Windows 10 AlwaysOn VPN with Conditional Access – Part 1

Standard

In this series of blogposts I want to show you how you can use AzureAD Conditional Access to protect your Windows 10 / Server 2016 AlwaysOn VPN solution (deployed with Intune). This first part of the series will describe the initial requirements and setup of the infrastructure which is needed for the AlwaysOn VPN solution. The second part will focus on the configuration needed to add AzureAD Conditional Access for VPN connections to the flow and the last part of the series will focus on testing the Conditional Access features against AlwaysOn VPN connections. But let’s start with the description of the needed components and the initial configuration of those components.

For a Microsoft AlwaysOn VPN solution you need to have or need to install and configure the following components:

  • Windows 2016 Certificate Authority for deploying the certificates;
  • Windows 2016 RRAS server with Remote Access. In my lab environment this server is joined to my local Active Directory;
  • Windows 2016 NPS server. In my lab environment this server is joined to my local Active Directory;
  • Certificate deployment to Windows 10 MDM devices by Microsoft Intune (SCEP or PKCS);
  • AlwaysOn Profile deployed by Microsoft Intune;
  • Windows 10 client, I tested the 1703 and 1709 versions;

In the picture below you will see a graphical representation of the Windows 10 / Windows Server 2016 AlwaysOn VPN infrastructure:

It’s not my goal to provide for each component a step-by-step walk-through. The documentation from Microsoft is pretty clear but of course I will describe my gotchas from installing and configuring these components:

Before you start to implement all the functionality it’s good to read the following article about how to configure the Server architecture of the AlwaysOn VPN configuration: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-server-infrastructure/. This was my the first step in configuring the Infrastructure for the AlwaysOn VPN solution. The only change you will need to made in these steps is the User VPN Certification template the option ‘Export Private Key’ should activated instead of deactivated.

Windows 2016 Certificate Authority

In my lab environment I installed and configured single-tier Enterprise Root CA. I’m planning to use the PKCS certificate deployed through Intune. This functionality has at least the following requirements to the Certificate Authority:

  • Certification Authority: An Enterprise Certification Authority (CA) that runs on an Enterprise edition of Windows Server 2008 R2 or later. A Standalone CA is not supported.
  • Computer that can communicate with Certification Authority: Alternatively, use the Certification Authority computer itself.
  • Microsoft Intune Certificate Connector: From the Azure portal, download and install the Certificate Connector on the computer that communicates with the Certificate Authority.

More information about installing the CA can be found here: https://technet.microsoft.com/library/jj125375.aspx. After these steps you need to make the AIA and CDP file publicly available. I’ve done this through the Web Application proxy. I executed the following steps:

  • Install a fresh server new Windows 2016 server including IIS;
  • Configure an external DNS name with SSL certificate on this webserver;
  • Create an application on WAP and configure the same SSL certificate on this application and forward the requests to this server;

The documentation around these steps can be found here: https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-the-cdp-and-aia-extensions-on-ca1.

Windows 2016 RRAS Server

In my lab environment I used an single RRAS server with one IP address behind a NAT firewall. I forwarded the following ports to this server:

  • IP Protocol Type=TCP, TCP Port number=1723
  • IP Protocol Type=GRE (value 47)
  • IP Protocol Type=UDP, UDP Port Number=500
  • IP Protocol Type=UDP, UDP Port Number=4500
  • IP Protocol Type=ESP (value 50)
  • IP Protocol Type=TCP number=443

After the installation of Windows Server 2016 I joined the machine to my local AD domain and installed the Remote Access role. A detailed plan of steps can be found here: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-ras.

Windows 2016 NPS Server

After installing the RRAS server In installed and configured the NPS Server which will take care of the authentication part of the VPN Connection. Detailed steps and instructions can be found here: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-nps. After following these steps no additional configuration has to be done.

Certificate deployment to Windows 10 MDM devices by Microsoft Intune (SCEP or PKCS);

In my lab environment I configured PKCS to deliver user certificates to my MDM users. The needed configuration is described here: https://docs.microsoft.com/en-us/intune/certficates-pfx-configure. Yes, you need the NDESConnectorSetup.exe to install the PKCS certificate deployment. During the installation of the Connector you need to select PFX Distribution as method for certificate deployment. Next step is to start the NDESConnectorUI and login so that the Connector gets access to Microsoft Intune. When the connection is made the next step is to create a PKCS profile in Intune. Go to Device Configuration > Profiles > New Profile and select the following values:

AlwaysON VPN Profile within Intune

Next step is to configure the AlwaysOn profile. Currently this can be achieved by one of the following options:

  1. Create a VPN profile through the GUI (with this option the user needs to activate the AlwaysOn option themselves);
  2. Create a Custom Settings profile which sends a profile.xml of the VPN Connection to the client;

Since I wanted to deploy a configuration where the end users doesn’t have to do additional configuration I implemented the second option. Microosft has decribed it very clearly how to create an AlwaysOn Profile XML configuration. You can find this documention here: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#bkmk_ProfileXML. When you have the Profile XML you’ve to create a Custom Windows 10 and later Policy. Within this policy you need to add on setting with the following OMA-URI setting: ./User/Vendor/MSFT/VPNv2/EMSMASTER_AlwaysOnVPN/ProfileXML. Select String (XML File) as data type and select the profile XML as file (note that the XML file must have a supported encoding):

When you assign this policy to your users the result will look like this on the Windows 10 clients:

So with this blogpost I described how to configure the Microsoft Windows 10 AlwaysOn VPN infrastructure including the configuration of the AlwaysOn VPN within Intune. In the next blogpost I will focus on combining this AlwaysOn VPN configuration with Azure AD Conditional Access.

Leave a Reply