Welcome to part five in our Always On VPN series! So far, you have learned how Always On VPN works, configured the Certificate Authority, installed NPS and RRAS for remote connectivity, and set up your network for secure connections. It is now time for your clients to connect!

In this segment, you will set up a client template. After configuring the client template, you will be able to test your setup. Finally, you will need to decide on a client deployment method and roll this out to other machines!

Creating the Always On VPN client template

Start with a clean domain-joined machine (physical or virtual). The machine should be running Windows 10 1607 or greater. This computer will be your template machine. It will need a way to connect into your network to your Remote Access/VPN server from an external connection. On this machine, you will manually create the VPN connection and then test it. Although you can manually create the connection template in XML, it is probably easier to configure it through a connection wizard and export it with PowerShell later. We will do that now.

We'll create the VPN Profile.ps1 file near the end of this article

In parts 3 and 4, we reviewed certificate requirements for Network Policy Server (NPS) or Remote Authentication Dial-In User Service (RADIUS). For optimal security, your clients should know the NPS host name when connecting. A certificate issued to the NPS machine will store this exact host name, along with the name of a trusted certificate authority (CA).

Connect to your NPS/RADIUS machine and launch the NPS Microsoft Management Console (MMC). Expand to Policies\Network Policies. Right-click on the Virtual Private Network (VPN) network policy you created in part 3 and select Properties.

Click on the Constraints tab. On the Authentication Methods constraint, select Microsoft: Protected EAP (PEAP) and then click on Edit.

Editing the Microsoft Protected EAP (PEAP) authentication method constraint

The Edit Protected EAP Properties window should now be open. Note the certificate issued to value as well as the Issuer value. Once you have these values, you can cancel out of any open windows in the NPS console. You will enter these values in the advanced template configuration section below.

On your template machine, log in as a user that is a member of the VPN Users group. Once logged in, open certmgr.msc and verify a certificate was issued from the VPN Users template. If not, review part 2 of this series. Click on Start and search for VPN. You may need to filter to just Settings to see the Change Virtual Private Network (VPN) option.

Creating the Always On VPN client template manually

Select Add a VPN connection and do the following:

  • Change the VPN Provider to Windows (built-in)
  • Specify a temporary connection name such as template
  • Enter the external fully qualified domain name (FQDN) of your Always On VPN server. This is the DNS value you created in part 4 of this series.

The Always On VPN template is ready for configuration

Click Save to close the Add a VPN connection window. On the right-hand side under Related Settings, click on Change Adapter options (or navigate to Control Panel\Network and Internet\Network Connections).

Right-click on your template and select Properties. Configure the following on the Security tab:

  • Change the Type of VPN to IKEv2.
  • Change the Data encryption value to Maximum strength encryption.
  • Click the Use Extensible Authentication Protocol (EAP) radio button and select Microsoft: Protected EAP (PEAP) (encryption enabled) from the drop-down list.

While still on the Security tab, click on Properties to launch the Protected EAP Properties window.

  • Enter the certificate issued to value in the Connect to these servers field.
  • Under Trusted Root Certification Authorities, check the CA name that matches the Issuer value you recorded earlier.
  • On the Notifications before connecting drop-down list, select don't ask user to authorize new servers or trusted CAs.
  • For the Authentication Method, select Smart Card or other Certificate.

Protected EAP Properties for a secure Always On VPN connection

To the right of Smart Card or other certificate, click the Configure button (as seen in the image above). The options you will configure now control how the client selects a local certificate for authentication.

On the Smart Card or other Certificate Properties window:

  • Select the radio button for Use a certificate on this computer.
  • Enter the certificate issued to value in the Connect to these servers field.
  • Under Trusted Root Certification Authorities, check the CA name that matches the Issuer value you recorded earlier. This option and the previous option should match the values you entered on the Protected EAP Properties screen above.
  • Check the Don't prompt user to authorize new servers or trusted certification authorities option.

Controlling the local certificate used for Always On VPN authentication

If your VPN users have multiple user certificates (as seen in certmgr.msc) and are prompted to select one before connecting, you can use the Advanced tab to refine certificate selection.

Testing Always On VPN connections

Click OK for all open windows and return to the Network Connections control panel window. Ensure you are connected to an external network. Select your VPN template (either in Settings or from the notification area in the bottom-right section of the taskbar). Click Connect.

Testing the Always On VPN template

Hopefully, your VPN template successfully connected. Proceed to the next section if it did. For anyone else, I'm sorry. The problem is likely a small misconfiguration or missing checkbox somewhere. On the client template machine, open the Application Event Log and look for events with a RasClient source. You should see a message and an error code. Microsoft provides some basic guidance for Always On VPN 800x errors here. If you still have a connection issue, leave a detailed comment and upload any logs here.

Deploying Always On VPN connection templates

First, we need to export the template file we created and tested above. Download the latest MakeProfile.ps1 script from TechNet. Configure the parameters at the top with the following directions:

  • $Template: the template name you used earlier (such as template)
  • $ProfileName: the final name clients would see (such as AlwaysOn)
  • $Servers: the external FQDN of your Remote Access server (the value you entered on the template)
  • $DnsSuffix: the internal DNS suffix of clients; ipconfig will show the formatting (such as local)
  • $DomainName: the DNS suffix with a leading dot (such as .Test.local)
  • $TrustedNetwork: likely the same as the DnsSuffix

Run this script under the user account that created the VPN template by logging in locally (no Remote Desktop/Hyper-V Enhanced session).

If the script successfully runs, you should see two files on the current user's desktop: VPN_Profile.xml and VPN_Profile.ps1.

Microsoft provides a few ways to deploy Always On VPN connections. Currently, you can deploy them with a PowerShell script, SCCM, or Intune. SCCM uses the VPN_Profile.ps1 file, and Intune uses the VPN_Profile.xml file. Technically, you can use Group Policy since you can use the logon/startup scripts client-side extension (CSE) to run your PowerShell script.

For this deployment, we will use the PowerShell method since it is the simplest to set up. However, it does not scale well. The user running the VPN_Profile.ps1 script needs to log in locally as an administrative user. It is fine to use your template machine for this, but delete the profile you created earlier.

Connect this machine to your internal network. Make sure your logged-in user is an administrator, and then start PowerShell as an administrator. Open up your VPN_Profile.ps1 script and run it. If it successfully runs, it should create a new Always On VPN profile. It will see you are internally connected (through the DNS suffix values you specified earlier). Disconnect from your internal network and connect to an external one. Within a few seconds, Windows 10 should detect the network change and automatically start the Always On VPN profile!
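The Protected EAP settings configured above (the NPS server name, the pinned trusted root CA, no prompt to authorize new servers) and the IKEv2 tunnel type are what the exported VPN_Profile.xml carries to every client, so it is worth checking them mechanically before VPN_Profile.ps1 runs. The following PowerShell is an added example, not code from the article or from Microsoft's MakeProfile.ps1/VPN_Profile.ps1; it assumes constructed names (vpn.example.com, nps.corp.example.com, test.local) and a made-up CA thumbprint, and reads the same element names a MakeProfile.ps1 export contains.

```powershell
# Added example, not the article's code or Microsoft's MakeProfile.ps1/VPN_Profile.ps1.
# vpn.example.com, nps.corp.example.com, test.local and the thumbprint are constructed placeholders.
# Constructed VPN_Profile.xml trimmed to the elements the checks read; a real MakeProfile.ps1
# export uses the same element names inside a fuller EapHostConfig.
$SampleProfileXML = @'
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DnsSuffix>test.local</DnsSuffix>
  <TrustedNetworkDetection>test.local</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap><Configuration>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
          <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
            <Type>25</Type>
            <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
              <ServerValidation>
                <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
                <ServerNames>nps.corp.example.com</ServerNames>
                <TrustedRootCA>0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d</TrustedRootCA>
              </ServerValidation>
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>13</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                  <ServerValidation>
                    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
                    <ServerNames>nps.corp.example.com</ServerNames>
                    <TrustedRootCA>0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d</TrustedRootCA>
                  </ServerValidation>
                </EapType>
              </Eap>
            </EapType>
          </Eap>
        </Config></EapHostConfig>
      </Configuration></Eap>
    </Authentication>
  </NativeProfile>
</VPNProfile>
'@

function Get-NodeText([System.Xml.XmlNode]$Node, [string]$Name) {
    # local-name() ignores the EAP namespaces, so one XPath serves the PEAP and the inner EAP-TLS block
    $n = $Node.SelectSingleNode(".//*[local-name()='$Name']")
    if ($n) { $n.InnerText.Trim() } else { '' }
}

function Test-AovpnProfileXml {
    param(
        [Parameter(Mandatory)][string]$ProfileXML,
        [Parameter(Mandatory)][string]$VpnServerFqdn,        # external FQDN entered on the template
        [Parameter(Mandatory)][string]$NpsServerName,        # the "certificate issued to" value from NPS
        [Parameter(Mandatory)][string]$TrustedRootThumbprint # SHA-1 thumbprint of the CA named as Issuer
    )
    [xml]$doc = $ProfileXML
    $fail = [System.Collections.Generic.List[string]]::new()
    if ((Get-NodeText $doc 'NativeProtocolType') -ne 'IKEv2') { $fail.Add('NativeProtocolType is not IKEv2') }
    if ((Get-NodeText $doc 'Servers') -ne $VpnServerFqdn) { $fail.Add("Servers is not $VpnServerFqdn") }
    if ((Get-NodeText $doc 'UserMethod') -ne 'Eap') { $fail.Add('UserMethod is not Eap') }
    if ((Get-NodeText $doc 'AlwaysOn') -ne 'true') { $fail.Add('AlwaysOn is not true') }
    if (-not (Get-NodeText $doc 'TrustedNetworkDetection')) { $fail.Add('TrustedNetworkDetection is empty') }
    $want = ($TrustedRootThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $blocks = $doc.SelectNodes(".//*[local-name()='ServerValidation']")
    if ($blocks.Count -eq 0) { $fail.Add('no ServerValidation block: any server certificate would be accepted') }
    foreach ($b in $blocks) {   # both the PEAP and the EAP-TLS block must carry the same values
        if ((Get-NodeText $b 'DisableUserPromptForServerValidation') -ne 'true') { $fail.Add('user can be prompted to trust a new server') }
        if ((Get-NodeText $b 'ServerNames') -ne $NpsServerName) { $fail.Add("ServerNames is not $NpsServerName") }
        $got = ((Get-NodeText $b 'TrustedRootCA') -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        if ($got -ne $want) { $fail.Add('TrustedRootCA thumbprint does not match the Issuer CA') }
    }
    return ,$fail
}

function Get-AovpnBridgeInstance([string]$ProfileName) {
    # The MDM bridge keys the profile by a URL-encoded name (a space becomes %20, which is why
    # InstanceIDs like "Contoso%20AlwaysOn" appear in the comments below), so filter on that form
    $id = $ProfileName -replace ' ', '%20'
    Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_VPNv2_01' `
        -Filter "InstanceID='$id'" -ErrorAction SilentlyContinue
}

$issues = Test-AovpnProfileXml -ProfileXML $SampleProfileXML -VpnServerFqdn 'vpn.example.com' `
    -NpsServerName 'nps.corp.example.com' -TrustedRootThumbprint '0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D'
if ($issues.Count -gt 0) { $issues | ForEach-Object { Write-Warning $_ }; throw 'Fix the profile before running VPN_Profile.ps1' }
Write-Host 'Profile XML passes the checks'
```

Against a real export, pass `Get-Content .\VPN_Profile.xml -Raw` as the ProfileXML; after VPN_Profile.ps1 has run, `Get-AovpnBridgeInstance 'Contoso AlwaysOn'` returning nothing means the profile never reached the MDM bridge.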

What's next for Always On VPN?

In this five-part series, we actually set up a very simple Always On VPN infrastructure. As you learned, tying everything together takes a lot of technical work! You also saw that this technology is not quite perfect. Deployment methods can be a thorn in the side for some organizations. In my opinion, Microsoft should fully support Group Policy as a deployment method.

There is hope! Microsoft has continued to improve Always On VPN in each Windows 10 major update. In fact, Windows 10 1709 brought us device-side connections (your connection above only applies to the current logged-in user).

With your basic Always On VPN setup wrapped up, consider expanding it! You can make the environment redundant for stability, set up device tunnels, configure deployment for all mobile users through SCCM, or even bring in Windows Hello for Business as an authentication method!

In my next post I will explain how to troubleshoot Always On VPN if the installation fails or you are unable to establish a connection.

66 Comments
  1. Chris G (Rank 1) 5 years ago

    I know that typically, separate servers are preferred, especially for the CA but, can things like NPS and RRAS be on the same server to consolidate functions so I don’t have to put up another virtual server and use more licenses or buy another physical server?

    • Author
      Joseph Moody (Rank 3) 5 years ago

      You could certainly combine them. In this case, the NPS and RRAS roles are split out for additional security. It might be better to combine the CA and NPS role instead.

  2. Melvin Backus 5 years ago

    Since this appears to require local admin rights to be installed, and it’s user specific, does this in fact mean that it will only work for users who have local admin rights on their computer? That seems to be a major issue if true.  That’s actually one of the big pain points we have now with RRAS in our configuration due to the requirement for us to update route tables when the connection is made.

    • Author
      Joseph Moody (Rank 3) 5 years ago

      Without SCCM or intune, you would have to do a one time admin install per user. You can use Group Policy Preferences Local User and Groups to make the user a member of the administrators group only when they are logged in. You can use the common tab to make it apply one time. This + Group Policy Scripts can let you deploy this and ensure that the user is only an admin for the least amount of time possible.

  3. Jon 5 years ago

    Having some trouble and hope you can point me in the right direction to troubleshoot. I’ve successfully edited the “MakeProfile.ps1” script with my companies parameters and it has successfully created both the VPN_Profile.ps1 script as well as the VPN_Profile.xml file which look correct.

    I’ve then successfully run the script on a few test clients while logged in as a local admin running powershell as an admin and… successfully deployed the script via an SCCM package however under both methods, I never see a VPN profile get created or a VPN adapter created in Network connections.

    I’ve searched Windows application, system, etc… logs, not sure where to start troubleshooting. The Microsoft deployment guide provides a powershell command to check for successful creation which seems wrong.

    Remote Access Always On VPN Deployment Guide for Windows Server 2016 and Windows 10

    Get-WmiObject -Namespace root\\cimv2\\mdm\\dmmap -Class MDM_VPNv2_01

    I get an error when running the command above from pg 61.

    When I run this –

    Get-WmiObject -Namespace root\cimv2\mdm\dmmap -Class MDM_VPNv2_01

    I get no return .

    After running the script manually as admin, the return is:

    Always On:
    ByPassForLocal:
    DNSSuffix:
    EDPModeID:
    InstanceID: <CompanyName>%20AlwaysOn%VPN
    Lockdown:
    ParentID:./Vendor/MSFT/VPNv2
    ProfileXML:
    RememberCredentials:
    TrustedNetworkDetection:
    PSComputerName:

    “Created <company name> Always On VPN Profile.”

    Script Complete

    Appreciate suggestions/input.

    Thank you,

    • Author
      Joseph Moody (Rank 3) 5 years ago

      What progress did you make on this? The deployment method for this technology still needs some work… 🙂

    • James Hill 5 years ago

      If running the VPN_Profile.ps1 script takes a long time, appears to succeed, but no profile is created, ensure that the dwmappushsvc windows service is running.  This service is disabled in a popular Windows 10 Initial Setup Script written by Disassembler used by some SCCM, MDT admins etc.

      I added the following to the start of the VPN_Profile.ps1 script to resolve the issue:

      # Enable and start the WAP Push service (dmwappushservice) that profile creation depends on
      Set-Service "dmwappushservice" -StartupType Automatic
      Start-Service "dmwappushservice"
      # Delayed auto-start so the service comes up on its own after a reboot
      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\dmwappushservice" -Name "DelayedAutoStart" -Type DWord -Value 1

      This resulted in the script completing in 1-2 seconds and the profile being successfully created.

  4. Jacob Bartlett 5 years ago

    Is Windows 10 the only supported Always On VPN client? Or is it possible to deploy Server 2012 R2 or Server 2016 as an Always On VPN client?

  5. Pete 5 years ago

    We have an offline standalone root CA and an Enterprise subordinate CA. I issue all certificates from our subordinate CA. I verified on the NPS server that the certificate issued to is the NPS server and the issuer is the Enterprise subordinate CA. On the remote client I input the FQDN of the NPS server in the “connect to these servers” text box. Then I have the trusted root Certification authority’s options. How do I make sure that the issuer is the enterprise subordinate CA on the client

  6. Ravi 5 years ago

    Great write up,

    Just a question, I have multiple sites around the world and each site would use its own VPN server.

    I was planning to allow failover to another site if the users primary site was down. Can this be done without traffic manager?

    Can I deploy two client policies one to the primary site and one to the secondary? How would I control which is primary and secondary?

    Thanks

    • Author
      Joseph Moody (Rank 3) 5 years ago

      You would probably want to deploy a custom vpn template to each client location along with a secondary VPN connection template for backup purposes.

  7. Chris 5 years ago

    Hey There,
    at first thx for your nice work 🙂 but I still have an Error ID 13806 in the Event Log
    The Certificates are still there, and issued to the Server but the Issuer is my Enterprise Sub-CA
    I have an offline standalone root CA and an Enterprise subordinate CA.

    Can you help me by this?
    Thx a Lot

    Christian

    • Author
      Joseph Moody (Rank 3) 5 years ago

      I think this is similar to Pete’s question (above). I don’t have a good answer on this yet. If you do find out a solution, please post it here.

  8. Pete 5 years ago

    The issue we had with our subordinate CA was with the CDP path not pointing to the proper location. It’s usually published via IIS. For PEAP to work it must be able to contact your CRL. Once I changed the location of the CDP to a folder in IIS and verified everything was fine in the PKI console on the subordinate server all is working perfectly.

    Hope this helps

  9. Pat DiPersia 5 years ago

    Setting up my first always on VPN (User only, not device) and hitting a wall.  I used Microsoft’s MakeProfile.PS1 to suck the settings out of a working VPN on a Windows 10 1709 machine.  Ran successfully and created a VPN_Profile.PS1.  I deleted the VPN connection on said machine and ran the VPN_Profile.PS1.  Errors out, simply stating “A general error occurred that is not covered by a more specific error code.”  Helpful. I am in as a machine admin and running powershell as an admin.

    So I removed all of the error catching and diagnosed the script and found it’s breaking on this line –     $session.CreateInstance($namespaceName, $newInstance, $options)

    I looked at each of the variables being passed and they look good to this untrained eye.  Any ideas how to dig deeper?

    • Author
      Joseph Moody (Rank 3) 5 years ago

      Check this article out: https://4sysops.com/archives/if-an-always-on-vpn-fails-to-install-and-connect/

      Let me know if the first section helps.

  10. Pat DiPersia 5 years ago

    No dice, checked the items in your list of things to watch for.  We’re logging in interactively, as the admin.  Checked for constrained language (New one for me) – machine is full language.  Not using applocker or anything else we can think that will keep the script from running.  To be clear, it’s choking when doing the actual creation of the VPN profile, so I have to imagine something in there is the issue.

  11. Daniel 5 years ago

    Like many before me have stated, the requirement for Local Admin for this is a BIG downfall… I have also tried deploying this via SCCM without success, there is still the requirement to install it in the user’s context and therefore it fails…

    I find that this walk through is Extremely good with the exception of the deployment part which is the same for all the documentation surrounding AOVPN even from MS, VERY Frustrating!

    Perhaps a separate article on how we can successfully achieve deployment to non-administrative users from SCCM would be nice, do you know where we can find this, or do you have something up your sleeve?

    • Author
      Joseph Moody (Rank 3) 5 years ago

      I agree Daniel! This is the worst part about Always On. It is a push to make people adopt Intune or SCCM. I do have a post coming up soon showing how to do this as a non-admin if you have SCCM.

  12. Ian 5 years ago

    So AutoVPN is working as expected, however as the local personal\Cert store has two certs it’s prompting to select one, is there a way to edit the XML to specify some parameters as to which one to use?

    One is for Skype so its “Issued by : Communications Server”
    One is for AutoVPN and its “issued by: XXXX CA server”

    • Author
      Joseph Moody (Rank 3) 5 years ago

      Did you get this figured out? If not, open your VPN properties (Control Panel\Network and Internet\Network Connections). Go to Security. Properties (under PEAP).

      Click configure. Make sure that use simple certificate selection is checked.

      Press advanced. Make sure that certificate issuer is checked and check your CA server name.

      Run the Make Profile PowerShell script from this computer again (changing any of the properties at the top to match this machine – for example, the template name will be whatever the VPN profile is named on your real machine).

      This will give you a new VPN_Profile.ps1 script with that certificate selection built into it. Deploy that script now.

      If you had two personal certs issued by the same CA, you would just add the EKU values that are at the bottom of that Configure Certificate Selection screen.

  13. Michael 5 years ago

    Well… after I got everything working on my Surface (pre last Cumulative Update)…. I encountered this:

    On another Windows 10 Enterprise Laptop (post last Cumulative Update) i logged on with the same User i used on my Surface to configure the initial Connection / Template.

    The Settings I do on the Template VPN Connection disappear after closing out everything with OK.

    Ever after assigning local and Domain Admin Rights to this user and trying 3 different, all completely up to date Windows 10 Enterprise Laptops (post last Cumulative Update) – no luck.

    On every Laptop after creating the VPN Template and changing all the Settings – it Forgets them.

    Properties -> Security -> Looks ok.

    Properties on PEAP -> all blank

    When trying to connect with this VPN, a User / PW box Pops up – since it forgot all the Settings.

    WOW

  14. ianc 5 years ago

    Thanks for the article Joseph,

    Part 3 talks about setting up the NPS server and step 4 says “Do not worry about the certificate section yet”.

    Part 5 talks about creating the VPN template, and as a prerequisite, has you open the PEAP properties dialog on the NPS server’s Network Policy to extract the ‘certificate issued to’, and ‘issuer’ values.

    The trouble is, you never specified which cert to select in the NPS network policy. The NPS server’s? The VPN server’s? Suppose they are co-resident on the same server?

    Going to start guessing now… 😉

    ianc

  15. Ianb 5 years ago

    I am getting error 812 connecting from W10 test. Checked everything

    What is the correlation between NPS on the Radius server and NPS on the VPN server? NPS on the VPN server has NPS with “Conditions to Microsoft Routing and Remote Access Server” enabled and Grant Access. From what I’ve read 812 seems to be a mismatch ??

  16. Andy 5 years ago

    Hi Joseph

    Thanks for the good series of articles.

    I am in the process of rolling out AOVPN but have some specific questions.

    Can a device tunnel be implemented at the same time of a user tunnel ?

    If yes can the end user disconnect both as required

    Can the AOVPN profile be configured to use captive portals for both Device and User tunnels

    Thanks

  17. Kachi 5 years ago

    Pls I need the configuration for the Edge router/firewall and the internal router/firewall concerning vpn filter and vpn traffic as the vpn server is placed in between them.

    Thanks

  18. Jon 5 years ago

    Hello Joseph,

    I posted a few months ago about issues with rolling out the VPN profile via SCCM. As things turned out, it was me that was causing the issue in part by running a Windows 10 cleanup script. Another issue we had was inconsistent Windows 10 deployments where some of our IT staff were taking notebooks out of the box, joining to the domain and installing the config manager client, not a good idea in an enterprise environment.

    Nevertheless, our IT staff has successfully been using AOVPN since February 2018 and I for one love it.

    The reason for this post is an issue I’ve never been able to work out. While on AOVPN, when accessing a file share (CIFS) you are prompted to authenticate (user/password).  I’ve spent hours on this with no conclusion and am attributing to the cert based authentication when connecting.

    Is anyone else experiencing this or does anyone have any suggestions?

    Thank you,

    Jon

  19. Donnie 5 years ago

    Hey Joseph! First off great guide. I had to augment your instructions a little because we have to use SSTP because of firewall issues as well as employees in China. Everything on the user tunnel is working great. The issue I have is when I run the powershell script to export my template. It exports it but when I run it and it creates the new profile the connection info for type of vpn (SSTP) is gone as well as its set to prompt for a username and password. Anyone else running into this?

    • Donnie 5 years ago

      Found the issue! In the import script I changed <NativeProtocolType> from IKEv2 to SSTP. Even though SSTP is valid it would stop processing that section of the script. Using Automatic instead of IKEv2 or SSTP let the script completely run through. The resulting profile it created had all my peap info and the automatic setting worked great detecting SSTP.

      Now on to device tunnels. I see you were having issues with these. Has anything changed on that front? Anybody on here have any success with those? Figured I would go ahead and ask so the answers will be ready when I run into the issues.

      • Author
        Joseph Moody (Rank 3) 5 years ago

        Awesome news! You can do device tunnels and they work relatively well. You do have to use IKEv2 with machine certificate authentication. Be on Windows 10 1803 or 1809 if you can.

  20. Pat 5 years ago

    Many of our clients are pretty small, so standing up a separate server just for a PKI infrastructure is tough to justify. At the same time, I refuse to put AD certificate services on ANY existing server. What are others doing?

    • Author
      Joseph Moody (Rank 3) 5 years ago

      I don’t have a good answer for you on this – you are right about the server setup though. One thing I do highlight is the additional benefits of using PKI in other services (passwordless authentication for wireless as an example).

  21. Barry 5 years ago

    Interesting that there seems to be no documentation of deploying this as an SCCM compliance profile. Guess I’ll dive in and try it… for science.

  22. Roger Crawford 4 years ago

    Great Series worked well except one thing, how can you allow the remote laptop access to the Internet with the VPN Connected. We have remote users who are in the field and need access to that also. I know you could uncheck the use remote gateway but that then breaks the VPN. Any thoughts would be appreciated. Thanks

  23. Greg 4 years ago

    Just a few quick additions.

    As far as I can tell using computer authentication (Device Tunnels) is only possible in Win 10 Enterprise.  MS rightfully thought allowing computer authentication would encroach on DirectAccess.  I wasted a lot of time trying to get it to work on Pro before I deciphered it was a licensing issue from their crap documentation.

    You CAN install the always on profile to all users.  However, you must run the deploy script in a powershell window that is running as SYSTEM.  As far as I can tell any VpnConnection created using Add-VpnConnection with the -AllUserConnection flag is inaccessible using get-wmiobject unless you’re running as SYSTEM.  If somebody knows a way, please tell me.

    In the generated script (VPN_Profile.ps1) I ended up replacing everything underneath

    $namespaceName = 'root\cimv2\mdm\dmmap'
    $className = 'MDM_VPNv2_01'

    with

    if (-not (Get-VpnConnection $ProfileName -AllUserConnection -ErrorAction SilentlyContinue)) {
        Write-Host "Connection $ProfileName does not exist. Creating it!"
        # -AllUserConnection is a switch; -ServerAddress is mandatory, so a placeholder goes here
        # and the ProfileXML applied below supplies the real server
        Add-VpnConnection -Name $ProfileName -ServerAddress 'placeholder' -AllUserConnection
    }

    Write-Host "Configuring $ProfileName"

    # If $ProfileName contains spaces, filter on the %20-escaped form (the bridge stores the name URL-encoded)
    Get-CimInstance -ClassName $className -Namespace $namespaceName -Filter "InstanceID='$ProfileName'" | Set-CimInstance -Property @{ProfileXML=$ProfileXML}
    Get-CimInstance -ClassName $className -Namespace $namespaceName -Filter "InstanceID='$ProfileName'" | Set-CimInstance -Property @{AlwaysOn=$True}

    Write-Host "VPN Setup complete!"

    Not only is this vastly simpler but it also installs the profile to all users… Every day I hate MS a little more…

    For Roger’s question about Internet access… Make sure you set your VPN to be split tunnel on the client side and then either statically place networks in the client VPN config or use DHCP option 121 Classless Static Routes to advertise what is available via the VPN.  Oh and I have found various ISPs that hijack DNS can cause weird issues.

    Thanks,

    Greg

  24. Roger Crawford 4 years ago

    Thanks Greg I did end up adding a static route on our test machine and got this working using the split route method. Next thing we have run into is we have one application that when we try and run it with our test user we get “An error occurred when trying to check if Active Directory user credentials are invalid. The server cannot handle directory requests” This is an application that has a SQL Server backend and is routed through an IIS Server for those requests to the SQL Server is what was explained to me. I am still exploring this issue. If I remove the personal cert for the users VPN connection the application will work properly.

  25. Greg 4 years ago

    Roger, I ran into a problem with authentication to network resources when using the cert for VPN auth because the VPN credentials are being used and most things don’t accept the cert.

    You can test this out by connecting to VPN using password auth and using a domain admin account or something.  When you browse around the network you will have permissions based on the VPN creds… not the permissions of the logged in user.

    There are two ways to fix this.  One is to modify the file containing the vpn profile

    Alluser VPN connections: C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk

    Specific user VPN connections: %userprofile%\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk

    Find the line: UseRasCredentials=1 and change the 1 to a 0

    The 2nd way is with Group policy which will prevent any network creds from being saved:

    Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies/Security Options > Network Access > Network access: Do not allow storage of passwords and credentials for network authentication

    In a 2nd note.  It looks like you can use the pbk files to deploy VPN to a bunch of computers.  I have not thoroughly tested yet, but in a few quick tests I’ve been able to setup VPN on new computers by simply copying this file to them.

    Thanks,

    Greg
