MVP Profile
Connect
Mailing List

Sign Up Now!
Richard M. Hicks Consulting Newsletter
Buy This!

All New Amazon Echo!
@richardhicks
- Congratulations ladies! Well deserved! :D #gobruins twitter.com/uclagymnastics…:: 2 hours ago
- RT @allthecourses: Introduction to Enterprise Network Infrastructure plrsig.ht/2HgiTNH:: 1 day ago
- RT @allthecourses: Networking Concepts and Protocols plrsig.ht/2qP9vWi:: 1 day ago
- #SSL certificate consideration for #DirectAccess IP-HTTPS. #security rmhci.co/2ho00JG:: 1 day ago
- Managing and Supporting #Microsoft #DirectAccess video training course on @pluralsight. #Windows #Window10 #Win10 rmhci.co/2sctwZq:: 1 day ago
Follow @richardhicks
Facebook

Facebook
RSS Feed
- RSS - Posts
- RSS - Comments
Archives
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- November 2014
- October 2014
- September 2014
- August 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- July 2012
- June 2012
- May 2012
- April 2012
Categories
Tag Cloud
6to4 Active Directory ADC Always On VPN application delivery controller authentication Azure book certificate certificates conference configuration DirectAccess DirectAccess 2012 DNS education encryption error F5 firewall Forefront Forefront UAG Forefront UAG 2010 geographic redundancy group policy high availability hotfix Important Links IP-HTTPS IPsec IPv6 IPv6 transition protocol IPv6 transition technology ISATAP Kemp load balancer load balancing management Manage Out Microsoft multisite Networking network load balancing network location server NLB NLS OTP performance PKI PowerShell redundancy Remote Access scalability security Server 2012 SSL SSTP Teredo TLS training transition technology troubleshooting UAG UAG 2010 update VPN Windows Windows 7 Windows 8 Windows 8.x Windows 10 Windows Server Windows Server 2012 Windows Server 2012 R2 Windows Server 2016

All posts tagged routing and remote access service

Troubleshooting Always On VPN Errors 691 and 812

When configuring Windows 10 Always On VPN using the Routing and Remote Access Service (RRAS) on Windows Server 2012 R2 and Extensible Authentication Protocol (EAP) authentication using client certificates, clients attempting to establish a VPN connection using Internet Key Exchange version 2 (IKEv2) may receive the following error.

“The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile.”

The event log on the client also records RasClient event ID 20227 stating “the error code returned on failure is 812”.

Troubleshooting Always On VPN Errors 691 and 812

Always On VPN clients using the Secure Socket Tunneling Protocol (SSTP) may receive the following error.

“The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.”

Troubleshooting Always On VPN Errors 691 and 812

The event log on the client also records RasClient event ID 20227 stating “the error code returned on failure is 691”.

Troubleshooting Always On VPN Errors 691 and 812

Resolution

These errors can occur when Transport Layer Security (TLS) 1.0 has been disabled on the RRAS server. To restore functionality, enable TLS 1.0 protocol support on the RRAS server. If disabling TLS 1.0 is required for compliance reasons, consider deploying RRAS on Windows Server 2016. TLS 1.0 can be safely disabled on Windows Server 2016 without breaking EAP client certificate authentication for Windows 10 Always On VPN clients.

Additional Information

Windows 10 Always On VPN Hands-On Training

What’s the Difference Between DirectAccess and Windows 10 Always On VPN?

5 Important Things DirectAccess Administrators Should Know About Windows 10 Always On VPN

3 Important Advantages of Windows 10 Always On VPN over DirectAccess

Windows 10 Always On VPN and the Future of DirectAccess

2 Comments

by Richard M. Hicks on February 26, 2018 • Permalink

Posted in Always On VPN, AOVPN, certificates, Compliance, enterprise mobility, Mobility, Remote Access, Security, SSL and TLS, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on February 26, 2018

https://directaccess.richardhicks.com/2018/02/26/troubleshooting-always-on-vpn-errors-691-and-812/

Always On VPN Protocol Recommendations for Windows Server Routing and Remote Access Service (RRAS)

Always On VPN Protocol Recommendations for Windows Server Routing and Remote Access Service (RRAS) Windows 10 Always On VPN is infrastructure independent and can be implemented using third-party VPN devices. It is not necessary to deploy any Windows servers at all to support an Always On VPN solution. However, in a recent blog post I outlined some compelling reasons to consider using Windows Server 2016’s Routing and Remote Access Service (RRAS) feature to terminate VPN connections. RRAS supports both modern and legacy VPN protocols, each with their own advantages and disadvantages. The choice of which protocols to support will be determined by many factors, but it is important to understand the capabilities of each to make an informed decision.

RRAS VPN Protocols

Windows RRAS supports the following VPN protocols.

Internet Key Exchange version 2 (IKEv2) – RFC7296
Secure Sockets Tunneling Protocol (SSTP) – Microsoft
Layer Two Tunneling Protocol over IPsec (L2TP/IPsec) – RFC2661
Point-to-Point Tunneling Protocol (PPTP) – RFC2637

There are pros and cons associated with each of these VPN protocols. Here’s a breakdown of each.

IKEv2

This IPsec-based VPN protocol is the preferred choice for most deployments. IKEv2 provides the best security and performance, with native features that enhance mobility. This latest version of IKE (v2) features streamlined messaging during connection establishment and enhanced session management that reduce protocol overhead and improve performance.

Advantages: Best security and performance.
Disadvantages: Firewalls may block required UDP ports.

SSTP

SSTP is an excellent alternative to IKEv2. It uses industry standard Transport Layer Security (TLS), making it widely accessible from most locations. It provides good security out of the box, but can be improved upon with additional configuration. SSTP lends itself well to load balancing, making it much easier to scale out than IKEv2. Optionally, TLS can be offloaded to an Application Delivery Controller (ADC) to reduce resource utilization on the RRAS server and further improve performance.

Advantages: Easy to configure with firewall friendly access.
Disadvantages: Not as secure IKEv2.

L2TP

While technically supported for Always On VPN, L2TP is a legacy VPN protocol that offers no real advantages over IKEv2. Its use is unnecessary and should be avoided.

Advantages: None.
Disadvantages: Firewalls may block required UDP ports.

PPTP

PPTP is considered an obsolete VPN protocol with many known security vulnerabilities. Its use should be avoided at all costs.

Advantages: None.
Disadvantages: Insecure.

Summary

Implementation best practices dictate that IKEv2 and SSTP be enabled to support Windows 10 Always On VPN connections when using Windows Server 2016 RRAS. The use of L2TP/IPsec and PPTP should be avoided. The combination of IKEv2 and SSTP will provide the best security and availability for remote workers. Clients that can establish IKEv2 VPN connections can take advantages of the security and performance benefits it provides. SSTP can be enabled as a fallback for clients that are unable to establish an IKEv2 connection due to restricted firewall access.

Always On VPN Hands-On Training

Interested in learning more about Windows 10 Always On VPN? Hands-on training classes are now forming. More details here.

Additional Resources

Frequently Asked Questions about Microsoft’s PPTP Implementation

Always On VPN and Windows Server Routing and Remote Access Services (RRAS)

Windows 10 Always On VPN and the Future of DirectAccess

5 Things DirectAccess Administrators Should Know about Always On VPN

3 Important Advantages of Windows 10 Always On VPN over DirectAccess

Windows 10 Always On VPN Hands-On Training Classes

1 Comment

by Richard M. Hicks on January 22, 2018 • Permalink

Posted in ADC, Always On VPN, AOVPN, application delivery controller, Encryption, Load Balancing, Remote Access, Security, SSL and TLS, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016

Tagged Always On VPN, AOVPN, IPsec, L2TP, L2TP/IPsec, Microsoft, performance, PPTP, Remote Access, routing and remote access service, RRAS, security, SSL, SSTP, TLS, transport layer security, UDP, VPN, Windows, Windows 10

Posted by Richard M. Hicks on January 22, 2018

https://directaccess.richardhicks.com/2018/01/22/always-on-vpn-protocol-recommendations-for-windows-server-routing-and-remote-access-service-rras/

Always On VPN and Windows Routing and Remote Access Service (RRAS)

Windows 10 Always On VPN hands-on training classes now forming. Details here.

Always On VPN and Windows Routing and Remote Access Service (RRAS)

As I’ve written about in the past, Windows 10 Always On VPN has many advantages over DirectAccess. One of the most important features is that Always On VPN is completely infrastructure independent. Always On VPN is implemented entirely on the client side, so there is no reliance on Windows infrastructure servers at all. In theory, you could deploy an Always On VPN solution using an entirely third-party backend infrastructure. This is crucial because many organizations already have security infrastructure in place today. However, there are still some compelling reasons to choose Windows Server 2016 as the VPN server to support Windows 10 Always On VPN.

Considerations for Windows Server

Windows Server 2016 includes a very capable VPN server in the Routing and Remote Access Service (RRAS) role. Using Windows Server 2016 RRAS will meet the requirements for many deployment scenarios. RRAS also provides some unique advantages too. The following are some important considerations for choosing RRAS for VPN.

Easy to Deploy

The RRAS role in included in all Windows server network operating systems and can be enabled easily using the GUI or PowerShell. RRAS is mature and well-documented, making installation and configuration simpler. In fact, all of the Microsoft Windows 10 Always On VPN documentation guidance references RRAS.

Reduced Costs

No investment in proprietary hardware is required, because RRAS runs on Windows Server 2016 and can be deployed on existing virtual infrastructure. Deploying additional RRAS virtual machines enables quick and efficient scaling up of the solution without the need to deploy additional expensive hardware. Importantly, RRAS requires no additional per-client or per-device licensing. In addition, RRAS can be managed using existing Windows administration skill sets and does not require dedicated, and often expensive solution-specific expertise.

Modern Protocol Support

RRAS includes support for modern VPN protocols such as Internet Key Exchange version 2 (IKEv2) and Secure Socket Tunneling Protocol (SSTP). IKEv2 is the protocol of choice or most deployments, and is required for supporting the device tunnel. SSTP is a firewall-friendly protocol that ensures remote Windows clients can connect from anywhere. Layer Two Tunneling Protocol over IPsec (L2TP/IPsec) and Point-to-Point Tunneling Protocol (PPTP) are also supported for legacy client compatibility.

Summary

Although Windows 10 Always On VPN can be implemented using third-party VPN servers, it’s important not to overlook Windows server either. Windows Server 2016 RRAS has some important advantages over third-party infrastructure. RRAS is mature and well understood, with an abundance of published documentation available. Leveraging RRAS eliminates the need for costly proprietary hardware and client licensing, while at the same time reducing administrative overhead and streamlining support. RRAS also includes native support for modern VPN protocols, ensuring reliable client connectivity from any location.

Additional Resources

3 Important Advantages of Windows 10 Always On VPN over DirectAccess

Windows 10 Always On VPN and the Future of DirectAccess

5 Things DirectAccess Administrators Should Know About Always On VPN

1 Comment

by Richard M. Hicks on January 2, 2018 • Permalink

Posted in Always On VPN, AOVPN, PowerShell, Remote Access, VPN, Windows 10, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

Tagged Always On VPN, AOVPN, IKEv2, L2TP, L2TP/IPsec, PowerShell, PPTP, Remote Access, routing and remote access service, RRAS, SSTP, VPN, VPN server, Widows, Windows 10, Windows 10 Always On VPN, Windows Server 2016, Windows Sever

Posted by Richard M. Hicks on January 2, 2018

https://directaccess.richardhicks.com/2018/01/02/always-on-vpn-and-windows-routing-and-remote-access-service-rras/

Search for:
DirectAccess Book

DirectAccess Book

Available Now!
Consulting

Consulting Services

Now Available!
NetMotion Mobility

DirectAccess-like Remote Access for Windows, Mac, iPhone, iPad, and Android

Learn More!
KEMP Technologies

Modern Application Delivery

Download a free trial!
PointSharp ID

Multifactor Authentication

For all Remote Access!
Recent Posts
DirectAccess Resources

Richard M. Hicks Consulting, Inc.

MVP Profile

Connect

Mailing List

Buy This!

@richardhicks

Facebook

RSS Feed

Archives

Categories

Tag Cloud

All posts tagged routing and remote access service

Troubleshooting Always On VPN Errors 691 and 812

Share this:

Like this:

Always On VPN Protocol Recommendations for Windows Server Routing and Remote Access Service (RRAS)

Share this:

Like this:

Always On VPN and Windows Routing and Remote Access Service (RRAS)

Share this:

Like this:

DirectAccess Book

Consulting

NetMotion Mobility

KEMP Technologies

PointSharp ID

Recent Posts

DirectAccess Resources