

NRPT for Always On VPN

Question

Thursday, February 20, 2020 3:41 PM

Hi There,

We are setting up an Always On VPN platform for our Windows 10 clients. We are defining the NRPT using Microsoft Intune to make sure that certain traffic, like web apps published over the internet via a proxy, Office 365 apps, Skype Online etc., is not routed over the VPN tunnel. In DirectAccess I can define the NRPT in the DA console by specifying an FQDN or DNS suffix and just leaving the DNS server blank, to make sure name resolution is not forwarded to the internal DNS servers but instead goes to the DNS server defined on the VPN client's local network interface. Does the same apply when defining the NRPT via Intune or VPNProfile.XML for AOVPN clients? Can I leave the DNS server field blank so that it contacts whatever DNS server is assigned on the VPN client's local network interface for name resolution? Or is it mandatory to specify some public DNS server?

Mahi

All replies (9)

Friday, February 21, 2020 5:25 PM ✅Answered | 1 vote

Yes, that's correct. The NRPT for Always On VPN works exactly as it does for DirectAccess. You can create exclusions by adding host names or domain names and leaving the DNS server entry blank. However, it is possible that those names could still be resolved by DNS servers over the VPN, which may not be desirable. In this scenario you would have to specify public DNS servers in the NRPT rule instead of leaving it blank.

Richard M. Hicks
Founder and Principal Consultant - Richard M. Hicks Consulting, Inc.
directaccess.richardicks.com


Friday, February 21, 2020 9:03 AM | 1 vote

Hi,

This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible.

I appreciate your patience.

If you have any updates during this process, please feel free to let me know.

Have a nice day!

Ellen

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Saturday, February 22, 2020 11:01 AM

Thanks for the quick answer.

Could you also clarify on the following?

We are going to deploy Always On VPN with both the Device Tunnel and User Tunnel features. We need VPN clients to connect to the corporate network automatically as soon as they are outside the network. I understand we can achieve this using 'Trusted Network Detection' and 'VPNv2/ProfileName/AlwaysOn' so that clients identify whether they are inside or outside the corporate network and trigger VPN connectivity automatically.

The question is, how does the User Tunnel automatically trigger connectivity when a VPN client has already established a Device Tunnel and 'Trusted Network Detection' can reach the DNS namespace via the Device Tunnel?

Mahi


Saturday, February 22, 2020 3:34 PM | 1 vote

The device tunnel and user tunnel can be configured to automatically connect by setting the value of AlwaysOn to 'true' (note the lower case 't'!). Trusted Network Detection can be configured so the VPN tunnels don't connect when they are on your internal network. Trusted Network Detection works by looking for a defined DNS suffix on any physical (non-virtual) adapter. This includes Ethernet, Wi-Fi, LTE, etc. IPv6 transition tunnel or VPN interfaces are excluded, so even if the device tunnel is up and has your internal DNS suffix assigned it will not prevent the user tunnel from connecting.

Richard M. Hicks
Founder and Principal Consultant - Richard M. Hicks Consulting, Inc.
directaccess.richardicks.com
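To tie the two answers together (NRPT exclusions with a blank DNS server entry, and AlwaysOn plus Trusted Network Detection), here is an added illustrative ProfileXML fragment; it is not from this thread, from Richard's site or from Microsoft's documentation. It uses the VPNv2 CSP element names AlwaysOn, TrustedNetworkDetection, DomainNameInformation, DomainName and DnsServers; the domain names, suffix and addresses are constructed placeholders, the authentication section is omitted, and the empty DnsServers element as the way to express an exclusion is an assumption based on Richard's answer above.

```xml
<VPNProfile>
  <!-- Constructed example: replace example.com values with your own -->

  <!-- Lower-case 'true', as noted above; applies to device and user tunnel -->
  <AlwaysOn>true</AlwaysOn>

  <!-- Trusted Network Detection: the tunnel does not connect while a
       physical adapter (Ethernet, Wi-Fi, LTE) carries this DNS suffix.
       VPN and transition-tunnel interfaces are ignored, so an established
       device tunnel with this suffix does not block the user tunnel. -->
  <TrustedNetworkDetection>corp.example.com</TrustedNetworkDetection>

  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <!-- <Authentication> ... </Authentication> omitted for brevity -->
  </NativeProfile>

  <!-- NRPT rule 1: internal namespace (leading '.' = suffix rule) is
       resolved by the internal DNS servers reachable over the tunnel -->
  <DomainNameInformation>
    <DomainName>.corp.example.com</DomainName>
    <DnsServers>10.10.0.10,10.10.0.11</DnsServers>
  </DomainNameInformation>

  <!-- NRPT rule 2: exclusion for an internet-published web app (no leading
       '.' = exact FQDN). Blank DnsServers: the query goes to the DNS server
       of the client's local physical interface, not over the VPN. -->
  <DomainNameInformation>
    <DomainName>webapps.example.com</DomainName>
    <DnsServers></DnsServers>
  </DomainNameInformation>

  <!-- NRPT rule 3: exclusion pinned to explicit public resolvers, for the
       case Richard describes where a blank entry could still be answered
       by DNS servers over the VPN. 203.0.113.53 is a documentation-range
       placeholder; substitute the public resolver you want to use. -->
  <DomainNameInformation>
    <DomainName>.saas.example.net</DomainName>
    <DnsServers>203.0.113.53</DnsServers>
  </DomainNameInformation>
</VPNProfile>
```

After the profile is applied, Get-DnsClientNrptPolicy on the client shows which rules are active and which name servers each namespace resolves against, which is the quickest way to confirm an exclusion is really bypassing the tunnel.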


Saturday, February 22, 2020 5:08 PM

Thanks a lot Richard for the clarification!!

Mahi


Tuesday, March 24, 2020 12:36 AM

Hi Richard,

We have an issue where the Always On VPN stays connected when the network changes from external to our internal network.
Testing on a Windows 10 1903 device, and confirmed that the VPN profile has TrustedNetworkDetection configured to our domain. A sign-out/restart fixes the issue.

Thanks

Anthony


Tuesday, March 24, 2020 12:54 AM

What version of Windows are you running? Also, when you move from the external network to the internal network, are you using the same network interface? Or are you switching from Wi-Fi to Ethernet (for example connecting to a docking station)?

Richard M. Hicks
Founder and Principal Consultant - Richard M. Hicks Consulting, Inc.
directaccess.richardicks.com


Tuesday, March 24, 2020 2:41 AM

We are running Windows 10 1903 and moving from a wired external network to the Wi-Fi adapter, and it is the same thing when the VPN connects via the wireless adapter and the laptop is then connected to the internal network using wired: it does not disconnect. But it does disconnect when I use an external wireless network and then connect to the internal wireless network, and the same for wired. So I am assuming it is not possible to disconnect the VPN without a reboot when going from wired external to the internal network via wireless?

Thanks


Tuesday, March 24, 2020 8:49 PM

You can use group policy to configure Windows 10 clients to prefer Ethernet over Wi-Fi and to force Wi-Fi connections to terminate when connected via Ethernet. Details here.

https://directaccess.richardhicks.com/2020/03/24/always-on-vpn-trusted-network-detection/

Richard M. Hicks
Founder and Principal Consultant - Richard M. Hicks Consulting, Inc.
directaccess.richardicks.com