All posts tagged Windows Server 2012 R2

Always On VPN SSTP Certificate Renewal

Windows Server Routing and Remote Access Service (RRAS) is popular for Always On VPN deployments because it supports the Secure Socket Tunneling Protocol (SSTP). The SSTP VPN protocol is recommended for use with the Always On VPN user tunnel because it is firewall friendly. Installing a TLS certificate on the VPN server is necessary to support SSTP VPN connections. Administrators should use a TLS certificate signed by a public certification authority (CA) for optimal reliability and performance.

Click here to view a video demonstration of the procedures outlined in this article.

Certificate Expiration

Of course, all certificates expire, and the TLS certificate used for SSTP is no exception. When using a public TLS certificate, the certificate lifetime is typically no more than one year, which means Always On VPN administrators will be renewing this certificate regularly.

Certificate Renewal

The process of “renewing” an SSTP TLS certificate is essentially the same as installing a new one, as it is best to create a new public/private key pair when renewing a certificate. The following outlines the steps required to generate a Certificate Signing Request (CSR), import the certificate, then assign the certificate to the SSTP listener on the VPN server.

Note: The guidance provided here assumes using an ECC certificate, which is best for optimal security and performance. More details here.

Certificate Request

Open the local computer certificate store (certlm.msc) on the VPN server and perform the following steps to generate a new CSR.

  1. Expand Certificates – Local Computer > Personal.
  2. Right-click the Certificates folder and choose All Tasks > Advanced Operations > Create Custom Request.
  3. Click Next.
  4. Highlight Proceed without enrollment policy.
  5. Click Next.
    1. Select (No template) CNG key from the Template drop-down list.
    2. Select PKCS #10 in the Request format section.
    3. Click Next.
  6. Click on the down arrow next to Details.
    Always On VPN ECDSA SSL Certificate Request for SSTP
  7. Click on the Properties button.
  8. Select the General tab.
    1. Enter the public hostname for the certificate in the Friendly name field.
  9. Select the Subject tab.
    1. Select Common name from the Type drop-down list in the Subject name section.
    2. Enter the public hostname for the certificate in the Value field.
    3. Click Add.
    4. In the Alternative name section, select DNS from the Type drop-down list.
    5. Enter the public hostname for the certificate in the Value field.
    6. Click Add.
      Always On VPN ECDSA SSL Certificate Request for SSTP
  10. Select the Extensions tab.
    1. Expand the Extended Key Usage section.
    2. Select Server Authentication from the Available options section.
    3. Click Add.
      Always On VPN ECDSA SSL Certificate Request for SSTP
  11. Select the Private Key tab.
    1. Expand the Cryptographic Service Provider section.
      1. Uncheck the box next to RSA,Microsoft Software Key Storage Provider.
      2. Check the box next to ECDSA_P256,Microsoft Software Key Storage Provider.
    2. Expand the Key options section.
      1. Check the box next to Make private key exportable.
        Always On VPN ECDSA SSL Certificate Request for SSTP
  12. Click Ok.
  13. Click Next.
  14. Enter a name for the file in the File Name field.
  15. Select Base 64 in the File format section.
  16. Click Finish.

Import Certificate

Once complete, submit the file created to a public CA for signing. When the CA returns the signed certificate, perform the following steps to import it to the local compute certificate store.

  1. Right-click the Certificates folder and choose All Tasks > Import.
  2. Click Next.
  3. Enter the name of the certificate file returned by the public CA in the File name field.
  4. Click Next.
  5. Select Place all certificates in the following store and ensure that Personal is listed in the Certificate store field.
  6. Click Next.
  7. Click Finish.
  8. Click Ok.

Assign Certificate

After importing the new TLS certificate in the local computer’s certificate store, open the Routing and Remote Access management console (rrasmgmt.msc) and perform the following steps to assign the TLS certificate to the SSTP listener.

  1. Right-click the VPN server and choose Properties.
  2. Select the Security tab.
    1. Select the new TLS certificate from the Certificate drop-down list in the SSL Certificate Binding section. When replacing an existing certificate, you may see a certificate with the same name more than once. Click the View button and ensure the new certificate is selected.
    2. Click Ok.
    3. Click Yes to restart the RemoteAccess service.

Demonstration Video

A recorded video demonstration of this process can be found here. The video recording also includes guidance for making these changes on Windows Server Core servers.

Additional Information

Installing or Renewing an SSL/TLS Certificate on Windows Server for Always On VPN and SSTP.

Microsoft Windows Always On VPN SSTP Security Configuration

Microsoft Windows Always On VPN SSL Certificate Requirements for SSTP

Microsoft Windows Always On VPN ECDSA TLS Certificate Request for SSTP

Microsoft Windows Always On VPN SSTP with Let’s Encrypt Certificates

6 Comments
by Richard M. Hicks on February 10, 2022  •  Permalink
Posted in administration, Always On VPN, AOVPN, Elliptic Curve Cryptography, Encryption, Enterprise, enterprise mobility, Mobility, Operational Support, PKI, PowerShell, public key infrastructure, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, Security, SSL, SSL and TLS, SSTP, TLS, Transport Layer Security, user tunnel, video, VPN, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 10, 2022

https://directaccess.richardhicks.com/2022/02/10/always-on-vpn-sstp-certificate-renewal/

Always On VPN and RRAS in Azure

Always On VPN and RRAS in AzureWhen deploying Windows 10 Always On VPN, it may be desirable to host the VPN server in Microsoft’s Azure public cloud. Recently I wrote about Always On VPN deployment options in Azure, and in that post I indicated that deploying Windows Server and the Routing and Remote Access Service (RRAS) was one of those options. Although not formally supported by Microsoft, RRAS is often deployed in Azure because it is cost-effective, easy to manage, and provides flexible scalability.

Supportability

It’s important to state once again that although it is possible to successfully deploy Windows Server with RRAS in Azure to support Always On VPN, as of this writing it is not a formally supported workload. If the administrator makes the decision to deploy RRAS in Azure, they must also accept that Microsoft may refuse to assist with troubleshooting in this specific deployment scenario.

Always On VPN and RRAS in Azure

Reference: https://support.microsoft.com/en-us/help/2721672/microsoft-server-software-support-for-microsoft-azure-virtual-machines

Azure Prerequisites

The configuration of RRAS is identical to on-premises, with a few additional steps required by Azure infrastructure.

Windows Server

RRAS can be configured on any Windows Server virtual machine supported in Microsoft Azure. As with on-premises deployments, Server GUI and Core are supported. Domain-join is optional. The server can be deployed with one network interface or two.

Public IP

A public IP address must be assigned to the VPN server’s external network interface, or the internal interface if the VPN server is configured with a single network adapter. The IP address can be static or dynamic. When using a dynamic IP address, configure a CNAME record in DNS that points to the name configured for the IP address in Azure. If using a static IP address, an A host record can be configured pointing directly to the IP address.

Network Security Group

A Network Security Group (NSG) must be configured and assigned to the VPN server’s external or public-facing network interface that allows the following protocols and ports inbound.

  • TCP port 443 (SSTP)
  • UDP port 500 (IKEv2)
  • UDP port 4500 (IKEv2 NAT traversal)

RRAS in Azure

Below are the infrastructure requirements for supporting Windows Server RRAS VPN in Azure.

Client IP Subnet

Static IP address pool assignment must be used with RRAS. Using DHCP for VPN client IP address assignment in Azure is not supported and will not work. The IP subnet assigned to VPN clients by RRAS must be unique and not overlap with any existing Azure VNet subnets. If more than one VPN server is deployed, each server should be configured to assign a unique subnet for its clients.

IP Forwarding

IP forwarding must be enabled on the VPN server’s internal network interface. Follow the steps below to enable IP forwarding.

1. In the Azure portal, open the properties page for the internal network interface for the VPN server.
2. Click IP configurations in the navigation pane.
3. Click Enabled next to IP forwarding.
4. Click Save.

Always On VPN and RRAS in Azure

Routing

Azure must be configured to route IP traffic from VPN clients back to the VPN server. Follow the steps below to create and assign a routing table in Azure.

1. Click Create Resource.
2. Enter “Route Table” in the search field and press Enter.
3. Click Route Table.
4. Click Create.
5. Enter a descriptive name for the route table in the Name field.
6. Choose an appropriate subscription from the Subscription drop-down list.
7. Select the resource group where the VPN server(s) reside.
8. Select the best location to deploy the route table resource from the Location drop-down list.
9. If the administrator wants to have the VPN client IP subnet route information published automatically, select Enabled for Virtual network gateway route propagation.
10. Click Create.

Always On VPN and RRAS in Azure

Once complete, follow the steps below to define the route for VPN clients.

1. Open the properties page for the route table.
2. Click Routes in the navigation pane.
3. Click Add.
4. Enter a descriptive name in the Route name filed.
5. Enter the IP subnet assigned to VPN clients in the Address prefix field.
6. Select Virtual appliance from the Next hop type drop-down list.
7. Enter the IPv4 address assigned to the VPN server’s internal network interface in the Next hop address field.
8. Click Ok.
9. Repeat the steps above for each VPN server configured in Azure.

Always On VPN and RRAS in Azure

Finally, follow the steps below to assign the route table to an Azure VNet subnet.

1. Open the properties page for the route table.
2. Click Subnets in the navigation pane.
3. Click Associate.
4. Click Virtual network.
5. Choose the appropriate Azure VNet.
6. Click Subnet.
7. Choose an Azure VNet subnet to assign the route table to.
8. Click Ok.
9. Repeat the steps above to assign the route table to any Azure VNet subnet that must be accessible by VPN clients. If VPN clients need access to on-premises resources via Azure site-to-site gateway, assign the route table to the Azure VPN gateway subnet.

Always On VPN and RRAS in Azure

Note: Azure only supports the assignment of one route table per subnet. If a route table is currently assigned, the VPN client subnet route can be added to an existing route table, if necessary.

Summary

Administrators have many choices when it comes to support Always On VPN connections hosted in Azure. RRAS on Windows Server can be an effective solution, assuming you can live without formal support. If having a formally supported solution is a hard requirement, consider deploying Always On VPN using the native Azure VPN gateway or another third-part Network Virtual Appliance (NVA).

Additional Information

Windows 10 Always On VPN with Azure Gateway

Windows 10 Always On VPN Options for Azure Deployments

Windows 10 Always On VPN Multisite with Azure Traffic Manager

46 Comments
by Richard M. Hicks on September 9, 2019  •  Permalink
Posted in Always On VPN, AOVPN, Azure, Azure VPN, Azure VPN Gateway, cloud, Enterprise, enterprise mobility, Mobility, public cloud, Remote Access, routing and remote access service, RRAS, Security, Windows 10, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on September 9, 2019

https://directaccess.richardhicks.com/2019/09/09/always-on-vpn-and-rras-in-azure/

Always On VPN and RRAS with Single NIC

Always On VPN and RRAS with Single NICI’m commonly asked “can Windows Server with Routing and Remote Access Service (RRAS) be configured with a single network interface?” This is likely because the official Microsoft documentation references only a multihomed dual NIC configuration, leading many to believe it is a strict requirement.

Single NIC

Deploying Windows Server RRAS with a single network interface is indeed supported and works without issue. There are no functional limitations imposed by using a single network interface. All features are fully supported in this scenario. The choice to use one or two network interfaces is purely a design choice, driven by several factors such as current network configuration and security requirements.

Dual NIC

Although a single NIC configuration is fully supported, there are some important advantages associated with mulithome dual NIC deployments. The following should be considered when deciding between single NIC and dual NIC VPN configurations.

Traffic Segmentation

Having separate internal and external network connections provides logical and physical separation of trusted and untrusted network traffic. Terminating connections from Always On VPN clients on the Internet in an isolated perimeter or DMZ network yields positive security benefits.

Firewall Configuration

Using two network interfaces allows for a more restrictive Windows Firewall policy to be applied to the external interface. This reduces the exposure of running services on the RRAS server to untrusted networks. This is especially critical if the VPN server is Windows Server RRAS and it is joined to a domain.

Network Performance

For very busy RRAS servers, having two network interfaces can improve network performance. With two network interfaces, network traffic is distributed between two network adapters, reducing utilization on each interface.

Dual NIC Best Practices

When deploying an RRAS server with dual NICs, the following recommendations for network interface configuration should be followed.

IP Addressing

Each network interface must be assigned an IP address from a unique subnet. Having both NICs on the same subnet is not supported.

Default Gateway

The default gateway should be configured on the external facing network interface only. The internal interface should not be configured with a gateway. Rather, static routes to any remote internal networks should be configured.

To add a static route on a Windows Server, open an elevated PowerShell command window and run the following command.

New-NetRoute -AddressFamily IPv4 -DestinationPrefix 10.0.0.0/8 -InterfaceAlias ‘Internal’ -NextHop 172.21.12.254

DNS

For domain-joined RRAS servers, corporate DNS servers should be configured on the Internal network interface only. No DNS servers should be configured on the external interface. If the server is not joined to a domain, DNS servers can be configured on whichever interface has connectivity to the defined DNS servers.

NAT

When the RRAS server is behind a device performing Network Address Translation (NAT), the NAT should be configured to translate only the destination address (DNAT). This allows the VPN server (or load balancer for multiserver deployments) to see the client’s original source IP address, which ensures efficient traffic distribution and meaningful log data.

Client, Service, and Protocol Bindings

All unnecessary clients, services, and protocols should be unbound from the external network interface. It is recommended that only the IPv4 and IPv6 protocols be enabled on the external interface, as shown here. Again, this reduces exposure for the server to the untrusted external network.

Always On VPN and RRAS with Single NIC

Summary

The dual NIC, multihomed configuration is generally recommended for most deployments as it offers security and performance advantages over the single NIC configuration. For organizations with less demanding security requirements, a single NIC deployment can be deployed safely without compromising functionality or supportability. In addition, a single NIC deployment may be the best option when multiple networks aren’t readily available.

Additional Information

Windows 10 Always On VPN and Windows Server Routing and Remote Access (RRAS)

Windows 10 Always On VPN Protocol Recommendations for Windows Server RRAS

Windows 10 Always On VPN Options for Azure Deployments

Windows 10 Always On VPN Hands On Training

75 Comments
by Richard M. Hicks on August 19, 2019  •  Permalink
Posted in Always On VPN, AOVPN, Enterprise, enterprise mobility, Mobility, PowerShell, Remote Access, routing and remote access service, RRAS, Security, VPN, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
Tagged , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on August 19, 2019

https://directaccess.richardhicks.com/2019/08/19/always-on-vpn-and-rras-with-single-nic/

« Older Posts
Newer Posts »