Hmm, I actually thought about task scheduler at one point but as I recall I couldn’t find a way to determine the proper gateway for the route. The CMAK connectoid does that with cmroute.dll and knows what the connection looks like. I’ll revisit and see what I can find now that I have some new tools available.

Thanks

--
There are 10 kinds of people in the world... those who understand binary and those who don't.
¯\_(ツ)_/¯

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Tuesday, November 14, 2017 2:18 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Looking for a global VPN solution - looking for input

The 2.0.0.0 is the module version of VpnClient.

On Windows 10, Add-VpnConnectionRoute doesn’t require admin privs. Add-VpnConnection also allows you to specify SplitTunneling when you create a VPN, which is (in my experience) the real reason you want to add a route 95% of the time.

If you aren’t running Windows 10, you can use task scheduler to execute an admin task “on an event” to adjust routes.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: Tuesday, November 14, 2017 1:48 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Looking for a global VPN solution - looking for input

Interesting. I actually tried using rasdial at some point to do this instead of doing CMAK connectoids but could never make it work. We actually managed to make RRAS work with NAP in our setup via CMAK, which I couldn’t reproduce. BTW, everyone we’ve talked to, including multiple Microsoft partners, said that isn’t possible. And I guess with Windows 10 they’ve made it true since they no longer provide a way to do health checks.

What version of PS is required to support those? Am I correctly reading that as 2.0?

And while I’m on the subject, does this method provide a way to modify the route tables which doesn’t require admin access? That’s actually one of our pain points at the moment.

--
There are 10 kinds of people in the world... those who understand binary and those who don't.
¯\_(ツ)_/¯

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Tuesday, November 14, 2017 1:16 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Looking for a global VPN solution - looking for input

That was true prior to 1703, unless you wrote your own packager. It isn't any longer. The AVPN PowerShell cmdlets are now public:

[inline screenshot image001.jpg of the AVPN PowerShell cmdlets; image not preserved]

And if you want to do this BEFORE 1703, you just use rasdial.exe and a triggered task in Task Scheduler. That works all the way back to Win7. Win8 added Add-VpnConnection, which made it possible to easily distribute VPN configurations. In Win7, you had to use registry propertybags.

I admit that there is a tendency to only use what is “obviously in the box” but neither Intune nor SCCM do anything “magic”. With a bit of vbscript/powershell/wmi – you can almost (almost) always duplicate the functionality.

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: Tuesday, November 14, 2017 11:45 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Looking for a global VPN solution - looking for input

Multiple articles during my initial, but granted brief, research indicated one of those was required. Not having any exposure to it I reverted to my trusted source, the list, to confirm or debunk. :)

https://social.technet.microsoft.com/Forums/azure/en-US/0dccbf52-89ae-4109-902d-5e7393e171d5/difference-between-microsoft-directaccess-and-windows-10-autovpn?forum=forefrontedgeiag
https://social.technet.microsoft.com/Forums/en-US/561434df-b71d-46fe-bd95-8456b5cde7bb/configure-auto-vpn?forum=win10itpronetworking

Either way, with our current population of W7 and W8 machines it'll take us a while to convert completely so we're dealing with at least 2 solutions for now. Although I guess AVPN is really just a configuration mechanism for whatever solution/s you use.

--
There are 10 kinds of people in the world... those who understand binary and those who don't.
¯\_(ツ)_/¯

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Tuesday, November 14, 2017 10:47 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Looking for a global VPN solution - looking for input

AVPN doesn't require Azure or SCCM. Why do you think so?

Intune and SCCM make it EASIER to deploy VPN policies (especially when it comes to versioning). But it can all be done with GPOs and login scripts (for Windows devices). You do require some MDM for mobile/BYOD deployments, whether it's Intune, AirWatch, MobileIron, or <flavor-of-the-month>.

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: Tuesday, November 14, 2017 10:33 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Looking for a global VPN solution - looking for input

All fair points. However it appears that AVPN requires either Azure or SCCM, neither of which are in the mix for us. NAP is gone in Windows 10 anyway, so that's already hit us in our current RRAS config. As for the rest, they are actually aligned with preferences for us so that may be a good thing.

All that said, we have a really bad history of picking Microsoft solutions for connectivity and then having them go away. So far that's included UAG, NAP+RRAS, so I'm not optimistic that either DA or AVPN will be any different, the question is time frame. Unfortunately convincing management that other solutions are actually cost effective as compared to the "FREE" Microsoft solution and are actually viable.

Thanks for the feedback. Maybe it will help me make my case this time around. :)

--
There are 10 kinds of people in the world... those who understand binary and those who don't.
¯\_(ツ)_/¯

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Tuesday, November 14, 2017 10:10 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Looking for a global VPN solution - looking for input

Well, NAP is gone in 2016, so DA can't use it (and that kills it right there for a lot of environments). WIP doesn't work with DA. DA is not xplat. DA requires domain join (thus it isn't suitable for mobile devices, contractors, and work-from-home - at this point, MSFT estimates that a third of corporate data access is from mobile/BYOD - and growing). A couple of the claim-based auth methods don't work with DA because they won't force the tunnel to open (e.g., Azure Conditional Access doesn't work with DA). Microsoft Hello doesn't work with DA.

A key indicator - Microsoft has switched to AVPN from DA.

Here are a couple of posts:

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/directaccess/DirectAccess-Unsupported-Configurations
https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-map-da

I have no insider knowledge. I just came across these facts while working on a refresh for 70-697. I think it's pretty clear that DA is on the way "out".

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: Tuesday, November 14, 2017 6:41 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Looking for a global VPN solution - looking for input

Can you elaborate on the 2016 functionality issues?

--
There are 10 kinds of people in the world... those who understand binary and those who don't.
¯\_(ツ)_/¯

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Monday, November 13, 2017 9:08 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Looking for a global VPN solution - looking for input

So.... just a data point to consider.

Microsoft is kinda moving away from DirectAccess. Many of the security functionalities added in Server 2016 won't work with DA. Instead you need to be using their Automatic VPN. The endpoint isn't very relevant, although they push RRAS.

For example, WIP doesn't work properly with DA. Only with AVPN.

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
Sent: Monday, November 13, 2017 8:19 PM
To: ntsysadm
Subject: Re: [NTSysADM] Looking for a global VPN solution - looking for input

Arg - that should be "seeking commercial services"..

And, once I bring recommendations, it might well be that we just fall back to a DirectAccess server in each office, with or without a multi-site configuration, potentially with an SSP VPN appliance also at each office for backup and contractors, and call it good.

Kurt

On Mon, Nov 13, 2017 at 5:03 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
> I'm not sure either, but that's the task I've been given - not
> necessarily to implement at this stage, but to scope out the
> alternatives and come up with some possibilities.
>
> It's also why I'm seeing recommendations on commercial services, so
> that our implementation requirements are minimized.
>
> Kurt
>
> On Mon, Nov 13, 2017 at 4:38 PM, Joseph L. Casale
> <jcas...@activenetwerx.com> wrote:
>> I've done a lot of openvpn setups in a myriad of formats, site to site, hub
>> and spoke, client etc.
>> It works well and there are even some lesser documented features that do
>> some neat stuff but you are now rolling your solution and marinating it
>> manually.
>> Not sure how well that will scale unless you have a skilled team.
>>
>>> -----Original Message-----
>>> From: listsad...@lists.myitforum.com
>>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>>> Sent: Monday, November 13, 2017 5:22 PM
>>> To: ntsysadm <NTSysADM@lists.myitforum.com>
>>> Subject: [NTSysADM] Looking for a global VPN solution - looking for
>>> input
>>>
>>> All,
>>>
>>> 1) For staff, currently we're using DirectAccess on 2012R2 as our
>>> primary conduit in the US, with SSL VPNs (SonicWall and Palo Alto
>>> Global Protect) as primary for our overseas offices and secondary
>>> for the US (Sonicwall).
>>>
>>> 2) In the US office, we also have contractors/consultants needing to
>>> use our SSL VPN for access to various resources, and that will
>>> likely expand to our overseas offices soon. Differentiation and
>>> securing resources is even more important here than in 1).
>>>
>>> 3) We also stand up IPSec tunnels for vendors/partners as needed
>>> (lab to lab), for interoperability/compatibility testing.
>>>
>>> We're looking to get into a solution that will take care of at least
>>> the first two (and ideally the third as well), so that we don't have
>>> so many platforms to support, and so that we can make sure that
>>> staff in the field get the fastest connection available.
>>>
>>> I've taken a quick gander at the websites for vyprvpn (Golden Frog),
>>> and OpenVPN (commercial client offering), but don't have much of an
>>> opinion on them, as info about them is a bit thin.
>>>
>>> Anyone have experience with solutions like this, and care to comment?
>>>
>>> Thanks,
>>>
>>> Kurt
>>>
>>
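The two route-management approaches Michael B. Smith describes in the thread (a split-tunnel profile built with Add-VpnConnection plus Add-VpnConnectionRoute on Windows 10, and an elevated task triggered by a RasClient event for clients without those cmdlets), worked through as an added PowerShell example. This is editor-added code, not from any poster or from Microsoft; the connection name, server address, destination prefixes, script path and task name are placeholders, and the script assumes the RasClient "successfully connected" event (Application log, event ID 20225) and that a PPP tunnel interface, whose alias equals the connection name, accepts on-link routes via New-NetRoute (Windows 8 and later):

```powershell
# Added example (not from the thread). Part 1 needs only user rights on
# Windows 10; Part 2 needs admin rights once, to register the task.

$ConnectionName = 'Corp-VPN'                              # placeholder profile name
$ServerAddress  = 'vpn.example.com'                       # placeholder gateway FQDN
$CorpPrefixes   = @('10.10.0.0/16', '192.168.50.0/24')    # constructed sample prefixes

# ---- Part 1: Windows 10 profile with split tunneling ----
# With -SplitTunneling only traffic for prefixes routed via the profile enters
# the tunnel; everything else leaves by the local default gateway. The host is
# reachable from both networks while connected, so keep the prefix list to what
# really needs the corporate path and review it when the network changes.
if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnectionName `
        -ServerAddress $ServerAddress `
        -TunnelType Ikev2 `
        -AuthenticationMethod MachineCertificate `
        -EncryptionLevel Required `
        -SplitTunneling `
        -RememberCredential
}

# Add-VpnConnectionRoute stores the prefix in the profile (rasphone.pbk); the
# route is installed only while the connection is up and points at the tunnel
# interface itself, so no gateway address has to be discovered by the script.
foreach ($prefix in $CorpPrefixes) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix -ErrorAction SilentlyContinue
}

# Show the resulting profile; the configured prefixes are listed in its output.
Get-VpnConnection -Name $ConnectionName | Format-List Name, ServerAddress, TunnelType, SplitTunneling, Routes

# ---- Part 2: fallback for clients without Add-VpnConnectionRoute ----
# An elevated scheduled task fires on the RasClient "connected" event (assumed:
# Application log, event ID 20225) and adds the routes through the tunnel
# interface. On a point-to-point (PPP) interface the next hop is on-link, so
# the interface alias, which equals the connection name, is all that is needed.
$RouteScript = 'C:\ProgramData\CorpVpn\Add-CorpVpnRoutes.ps1'   # placeholder path
New-Item -ItemType Directory -Path (Split-Path $RouteScript) -Force | Out-Null

@"
`$alias = '$ConnectionName'
# Only act when this specific tunnel is up; other RAS connections are ignored.
if (Get-NetIPInterface -InterfaceAlias `$alias -AddressFamily IPv4 -ErrorAction SilentlyContinue) {
    foreach (`$p in @('$($CorpPrefixes -join "','")')) {
        if (-not (Get-NetRoute -DestinationPrefix `$p -InterfaceAlias `$alias -ErrorAction SilentlyContinue)) {
            # ActiveStore only: the route disappears with the interface on disconnect.
            New-NetRoute -DestinationPrefix `$p -InterfaceAlias `$alias -PolicyStore ActiveStore | Out-Null
        }
    }
}
"@ | Set-Content -Path $RouteScript -Encoding ASCII

# Register the event-triggered task (runs as SYSTEM with highest privileges).
# The XPath filter restricts the trigger to RasClient's connected event.
schtasks.exe /Create /F /TN 'CorpVpn-AddRoutes' /RU SYSTEM /RL HIGHEST `
    /SC ONEVENT /EC Application `
    /MO "*[System[Provider[@Name='RasClient'] and EventID=20225]]" `
    /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$RouteScript`""
```

Part 2 keeps the route script in a directory that standard users cannot write to; since the task runs as SYSTEM, a user-writable script path would let any local user run arbitrary code as SYSTEM on every VPN connect, so the ACL on that path matters as much as the task definition.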