Always On VPN is Microsoft's replacement for DirectAccess. Always On VPN device tunnels securely extend your domain to internet-connected clients.

Joseph Moody

Joseph Moody is a network admin for a public school system and helps manage 5,500 PCs. He is a Microsoft Most Valuable Professional (MVP) in Cloud and Datacenter Management and blogs at DeployHappiness.com.

Have you had someone try to log into a laptop at a conference and then receive the "no logon servers are available" error? Ever wish your remote devices could easily update policies, install deployed applications, or configure changes? If so, you will love Always On VPN device tunnels!

When Microsoft first released Always On VPN, it only allowed user connections and did not support device connections. Windows 10 1709 introduced device tunnels, Windows 10 1803 improved the implementation, and development toward Windows 10 1809 ironed out some remaining bugs. Before you dive into the steps below, make sure you have followed this core Always On VPN setup guide.

Requirements for Always On VPN device tunnels

Windows 10 currently supports device tunnels on two editions: Education and Enterprise. Unlike user tunnels, device tunnels require a domain-joined client. Although you can use Windows 10 1709, it is better to use clients that are either Windows 10 1803 (fully patched) or Windows 10 1809.

The next requirement is that all remote clients have a machine certificate issued by your public key infrastructure (PKI) for the purpose of client authentication. You can check this by running certlm.msc and opening the local computer's personal certificate store. View the details of the certificate and check that Enhanced Key Usage contains the Client Authentication value.

This client has the correct certificate for Always On VPN device tunnels

If you do not see a certificate or do not have one for Client Authentication, you can issue the default machine certificate template and configure client auto-enrollment with these steps.

Finally, no other device VPN profile can exist on the computer. If you are not sure if another profile exists, open PowerShell as an administrator and run this command:
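An added example, not the author's command: the following PowerShell runs through the requirements above on a client (edition, domain membership, a machine certificate with the Client Authentication EKU) and lists any machine-wide VPN profiles that already exist. It assumes an elevated PowerShell session on a Windows 10 client.

```powershell
# Added example, not from the article: checks the device tunnel prerequisites above on a
# client and lists machine-wide VPN profiles that already exist. Run in an elevated PowerShell.
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem

"Edition      : $($ver.EditionID)  (Enterprise or Education required)"
"Release      : $($ver.ReleaseId)  (1803 fully patched or 1809 recommended)"
"Domain joined: $($cs.PartOfDomain)  ($($cs.Domain))"

# The machine certificate must be in the local computer's Personal store, carry the
# Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2), have a private key and still be valid.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
}
if ($certs) {
    $certs | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-List
} else {
    Write-Warning 'No valid machine certificate with the Client Authentication EKU was found.'
}

# Only one device tunnel profile may exist. Device tunnels are machine-wide (AllUserConnection)
# profiles, so list those; a stale one is removed with Remove-VpnConnection -AllUserConnection -Name <name>.
$existing = Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue
if ($existing) {
    $existing | Select-Object Name, ServerAddress, TunnelType, ConnectionStatus | Format-Table -AutoSize
} else {
    'No machine-wide VPN profiles found.'
}
```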

Configuring RRAS for Always On VPN device tunnels

Open the Routing and Remote Access service (RRAS) Microsoft Management Console (MMC) and connect to your VPN server. On the left side of the RRAS console, right-click on your server name and select Properties.

Under Properties, select Security and then select Authentication Methods. Check the Allow machine certificate authentication for IKEv2 box and click OK. Restart RRAS.

Enabling device tunnels over IKEv2

By default, any valid certificate from any trusted certificate authority (CA) can complete machine certificate authentication to your environment. Just guessing here, but you probably only want machines with a certificate from your CA to be able to authenticate. To restrict access to just your CA, run these PowerShell commands on your VPN server:

For reference, you can find the CA common name in the Issuer attribute of the machine certificate you checked earlier. Right-click on the certificate, select Details, and click on the Issuer attribute. The common name is on the first line and is to the right of CN =.
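The CA restriction described above, written out as an added example rather than the article's own commands. It assumes the RemoteAccess cmdlets on the RRAS server and uses 'Corp Root CA' as a placeholder for the CN you read from the Issuer attribute.

```powershell
# Added example, not the article's commands: restrict IKEv2 machine certificate
# authentication on the RRAS server to certificates chaining to a single root CA.
# Assumed placeholder: 'Corp Root CA' is the CN found in the Issuer field of the machine cert.
$RootCaName = 'Corp Root CA'

# Match the exact CN rather than a wildcard so a similarly named CA cannot be selected by mistake.
$RootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match "(^|,\s*)CN=$([regex]::Escape($RootCaName))(,|$)" }

if (-not $RootCa) {
    throw "Root CA '$RootCaName' is not in the Trusted Root store of this server."
}
if (@($RootCa).Count -gt 1) {
    # Several copies can exist after a CA renewal; keep the one that stays valid the longest.
    $RootCa = $RootCa | Sort-Object NotAfter -Descending | Select-Object -First 1
}

# 'Certificate' is what the device tunnel uses; EAP stays enabled for the user tunnel.
Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP `
    -RootCertificateNameToAccept $RootCa -PassThru

Restart-Service RemoteAccess -PassThru

# Show the resulting policy for the change record.
Get-VpnAuthProtocol | Select-Object UserAuthProtocolAccepted, RootCertificateNameToAccept
```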

Creating the Always On device tunnel profile

Copy this text and save it as an XML file in a location accessible to domain computers:

Edit the XML file and change the <Servers> line and the <TrustedNetworkDetection> line to the correct values in your environment.

Next, list any IP your remote clients will need to access in the <Route> and <RemoteAddressRanges> sections. The sample profile you copied lists four IPs as examples. Ideally, your profile will only contain the critical services a client needs. These might include domain controllers, WSUS/SCCM, or network policy servers. Even though you can include subnets by changing the PrefixSize line below an IP, I recommend scoping route lines down to a single IP.

In the same folder where you saved the XML file, create a new PowerShell script and paste in the following code:

Be sure to copy and paste your device profile XML in the $ProfileXML portion of the PowerShell script. You should now have two files in your folder. The first one is an XML file. The second one is a PowerShell script with the contents of your XML file pasted into it.
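The XML file and the PowerShell script described above, combined into one script as an added example; this is not the article's own script. The server name vpn.example.com, the DNS suffix corp.example.com, the two IPs and the profile name are placeholders to replace with your values.

```powershell
# Added example, not the article's script: creates the device tunnel profile through
# the MDM VPNv2 CSP WMI bridge. Run under SYSTEM (PsExec -s, startup script, SCCM package).
# Assumed placeholders: vpn.example.com, corp.example.com, 10.0.0.10 and 10.0.0.11.
$ProfileName = 'Corp Device Tunnel'
$ProfileXML = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication><MachineMethod>Certificate</MachineMethod></Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route><Address>10.0.0.10</Address><PrefixSize>32</PrefixSize></Route>
  <Route><Address>10.0.0.11</Address><PrefixSize>32</PrefixSize></Route>
  <TrafficFilter><RemoteAddressRanges>10.0.0.10</RemoteAddressRanges></TrafficFilter>
  <TrafficFilter><RemoteAddressRanges>10.0.0.11</RemoteAddressRanges></TrafficFilter>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <TrustedNetworkDetection>corp.example.com</TrustedNetworkDetection>
</VPNProfile>
'@
# The CSP stores ProfileXML as an escaped string property.
$EscapedXML = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
$Namespace  = 'root\cimv2\mdm\dmmap'
$ClassName  = 'MDM_VPNv2_01'
$InstanceId = $ProfileName -replace ' ', '%20'
$Session    = New-CimSession

# Delete a stale copy first so the script is safe to re-run (e.g. on every startup).
Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceID -eq $InstanceId } |
    ForEach-Object { $Session.DeleteInstance($Namespace, $_) }

$Instance = New-Object Microsoft.Management.Infrastructure.CimInstance $ClassName, $Namespace
foreach ($p in @(
        @{ Name = 'ParentID';   Value = './Vendor/MSFT/VPNv2'; Flags = 'Key' },
        @{ Name = 'InstanceID'; Value = $InstanceId;           Flags = 'Key' },
        @{ Name = 'ProfileXML'; Value = $EscapedXML;           Flags = 'Property' })) {
    $Instance.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Flags))
}
$Session.CreateInstance($Namespace, $Instance) | Out-Null
# Confirm the machine-wide connection exists (the article's own verification step).
Get-VpnConnection -AllUserConnection -Name $ProfileName
```

The TrafficFilter entries limit the tunnel to the listed hosts and also block inbound connections to the client over this tunnel, so drop them if you need to manage clients through the device tunnel.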

Deploying the Always On device tunnel profile

To deploy your profile, you just need to run the PowerShell script you created under the System account of a client. There are a few options for doing this.

For a single machine (or for testing), you can use the PSExec tool. Run it with the -S parameter and start PowerShell. Finally, run the PowerShell script you created previously.

The second option is to deploy the PowerShell script as a startup script in Group Policy. Startup and shutdown scripts process under the computer's account and run with the required permissions needed to create the VPN profile.

Always On VPN device profile deployment with Group Policy

Finally, you can deploy it with SCCM. Create a package for your script and allow it to run with administrative rights whether or not a user is logged on.

Always On VPN device profile deployment with SCCM

After using any of these options, verify that the VPN profile is installed by running the Get-VPNConnection -AllUserConnection command.

You should then be able to connect to an external network and communicate with one of the IPs listed in the Route section of your profile. If you included a domain controller in that list, restart the client, connect to a remote network, and log on with a new user. It is a beautiful sight to see that a logon server is indeed available!

17 Comments
  1. pieter72 8 months ago

    Hello Joseph

    Interesting article, thanks for that!

    Have you tried the device tunnel over the Internet? I have a fully functional AlwaysOn VPN in lab. The User Tunnel dials in perfectly over the Internet, but the Device Tunnel keeps on failing. Error 809, indicating connectivity problems, but since the User Tunnel works over the same IKEv2 we can rule that out. Device Tunnel does connect on premise.

  2. Nick W 7 months ago

    Hi!

    Thank you for this article, it's great. But one problem.

    I can make this work with system elevated PSExec, but NOT with the GPO. You say "run with the required permissions needed to create the VPN profile." but what exactly can I do in the GPO that allows me to change settings?

    I would have thought that simply adding the ps1 script and XML to the server share and calling that in the Computer startup should work?

    • Author
      Joseph Moody 6 months ago

      For a device profile, your method should work! Try calling PSExec through a batch file - using a startup script (talk about a convoluted solution though).

  3. Luca Fidanza 6 months ago

    Hi, when using the Always On VPN configuration, how can a laptop understand that it is connected to the corporate network and so must not activate the VPN? Vice versa, how can it understand that it is outside the corporate network so it must activate the VPN?

  4. Bryan Hall 5 months ago
  5. Ryan Bunce 4 months ago

    Great article, thanks very much.

    I have both device and user tunnels up and running. After login, both a tunnel for the device and one for the user are established and two IPs are given.

    Presuming that's normal behavior - I'm able to ping and interact (RDP, SMB) with the machine using the IP associated with the user tunnel but not the device tunnel.

    Is this also normal? If so - how does an admin access a machine that is turned on but no one is yet logged in? If not normal - looking for some troubleshooting steps.

    Thanks much!

  6. Shawn Morris 4 months ago

    @Ryan Bunce - we have Always On configured for user connection now using a machine cert. You said you have both a machine connection and a user connection. We would like to have this as well, can you provide any links or information to set up Always On this way?

  7. T.J. Smith 4 months ago

    We have this up and running - sort of.

    If we run the PowerShell script using PSExec, the profile gets installed and works like we want. If we run the PowerShell script using the newer scripts feature in SCCM, it again works like we want. However, when I deploy the script as a package and have it run as administrator whether a user is logged in or not, it creates the profile but it doesn't actually work. It doesn't connect on its own and if you try to manually connect it, it just pops open the list of WiFi signals around you.

    I have no idea what I'm doing wrong.

  8. Greg 4 months ago

    So I have user tunnels with both SSTP and IKEv2 working fine.

    However, I am getting error 809 with the device tunnel.
    I can also get error 809 if I switch to machine certificates on the user tunnel settings.

    For our site we already have another computer certificate CA on the laptops that is used for Wi-Fi authentication; this is in the computer certificate section. Unfortunately, when we enroll a computer authentication cert via our CA the wireless profile stops working, so we can't add our certificate and we can't remove the certificate we use for our Wi-Fi (it's a statewide Wi-Fi network).

    So on our VPN server I just installed the CA the wireless network uses and ran the commands above to only allow that CA to join.

    Is this what causes an error 809? Do I need to install this separate CA on our NPS for client machine certificate authentication? I don't see any errors in Event Viewer on the NPS or RAS server, just the client.

  9. louis 2 months ago

    Is certain traffic restricted to certain tunnels? I.e., are updates restricted to the computer authenticated tunnel?

    Or is it just a way of authenticating? E.g., you can just use computer authentication rather than user authentication?

    We also use radius authentication for our wired/wireless clients so I'm wondering if we can use the same certs?

  10. Patrick Pinto 2 months ago

    Hi, great article. It is working; however, it does not display under network connections for anyone. If we run get-uservpnconnection it does show up in the list but is not displayed in the network connections applet in the bottom right. Any idea why?

    • Author
      Joseph Moody 1 month ago

      Hi Patrick, what did you find out about your problem? Was it due to an older client version of Windows 10?

  11. S 1 month ago

    Great article thank you!

    The PowerShell script for the device tunnel is missing Get-Content:

    $ProfileXML = Get-Content 'file.xml'

© 4sysops 2006 - 2019