Always On VPN disconnects if firewall Captive Portal is enabled

A_person_named_Andrew 1 Reputation point
2021-04-19T07:17:59.4+00:00

Hi All,

We have a customer testing Always On behind a firewall, in non-split-tunnelling mode.
They want LDAP groups to allow users differing Internet access whilst connected to the VPN.

When we enable captive portal, and the client connects, they disconnect immediately as the browser opens the normal connection test, before they ever see the captive portal.

After running some packet sniffs, we allowed traffic to an IP we saw popping up that belongs to Microsoft - 13.107.4.52 - and the client no longer disconnects immediately, but also does not get the automated connection test that would usually redirect to the captive portal. Instead they have to manually browse to a site using HTTP or at the very least not using HSTS, so that captive portal login is presented.

My question is what is 13.107.4.52? And, more importantly, is there a setting that will prevent the Always On server from dropping the VPN connection when the connection test is redirected to a captive portal without allowing all traffic to that IP?


1 answer

  1. Thomas Gusset 36 Reputation points
    2021-04-19T12:56:23.93+00:00

    Hi
    Windows 10 does a connection check to detect whether there is Internet connectivity. This is done by trying to connect to www.msftconnecttest.com (13.107.4.52) via HTTP.
    Always On VPN only connects automatically to the VPN peer if there is Internet connectivity.
    What do you mean by 'enable captive portal'?
    Typically a captive portal allows Internet access after successful authentication. That means as long as you are not authenticated at the captive portal there is no Internet access and also no access to the VPN peer. As soon as Internet connectivity is detected, the VPN connection should be established.
    By the way, we found some more IPs that must be reachable for a successful Internet detection of Win10: 13.107.4.52, 52.164.206.56, 104.215.95.187

    Thomas
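
An added example, not part of either post: a small model of the HTTP connectivity probe the answer describes, for checking from a client behind the firewall whether the probe is answered normally, redirected to a portal, or blocked. The probe path `/connecttest.txt`, the expected body and the `Microsoft NCSI` user agent are Windows defaults not stated in the thread, and the three-way classification is a simplification of what Windows itself decides.

```python
import http.client

# Windows 10 defaults for the active HTTP probe (assumed; not stated in the thread).
PROBE_HOST = "www.msftconnecttest.com"
PROBE_PATH = "/connecttest.txt"
PROBE_BODY = b"Microsoft Connect Test"


def classify(status, headers, body):
    """Map one probe response to the state this example reports."""
    if status is None:
        return "no-connectivity"      # blocked, reset or timed out
    if 300 <= status < 400 and "location" in headers:
        return "captive-portal"       # firewall redirects to its login page
    if status == 200:
        if body.strip() == PROBE_BODY:
            return "internet"         # the real endpoint answered
        return "captive-portal"       # answered, but content was replaced
    return "no-connectivity"          # e.g. a 403 block page from the firewall


def probe(host=PROBE_HOST, path=PROBE_PATH, timeout=5):
    """Send the probe without following redirects; return (state, location)."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "Microsoft NCSI"})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        state = classify(resp.status, headers, resp.read(4096))
        return state, headers.get("location")
    except (OSError, http.client.HTTPException):
        return classify(None, {}, b""), None
    finally:
        conn.close()


# Constructed sample responses (status, headers, body); not captured traffic.
SAMPLES = {
    "direct": (200, {}, b"Microsoft Connect Test"),
    "portal redirect": (302, {"location": "http://portal.example/login"}, b""),
    "portal rewrite": (200, {}, b"<html>Please sign in</html>"),
    "firewall block": (403, {}, b"Denied"),
    "dropped": (None, {}, b""),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:16} -> {classify(*sample)}")
    print("live probe       ->", probe())
```

Running it on the client before and after the captive portal policy is enabled shows which of the three outcomes the firewall produces for the probe.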
