Advanced features of Always On VPN

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows 10

Beyond a standard deployment, you can add other advanced VPN features to improve the security and availability of your VPN connection. For example, the VPN server can use these features to help make sure that the connecting client is healthy before it allows a connection.

High Availability

The following are more options for high availability.

Server resilience and load balancing: In environments that require high availability or that support large numbers of requests, you can increase the performance and resiliency of Remote Access. You can use load balancing between multiple servers that are running Network Policy Server (NPS) and enable Remote Access server clustering.

Geographic site resilience: For IP-based geolocation, you can use Global Traffic Manager with DNS in Windows Server 2016. For more robust geographic load balancing, you can use Global Server Load Balancing solutions, such as Microsoft Azure Traffic Manager.

Related documents:

Advanced Authentication

The following are more options for authentication.

Windows Hello for Business: In Windows 10, Windows Hello for Business replaces passwords by providing strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or Personal Identification Number (PIN).

The Windows 10 VPN client is compatible with Windows Hello for Business. After the user logs in by using a gesture, the VPN connection uses the Windows Hello for Business certificate for certificate-based authentication.

Azure Multifactor Authentication (MFA): Azure AD Multi-Factor Authentication has cloud and on-premises versions that you can integrate with the Windows VPN authentication mechanism.

For more information about how this mechanism works, see Integrate RADIUS authentication with Azure AD Multi-Factor Authentication Server.

Advanced VPN Features

The following are more options for advanced features.

Traffic filtering: If you need to control which applications VPN clients can reach over the tunnel, you can enable VPN Traffic Filters.

For more information, see VPN security features.

App-triggered VPN: You can configure VPN profiles to connect automatically when certain applications or types of applications start.

For more information about this and other triggering options, see VPN auto-triggered profile options.

VPN conditional access: Conditional access and device compliance can require managed devices to meet standards before they can connect to the VPN. One of the advanced features for VPN conditional access allows you to restrict the VPN connections to only the devices whose client authentication certificate contains the "AAD Conditional Access" OID of

To restrict the VPN connections, you must do the following:

  1. On the NPS server, open the Network Policy Server snap-in.
  2. Expand Policies > Network Policies.
  3. Right-click the Virtual Private Network (VPN) Connections Network Policy and select Properties.
  4. Select the Settings tab.
  5. Select Vendor Specific, and then select Add.
  6. Select the Allowed-Certificate-OID option, and then select Add.
  7. Paste the AAD Conditional Access OID of as the attribute value, and then select OK two times.
  8. Select Close, and then select Apply.

    After you follow these steps, when VPN clients try to connect by using any certificate other than the short-lived cloud certificate, the connection fails.

For more information about conditional access, see VPN and conditional access.

Blocking VPN Clients that Use Revoked Certificates

After you install updates, the RRAS server can enforce certificate revocation for VPNs that use IKEv2 and machine certificates for authentication, such as device tunnel Always-on VPNs. This means that for such VPNs, the RRAS server can deny VPN connections to clients that try to use a revoked certificate.


The following table lists the releases that contain the fixes for each version of Windows.

Operating system version Release
Windows Server, version 1903 KB4501375
Windows Server 2019
Windows Server, version 1809
Windows Server, version 1803 KB4507466
Windows Server, version 1709 KB4507465
Windows Server 2016, version 1607 KB4503294

How to configure prerequisites

  1. Install the Windows updates as they become available.
  2. Make sure that all the VPN client and RRAS server certificates that you use have CDP entries, and that the RRAS server can reach the respective CRLs.
  3. On the RRAS server, use the Set-VpnAuthProtocol PowerShell cmdlet to configure the RootCertificateNameToAccept parameter.

    The following example lists the commands to do this. In the example, CN=Contoso Root Certification Authority represents the distinguished name of the Root Certification Authority.

    # Locate the root CA certificate in the local machine's Trusted Root store by its subject name
    $cert1 = ( Get-ChildItem -Path cert:LocalMachine\root | Where-Object -FilterScript { $_.Subject -Like "*CN=Contoso Root Certification Authority*" } )
    # Accept only client certificates that chain to that root; -PassThru returns the resulting configuration so you can confirm it
    Set-VpnAuthProtocol -RootCertificateNameToAccept $cert1 -PassThru

How to configure the RRAS server to enforce certificate revocation for VPN connections that are based on IKEv2 machine certificates

  1. In a Command Prompt window, run the following command:

    reg add HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ikev2 /f /v CertAuthFlags /t REG_DWORD /d "4"
  2. Restart the Routing and Remote Access service.

To disable certificate revocation for these VPN connections, set CertAuthFlags = 2 or remove the CertAuthFlags value, and then restart the Routing and Remote Access service.
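The prerequisite and enforcement steps above can be scripted so that the configuration is repeatable and verifiable. The following PowerShell is an added example, not from the original page: it checks that the server's certificates carry a CRL Distribution Points extension, pins IKEv2 authentication to the chosen root CA, sets CertAuthFlags to 4 (the same value the reg add command sets), restarts Routing and Remote Access, and reads the flag back. The root CA subject and the registry path are assumptions; replace the subject with your own root CA's distinguished name.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session on the RRAS server.
$RootCaSubject = "CN=Contoso Root Certification Authority"   # assumption: substitute your root CA's DN
$Ikev2Key = "HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ikev2"

# 1. Every certificate RRAS might present or evaluate needs a CRL Distribution Points (CDP)
#    extension (OID 2.5.29.31); without it the server cannot locate a CRL and revocation
#    checking cannot succeed. Warn about any private-key certificate in the machine store that lacks one.
function Test-CdpPresent {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }
    if (-not $cdp) { return $false }
    # Format($true) renders the extension as multi-line text so the CRL URLs are visible with -Verbose
    Write-Verbose ("CDP for {0}:`n{1}" -f $Certificate.Subject, $cdp.Format($true))
    return $true
}

Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    if (-not (Test-CdpPresent -Certificate $_)) {
        Write-Warning ("No CDP extension on {0} (thumbprint {1}); revocation checking cannot work for it." -f $_.Subject, $_.Thumbprint)
    }
}

# 2. Accept only IKEv2 machine certificates that chain to the chosen root CA.
$rootCert = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$RootCaSubject*" } |
    Select-Object -First 1
if (-not $rootCert) { throw "Root CA '$RootCaSubject' was not found in Cert:\LocalMachine\Root" }
Set-VpnAuthProtocol -RootCertificateNameToAccept $rootCert -PassThru

# 3. Turn on revocation enforcement: CertAuthFlags = 4 (CertAuthFlags = 2, or removing the value, disables it).
if (-not (Test-Path -Path $Ikev2Key)) { New-Item -Path $Ikev2Key -Force | Out-Null }
New-ItemProperty -Path $Ikev2Key -Name CertAuthFlags -PropertyType DWord -Value 4 -Force | Out-Null

# 4. Restart Routing and Remote Access so the flag takes effect, then read the value back to confirm it.
Restart-Service -Name RemoteAccess -Force
(Get-ItemProperty -Path $Ikev2Key -Name CertAuthFlags).CertAuthFlags
```

Run the script with -Verbose to see the CRL URLs that each certificate advertises; the RRAS server must be able to reach those URLs, which is the second prerequisite above and is not something the script can prove on its own.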

How to revoke a VPN client certificate for a VPN connection that is based on an IKEv2 machine certificate

  1. Revoke the VPN client certificate from the Certification Authority.
  2. Publish a new CRL from the Certification Authority.
  3. On the RRAS server, open an administrative Command Prompt window, and then run the following commands:
    certutil -urlcache * delete
    certutil -setreg chain\ChainCacheResyncFiletime @now

How to verify that certificate revocation for IKEv2 machine certificate-based VPN connections is working


Before you use this procedure, make sure that you enable the CAPI2 operational event log.

  1. Follow the previous steps to revoke a VPN client certificate.

  2. Try to connect to the VPN by using a client that has the revoked certificate. The RRAS server should refuse the connection and display a message such as "IKE authentication credentials are unacceptable."

  3. On the RRAS server, open Event Viewer, and navigate to Applications and Services Logs/Microsoft/Windows/CAPI2.

  4. Search for an event that has the following information:

    • Log Name: Microsoft-Windows-CAPI2/Operational
    • Event ID: 41
    • The event contains the following text: subject="Client FQDN" (Client FQDN represents the fully qualified domain name of the client that has the revoked certificate.)

    The <Result> field of the event data should include The certificate is revoked. For example, see the following excerpts from an event:

    Log Name:      Microsoft-Windows-CAPI2/Operational
    Source:        Microsoft-Windows-CAPI2
    Date:          5/20/2019 1:33:24 PM
    Event ID:      41
    Event Xml:
    <Event xmlns="">
       <Certificate fileRef="C97AE73E9823E8179903E81107E089497C77A720.cer" subjectName="" />
       <IssuerCertificate fileRef="34B1AE2BD868FE4F8BFDCA96E47C87C12BC01E3A.cer" subjectName="Contoso Root Certification Authority" />
       <Result value="80092010">The certificate is revoked.</Result>
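Rather than searching Event Viewer by hand, the check above can be run from PowerShell on the RRAS server. The following is an added example, not from the original page: it enables the CAPI2 operational log if needed, flushes the cached CRLs with the same certutil commands as the revocation procedure, and then filters CAPI2 event 41 for a Result value of 80092010 ("The certificate is revoked.") whose Certificate subjectName matches the client. The client FQDN is an assumption; replace it with the subject of the revoked certificate.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session on the RRAS server.
$ClientFqdn  = "client01.contoso.example"              # assumption: FQDN in the revoked client certificate's subject
$LogName     = "Microsoft-Windows-CAPI2/Operational"
$CertRevoked = "80092010"                               # the <Result value="..."> shown in the event excerpt above

# The CAPI2 operational log is disabled by default; enable it so revocation checks are recorded.
$log = Get-WinEvent -ListLog $LogName
if (-not $log.IsEnabled) {
    $log.IsEnabled = $true
    $log.SaveChanges()
    Write-Host "Enabled $LogName. Reproduce the failed connection, then run this script again."
}

# Discard cached CRLs so the server fetches the newly published one (same commands as the revocation procedure).
certutil -urlcache * delete | Out-Null
certutil -setreg chain\ChainCacheResyncFiletime @now | Out-Null

# Return revocation-check events (ID 41) whose payload says the named client's certificate is revoked.
function Get-RevokedClientEvents {
    param([string]$Subject, [int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Id        = 41
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        [xml]$xml = $e.ToXml()
        # local-name() ignores the event schema namespace when selecting the payload nodes
        $result   = $xml.SelectSingleNode("//*[local-name()='Result']")
        $certNode = $xml.SelectSingleNode("//*[local-name()='Certificate']")
        if (-not $result -or -not $certNode) { continue }
        if ($result.GetAttribute("value") -eq $CertRevoked -and
            $certNode.GetAttribute("subjectName") -like "*$Subject*") {
            [pscustomobject]@{
                Time       = $e.TimeCreated
                Subject    = $certNode.GetAttribute("subjectName")
                CertFile   = $certNode.GetAttribute("fileRef")
                ResultCode = $result.GetAttribute("value")
                Message    = $result.InnerText
            }
        }
    }
}

$hits = Get-RevokedClientEvents -Subject $ClientFqdn
if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    Write-Warning "No 'certificate is revoked' event for $ClientFqdn in the last 24 hours. Confirm that the client attempted to connect after the new CRL was published and the cache was flushed."
}
```

The CAPI2 operational log is verbose once enabled; if you leave it on for ongoing monitoring, raise its maximum size or forward it to a collector so that revocation results are not overwritten before you look at them.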

Trusted Platform Module (TPM) Key Attestation

A user certificate that has a TPM-attested key provides higher security assurance, backed by the non-exportability, anti-hammering, and key isolation that the TPM provides.

For more information about TPM key attestation in Windows 10, see TPM Key Attestation.

Next step

Start planning the Always On VPN deployment: Before you install the Remote Access server role on the computer that you plan to use as a VPN server, do the following tasks. After appropriate planning, you can deploy Always On VPN, and optionally configure conditional access for VPN connectivity using Azure AD.

  • NPS Proxy Server Load Balancing: Remote Authentication Dial-In User Service (RADIUS) clients, which are network access servers such as virtual private network (VPN) servers and wireless access points, create connection requests and send them to RADIUS servers such as NPS. In some cases, an NPS server might receive too many connection requests at one time, resulting in degraded performance or an overload.

  • Overview of Traffic Manager: This topic provides an overview of Azure Traffic Manager, which allows you to control the distribution of user traffic for service endpoints. Traffic Manager uses the Domain Name System (DNS) to direct client requests to the most appropriate endpoint based on a traffic-routing method and the health of the endpoints.

  • Windows Hello for Business: This topic provides an overview of the prerequisites, such as cloud only deployments and hybrid deployments. This topic also lists frequently asked questions about Windows Hello for Business.

  • Technical case study: Enabling Remote Access with Windows Hello for Business in Windows 10: In this technical case study, learn how Microsoft implements remote access with Windows Hello for Business. Windows Hello for Business is a private/public key or certificate-based authentication approach for organizations and consumers that goes beyond passwords. This form of authentication relies on key pair credentials that can replace passwords and are resistant to breaches, thefts, and phishing.

  • Integrate RADIUS authentication with Azure AD Multi-Factor Authentication: This topic walks you through adding and configuring a RADIUS client authentication with Azure AD Multi-Factor Authentication Server. RADIUS is a standard protocol to accept authentication requests and to process those requests. The Azure AD Multi-Factor Authentication Server can act as a RADIUS server.

  • VPN security features: This topic provides an overview of VPN security guidelines for LockDown VPN, Windows Information Protection (WIP) integration with VPN, and traffic filters.

  • VPN auto-triggered profile options: This topic provides an overview of VPN auto-triggered profile options, such as app trigger, name-based trigger, and Always On.

  • VPN and conditional access: This topic provides an overview of cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.

  • TPM Key Attestation: This topic provides an overview of Trusted Platform Module (TPM) and steps to deploy TPM key attestation. You can also find troubleshooting information and steps to resolve issues.