Welcome to part five in our Always On VPN series! So far, you have learned how Always On VPN works, configured the Certificate Authority, installed NPS and RRAS for remote connectivity, and set up your network for secure connections. It is now time for your clients to connect!

Joseph Moody

Joseph Moody is a network admin for a public school system and helps manage 5,500 PCs. He is a Microsoft Most Valuable Professional (MVP) in Cloud and Datacenter Management and blogs at DeployHappiness.com.

In this segment, you will set up a client template. After configuring the client template, you will be able to test your setup. Finally, you will need to decide on a client deployment method and roll this out to other machines!

Creating the Always On VPN client template ^

Start with a clean domain-joined machine (physical or virtual). The machine should be running Windows 10 1607 or greater. This computer will be your template machine. It will need a way to reach your Remote Access/VPN server from an external connection, that is, from outside your network. On this machine, you will manually create the VPN connection and then test it. Although you can manually create the connection template in XML, it is probably easier to configure it through the connection wizard and export it with PowerShell later. We will do that now.

We'll create the VPN Profile.ps1 file near the end of this article

In parts 3 and 4, we reviewed certificate requirements for Network Policy Server (NPS) or Remote Authentication Dial-In User Service (RADIUS). For optimal security, your clients should know the NPS host name when connecting. A certificate issued to the NPS machine will store this exact host name, along with the name of a trusted certificate authority (CA).

Connect to your NPS/RADIUS machine and launch the NPS Microsoft Management Console (MMC). Expand to Policies\Network Policies. Right-click on the Virtual Private Network (VPN) network policy you created in part 3 and select Properties.

Click on the Constraints tab. On the Authentication Methods constraint, select Microsoft: Protected EAP (PEAP) and then click on Edit.

Editing the Microsoft Protected EAP (PEAP) authentication method constraint

The Edit Protected EAP Properties window should now be open. Note the Issued to value of the certificate as well as the Issuer value. Once you have these values, you can cancel out of any open windows in the NPS console. You will enter these values in the advanced template configuration section below.

On your template machine, log in as a user that is a member of the VPN Users group. Once logged in, open certmgr.msc and verify a certificate was issued from the VPN Users template. If not, review part 2 of this series. Click on Start and search for VPN. You may need to filter to just Settings to see the Change Virtual Private Network (VPN) option.

Creating the Always On VPN client template manually

Select Add a VPN connection and do the following:

  • Change the VPN Provider to Windows (built-in)
  • Specify a temporary connection name such as template
  • Enter the external fully qualified domain name (FQDN) of your Always On VPN server. This is the DNS value you created in part 4 of this series.

The Always On VPN template is ready for configuration

Click Save to close the Add a VPN connection window. On the right-hand side under Related Settings, click on Change Adapter options (or navigate to Control Panel\Network and Internet\Network Connections).

Right-click on your template and select Properties. Configure the following on the Security tab:

  • Change the Type of VPN to IKEv2.
  • Change the Data encryption value to Maximum strength encryption.
  • Click the Use Extensible Authentication Protocol (EAP) radio button and select Microsoft: Protected EAP (PEAP) (encryption enabled) from the drop-down list.

While still on the Security tab, click on Properties to launch the Protected EAP Properties window.

  • Enter the certificate issued to value in the Connect to these servers field.
  • Under Trusted Root Certification Authorities, check the CA name that matches the Issuer value you recorded earlier.
  • On the Notifications before connecting drop-down list, select Don't ask user to authorize new servers or trusted CAs.
  • For the Authentication Method, select Smart Card or other Certificate.

Protected EAP Properties for a secure Always On VPN connection

To the right of Smart Card or other certificate, click the Configure button (as seen in the image above). The options you will configure now control how the client selects a local certificate for authentication.

On the Smart Card or other Certificate Properties window:

  • Select the radio button for Use a certificate on this computer.
  • Enter the certificate issued to value in the Connect to these servers field.
  • Under Trusted Root Certification Authorities, check the CA name that matches the Issuer value you recorded earlier. This option and the previous option should match the values you entered on the Protected EAP Properties screen above.
  • Check the Don't prompt user to authorize new servers or trusted certification authorities box.

Controlling the local certificate used for Always On VPN authentication

If your VPN users have multiple user certificates (as seen in certmgr.msc) and are prompted to select one before connecting, you can use the Advanced tab to refine certificate selection.

Testing Always On VPN connections ^

Click OK for all open windows and return to the Network Connections control panel window. Ensure you are connected to an external network. Select your VPN template (either in Settings or from the notification area in the bottom-right section of the taskbar). Click Connect.

Testing the Always On VPN template

Hopefully, your VPN template successfully connected. Proceed to the next section if it did. For anyone else, I'm sorry. The problem is likely a small misconfiguration or missing checkbox somewhere. On the client template machine, open the Application event log and look for events with a RasClient source. You should see a message and an error code. Microsoft provides some basic guidance for Always On VPN 800-series (8xx) errors here. If you still have a connection issue, leave a detailed comment and upload any logs here.
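To make that event log check repeatable, here is an added PowerShell example (not from the original article) that lists recent RasClient failures from the Application log and pulls the error code out of each message. It assumes the standard "The error code returned on failure is NNN." wording of those events.

```powershell
# Added example, not part of the original article. Run on the template machine
# right after a failed connection attempt; no elevation is needed for the
# Application log.
function Get-RasClientFailures {
    param(
        [int]$MaxEvents = 20,
        [string]$LogName = 'Application'   # the log the article points at
    )
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = 'RasClient' } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: failure events end with
            # "... The error code returned on failure is 812."
            $code = $null
            if ($_.Message -match 'error code returned on failure is (\d+)') {
                $code = [int]$Matches[1]
            }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                ErrorCode = $code
                Summary   = ($_.Message -split "`n")[0]   # first line only
            }
        } |
        Where-Object { $_.ErrorCode }   # drop successful dial-ins and disconnects
}

Get-RasClientFailures | Format-Table -AutoSize
```

Compare the ErrorCode column against Microsoft's 8xx error guidance; the most recent row is the attempt you just made.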

Deploying Always On VPN connection templates ^

First, we need to export the template file we created and tested above. Download the latest MakeProfile.ps1 script from TechNet. Configure the parameters at the top of the script as follows:

  • $Template: the template name you used earlier (such as template)
  • $ProfileName: the final name clients would see (such as AlwaysOn)
  • $Servers: the external FQDN of your Remote Access server (the value you entered on the template)
  • $DnsSuffix: the internal DNS suffix of clients; ipconfig will show the formatting (such as local)
  • $DomainName: the DNS suffix with a leading dot (such as .Test.local)
  • $TrustedNetwork: likely the same as the DnsSuffix

Run this script under the user account that created the VPN template by logging in locally (no Remote Desktop/Hyper-V Enhanced session).

If the script successfully runs, you should see two files on the current user's desktop: VPN_Profile.xml and VPN_Profile.ps1.

Microsoft provides a few ways to deploy Always On VPN connections. Currently, you can deploy them with a PowerShell script, SCCM, or Intune. SCCM uses the VPN_Profile.ps1 file, and Intune uses the VPN_Profile.xml file. Technically, you can use Group Policy since you can use the logon/startup scripts client-side extension (CSE) to run your PowerShell script.

For this deployment, we will use the PowerShell method since it is the simplest to set up. However, it does not scale well. The user running the VPN_Profile.ps1 script needs to log in locally as an administrative user. It is fine to use your template machine for this, but delete the profile you created earlier.

Connect this machine to your internal network. Make sure your logged-in user is an administrator, and then start PowerShell as an administrator. Open up your VPN_Profile.ps1 script and run it. If it successfully runs, it should create a new Always On VPN profile. It will detect that you are on the internal network (through the DNS suffix and trusted network values you specified earlier). Disconnect from your internal network and connect to an external one. Within a few seconds, Windows 10 should detect the network change and automatically start the Always On VPN profile!
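Before rolling the profile out, it is worth verifying that the generated profile actually carries the settings you configured on the template (IKEv2, pinned server name, no server-trust prompts, trusted network detection, AlwaysOn). The following is an added PowerShell example, not part of the article or of Microsoft's MakeProfile.ps1; it reads the MDM_VPNv2_01 class, the same one queried in the comment thread, and flags deviations. The server name and DNS suffix in the usage line are assumed placeholders.

```powershell
# Added example, not from the article or from Microsoft's scripts.
# Run elevated, in the session of the user the profile was created for.
function Test-AlwaysOnVpnProfile {
    param(
        # Name on the NPS certificate (the "certificate issued to" value).
        [Parameter(Mandatory)][string]$ExpectedServerName,
        # Internal DNS suffix used for trusted network detection.
        [Parameter(Mandatory)][string]$ExpectedDnsSuffix
    )
    $profiles = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_VPNv2_01'
    foreach ($p in $profiles) {
        $findings = New-Object 'System.Collections.Generic.List[string]'
        $raw = $p.ProfileXML
        if ($raw -like '&lt;*') { $raw = [System.Net.WebUtility]::HtmlDecode($raw) }  # some tools store it escaped
        [xml]$xml = $raw

        # ProfileXML mixes several EAP namespaces; local-name() ignores them.
        # Some elements (ServerNames, TrustedRootCA, ...) occur in both the outer
        # PEAP and the inner EAP-TLS block, so every occurrence is collected.
        $vals = @{}
        foreach ($name in 'NativeProtocolType', 'AlwaysOn', 'TrustedNetworkDetection', 'ServerNames',
                          'DisableUserPromptForServerValidation', 'TrustedRootCA', 'PerformServerValidation') {
            $vals[$name] = @($xml.SelectNodes("//*[local-name()='$name']") |
                             ForEach-Object { $_.InnerText.Trim() })
        }

        if ($vals.NativeProtocolType -notcontains 'Ikev2') {
            $findings.Add('Type of VPN is not IKEv2')
        }
        if ($vals.AlwaysOn -notcontains 'true') {
            $findings.Add('AlwaysOn is missing or false; the profile will not auto-connect')
        }
        if ($vals.TrustedNetworkDetection -notcontains $ExpectedDnsSuffix) {
            $findings.Add('TrustedNetworkDetection does not match the internal DNS suffix')
        }
        if ($vals.ServerNames.Count -eq 0 -or ($vals.ServerNames | Where-Object { $_ -ne $ExpectedServerName })) {
            $findings.Add('ServerNames missing or not equal to the NPS certificate name')
        }
        if ($vals.DisableUserPromptForServerValidation.Count -eq 0 -or
            $vals.DisableUserPromptForServerValidation -contains 'false') {
            $findings.Add('User may be prompted to trust an unknown server')
        }
        if ($vals.TrustedRootCA.Count -eq 0 -or ($vals.TrustedRootCA | Where-Object { -not $_ })) {
            $findings.Add('No trusted root CA thumbprint pinned for server validation')
        }
        if ($vals.PerformServerValidation -contains 'false') {
            $findings.Add('Server certificate validation is disabled')
        }

        $summary = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
        [pscustomobject]@{
            Profile  = [uri]::UnescapeDataString($p.InstanceID)   # InstanceID is URL-encoded
            Findings = $summary
        }
    }
}

# Placeholder values; substitute your NPS certificate name and internal suffix.
Test-AlwaysOnVpnProfile -ExpectedServerName 'nps.test.local' -ExpectedDnsSuffix 'test.local' | Format-List
```

A profile that reports OK here matches the template settings; anything else points at the exact checkbox or MakeProfile.ps1 parameter to revisit before deploying.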

What's next for Always On VPN? ^

In this five-part series, we actually set up a very simple Always On VPN infrastructure. As you learned, tying everything together takes a lot of technical work! You also saw that this technology is not quite perfect. Deployment methods can be a thorn in the side for some organizations. In my opinion, Microsoft should fully support Group Policy as a deployment method.

There is hope! Microsoft has continued to improve Always On VPN in each Windows 10 major update. In fact, Windows 10 1709 brought us device tunnels (the connection you created above only applies to the currently logged-in user).

With your basic Always On VPN setup wrapped up, consider expanding it! You can make the environment redundant for stability, set up device tunnels, configure deployment for all mobile users through SCCM, or even bring in Windows Hello for Business as an authentication method!

In my next post I will explain how to troubleshoot Always On VPN if the installation fails or you are unable to establish a connection.

60 Comments
  1. Rai 8 months ago

    I am getting "A certificate could not be found that can be used with this Extensible Authentication Protocol." What am I doing wrong?

    A troubleshooting guide from MS doesn't help.

    1+

  2. Greg 8 months ago

    Which version of Windows 10 do you have?  If it is anything other than Enterprise or Education then make sure you are using user authentication and not machine authentication.

    0

  3. Phil 8 months ago

    Hi Joseph,

    I can get the VPN to connect, but unfortunately when I connect a network cable the VPN is still staying connected. Is there a way to disable this?

    Thanks

    0

    • Author
      Joseph Moody 8 months ago

      You will want to set the Trusted Network Detection options in your VPN profiles. Here is some information on that: https://docs.microsoft.com/en-us/windows/security/identity-protection/vpn/vpn-auto-trigger-profile

      0

  4. Phil 8 months ago

    Hi Joseph,

    I have added it in, but it doesn't detect it as a trusted network unless I disconnect it from the VPN.

    Thanks

    0

  5. Phil 8 months ago

    Hi Joseph,

    The LAN NIC doesn't get detected as a trusted network unless I disconnect the VPN first?

    Thanks

    0

    • Author
      Joseph Moody 6 months ago

      This sounds like a trusted network detection issue to me. What was your solution though?

      0

  6. Dan 8 months ago

    Same here! Did you ever figure out a solution? Script runs fine. I also find it odd that when I go back on the template machine, the VPN settings I saved are all gone? The scalability of this solution makes me want to look elsewhere!

    0

    • Author
      Joseph Moody 6 months ago

      Agreed - Microsoft has some work to do on the client side of this solution.

      0

  7. sebus 7 months ago

    Is there a way to get Maximum strength encryption in XML?
    Each time I create AO VPN with the PowerShell script, it is set to "require" and NOT "Maximum strength encryption".

    1+

    • Author
      Joseph Moody 6 months ago

      Hi sebus - I am actually not sure how to do this. Let me know if you find a way though.

      0

    • James Andrews 6 months ago

      Hi Sebus, did you ever find a method for forcing maximum encryption using the XML? It seems to be missing from any profile we generate.

      0

  8. WHess 6 months ago

    In the Edit Protected EAP Properties window on the NPS server, the "Issuer" value lists one of our Intermediate CAs.  "ContosoCA2".

    But when setting up a client, only our Root CA is listed, not the intermediate ones.  So if I check "ContosoRootCA" on the client at that point because "ContosoCA2" isn't listed, is that going to cause a problem?

    (I'm currently getting an 812 error, and was wondering if this is related).

    Thank you.

    1+

    • WHess 6 months ago

      So I got it working.  It actually works with ContosoRootCA checked, but not with just ContosoCA2 checked.   Even though the NPS server lists the latter as the issuer.

      0

  9. Allison Gibb 5 months ago

    "Technically, you can use Group Policy since you can use the logon/startup scripts client-side extension (CSE) to run your PowerShell script" - can anyone tell me if they have successfully managed to deploy through GP? I have banged my head for several weeks and I am unable to come up with a consistent resolution. Would be so grateful if anyone could help me out. Thanks

    0

  10. Alex Kram 5 months ago

    Hi, I have trouble with my Always On VPN.

    User tunnel (IKEv2) connection from Windows 10 (1803) is triggered, routes applied, I see its status, packets are sent to the interface, but no packets return back (zero at "Received"). Network and Sharing Center shows my VPN connection as "Identifying..." for a minute or two, then it changes to "Public network". If I wait 3-5 minutes (or if I reconnect manually), the status changes to "Domain Network" and at the same time packets start running in both directions; everything is good now, the connection works.
    When I use the SSTP protocol, everything works fine.

    How can I fix it?

    0

  11. Tho Nguyen 4 months ago

    I have weird problems with Always On VPN profile.

    I completed configuring RAS/NPS servers.  I manually created Test VPN Connection, it is working fine.  I followed your document along with Microsoft to use MakeProfile.ps1 to generate VPN_Profile.xml and VPN_Profile.ps1.  I ran VPN_Profile.ps1 to make new VPN Connection on test machine.  The new VPN Connection connected fine, but I couldn’t access network resources.  When I ping our domain controllers, it gave me 198.105.254.104.  I am thinking there is some routing issues.  Do you have any tips for me to troubleshoot this problem?

    Thanks very much for your help

    Tho

    0

    • Greg 4 months ago

      It looks more like DNS issues than routing issues.  Try to ping a DC using its IP instead of hostname.

      It looks like TMobile hijacks DNS to boost ad revenue and returns 198.105.254.104 as the IP for any nonexistent DNS requests.  This trend of hijacking DNS has been very frustrating as Windows 10 doesn't seem to act predictably when running ipconfig /flushdns 

      0

  12. Tho Nguyen 4 months ago

    Thanks Greg, I tried to ping the IP address; it doesn't go anywhere. My current problem: even though the VPN Connection shows connected, I cannot access any network resources on this VPN Connection. I can see it on the RAS server with the correct IP address.

    However, if I created VPN Connection manually on Windows 10, it is working fine. 

    When I tested the VPN Connection, I connected to my T-Mobile hotspot to simulate an external network.

    Here are the two VPN Connections. MPLSVPN is the manual one I created and it is working fine. MPLS AlwaysOn VPN is the one created by the script and it is not working. I hope you can spot something that can help me resolve this problem.

    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.

    PS C:\WINDOWS\system32> Get-WmiObject -Namespace root\cimv2\mdm\dmmap -class MDM_VPNv2_01

    __GENUS                 : 2
    __CLASS                 : MDM_VPNv2_01
    __SUPERCLASS            :
    __DYNASTY               : MDM_VPNv2_01
    __RELPATH               : MDM_VPNv2_01.InstanceID="MPLSVPN",ParentID="./Vendor/MSFT/VPNv2"
    __PROPERTY_COUNT        : 10
    __DERIVATION            : {}
    __SERVER                : TEST-1848230-L
    __NAMESPACE             : root\cimv2\mdm\dmmap
    __PATH                  : \\TEST-1848230-L\root\cimv2\mdm\dmmap:MDM_VPNv2_01.InstanceID="MPLSVPN",ParentID="./Vendor/MS
                              FT/VPNv2"
    AlwaysOn                :
    ByPassForLocal          :
    DnsSuffix               :
    EdpModeId               :
    InstanceID              : MPLSVPN
    LockDown                :
    ParentID                : ./Vendor/MSFT/VPNv2
    ProfileXML              : <VPNProfile><APNBinding><AuthenticationType>None</AuthenticationType></APNBinding><NativeProf
                              ile><Servers>vpn.minneapolis.edu;vpn.minneapolis.edu</Servers><NativeProtocolType>Ikev2</Nati
                              veProtocolType><Authentication><UserMethod>Eap</UserMethod><MachineMethod>Eap</MachineMethod>
                              <Eap><Configuration><EapHostConfig
                              xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type
                              xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type><VendorId
                              xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType
                              xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId
                              xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config
                              xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.
                              com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://www.mic
                              rosoft.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptFor
                              ServerValidation>true</DisableUserPromptForServerValidation><ServerNames>Elephant2.campus.min
                              neapolis.edu</ServerNames><TrustedRootCA>72 51 82 0d 89 a9 7b a1 49 fb ab 59 b4 9b 4f d5 a8
                              fe 9b 0a </TrustedRootCA></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptio
                              nal>false</InnerEapOptional><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnecti
                              onPropertiesV1"><Type>13</Type><EapType xmlns="http://www.microsoft.com/provisioning/EapTlsCo
                              nnectionPropertiesV1"><CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleC
                              ertSelection></CertificateStore></CredentialsSource><ServerValidation><DisableUserPromptForSe
                              rverValidation>true</DisableUserPromptForServerValidation><ServerNames>Elephant2.campus.minne
                              apolis.edu</ServerNames><TrustedRootCA>72 51 82 0d 89 a9 7b a1 49 fb ab 59 b4 9b 4f d5 a8 fe
                              9b 0a </TrustedRootCA></ServerValidation><DifferentUsername>false</DifferentUsername><Perform
                              ServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">t
                              rue</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/E
                              apTlsConnectionPropertiesV2">true</AcceptServerName></EapType></Eap><EnableQuarantineChecks>f
                              alse</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtension
                              s><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPrope
                              rtiesV2">true</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/prov
                              isioning/MsPeapConnectionPropertiesV2">true</AcceptServerName></PeapExtensions></EapType></Ea
                              p></Config></EapHostConfig></Configuration></Eap></Authentication></NativeProfile></VPNProfil
                              e>
    RememberCredentials     :
    TrustedNetworkDetection :
    PSComputerName          : TEST-1848230-L

    __GENUS                 : 2
    __CLASS                 : MDM_VPNv2_01
    __SUPERCLASS            :
    __DYNASTY               : MDM_VPNv2_01
    __RELPATH               : MDM_VPNv2_01.InstanceID="MPLS%20AlwaysOn%20VPN",ParentID="./Vendor/MSFT/VPNv2"
    __PROPERTY_COUNT        : 10
    __DERIVATION            : {}
    __SERVER                : TEST-1848230-L
    __NAMESPACE             : root\cimv2\mdm\dmmap
    __PATH                  : \\TEST-1848230-L\root\cimv2\mdm\dmmap:MDM_VPNv2_01.InstanceID="MPLS%20AlwaysOn%20VPN",ParentI
                              D="./Vendor/MSFT/VPNv2"
    AlwaysOn                : False
    ByPassForLocal          :
    DnsSuffix               : campus.minneapolis.edu
    EdpModeId               :
    InstanceID              : MPLS%20AlwaysOn%20VPN
    LockDown                :
    ParentID                : ./Vendor/MSFT/VPNv2
    ProfileXML              : <VPNProfile><RememberCredentials>true</RememberCredentials><AlwaysOn>false</AlwaysOn><DnsSuff
                              ix>campus.minneapolis.edu</DnsSuffix><TrustedNetworkDetection>campus.minneapolis.edu</Trusted
                              NetworkDetection><NativeProfile><Servers>vpn.minneapolis.edu;vpn.minneapolis.edu</Servers><Ro
                              utingPolicyType>SplitTunnel</RoutingPolicyType><NativeProtocolType>Ikev2</NativeProtocolType>
                              <Authentication><UserMethod>Eap</UserMethod><MachineMethod>Eap</MachineMethod><Eap><Configura
                              tion><EapHostConfig
                              xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type
                              xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type><VendorId
                              xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType
                              xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId
                              xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config
                              xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.
                              com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://www.mic
                              rosoft.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptFor
                              ServerValidation>true</DisableUserPromptForServerValidation><ServerNames>Elephant2.campus.min
                              neapolis.edu</ServerNames><TrustedRootCA>72 51 82 0d 89 a9 7b a1 49 fb ab 59 b4 9b 4f d5 a8
                              fe 9b 0a </TrustedRootCA></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptio
                              nal>false</InnerEapOptional><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnecti
                              onPropertiesV1"><Type>13</Type><EapType xmlns="http://www.microsoft.com/provisioning/EapTlsCo
                              nnectionPropertiesV1"><CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleC
                              ertSelection></CertificateStore></CredentialsSource><ServerValidation><DisableUserPromptForSe
                              rverValidation>true</DisableUserPromptForServerValidation><ServerNames>Elephant2.campus.minne
                              apolis.edu</ServerNames><TrustedRootCA>72 51 82 0d 89 a9 7b a1 49 fb ab 59 b4 9b 4f d5 a8 fe
                              9b 0a </TrustedRootCA></ServerValidation><DifferentUsername>false</DifferentUsername><Perform
                              ServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">t
                              rue</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/E
                              apTlsConnectionPropertiesV2">true</AcceptServerName></EapType></Eap><EnableQuarantineChecks>f
                              alse</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtension
                              s><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPrope
                              rtiesV2">true</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/prov
                              isioning/MsPeapConnectionPropertiesV2">true</AcceptServerName></PeapExtensions></EapType></Ea
                              p></Config></EapHostConfig></Configuration></Eap></Authentication></NativeProfile><DomainName
                              Information><DomainName>campus.minneapolis.edu</DomainName><DnsServers>134.29.***.***</DnsServers></DomainNameInformation></VPNProfile>
    RememberCredentials     : True
    TrustedNetworkDetection : campus.minneapolis.edu
    PSComputerName          : TEST-1848230-L


    PS C:\WINDOWS\system32>

    0

  13. Tho Nguyen 4 months ago

    I believe I found the problem. The VPN Connection that I created manually used force tunneling, so it is working fine. The VPN Connection that I created using VPN_Profile.ps1 uses split tunneling. I tried to add some static routes on the RAS server, but it is still not working.

    0

  14. Franics 3 months ago

    Hi Guys 

    I have set up a user tunnel AOVPN on Windows 10 1809. I have deployed it to a few machines using SCCM and it seems to work fine when I manually click on Connect. However, auto connect does not seem to work; we always have to click on the VPN template and click Connect to get it working. I thought the whole idea of AOVPN was to automatically connect. I have been trying to troubleshoot this for the last few days with no luck. I will appreciate any type of advice or assistance.

    Many thanks 

    0

© 4sysops 2006 - 2019