Microsoft Always On VPN (IKEv2) with Intune and Azure AD

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure a Microsoft Always On VPN. The WatchGuard Firebox has a dual role as the firewall and the authenticator between Always On VPN, Network Policy Service, and Active Directory Domain Services.

Integration Summary

The hardware and software used in this guide includes:

  • Microsoft:
    • Windows Server 2016
    • Active Directory Domain Service
    • Active Directory Certificate Service
    • Routing and Remote Access Service (RRAS)
    • Network Policy Service (NPS)
    • Microsoft Intune
    • Microsoft Azure Active Directory (Azure AD)
    • Windows 10 computer
    • DHCP server
  • WatchGuard:
    • Firebox with Fireware v12.5 or higher

Topology

This diagram shows the topology for a Microsoft Always On VPN with Intune and Azure AD.

topology

Before you begin, make sure to install all the latest Windows updates for Windows Server 2016 and Windows 10.

Configure Your Firebox for Always On VPN

You must define two interfaces:

  • Perimeter network — Configured as a Trusted interface. This is the gateway for the Active Directory, CA, and Network Policy Service (NPS) servers.
  • Corporate network — Configured as an Optional interface. This is the gateway for the Routing and Remote Access service (RRAS) server.

Next, you must configure a DHCP server. You have these options:

  • Install the DHCP server role on your Active Directory Server. For more information, see the Microsoft documentation.
  • Configure the Firebox as a DHCP server.

To configure the Firebox as a DHCP server:

  1. Log in to Fireware Web UI.
  2. Select Network > Interfaces.

Screen shot of the Interfaces configuration

  3. Select the interface configured for your perimeter network and click Edit.
  4. On the IPv4 tab, in the Address Pool section, click Add.
    The Add Address Range dialog box appears.
  5. In the Starting IP text box, type the first IP address in your DHCP range.
  6. In the Ending IP text box, type the last IP address in your DHCP range.

firebox-add address range

  7. In the Default Gateway section, click Use the interface IP address.

firebox-add dhcp

  8. On the DNS/WINS tab, in the DNS Server text box, type the IP address of your DNS server and click Add.

firebox-add dns

Add a Policy

Next, you must add a policy for the traffic between the two interfaces. You have two options: a policy that specifies a list of required ports, or a simpler TCP/UDP proxy policy that does not specify port numbers.

To add a policy that specifies a list of required ports:

  1. On the Firebox, select Firewall > Firewall Policies > Add Policy.
  2. Select Custom and click Add.

Firebox policy settings

  3. Type a Name for this policy.
  4. In the Type section, select Proxy.
  5. Select TCP-UDP from the drop-down list.

firebox-add policy-2

  6. To add a Single port, click Add.
    The Protocol dialog box appears.
  7. Add the required TCP ports:
    1. From the Protocol drop-down list, select TCP.
    2. In the Server Port box, type 389 and click OK.
    3. To add another port number, click Add.
    4. Repeat these steps for TCP ports 636, 3268, 3269, 88, 53, 445, 25, 135, 5722, 464, 9389, 139, 80, and 4000.
  8. Add the required UDP ports:
    1. From the Protocol drop-down list, select UDP.
    2. In the Server Port box, type 389 and click OK.
    3. To add another port number, click Add.
    4. Repeat these steps for UDP ports 88, 53, 445, 123, 464, 138, 67, 2535, 137, 1645, 1646, 1812, and 1813.
  9. Click Save.
  10. From the Select a Proxy action drop-down list, select TCP-UDP-Proxy.
  11. Click Add Policy.

firebox-add policy-3

  12. In the From and To lists, click existing members and then click Remove.
  13. In the From and To lists, click Add.
    The Add Member dialog box appears.
  14. Select the perimeter interface and click OK.
  15. Repeat Steps 13–14 to add the corporate interface.

firebox-add policy-4

Because the RRAS server is in a DMZ and the internal network is considered safe, you can instead add a simpler policy for the traffic.

To add a TCP/UDP proxy policy that does not specify port numbers:

  1. On the Firebox, select Firewall > Firewall Policies > Add Policy.
  2. Select Custom and click Add.
  3. Type a Name for this policy.
  4. In the Type section, select Proxy.
  5. Select TCP-UDP from the drop-down list.
  6. In the From and To fields for the policy, add both interfaces.

firebox-add policy-5

Configure Your Always On VPN

Configure the Active Directory Domain Service

On your Microsoft 2016 server:

  1. Select Server Manager > Tools > Active Directory Users and Computers.
    The Active Directory Users and Computers console appears.
  2. Select Action > New > Group.
  3. Create new groups for NPS server, RRAS server, and VPN users. In our example, we create the groups NPS-Servers, VPN-Servers, and VPN-Users.
  4. Add your servers and users to the appropriate groups.

ad-add group

Always On VPN requires local administrative privileges. You can either add the VPN users to a Domain Admins group or add them to the local Administrators group in Windows 10.

Configure the Certificate Authority

The NPS server, the RRAS server, and VPN users require different certificates. You must create three new certificate templates and issue new certificates from them.

Configure VPN Users Template

  1. On the Microsoft Active Directory Certificate Services (AD CS) server, select Server Manager > Tools > Certification Authority.
    The certserv console appears.
  2. Expand your CA and right-click Certificate Templates.
  3. Select Manage.
    The Certificates Template Console appears.

ca-manage

  4. From the Template Display Name list, right-click User and select Duplicate Template.
    The Properties of New Template dialog box appears.

ca-duplicate user

  5. On the General tab, in the Template Display Name and Template Name text boxes, specify a name for this template.
  6. Clear the Publish certificate in Active Directory check box.
  7. On the Compatibility tab, from the Certification Authority drop-down list, select Windows Server 2016 and click OK.
  8. From the Certificate Recipient drop-down list, select Windows 10 / Windows Server 2016 and click OK.

ca-user-compatibility

  9. On the Request Handling tab, clear the Allow private key to be exported check box.
  10. On the Cryptography tab, from the Provider Category drop-down list, select Key Storage Provider.
  11. Select Requests must use one of the following providers.
  12. From the Providers list, select Microsoft Platform Crypto Provider and Microsoft Software Key Storage Provider.

ca-user-cryptography

  13. On the Security tab, click Add and add the VPN-Users group.
  14. For the VPN-Users group, select Read, Enroll, and Autoenroll.
  15. Remove the Domain Users group.

ca-user-security

  16. On the Subject Name tab, clear the Include e-mail name in subject name check box.
  17. Click OK.
  18. In the certserv console, from the Certification Authority list, right-click Certificate Templates.
  19. Select New > Certificate Template to Issue.
  20. Select the certificate template that you created.

ca-issue user

Configure the NPS Server Template

  1. On the Microsoft Active Directory Certificate Services (AD CS) server, select Server Manager > Tools > Certification Authority.
    The certserv console appears.
  2. Expand your CA and right-click Certificate Templates.
  3. Select Manage.
    The Certificates Template Console appears.
  4. From the Template Display Name list, right-click RAS and IAS Server and select Duplicate Template.
    The Properties of New Template dialog box appears.
  5. On the General tab, in the Template Display Name and Template Name text boxes, specify a name for this template.
  6. Clear the Publish certificate in Active Directory check box.
  7. On the Compatibility tab, from the Certification Authority drop-down list, select Windows Server 2016 and click OK.
  8. From the Certificate Recipient drop-down list, select Windows 10 / Windows Server 2016 and click OK.
  9. On the Security tab, click Add and add the NPS-Servers group.
  10. For the NPS-Servers group, select Read, Enroll, and Autoenroll.
  11. Remove RAS and IAS Server.

cert temp-nps-security

  12. Click OK.
  13. In the certserv console, from the Certification Authority list, right-click Certificate Templates.
  14. Select New > Certificate Template to Issue.
  15. Select the certificate template that you created.

Configure the VPN Server Template

  1. On the Microsoft Active Directory Certificate Services (AD CS) server, select Server Manager > Tools > Certification Authority.
    The certserv console appears.
  2. Expand your CA and right-click Certificate Templates.
  3. Select Manage.
    The Certificates Template Console appears.
  4. From the Template Display Name list, right-click RAS and IAS Server and select Duplicate Template.
    The Properties of New Template dialog box appears.
  5. On the General tab, in the Template Display Name and Template Name text boxes, specify a name for this template.
  6. Clear the Publish certificate in Active Directory check box.
  7. On the Compatibility tab, from the Certification Authority drop-down list, select Windows Server 2016 and click OK.
  8. From the Certificate Recipient drop-down list, select Windows 10 / Windows Server 2016 and click OK.
  9. On the Extensions tab, select Edit.
    The Edit Application Policies Extension dialog box appears.
  10. Click Add.
  11. From the Application Policies list, select IP Security IKE Intermediate and click OK > OK.

add ipsec ike

  12. On the Security tab, click Add to add the VPN-Servers group.
  13. For the VPN-Servers group, select the Read and Enroll privileges. You must supply the certificate CN and DNS name in the request, which is why you should not select Autoenroll.
  14. Remove RAS and IAS Servers.

cert-temp-vpn-security

  15. On the Subject Name tab, select Supply in the request.
  16. In the certserv console, from the Certification Authority list, right-click Certificate Templates.
  17. Select New > Certificate Template to Issue.
  18. Select the certificate template that you created.

Configure the Group Policy

You must create group policies for domain machines to get certificates automatically enrolled.

  1. On your domain controller, select Server Manager > Tools > Group Policy Management.
    The Group Policy Management console appears.
  2. From the Domains list, right-click your domain name and select Create a GPO in this domain.
    The New GPO dialog box appears.

create gpo

  3. Specify a name for the GPO.
  4. Right-click the new policy you created and click Edit.
    The Group Policy Management Editor appears.

edit gpo

  5. Select Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  6. From the Object Type list, right-click Certificate Services Client – Auto-Enrollment and select Properties.

gpo-computer-auto-property

  7. From the Configuration Model drop-down list, select Enabled.
  8. Select Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates.
  9. Click OK.
  10. Create a new GPO for User Certificate Auto Enrollment, then right-click it and select Edit.
  11. Select User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  12. Right-click Certificate Services Client – Auto-Enrollment and select Properties.

gpo-user-auto-property

  13. From the Configuration Model drop-down list, select Enabled.
  14. Select Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates.
  15. Click OK.

After the group policies are applied, NPS has an auto-enrolled certificate. When a user logs in to the Windows 10 computer, a new certificate for the user is created automatically.

Check Certificates

  1. On the NPS server, run certlm.msc.
  2. Select Personal > Certificates. The NPS certificate should appear.

nps-check-cert2

  3. On a Windows 10 computer, log in as a user who is a member of the VPN-Users group.
  4. From a command prompt, type mmc to start the Microsoft Management Console.

win10-check-cert1

  5. Select File > Add/Remove Snap-in > Certificates > Add > My User Account > Finish and click OK.

win10-check-cert2

  6. Select Certificates - Current User > Personal > Certificates. The user's certificate is enrolled.

win10-check-cert3

  7. On the RRAS server, from a command prompt, type certlm.msc to open the management console.
  8. Right-click Certificates and select All Tasks > Request New Certificate.
    If you do not have a Certificates folder, right-click Personal.

rras-request-cert1

  9. Select Next > Next.
  10. For the VPN-Servers template, click More information is required to enroll for this certificate. Click here to configure settings.

rras-request-cert3

  11. In the Subject Name section, from the Type drop-down list, select Common Name.
  12. In the Value text box, type the private DNS name of the RRAS server. When you joined the domain with the internal interface, the host name was registered in the DNS server. Specify that name here.
  13. In the Alternative name section, from the Type drop-down list, select DNS.
  14. In the Value text box, type the public domain name.
  15. Click OK.

rras-request-cert4

  16. Select the VPN-Servers template and then select Enroll > Finish.
    The corresponding certificate appears.

rras-request-cert5
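Because the VPN-Servers template uses Supply in the request, it is easy to end up with a certificate that enrolls fine but that IKEv2 clients reject (wrong CN, missing DNS SAN, or missing IP security IKE intermediate EKU). The following PowerShell check, added here and not part of the WatchGuard guide, runs on the RRAS server after step 16 and reports which certificate in the computer store satisfies every requirement. The host names are placeholders that you replace with the values typed in steps 12 and 14; it assumes Windows PowerShell 5.1, where the certificate provider exposes EnhancedKeyUsageList.

```powershell
# Added check (not from the guide): confirm the RRAS server holds a certificate
# usable for IKEv2 before clients try to connect.
$PrivateName = 'rras01.corp.example'   # placeholder: CN typed in the request
$PublicName  = 'vpn.example.com'       # placeholder: DNS alternative name typed in the request

# EKUs the VPN-Servers template should have produced
$OidServerAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication (inherited from RAS and IAS Server)
$OidIkeInter   = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate (added on the Extensions tab)

function Test-IkeServerCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekus = @($Cert.EnhancedKeyUsageList | ForEach-Object ObjectId)
    # 2.5.29.17 is the Subject Alternative Name extension; Format($false) renders "DNS Name=..."
    $san  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        HasPrivateKey = $Cert.HasPrivateKey
        ServerAuthEku = ($ekus -contains $OidServerAuth)
        IkeInterEku   = ($ekus -contains $OidIkeInter)
        CnMatches     = ($Cert.Subject -like "CN=$PrivateName*")
        SanHasPublic  = ($sanText -match [regex]::Escape($PublicName))
        NotExpired    = ($Cert.NotAfter -gt (Get-Date))
        ChainValid    = $Cert.Verify()   # builds the chain to a trusted root on this machine
    }
}

$results = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-IkeServerCert $_ }
$results | Format-Table -AutoSize

$good = $results | Where-Object {
    $_.HasPrivateKey -and $_.ServerAuthEku -and $_.IkeInterEku -and
    $_.CnMatches -and $_.SanHasPublic -and $_.NotExpired -and $_.ChainValid
}
if (-not $good) {
    Write-Warning 'No certificate in LocalMachine\My meets every IKEv2 server requirement; re-check the VPN-Servers template and the request.'
} else {
    Write-Host "Usable IKEv2 server certificate(s): $($good.Thumbprint -join ', ')"
}
```

The public name check matters because the Windows 10 client (later steps) must see the name it dials in the certificate; a failure there shows up as an IKE authentication error on the client, not on the server.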

Configure Network Policy Service

To configure NPS:

  1. On your NPS server, select Server Manager > Tools > Network Policy Server.
  2. Right-click NPS (Local) and select Register server in Active Directory.
  3. Click OK.

register in nps

  4. Expand RADIUS Clients and Servers and right-click RADIUS Clients.
  5. Select New.

nps-new radius client

  6. Type a Friendly name, IP address, and Shared secret.
    Make sure to record the shared secret because you need it later in the configuration.

configure radius client

  7. In the Network Policy Server console, click NPS (Local).
  8. In the Standard Configuration section, make sure that RADIUS server for Dial-Up or VPN Connections is selected.
  9. Click Configure VPN or Dial-Up.

configure vpn

  10. Select Virtual Private Network (VPN) Connections and then click Next.

select vpn

  11. Make sure the RADIUS client you created appears in the list.
  12. Click Next.

specify vpn server

  13. Select Extensible Authentication Protocol.
  14. Clear the Microsoft Encrypted Authentication version 2 (MS-CHAPv2) check box.
  15. From the Type drop-down list, select Microsoft: Protected EAP (PEAP).
  16. Click Configure.

configure peap

  17. Remove the default EAP types.
  18. Click Add and select Smart Card or other certificate.
  19. Click OK > OK.

add smart card

  20. Click Next and then click Add to add the VPN-Users group that you created.
  21. Click Next.

specify user groups

  22. Keep the default settings, click Next, and then click Finish.
  23. Verify that your Connection Request Policies appear as follows:

confirm connection request policy

  24. Verify that your Network Policies appear as follows:

confirm network policy

Configure Routing and Remote Access Service

In our example, the RRAS configuration is based on the Deploy VPN only deployment option with a custom configuration that enables VPN access.

  1. On the RRAS server, select Server Manager > Tools > Routing and Remote Access.
  2. Right-click the server name and click Properties.

vpn-properties

  3. On the IPv4 tab, keep Dynamic Host Configuration Protocol (DHCP) selected.
  4. From the Adapter drop-down list, select the internal interface of the RRAS server that connects to your Firebox.

vpn-ipv4

  5. On the Security tab, from the Authentication provider drop-down list, select RADIUS Authentication and click Configure.

vpn-security

  6. Click Add to add a RADIUS server.
    The Add RADIUS Server dialog box appears.
  7. Specify the IP address of your NPS server.
  8. Click Change.
    The Change Secret dialog box appears.
  9. Specify and confirm the shared secret you recorded when you configured the RADIUS client on NPS.
  10. Click OK > OK > OK.
  11. Repeat the same operations for the Accounting provider and click OK.
  12. Expand your server and right-click Ports.

rras port properties

  13. Select Properties.
  14. Select WAN Miniport (SSTP) and click Configure.
    The Configure Device dialog box appears.
  15. Clear the Remote access connections (inbound only) check box and click OK.

rras-configure-protocols

  16. Repeat Steps 14–15 for the other devices in the list except IKEv2. After you finish, only IKEv2 should be configured to accept inbound requests.

Configure a VPN Connection on the Windows 10 Computer

Before you begin, make sure the Windows 10 computer is part of your corporate network.

  1. Log in to a Windows 10 computer with a user account that is a member of the Domain Admins group or the Administrators group on the local machine.
  2. In the Windows search text box, type VPN to open the VPN connection settings.

win10-open-vpn

  3. Click Add a VPN connection.

win10-vpn

  4. From the VPN provider drop-down list, select Windows (built-in).
  5. In the Connection name text box, specify a friendly name for the VPN connection.
  6. In the Server name or address text box, type the external IP address of the RRAS server. The IP address must match the DNS record in the certificate.
  7. From the VPN type drop-down list, select IKEv2.
  8. From the Type of sign-in info drop-down list, select User name and password.
  9. Keep all other default settings and click Save.

win10-vpn profile

  10. Select Control Panel > Network and Internet > Network Connections.
  11. Right-click the VPN connection and click Properties.

win10-adapter

  12. On the Security tab, from the Type of VPN drop-down list, select IKEv2.
  13. From the Data encryption drop-down list, select Maximum strength encryption.
  14. In the Authentication section, select Use Extensible Authentication Protocol (EAP).
  15. From the EAP drop-down list, select Microsoft: Protected EAP (PEAP).

win10-vpn-property-security

  16. Click Properties.
    The Protected EAP Properties dialog box appears.
  17. In the text box, type the FQDN of your NPS server.
  18. Select your root CA certificate.
  19. Select Don’t ask user to authorize new servers or trusted CAs.
  20. From the Select Authentication Method drop-down list, select Smart Card or other Certificate.

win10-vpn-peap-property

  21. Click Configure.
  22. Select Use a certificate on this computer.
  23. In the text box, type the FQDN of your NPS server.
  24. Select your root CA certificate.
  25. Select Don’t ask user to authorize new servers or trusted CAs.
  26. Click OK > OK > OK.

win10-vpn-smartcard-property

  27. Move the Windows 10 computer out of the internal network. The VPN connects automatically.

win10-connected

Configure Intune

Intune is a cloud-managed service center that can push implementations to registered devices. In our example, we use Intune to push VPN profiles to Windows 10 computers.

  1. To obtain profile information from the manually added VPN connection on the Windows 10 computer, open PowerShell as administrator and run these commands:

    $vpn = Get-VpnConnection -Name "<Your VPN connection name>"
    $vpn.EapConfigXmlStream.InnerXml | Out-File -FilePath "<file save path>\eapconfig.xml" -Encoding ASCII

    These commands write an eapconfig.xml file that you use to configure the VPN profile in Intune. We recommend that you write the XML to a file; if you copy it from the PowerShell console, you may lose some data. The .xml file must be well formed; if it is not, we recommend that you use the XML Formatter tool to format it.
  2. Register your computer in Intune and follow these steps:
    1. Make sure you have an Enterprise Mobility + Security E5 license or another license that allows the computer to be managed from Intune.
    2. Assign the license to a user account that you will use later.
  3. Log in to the Azure AD portal and follow these steps:
    1. Go to your AAD tenant.
    2. In the Manage section, click Mobility (MDM and MAM).
    3. Click Microsoft Intune.

intune-console

  4. Select an MDM user scope. In our example, we select All.
  5. Make sure the values are as follows:
    MDM terms of use URL: https://portal.manage.microsoft.com/TermsofUse.aspx
    MDM discovery URL: https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
    MDM compliance URL: https://portal.manage.microsoft.com/?portalAction=Compliance
  6. Keep the default MAM settings and click Save. This configuration allows users to register with Intune.

intune-mdm

  7. Log in to the Intune Management Console.
  8. Select Devices.
  9. In the Policy section, select Configuration profiles and click Create profile.

Intune-console

  10. From the Platform drop-down list, select Windows 10 and later.
  11. From the Profile drop-down list, select VPN and click Create.

intune-profile-1

  12. For the Basics step, type a Name and click Next.

intune-profile-2

  13. For the Configuration settings step, expand Base VPN.
  14. Type a Connection name for the VPN.
  15. In the Servers section, specify your RRAS server information. Make sure to specify a public IP address or FQDN that Azure can resolve.
  16. Configure this server as the Default server.
  17. From the Connection type drop-down list, select IKEv2.
  18. Enable Always On and Remember credentials at each logon.
  19. From the Authentication method drop-down list, select EAP.
  20. In the EAP XML text box, copy and paste the content of the eapconfig.xml file.
  21. To use Split Tunnel, expand Split Tunneling and configure the settings. For example, specify the network 10.0.0.0/8.
  22. Click Next.

intune-profile-3

  23. For the Assignments step, you can assign the profile to specific groups. In our example, from the Assign to drop-down menu, we select All users.
  24. Click Next.

intune-profile-4

  25. Keep the default setting for Applicability Rules and click Next.
  26. Review the configuration and then click Create.
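The EAP XML exported in the first step of this procedure and pasted into the profile is the only place the Intune-pushed connection learns which NPS name and root CA to trust, so it is worth checking before it is deployed tenant-wide. The following PowerShell script, added here and not part of the WatchGuard guide, exports the XML the way the guide recommends (to a file, not the console), confirms it is well formed, and checks that it describes PEAP with an inner Smart Card or other certificate method pointed at your NPS server. The connection name, NPS FQDN and output path are placeholders; the element paths are assumed from the EapHostConfig XML that Windows produces for PEAP connections.

```powershell
# Added example (not from the guide): export and sanity-check the EAP configuration
# of the manually created IKEv2 connection before pasting it into Intune.
$ConnectionName = 'Corp Always On VPN'   # placeholder: the name used in Add a VPN connection
$NpsFqdn        = 'nps01.corp.example'   # placeholder: FQDN typed into the PEAP properties
$OutFile        = "$env:USERPROFILE\eapconfig.xml"

$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
if (-not $vpn.EapConfigXmlStream) { throw "Connection '$ConnectionName' is not configured for EAP." }

# Write to a file rather than copying from the console, which can truncate long lines.
$vpn.EapConfigXmlStream.InnerXml | Out-File -FilePath $OutFile -Encoding ASCII

# Re-parse the file: the [xml] cast fails on anything that is not well formed,
# which is exactly what Intune rejects.
try { [xml]$eap = Get-Content -Path $OutFile -Raw } catch { throw "eapconfig.xml is not well-formed XML: $_" }

# Element paths assumed from the EapHostConfig schema; PowerShell's XML adapter
# ignores namespaces, so plain dot navigation works across the nested namespaces.
$outerType   = $eap.EapHostConfig.EapMethod.Type        # 25 = PEAP
$peap        = $eap.EapHostConfig.Config.Eap.EapType     # PEAP settings block
$innerType   = $peap.Eap.Type                            # 13 = EAP-TLS ("Smart Card or other certificate")
$serverNames = [string]$peap.ServerValidation.ServerNames
$rootCa      = ($peap.ServerValidation.TrustedRootCA -join ' ')

$checks = [ordered]@{
    'Outer method is PEAP (25)'             = ($outerType -eq '25')
    'Inner method is EAP-TLS (13)'          = ($innerType -eq '13')
    "PEAP server validation names $NpsFqdn" = ($serverNames -like "*$NpsFqdn*")
    'Trusted root CA thumbprint present'    = (-not [string]::IsNullOrWhiteSpace($rootCa))
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-42} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($checks.Values -contains $false) {
    Write-Warning "Fix the VPN connection properties and re-export before pasting $OutFile into Intune."
} else {
    Write-Host "eapconfig.xml at $OutFile is ready to paste into the EAP XML text box."
}
```

If a check fails, correct the connection on the Windows 10 computer (the Security tab and PEAP properties from the previous section) rather than editing the XML by hand, so the exported file stays consistent with a connection that is known to work.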

Test the Integration

  1. On a Windows 10 computer, select Settings > Accounts > Access work or school.
  2. To connect to Intune, click Connect. Intune registers the computer.

win10-account

  3. In the pop-up window that appears, authenticate with a licensed AAD user. You are connected to Intune.
  4. Click the MDM profile and then click Info.

win10-mdm-info

  5. Click Sync.

win10-sync

  6. After the synchronization completes, the VPN connection profile is pushed to the computer. You can use the VPN profile to connect.

win10-connected-pushed

A remediation error appears in the Intune admin portal even though the profile is pushed to the Windows 10 computer successfully. For more information, see 2016281112 (Remediation Failed) error in a custom VPN profile in the Intune admin portal in the Microsoft documentation.