Implementing Microsoft Remote Access Server / VPN Server End to End Solution: Configuring Azure Multi Factor Authentication (MFA) for VPN connection - Part 4

Posted by Ahmed Nabil | 1 comments»
In part 1,2 and 3 of this series we discussed the VPN role and its step by step installation, configuration, integration with the RADIUS server and the VPN client configuration with the main common problems from the client side

For more information, please check Part 1, 2 and 3 from this series.

In this final post we will be adding to our solution the Multi factor Authentication using Azure MFA On-premise server. The MFA will add an extra security layer instead of depending only on the User name/Password. We will be using the model of something you know (Which is your password) + something you have (which is your device - Cell phone)

If you have Azure Active Directory Premium or Enterprise Mobility suite (EMS) then you already have the Azure MFA included. For more details on Azure MFA licensing and pricing, please check the below link

Installing and Configuring Azure MFA On-Premise Server

  1. Log in to your Azure Portal - Active Directory - Multi factor Authentication Providers. If you have a provider you can directly manage it however if not as in our case you need to create an Authentication Provider                                                                                                                                                               
  2. Creating one is very easy Wizard as shown below however you have to make one important decision regarding the License model (Check above link for licensing)                                                                                                                                                                                                     
  3. After Creating the provider you will be directed to the Azure Multi Factor Authentication page where you can find downloads and pick the one that suites your environment (In our case i am installing it on 64 Bit Windows server 2016).                                                                                                                                                                                              
  4. I will pick the 2012 R2 version since the 2016 wasn't available at that time and generate the activation codes. Please note this activation code will last for 10 minutes only to enter it in the MFA installation wizard later, if you took more than 10 minutes before you reached the Wizard part requiring it then you will get an error. Don't panic, all you need to do is come back here and generate a new code.                                                                                                                                                                                                              
  5. Launch/Run the downloaded file, it will require couple of components and updates to be installed as shown below (Prerequisites).                                                                                                                                                                                                             

  6. Go ahead and select the installation folder (You can safely have it in the default location)                                                                                                                                                                                                              
  7. After Installation, it will launch the configuration page - Click Next and add the activation code you copied from step 4                                                                                                                                                                                                                
  8. The next option will be which service you need to apply MFA ? In our case we are applying it on the VPN service. This is is a very critical step, we will add here the VPN Server IP address and shared secret (You can use the one we used before with RADIUS). Now the VPN server Security was previously configured pointing to the RADIUS server, we need now to change it in VPN server to point to the MFA server (as if its the RADIUS server) and the MFA will connect on behalf of it to the RADIUS server.                                                                                                                                                                                                                                                                                                                                                                                 Check Part 2 of this series to add the MFA server instead of the RADIUS server directly and also check Part 2 on how to add a new RADIUS client (This time it will be the MFA server). So previously VPN server contact RADIUS directly, now Its VPN to MFA to RADIUS.                                                                                                                                                                                                                       
  9. Add the RADIUS server IP. Again remember the MFA is a broker now receiving requests from VPN (claiming to be RADIUS) and then contacting the real RADIUS.                                                                                                                                                                                                                                  
  10. After finalizing the Wizard, open the Azure MFA Server application located on the Start Window and click on Users.                                                                                                                                                                                                                   
  11. Pick any user to enable the MFA.  Add the Phone number and pick the MFA method (Phone call, Text, Mobile App....etc.) and then click on Enabled.                                                                                                                                                                               
  12. Make sure that the user Account in Active Directory - Dial In Tab                                                                                                                                                                                             Network Access Permission = Allow                                                                                             Call Back Options = Set by Caller (RRAS)                                                                                                    
  13. In the Azure MFA server Application - Click on Radius Authentication. On the Client you should have the IP address of the VPN server and on the Target you should have the RADIUS server IP.                                                                                                                                                                                                                                            
By that you are ready to turn on to your client and connect your VPN and it won't sign you until you pick your phone and press the # key to complete authentication.

Through this 4 blog posts, i tried to detail each and every step with screen shots to make sure nothing is missed, Hopefully you enjoyed this series and you will try the VPN solution on your devices especially the portable ones (Tablets and phones).

See you on the next post.

Implementing Microsoft Remote Access Server / VPN Server End to End Solution: Configuring VPN On Windows 10 Client - Part 3

Posted by Ahmed Nabil | 0 comments»
In part 1 and 2 of this series we discussed the VPN role and its step by step installation, configuration and integration with the RADIUS server

For more information, please check Part 1 and 2 from this series.

In this part we will be discussing the Client side and how to setup the VPN on Windows machines (Screen shots will be on Windows 10 machine) and common issues after installation.

VPN Client Configuration:

  1. On a windows 10 computer, open the Setting - Network and Internet - VPN and Add a VPN connection                                                                                                                                                                                                    
  2. Connection type will be Windows (built-in) and you can pick any name for the connection name. The server name/address should be the FQDN that you have HTTPS traffic directed on your network. This name should match the name of the SSL certificate you bought and configured during the VPN (Security TAB - Please check Part 2). We will be using in our scenario SSTP as agreed (we only allowed HTTPS). Sign-in will be using Username/Password and remove the check box to remember my sign-in.                                                                                                                                                                                                         
  3. One common issue after the user gets VPN connected being unable to connect to normal Internet sites (Google, Microsoft) because all traffic is now pushed through the VPN tunnel (Your machine looks as if its inside the domain) so if you have proxy server in your network then you need to add it to your browser. A quick fix is split tunneling where all corporate traffic go through the VPN and normal Internet traffic from your normal Wireless or Home connection.                                                                                                                                                                                                                                                                                                 In order to do this you need to go to the Network connections and get the properties of the newly created network (Test VPN in our case) - Properties - IPV4 - Advanced and remove the check box of "Use default gateway on remote network" - Check below screen shots                                                                                                                                                                                                             
  4. Now you are ready and the user can double click the Test VPN from the VPN tab in the settings or from the Wireless connections and enter his/her user name and password. Make sure to enter it in the format domain\username (remember this is Home computer or work group device with no information on your domain.)                                                                                                                                                                                                          
At that point your VPN status should be connected and you are ready to access your corporate resources, applications and data.

Frequently asked questions (FAQ):

  • I can't map any share or RDP to my client/Server ?
We need always to remember that this VPN connected machine is a work group machine which is not connected or joined to your domain. Always use FQDN when connecting to resources (There is no default DNS suffix on the client and we even can't push it by Group Policy).

For example: RDP to Not just computer name. Also map the share in FQDN as \\\share. Everything should be in FQDN. Ping by either IP or FQDN.

If you can't ping by IP or FQDN a corporate resource then its not reachable (No route on the VPN server) - Remember the internal NIC of the VPN server has no Gateway. Make sure to add the route first to all resources/VLANs on the VPN server (Manually using Route Add Command).

  • I can't map or access my DFS root shares ?
This is a very tricky situation. Logically this is normal since DFS is based on Active Directory domain structure and the VPN is a work group client who cann't connect to the domain controller and get the Server referral.

The solution is configuring the DFS to use FQDN in Referrals because its normal behavior is to reply to queries in Net BIOS names only.

To fix this issue you need to follow the below article

Example: Your DFS server "Server01" with DFS Root "RootShare" and all users access it using \\\RootShare

Remove-DfsnRootTarget -TargetPath \\Server01\RootShare
Set-DfsnServerConfiguration -ComputerName -UseFqdn $true

Stop-Service dfs
Start-Service dfs
New-DfsnRootTarget -Path \\\RootShare -TargetPath \\\RootShare

This should cover most of the issues the VPN/Work group users face while connected. Hopefully you enjoyed this part and stay tunes for our last part with the Azure Multi Factor Authentication.