Always On VPN in Azure Part 2
Hello everyone, this is the second post in the series on Always On VPN in Azure. To securely access your resources, it is possible to configure Always On VPN in Azure with the Azure VPN Gateway and enroll the VPN profile with Microsoft Intune. If you missed part one, please click on the following link.
Setting up Conditional Access for the user VPN tunnel
So why do we need to set up Conditional Access for the VPN? Because we want to use the small built-in PKI that this Microsoft feature provides, so we do not need to set up certificates in our own PKI environment. I want to show ways to set up the VPN without using on-prem resources, and securing the user VPN tunnel with device compliance adds an extra layer of security to your environment. Windows Hello, which is already the extra security layer when users log on, is an accepted MFA method for the VPN. Also, when you connect to the VPN you get a short-lived user certificate issued from Azure; when you disconnect, the certificate is removed.
- First, go to Azure Active Directory and open the Security tab. There, click on Conditional Access and then on VPN connectivity. Click on New certificate. When this is finished, click on Download base64 certificate to download the root certificate.

- Now it is possible to create a Conditional Access policy targeted at the VPN Server. Click on Policies and then on New policy. Here we can configure several options.
- Assignments
  - Users: Click on All users
  - Cloud apps or actions: Select apps and search for VPN Server.
  - Conditions: No conditions selected (configure this to your own needs)
- Access controls
  - Grant: Click on Require multifactor authentication and click on Require device to be marked as compliant.
  - Session: No controls selected (for device compliance this option is not needed)
- Enable policy: On (and click on Save)

- To gain access to this VPN, you need to create a compliance policy in Microsoft Intune. Go to the Microsoft Intune portal and click on Devices. Then go to Windows and click on Compliance policies. There, click on Create policy; the following settings can be configured. For my VMs I will choose a few options to test the compliance and leave the rest Not configured for now. Feel free to configure a more secure compliance policy for your organization. Assign a group to apply the compliance policy. Be aware that if some requirements are not met, users cannot connect to the VPN.

- To access the VPN you also need to configure a Trusted certificate profile to deploy the root certificate from the Conditional Access VPN connectivity setting. Go to the Microsoft Intune portal, click on Devices and then on Configuration profiles. Click on Create profile, click on Windows 10 and later and then on Templates. Search for "trusted" and click on Trusted certificate. Within the wizard you can upload the .CER file to complete this profile. Assign this to the same user group that is going to use the VPN.

Configuring the Azure VPN Gateway for the user VPN tunnel
To show that it is possible to create two Always On VPN tunnels on the same device, I will also show you how to create the user VPN tunnel in Azure. It is also possible to set up only this type of VPN tunnel. To have multiple Azure VPN Gateways, you need to use a new VNET, because you cannot connect the same VNET to a second Azure VPN Gateway. You can check in part one how to create a VNET and an Azure VPN Gateway. When everything is in place, we can start the steps to configure this gateway for the user tunnel.
- First, we need to configure the Point-to-site configuration: click on Point-to-site configuration and then on the text Configure now. Now we can fill in the fields for the Point-to-site configuration.
  - Address pool: 192.168.100.0/24 (choose the correct VPN client subnet, because devices will get addresses from this subnet; also choose a different subnet for this VPN tunnel if you want to combine the two VPN tunnels)
  - Tunnel type: IKEv2
  - Authentication type: Azure Certificate
  - Here we are going to use the certificate from the Conditional Access VPN connectivity setting. Open the downloaded .CER file and copy the content between BEGIN CERTIFICATE and END CERTIFICATE into the field Public certificate data. Enter a name for the root certificate.

- When the configuration is done, click on Download VPN client (select the default option) to get a zip file. Once the zip file is extracted, go to the folder Generic and open the file VpnSettings.xml. In this file you can find the connection URL for the VPN profile.


- Always make sure your connectivity between your VPN client subnet and your VNET is set up correctly, so that VPN clients from the client subnet range can reach the resources within the VNET.
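The two values this step produces, the Base64 "Public certificate data" and the gateway address from VpnSettings.xml, are easy to get wrong by hand (a truncated paste or a leftover line break). The following PowerShell is an added example, not part of the original post or of Microsoft's tooling; the file paths and the VpnServer element name inside VpnSettings.xml are assumptions.

```powershell
# Added example (not from the original post): prepare the values for the
# Point-to-site configuration from the downloaded files. Paths are assumptions.
$rootCerPath     = 'C:\AOVPN\VpnConditionalAccessRoot.cer'       # Base64 root cert from Conditional Access > VPN connectivity
$vpnSettingsPath = 'C:\AOVPN\VpnClient\Generic\VpnSettings.xml'   # from the downloaded VPN client zip

# 1. Turn the .CER file into the single Base64 string Azure expects in
#    "Public certificate data": strip the BEGIN/END lines and all whitespace.
$bytes = [System.IO.File]::ReadAllBytes($rootCerPath)
$text  = [System.Text.Encoding]::ASCII.GetString($bytes)
if ($text -match '-----BEGIN CERTIFICATE-----') {
    $base64 = $text -replace '-----BEGIN CERTIFICATE-----', ''
    $base64 = $base64 -replace '-----END CERTIFICATE-----', ''
    $base64 = $base64 -replace '\s', ''
} else {
    # The file is DER encoded rather than Base64 text; encode it ourselves.
    $base64 = [System.Convert]::ToBase64String($bytes)
}

# 2. Parse the string back into a certificate so a truncated or mangled copy is
#    caught here instead of as a failed IKEv2 handshake later. The thumbprint is
#    what you compare with the Trusted certificate profile deployed by Intune.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [System.Convert]::FromBase64String($base64))
"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"Valid until: $($cert.NotAfter)"

# 3. Read the gateway FQDN that the Intune VPN profile must point to.
#    Assumption: the Generic folder's VpnSettings.xml has <VpnProfile><VpnServer>.
[xml]$settings = Get-Content -Path $vpnSettingsPath -Raw
"VPN server : $($settings.VpnProfile.VpnServer)"

# Put the Base64 string on the clipboard, ready to paste into the portal.
Set-Clipboard -Value $base64
"Public certificate data copied to the clipboard ($($base64.Length) characters)."
```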
Creating the device configuration profiles for the user VPN tunnel
The Azure VPN Gateway is ready to connect, but first we need to configure the VPN profile in Microsoft Intune to connect to the VPN. The following profile should be created.
- VPN profile (Windows 10 and later)
Assigning it to the same group as the Trusted certificate profile is important, otherwise the connection to the Azure VPN Gateway will fail.
- Now we need to create the EAP XML for the next step. You can use my template to configure the profile with the Conditional Access certificate. This EAP XML will be used by the Windows VPN client. You can copy and paste the following code. Please check that the code pastes as one line in Notepad (Word Wrap should be disabled). Notepad++ shows the code more reliably.
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type><EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"><CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore></CredentialsSource><ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation><DifferentUsername>false</DifferentUsername><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName><TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"><FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3"><EKUMapping><EKUMap><EKUName>AAD Conditional Access</EKUName><EKUOID>1.3.6.1.4.1.311.87</EKUOID></EKUMap></EKUMapping><ClientAuthEKUList Enabled="true"><EKUMapInList><EKUName>AAD Conditional Access</EKUName></EKUMapInList></ClientAuthEKUList></FilteringInfo></TLSExtensions></EapType></Eap></Config></EapHostConfig>
- If the certificate profiles are in place and your EAP XML is ready, you can configure the VPN profile. We are going to create a Configuration profile: click on Create profile and then on Windows 10 and later. Then click on Templates and choose VPN. Now we configure the settings in the profile with the following values (values not mentioned are left at their defaults):
- Use this VPN profile with a user/device scope: User
- Connection type: IKEv2 (Native type)
- Base VPN
  - Connection name: AOVPN M2C User (please choose your own name)
  - Servers: Description: Azure VPN Gateway User (choose your own name), VPN server address: (the Azure VPN URL from the file VpnSettings.xml), Default server: True
  - Always On: Enable
  - Authentication method: EAP
  - EAP XML: (paste the EAP XML created in the previous step)
  - Device tunnel: Disable
- Conditional Access
  - Conditional Access for this VPN connection: Enable
- Split tunneling (this is required for the device tunnel)
  - Split tunneling: Enable
  - Destination prefix: 10.1.0.0, Prefix size: 24 (this is the range within my VNET in Azure. Be aware that the split tunnel represents your subnet connectivity over the VPN: the VPN client will send traffic for this destination prefix over the tunnel.)
- Trusted network detection (if you are working internally, the VPN will not connect; if you want to use the VPN internally as well, leave this field blank)
  - Trusted network DNS suffixes: m2c.local (please use your own local domain name from your Active Directory)
When the configuration is done, please assign the same device group as the certificate profiles.
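Because the EAP XML above is pasted by hand, the most common failure is that a web page or editor has replaced the straight quotes with curly ones, which silently breaks the profile on the device. The following PowerShell is an added example, not part of the original post; it checks a saved copy of the EAP XML before you paste it into the EAP XML field. The file path is an assumption.

```powershell
# Added example (not from the original post): sanity-check a saved copy of the
# EAP XML before pasting it into the Intune VPN profile. Path is an assumption.
$eapPath = 'C:\AOVPN\eap.xml'
$raw = Get-Content -Path $eapPath -Raw

# Curly quotes or a double prime instead of " make the XML invalid; normalise them.
if ($raw -match '[\u201C\u201D\u2033]') {
    Write-Warning 'Curly quotes found in the EAP XML; replacing them with straight quotes.'
    $raw = $raw -replace '[\u201C\u201D\u2033]', '"'
    Set-Content -Path $eapPath -Value $raw -Encoding UTF8 -NoNewline
}

try { [xml]$eap = $raw } catch { throw "EAP XML is not well-formed: $($_.Exception.Message)" }

# PowerShell's XML adapter walks child elements by name, which is convenient
# here because every branch of the EAP document carries its own xmlns.
$method = $eap.EapHostConfig.EapMethod
$tls    = $eap.EapHostConfig.Config.Eap.EapType
$filter = $tls.TLSExtensions.FilteringInfo
$caOid  = '1.3.6.1.4.1.311.87'   # AAD Conditional Access EKU used in the template above

$checks = [ordered]@{
    'Pastes as a single line'                   = (($raw.Trim() -split "`r?`n").Count -eq 1)
    'EAP method is EAP-TLS (type 13)'           = ($method.Type -eq '13' -and $eap.EapHostConfig.Config.Eap.Type -eq '13')
    'Client certificate comes from the store'   = ($tls.CredentialsSource.CertificateStore.SimpleCertSelection -eq 'true')
    'EKU mapping contains the AAD CA OID'       = (@($filter.EKUMapping.EKUMap.EKUOID) -contains $caOid)
    'Client EKU filter is enabled'              = ($filter.ClientAuthEKUList.Enabled -eq 'true')
    'Client EKU filter references a mapped EKU' = (@($filter.EKUMapping.EKUMap.EKUName) -contains $filter.ClientAuthEKUList.EKUMapInList.EKUName)
}

$failed = 0
foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    if (-not $ok) { $failed++ }
    '{0,-45} {1}' -f $name, $(if ($ok) { 'OK' } else { 'FAIL' })
}
if ($failed) { Write-Warning "$failed check(s) failed; do not paste this EAP XML yet." }
```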

Check if the VPN connects on your device
Now we are going to check if the VPN connects on my device. Because I have configured a device tunnel, you can also use this VPN for Autopilot. Check out this post from Richard Hicks about subscription activation during Autopilot.
- First, we check if all profiles have been assigned in Microsoft Intune. If all checks are green, the VPN profiles must be available on the device. It is possible that the VPN profile shows errors, but the status page of the devices is not real time. This can be a timing issue, because the certificates need to be in place before the VPN profiles can be configured. It took me some time to get the VPN profiles to green.

- Now we check if the VM is connected to the device tunnel VPN. You can check this with the rasdial.exe command; open cmd.exe to run it. As you can see, it is successfully connected to the Azure VPN Gateway. The connection is hidden in Windows, which is why I show you this command. It is also visible in the network adapters list in Windows.

- This can also be checked in the Azure VPN Gateway in Azure. Open the Azure VPN Gateway and go to the Point-to-site Sessions tab to check if your device is connected. You should see a connection like the following screenshot. The VPN username is the Intune ID of your device; this ID can be copied and searched for in the Devices list in Endpoint Manager.

- We also want to check if the user VPN tunnel gets connected. My device is not yet compliant, so we are going to check what happens when we try to connect to the VPN. The first time, we need to connect the VPN ourselves; the next time you log in, it will try to connect automatically. When I try to connect the VPN and pick my account, access to the VPN is blocked because my device is not compliant. You can click on Open to check your compliance in the Company Portal online.



- After my device has been encrypted with BitLocker and I re-evaluated my access through the Company Portal, I tried again to connect to the user VPN tunnel with my device. But when I restarted the device, the VPN was already connected.

- We can check the connection in the Azure VPN Gateway. Go to the Monitoring section and click on Point-to-site Sessions. You will see the user connected with the UPN name.

- We can also check if the user has the short-lived certificate from the Conditional Access VPN connectivity configuration. When we open the Certificate Manager in Windows, we see the following certificate in the Personal certificate store. It expires within one day. If you disconnect the VPN, it is removed from the computer.

- Now to show that it is possible to have two Always On VPN tunnels on your hybrid domain joined Windows 10 device: this shows the double connection on Windows 10 21H2.

- Windows 11 22H2 did not work with two VPN tunnels at first, but Microsoft fixed this issue with updates on Windows 11. Please check the link from Microsoft. Feel free to comment on this post in the comments section.
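The checks above (rasdial for the hidden device tunnel, the user tunnel status, and the short-lived certificate in the Personal store) can be done in one go from PowerShell on the client. This is an added example, not part of the original post; the connection names are assumptions taken from the profile names used in this series, so use the names from your own VPN profiles.

```powershell
# Added example (not from the original post): verify both Always On VPN tunnels
# and the short-lived Conditional Access certificate on the Windows client.
# Connection names are assumptions; use the names from your own VPN profiles.
$deviceTunnelName = 'AOVPN M2C Device'
$userTunnelName   = 'AOVPN M2C User'

# Device tunnel profiles live in the all-user (machine) phonebook, which is why
# they do not show in the user's network flyout and rasdial was used above.
$device = Get-VpnConnection -AllUserConnection -Name $deviceTunnelName -ErrorAction SilentlyContinue
$user   = Get-VpnConnection -Name $userTunnelName -ErrorAction SilentlyContinue

'{0,-22} {1,-14} {2,-8} {3}' -f 'Profile', 'Status', 'Tunnel', 'Server'
foreach ($c in @($device, $user) | Where-Object { $_ }) {
    '{0,-22} {1,-14} {2,-8} {3}' -f $c.Name, $c.ConnectionStatus, $c.TunnelType, $c.ServerAddress
}
if (-not $device) { Write-Warning "Device tunnel profile '$deviceTunnelName' not found; Intune may not have delivered it yet." }
if (-not $user)   { Write-Warning "User tunnel profile '$userTunnelName' not found; Intune may not have delivered it yet." }

# While the user tunnel is connected, Azure issues a short-lived certificate into
# the user's Personal store carrying the AAD Conditional Access EKU that the EAP
# XML filters on. It disappears again when the tunnel is disconnected.
$caEku = '1.3.6.1.4.1.311.87'
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$caCerts = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_ -is $ekuType }
    $ext -and ($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $caEku })
}

if (-not $caCerts) {
    'No Conditional Access certificate in the Personal store: the user tunnel is not connected or access was blocked by policy.'
} else {
    foreach ($cert in $caCerts) {
        'Conditional Access cert {0} issued to {1}, expires {2}' -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter
    }
}
```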
More information
Always On VPN features | Microsoft Learn
Deploy Always On VPN | Microsoft Learn
Tutorial – Create & manage a VPN gateway – Azure portal – Azure VPN Gateway | Microsoft Learn
Final thoughts
This post was about moving the Always On VPN to the cloud. Always On VPN in Azure may be useful if you are building your footprint in Azure. This solution is built for extra security and connectivity of your environment. Having the option to create two VPN tunnels on your device could be an option for your company. The user VPN tunnel is the easiest way to set up an Always On VPN, because there are practically no extra services needed besides the Azure VPN Gateway and Conditional Access. The device tunnel gives the convenience of setting up the connection before logon; if you have a hybrid domain joined device this is the way to go, because services need to be connected before logon. But be aware that the device VPN tunnel does not have Conditional Access. That's why I wanted to show that it is possible to have two VPN tunnels on the same device. I hope you enjoyed this post. Feel free to ask questions in the comments.