How to deploy an Always On VPN to Azure VPN Gateway with Conditional Access

In a previous blog post, I published a way to configure and deploy an Always On VPN on Intune-managed devices, connecting to an Azure VPN Gateway. The goal was to achieve an Always On VPN deployment with cloud-native solutions more easily than it would be using their traditional counterparts. However, that solution relied on self-signed certificates, which generally should not be used from a security point of view.

I was triggered by a comment from one of my former colleagues, Jannick Oeben, who said:

In reply to Jannick, Philip Siems asked what steps would need to be done in order to use the Conditional Access method correctly:

First of all, I’d like to thank Jannick for his comment, and Philip for asking the “How?” question. They helped me discover a simpler and even more secure solution, which I would like to share with you today. This is a modified version of the earlier blog post, only now using Conditional Access instead of self-signed certificates for VPN connectivity.

Designing the Always On VPN solution

You’ll learn how to build an Always On VPN deployment leveraging the Azure and Endpoint Management platforms, without having to configure any server infrastructure. In a “traditional” Always On VPN deployment, you have to configure server roles such as:

  • Active Directory-based public key infrastructure (PKI) and Active Directory Certificate Services (AD CS)
  • Network Policy Server (NPS)
  • Routing and Remote Access Server (RRAS)

In this approach, you will deploy an Always On VPN consisting of only:

  • An Azure VPN Gateway (VpnGw1 SKU or higher, Basic is not supported)
  • Conditional access for VPN connectivity

The Always On VPN client configuration is then deployed to the devices with Microsoft Intune.

Scenario

Consider the following scenario:

  • You want to deploy an Always On VPN to an Azure VPN Gateway
  • You manage Azure Active Directory Joined devices with Microsoft Endpoint Manager (Intune)
  • You configure an Always On VPN User Tunnel, as Device Tunnel is not supported for Azure AD Joined devices. Only domain-joined devices support a Device Tunnel.

Design considerations

Branch office connectivity

If you need connectivity to branch offices, simply creating Site-to-Site VPN connections from the Azure VPN Gateway is insufficient. You will also need to configure BGP to enable routing from the clients to the branch offices.

Make sure your firewall(s) support IKEv2, route-based VPN tunnels, and BGP. For more information, visit Azure VPN Gateway: About P2S routing – Azure VPN Gateway | Microsoft Docs

Bandwidth

Note that the bandwidth consumed by Always On VPN (P2S) connections is shared with Site-to-Site VPN Connections on the same VPN gateway.

Max connections and pricing

Starting with VpnGw1, a maximum of 250 concurrent VPN connections is supported. The first 128 concurrent connections are included in the price; additional P2S connections are priced at $0.01/hour per connection. For a connection that is up 24/7, this results in additional costs of $0.01 * 24 hours * 30 days = $7.20 per month per connection. Therefore, in my opinion, this solution is intended for SMEs and not for large enterprise companies.

More information about VPN Gateways: VPN Gateway Pricing | Microsoft Azure

Always On VPN IKEv2 Features and Limitations

Be aware that IKEv2 comes with some operational challenges. For example, IKEv2 can be blocked, which prevents users from establishing a VPN connection on some networks. Richard Hicks has written a clear article about this on his blog: Always On VPN IKEv2 Features and Limitations | Richard M. Hicks Consulting, Inc. (richardhicks.com)

Configuring the Always On VPN

The configuration of the Always On VPN is divided into several configuration topics:

  • Create the Conditional Access VPN connectivity certificate
  • Configure the Azure VPN Gateway P2S VPN with the Conditional Access VPN connectivity certificate
  • Deploy the Always On VPN client configuration to the client machines with instructions to use Conditional Access

Create the Conditional Access VPN connectivity certificate

To use Conditional Access for VPN connectivity, you need to create and download a Conditional Access VPN certificate in the Azure Portal.

From the Microsoft docs:

When a user attempts a VPN connection, the VPN client makes a call into the Web Account Manager (WAM) on the Windows 10 client. WAM makes a call to the VPN Server cloud app. When the Conditions and Controls in the Conditional Access policy are satisfied, Azure AD issues a token in the form of a short-lived (1-hour) certificate to the WAM. The WAM places the certificate in the user’s certificate store and passes off control to the VPN client.

The VPN client then sends the certificate issued by Azure AD to the VPN for credential validation.

Create the Conditional Access VPN certificate using the procedure below:

  1. Sign in to your Azure portal as a global administrator.
  2. On the left menu, click Azure Active Directory.
  3. On the Azure Active Directory page, in the Manage section, click Security.
  4. On the Security page, in the Protect section, click Conditional Access.
  5. On the Conditional Access | Policies page, in the Manage section, click VPN Connectivity.
  6. On the VPN connectivity page, click New certificate.
  7. On the New page, perform the following steps:
     a. For Select duration, select either 1, 2 or 3 years.
     b. Select Create.

After creating the (first) Conditional Access VPN connectivity certificate, it automatically creates a ‘VPN Server’ Cloud application in your tenant that can be used to target a Conditional Access policy.

Download the base64 certificate. When you open the .CER file with Notepad, you’ll see something similar to the example below. You will configure the section highlighted in blue on the Azure VPN Gateway P2S configuration in the next step.

Configure the Azure VPN Gateway P2S VPN with the Conditional Access VPN connectivity certificate

If you haven’t deployed the Azure VPN Gateway yet, check out the tutorial to create and manage a VPN gateway. Assuming an Azure VPN Gateway is available, you’ll need to set up the Point to Site VPN configuration.

On the Azure VPN Gateway, navigate to the Point-to-site configuration. You will now configure the address pool, tunnel type, and authentication type.

If you don’t see tunnel type or authentication type on the Point-to-site configuration page, your gateway is using the Basic SKU. The Basic SKU does not support IKEv2 or RADIUS authentication. To enable these settings, you will need to update to at least a Standard gateway SKU.

  • Address pool: Enter an IP range in which the VPN clients will obtain an IP address when setting up a VPN connection.
  • Tunnel type: Select IKEv2
  • Authentication type: Select Azure certificate

In the previous step you exported the Conditional Access VPN (base64) certificate (.cer). Open it with Notepad and upload the blue highlighted text to the Azure Point-to-Site VPN configuration.

Click Save to finish the Point-to-Site configuration.

When the configuration is completed, click Download VPN client. In the .zip file, navigate to the Generic folder and open the VpnSettings.xml file in an editor of choice. Take note of the value in the <VpnServer> element, which is required to build the configuration for the VPN connection later. For example, this looks like: azuregateway-5a5b0069-386a-4254-90f2-c11c14cb4dc7-ddb9fa020695.vpn.azure.com

Deploy the Always On VPN client configuration to the client machines with instructions to use Conditional Access

Now that the VPN Gateway is deployed and the Conditional Access certificate is in place, it’s time to create the Intune configuration that deploys the Always On VPN connection to your client machines.

In the Microsoft Endpoint Manager Admin Center, create a new configuration profile.

  1. Select Windows 10 and later as platform.
  2. Select Templates as Profile type
  3. Create a new configuration profile based on the VPN template.

4. Enter a name for the configuration profile, e.g. Always On VPN, and click Next.

5. Expand the Base VPN section.

  • Connection name: Enter a name for the Always On VPN connection. This is how the VPN connection is displayed on the end user’s device.
  • Servers:
    • Enter the VPN server address you’ve collected earlier in the VpnSettings.xml file.
    • Enter a description for the VPN server.
    • Set the value for default server to true.
  • Connection Type: Select IKEv2.
  • Always On: Select Enable.
  • Remember credentials at each logon: Select Enable.
  • Authentication method: Select EAP.
  • EAP xml: Enter the EAP configuration shown below. For example, the basic EAP XML configuration below includes the logic to select the Azure AD Conditional Access certificate.

The VPN client needs to be provided with logic to select the Azure AD Conditional Access certificate. This is achieved by inserting the orange string (the <TLSExtensions> element) between the </AcceptServerName> and </EapType> tags.

EAP XML

<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>13</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
        <CredentialsSource>
          <CertificateStore>
            <SimpleCertSelection>true</SimpleCertSelection>
          </CertificateStore>
        </CredentialsSource>
        <ServerValidation>
          <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
          <ServerNames></ServerNames>
        </ServerValidation>
        <DifferentUsername>false</DifferentUsername>
        <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
        <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
        <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
          <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
            <EKUMapping>
              <EKUMap>
                <EKUName>AAD Conditional Access</EKUName>
                <EKUOID>1.3.6.1.4.1.311.87</EKUOID>
              </EKUMap>
            </EKUMapping>
            <ClientAuthEKUList Enabled="true">
              <EKUMapInList>
                <EKUName>AAD Conditional Access</EKUName>
              </EKUMapInList>
            </ClientAuthEKUList>
          </FilteringInfo>
        </TLSExtensions>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>

NOTE: Please note that WordPress messes up the XML formatting. Here’s a gist of the EAP XML with Conditional Access example: AOVPN EAP XML with Conditional Access (github.com)
  • Device Tunnel: Make sure that this is set to disable. Only a User tunnel is supported.
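
The EAP XML has to reach the Intune EAP xml field with plain ASCII quotes and with the Conditional Access EKU filter intact. The check below is an added example, not code from the original post or from Microsoft; `lint_eap_xml`, its finding levels and the cut-down sample profile are constructed here for illustration.

```python
import xml.etree.ElementTree as ET

NS = "http://www.microsoft.com/provisioning/"
V2 = "{" + NS + "EapTlsConnectionPropertiesV2}"
V3 = "{" + NS + "EapTlsConnectionPropertiesV3}"
CA_EKU_OID = "1.3.6.1.4.1.311.87"      # "AAD Conditional Access" EKU from the post's EAP XML
SMART_QUOTES = "\u201c\u201d\u2033"    # typographic quotes a blog editor swaps in for "

def lint_eap_xml(text):
    """Return (level, message) findings for an EAP-TLS profile; no 'error' entry means usable."""
    findings = []
    bad = sorted(set(text) & set(SMART_QUOTES))
    if bad:
        codes = ", ".join(f"U+{ord(c):04X}" for c in bad)
        findings.append(("error", f"typographic quotes in XML ({codes}); retype as ASCII quotes"))
        text = text.translate({ord(c): '"' for c in bad})  # normalise so later checks still run
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return findings + [("error", f"not well-formed XML: {exc}")]
    # EKUMapping declares name -> OID pairs; ClientAuthEKUList picks the names to filter on.
    oid_by_name = {m.findtext(V3 + "EKUName"): m.findtext(V3 + "EKUOID")
                   for m in root.iter(V3 + "EKUMap")}
    selected = set()
    for lst in root.iter(V3 + "ClientAuthEKUList"):
        if lst.get("Enabled") == "true":
            selected |= {n.text for n in lst.iter(V3 + "EKUName")}
    if CA_EKU_OID not in {oid_by_name.get(n) for n in selected}:
        findings.append(("error", "client certificate selection is not filtered on " + CA_EKU_OID))
    if (root.findtext(".//" + V2 + "PerformServerValidation") or "").strip() != "true":
        findings.append(("info", "PerformServerValidation is not true: EAP server certificate is not checked"))
    return findings

# Constructed sample: the post's profile cut down to the elements this check reads.
SAMPLE = (
    f'<EapHostConfig xmlns="{NS}EapHostConfig"><Config>'
    f'<Eap xmlns="{NS}BaseEapConnectionPropertiesV1"><Type>13</Type>'
    f'<EapType xmlns="{NS}EapTlsConnectionPropertiesV1">'
    f'<PerformServerValidation xmlns="{NS}EapTlsConnectionPropertiesV2">false</PerformServerValidation>'
    f'<TLSExtensions xmlns="{NS}EapTlsConnectionPropertiesV2">'
    f'<FilteringInfo xmlns="{NS}EapTlsConnectionPropertiesV3">'
    f'<EKUMapping><EKUMap><EKUName>AAD Conditional Access</EKUName>'
    f'<EKUOID>{CA_EKU_OID}</EKUOID></EKUMap></EKUMapping>'
    f'<ClientAuthEKUList Enabled="true"><EKUMapInList><EKUName>AAD Conditional Access</EKUName>'
    f'</EKUMapInList></ClientAuthEKUList></FilteringInfo></TLSExtensions>'
    f'</EapType></Eap></Config></EapHostConfig>'
)

if __name__ == "__main__":
    pasted = SAMPLE.replace('"', "\u201d")  # what a copy from a rendered blog page can look like
    for name, doc in (("clean", SAMPLE), ("pasted", pasted)):
        print(name, lint_eap_xml(doc))
```

The profile in this post produces one `info` finding, because it sets PerformServerValidation to false.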

6. Expand the Conditional Access section.

Set the Conditional Access for this VPN connection setting to Enable.

7. Expand the DNS Settings section.

  • DNS suffixes: Optionally add your domain’s DNS suffixes

8. Expand the Split Tunneling section

To prevent all traffic from going through the VPN, you can enable split tunneling so that only traffic to corporate networks is routed through the VPN connection. Below is an example to enable only traffic to your Azure Virtual Network subnet through the VPN.

  • Split tunneling: Enable
  • Split tunneling routes for this VPN connection:
    • Destination prefix: <Enter your Azure Virtual Network subnet>
    • Prefix size: <Enter your Azure Virtual Network subnet prefix size>

9. Expand the Trusted Network Detection section.

Client machines will automatically establish the Always On VPN connection on any network. By configuring Trusted network DNS suffixes, client machines can detect when they are on a trusted network and will not automatically establish a VPN connection on these networks.

  • Trusted network DNS suffixes: <Optionally add your domain’s DNS suffixes>

10. Create and assign the Always On VPN configuration to your users.

Optional: Configure a Conditional Access policy

Now that the Always-on VPN connection is configured with Conditional Access, the ‘VPN Server’ cloud application that was created when you generated the first Conditional Access VPN certificate can be targeted in Conditional Access policies.

Optionally, you can use the steps described in Configure the Conditional Access policy | Microsoft Docs to configure Multi-Factor Authentication, Require a compliant device, or use other conditions and controls to make the Always-on VPN accessible.

Result

When your client machines synchronize with Intune, the Always On VPN configuration profile will apply and clients will start to connect with the Azure VPN gateway.

With the Always On VPN connection established, it is now possible to reach corporate resources from any network.

20 thoughts on “How to deploy an Always On VPN to Azure VPN Gateway with Conditional Access”

  1. Great read. Do you know if it is possible to set a different user principal name on the short lived CA certificates in Azure? I am adopting this to an on-premises VPN solution, where UPN differs from the Azure one. Just can’t find where to modify it. I also considered moving the NPS to Azure, but that is a lot of work because of such a small detail.

  2. Anyone have any reference for the EAP XML, whenever I try to deploy Azure complains about it not being well formed XML

  3. Hello and thanks for this guide
    Though I have a problem with the EAP XML, I’m getting the error “Must be a well formed XML string”

  4. Thanks a lot – that helped.

    Now I just need to figure out why Endpoint manager reports it as failed when it’s applied.
    (Nothing happens on the client)

    And also, an option has changed – “Use this VPN profile with a user/device scope” do you apply to user or device?

  5. Thanks for this article, I am trying to configure this…
    Everything seems to be correctly configured, but Intune gives an error for the VPN configuration deployment, but I see the connection in Windows 11…
    But I cannot connect to the VPN, with the following error:

    the requested operation was not performed because the user was not authenticated.

    Is this working with Windows Hello for Business?
    When I try to connect, the email and password question pops up, but I get the same error message.

  6. Hi John,
    Thanks for this great article. I have followed your steps but the VPN profile is not deployed and the user can’t log in for the first time after the autopilot deployment is done. It said it can’t connect to the domain controller to sign in.
    What am I missing? Does your solution work at the pre-login or post-login stage?

  7. This deployment worked great, but we’re hoping to use this to create a secure internet connection for traveling clients with no onsite infrastructure (purely remote work). We’re not able to get internet connectivity through this connection, any idea what we need to do to make that happen?

  8. Hi John, Is it possible to deploy client configuration using .xml file instead of Intune? Thank you.

  9. Hi John,
    If you use Intune for client configuration, the configuration profile needs to be assigned to the users or devices? Thank you.

  10. Hi John,
    Does this method of authentication allow you to access on-premises resources if there is connectivity to on-premises services? Thank you and have a nice day.

    1. Hi Mariusz,

      Yes it does, but you have to make sure the connection between the on-premises environment and Azure is BGP enabled for the routes to propagate.

      Best regards,

      John.

  11. Is this configuration verified with Windows 11?
    Deploying this with Windows 10 works perfect.

    With Windows 11, we’re having issues: the VPN security properties are on “Microsoft Secure Password (EAP-MSCHAP v2)”.

    Deleting the VPN and resyncing the device does deploy the correct VPN.

    Not sure though if this is a permanent work-around.

    1. Hi Frust,

      I’ve noticed the same with Windows 11, however in my case it now seems to be fixed when deploying this to Windows 11 2022 Update (22H2) devices.

      Best regards,

      John

  12. Hey John,

    Really great article. Got it working right away with this guide. I do have one lingering question about the cipher suite used for the vpn connection.

    I noticed that the IKE proposals were skipped during configuration, but there is a lot of mentions of EAP TLS in the xml configuration. Do you know off hand what encryption is being used for the connection (TLS 1.2/3?) or links to any articles to read up on it?

    Greatly appreciate your time and the quality of your work.
