Steven M. Jordan

NPS Extension Certificate Error

2023-06-05T12:49:00.000-05:00

Problem:

The NPS Azure AD Extension creates a self-signed certificate that is valid for two years. This certificate must be renewed!

The renewal process is simple enough:

PS C:\Program Files\Microsoft\AzureMfa\Config
> .\AzureMfaNpsExtnConfigSetup.ps1

PowerShell Error:

This error implies the package source 'https://www.powershellgallery.com/api/v2 is not reachable or resolved.

Fix:

Windows 2016, 2019, and up natively support TLS 1.2. However, you might still need to update the .NET framework and cryptography. At a minimum, manually enable TLS 1.2:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

That's it!

GPO Slow Link Detection

2019-11-19T18:13:00.001-06:00

GPOs don't work on the VPN?

Problem:

Branch office or managed laptops are missing group policies.

Definition: Group Policy Slow Link Detection

Slow-link detection identifies slow connections: Slow transfer rates or high latency. This process can trigger applications to scale back feature and function. For example, slow link detection may interfere with distributed file systems (DFS). In other situations, slow link detection can prevent remote workstations from receiving GPO updates.

Background:

Wide-spread high-speed Internet connections (e.g., 100 Mbps) were uncommon before c. 2009. Older network protocols were less efficient (e.g., SMB2 vs SMB3). Slow-link detection was designed to compensate for poor connections. This legacy process continues to impact modern network services (e.g., Windows 2019).

Group Policy Slow Link Detection:

Connection rates are measured between the domain controllers and the client. Group policy changes are not distributed when this transfer rate is less than 500 kbps.

500 kbps may seem reasonable -but it's not.

Solution:

Disable slow link detection:

GPO: Policies\Administrative Templates\System\Group Policy\Slow Link Detection

Options: Enable this policy.

Enter 0 to disable slow-link detection.
Alternately, set high connection speed rate (e.g., 10000 Kbps is ~10 Mbps).

That's it!

References:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc978717(v=technet.10)

Set the Network Location

2019-07-31T17:09:00.002-05:00

How to Assign Active Network Location with PowerShell.

Step 1: Identify networks and associated NICs.

Get-NetConnectionProfile

Name             : domain.com

InterfaceAlias   : Ethernet (Domain)

InterfaceIndex   : 1

NetworkCategory  : DomainAuthenticated

IPv4Connectivity : Internet

IPv6Connectivity : NoTraffic



Name             : Unidentified network

InterfaceAlias   : RDMA

InterfaceIndex   : 2

NetworkCategory  : Public

IPv4Connectivity : NoTraffic

IPv6Connectivity : NoTraffic

The above examples shows two NICs that belong to two different networks.

Step 2. Change the NetworkCategory:

Set-NetConnectionProfile -InterfaceIndex 13 -NetworkCategory Private

This example changes the active network for the NIC named RDMA. The network location changed from Public to Private. Confirm with Get-NetConnectionProfile.

That't It!

References:

https://docs.microsoft.com/en-us/powershell/module/netconnection/get-netconnectionprofile?view=win10-ps

Transfer FISMO Roles with PowerShell

2019-05-09T14:23:00.000-05:00

Problem:

How to use PowerShell commands to transfer FISMO roles?

Solution:

Active Directory PowerShell module.

Assumptions:

FISMO PowerShell management requires Active Directory PowerShell module.

Import-Module ActiveDirectory

Example 1. Show forest FSMO roles (forest):

PS> Get-ADForest contoso.com| ft DomainNamingMaster, SchemaMaster

Example 2. Show domain FSMO roles (domain):

PS> Get-ADDomain contoso.com | ft InfrastructureMaster, PDCEmulator, RIDMaster

Example 3. Transfer single role to a domain controller.

PS>; Move-ADDirectoryServerOperationMasterRole -Identity "DCX" PDCEmulator

#N.B., PowerShell FISMO role names:

0= PDCEmulator
1= RIDMaster
2= InfrastructureMaster
3= SchemaMaster
4= DomainNamingMaster

Example 4. Transfer multiple roles.

Move-ADDirectoryServerOperationMasterRole -Identity “DCX” –OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster

Example 5: Transfer all roles with numbers:

Move-ADDirectoryServerOperationMasterRole “DCX” –OperationMasterRole 0,1,2,3,4

Example 6. Transfer FSMO roles between domain controllers:

Move-ADDirectoryServerOperationMasterRole

That's It!

References:

https://docs.microsoft.com/en-us/powershell/module/addsadministration/move-addirectoryserveroperationmasterrole?view=win10-ps
https://blogs.technet.microsoft.com/canitpro/2017/05/24/step-by-step-migrating-active-directory-fsmo-roles-from-windows-server-2012-r2-to-2016/

Domain Controller Preference Order

2018-07-16T17:45:00.001-05:00

Outline:

How to configure locator preferences for domain controllers (DCs). How to set priority and weight on domain controllers. Force clients to consistently connect to the same domain controller.

Problem:

Clients connect to different DCs within the same site. IPv4 DNS server search has no effect on this random behavior.

Solution:

(a) Assign priority and weights to DNS SRV-records via GPO (i.e., registry changes);

(b) Or, change subnet topology for simple DC Subnet Prioritization;

Assumptions:

All DCs are located within the same Active Directory (AD) site.

Domain Controller Priority within a Site

Domain DNS SRV-records assign priority and weight values that determine DC preference. Clients connect to the domain controller (DC) with the lowest priority value. By default, priority for all DCs is set to zero. For example, assume a site has two DCs:

· DC-X with a priority of 0 (i.e., preferred).
DC-Y with a priority of 2.

In this example, Windows clients connect to DC-X because it has the lowest priority value. Clients only connect to DC-Y when DC-X is unavailable (e.g., maintenance).

Domain Controller Weights

What happens when all the DCs share the same priority? In this situation, DC preference is determined by SRV-record weight values. Unlike priority, clients prefer higher weight values over lower values.

What happens if all DCs have the same weight values? By default, DCs weight value is set to 100. Clients connect round-robin when all DCs use the same priority and weight values.

What happens when same-site DCs have the same priority and different weight values? Weight is not absolute. Weight is proportionate. In other words, clients may disproportionately connect to any available DC.

Clients are more likely to connect to DCs with higher weights. Clients are less likely to connect to lower weights DCs. Weight preference uses a simple formula: DC weight (i.e., single server) divided by the sum of all DCs weights:

For Example, assume three DCs within a single AD site (Table 1):

Table 1
Determine domain controller preference based on weights.

Domain Controller	Priority (Default)	Weight	Formula	Connection Odds
DC10	0	10	10/(10+20+30) = 10/60 = 1/6	17%
DC20	0	20	20/(10+20+30) = 20/60 = 2/6	33%
DC30	0	30	30/(10+20+30) = 30/60 = 1/2	50%

Note: This assumes client and domain controllers reside in the same site and use the same priority values.

DC Preference Configuration

Set priority and weight via the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Create new 32-bit DWORDs:
LdapSrvWeight
LdapSrvPriority
Assign DC priority and weight values.
Restart the NETLOGON service to publish to SRV records

Subnet Prioritization

Clients prefer to connect to DCs on the same IP subnet. For example, let’s say we have a single AD site. This site consists of one Windows 10 client and two DCs (Table2):

Table2
Subnet Prioritization

Host	Priority	Weight	IP address	Preferred DC
WIN-10			192.168.1.1/24
DC-X	0	100	192.168.1.100/24	Yes
DC-Y	0	100	192.168.2.100/24	No

Note: All hosts reside in the same AD site. DC01 and DC02 use default weight and priority values.

In this situation, all hosts belong to the same AD-site. Both DCs have the same preference values (i.e., default). WIN-10 and DC-X belong to the same IP subnet. However, DC-Y resides on a separate IP subnet. DC-X is the preferred DC. Clients only connect to DC-y when DC-X is unavailable (e.g., maintenance).

Additional Thoughts:

I recommend minimal registry changes –especially to DCs. Implement priority and weight changes with caution. Also consider, registry changes can be difficult to troubleshoot. Therefore, it’s prudent to push these changes out via GPO.

Subnet Prioritization seems to be the simplest approach. That is, if you’re comfortable with internetworking. Simply create a new gateway. Add routes. Assign the subnet to the second DC. Done.

That’s It!

References:

https://blogs.msmvps.com/acefekay/2010/01/03/the-dc-locator-process-the-logon-process-controlling-which-dc-responds-in-an-ad-site-and-srv-records/

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc733142(v=ws.10)

http://techgenix.com/domain-controllers-weight-priority/

https://www.blackmanticore.com/1a64083f14eccc1d32a755a850c2ea3d

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772592%28v%3dws.10%29

Fix Shutdown Event Tracker in RDP

2018-07-10T20:38:00.002-05:00

Problem:

How to disable the unexpected shutdown prompt for remote desktop users. The remote desktop server (RDS) displays the shutdown tracker warning after patching updates. This shutdown error causes confusion and unnecessary help desk calls.

Solution:

Remove local\Users group permissions from shutdown.exe: c:\windows\system32\shutdown.exe

Both local administrators and local users, have read and execute permissions, on this system file. Remove the local user group in order to hide unwanted shutdown messages. Also note, this change may require ownership changes from the Trusted Installer to the local administrator group.

That's It!

SRX: How to Copy & Paste in JUNOS

2018-06-23T22:31:00.001-05:00

Problem:

How copy and paste configuration text with Juniper SRX.

Solution:

Paste text into the config with the "load replace terminal" command.

Return to the router prompt with either CTRL-D or ^D.

Example:

root@SRX# load replace terminal    
[Type ^D at a new line to end input]
interfaces 
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                    address 192.168.1.2/24;
            }
        }
    }
}
load complete
[edit]
root@SRX# commit

That's It!

SSH Between SRX Nodes

2018-06-23T21:53:00.001-05:00

Problem:

How to SSH from Node0 to Node 1 within a Juniper SRX cluster.
How to connect from the primary node to the secondary node.

Solution:

SRX 300 Series:

{primary:node0}
smj@SRX> request routing-engine login node 1
SRX 1500 Series:

smj@SRX% rlogin -T node1

That's It!

How to Setup a Virtual Smart Card

2018-06-22T17:29:00.000-05:00

Fun with Virtual Smart Cards!

Outline:

Steps on how to enable a virtual smart card.

Assumptions:

Virtual smart cards require a computer with an initialized TPM. N.B., Windows 10 initializes the TPM by default.

Virtual Smart Card Configuration:

tpmvscmgr.exe create /name VSC /pin prompt /puk prompt /adminkey random /generate

Reset the Virtual Smart Card:

tpmvscmgr.exe destroy /instance root\smartcardreader\0000

PINs, PUKs, and Keys:

Smart Card Personal Identity Number (PIN). The PIN is essentially a password. The PIN can be changed by the end user from any domain computer:

CRTL-ALT-Delete → Change Password → Change PIN.
Smart Card Personal Unlock Key (PUK). Windows locks the PIN after three unsuccessful attempts. End users can use their PUK to unblock their PIN:

CRTL-ALT-Delete → Change Password → Unblock Smart Card.

The PUK is optional but I recommend it. It's simply too easy to lock the PIN!

The PUK changes the PIN. Keep the PUK safe and only use it when its absolutely necessary.

In addition, Windows does not include native tools to change the PUK. In order to choose a new PUK, the virtual smart card must first be deleted (i.e., destroyed) and then recreated. Of course, this process deletes all certificates on the smart card.
Admin Key. The key benefit to the admin key is that it allows Administrators to generate certificate keys for enrolling-on-the-behalf of others. Organizations that do not use enrollment stations should simply generate a random admin key.

References:

https://docs.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started

Quickly Uninstall Single KB Update

2018-05-08T07:01:00.000-05:00

Problem:

Uninstalling Windows Updates is a pain in the neck!

The Windows Update GUI provides a long list of KB updates.
Updates are organized by date and not by KB numbers.
It lacks a built-in search function!

Figure 1. Windows Update History:
No search for you (CRL+F)! :(

Solution:

Use the command line to search and uninstall specific updates.

List installed patches:

wmic qfe list

Uninstall specific patch:

wusa /uninstall /kb:xxxxx

That's It!

Container Does Not Exist on the Smart Card

2018-05-07T20:33:00.000-05:00

T-Shoot Yubikey Minidriver

Problem:

RDP fails to authenticate Yubikey smart card.

Error:

The requested key container does not exist on the smart card (Figure 1).

Figure 1. Smart card container error.

Assumptions:

Yubikey runs as PIV smart card.
Smart card has multiple authentication certificates.
Certificates reside on slots 81-95.

Solution:

By default, Windows uses the NIST SP 800-73 PIV smart card driver. Multiple certificates require the Yubikey smart card Minidriver. Install this driver on both the client and the server.

Important:

The Yubikey smart card MSI package does not install the Minidriver on remote servers or virtual machines. Nor does it provide an error.

The MSI installer only works when a smart card is directly connected (e.g., workstation).

To reiterate, the MSI package only updates the NIST driver when a smart card is attached to the local USB port.

Instead, use the Yubikey limited INF installer on VMs or via RDP.

Figure 2. How to Install the Yubikey Minidriver.

Right-click on ykmd.inf. Left-click on install. That's It!

Fix Chrome Extensions in RDP

2018-02-23T18:17:00.000-06:00

Problem:

RDP users cannot install Chrome extensions from the Chrome Web Store.

Errors:

Could not install package
COULD_NOT_GET_TEMP_DIRECTORY

Figure 1: Chrome Temp Directory Error

Solution:

User logs onto RDP. User does not open Chrome.
Admin creates a new directory on the system drive. This new directory holds user Chrome AppData. For example: c:\\mkdir c:\Temp\RDP\
Move user’s Chrome AppData to the new directory. For example:
c:\move "c:\users\stevenjordan\AppData\Local\Google\Chrome" "c:\temp\RDP\stevenjordan\"
Delete original folder if necessary.
Create new symbolic junction where the old data was located. This junction links to the new location:


c:\mklink /j c:\users\stevenjordan\AppData\Local\Google\Chrome\
"c:\temp\RDP\stevenjordan\Chrome\"

Junction created for c:\users\smjordan\AppData\Local\Google\Chrome\
=== c:\temp\RDP\stevenjordan\Chrome\

Figure 2: New Symbolic Junction for Chrome extension.

Analysis:

Chrome extensions reference DOS device paths. Let's consider how dynamic profile disks use symbolic junctions that point to different disks:

c:\Users  dir 
02/23/2018  11:29 AM  bgates {\??\Volume{a5ae22c7-18b8-11e8-968e-00145de79140}

The junction link causes the problem. Ironically, a second junction link fixes this issue:


c:\Users\bgates\AppData\Local\Google dir
 
 Directory of c:\Users\bgates\AppData\Local\Google

02/20/2018  10:58 AM   DIR
02/20/2018  10:58 AM   DIR
02/20/2018  10:58 AM   JUNCTION  Chrome c:\temp\RDP\bgates\Chrome
09/16/2015  07:46 AM   DIR       Chrome Cleanup Tool
05/14/2014  06:09 AM   DIR       CrashReports
03/11/2014  04:26 PM   DIR       Google Talk
12/04/2017  02:27 AM   DIR       Software Reporter Tool

0 File(s)              0 bytes
7 Dir(s)  36,942,458,880 bytes free

Note how the new junction link points to the system drive.

Additional Thoughts:

This solution is implemented on a per-user basis. It does not universally "fix" Chrome extensions for all RDP users.  Nonetheless, it may be a good fit because it narrows the scope of untrusted applications.

Alternatively, use Group Policy to change user environmental variables:

Group Policy
→ Computer Configuration
  → Administrative Templates
→ System
→ Group Policy
→ Configure user Group Policy loopback processing mode:
Enabled: On
Mode: Merge

→ User Configuration
  → Windows Settings
→ Preferences
→ Environment (right-click) → New
→ New Environment Properties:
Action: Update
User Variable=Check
Name=Temp
Value=c:\Temp\RDP\%USERNAME%
→ Environment (right-click) → New
Action: Update
User Variable=Check
Name=TMP
Value=c:\Temp\RDP\%USERNAME%

This change has a wider-scoping impact. It affects all related AppData programs -not just Chrome. It impacts all RDP users (without GP filtering). Avoid the system drive if possible -use a secondary disk instead. In addition, loopback processing applies user configurations to computer objects (i.e., RDP servers).

That's It!

References:
https://blogs.technet.microsoft.com/grouppolicy/2009/05/13/environment-variables-in-gp-preferences/
https://devtidbits.com/2009/09/07/windows-file-junctions-symbolic-links-and-hard-links/
https://blogs.msdn.microsoft.com/jeremykuhne/2016/04/21/path-format-overview/
https://blog.brankovucinec.com/2017/01/09/users-cant-install-google-chrome-extensions-on-rds-farm/

Fix Broken Checkpoints

2018-02-13T15:28:00.002-06:00

Summary:

How to delete Hyper-V checkpoints that cannot be deleted.

Problem:

Checkpoint cannot be removed from the Hyper-V Manager.

Symptoms:

Hyper-V Manager shows a checkpoint. No option to remove checkpoint.

VM disk directory has VHDX and AVHD files:

Solution:

1. Use PowerShell to view existing snapshot:

PS C:\Users Get-VMSnapshot -VMName tfs.stevenjordan.net

VMName  Name    SnapshotType CreationTime           
------  ----    ------------ ------------          
tfs     tfs     (2/13/2018 - 2:52:36 PM) Standard

2. Remove VM-Snapshot.


PS C:\User Get-VMSnapshot -VMName tfs | Remove-VMSnapshot

3. Confirm Snapshot has been removed.


PS C:\Users Get-VMSnapshot -VMName tfs
PS C:\Users

That's It!

How to Setup BranchCache

2018-02-02T18:34:00.000-06:00

Guide:

Quick and Easy BranchCache Setup.

Overview:

This article provides instructions on how to implement BranchCache.

Topology:

Three office locations:

Primary office in Atlanta (ATL).
Branch offices in Chicago (CHI) and Washington D.C (DCA).

CHI and ATL host local file servers (i.e., hosted cache mode).
DCA is the only office without a dedicated file server (i.e., distributed cache mode).
All clients use Windows Enterprise.

Implement BranchCache:

Install the BranchCache Role and Feature.
BranchCace SSL Certificates.
BranchCache Group policy.

Step 1. Add Roles and Features.

Run the Add Roles and Features Wizard on each file server. Install the (a) BranchCache for Network Files Role; and (b)the BranchCache Feature.

PowerShell:

Install-WindowsFeature BranchCache -IncludeManagementTools
Enable-BCHostedServer -RegisterSCP

Step 2. Adjust Caching.

BranchCache stores files in two directories: (a) HashCache and (b) DataCache.

File servers store file hashes in the HashCache directory. Remote Hosted Cache servers, as well as Distributed Cache clients, use files hashes for content tracking and updates.

The DataCache directory stores content derived from the hash. This directory contains cached remote content (i.e., files) that are served to local clients. Both directories are stored on the system drive -not good!

Adjust the Cache Location:

netsh branchcache set publicationcache directory=D:\BranchCache\
netsh branchcache set localcache directory=D:\LocalCache\

The default HashCache size is a measly 1% of the system disk. The Data Cache is slightly improved with 5% of total disk. Now consider that most system drives hold less that than 100GB. 5GB does not provide enough storage to make BrachCache worthwhile. Let's make BrachCache useful:

Adjust the Cache Size:

Netsh branchcache set publicationcachesize size=5 percent=TRUE
Netsh branchcache set localcachesize size=5 percent=TRUE

Additional caching attributes will be configured via Group Policy (Step 4).

Step 3. BranchCache SSL

BranchCache SSL certificates support Windows 7 clients. It's not necessary for organizations with only Windows 8 or Windows 10 clients. Of course, the file server will probably require certificates for other services -just not BranchCache.

Any trusted SSL certificate will work with BranchCache. We simply need to associate the server certificate with BranchCache:

Add a server certificate in the personal certificate directory for each BranchCache hosted cache server (e.g., ATL and CHI).
Bind the SSL certificate hash (i.e., thumbprint) to the hosted cache server. Use the following command: NETSH HTTP ADD SSLCERT IPPORT=0.0.0.0:443 CERTHASH=xxxxxxxxxxx APPID={d673f5ee-a714-454d-8de2-492e4c1bd8f8}

N.B., CERTHASH is the certificate's thumbprint. Further certificate information found here.

Step 4. Group Policy

Use Group Policies to adjust caching attributes and client settings.

Policies for the File Servers:

Table 1. BranchCache Policy for File Servers.

Policy	Path	Setting	Function
Turn on BranchCache	ComputerConfiguration/ Administrative Templates/ Network/ BranchCache	Enabled
Hash Publication for BranchCache	ComputerConfiguration/ Administrative Templates/ Network/ LanmanServer	Enabled: Value 2	(Hash publication for all shared folders).
MinContentLength Registry Key	ComputerConfiguration/ Preferences/ Windows Settings/ Registry/ MinContentLength	Reg_D WORD: 32768 (Decimal)	Default caching 64KB. New caching 32K. Set as low as 4KB. N.B., Low values may impact performance.

Policies for Windows clients:

Table 2. BranchCache policies for Win 8 and Win 10:

Policy	Path	Setting
Turn on BranchCache	ComputerConfiguration/ Administrative Templates/ Network/BranchCache	Enabled
Configure BranchCache for network files	Computer Configuration/ Administrative Templates/ Network/ BranchCache	Enabled Value:10
Enable Automatic Hosted Cache Discovery by Service Connection Point	Computer Configuration/ Administrative Templates/ Network/ BranchCache	Enabled
Set BranchCache Distributed Cache mode	Computer Configuration/ Administrative Templates/ Network/ BranchCache	Enabled

Note: BranchCache for network files uses round trip latency. Value 10 = 10ms. Hosted Cache mode is for location with dedicated file servers. Distributed Caching is for locations without dedicated file servers.

BranchCache Firewall Policies:

BranchCache requires inbound and outbound client firewall rules.

Table 3. BranchCache Inbound Firewall Group Policies

Policy	Path	Action
BranchCache Content Retrieval (HTTP-In)	Computer Configuration/ Policies/ Windows Settings/ Security Settings/ Windows Firewall with Advanced Security/ Inbound Rules	a. Right-click Inbound Rules. b. Left-click New Rule. c. Add predefined BranchCache rules.
BranchCache Hosted Cache Server (HTTP-In)
BranchCache Peer Discovery (WSD-In)
BranchCache Content Retrieval (HTTP-Out)	Computer Configuration/ Policies/ Windows Settings/ Security Settings/ Windows Firewall with Advanced Security/ Outbound Rules	a. Right-click Inbound Rules. b. Left-click New Rule. c. Add predefined BranchCache rules.
BranchCache Hosted Cache Clietnt (HTTP-Out)
BranchCache Hosted Cache Server (HTTP-Out)
BranchCache Peer Discovery (WSD-Out)

Optional: BranchCache for WSUS and IIS Servers

BranchCache also accelerates content for web servers and BITS application servers. Simply install the BranchCache feature and ensure the service is running. No other configuration steps are necessary.

Evaluate

User PowerShell and Performance monitor to ensure BranchCache works:

http://www.stevenjordan.net/2013/03/2012-branchcache-troubleshooting.html

That's It!

References:

http://social.technet.microsoft.com/wiki/contents/articles/14309.branchcache-frequently-asked-questions.aspx

http://technet.microsoft.com/en-us/library/hh848420.aspx

http://technet.microsoft.com/en-us/library/jj572970.aspx

http://technet.microsoft.com/en-us/library/dd637785(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/ff710438(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/dd637785(v=ws.10).aspx

https://ammarhasayen.com/2013/10/11/branchcache-course-109-where-files-are-stored/

https://2pintsoftware.com/branchcache-teeny-weeny-files/

Force AD DC Replication CMD

2018-02-01T06:31:00.000-06:00

Goal:

Synchronize Active Directory in a flash.

Problem:

How to quickly force domain controller replication throughout the domain.

Solution:

repadmin /syncall /AdeP

That's It!

Check DFSR for Backlogs

2018-01-31T20:26:00.000-06:00

Goal:

Determine if file share replication is up-to-date between shares.

Problem:

DFS replication propagation reports show usually high replication times (e.g., 11 days instead of 11 seconds). Users complain about missing data.

Solution:

Use DFS diagnostic commands to check for backlogs. Large backlogs indicate replication problems (e.g., insufficient staging size, failed pre-seeding, etc.).

Example:

C:\dfsrdiag backlog /rgname:"contoso\data\content" /rfname:Namespace-Folder /sendingmember:server1-hostname /receivingmember:server2-hostname

No Backlog - member

References:

https://blogs.technet.microsoft.com/filecab/2009/05/28/dfsrdiag-exe-replicationstate-whats-dfsr-up-to/
https://blogs.technet.microsoft.com/askds/2010/09/07/replacing-dfsr-member-hardware-or-os-part-2-pre-seeding/

Fix Win NAT-T for L2TP and IKEv2

2017-05-10T21:38:00.000-05:00

Problem:

Windows 2012 RRAS IPsec VPN does not support NAT-T out-of-the-box. By default, RRAS only works with public IP addresses -no NAT. Windows 10 clients cannot connect with L2TP from outside the office. Windows 2016 does not support L2TP for any client from behind routers running NAT.

Solution:

Enable NAT-T on both Windows servers and the clients. NAT-T allows the VPN server to serve clients (e.g., Windows 10, Android, Apple iOS) from behind the NAT device. Modify MTU.

Background:

Why NAT-T?

IPsec uses Encapsulating Security Payload (ESP) to encrypt packet headers and payloads. By default, ESP is not compatible with Port Address Translation (PAT). This is because TCP uses ports and ESP does not.

TCP and ESP are different Internet protocols. TCP uses protocol number 6. N.B., TCP protocol number 6 is not the same thing as TCP port 6. TCP ports are communication endpoints. For example, TCP uses port 80 for web traffic.

ESP uses protocol (i.e., not port) number 50. ESP is a protocol without ports. Network Address Translation (NAT) uses port translation PAT to bind traffic flows with internal hosts. Therefore, ESP does not work with NAT.

NAT-T allows ESP to work from behind NAT. It encapsulates ESP protocol 50 inside User Datagram Protocol (UDP) 4500. N.B, NAT-T is not the same as IPsec over UDP.

Enable NAT-T

NAT-T is enabled on most operating systems (e.g., Android) -Windows is the exception. Fortunately, we can enable NAT-T on Windows 10 and Windows 2012 with a few simple changes.

~~Windows IPsec clients are supposed to work from any location. Therefore, only enable NAT-T on the 2012 RRAS server.~~

Create a new registry key to enable NAT-T.

Edit Registry or create GPO:

HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Parameters\

Create new DWORD value: AssumeUDPEncapsulationContextOnSendRule

Modify DWORD value: 2

These changes will fix those pesky L2TP-NAT problem.

Troubleshooting Issues

Make sure clients use the latest edition of Windows 10. Early versions had quirks where clients simply would not connect via NAT-T.

NAT-T does not work with the following editions:

version 10240
version 1511 (i.e. November Update)

Unconfirmed (may or may not work):

version 1607 (i.e., Anniversary Update)

Confirmed:

version 1703 (i.e., Creators Update)

NAT-T works great with the registry fix and Creators Update.

Workarounds:

Some folks had to toggle the NAT-T registry value in order to connect (http://bit.ly/2r2CKnF). I assume this fix was for the November or Anniversary Update.

MTU

Don't forget to adjust the Max Segment Size (MSS):
http://www.stevenjordan.net/2016/11/windows-ikev2-mtu.html.

That's It!

Fix IKEv2 Mobile Scripts on IOS10

2017-04-28T18:01:00.005-05:00

Problem:

Pre-existing IKEv2 VPN mobile configuration scripts do not work with new iPhones. The script installs the VPN but connection attempts fail.

iPhone7 does not connect to the IKEv2 VPN. However, older iPhones running IOS8 and IOS9 continues to connect.

Solution:

Update the Mac OS and Apple Configurator 2 software. Create a new mobile config after software updates are complete.

Explanation:

IOS 10 cannot connect to IKEv2 VPNs using mobile scripts designed for IOS 8 & 9.

Additional Information:

http://www.stevenjordan.net/2016/11/mobile-config-gui.html

http://www.stevenjordan.net/2016/11/mdm-cert-enrollment.html

http://www.stevenjordan.net/2016/09/harden-rras-ikev2.html

Sidesync connection has been lost

2017-03-07T06:03:00.000-06:00

Problem:

Samsung SideSync crashes and displays error messages:

Sidesync connection has been lost.
USB connection to Samsung Phone has been lost.

This problem generally happens from mouse interaction with the virtual phone screen.

Cause:

Sidesync crashes from keyboard and mouse interaction with the remote session (i.e., virtual phone). This situation occurs when the Keyboard & Mouse sharing are disabled. N.B., Keyboard & Mouse Sharing is disabled by default.

Solution:

Enable the Keyboard and mouse sharing:

Open SideSync from the notification bar.
Click on the "More" button.
Click on "Enable Keyboard and mouse sharing" menu item.
Click on the Phone screen button to initiate screen mirror.

That's It!

TSA Searches Phones and Laptops

2017-02-02T06:43:00.000-06:00

Headlines: DIGITAL INTERROGATION? TRAVELERS' PHONES, SOCIALS SCANNED AT AIRPORTS...

Takeaway:

Personal electronic devices are subject to searches by the TSA and CBP agents -travelers beware. U.S. Agents may request full access to smart phones, tablets and laptops. Special emphasis is placed on search history, text history, and social media (e.g., Facebook). TSA/ CBP may temporarily confiscate the device, up to thirty days, or copy the contents of the entire disk for further investigation.

News about digital frisking is en vogue because of recent political events. However, this specific policy has been in effect before 2011 -during both Bush and Obama administrations. (Schneier, 2008). The less told story, however, is that data is at greatest risk when traveling to other countries.

Problem:

It may come as a surprise to learn that most Western governments do not respect individual privacy rights -digital or otherwise. For example, authorities at Paris Charles de Gaulle Airport are known to scan laptops (BBC, 1998). Devices are also subject to search when traveling through Canada, Australia, or the U.K -no warrants needed. (Hughes, 2014).

Encryption to the rescue? Encryption may protect your data but it's not fail-proof. For starters, there are different types of encryption. Some types of encryption are considered strong and nearly impossible to break. However, encryption uses cryptographic algorithms that become obsolete within months or years. Implementing secure encryption can be a complicated process.

What's more, encryption may protect your data, but it will not stop a frustrated border patrol agent from taking your device or arresting you. (Hughes, 2014).

Why the Fuss?

There are two sides to every coin. Governments have legitimate national security issues to contend with. Digital search and seizure policies are a simple means to identify terrorists, child pornographers, and other criminal activity.

On the other hand, the majority of international travelers are not criminals. At least in the U.S., and with exceptions, the right to privacy is a constitutional civil right. There are legitimate reasons to keep trade secrets, health records, or financial information secret.

Data at Risk

Not all inspections are invasive. Some agents may simply ask you to turn the device on. Others may causally browse its contents. However, there are situations that compromise data integrity:

If you provide a key code or password.
If the device is removed from your line of sight.
If the device is physically connected to another machine (e.g., scanned).
If the device connects to an agent's network (Ethernet or WiFi).

If a device is compromised it can no longer be trusted:

Your data is no longer confidential (e.g., pictures, credit cards, etc.)
Your data may have been altered or deleted.
The device may contain a viruses or malware.
All of your passwords may be compromised.
Your network accounts may be vulnerable (e.g., Exchange, VPN, RDP)

Conclusion:

In most situations, digital searches by the TSA/ CBP are probably harmless. However, it's prudent to take extra precautions when traveling outside the United States.

Links:

http://www.vocativ.com/397897/travelers-affected-by-trump-ban-forced-to-unlock-phones-computers/
https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices
http://www.stevenjordan.net/2014/08/network-security-international-and.html
http://www.stevenjordan.net/2016/09/ipsec-security-levels.html
http://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html
https://www.theguardian.com/profile/bruceschneier
http://news.bbc.co.uk/2/hi/science/nature/150465.stm

FYI, data snooping occurs at most other international airports (e.g., British Russian , & Chinese).https://t.co/lfOjvbCS6W
— Steven Jordan (@stevenuwm) January 31, 2017

https://www.theguardian.com/technology/2008/may/15/computing.security

S4B Clients on Split-Tunnel VPNs.

2016-12-14T15:00:00.000-06:00

S4B: Bypass Split-Tunnel VPNs.

Take Away:

Skype for Business (S4B) and Lync clients may experience problems when traversing a split-tunnel VPN. Use Name Resolution Policy Table (NRPT) and Windows firewall group policies (GPOs) to bypass split-tunnel VPNs. This solution is easy to administer and provides remote offices the best multimedia experience.

Problem:

The DCA office experiences weird S4B/ Lync issues:

Local S4B/ Lync clients cannot host conference calls for external clients.
All clients (external and DCA) can connect to conference calls hosted at at the company headquarters (JFK).
Local S4B/ Lync clients cannot share multimedia content (e.g., screen-sharing, video, etc.) between external clients.
All clients can share multimedia content when connected to conference calls hosted at JFK HQ.
Audio and video quality is poor (e.g., choppy or static) between DCA and JFK locations.

Topology:

This business consists of two locations: JFK is the primary HQ office. DCA is the branch office.

A site-to-site IPsec VPN tunnel connects the DCA and JFK offices.
DCA uses split-tunneling to forward all corporate data.
DCA uses its default gateway to forward all other traffic to the Internet.
JKF hosts all Lync servers: Front End, Access Edge, and Reverse Proxy servers.
Both DCA and JFK use Active Directory (AD) integrated DNS servers.
External clients allow staff to work from home.

Figure 1. Example of Lync and organization topology.

ICE Framework:

S4B-Lync uses network topology to select the best connection path. It uses a peer-to-peer connection framework called Interactive Connectivity Establishment (ICE).   This framework includes Session Traversal Utilities for NAT (STUN) and Traversal Using Relay NAT (TURN) protocols.

STUN identifies client Network Address Translation (NAT) (i.e., private IPs). This process also identifies the default gateway (i.e., public IP).  Multimedia travels directly between end-points when STUN is used. S4B/ Lync clients prefer to communicate directly (i.e., peer-to-peer) between clients which reside on the same LAN. N.B., LAN is not a reference for broadcast domains. LAN, in this situation, includes all internal networks (i.e., subnets) with routes to the Front-End subnet. Internal clients never use the Access Edge server for internal communication.

Similarly, external clients prefer STUN for communicating multimedia content to other external peers.  The Access Edge server will only bridge external-to-external clients (i.e., TURN) if peer-to-peer communication is not possible.

Lync clients use TURN framework when end-points do not share a common LAN. The TURN process creates dynamic ports on the Access Edge server; and in turn (pun), proxies external multimedia.  TURN is similar to Port Address Translation (PAT), just as the Access Edge server is similar to an Internet gateway.

To recap, S4B/ Lync clients prefer direct peer-to-peer multimedia communication.  Internal clients will never use the Access Edge server for internal multimedia communication. External clients use the Access Edge server to bridge communication whenever peer-to-peer communication is unavailable; including external-to-external, and external-to-internal.

Split-Tunnel Problems:

ICE framework (generally) provides the best multimedia experience. However, it does not work well over split-tunnel VPNs. Split-tunnel VPNs create STUN and TURN mismatches. For example, the DCA branch office firewall forwards all domain traffic to the JFK primary office; all other traffic forwards out the local gateway (i.e., Internet). DCA and external Lync clients interpret this topology differently (Table 1).

Table 1. Default Multimedia Network Traffic Between Lync Clients
Source	Destination
	JFK	DCA	External Client
JFK	STUN	STUN	TURN
DCA	STUN	STUN	TURN
External Client	TURN	STUN	STUN
Notes: DCA uses split-tunnel VPN to connect to JKF. Stun represents Lync client-to-client. TURN represents multimedia proxy (i.e., Lync Access-Edge) requirement. Blue represents split-tunnel topology. Red represents client topology mismatch.

The primary problem with split-tunnel VPNs is with how the S4B/ Lync client interprets the topology. Recall, internal clients always use the Access Edge server for external communication. Likewise, internal clients never use the Access Edge for internal conversations. The VPN firewall forwards all domain traffic to the JKF network. Therefore, DCA clients consider themselves as internal; and external clients as external. DCA clients will only use the Access Edge server when communicating with external clients.

External clients have an entirely different interpretation of the topology. External clients are aware of the DCA Internet gateway, but they remain unaware of its split-tunneling. External clients will therefore interpret DCA clients as external peers; multimedia traffic is sent directly to the DCA clients (i.e., STUN).

To recap, external clients are unaware of the DCA split-tunnel. These external clients attempt to send audio and video (AV), and expect to receive AV, directly from the DCA clients. Whereas DCA clients send AV, and expect to receive AV, proxied from the Access Edge server.

Figure 2. Lync directional mismatch.

The split-tunnel VPN causes a secondary problem between JFK and DCA. These clients use STUN to establish peer-to-peer connections across the VPN. Users complain about overall client AV quality between these locations.

Multiple layers of encryption decreases overall AV quality. Lync encrypts multimedia packets with TLS and SRTP protocols. The VPN adds additional packet overhead as it encrypts and encapsulates each packet. Staff at both locations can expect better AV if DCA S4B-Lync clients bypass split-tunneling (i.e., TURN).

Figure 3. Bypass the split-tunnel VPN.

Resolution:

S4B-Lync clients can bypass split-tunneling entirely: (a) changes to DNS topology; and (b) changes to client firewalls. Recall, both offices belong to a single AD domain, and each office uses recursive AD integrated DNS servers. AD replication ensures internal name resolution is the same at each location. Lync clients use DNS to locate S4B-Lync servers via S4B-Lync Discovery (Table 2).

Table 2. S4B-Lync Client Discovery Preference Order
DNS Prefix	lyncdiscoverinternal	lyncdiscover
Discovery Order	1st preference	2nd preference
Client	Internal clients	External clients
Server	Front-End	Access-Edge
Notes: Discovery preference assumes organization uses a split-brain DNS topology. Topology consists of independent internal and external DNS servers.

All internal clients, including those on the VPN, use internal DNS for Lync Discovery resolution. External clients use external DNS for their Lync Discovery process. Therefore, VPN clients can bypass split-tunneling using a process that distinguishes Lync traffic, and resolves it using external name records. N.B., Internal DNS continues to resolve all other (i.e., non-Lync) requests. Otherwise, what's the point of having a VPN?

Name Resolution Policy Table:

Split-brain DNS requires a confusing array of zone records. Most Internet documentation suggests pin-point DNS zones to influence Lync traffic. Instead, consider using NRPT, which simplifies the entire domain resolution process.

Lync clients can bypass the VPN with NRPT group policy. NRPT is configured with two simple rules:

Forward all domain name requests for Lync services to external DNS servers.
Use client DNS settings (i.e. internal) for all other DNS resolution.

Create the NRPT Group Policy to allow S4B-Lync clients to bypass the VPN:

Create new GPO: Computer Configuration → Policies → Windows Settings → Name Resolution Policy.
Configure the Advanced Global Policy Settings:

Figure 4. NTRP GPO to bypass split-tunneling.
Change the Query Resolution settings. Enable "Configure query resolution options". Enable Resolve both IPv4 and IPv6 addresses for names.
Create rules that forward Lync FQDNs to external DNS servers.

a. To which part of the namespace does this rule apply? Choose FQDN.
b. Click on the Generic DNS Server tab.
c. Toggle the Enable DNS settings check box
d. Click the Add button
e. DNS server: Enter an external recursive DNS server; or the authoritative public (i.e., Internet facing) DNS server for your organization's sip-domain.
f. Click Apply.

GPOs are applied to AD domains, sites, or Organizational Units (OUs). In most situations, it makes sense to apply the NRPT GPO to the AD site that correlates with the branch office.

From Group Policy Management: Right click on Sites → Left click on Show Sites → Right click on the branch office site → Link an Existing GPO.

Alternately, create separate computer OUs per location. Link the NRPT GPO OU that nests all branch office computers.

Windows Firewall:

NRPT influences clients to logically bypass the VPN. However, there may be circumstances when Lync clients discover alternate (i.e., split-tunnel) paths to internal resources. Lync clients, therefore, require both logical and physical divisions. Windows Firewall compliments the NRPT GPO with two simple rules:

Restrict traffic based on application (i.e., S4B).
Restrict traffic based on source (i.e., DCA) and destination (i.e., JFK).

Create the Windows Firewall GPO:

Create new GPO: Computer Configuration → Policies → Windows Settings → Security Settings → Windows Firewall with Advanced Security → Inbound Rules.
Right click on Inbound Rules → New Inbound Rule → Program → Path: %ProgramFiles%\Microsoft Office\Office15\lync.exe → Block the Connection → Apply rule to Domain. N.B, Use applicable application paths. For example, Lync Basic and Lync Professional may use different paths.
Edit the new Inbound Rule: Right click on the new rule → Click on the Scope tab → Add all internal IP subnets (i.e., primary office) to the Remote IP address field → Click Add → Click OK.

Figure 5. Windows Firewall GPO to bypass VPN.
Apply the newly created Firewall GPO to apply the AD site that correlates with the branch office. Alternately, apply this GPO to OU that nests branch office computers.

Conclusion:

NRTP and firewall GPOs force S4B-Lync clients to bypass split-tunnel VPNs. These combined GPOs have two primary effects: (a) DCA-to-external clients prefer STUN (i.e., client-to-client); and (b) DCA-to-JFK clients use TURN (i.e., client-to-Access Edge) for external AV communication (Table 3).

Table 3. Effects of Split-Tunnel GPOs on Multimedia Traffic
Source	Destination
	JFK	DCA	External Client
JFK	STUN	TURN	TURN
DCA	TURN	STUN	STUN
External Client	TURN	STUN	STUN
Notes: DCA uses split-tunnel VPN to connect to JKF. Stun represents Lync client-to-client. TURN represents multimedia proxy (i.e., Lync Access-Edge) requirement. Blue emphasizes branch office traffic. That's It!

Android IKEv2 Client Setup

2016-11-19T17:35:00.000-06:00

Task:

Send end-user instructions on how to configure Android IKEv2 VPN clients.

Solution:

Installation is a two-step process:

Step 1: Install all three certificates. The Administrator has sent a separate website link where you can download necessary certificates: (a) user_device.PFX; (b) vpn_server.CER, and root.CER. Open each attachment to start the installation. Include the PFX password.

Step 2: Configure the Android VPN client: Android Settings → Connections → More Connection Settings → VPN → Add VPN.

VPN Settings (Figure 1):
N.B., Change the value for “IPSec user certificate” to “user_android”.

Figure 1. Android IKEv2 VPN Settings.

Hint: VPN shortcut apps are available in the Google Play Store. This provides a quick and easy method to connect.
For example: https://play.google.com/store/apps/details?id=com.rosaneng.vpnsettings&hl=en

Also note, your device certificate contains a private key for your client certificate. Anyone that gets a hold of this key can impersonate your account. Please protect your device with a passcode and encryption. This script is not intended for rooted devices. I encourage you to delete this email from your mailbox after you’ve configured your devices.

That's It!

Windows IKEv2 MTU

2016-11-18T06:03:00.000-06:00

Problem:

How to set MTU on Windows Servers. Windows Server 2012 VPN fragments packets after it applies encryption! This issue causes latency and causes the VPN to disconnect clients -no good!

Background:

The default packet size is 1500. Now consider how IPsec encryption adds a number of bytes to the original packet. This process leads to post-fragmentation conditions. In other words, packets are fragmented after encryption. This condition degrades or disrupts VPN performance.

Solution:

Adjust maximum segment size (MSS) on the outside interface so packet size is less that the default 1500 MTU.

Packet fragmenting occurs when a packet is larger than its default MTU. TCP fragments the original data and sends it avoid encrypted packet. According to Cisco, ESP overhead adds a maximum of 73 Bytes to each packet. Therefore, we can adjust the MSS to a conservative 1400.

PowerShell:

Step 1: Identify external interface.



PS
C:\Users\thedude> netsh int ipv4 sh int

Idx Met MTU State Name

--- ---------- ---------- ------------ ---------------------------

1 50 4294967295 connected Loopback Pseudo-Interface 1

29 30 Default connected RAS (Dial In) Interface

12 5 1500 connected Inside

14 5 1500 connected Outside

Step 2. Modify external interface MSS.

PS C:\Users\thedude> netsh int ipv4 set subint "Outside" mtu=1350 store=persistent

Step 3. Confirm MSS:

PS C:\Users\thedude> netsh int ipv4 sh int

Idx Met MTU State Name

--- ---------- ---------- ------------ ---------------------------

1 50 4294967295 connected Loopback Pseudo-Interface 1

29 30 Default connected RAS (Dial In) Interface

12 5 1500 connected Inside

14 5 1400 connected Outside

That's It!

References:

https://supportforums.cisco.com/document/64281/how-does-nat-t-work-ipsec

http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/vspa/configuration/guide/ivmsw_book/ivmvpnb.html#wp2047965

http://www.concurrency.com/blog/w/site-to-azure-vpn-using-windows-server-2012-rras>

Install Mobile-Config Script

2016-11-15T21:38:00.000-06:00

Task:

Setup instructions for manual distribution of mobile-config scripts for iPhones and iPads.

Assumptions:

These instructions assume the mobile-config script has already been generated, These instructions are for situations when mobile device management (MDM) is not available. It assumes email distribution from a private server. Use caution whenever distributing certificates and private keys!

Background:

Mobile-device scripts run on any iPhone or iPad –simply open the email attachment to start the process. It installs certificates and configures the IKEv2 VPN. This script can configure multiple devices.

Security Considerations

Also note, the script includes the private key for the client certificate. This provides identity validation, authentication, and authorization. Anyone that gets a hold of this key can impersonate the account. It’s critical to use a passcode and enforce encryption. Do not install these files on jailbroken devices. Delete the script from your mailbox after all devices are configured.

Brief instructions:

Step 1: Open mobile-config file to start the profile installation.

· N.B., This script is not signed –that’s OK.
· Click Next.

Step 2: Enter device passcode.

Step 3: Consent.

· Brief description for mobile-config.
· Installation requires consent.
· Click Next.

Step 4: Confirm Install.

· General VPN disclosure.
· Click Install. Click Done.

Step 5. Connect to the VPN.

· Open Settings.
· Toggle the VPN button.
· The VPN symbol appears in upper left-hand corner to confirm active VPN sessions.

The VPN is ready for action. That's It!

Dynamic S2S VPNs

2016-11-14T18:08:00.000-06:00

Task:

Create site-to-site (S2S) interfaces for dynamic IKEv2 VPN clients (e.g., iPhones). Assign different cryptographic algorithms to each S2S interface.

What are dynamic S2S VPNs?

S2S VPNs usually support static VPN endpoints. For example, a dedicated (i.e., always-on) VPN that connects a branch office to its HQ office. However, S2S VPNs can also connect mobile clients for dynamic connections. This hybrid approach is for special circumstances.

Why use dynamic S2S VPNs?

Most folks should stick with the default RRAS dial-up VPN server. It provides better management and reporting tools. However, dynamic S2S VPNs support configuration features that are unavailable with the standard RRAS client VPNs.

For example, dial-up IKEv2 VPNs may authenticate any certificate issued from one of its trusted root certificates. S2S VPNs can limit authentication to specific client certificates. The best part, IMHO, is the ability to apply unique cipher suites per S2S interface. For example, we can create separate S2S interfaces for each client -including unique cipher suite standards.

How do we implement dynamic S2S VPNs?

PowerShell offers a straight-forward method to implement S2S VPNs. However, consider using a GUI-Powershell hybrid approach that supports additional client management features.

Dynamic S2S via PowerShell:

The following example creates a new S2S interface with strong security targets:
• Certificate authentication
• IKEv2 Protocol
• Main Mode: AES128-SHA256-DHGroup14
• Quick Mode: AES256-SHA256

Add-VpnS2SInterface -name smj@stevenjordan.net -CustomPolicy -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod aes128 -IntegrityCheckMethod SHA256 -Destination 0.0.0.0 -Protocol IKEv2 -AuthenticationMethod MachineCertificates -ResponderAuthenticationMethod MachineCertificates -EncryptionType RequireEncryption

The interface name always matches the authentication certificate's subject name. Some clients (e.g., iPhone) require a matching subject common name and matching subject alternative name (SAN) DNS name. This attribute associates the authentication certificate with the S2S interface. The destination flag is set to accept connection requests from any IP (i.e., it's dynamic).

Don't forget to lock down the VPN server. Enforcing subject names does not secure the server. Recall, Windows VPN server leaves its front door wide open -by default. Windows VPN security requires manual changes: http://www.stevenjordan.net/2016/10/door-wide-open-on-win-ikev2.html

Managing S2S connections via PowerShell:

Managing client connections is cumbersome compared to traditional RRAS client VPN tools. For example, RRAS and Remote Access Management provide simple GUI tools to manage dial-up connections (Figure 1). However, Remote Access Clients does not display S2S connections. Additionally, RRAS Network Interfaces does display S2S interfaces by deafult.

Figure 1. RRAS Client Connections.

The RRAS management GUI does not play well with dynamic S2S connections. The Remote Access Clients tab does not display active connections. However, the GUI will display active IKEv2 WAN Miniports:

Figure 2. Active WAN Miniports. Good enough.

PowerShell provides a better method to view active S2S connections:


PS C:\Users\SMJ> Get-VpnS2SInterface


RoutingDomain  Name             Destination   AdminStatus  ConnectionState 

------         -------          -----------   -----------  --------------- 

               XXXXXX-XXXX-SMJ  {0.0.0.0}      True         Connected

Dynamic S2S GUI-Powershell Hybrid

Alternately, create dynamic S2S interfaces with the RRAS GUI. This approach offers some S2S client management benefits. Keep in mind, these S2S interfaces use default cryptographic algorithms. We'll need to modify S2S security targets with PowerShell:

Step 1. RRAS → VNS server → Right-click Network Inerfaces → New Demand-Dial Interface:

• Interface Name: Certificate's subject common name.
• Connection Type: VPN → Next
• VPN Type: IKEv2 → Next
• Hostname: None (leave blank) → Next
• Protocols & Security: Route IP packets on this interface → Next
• Static Routes: None (or add based on your organization's needs).
• Dial-Out Credentials: None → Next → Finish.

Step 2: Edit S2S interface properties → Options tab.
• Connection type: Persistent connection → OK.

Step 3: Edit security targets for S2S interface in PowerShell.

PS C:\Users\SMJ> Set-VpnS2SInterface -name xxxx-xxxx-SMJ -CustomPolicy -CipherTransformConstants AES256 -DHGroup Group14 -EncryptionMethod aes256 -IntegrityCheckMethod SHA256 -EncryptionType RequireEncryption

WARNING: VPN site-to-site adapter xxxx-xxxx-SMJ will be modified and the parameters 
other than IPv4Subnet/IPv6Subnet will be applicable next time the connection is dialed.

Check Hybrid S2S Connection from GUI:

RRAS → VNS server → Network Interfaces: Connection Status

Figure 3. S2S connection status via RRAS GUI.

The RRAS Network Interface GUI now includes a list of S2S interfaces and connection status. It also provides a simple method to disconnect or disable client connections.

Troubleshoot:

Use PowerShell to check server IPsec crypto-sets:
• Get-NetIPsecMainModeCryptoSet
• Get-NetIPsecQuickModeCryptoSet

Confirm server-client security targets work as intended:
• Get-VPNS2SInterface
• Get-NetIPsecMainModeSA
• Get-NetIPsecQuickModeSA

I also recommend using the Best Practice Analyzer (BPA) to check for any obvious S2S security warnings.
https://technet.microsoft.com/en-us/library/ee922676(v=ws.10).aspx

That's It!