This is the second part of the series about the Windows 10 AlwaysOn VPN solution. In the first part, which you can find here, I described how to set up the infrastructure for the AlwaysOn VPN solution. The infrastructure described in that blogpost is a prerequisite for this one. This blogpost focuses on the configuration needed to add AzureAD Conditional Access to the solution. With AzureAD Conditional Access we add a great set of capabilities to control who can connect to the VPN solution and which conditions the user must meet before the connection can be made. In this blogpost I configure the first scenario: enforcing a Multi-Factor Authentication request before the VPN connection can be activated.
Before we start configuring the infrastructure and the AlwaysOn VPN solution I want to show you how the AzureAD Conditional Access flow works together with the AlwaysOn solution. I’m using the same image as in the first blogpost, with the AzureAD Conditional Access part added:
So by adding AzureAD Conditional Access to the AlwaysOn VPN flow, an additional check is done against AzureAD, and if the device is compliant with the Conditional Access policy a certificate is enrolled to the device, which is then used to authenticate against RRAS and NPS. Without this certificate the user cannot authenticate against the RRAS/NPS server and no connection can be made. Let’s now start with the configuration, which consists of three steps:
- Generate the AzureAD Conditional Access certificate and configure the infrastructure to trust this certificate;
- Configure the AlwaysOn VPN connection so it includes the DeviceCompliance section that enables the Conditional Access flow;
- Create a Conditional Access policy for the VPN connections.
Let’s start with the first part:
Generate the AzureAD Conditional Access certificate and configure the Infrastructure to trust this certificate:
- Go to https://portal.azure.com and open the Azure Active Directory section
- Go to Conditional Access and open the ‘VPN Connectivity (preview)’ section and click on ‘New Certificate’
- A new certificate is created. Click on ‘Download certificate’ to download the certificate
- Copy the downloaded certificate to your RRAS and NPS server;
- Import the certificate into the ‘Trusted Root Certification Authorities’ store in the Local Computer store of the RRAS server(s);
- On the NPS server execute the following commands to publish the certificate to the certificate containers (RootCA and NtAuthCA) in your Active Directory:
certutil -dspublish VpnCert.cer RootCA
certutil -dspublish VpnCert.cer NtAuthCA
Note: if the above commands fail due to an LDAP/permission error, add the -f switch to the command to force creation of the entry.
Configure the AlwaysOn VPN connection so it includes the DeviceCompliance section that enables the Conditional Access flow:
Now that we’ve configured the infrastructure, the next step is to configure the AlwaysOn VPN connection. In the first part I used Intune and a single ProfileXML to deploy the AlwaysOn VPN configuration to my MDM-managed clients. To enable the Conditional Access part of the AlwaysOn connection you have to add the following XML code to this ProfileXML:
true
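As an added example (not code from the original post), the following PowerShell script loads the ProfileXML deployed in part 1, adds the DeviceCompliance section when it is missing, and validates the result before it is pasted back into Intune. The path in $ProfilePath is a hypothetical one, and the element names DeviceCompliance/Enabled are taken from the VPNv2 CSP ProfileXML schema rather than from the post, which only shows the value true.

```powershell
# Added example, not part of the original post. $ProfilePath is an assumed
# location of the ProfileXML exported in part 1 of the series.
$ProfilePath = 'C:\Temp\AlwaysOnVPN-ProfileXML.xml'

function Enable-DeviceCompliance {
    # Mutates the supplied XmlDocument in place (reference type), so no return
    # value is needed and nothing is accidentally unrolled by the pipeline.
    param([Parameter(Mandatory)][xml]$Doc)

    $root = $Doc.DocumentElement
    if ($root.LocalName -ne 'VPNProfile') {
        throw "Expected a <VPNProfile> root element, found <$($root.LocalName)>"
    }

    # Reuse an existing DeviceCompliance element; otherwise append a new one.
    $dc = $root.SelectSingleNode('DeviceCompliance')
    if ($null -eq $dc) {
        $dc = $Doc.CreateElement('DeviceCompliance')
        [void]$root.AppendChild($dc)
    }
    $enabled = $dc.SelectSingleNode('Enabled')
    if ($null -eq $enabled) {
        $enabled = $Doc.CreateElement('Enabled')
        [void]$dc.AppendChild($enabled)
    }
    $enabled.InnerText = 'true'   # the value shown in the post
}

function Test-DeviceComplianceEnabled {
    # Returns $true only when the section is present and switched on.
    param([Parameter(Mandatory)][xml]$Doc)
    $node = $Doc.SelectSingleNode('/VPNProfile/DeviceCompliance/Enabled')
    return ($null -ne $node -and $node.InnerText -eq 'true')
}

# The [xml] cast fails fast if the profile is not well-formed XML.
[xml]$doc = Get-Content -Path $ProfilePath -Raw
Enable-DeviceCompliance -Doc $doc
if (-not (Test-DeviceComplianceEnabled -Doc $doc)) {
    throw 'DeviceCompliance section was not written correctly'
}
$doc.Save($ProfilePath)
Write-Host "DeviceCompliance enabled in $ProfilePath"
```

Run the script on the RRAS/NPS-facing ProfileXML before re-uploading it to the Intune VPN profile; it is idempotent, so running it twice leaves a single DeviceCompliance element.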
Create a Conditional Access policy for the VPN connections:
The last part of the configuration is creating the Conditional Access policy for the AlwaysOn VPN connections. Go back to the Conditional Access section in the Azure Portal.
- Go to Policies and click on ‘New Policy’
- Fill in the Policy name and go to the Users and Groups section and select the VPN Users group:
- In the Cloud Apps section select VPN Server as application:
- In the Access Controls section select Require Multi-Factor Authentication to enforce an MFA request when connecting the AlwaysOn VPN;
- Now enable and save the policy.
Now let’s check how this looks on the Windows 10 client:
When I click on connect the following screen appears (enforcing Conditional Access: MFA request):
After completing the MFA request the following screen appeared:
and finally a connected AlwaysOn VPN connection:
After the connection has been made you can check the certificate provided by AzureAD Conditional Access for connecting to the VPN infrastructure:
More information about the Windows 10 AlwaysOn VPN solution together with AzureAD Conditional Access can be found here:
https://docs.microsoft.com/en-us/windows/access-protection/vpn/vpn-conditional-access
In the last part of this series I will discuss some additional scenarios with AzureAD Conditional Access and the AlwaysOn VPN solution.