This is the second part of the series about the Windows 10 AlwaysOn VPN solution. In the first part, which you can find here, I described how to set up the infrastructure for the AlwaysOn VPN solution. The infrastructure which is described in that blogpost is a prerequisite for this blogpost. This blogpost will focus on the configuration needed to add AzureAD Conditional Access to the solution. With AzureAD Conditional Access we add a great set of capabilities to control who can connect to the VPN solution and which conditions the user must meet before the connection can be made. In this blogpost I configure the first scenario and that is enforcing a Multi-Factor authentication request before the VPN connection can be activated.
Before we start with configuring the infrastructure and the AlwaysOn VPN solution I want to show you how this AzureAD Conditional Access flow will work together with the AlwaysOn solution. I’m using the same image as from the first blogpost and I just added the AzureAD Conditional Access part:
So with adding AzureAD Conditional Access to the AlwaysOn VPN flow an additional check will be done against AzureAD and if the device is compliant based on the Conditional Access policy an certificate will be enrolled to the device which will be used to authenticate against RRAS and NPS. Without this certificate the user cannot authenticate against the RRAS/NPS server and no connection can be made. Let’s now start with the configuration, the configuration consists of three steps:
- Generate the AzureAD Conditional Access certificate and configure the Infrastructure to trust this certificate;
- Configure the AlwaysOn VPN connection so it’s include the DeviceCompliance section to enable the Conditional Access flow
- Create an Conditional Access policy for the VPN connections.
Let’s start with the first part:
Generate the AzureAD Conditional Access certificate and configure the Infrastructure to trust this certificate:
- Go to https://portal.azure.com and open the Azure Active Directory section
- Go to Conditional Access and open the ‘VPN Connectivity (preview)’ section and click on ‘New Certificate’
- A new certificate is created. Click on ‘Download certificate’ to download the certificate
- Copy the downloaded certificate to your RRAS and NPS server;
- Import the certificate to the ‘Trusted Root Authentication Authorities’ in the Local Computer store of the RRAS server(s);
- On the NPS Server execute the following commands to import the certificate in the Active Directory Certification section in your Active Directory:
certutil -dspublish VpnCert.cer RootCA
certutil -dspublish VpnCert.cer NtAuthCA
Configure the AlwaysOn VPN connection so it’s include the DeviceCompliance section to enable the Conditional Access flow:
Now we’ve configured the Infrastructure the next step is to configure the AlwaysOn VPN configuration. In the first part I used Intune and a single ProfileXML to deploy the AlwaysOn VPN configuration to my MDM managed clients. In this ProfileXML you have to add the following XML code to enable the Conditional Access part in the AlwaysOn connection:
Create an Conditional Access policy for the VPN connections:
The last part of the configuration is creating the Conditional Access policy for the AlwaysOn VPN connections. Go back to the Conditional Access section in the Azure Portal.
- Go to Policies and click on ‘New Policy’
- Fill in the Policy name and go to the Users and Groups section and select the VPN Users group:
- In the Cloud Apps section select VPN Server as application:
- In the Access Controls section select Require Multi-Factor authentication to enforce a MFA request when connecting the AlwaysOn VPN
- Now enable and save the policy;
Now let’s check how this will look like on the Windows 10 client:
When I click on connect the following screen will appeared (Enforcing Conditional Access – MFA request):
After doing the MFA request the following screen appeared:
and finally a connected AlwaysOn VPN connection:
After the connection has been made you can check the certificate provided by AzureAD Conditional Access for connecting to the VPN infrastructure:
More information about the Windows 10 AlwaysOn VPN solution together with AzureAD Conditional Access can be found here:
In the last part of this series I will discuss some additional scenarios with AzureAD Conditional Access and the AlwaysOn VPN solution.