Hi Divv, is it possible to set up VPN for an iOS device using the infrastructure you have deployed, concurrently with the Always On VPN for Windows devices?
Very well done Video. I learn best by watching someone do it, and then mimic it several times to imprint it in my memory. So thanks. The one issue I have right now is the part where I need to verify the user certificate on the Windows 10 Computer. I don't have a physical computer like your Lenovo to use, so I just created another Hyper-V VM with Windows 10 Enterprise. GPRESULT -r shows that it's getting the policies. But when I go into certmgr, and look under Personal, I do not see the Certificates folder, hence I do not see the user certificate. I went back through the whole video, and I cannot see where I went wrong. Everything I did matches exactly what you did except for this being a VM instead of a physical PC. It joined to the domain fine, no issues there and like I said, it's getting the group policies. Any help you can provide would be much appreciated. Howdy from Texas, USA!
Could it be that you don't have the "Software Key Provider" selected in your cert template? In this case issuing a certificate to a VM would fail because you don't have a TPM 2.0 module. To check for this, try to manually request the certificate by right-clicking on your "Personal" folder in certmgr.
@@LescherYT I actually missed one of the steps for adding user/computer to the group that was created. Once I did that, I saw the certificate. Now my only issue is connecting to the VPN. Not working right now. Need to T/S further, and then maybe post here if I can't figure it out. Thanks for the reply.
I am trying this in a test infrastructure but I am stuck at connecting with the VPN template. I am getting the error: "The network connection between your computer and the VPN server could not be established because the remote server is not responding". It has the error code 809. I have checked the UDP ports 500 and 4500 on the firewall, I have checked the certificates. I have pinged every device in the network and I am quite desperate now. I have done almost everything you can find on the internet but nothing has helped so far. Do you know a solution maybe?
UPDATE: I found out that I used a domain name which was already in use at my company. So I started over again with a different domain name and got into another problem. This time I get the error Divv is getting as well. But after trying several solutions found on the internet, I still can't connect with the template. I have checked all authentication methods and everything is the same on the client as on the servers. I don't know what to do anymore. Please help.
Startup script:
strComputer = "."
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
objUser.SetPassword "123456789"
objUser.SetInfo
' objGroup was never defined in the posted snippet; the local Administrators group is assumed here
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
Set objDomain = GetObject("WinNT://" & strComputer)
objDomain.Filter = Array("User")
For Each objUser In objDomain
    strUser = objUser.Name
    If strUser = "Administrator" Then
        objUser.AccountDisabled = False
        objUser.SetInfo
    Else
        ' Remove raises an error for users that are not members of the group; ignore that case
        On Error Resume Next
        objGroup.Remove objUser.AdsPath
        On Error GoTo 0
    End If
Next
This script is more dangerous and has to reveal the administrator password. Try to encapsulate the bat into an exe and use the script to execute the exe.
Hi, so I have followed this tutorial 3 times, and I still have the same issue. I have the same network setup as you, but I have a strange issue when connecting to the template from an external, or even internal, network. Whenever I attempt to connect it gives an error: "The network connection between your computer and the remote server can not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your service provider to determine which device may be causing the problem." I have port forwarded and everything, and Google didn't help much. If anyone knows what the issue is please let me know. Thanks!
@@boukeeisma9995 I’m going to contact Microsoft business support and see if they can figure it out, I’ll let you know if I find anything. Also maybe it’s the internet service provider? Are you using Comcast?
@@boukeeisma9995 I found a solution and have fully set it up. Port forward ports 500 through 4500, instead of just ports 500 and 4500. Hope this helps!
I was getting the same error in the video: Connection prevented because of a policy on your RAS/VPN server. Checking the Event Viewer on the NPS server helped get more detail. In my case the error was: The revocation function was unable to check revocation because the revocation server was offline. This was because my offline root CA CRL was out of date. Publishing a new offline CRL did the trick.
At 1:43:19 I say we're done. But I actually forgot to do the security filtering for the "Set Always On VPN Device Tunnel" GPO. As it is now, this GPO would apply on all domain computers. What you likely want to do is only have that GPO applied to computers that are a member of our "VPN Computers" group. This isn't something that breaks the deployment but is more a matter of housekeeping.
The way to implement this is identical to the way we did the security filtering for the "Set Always On VPN User Tunnel" GPO, just adding "VPN Computers" instead of "VPN Users", you would also want to add "Authenticated Users" in the Delegation tab (yes, domain computers are a member of "Authenticated Users").
In the context of Microsoft Group Policy within the Active Directory, computer security groups are not containers. The containers for Group Policy are organizational units (OUs) and domains. Computer security groups are used to grant access rights to resources for computers, but they do not influence Group Policy deployment. Group Policy settings are configured at the OU or domain level and are applied to users and computers within those OUs or domains.
You probably want to do the same with the "Set Local Users Full Control Ras Man Config" GPO: set the scope to the "VPN Computers" group only and add Authenticated Users under "Delegation" with "Read" permissions.
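The security filtering described in the pinned comment can also be done from PowerShell with the GroupPolicy module instead of clicking through GPMC. This is an added example, not a script from the video; it assumes the GPO and group names used in the video and a machine with the RSAT Group Policy Management tools installed. It applies the same change to all three GPOs (user tunnel, device tunnel, RasMan Full Control): Authenticated Users is downgraded from Apply to Read, and the intended group gets Read + Apply.

```powershell
Import-Module GroupPolicy   # RSAT: Group Policy Management Tools

# GPO -> the group that should be the only one applying it. Names as used in the video.
$Filters = @(
    @{ Gpo = "Set Always On VPN User Tunnel";               Group = "VPN Users" }
    @{ Gpo = "Set Always On VPN Device Tunnel";             Group = "VPN Computers" }
    @{ Gpo = "Set Local Users Full Control Ras Man Config"; Group = "VPN Computers" }
)

foreach ($f in $Filters) {
    $gpo = Get-GPO -Name $f.Gpo -ErrorAction Stop

    # Authenticated Users keeps Read (required since MS16-072, because the computer account
    # reads user-side GPOs) but loses Apply. -Replace swaps the existing level rather than
    # adding a second ACE next to it.
    Set-GPPermission -Guid $gpo.Id -TargetName "Authenticated Users" -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # The intended group gets Read + Apply group policy.
    Set-GPPermission -Guid $gpo.Id -TargetName $f.Group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# Check: the only trustee with GpoApply on each GPO should be the intended group.
foreach ($f in $Filters) {
    Get-GPPermission -Guid (Get-GPO -Name $f.Gpo).Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'GPO'; e = { $f.Gpo } },
                      @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      Permission
}
```

Run it once from an admin workstation, then `gpupdate /force` on a test client and confirm with `gpresult /r` that a computer outside "VPN Computers" no longer lists the device tunnel GPO under applied policies.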
This is the only guide I've found that doesn't assume that you actually already know all the steps. Like how many and what types of certificates you need to use, and so on. THANKS!
Oh my god, after one week of work I managed to get Always On VPN running with Fortigate as the VPN server. This guide was the first one to actually mention that you need a USER certificate too. After that, things slowly started falling into place.
@@nilleftw Hi, are you using FortiClient or the Windows built-in VPN client for Always On VPN?
Yes, and because Richard Hicks' VPN videos always leave out important information.
Thank you for the video Divv. In your opinion, has much changed in the last 12 months in regard to the setup of this service?
Good question. I'm not sure since I have not gone through it in the last year. If you decide to follow my guide and you stumble upon some differences in my video compared to the official documentation, please let me know. If there are minor changes I might put a disclaimer here in the comments, if there are major changes I might have to take the guide down.
I watched your documentation twice.
I even created my own notes based on your video and followed it by the book, completely double-checked.
Result: when I manually connect from Windows 11 it returns an ugly error.
- When I connect from another Windows Server 2022 it works. I have to study why Win 11 makes problems.
Superb documentation! Wonderful!
I have this same problem with Win11. On Win10 it works.
Awesome guide, sending you good vibes from Germany 👌🏽
Thank you, greetings from Sweden
Very well done video. A bit long, but it was very much worth it because of the details you provided!! I've watched it twice and plan to use many of your tricks!
Can you please guide us on how to deploy those profile XMLs through Intune? Thanks a lot
Excellent and thorough guide. Just a note, for additional security, you don't need to join the RAS server to the domain since only certificates are used for authentication.
True
And Web Enrollment with a CSR to request the RAS cert?
@@thaioviet8104 Web Enrollment isn't used as much anymore since Windows Server 2003. You can still install & use it, however it mainly relies on Internet Explorer to function correctly - which will be End of Life on June 15, 2022. *This is just my opinion* There really isn't any use in running Web Enrollment anymore as you can accomplish the same task by adding the Certificate Service snap-in to MMC.
@@MrMaster2k Thanks, job done
Great Guide, many thanks from Denmark
Thanks for sharing. This is the tutorial I am searching for a long time.
Thanks for creating this video - It definitely will be VERY useful for myself shortly!
Nicely created content!! Easily understood. Thanks
Superb! I wish all Microsoft Learn articles were pieced together like this video! I hate reading all that MS Learn techno-garbage - but this video puts it all together .. Brilliant! More please !! 😉😁👍👍👍
Great job with this guide!
Thanks!
This is just stupidly complex with config settings when Microsoft should easily make this automated.
Hi, I was nearly there, a working user tunnel. Made it to 1:33:25, configure and deploy Device Tunnel. I completed the device tunnel config, which worked fine. Except now the user tunnel won't connect????? Carefully checked the XML file, any ideas?
I have the same problem. The device tunnel connects automatically, but when a user logs in, the user tunnel does not automatically connect.
I made a separate rule in the GPO on user logon (ConnectedAlwaysOnVPN.ps1) and, for exiting from sleep, a separate Task Scheduler task for the exit-from-sleep event (System log, Microsoft-Windows-Power-Troubleshooter, event ID 1).
Hi Divv.. crystal explanation. I loved it.. Thanks for sharing..
Master , extraordinary video!
Any ideas where I can get the make profile script at 1:10:42 ? Thanks
hey divv, thanks 4 this video, u are awesome
Thanks for this video - That helped alot!
This is really awesome
Hi, is it possible to deploy Always On VPN in Windows Server 2016 Essentials? If so, how would I go about doing that? Thanks in advance.
Great video, thanks for this.
thanks a lot for your helpful video. excellent job
Thanks a lot for this video, it's very useful and detailed.
It is better to run "gpupdate /force" after changing GPO, or you will find the rasphone.pbk could not be copied as expected.
Great tutorial! Thank you
Could you please post a link to the scripts mentioned at 1:24:00? Cheers
Sorry, I don't have it. It's just a small snippet, you would have to rewrite it ;) If you're worried about syntax errors I can recommend VSCode with the PowerShell extension. It will give you syntax highlighting and IntelliSense.
very helpful video, thank you
This is a very well made video. Thank you for sharing it.
I can understand doing this for testing purposes, but the amount of kit and licences required seems very backwards. As an idea for 2016, it's fine of course, but modern solutions, especially in advances like zero-trust tools, make this approach seem very antiquated.
Now that you have set this up, is it a configuration you would recommend to clients? Or would you suggest they look at other approaches and tools?
Thank you. I'm not sure what you mean by zero-trust, that seems to be more about authorization? Always On VPN is a solution to access the corporate network from any external network with internet connection. But I will read more about this zero-trust thing.
This is just a basic deployment. In a production setup there would be differences. As an example, you would not want to have a CA on a domain controller. There are probably tons of more, but as I said, this is just a slim basic deployment, so that you can play around with the technology.
@@divv8079 Thanks for the response. Zero Trust is a framework that swaps the connect first then authenticate model of VPNs, you deny access to everything except the resources specifically approved for that user (usually via an AD group membership).
So it provides remote access AND authentication AND Network Segmentation AND MFA and least privilege all in 1 approach. Plus, you don't need to buy more licences from Microsoft.
It's not a new concept I might add, but vendors are now making tools to specifically enable a zero trust approach.
Needless to say, I'm a big fan.
But sorry to hijack your thread. I very much liked the video and learned about something I previously knew very little about. Thank you.
@@divv8079 Long story short, SSL VPNs + authorization, will give you zero trust. Your setup is using certificate based authentication which will happen before the tunnel is established, and you have NPS which can handle authorization - so what's missing is just resource assignment which is done at NPS + AD Security groups + routing (assign users to different VLANs based on certain criteria). You just create more policies yadda yadda. So "thedr00" just didn't quite grasp the tools you're using, can accomplish zero trust quite easily. In a cisco environment, they would just use ISE. Microsoft, you just use NPS / RADIUS.
@@heavy1metal Hi sir, how do you assign a VLAN for a VPN client?
Tried to configure the device tunnel without the need for an XML file, only with PowerShell's "Add-VpnConnection", "Set-VpnConnection" and "Add-VpnConnectionRoute" cmdlets. All with variables, everything worked but failed because you can't disable the default class-based routing option via PowerShell easily. Have to completely redo my script to generate XML just because of that. Thanks for the video!
No problem!
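The sticking point in the comment above, `DisableClassBasedDefaultRoute`, is only exposed through ProfileXML, so the script has to build the XML and hand it to the VPNv2 CSP. Below is an added example of that, not the video's script or the commenter's: it generates a device tunnel profile from a few variables (generalised to any list of CIDR routes) and installs it through the MDM WMI bridge. Assumptions that are not in the video: the server FQDN `vpn.divv.local`, the profile name, the two internal routes and the trusted-network suffix. Because a device tunnel is machine-wide, the deployment part must run as SYSTEM (for example via `psexec -s` or a computer startup script); it fails from an ordinary elevated prompt.

```powershell
# Added example: build a device tunnel ProfileXML and push it via the VPNv2 CSP (run as SYSTEM).
$ProfileName   = "AlwaysOnVPN-Device"                 # assumed
$VpnServer     = "vpn.divv.local"                     # assumed public FQDN on the RAS cert
$Routes        = @("10.0.0.0/24", "10.0.1.0/24")      # assumed; only these go through the tunnel
$TrustedSuffix = "divv.local"                         # skip the tunnel when on the corporate LAN

# Each prefix becomes its own <Route> element; there is no list form in the schema.
$RouteXml = ($Routes | ForEach-Object {
    $addr, $len = $_ -split '/'
    "  <Route><Address>$addr</Address><PrefixSize>$len</PrefixSize></Route>"
}) -join "`n"

# Element order follows the documented device tunnel sample; the CSP is picky about it.
$ProfileXML = @"
<VPNProfile>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
$RouteXml
  <AlwaysOn>true</AlwaysOn>
  <TrustedNetworkDetection>$TrustedSuffix</TrustedNetworkDetection>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
</VPNProfile>
"@

# Fail fast on malformed XML; the CSP's own error messages are not helpful.
$null = [xml]$ProfileXML

# The CSP node ID is URL-escaped and the XML is entity-escaped inside the CIM property.
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'
$ProfileXMLEscaped  = [System.Security.SecurityElement]::Escape($ProfileXML)

$namespaceName = "root\cimv2\mdm\dmmap"
$className     = "MDM_VPNv2_01"
$nodeCSPURI    = "./Vendor/MSFT/VPNv2"
$session       = New-CimSession

# Delete any existing instance so a re-run replaces the profile instead of erroring.
Get-CimInstance -Namespace $namespaceName -ClassName $className -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceID -eq $ProfileNameEscaped } |
    ForEach-Object { $session.DeleteInstance($namespaceName, $_) }

$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
foreach ($p in @(
    @{ Name = "ParentID";   Value = $nodeCSPURI;         Flags = "Key" },
    @{ Name = "InstanceID"; Value = $ProfileNameEscaped; Flags = "Key" },
    @{ Name = "ProfileXML"; Value = $ProfileXMLEscaped;  Flags = "Property" })) {
    $newInstance.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, "String", $p.Flags))
}
$session.CreateInstance($namespaceName, $newInstance) | Out-Null

# Check: the profile exists as an all-user connection, and after it connects the routing
# table should show only the /24s above, not a class-based 10.0.0.0/8 route.
Get-VpnConnection -AllUserConnection -Name $ProfileName | Select-Object Name, SplitTunneling, ConnectionStatus
```

After the tunnel comes up, `Get-NetRoute -InterfaceAlias $ProfileName` is the quickest way to confirm the class-based route is gone; if a 10.0.0.0/8 entry is present, the CSP rejected the profile and fell back to an old one.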
Hello divv, thank you for your detailed documentation. This helped me a lot. Have you already tested your configuration with Windows11? So far I haven't got it. Maybe also a bug like with Server 2019 RAS (SC.exe IAS ...)?
kind regards Patrick
Well done, I'll give it a try. To better visualize the VMs you could have expanded the VM windows a bit more 😉
I seem to be having an issue that is not addressed here. My user certificate is not deployed to the computers. I've double-checked the video and I have the same configuration.
Great guide, however I do have one question. The DC, RAS and NPS server cannot resolve DNS queries, because the DNS server on the DC is not set up for that in this guide. Is this on purpose?
Just connect your DNS server to the internet; it resolves DNS queries via the root hints DNS servers.
Minute 44:09: if you choose RADIUS Accounting as the Accounting Provider, I think you have to do the Configure (NPS.divv.local server) as well.
How to deploy always on vpn for newly installed remote computers?
Not joined to the domain yet, no certificate yet.
Set up another VPN server, log in with username and password, join the domain, and then use the startup script to set up User Tunnel and Device Tunnel.
I have followed your video and everything is working fine, but I want your help to configure this VPN client on macOS. Is it possible? Can you please guide me on this?
Great Job, thanks a lot!
Thanks for making this video. What do you do when you don't get the certificate?
Wow! Has anything changed dramatically with Server 2022? Question though, can I install all of the server roles on the same server?
I know this is a lab but in a production environment there’s a security risk installing DHCP on a DC and you are gonna have some pain if you put the CA on the DC. Otherwise, great vid! Helped me a load thanks!
Hi. Would you care to elaborate on the security risk of placing DHCP and DNS on the domain controller?
@@MR-vj8dn It's to do with the account that DHCP uses to do its stuff. It's hugely overprivileged for a domain controller, which is a Tier 0 server. Any vulnerability in the DHCP service means your enterprise gets completely owned. Search "Disable or remove the DHCP Server service installed on any domain controllers" and the top hit should be Microsoft page with a video explainer.
@@fiddley I get it. I’ll read up on it. Thanks for the heads-up.
Also, my mistake to include DNS in my question above. Surely AD needs DNS to live locally on the DC?
@@MR-vj8dn Not sure; Domain Services and DNS may be set up on two servers. However, that's really complicated...
Hello Divv, great guide first of all. I got pretty much almost everything working. It's just that with the same VPN profile (PEAP - Authentication - certificate, smart card - Certificate authentication) I'm getting event ID 6273 with reason code 16 in regards to a credential error. Not sure what the issue is here. If I change authentication to certificate only (as I also have a computer authentication cert in my certlm) it's able to connect straight away.
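Both the "reason code 16" question above and the earlier comment about the offline CRL came down to the same thing: the client only says "Connection prevented because of a policy on your RAS/VPN server", while the NPS Security log (event 6273 for rejects, 6272 for grants) carries the real reason. This is an added troubleshooting script, not something from the video: run it elevated on the NPS server and it returns the recent NPS decisions as objects with the reason code and text pulled out of the event XML, then summarises the denials. The 24-hour window and the 500-event cap are arbitrary lab choices.

```powershell
# Added example: parse NPS authentication events (6272/6273) on the NPS server.
function Get-NpsAuthEvents {
    param(
        [int]$Hours = 24,
        [int]$MaxEvents = 500
    )
    $filter = @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Id           = 6272, 6273
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # EventData is a list of <Data Name="..."> elements; turn it into a hashtable.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($node in $x.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Result     = if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' }
            User       = $d['FullyQualifiedSubjectUserName']
            Machine    = $d['FullyQualifiedSubjectMachineName']
            ClientIP   = $d['CallingStationID']       # the VPN client's address as seen by RAS
            NasName    = $d['ClientName']             # the RADIUS client (RAS server) entry name
            AuthType   = $d['AuthenticationType']
            EapType    = $d['EAPType']
            Policy     = $d['NetworkPolicyName']
            ReasonCode = [int]($d['ReasonCode'])      # e.g. 16 = credential mismatch
            Reason     = $d['Reason']                 # full text, e.g. the revocation-offline message
        }
    }
}

$events = Get-NpsAuthEvents

# Most frequent denial reasons first; the Reason text is what to search for in the NPS docs.
$events | Where-Object Result -eq 'Denied' |
    Group-Object ReasonCode, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name

# Full detail for the last 10 denials, including which network policy matched.
$events | Where-Object Result -eq 'Denied' | Select-Object -First 10 | Format-List
```

If the NPS server logs nothing at all for a failed attempt, the request never reached it: check the RADIUS client entry and shared secret on the RAS server before looking at certificates.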
Hi Divv, fantastic guide. Would you mind explaining a little more about your DMZ setup? On your ISP router do you put the 10.x address as the IP address for the DMZ, or a static 192.x IP assigned to the internal router on its WAN port? Thanks.
Hi Tim. When I activate DMZ on a physical port (port 4 in my case) on my ISP router, whatever I then connect to that port will receive a new public IP from my ISP. I chose to connect a new router (the internal router) to port 4, which DMZ is activated on. My internal router thus has a public IP on its WAN, and it is on my internal router that I set up the 10.x network. If your ISP is not providing you the option of DMZ, you will have to have your whole setup on the same network I believe, 192.x.
@@divv8079 Hi Divv, thanks for your reply. I was able to get it working and set up a device and user tunnel in my homelab. Definitely learned a lot through the process.
Hi, I generated the SetOnVpnAutoTrigger scripts but Always On is always connected, it does not detect the DNS suffix. Do you know why? Thank you!
excellent video, thank you very much, any way to get the scripts?
Hi everyone! I'm not really good at Windows administration. Can someone explain one thing: I've done all the steps that were shown in the video and my Win10 gets a cert for the user. However, when I move the virtual machine into another network Windows deletes this cert, and also if I bring Win10 back into the home network it doesn't enroll the cert. Why can this happen and what do I need to look at?
I've followed this guide to the letter up to the setting up of the template. Whilst testing this I get a successful connection but no internet access. Both VPN connection and wifi connection show no internet. I can't get past this. Any thoughts? Love the video btw!
Would have been nice if you had posted the scripts in the description. Here is the FullControl one from 1:24:00... otherwise fantastic AOVPN setup video!
# Runs as a computer startup script (SYSTEM): grants the local Users group Full Control on RasMan\Config
$Path = "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config"
if (!(Test-Path -Path $Path))
{
    New-Item -Path $Path | Out-Null
}
# "BUILTIN\Users" always translates to a SID; the originally posted ".\Users" does not on every host
$IdRef = [System.Security.Principal.NTAccount]("BUILTIN\Users")
$RegRights = [System.Security.AccessControl.RegistryRights]::FullControl
$InhFlags = [System.Security.AccessControl.InheritanceFlags]::None
$PrFlags = [System.Security.AccessControl.PropagationFlags]::None
$AcType = [System.Security.AccessControl.AccessControlType]::Allow
$Rule = New-Object System.Security.AccessControl.RegistryAccessRule ($IdRef, $RegRights, $InhFlags, $PrFlags, $AcType)
$Acl = Get-Acl $Path
$Acl.SetAccessRule($Rule)
$Acl | Set-Acl -Path $Path
And the AutoTrigger one from 1:24:58......
$Path = "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config"
# Only write the trigger values if the key exists (the FullControl script creates it)
if (Test-Path -Path $Path)
{
$AppendedDnsSuffixSearchList = "domain-name"
$AutoTriggerProfileEntryName = "AlwaysOnVPN"
# Phonebook of the current user; the profile named above must exist in this file
$AutoTriggerProfilePhonebookPath = "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk"
# SID of the user the trigger applies to
$UserSID = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
New-ItemProperty -Path $Path -Name "AppendedDnsSuffixSearchList" -Value $AppendedDnsSuffixSearchList -Force
New-ItemProperty -Path $Path -Name "AutoTriggerDisabledProfilesList" -Force -PropertyType MultiString
New-ItemProperty -Path $Path -Name "AutoTriggerProfileEntryName" -Value $AutoTriggerProfileEntryName -Force
New-ItemProperty -Path $Path -Name "AutoTriggerProfilePhonebookPath" -Value $AutoTriggerProfilePhonebookPath -Force
New-ItemProperty -Path $Path -Name "UserSID" -Value $UserSID -Force
}
Thank you, sir.
Thank you, you saved me a lot of typing. The other piece of code missing, to copy the PBK:
# Only copy when the domain controller is reachable, i.e. we are on the corporate network
If (Test-Connection -ComputerName DOMAIN-CONTROLLER -Quiet -Count 1) {
# Phonebook published in SYSVOL under the GPO's logon scripts folder; {GUID} is the GPO's GUID
Copy-Item "\\DOMAIN\SysVol\TANUKI.local\Policies\{GUID}\User\Scripts\Logon\rasphone.pbk" -Destination "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\Network\Connections\Pbk"
}
The Full Control script didn't work for me. It doesn't add the permissions for local users. How do I fix this? How can I test or debug the issue?
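An added example, not from the video and not one of the scripts posted above, that answers the "how can I test this" question: it checks whether the local Users group really holds FullControl on the RasMan\Config key, whether the session is elevated (Set-Acl on an HKLM key fails without that, which is the usual reason the rule never appears), which of the auto-trigger values from the second script exist, and whether the user's rasphone.pbk contains the profile section the trigger refers to. It assumes the key path and value names from the scripts above, the profile name "AlwaysOnVPN", and locates the phonebook through $env:APPDATA instead of the hard-coded C:\Users path.

```powershell
# Added verification example (not from the video or the commenters' scripts).
# Assumes the same key path, value names and profile name as the scripts above.
$RasManConfig = "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config"

function Test-IsElevated {
    # Writing an ACL on an HKLM key needs an elevated token
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UsersFullControlRule {
    param([string]$KeyPath = $RasManConfig)
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    # Compare by SID so the check does not depend on the machine name or display language
    $usersSid = ([System.Security.Principal.NTAccount]"BUILTIN\Users").Translate(
        [System.Security.Principal.SecurityIdentifier])
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    (Get-Acl -Path $KeyPath).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $usersSid -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            (($_.RegistryRights -band $full) -eq $full)
        } | Select-Object -First 1
}

function Get-AutoTriggerState {
    param([string]$KeyPath = $RasManConfig,
          [string]$ProfileName = "AlwaysOnVPN")   # assumed profile name from the scripts above
    $names = 'AppendedDnsSuffixSearchList', 'AutoTriggerDisabledProfilesList',
             'AutoTriggerProfileEntryName', 'AutoTriggerProfilePhonebookPath', 'UserSID'
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($n in $names) {
        $data = $null
        if ($props) { $data = $props.$n }
        [pscustomobject]@{
            Value   = $n
            Present = ($null -ne $props -and $props.PSObject.Properties.Name -contains $n)
            Data    = $data
        }
    }
    # The phonebook the trigger points at must exist and contain a [ProfileName] section
    $pbk = Join-Path $env:APPDATA "Microsoft\Network\Connections\Pbk\rasphone.pbk"
    $hasProfile = (Test-Path $pbk) -and
        (Select-String -Path $pbk -Pattern "^\[$([regex]::Escape($ProfileName))\]" -Quiet)
    [pscustomobject]@{ Value = "rasphone.pbk [$ProfileName]"; Present = [bool]$hasProfile; Data = $pbk }
}

# --- run the checks ---
if (-not (Test-IsElevated)) {
    Write-Warning "Not elevated: the FullControl script cannot change HKLM ACLs from this session."
}
$rule = Get-UsersFullControlRule
if ($rule) {
    "Users have FullControl on $RasManConfig (inherited: $($rule.IsInherited))"
} else {
    "Users do NOT have FullControl on $RasManConfig (or the key is missing)"
}
Get-AutoTriggerState | Format-Table -AutoSize
```

Run it in the same context the scripts ran in: if the FullControl script is deployed as a computer startup script it runs as SYSTEM and the rule should show up as a non-inherited Allow ACE; if it was run by hand from a non-elevated prompt, the warning above is the explanation. A missing [AlwaysOnVPN] row points at the phonebook copy rather than at the registry values.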
One question - can we prevent the users from disconnecting the VPN or deleting the connection? BTW - fantastic video - looking to propose to multiple clients now that so much of the world is moving to remote work/workforce...
Remove the user from the VPN group. Done.
Hello :) Thanks for your great video! Maybe you can explain something to me:
Why are you using a device and a user tunnel? In this test it is the same connection. Just for showing the tunnel in the list in the Windows UI? Is it no problem to use both connections at the same time? Maybe it would be great to have the device tunnel for DC connect only, and the client tunnel for SMB and this whole user stuff. You think this is possible? I think it's only possible with a second RAS server for an additional connection.
Is it possible to get a link to the scripts you have used in the automation of the tunnels?
@divu Thank you for the excellent video! I have a similar deployment and VPN connects fine but I can't access the internal resources like ping and RDP won't work but nslookup works fine. Any thoughts?
It's a real pain that they replaced Direct Access - which does all this already and is far far far easier to setup and deploy, with this convoluted mess :(
Hi Divv, Is it possible to set up vpn for an ios device using the infrastructure you have deployed concurrently with the always on vpn for windows devices?
How to connect Mac OS devices to this VPN?
Very well done video. I learn best by watching someone do it, and then mimicking it several times to imprint it in my memory. So thanks.
The one issue I have right now is the part where I need to verify the user certificate on the Windows 10 Computer. I don't have a physical computer like your Lenovo to use, so I just created another Hyper-V VM with Windows 10 Enterprise. GPRESULT -r shows that it's getting the policies. But when I go into certmgr, and look under Personal, I do not see the Certificates folder, hence I do not see the user certificate. I went back through the whole video, and I cannot see where I went wrong. Everything I did matches exactly what you did except for this being a VM instead of a physical PC. It joined to the domain fine, no issues there and like I said, it's getting the group policies. Any help you can provide would be much appreciated. Howdy from Texas, USA!
Could it be that you don't have the "Software Key Provider" selected in your cert template? In this case issuing a certificate to a VM would fail because you don't have a TPM 2.0 module. To check for this, try to manually request the certificate by right-clicking on your "Personal" folder in certmgr.
@@LescherYT I actually missed one of the steps for adding user/computer to the group that was created. Once I did that, I saw the certificate. Now my only issue is connecting to the VPN. Not working right now. Need to T/S further, and then maybe post here if I can't figure it out. Thanks for the reply.
Hi! Thanks a lot for this guide! Can you share ps scripts, please?
Well done
Great explanation. Can you please create an SSTP VPN video?
Can you create a video for Intune always on VPN
What if I don't have an external domain name?
Hello,
Thanks for your video. It's perfect. Can you send the script you made, so the log doesn't show the errors?
Thanks
Is it possible to use one server to host all these functionalities, i.e. DC, RAS and RPS?
Why not? In that lab...
Did you try this at all? I am currently trying to figure how to do this on an existing vpn.
I am trying this in a test infrastructure but I am stuck at connecting with the VPN template.
I am getting the error: "The network connection between your computer and the VPN server could not be established because the remote server is not responding". It has the error code 809.
I have checked the UDP ports 500 and 4500 on the firewall, I have checked the certificates. I have pinged every device in the network and I am quite desperate now.
I have almost done everything you can find on the internet but nothing has helped so far.
Do you know a solution maybe?
UPDATE:
I found out that I used a domain name which was already used at my company.
So I started over again with a different domain name and got into another problem.
This time I get the same error Divv is getting as well. But after trying several solutions found on the internet, I still can't connect with the template.
I have checked all authentication methods and everything is the same on the client as on the servers.
I don't know what to do anymore. PLS help.
Hi and thanks a lot for the detailed guide. Is there any way to remove the user from the local Administrators group after finishing the process?
startup script:
strComputer = "."
' Local Administrators group that every other local user is removed from
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
' Built-in Administrator account: set its password (stored in clear text in this script)
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
objUser.SetPassword "123456789"
objUser.SetInfo
' Enumerate the local user accounts
Set objDomain = GetObject("WinNT://" & strComputer)
objDomain.Filter = Array("User")
' Remove raises an error for accounts that are not group members; do not abort the loop on it
On Error Resume Next
For Each objUser in objDomain
strUser = objUser.Name
If strUser = "Administrator" Then
objUser.AccountDisabled = False
objUser.SetInfo
Else
objGroup.Remove(objUser.AdsPath)
objUser.SetInfo
End If
Next
This script is more dangerous, and it needs to reveal the administrator password. Try to encapsulate the bat into an exe and use the script to execute the exe.
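As an added example (not from the video or the scripts in this thread), the same clean-up can be done from PowerShell without embedding any password and without touching the built-in Administrator account: remove a named account from the local Administrators group only if it is actually a member. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and uses a constructed account name as the sample argument.

```powershell
# Added example, not part of the video or the commenters' scripts.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+)
# and an elevated session.
function Remove-FromLocalAdministrators {
    param(
        [Parameter(Mandatory)][string]$Member   # e.g. 'TANUKI\jdoe' (constructed sample value)
    )
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    $target = $admins | Where-Object { $_.Name -eq $Member }
    if (-not $target) {
        Write-Output "$Member is not a member of Administrators; nothing to do."
        return $false
    }
    # Never remove the built-in Administrator account (RID 500), even if it was passed in by mistake
    if ($target.SID.Value -like 'S-1-5-21-*-500') {
        Write-Warning "Refusing to remove the built-in Administrator account."
        return $false
    }
    Remove-LocalGroupMember -Group 'Administrators' -Member $Member -ErrorAction Stop
    Write-Output "Removed $Member from Administrators."
    return $true
}

# Sample call with a constructed domain account name
Remove-FromLocalAdministrators -Member 'TANUKI\jdoe'
```

Run as a computer startup script it executes as SYSTEM, so no credentials are needed in the file; the account to remove can be passed in from the GPO's script parameters instead of being hard-coded.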
Can you please explain why you chose WS 2012 R2 and Windows 8.1/Windows Server 2012 R2?
I used Windows Server 2019 and Windows 10 Enterprise in this guide.
Hi, so I have followed this tutorial 3 times, and I still have the same issue. I have the same network setup as you, but I have a strange issue when connecting to the template from an external, or even internal network. Whenever I attempt to connect it gives an error: “The network connection between your computer and the remote server can not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your service provider to determine which device may be causing the problem.” I have port forwarded and everything, and google didn’t help much. If anyone knows what the issue is please let me know. Thanks!
I've got the same issue and I haven't got a solution yet. Quite desperate to find one though.
@@boukeeisma9995 I’m going to contact Microsoft business support and see if they can figure it out, I’ll let you know if I find anything. Also maybe it’s the internet service provider? Are you using Comcast?
@@boukeeisma9995 I found a solution and have fully set it up. Port forward ports 500 through 4500, instead of just ports 500 and 4500. Hope this helps!
@@TheMihi88 yeah
Very well documented.
Thank you sir!
How to install Windows Server 2019 Active Directory on a VPS, and how to join a local computer to that Active Directory server?
You need a VPN tunnel.
Have this same problem with Win11. Windows 10 can connect without any problems.
Will this work with Windows 10 Pro or does this setup require Enterprise?
"Device Tunnel" works only on the Enterprise version.
I was getting the same error in the video: Connection prevented because of a policy on your RAS/VPN server.
Checking the Event Viewer on the NPS server helped get more detail.
In my case the error was: The revocation function was unable to check revocation because the revocation server was offline.
This was because my offline root CA CRL was out of date. Publishing a new offline CRL did the trick.
1:08:** The problem does not occur in Windows 2022.
Thank you
Thank you
Getting an error while connecting the VPN. Error: IKE credentials are unacceptable.
You basically have to break security to enable this.
Too many configurations to do while I could just issue a one liner on Linux to configure an IKEv2 server with certificate-based authentication.
Please, you can share....
Agree with comment - show us how you do this.
You're right, too many steps, but that's an excellent guide for Windows admins.
🤦♂️
Great Video, Thanks.
Can you have the NPS and RAS on the same server?