In this segment, you will set up a client template. After configuring the client template, you will be able to test your setup. Finally, you will need to decide on a client deployment method and roll this out to other machines!
Creating the Always On VPN client template
Start with a clean domain-joined machine (physical or virtual) running Windows 10 1607 or later. This computer will be your template machine, and it must be able to reach your Remote Access/VPN server from an external network (outside your LAN). On this machine, you will manually create the VPN connection and then test it. Although you can write the connection template in XML by hand, it is easier to configure it through the connection wizard and export it with PowerShell later. We will do that now.
In parts 3 and 4, we reviewed certificate requirements for Network Policy Server (NPS) or Remote Authentication Dial-In User Service (RADIUS). For optimal security, your clients should know the NPS host name when connecting. A certificate issued to the NPS machine will store this exact host name, along with the name of a trusted certificate authority (CA).
Connect to your NPS/RADIUS machine and launch the NPS Microsoft Management Console (MMC). Expand to Policies\Network Policies. Right-click on the Virtual Private Network (VPN) network policy you created in part 3 and select Properties.
Click on the Constraints tab. On the Authentication Methods constraint, select Microsoft: Protected EAP (PEAP) and then click on Edit.
The Edit Protected EAP Properties window should now be open. Note the certificate issued to value as well as the Issuer value. Once you have these values, you can cancel out of any open windows in the NPS console. You will enter these values in the advanced template configuration section below.
On your template machine, log in as a user that is a member of the VPN Users group. Once logged in, open certmgr.msc and verify a certificate was issued from the VPN Users template. If not, review part 2 of this series. Click on Start and search for VPN. You may need to filter to just Settings to see the Change Virtual Private Network (VPN) option.
Select Add a VPN connection and do the following:
- Change the VPN Provider to Windows (built-in)
- Specify a temporary connection name such as template
- Enter the external fully qualified domain name (FQDN) of your Always On VPN server. This is the DNS value you created in part 4 of this series.
Click Save to close the Add a VPN connection window. On the right-hand side under Related Settings, click on Change Adapter options (or navigate to Control Panel\Network and Internet\Network Connections).
Right-click on your template and select Properties. Configure the following on the Security tab:
- Change the Type of VPN to IKEv2.
- Change the Data encryption value to Maximum strength encryption.
- Click the Use Extensible Authentication Protocol (EAP) radio button and select Microsoft: Protected EAP (PEAP) (encryption enabled) from the drop-down list.
While still on the Security tab, click on Properties to launch the Protected EAP Properties window.
- Enter the certificate issued to value under Connect to these servers.
- Under Trusted Root Certification Authorities, check the CA name that matches the Issuer value you recorded earlier.
- On the Notifications before connecting drop-down list, select don't ask user to authorize new servers or trusted CAs.
- For the Authentication Method, select Smart Card or other Certificate.
To the right of Smart Card or other certificate, click the Configure button (as seen in the image above). The options you will configure now control how the client selects a local certificate for authentication.
On the Smart Card or other Certificate Properties window:
- Select the radio button for Use a certificate on this computer.
- Enter the certificate issued to value under Connect to these servers.
- Under Trusted Root Certification Authorities, check the CA name that matches the Issuer value you recorded earlier. This option and the previous option should match the values you entered on the Protected EAP Properties screen above.
- Check the Don't prompt user to authorize new servers or trusted certification authorities box.
If your VPN users have multiple user certificates (as seen in certmgr.msc) and are prompted to select one before connecting, you can use the Advanced tab to refine certificate selection.
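Before testing, it is worth confirming that what the wizard actually stored matches the values you copied from the NPS console. The script below is an added pre-flight check, not part of the original article or of Microsoft's MakeProfile.ps1; it reads the template connection with Get-VpnConnection, parses its EAP configuration, and compares the server name, trusted root CA and validation settings against the NPS values. The connection name, NPS host name and CA name are placeholders you must replace.

```powershell
# Added pre-flight check for the client template (not part of the original article
# or of MakeProfile.ps1). Run it as the template user on the template machine.
# Placeholders - replace with your own values:
$TemplateName  = 'template'            # temporary connection name from the wizard
$NpsServerName = 'nps01.test.local'    # "Issued to" value noted in the NPS console
$NpsIssuerName = 'Test-CA'             # "Issuer" (CA name) noted in the NPS console

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. The logged-in user must hold a certificate issued from the "VPN Users" template.
#    The template name is carried in the "Certificate Template Information" extension.
$vpnUserCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Certificate Template Information' }
    $ext -and ($ext.Format($false) -match 'Template=VPN Users')
}
Add-Check 'User certificate from "VPN Users" template present' ([bool]$vpnUserCerts) `
    ((@($vpnUserCerts) | ForEach-Object Thumbprint) -join ', ')

# 2. Connection-level settings chosen on the Security tab.
$vpn = Get-VpnConnection -Name $TemplateName -ErrorAction Stop
Add-Check 'Type of VPN is IKEv2'           ($vpn.TunnelType -eq 'Ikev2')               $vpn.TunnelType
Add-Check 'Encryption is Maximum strength' ($vpn.EncryptionLevel -eq 'Maximum')        $vpn.EncryptionLevel
Add-Check 'Authentication is EAP'          ($vpn.AuthenticationMethod -contains 'Eap') ($vpn.AuthenticationMethod -join ',')

# 3. The EAP payload the wizard stored (an XmlDocument). Its elements live in several
#    namespaces, so match them by local name.
$eap = $vpn.EapConfigXmlStream

$serverNames = @($eap.SelectNodes("//*[local-name()='ServerNames']") | ForEach-Object InnerText | Sort-Object -Unique)
Add-Check 'Connect to these servers = NPS "Issued to"' `
    ($serverNames.Count -gt 0 -and @($serverNames | Where-Object { $_ -ne $NpsServerName }).Count -eq 0) `
    ($serverNames -join ';')

# TrustedRootCA holds SHA-1 thumbprints; resolve the recorded CA name to thumbprints
# in the Trusted Root stores and require every listed thumbprint to be one of them.
$caThumbs = @(Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$NpsIssuerName*" } | ForEach-Object Thumbprint | Sort-Object -Unique)
$trusted = @($eap.SelectNodes("//*[local-name()='TrustedRootCA']") |
    ForEach-Object { ($_.InnerText -replace '\s', '').ToUpperInvariant() } | Sort-Object -Unique)
Add-Check 'Trusted Root CA matches NPS Issuer' `
    ($trusted.Count -gt 0 -and @($trusted | Where-Object { $caThumbs -notcontains $_ }).Count -eq 0) `
    ($trusted -join ';')

# Both the outer PEAP and the inner certificate method must validate the server
# without asking the user to accept unknown servers or CAs.
$perform = @($eap.SelectNodes("//*[local-name()='PerformServerValidation']") | ForEach-Object InnerText)
Add-Check 'Server validation performed' ($perform.Count -gt 0 -and $perform -notcontains 'false') ($perform -join ';')
$prompts = @($eap.SelectNodes("//*[local-name()='DisableUserPromptForServerValidation']") | ForEach-Object InnerText)
Add-Check 'User prompts for new servers/CAs disabled' ($prompts.Count -gt 0 -and $prompts -notcontains 'false') ($prompts -join ';')

# "Use a certificate on this computer" appears as CredentialsSource/CertificateStore.
$storeNode = $eap.SelectSingleNode("//*[local-name()='CredentialsSource']/*[local-name()='CertificateStore']")
Add-Check 'Inner method uses a certificate on this computer' ($null -ne $storeNode) ''

$results | Format-Table -AutoSize
```

Every row should read True before you move on; a False on the Trusted Root CA or Connect to these servers rows means the client would be unable to tell your NPS from any other server presenting a certificate from a trusted CA, which is exactly the check those two fields exist to provide.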
Testing Always On VPN connections
Click OK for all open windows and return to the Network Connections control panel window. Ensure you are connected to an external network. Select your VPN template (either in Settings or from the notification area in the bottom-right section of the taskbar). Click Connect.
Hopefully, your VPN template successfully connected. Proceed to the next section if it did. For anyone else, I'm sorry. The problem is likely a small misconfiguration or missing checkbox somewhere. On the client template machine, open the Application event log and look for events with a RasClient source. You should see a message and an error code. Microsoft's Always On VPN documentation provides some basic guidance for the 800x error codes. If you still have a connection issue, leave a detailed comment below and upload any logs.
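Rather than clicking through Event Viewer, you can pull the RasClient events for the template connection and extract the error code from each failure message. The snippet below is an added example, not from the original article; it assumes the connection is still named template and that the failed attempt happened within the last hour. The hint table only covers a handful of common codes whose meaning is fixed by the Windows RAS error text.

```powershell
# Added triage snippet (not part of the original article). Assumptions: the template
# connection is named "template" and a connection attempt was made in the last hour.
$ConnectionName = 'template'
$Since = (Get-Date).AddHours(-1)

# A few common RasClient failure codes and what they usually point at.
$hints = @{
    798   = 'No client certificate usable for EAP was found (check the user certificate and "Use a certificate on this computer").'
    800   = 'The attempted VPN tunnels failed (server name, DNS resolution, or UDP 500/4500 blocked).'
    809   = 'The remote server is not responding (IKEv2 ports blocked or a NAT device in the path).'
    812   = 'The RAS/NPS server policy rejected the connection (EAP type or server certificate does not match the network policy).'
    13801 = 'IKE authentication credentials are unacceptable (server certificate not trusted or name mismatch).'
    13806 = 'IKE failed to find a valid machine certificate.'
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; StartTime = $Since } `
    -ErrorAction SilentlyContinue

$events | Where-Object { $_.Message -like "*$ConnectionName*" } | ForEach-Object {
    # Failure messages end with "The error code returned on failure is NNN."
    $code = if ($_.Message -match 'error code returned on failure is (\d+)') { [int]$Matches[1] } else { $null }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        ErrorCode = $code
        Hint      = if ($code -and $hints.ContainsKey($code)) { $hints[$code] }
                    elseif ($code) { 'Look the code up in the RAS error code reference.' }
                    else { 'Informational (connection started or ended).' }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Reading the most recent row first usually tells you which side to look at: 798 and 13806 are client certificate problems, 812 and 13801 mean the NPS policy or server certificate does not match what the template expects, and 800 or 809 mean the IKEv2 traffic never reached the server.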
Deploying Always On VPN connection templates
First, we need to export the template file we created and tested above. Download the latest MakeProfile.ps1 script from TechNet. Configure the parameters at the top with the following directions:
- $Template: the template name you used earlier (such as template)
- $ProfileName: the final name clients would see (such as AlwaysOn)
- $Servers: the external FQDN of your Remote Access server (the value you entered on the template)
- $DnsSuffix: the internal DNS suffix of clients; ipconfig will show the formatting (such as local)
- $DomainName: the DNS suffix with a leading dot (such as .Test.local)
- $TrustedNetwork: likely the same as the DnsSuffix
Run this script under the user account that created the VPN template by logging in locally (no Remote Desktop/Hyper-V Enhanced session).
If the script successfully runs, you should see two files on the current user's desktop: VPN_Profile.xml and VPN_Profile.ps1.
Microsoft provides a few ways to deploy Always On VPN connections. Currently, you can deploy them with a PowerShell script, SCCM, or Intune. SCCM uses the VPN_Profile.ps1 file, and Intune uses the VPN_Profile.xml file. Technically, you can also use Group Policy, since the logon/startup scripts client-side extension (CSE) can run your PowerShell script.
For this deployment, we will use the PowerShell method since it is the simplest to set up. However, it does not scale well. The user running the VPN_Profile.ps1 script needs to log in locally as an administrative user. It is fine to use your template machine for this, but delete the profile you created earlier.
Connect this machine to your internal network. Make sure your logged-in user is an administrator, and then start PowerShell as an administrator. Open up your VPN_Profile.ps1 script and run it. If it successfully runs, it should create a new Always On VPN profile. It will see you are internally connected (through the DNS suffix values you specified earlier). Disconnect from your internal network and connect to an external one. Within a few seconds, Windows 10 should detect the network change and automatically start the Always On VPN profile!
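Once VPN_Profile.ps1 has run, you can confirm what actually landed on the machine. The script below is an added check, not part of the original article, MakeProfile.ps1 or VPN_Profile.ps1. It reads the deployed profile from the MDM bridge WMI provider, maps the XML elements back to the MakeProfile.ps1 parameters you set earlier, and warns about the settings that stop the tunnel from auto-starting. It assumes an elevated PowerShell session running as the same user the profile was deployed to, and that $ProfileName matches the $ProfileName you used in MakeProfile.ps1.

```powershell
# Added post-deployment check (not part of the original article, MakeProfile.ps1
# or VPN_Profile.ps1). Assumptions: elevated PowerShell, same user the profile was
# deployed to, and $ProfileName equal to the $ProfileName used in MakeProfile.ps1.
$ProfileName = 'AlwaysOn'

# The MDM bridge exposes each VPNv2 CSP profile as an MDM_VPNv2_01 instance whose
# InstanceID is the URL-escaped profile name (a space becomes %20).
$escaped  = [uri]::EscapeDataString($ProfileName)
$instance = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_VPNv2_01' |
    Where-Object { $_.InstanceID -eq $escaped }
if (-not $instance) { throw "No VPNv2 profile named '$ProfileName' found on this machine." }

$xml    = [xml]$instance.ProfileXML
$prof   = $xml.VPNProfile
$native = $prof.NativeProfile

# Map the deployed XML back to the MakeProfile.ps1 parameters and key behaviour settings.
$report = [ordered]@{
    'Servers ($Servers)'                        = $native.Servers
    'DnsSuffix ($DnsSuffix)'                    = $prof.DnsSuffix
    'TrustedNetworkDetection ($TrustedNetwork)' = $prof.TrustedNetworkDetection
    'DomainName ($DomainName)'                  = ($prof.DomainNameInformation | ForEach-Object DomainName) -join ';'
    'NativeProtocolType'                        = $native.NativeProtocolType
    'RoutingPolicyType'                         = $native.RoutingPolicyType
    'AlwaysOn'                                  = $prof.AlwaysOn
    'RememberCredentials'                       = $prof.RememberCredentials
}
$report.GetEnumerator() | Format-Table Name, Value -AutoSize

# Settings that decide whether the tunnel starts by itself on an untrusted network
# and whether the client still validates the server certificate.
$problems = @()
if ($prof.AlwaysOn -ne 'true') {
    $problems += 'AlwaysOn is not true: the profile will not connect automatically.'
}
if ([string]::IsNullOrWhiteSpace($prof.TrustedNetworkDetection)) {
    $problems += 'TrustedNetworkDetection is empty: the tunnel will also come up on the internal network.'
}
if ($native.NativeProtocolType -ne 'Ikev2') {
    $problems += "NativeProtocolType is '$($native.NativeProtocolType)', not Ikev2."
}
$perform = @($xml.SelectNodes("//*[local-name()='PerformServerValidation']") | ForEach-Object InnerText)
if ($perform.Count -eq 0 -or $perform -contains 'false') {
    $problems += 'Server certificate validation is not enforced in the EAP configuration.'
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "Profile '$ProfileName' contains the expected Always On settings." }
```

The two warnings about AlwaysOn and TrustedNetworkDetection are the ones to look at first if the profile installs cleanly but only connects when a user clicks Connect, or stays connected after the machine is back on the office network.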
What's next for Always On VPN?
In this five-part series, we actually set up a very simple Always On VPN infrastructure. As you learned, tying everything together takes a lot of technical work! You also saw that this technology is not quite perfect. Deployment methods can be a thorn in the side for some organizations. In my opinion, Microsoft should fully support Group Policy as a deployment method.
There is hope! Microsoft has continued to improve Always On VPN in each Windows 10 major update. In fact, Windows 10 1709 brought us device-side connections (your connection above only applies to the current logged-in user).
With your basic Always On VPN setup wrapped up, consider expanding it! You can make the environment redundant for stability, set up device tunnels, configure deployment for all mobile users through SCCM, or even bring in Windows Hello for Business as an authentication method!
In my next post, I will explain how to troubleshoot Always On VPN if the installation fails or you are unable to establish a connection.
I am getting “A certificate could not be found that can be used with this Extensible Authentication Protocol.” What am I doing wrong?
A troubleshooting guide from MS doesn’t help.
Which version of Windows 10 do you have? If it is anything other than Enterprise or Education then make sure you are using user authentication and not machine authentication.
This also works with Windows 10 Pro. I'm running it on that version
Hi Joseph,
I can get the VPN to connect, but unfortunately when I connect a network cable the VPN is still staying connected. Is there a way to disable this?
Thanks
You will want to set the Trusted Network Detection options in your VPN profiles. Here is some information on that: https://docs.microsoft.com/en-us/windows/security/identity-protection/vpn/vpn-auto-trigger-profile
Hi Joseph,
I have added it in, but it doesn't detect it as a trusted network unless I disconnect it from the VPN.
Thanks
Hi Joseph,
The LAN NIC doesn't get detected as a trusted network unless I disconnect the VPN first?
Thanks
This sounds like a trusted network detection issue to me. What was your solution though?
Same here! Did you ever figure out a solution? Script runs fine. I also find it odd I go back on the template machine and in the vpn settings i saved are all gone? The scalability of this solution makes me want to look elsewhere!
Agreed – Microsoft has some work to do on the client side of this solution.
Is there a way to get Maximum strength encryption in XML?
Each time I create AO VPN with the PowerShell script it goes to Required and NOT “Maximum strength encryption”.
Hi sebus – I am actually not sure how to do this. Let me know if you find a way though.
Hi Sebus, did you ever find a method for forcing maximum encryption using the XML. Seems to be missing from any profile we generate.
In the Edit Protected EAP Properties window on the NPS server, the “Issuer” value lists one of our Intermediate CAs. “ContosoCA2”.
But when setting up a client, only our Root CA is listed, not the intermediate ones. So if I check “ContosoRootCA” on the client at that point because “ContosoCA2” isn’t listed, is that going to cause a problem?
(I’m currently getting an 812 error, and was wondering if this is related).
Thank you.
So I got it working. It actually works with ContosoRootCA checked, but not with just ContosoCA2 checked. Even though the NPS server lists the latter as the issuer.
“Technically, you can use Group Policy since you can use the logon/startup scripts client-side extension (CSE) to run your PowerShell script” – can anyone tell me if they have successfully managed to deploy through GP? I have banged my head for several weeks and I am unable to come up with a consistent resolution. Would be so grateful if anyone could help me out. Thanks
Hi, I am troubleshooting my Always On VPN.
User tunnel (IKEv2) connection from Windows 10 (1803) is triggered, routes applied, I see its status, packets are sent to the interface – but no packets return (zero at “Received”). Network and Sharing Center shows my VPN connection as “Identifying…” for a minute or two, then it changes to “Public network”. If I wait 3-5 minutes (or if I reconnect manually) the status changes to “Domain Network” and at the same time packets start running in both directions – everything is good then, the connection works.
When I use the SSTP protocol, everything works fine.
How can I fix it?
I have weird problems with Always On VPN profile.
I completed configuring the RAS/NPS servers. I manually created a test VPN connection, and it is working fine. I followed your document along with Microsoft's to use MakeProfile.ps1 to generate VPN_Profile.xml and VPN_Profile.ps1. I ran VPN_Profile.ps1 to make a new VPN connection on a test machine. The new VPN connection connected fine, but I couldn't access network resources. When I ping our domain controllers, it gives me 198.105.254.104. I am thinking there are some routing issues. Do you have any tips for me to troubleshoot this problem?
Thanks very much for your help
Tho
It looks more like DNS issues than routing issues. Try to ping a DC using its IP instead of hostname.
It looks like TMobile hijacks DNS to boost ad revenue and returns 198.105.254.104 as the IP for any nonexistent DNS requests. This trend of hijacking DNS has been very frustrating as Windows 10 doesn't seem to act predictably when running ipconfig /flushdns
Thanks Greg, I tried to ping the IP address, it doesn't go anywhere. My current problem: even though the VPN connection shows connected, I cannot access any network resources on this VPN connection. I can see it on the RSA server with the correct IP address.
However, if I created VPN Connection manually on Windows 10, it is working fine.
When I tested the VPN connection, I connected to my T-Mobile hotspot to simulate an external network.
Here are two VPN connections. MPLSVPN is the manual one I created and it is working fine. MPLS AlwaysOn VPN is the one created by the script and it is not working. I hope you can detect something that can help me to resolve this problem.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\WINDOWS\system32> Get-WmiObject -Namespace root\cimv2\mdm\dmmap -class MDM_VPNv2_01
__GENUS : 2
__CLASS : MDM_VPNv2_01
__SUPERCLASS :
__DYNASTY : MDM_VPNv2_01
__RELPATH : MDM_VPNv2_01.InstanceID="MPLSVPN",ParentID="./Vendor/MSFT/VPNv2"
__PROPERTY_COUNT : 10
__DERIVATION : {}
__SERVER : TEST-1848230-L
__NAMESPACE : root\cimv2\mdm\dmmap
__PATH : \\TEST-1848230-L\root\cimv2\mdm\dmmap:MDM_VPNv2_01.InstanceID="MPLSVPN",ParentID="./Vendor/MS
FT/VPNv2"
AlwaysOn :
ByPassForLocal :
DnsSuffix :
EdpModeId :
InstanceID : MPLSVPN
LockDown :
ParentID : ./Vendor/MSFT/VPNv2
ProfileXML : <VPNProfile><APNBinding><AuthenticationType>None</AuthenticationType></APNBinding><NativeProf
ile><Servers>vpn.minneapolis.edu;vpn.minneapolis.edu</Servers><NativeProtocolType>Ikev2</Nati
veProtocolType><Authentication><UserMethod>Eap</UserMethod><MachineMethod>Eap</MachineMethod>
<Eap><Configuration><EapHostConfig
xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type
xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type><VendorId
xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType
xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId
xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config
xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.
com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://www.mic
rosoft.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptFor
ServerValidation>true</DisableUserPromptForServerValidation><ServerNames>Elephant2.campus.min
neapolis.edu</ServerNames><TrustedRootCA>72 51 82 0d 89 a9 7b a1 49 fb ab 59 b4 9b 4f d5 a8
fe 9b 0a </TrustedRootCA></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptio
nal>false</InnerEapOptional><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnecti
onPropertiesV1"><Type>13</Type><EapType xmlns="http://www.microsoft.com/provisioning/EapTlsCo
nnectionPropertiesV1"><CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleC
ertSelection></CertificateStore></CredentialsSource><ServerValidation><DisableUserPromptForSe
rverValidation>true</DisableUserPromptForServerValidation><ServerNames>Elephant2.campus.minne
apolis.edu</ServerNames><TrustedRootCA>72 51 82 0d 89 a9 7b a1 49 fb ab 59 b4 9b 4f d5 a8 fe
9b 0a </TrustedRootCA></ServerValidation><DifferentUsername>false</DifferentUsername><Perform
ServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">t
rue</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/E
apTlsConnectionPropertiesV2">true</AcceptServerName></EapType></Eap><EnableQuarantineChecks>f
alse</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtension
s><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPrope
rtiesV2">true</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/prov
isioning/MsPeapConnectionPropertiesV2">true</AcceptServerName></PeapExtensions></EapType></Ea
p></Config></EapHostConfig></Configuration></Eap></Authentication></NativeProfile></VPNProfil
e>
RememberCredentials :
TrustedNetworkDetection :
PSComputerName : TEST-1848230-L
__GENUS : 2
__CLASS : MDM_VPNv2_01
__SUPERCLASS :
__DYNASTY : MDM_VPNv2_01
__RELPATH : MDM_VPNv2_01.InstanceID="MPLS%20AlwaysOn%20VPN",ParentID="./Vendor/MSFT/VPNv2"
__PROPERTY_COUNT : 10
__DERIVATION : {}
__SERVER : TEST-1848230-L
__NAMESPACE : root\cimv2\mdm\dmmap
__PATH : \\TEST-1848230-L\root\cimv2\mdm\dmmap:MDM_VPNv2_01.InstanceID="MPLS%20AlwaysOn%20VPN",ParentI
D="./Vendor/MSFT/VPNv2"
AlwaysOn : False
ByPassForLocal :
DnsSuffix : campus.minneapolis.edu
EdpModeId :
InstanceID : MPLS%20AlwaysOn%20VPN
LockDown :
ParentID : ./Vendor/MSFT/VPNv2
ProfileXML : <VPNProfile><RememberCredentials>true</RememberCredentials><AlwaysOn>false</AlwaysOn><DnsSuff
ix>campus.minneapolis.edu</DnsSuffix><TrustedNetworkDetection>campus.minneapolis.edu</Trusted
NetworkDetection><NativeProfile><Servers>vpn.minneapolis.edu;vpn.minneapolis.edu</Servers><Ro
utingPolicyType>SplitTunnel</RoutingPolicyType><NativeProtocolType>Ikev2</NativeProtocolType>
<Authentication><UserMethod>Eap</UserMethod><MachineMethod>Eap</MachineMethod><Eap><Configura
tion><EapHostConfig
xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type
xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type><VendorId
xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType
xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId
xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config
xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.
com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://www.mic
rosoft.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptFor
ServerValidation>true</DisableUserPromptForServerValidation><ServerNames>Elephant2.campus.min
neapolis.edu</ServerNames><TrustedRootCA>72 51 82 0d 89 a9 7b a1 49 fb ab 59 b4 9b 4f d5 a8
fe 9b 0a </TrustedRootCA></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptio
nal>false</InnerEapOptional><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnecti
onPropertiesV1"><Type>13</Type><EapType xmlns="http://www.microsoft.com/provisioning/EapTlsCo
nnectionPropertiesV1"><CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleC
ertSelection></CertificateStore></CredentialsSource><ServerValidation><DisableUserPromptForSe
rverValidation>true</DisableUserPromptForServerValidation><ServerNames>Elephant2.campus.minne
apolis.edu</ServerNames><TrustedRootCA>72 51 82 0d 89 a9 7b a1 49 fb ab 59 b4 9b 4f d5 a8 fe
9b 0a </TrustedRootCA></ServerValidation><DifferentUsername>false</DifferentUsername><Perform
ServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">t
rue</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/E
apTlsConnectionPropertiesV2">true</AcceptServerName></EapType></Eap><EnableQuarantineChecks>f
alse</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtension
s><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPrope
rtiesV2">true</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/prov
isioning/MsPeapConnectionPropertiesV2">true</AcceptServerName></PeapExtensions></EapType></Ea
p></Config></EapHostConfig></Configuration></Eap></Authentication></NativeProfile><DomainName
Information><DomainName>campus.minneapolis.edu</DomainName><DnsServers>134.29.***.***</DnsServers></DomainNameInformation></VPNProfile>
RememberCredentials : True
TrustedNetworkDetection : campus.minneapolis.edu
PSComputerName : TEST-1848230-L
PS C:\WINDOWS\system32>
I believe I found the problem. The VPN connection that I created manually uses Force Tunneling, so it is working fine. The VPN connection that I created using VPN_Profile.ps1 uses Split Tunneling. I tried to add some static routes on the RAS server, but it is still not working.
Hi Guys
I have set up a User tunnel AOVPN on Windows 10 1809. I have deployed it to a few machines using SCCM and it seems to work fine when I manually click on Connect. However, auto connect does not seem to work; we always have to click on the VPN template and click Connect to get it working. I thought the whole idea of AOVPN was to automatically connect. I have been trying to troubleshoot this for the last few days with no luck. I will appreciate any type of advice or assistance.
Many thanks
Just setting this up now in a lab. I can't see anywhere in this guide where it talks about installing the public certificate on the Always On infrastructure (it just mentions briefly to install it on the test client, which I have done).
My test machine currently has the Internal CA certificate (VPN User 1 issued by my CA) and have manually installed the public certificate (albeit this isn't present anywhere on my Always On infrastructure).
There seem to be a lot of gaps in this guide – can anyone confirm what needs to happen with the public certificate?
The public cert should be on your Routing and Remote Access (VPN) server.
So the public certificate needs to be on the RRAS server and the client connecting? If that's the case, what is the point of the CA and the certs being issued – in theory we can just use the public cert?
Apologies if I am missing something here.
Out of interest, I tested this within my Hyper-V lab and it connects fine without the public cert installed on RRAS – I just had to switch the Common and DNS names specified on the VPN server.
I am so close to having the AlwaysOn device tunnels going. However, when I run the PowerShell VPN_Profile.ps1 script, I am hit with an error that reads:
Unable to create AlwaysOn VPN profile: A general error occurred that is not covered by a more specific error code.
Any ideas on this?
Hi Ryan, have you tried opening it in PowerShell ISE and running it step by step?