Always On VPN RRAS and Stale Connections

Always On VPN Updates for RRAS and IKEv2

Always On VPN administrators may be familiar with an issue that affects Windows Server Routing and Remote Access Service (RRAS) servers, where many stale VPN connections appear in the list of active connections. The issue is most prevalent when using IKEv2, either for the Always On VPN device tunnel or the user tunnel. Typically, this does not cause problems, but some administrators have reported issues related to port exhaustion or failed IKEv2 connections when many stale connections are present. Stale connections happen so frequently that I created a PowerShell script to clean them up on the RRAS server. Restarting the RemoteAccess service or rebooting the server also clears stale connections.

Microsoft Fix

Thankfully, Microsoft has addressed these issues in Windows Server 2019 and Windows Server 2022 this month. An update is now available in the March 2023 security update that resolves this problem.

You can find more information about the updates here.

The update was not made available for Windows Server 2016, however. Organizations are encouraged to upgrade to Windows Server 2019 or later to address this problem.

Additional Information

Always On VPN Updates for RRAS and IKEv2

Always On VPN IKEv2 Load Balancing and NAT

Always On VPN and IKEv2 Fragmentation

Always On VPN NPS and PEAP Vulnerabilities

The February 2023 security updates for Windows Server address multiple vulnerabilities that affect Microsoft Always On VPN administrators. This latest update addresses multiple critical and important vulnerabilities in the Network Policy Server (NPS), commonly used to perform RADIUS authentication for Always On VPN servers. Specifically, there are several Remote Code Execution (RCE) and Denial of Service (DoS) vulnerabilities with Protected Extensible Authentication Protocol (PEAP). PEAP with user authentication certificates is the authentication protocol of choice for Always On VPN user tunnel authentication.

Vulnerabilities

The following is a list of vulnerabilities in PEAP addressed in the February 2023 security update.

  • CVE-2023-21689Microsoft PEAP Remote Code Execution Vulnerability (critical)
  • CVE-2023-21690Microsoft PEAP Remote Code Execution Vulnerability (critical)
  • CVE-2023-21691Microsoft PEAP Information Disclosure vulnerability (important)
  • CVE-2023-21692Microsoft PEAP Remote Code Execution Vulnerability (critical)
  • CVE-2023-21695Microsoft PEAP Remote Code Execution Vulnerability (important)
  • CVE-2023-21701Microsoft PEAP Denial of Service Vulnerability (important)

Mitigation

Unauthenticated attackers can exploit the RCE vulnerabilities in PEAP on Microsoft Windows NPS servers. However, NPS servers should not be exposed directly to the Internet and would require an attacker to have access to the internal network already. However, administrators are advised to apply this update to their NPS servers as soon as possible. In addition, organizations that deploy the NPS role on enterprise domain controllers should update immediately.

Additional Information

February 2023 Update for Windows Server 2022 (KB5022842)

February 2023 Update for Windows Server 2019 (KB022840)

February 2023 Update for Windows Server 2016 (KB5022838)

NetMotion Mobility Is Now Absolute Secure Access

NetMotion Mobility is a premium enterprise mobility and Zero Trust Network Access (ZTNA) solution that delivers unrivaled capabilities and performance. It includes many features unavailable in any other secure remote access solution. It is software-based, running on Windows Server, and does not require dedicated or proprietary hardware. It also features broad client support, including Windows (Professional and Enterprise), macOS, iOS (iPhone and iPad), and Android phones and tablets.

Absolute Software

Last year NetMotion Software was acquired by Absolute Software, makers of persistent, self-healing security software. Beginning with release 12.70, NetMotion Mobility has been rebranded as Absolute Secure Access. In addition, NetMotion Mobile IQ, a comprehensive visibility and reporting tool that integrates with Mobility is now Absolute Insights for Network.

What’s New in 12.70

Absolute Secure Access v12.70 has been completely rebranded, and the management user interface (UI) has a new look and feel. The UI and endpoint agent also includes new icons. In addition, Absolute Secure Access 12.70 includes the following new features.

  • Formal support for Windows Server 2022
  • Enhanced data warehouse security controls
  • Faster Network Access Control (NAC) checks
  • Improved user and device authentication certificate selection – no more user prompts!
  • Support for iOS 16

Migration Path

Migrating from NetMotion Mobility 12.5x to Absolute Secure Access 12.70 is straightforward. However. Migrating from NetMotion Mobility releases before 12.5x will prove more challenging. Specifically, the 12.5x release introduced some significant architectural changes which prevent in-place upgrades to 12.70. With NetMotion Mobility releases before 12.5x, it is recommended to implement new infrastructure running 12.70 and migrate users to the new infrastructure.

Additional Information

Absolute Enterprise VPN and Zero Trust Network Access (ZTNA)

VIDEO: Introduction to Absolute Secure Access Enterprise VPN and ZTNA

What’s New in Absolute Secure Access 12.70

Absolute Secure Access Purpose-Built Enterprise VPN

Absolute Secure Access Purpose-Built Enterprise VPN Advanced Features In Depth

%d bloggers like this: