Welcome to part five in our Always On VPN series! So far, you have learned how Always On VPN works, configured the Certificate Authority, installed NPS and RRAS for remote connectivity, and set up your network for secure connections. It is now time for your clients to connect!

In this segment, you will set up a client template. After configuring the client template, you will be able to test your setup. Finally, you will need to decide on a client deployment method and roll this out to other machines!

Creating the Always On VPN client template

Start with a clean domain-joined machine (physical or virtual). The machine should be running Windows 10 1607 or greater. This computer will be your template machine. It will need to reach your Remote Access/VPN server from an external network connection. On this machine, you will manually create the VPN connection and then test it. Although you can manually create the connection template in XML, it is probably easier to configure it through a connection wizard and export it with PowerShell later. We will do that now.

We'll create the VPN Profile.ps1 file near the end of this article


In parts 3 and 4, we reviewed certificate requirements for Network Policy Server (NPS) or Remote Authentication Dial-In User Service (RADIUS). For optimal security, your clients should know the NPS host name when connecting. A certificate issued to the NPS machine will store this exact host name, along with the name of a trusted certificate authority (CA).

Connect to your NPS/RADIUS machine and launch the NPS Microsoft Management Console (MMC). Expand to Policies\Network Policies. Right-click on the Virtual Private Network (VPN) network policy you created in part 3 and select Properties.

Click on the Constraints tab. On the Authentication Methods constraint, select Microsoft: Protected EAP (PEAP) and then click on Edit.

Editing the Microsoft Protected EAP (PEAP) authentication method constraint


The Edit Protected EAP Properties window should now be open. Note the certificate issued to value as well as the Issuer value. Once you have these values, you can cancel out of any open windows in the NPS console. You will enter these values in the advanced template configuration section below.

On your template machine, log in as a user that is a member of the VPN Users group. Once logged in, open certmgr.msc and verify a certificate was issued from the VPN Users template. If not, review part 2 of this series. Click on Start and search for VPN. You may need to filter to just Settings to see the Change Virtual Private Network (VPN) option.

Creating the Always On VPN client template manually


Select Add a VPN connection and do the following:

  • Change the VPN Provider to Windows (built-in)
  • Specify a temporary connection name such as template
  • Enter the external fully qualified domain name (FQDN) of your Always On VPN server. This is the DNS value you created in part 4 of this series.

The Always On VPN template is ready for configuration


Click Save to close the Add a VPN connection window. On the right-hand side under Related Settings, click on Change Adapter options (or navigate to Control Panel\Network and Internet\Network Connections).

Right-click on your template and select Properties. Configure the following on the Security tab:

  • Change the Type of VPN to IKEv2.
  • Change the Data encryption value to Maximum strength encryption.
  • Click the Use Extensible Authentication Protocol (EAP) radio button and select Microsoft: Protected EAP (PEAP) (encryption enabled) from the drop-down list.

While still on the Security tab, click on Properties to launch the Protected EAP Properties window.

  • Enter the certificate issued to value in the Connect to these servers field.
  • Under Trusted Root Certification Authorities, check the CA name that matches the Issuer value you recorded earlier.
  • On the Notifications before connecting drop-down list, select Don't ask user to authorize new servers or trusted CAs.
  • For the Authentication Method, select Smart Card or other Certificate.

Protected EAP Properties for a secure Always On VPN connection


To the right of Smart Card or other certificate, click the Configure button (as seen in the image above). The options you will configure now control how the client selects a local certificate for authentication.

On the Smart Card or other Certificate Properties window:

  • Select the radio button for Use a certificate on this computer.
  • Enter the certificate issued to value in the Connect to these servers field.
  • Under Trusted Root Certification Authorities, check the CA name that matches the Issuer value you recorded earlier. This option and the previous option should match the values you entered on the Protected EAP Properties screen above.
  • Check the Don't prompt user to authorize new servers or trusted certification authorities box.

Controlling the local certificate used for Always On VPN authentication


If your VPN users have multiple user certificates (as seen in certmgr.msc) and are prompted to select one before connecting, you can use the Advanced tab to refine certificate selection.
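Before exporting the template, it is worth confirming that what the wizard wrote out matches the values you recorded from the NPS console. The following PowerShell check is an added example, not part of the original article or any Microsoft script; the three values at the top ($TemplateName, $NpsIssuedTo, $NpsIssuerName) are placeholders for your own connection name and NPS certificate values.

```powershell
# Added example, not from the original article: compare the template connection built above with the
# values recorded from the NPS console. The three values below are placeholders you replace with your own.
$TemplateName  = 'template'                  # connection name entered in the Add a VPN connection dialog
$NpsIssuedTo   = 'nps01.corp.example.com'    # "Issued to" value from Edit Protected EAP Properties (placeholder)
$NpsIssuerName = 'Example Root CA'           # "Issuer" value from the same window (placeholder)

$conn = Get-VpnConnection -Name $TemplateName -ErrorAction Stop
$problems = @()

# Security tab settings: IKEv2, maximum strength encryption, EAP.
if ($conn.TunnelType -ne 'Ikev2')                  { $problems += "Tunnel type is $($conn.TunnelType), expected IKEv2" }
if ($conn.EncryptionLevel -ne 'Maximum')           { $problems += "Encryption level is $($conn.EncryptionLevel), expected Maximum" }
if ($conn.AuthenticationMethod -notcontains 'Eap') { $problems += "Authentication method is $($conn.AuthenticationMethod), expected EAP" }

if (-not $conn.EapConfigXmlStream) { Write-Warning 'No EAP configuration on this connection.'; return }
$eap = [xml]$conn.EapConfigXmlStream.OuterXml

# Both the outer PEAP block and the inner Smart Card or other Certificate block carry a ServerValidation
# section with the same element names; local-name() matches them regardless of their XML namespaces.
$serverNames = @($eap.SelectNodes('//*[local-name()="ServerNames"]') | ForEach-Object { $_.InnerText })
if ($serverNames.Count -lt 2) { $problems += "Expected Connect to these servers in both PEAP and inner method settings, found $($serverNames.Count)" }
foreach ($sn in $serverNames) {
    if ($sn -ne $NpsIssuedTo) { $problems += "Connect to these servers value '$sn' does not match NPS certificate name '$NpsIssuedTo'" }
}

# TrustedRootCA holds the SHA-1 thumbprint of the checked CA as space-separated hex; resolve it in the Root store.
$thumbs = @($eap.SelectNodes('//*[local-name()="TrustedRootCA"]') | ForEach-Object { ($_.InnerText -replace '\s', '').ToUpper() })
foreach ($t in $thumbs) {
    $ca = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $t }
    if (-not $ca) { $problems += "Trusted root thumbprint $t is not in LocalMachine\Root"; continue }
    if ($ca.Subject -notmatch [regex]::Escape($NpsIssuerName)) { $problems += "Trusted root '$($ca.Subject)' does not match NPS issuer '$NpsIssuerName'" }
}

# Both "don't prompt" boxes must be checked, otherwise the connection can stall on a user prompt.
$prompts = @($eap.SelectNodes('//*[local-name()="DisableUserPromptForServerValidation"]') | Where-Object { $_.InnerText -ne 'true' })
if ($prompts.Count -gt 0) { $problems += "$($prompts.Count) server-validation block(s) still allow prompting for new servers or CAs" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "Template '$TemplateName' matches the recorded NPS values and is ready to export." }
```

Run it as the same user who created the template, since the connection lives in that user's phonebook.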

Testing Always On VPN connections

Click OK for all open windows and return to the Network Connections control panel window. Ensure you are connected to an external network. Select your VPN template (either in Settings or from the notification area in the bottom-right section of the taskbar). Click Connect.

Testing the Always On VPN template


Hopefully, your VPN template successfully connected. Proceed to the next section if it did. For anyone else, I'm sorry. The problem is likely a small misconfiguration or missing checkbox somewhere. On the client template machine, open the Application Event Log and look for events with a RasClient source. You should see a message and an error code. Microsoft provides some basic guidance for Always On VPN 800x errors here. If you still have a connection issue, leave a detailed comment and upload any logs here.
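Reading those RasClient events by hand gets tedious after a few attempts. The script below is an added example (not from the original article) that pulls the recent RasClient events for one connection and extracts the error code from each failure message; $ConnectionName is an assumption matching the template name used above, and the short hint table lists a few well-known RAS error codes that are not taken from this article.

```powershell
# Added example, not from the original article: read the RasClient events the text points you to and pull
# the error code out of each failure message. $ConnectionName is an assumption matching the name used above.
$ConnectionName = 'template'

$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient' } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape("named $ConnectionName") })
if ($events.Count -eq 0) { Write-Warning "No RasClient events for '$ConnectionName' in the Application log."; return }

# Well-known RAS error codes (not taken from the article); anything else is looked up in Microsoft's guidance.
$hints = @{
    809   = 'Server not responding: IKEv2 UDP 500/4500 not reachable from the external network'
    812   = 'NPS policy rejected the connection: check the network policy and PEAP settings from part 3'
    13801 = 'IKE credentials unacceptable: server certificate name, EKU or trust chain problem'
    13806 = 'No valid machine certificate found for IKE'
}

$events | ForEach-Object {
    # Failure events read "...dialed a connection named <name> which has failed. The error code returned on failure is <n>."
    $code = $null
    if ($_.Message -match 'error code returned on failure is (\d+)') { $code = [int]$Matches[1] }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        ErrorCode = $code
        Hint      = if ($code -and $hints.ContainsKey($code)) { $hints[$code] } elseif ($code) { 'See Microsoft 800x error guidance' } else { '' }
    }
} | Sort-Object Time | Format-Table -AutoSize
```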

Deploying Always On VPN connection templates

First, we need to export the template file we created and tested above. Download the latest MakeProfile.ps1 script from TechNet. Configure the parameters at the top with the following directions:

  • $Template: the template name you used earlier (such as template)
  • $ProfileName: the final name clients would see (such as AlwaysOn)
  • $Servers: the external FQDN of your Remote Access server (the value you entered on the template)
  • $DnsSuffix: the internal DNS suffix of clients; ipconfig will show the formatting (such as local)
  • $DomainName: the DNS suffix with a leading dot (such as .Test.local)
  • $TrustedNetwork: likely the same as the DnsSuffix

Run this script under the user account that created the VPN template by logging in locally (no Remote Desktop/Hyper-V Enhanced session).

If the script successfully runs, you should see two files on the current user's desktop: VPN_Profile.xml and VPN_Profile.ps1.

Microsoft provides a few ways to deploy Always On VPN connections. Currently, you can deploy them with a PowerShell script, SCCM, or Intune. SCCM uses the VPN_Profile.ps1 file, and Intune uses the VPN_Profile.xml file. Technically, you can use Group Policy since you can use the logon/startup scripts client-side extension (CSE) to run your PowerShell script.

For this deployment, we will use the PowerShell method since it is the simplest to set up. However, it does not scale well. The user running the VPN_Profile.ps1 script needs to log in locally as an administrative user. It is fine to use your template machine for this, but delete the profile you created earlier.

Connect this machine to your internal network. Make sure your logged-in user is an administrator, and then start PowerShell as an administrator. Open up your VPN_Profile.ps1 script and run it. If it successfully runs, it should create a new Always On VPN profile. It will see you are internally connected (through the DNS suffix values you specified earlier). Disconnect from your internal network and connect to an external one. Within a few seconds, Windows 10 should detect the network change and automatically start the Always On VPN profile!

What's next for Always On VPN?

In this five-part series, we actually set up a very simple Always On VPN infrastructure. As you learned, tying everything together takes a lot of technical work! You also saw that this technology is not quite perfect. Deployment methods can be a thorn in the side for some organizations. In my opinion, Microsoft should fully support Group Policy as a deployment method.

There is hope! Microsoft has continued to improve Always On VPN in each Windows 10 major update. In fact, Windows 10 1709 brought us device-side connections (your connection above only applies to the current logged-in user).

With your basic Always On VPN setup wrapped up, consider expanding it! You can make the environment redundant for stability, set up device tunnels, configure deployment for all mobile users through SCCM, or even bring in Windows Hello for Business as an authentication method!


In my next post I will explain how to troubleshoot Always On VPN if the installation fails or you are unable to establish a connection.