DPC trial.

Additional Information

Always On VPN with Active Directory Group Policy

Introduction to Always On VPN DPC

Always On VPN DPC Advanced Features

Always On VPN DPC Video Demonstrations

What’s New in Always On VPN DPC v3.0

Always On VPN DPC Free Trial

%d bloggers like this: