Block Always-on VPN from connecting whilst on a specific subnet

Anonymous
2020-08-12T10:27:03.767+00:00

Hi Microsoft Q&A!

Currently we have a Windows Always-On VPN setup using Windows Server 2016 as the main RAS, and Windows 10 devices for the clients.

We are using a full-tunnel VPN rather than split-tunneling to ensure all traffic goes through our web-filtering software.

The issue I am currently faced with is this: can I restrict our devices from being able to connect using the Always-On VPN when they are on our company wi-fi? It is a separate subnet from our main LAN but it has direct access to the same servers, etc., so the VPN connection is not required when on the office-based wi-fi.

I have tried to create a new network policy which restricts access to clients attempting to establish a connection from that specific subnet (I think) but it doesn't seem to have made a difference as of yet. If anyone could offer advice I'd be grateful.

Thanks!


1 answer

  1. Sunny Qi (Microsoft Vendor)
    2020-08-13T07:41:08.843+00:00

    Hi,

    Thanks for posting here.

    Most VPN clients use ports 500 and 4500 UDP, and port 1723 for TCP.

    If you need to restrict Windows 10 clients from connecting to the VPN, you could create new rules in Windows Defender Firewall on the client side to block these ports.

    1. Go to Control Panel-->System and Security-->Windows Defender Firewall-->Advanced Settings
    2. Locate Outbound Rules-->New Rule-->select Port-->click Next-->select UDP-->enter "500,4500" in Specific remote ports-->click Next-->select Block the connection-->click Next-->choose when this rule applies-->click Next-->enter the name of the rule-->click Finish

    The steps for creating a rule to block TCP port 1723 are the same as the detailed steps above.

    Hope my answer will help you.

    ---Please Accept as answer if the reply is helpful---

    Best Regards,
    Sunny
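
The same outbound block rules as in the answer above, scripted in PowerShell and scoped so they only bite while the client holds an address on the office wi-fi subnet (which is what the original question asks for). This is an added example, not code from the question or the answer: the subnet and VPN server address are hypothetical placeholders that you must replace with your own values, and the rules are restricted to the VPN server's address so that IPsec/IKE traffic to anything else is not disturbed. Run it from an elevated PowerShell session on the client.

```powershell
# Added example (not from the original question or answer): create outbound
# Windows Defender Firewall block rules for the ports named in the answer
# (UDP 500/4500 and TCP 1723), scoped to the office wi-fi subnet so they
# only apply while the client's own address is on that subnet.
# ASSUMPTIONS (hypothetical values; replace with your own):
$OfficeWifiSubnet = '192.0.2.0/24'    # hypothetical: office wi-fi address range
$VpnServer        = '198.51.100.10'   # hypothetical: public address of the RAS/VPN server
$RuleGroup        = 'AOVPN office wi-fi block'

# Parameters shared by both rules (splatted below).
$common = @{
    Direction     = 'Outbound'
    Action        = 'Block'
    Enabled       = 'True'
    Profile       = 'Domain,Private,Public'   # apply whichever profile the wi-fi is classified as
    LocalAddress  = $OfficeWifiSubnet         # match only when the client's IP is inside this range
    RemoteAddress = $VpnServer                # do not block IPsec/IKE to any other destination
    Group         = $RuleGroup
}

# IKEv2 / IPsec NAT-T: UDP 500 and 4500 (the UDP ports named in the answer).
New-NetFirewallRule @common -DisplayName 'Block AOVPN IKE/NAT-T on office wi-fi' `
    -Protocol UDP -RemotePort 500,4500

# PPTP control channel: TCP 1723 (the TCP port named in the answer).
New-NetFirewallRule @common -DisplayName 'Block AOVPN PPTP on office wi-fi' `
    -Protocol TCP -RemotePort 1723

# Verify the rules and the address/port scope actually stored on them.
Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name          = $_.DisplayName
        Enabled       = $_.Enabled
        LocalAddress  = $addr.LocalAddress
        RemoteAddress = $addr.RemoteAddress
        Protocol      = $port.Protocol
        RemotePort    = $port.RemotePort
    }
} | Format-Table -AutoSize

# To undo everything this script created:
# Remove-NetFirewallRule -Group $RuleGroup
```

The `LocalAddress` scope is what ties the rule to the office wi-fi: off site the client has some other address, the rule does not match, and the VPN connects normally. Check the firewall profile the office wi-fi lands in (`Get-NetConnectionProfile`) if you want to narrow `Profile` further, and confirm with `Get-NetFirewallRule -Group ... | Get-NetFirewallAddressFilter` that the stored ranges are what you intended before deploying the rules more widely.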