Always On VPN Protocol Recommendations for Windows Server Routing and Remote Access Service (RRAS)

Always On VPN Protocol Recommendations for Windows Server Routing and Remote Access Service (RRAS)Windows 10 Always On VPN is infrastructure independent and can be implemented using third-party VPN devices. It is not necessary to deploy any Windows servers at all to support an Always On VPN solution. However, in a recent blog post I outlined some compelling reasons to consider using Windows Server 2016’s Routing and Remote Access Service (RRAS) feature to terminate VPN connections. RRAS supports both modern and legacy VPN protocols, each with their own advantages and disadvantages. The choice of which protocols to support will be determined by many factors, but it is important to understand the capabilities of each to make an informed decision.

RRAS VPN Protocols

Windows RRAS supports the following VPN protocols.

  • Internet Key Exchange version 2 (IKEv2) – RFC7296
  • Secure Sockets Tunneling Protocol (SSTP) – Microsoft
  • Layer Two Tunneling Protocol over IPsec (L2TP/IPsec) – RFC2661
  • Point-to-Point Tunneling Protocol (PPTP) – RFC2637

There are pros and cons associated with each of these VPN protocols. Here’s a breakdown of each.

IKEv2

This IPsec-based VPN protocol is the preferred choice for most deployments. IKEv2 provides the best security and performance, with native features that enhance mobility. This latest version of IKE (v2) features streamlined messaging during connection establishment and enhanced session management that reduce protocol overhead and improve performance.

Advantages: Best security and performance.
Disadvantages: Firewalls may block required UDP ports.

SSTP

SSTP is an excellent alternative to IKEv2. It uses industry standard Transport Layer Security (TLS), making it widely accessible from most locations. It provides good security out of the box, but can be improved upon with additional configuration. SSTP lends itself well to load balancing, making it much easier to scale out than IKEv2. Optionally, TLS can be offloaded to an Application Delivery Controller (ADC) to reduce resource utilization on the RRAS server and further improve performance.

Advantages: Easy to configure with firewall friendly access.
Disadvantages: Not as secure IKEv2.

L2TP

While technically supported for Always On VPN, L2TP is a legacy VPN protocol that offers no real advantages over IKEv2. Its use is unnecessary and should be avoided.

Advantages: None.
Disadvantages: Firewalls may block required UDP ports.

PPTP

PPTP is considered an obsolete VPN protocol with many known security vulnerabilities. Its use should be avoided at all costs.

Advantages: None.
Disadvantages: Insecure.

Summary

Implementation best practices dictate that IKEv2 and SSTP be enabled to support Windows 10 Always On VPN connections when using Windows Server 2016 RRAS. The use of L2TP/IPsec and PPTP should be avoided. The combination of IKEv2 and SSTP will provide the best security and availability for remote workers. Clients that can establish IKEv2 VPN connections can take advantages of the security and performance benefits it provides. SSTP can be enabled as a fallback for clients that are unable to establish an IKEv2 connection due to restricted firewall access.

Always On VPN Hands-On Training

Interested in learning more about Windows 10 Always On VPN? Hands-on training classes are now forming. More details here.

Additional Resources

Frequently Asked Questions about Microsoft’s PPTP Implementation

Always On VPN and Windows Server Routing and Remote Access Services (RRAS)

Windows 10 Always On VPN and the Future of DirectAccess 

5 Things DirectAccess Administrators Should Know about Always On VPN 

3 Important Advantages of Windows 10 Always On VPN over DirectAccess 

Windows 10 Always On VPN Hands-On Training Classes

Always On VPN and Windows Routing and Remote Access Service (RRAS)

Windows 10 Always On VPN hands-on training classes now forming. Details here.

Always On VPN and Windows Routing and Remote Access Service (RRAS)

As I’ve written about in the past, Windows 10 Always On VPN has many advantages over DirectAccess. One of the most important features is that Always On VPN is completely infrastructure independent. Always On VPN is implemented entirely on the client side, so there is no reliance on Windows infrastructure servers at all. In theory, you could deploy an Always On VPN solution using an entirely third-party backend infrastructure. This is crucial because many organizations already have security infrastructure in place today. However, there are still some compelling reasons to choose Windows Server 2016 as the VPN server to support Windows 10 Always On VPN.

Considerations for Windows Server

Windows Server 2016 includes a very capable VPN server in the Routing and Remote Access Service (RRAS) role. Using Windows Server 2016 RRAS will meet the requirements for many deployment scenarios. RRAS also provides some unique advantages too. The following are some important considerations for choosing RRAS for VPN.

Easy to Deploy

The RRAS role in included in all Windows server network operating systems and can be enabled easily using the GUI or PowerShell. RRAS is mature and well-documented, making installation and configuration simpler. In fact, all of the Microsoft Windows 10 Always On VPN documentation guidance references RRAS.

Reduced Costs

No investment in proprietary hardware is required, because RRAS runs on Windows Server 2016 and can be deployed on existing virtual infrastructure. Deploying additional RRAS virtual machines enables quick and efficient scaling up of the solution without the need to deploy additional expensive hardware. Importantly, RRAS requires no additional per-client or per-device licensing. In addition, RRAS can be managed using existing Windows administration skill sets and does not require dedicated, and often expensive solution-specific expertise.

Modern Protocol Support

RRAS includes support for modern VPN protocols such as Internet Key Exchange version 2 (IKEv2) and Secure Socket Tunneling Protocol (SSTP). IKEv2 is the protocol of choice or most deployments, and is required for supporting the device tunnel. SSTP is a firewall-friendly protocol that ensures remote Windows clients can connect from anywhere. Layer Two Tunneling Protocol over IPsec (L2TP/IPsec) and Point-to-Point Tunneling Protocol (PPTP) are also supported for legacy client compatibility.

Summary

Although Windows 10 Always On VPN can be implemented using third-party VPN servers, it’s important not to overlook Windows server either. Windows Server 2016 RRAS has some important advantages over third-party infrastructure. RRAS is mature and well understood, with an abundance of published documentation available. Leveraging RRAS eliminates the need for costly proprietary hardware and client licensing, while at the same time reducing administrative overhead and streamlining support. RRAS also includes native support for modern VPN protocols, ensuring reliable client connectivity from any location.

Additional Resources

3 Important Advantages of Windows 10 Always On VPN over DirectAccess 

Windows 10 Always On VPN and the Future of DirectAccess 

5 Things DirectAccess Administrators Should Know About Always On VPN 

 

 

3 Important Advantages of Always On VPN over DirectAccess

3 Important Advantages of Always On VPN over DirectAccess Windows 10 Always On VPN hands-on training classes now forming. Details here.

Windows 10 Always On VPN provides seamless and transparent, always on remote network access similar to DirectAccess. The mechanics of how it is delivered and managed are fundamentally different, as I discussed here. Some of these changes will no doubt present challenges to our way of thinking, especially in the terms of client provisioning. However, Always On VPN brings along with it some important and significant advantages too.

No More NLS

A Network Location Server (NLS) is used for inside/outside detection by DirectAccess clients. By design, the NLS is reachable by DirectAccess machines only when they are on the internal network. NLS availability is crucial. If the NLS is offline or unreachable for any reason at all, DirectAccess clients on the internal network will mistakenly believe they are outside the network. In this scenario, the client will attempt to establish a DirectAccess connection even though it is inside. This often fails, leaving the DirectAccess client in a state where it cannot connect to any internal resources by name until the NLS is brought back online.

Always On VPN eliminates the frailty of NLS by using the DNS connection suffix for trusted network detection. When a network connection is established, an Always On VPN connection will not be established if the DNS connection suffix matches what the administrator has defined as the internal trusted network.

Full Support for IPv4

DirectAccess uses IPv6 exclusively for communication between remote DirectAccess clients and the DirectAccess server. IPv6 translation technologies allow for communication to internal IPv4 hosts. While this works for the vast majority of scenarios, there are still many challenges with applications that do not support IPv6.

Always On VPN supports both IPv4 and IPv6, so application incompatibility issues will be a thing of the past! With full support for IPv4, the need for IPv6 transition and translation technologies is eliminated. This reduces protocol overhead and improves network performance.

Infrastructure Independent

3 Important Advantages of Always On VPN over DirectAccess Windows servers are required to implement DirectAccess. Always On VPN can be implemented using Windows servers as well, but it isn’t a hard requirement. Always On VPN is implemented entirely on the Windows 10 client, which means any third-party VPN device can be used on the back end, including Cisco, Checkpoint, Juniper, Palo Alto, Fortinet, SonicWALL, F5, strongSwan, OpenVPN, and others! This provides tremendous deployment flexibility, making it possible to mix and match backend infrastructure if required. For example, a Windows RRAS VPN server with Palo Alto and SonicWALL firewalls could all be implemented at the same time (using the Windows built-in VPN client). Importantly, making changes to VPN infrastructure is much less impactful and disruptive to clients in the field. VPN devices can be upgraded, replaced, and moved internally without requiring corresponding policy changes on the client.

Additional Information

Always On VPN and the Future of Microsoft DirectAccess 

5 Things DirectAccess Administrators Should Know about Always On VPN 

Contact Me

Have questions about Windows 10 Always On VPN? Interested in learning more about this new solution? Fill out the form below and I’ll get in touch with you.

DirectAccess and Windows Server 2012 R2 Core

Important Note: The ability to switch back and forth between the full GUI and core versions of Windows was removed from Windows Server 2016. If you are deploying DirectAccess on Windows Server 2016, you must install server core initially. More details here.

DirectAccess and Windows Server 2012 R2 Core

Windows Server Core is an operating system configuration option that does not include a Graphical User Interface (GUI). Server Core was first introduced with Windows Server 2008 and originally included only a limited number of supported roles. With each subsequent release, Microsoft continues to add support for additional roles on Server Core. Beginning with Windows Server 2012, the Routing and Remote Access (RRAS) role, which includes DirectAccess, is a supported workload on Server Core.

Advantages of Server Core

There are a number of important advantages that come with running DirectAccess on Server Core. Server Core has a greatly reduced attack surface compared to the full GUI version, which is positive from a security perspective. Server Core also features a dramatically reduced footprint, consuming less RAM and disk space. System startup times are faster, and this refactored installation option also reduces servicing requirements (patching), eliminating many reboots and increasing availability and overall system uptime.

DirectAccess and Windows Server 2012 R2 Core

Figure 1 – Windows Server 2012 R2 Core Desktop (Yes, that’s it!)

Server Core Configuration

DirectAccess is a workload that lends itself well to running on Server Core, and I highly recommend leveraging this configuration whenever possible. Based on my experience, I suggest performing initial configuration and testing of the DirectAccess solution with the GUI installed, and then removing the GUI just before placing the DirectAccess server in to production. Removing the GUI can be accomplished by executing the following PowerShell command:

Remove-WindowsFeature Server-Gui-Mgmt-Infra –Restart

Once the server has been converted to Server Core, all administration must be performed at the command line on the server, or remotely from a management server or workstation using the command line or GUI administration tools. You can install the Remote Access Management console on any Windows Server 2012 R2 server using the following PowerShell command:

Install-WindowsFeature RSAT-RemoteAccess

Optionally you can download and install the Windows Server Remote Administrations Tools (RSAT) on a Windows client workstation, if desired.

Minimal Server Interface Configuration

If you prefer to be able to manage the DirectAccess server locally using the GUI, consider enabling the Minimal Server Interface. Minimal Server Interface is a configuration option that lies between Server Core and the full GUI interface. It features some of the benefits of Server Core, while at the same time providing local access to GUI management tools such as the Remote Access Management console. You can configure Minimal Server Interface using the following PowerShell command:

Remove-WindowsFeature Server-Gui-Shell -Restart

You can access the Remote Access Management console by entering RaMgmtUI.exe from the command line.

Revert to Full GUI

If at any point in the future you require the GUI for some reason, re-installing it can be accomplished using the following PowerShell command:

Install-WindowsFeature Server-Gui-Shell –Restart

Summary

With the Unified Remote Access role supported on Windows Server Core, consider implementing DirectAccess using this option to improve the security and increase the availability of your remote access solution. You’ll find that almost all ongoing server maintenance and support can be accomplished remotely using GUI tools, or locally using PowerShell. And if you ever need the GUI again, you can always add it back if necessary!

Additional Resources

DirectAccess on Windows Server 2016 Core

System Center Operations Manager 2012 Monitoring Pack for Windows Server 2012 Remote Access

Microsoft recently released a Monitoring Pack for System Center Operations Manager 2012 specifically targets the Remote Access role in Windows Server 2012. With this new monitoring pack, a systems management engineer can monitor a Windows Server 2012 server with the remote access role installed for the following conditions:

DirectAccess

  • Network interface connection and settings issues
  • IPv6 transition protocol configuration
  • DoS, spoof, and replay attack heuristics
  • IPsec state
  • DNS and management server configuration
  • Underlying service status
  • OTP-related heuristics

Remote Access and Site-to-Site VPN

  • Connection failures
  • Improper configuration
  • Hardware device and IPsec related failures
  • Monitoring of performance counters and instrumentation

This management pack leverages PowerShell cmdlets such as Get-RemoteAccess, Get-DAMultisite, and Get-RemoteAccessHealth. As such, only Windows Server 2012 is supported by this management pack. You can download the System Center Operations Manager 2012 Monitoring Pack for the Windows Server 2102 Remote Access role here.

Overview of New DirectAccess Features in Windows Server 2012

Microsoft recently announced the Release to Manufacturing (RTM) for Windows Server 2012. Windows Server 2012 includes a new Unified Remote Access role that provides many new and exciting features. Along with significant enhancements to DirectAccess, the Routing and Remote Access Service (RRAS) can now be co-located with DirectAccess server to provide legacy remote access VPN client connectivity (PPTP, L2TP/IPsec, and SSTP) as well as site-to-site VPN. Windows Server 2012 can now serve as your consolidated remote access solution and can be managed from a single management console. Here’s an overview of some of the compelling new features found in Windows Server 2012 DirectAccess.

Simplified and Flexible Deployment

Windows Server 2012 DirectAccess includes a new simplified deployment model makes implementing DirectAccess incredibly simple. After adding the Remote Access role, configuring DirectAccess can be done, quite literally, in just three mouse clicks. The new simplified deployment model does have some limitations, so the deployment wizard includes the flexibility to fully customize the implementation according to your specific requirements. Also, DirectAccess in Windows Server 2012 now supports deployment behind an existing edge firewall or border router/NAT device. Previous versions of DirectAccess had a hard requirement to be placed directly on the network edge and have two public IPv4 addresses assigned to it. In addition, Windows Server 2012 DirectAccess now also supports a single network adapter configuration, allowing the remote access gateway to be deployed inside of an existing perimeter network or DMZ. Another significant improvement with DirectAccess in Windows Server 2012 is support for multiple network entry points for DirectAccess clients. This feature is essential for large organizations with a requirement for automatic and transparent redundancy and intelligent client roaming. To simplify deployment and management, PowerShell 3.0 included with Windows Server 2012 can be used to fully automate and manage all aspects of the Unified Remote Access and DirectAccess gateway role. Finally, Windows Server 2012 also supports Offline Domain Join which allows administrators to join computers to the domain without having corporate network connectivity.

Reduced Infrastructure Requirements

A major limitation to DirectAccess in Windows Server 2008 R2 was the requirement for running IPv6 on the internal corporate network. As a workaround, Forefront Unified Access Gateway (UAG) 2010 could be deployed in the DirectAccess gateway role as it included protocol translators (DNS64 and NAT64) which allowed DirectAccess clients to communicate with intranet resources that were running only IPv4. However, deploying Forefront UAG added expense and complexity to the solution. Forefront UAG 2010 is no longer required to support this scenario, as the DNS64 and NAT64 protocol translators are now included in Windows Server 2012 DirectAccess. The new simplified deployment model eliminates the requirement for a Public Key Infrastructure (PKI), although certificates are still required for authentication so self-signed certificates are employed. A PKI is still the recommended and preferred way to implement certificates, and in fact a PKI is a requirement in certain deployment scenarios, such as when forced tunneling is configured, or when strong authentication or Network Access Protection integration is required.

Performance, Scalability and High Availability Improvements

The Microsoft core networking team did a tremendous job addressing the performance and scalability limitations of previous iterations of DirectAccess. A common complaint from those who have deployed earlier versions of DirectAccess was the performance of the IP-HTTPS transition protocol. In a nutshell, a DirectAccess client would fall back to using IP-HTTPS for DirectAccess communication when it was located behind a NAT device that was also preventing outbound UDP 3544. When this occurred, IPsec encrypted tunnels would then be encrypted again with SSL/TLS. This placed heavy demands on both the client and server side of the tunnel and severely reduced performance and limited scalability. In Windows Server 2012 DirectAccess, IP-HTTPS performance is on par with that of Teredo, as IP-HTTPS now uses null encryption for DirectAccess communication, eliminating the redundant and needless double encryption. With the simplified deployment scenario, only a single IPsec tunnel is required for DirectAccess corporate network connectivity. Requiring just one IPsec tunnel for each client reduces the processing load on the DirectAccess gateway significantly in large scale deployments. In terms of reliability, true high availability is now included with DirectAccess in Windows Server 2012 with the inclusion of Network Load Balancing (NLB) support for DirectAccess gateways. NLB provides efficient active/active clustering capabilities that offer more flexible scalability than using failover clustering in previous DirectAccess releases.

Security

DirectAccess in Windows Server 2012 includes additional security options. DirectAccess now natively supports strong authentication using RADIUS One-Time Passwords (OTP), and also supports Virtual Smart Cards hosted on the mobile computer’s Trusted Platform Module (TPM). The Unified Remote Access role can be deployed on Server Core, which substantially improves the overall security of the solution by reducing the attack surface, while at the same time decreasing system downtime by reducing the number of updates required by the operating system. In addition, a new feature of the Windows 8 client prompts the user for network credentials, if necessary, to facilitate remote corporate network connectivity when the DirectAccess client is located behind an authenticating proxy.

As you can see, there are many new and exciting features and capabilities included in the new Unified Remote Access role on Windows Server 2012. Many of these features will greatly simplify the configuration, deployment, and management of remote access and DirectAccess. Also, many of the new capabilities provided with Windows Server 2012 DirectAccess effectively eliminate the need to deploy Forefront Unified Access Gateway (UAG) 2010, making the overall solution less complex and more cost effective. Windows Server 2012 DirectAccess will provide support for Windows 7 Enterprise and Ultimate clients. However, Windows 8 Enterprise clients will be required to take full advantage of many of the new advanced features of Windows Server 2012 DirectAccess.

%d bloggers like this: