In this last part of the tutorial, you'll learn how to use a ProfileXML PowerShell configuration script to configure Always On VPN settings and create a user tunnel for client connections.
For more detailed information on Always on VPN configuration options for the configuration service provider (CSP), see VPNv2 configuration service provider.
In this section, we'll create a VPN client connection in order to verify that the VPN test client can establish a successful VPN connection. This will also allow us to create the EAP settings for export in the next section.
On the Start menu, type VPN to select VPN Settings. Press ENTER.
In the details pane, select Add a VPN connection.
For VPN Provider, select Windows (built-in).
For Connection Name, enter Contoso VPN.
For Server name or address, enter the external FQDN of your VPN server (for example, vpn.contoso.com).
For VPN type, select IKEv2.
For Type of sign-in info, select Certificate.
Select Save.
Under Related Settings, select Change adapter options.
Right-click Contoso VPN, and select Properties.
On the Security tab, for Data encryption, select Maximum strength encryption.
Select Use Extensible Authentication Protocol (EAP). Then, for Use Extensible Authentication Protocol (EAP), select Microsoft: Protected EAP (PEAP) (encryption enabled).
Select Properties to open Protected EAP Properties, and complete the following steps:
For Connect to these servers, enter the name of the NPS server.
For Trusted Root Certification Authorities, select the CA that issued the NPS server's certificate (for example, contoso-CA).
For Notifications before connecting, select Don't ask user to authorize new servers or trusted CAs.
For Select Authentication Method, select Smart Card or other certificate.
Select Configure.
Select Use a certificate on this computer.
For Connect to these servers, enter the name of the NPS server.
For Trusted Root Certification Authorities, select the CA that issued the NPS server's certificate.
Select Don't prompt user to authorize new servers or trusted certification authorities.
Select OK to close Smart Card or other Certificate Properties.
Select OK to close Protected EAP Properties.
Select OK to close Contoso VPN Properties.
Close the Network Connections window.
In Settings, select Contoso VPN, and then select Connect.
Important
Make sure that the template VPN connection to your VPN server is successful. Doing so ensures that the EAP settings are correct before you use them in the next step. You must connect at least once before continuing; otherwise, the profile will not contain all the information necessary to connect to the VPN.
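The note above matters because the export script copies the template's EapConfigXmlStream verbatim into the new profile. The following pre-flight check is an added example, not part of the original tutorial: it assumes the template name Contoso VPN from the steps above, runs in the VPN user's session, and relies on the element names of the Windows EAP configuration XML (Type, ServerValidation, DisableUserPromptForServerValidation, ServerNames, TrustedRootCA). It refuses to proceed if the EAP settings are missing or if server validation was left unpinned, which would make the client accept any RADIUS server certificate without asking.

```powershell
# Added pre-flight check; not part of the original tutorial. Assumes the template
# connection name used in the steps above and runs in the VPN user's session.
$TemplateName = 'Contoso VPN'

# Get-VpnConnection writes an error and stops if the template does not exist.
$conn = Get-VpnConnection -Name $TemplateName -ErrorAction Stop

# EapConfigXmlStream is the XmlDocument the export script copies into ProfileXML.
# It is only fully populated after the template has connected at least once.
$eapXml = $conn.EapConfigXmlStream
if (-not $eapXml -or [string]::IsNullOrWhiteSpace($eapXml.InnerXml)) {
    throw "Template '$TemplateName' has no EAP configuration. Connect it once from Settings, then retry."
}

# Read the EAP method types with local-name() so the vendor XML namespaces do not matter.
# EAP method numbers: 25 = PEAP (outer method), 13 = certificate / EAP-TLS (inner method).
$types = @($eapXml.SelectNodes("//*[local-name()='Type']") | ForEach-Object { $_.InnerText.Trim() })
if ($types -notcontains '25' -or $types -notcontains '13') {
    throw "Expected PEAP (25) wrapping a certificate method (13); found types: $($types -join ', ')"
}

# Every ServerValidation block that suppresses the user prompt must also pin the NPS
# server name and the trusted root CA chosen in the UI; otherwise the exported profile
# would silently trust any server presenting a certificate from any trusted root.
foreach ($v in $eapXml.SelectNodes("//*[local-name()='ServerValidation']")) {
    $prompt  = $v.SelectSingleNode("*[local-name()='DisableUserPromptForServerValidation']").InnerText
    $servers = $v.SelectSingleNode("*[local-name()='ServerNames']").InnerText
    $rootCa  = $v.SelectSingleNode("*[local-name()='TrustedRootCA']").InnerText
    if ($prompt -eq 'true' -and
        ([string]::IsNullOrWhiteSpace($servers) -or [string]::IsNullOrWhiteSpace($rootCa))) {
        throw "A ServerValidation block disables the user prompt but does not pin both ServerNames and TrustedRootCA."
    }
}

Write-Host "Template '$TemplateName' is ready (status: $($conn.ConnectionStatus)); EAP settings present and server validation pinned."
```

Run it after step 30 has reported a successful connection; if it throws, fix the template in the Protected EAP Properties dialog before moving on to the export script.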
Configure your Windows VPN client
In this section, you'll manually configure the Windows VPN client using a PowerShell script.
Sign in as your VPN User to the VPN client computer.
Open Windows PowerShell integrated scripting environment (ISE) as Administrator.
Copy and paste the following script:
```powershell
# Define key VPN profile parameters
# Replace with your own values
$Domain         = 'corp'                  # Name of the domain.
$TemplateName   = 'Contoso VPN'           # Name of the test VPN connection you created in the tutorial.
$ProfileName    = 'Contoso AlwaysOn VPN'  # Name of the profile we are going to create.
$Servers        = 'aov-vpn.contoso.com'   # Public or routable IP address or DNS name for the VPN gateway.
$DnsSuffix      = 'corp.contoso.com'      # Specifies one or more comma-separated DNS suffixes.
$DomainName     = '.corp.contoso.com'     # Used to indicate the namespace to which the policy applies. Contains `.` prefix.
$DNSServers     = '10.10.0.6'             # List of comma-separated DNS server IP addresses to use for the namespace.
$TrustedNetwork = 'corp.contoso.com'      # Comma-separated string to identify the trusted network.

# Get the EAP settings for the current profile called $TemplateName
$Connection = Get-VpnConnection -Name $TemplateName
if (!$Connection)
{
    $Message = "Unable to get $TemplateName connection profile: $_"
    Write-Host "$Message"
    exit
}
$EAPSettings = $Connection.EapConfigXmlStream.InnerXml

# The CSP keys the profile by its URL-escaped name, so spaces become %20.
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'

# Define ProfileXML
$ProfileXML = @"
<VPNProfile>
  <DnsSuffix>$DnsSuffix</DnsSuffix>
  <NativeProfile>
    <Servers>$Servers</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>
          $EAPSettings
        </Configuration>
      </Eap>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <TrustedNetworkDetection>$TrustedNetwork</TrustedNetworkDetection>
  <DomainNameInformation>
    <DomainName>$DomainName</DomainName>
    <DnsServers>$DNSServers</DnsServers>
  </DomainNameInformation>
</VPNProfile>
"@

# Output the XML for possible use in Intune
$ProfileXML | Out-File -FilePath ($env:USERPROFILE + '\desktop\VPN_Profile.xml')

# Escape special characters in the profile (<,>,") so the whole XML document can be
# carried as a string value inside the CSP's ProfileXML node
$ProfileXML = $ProfileXML -replace '<', '&lt;'
$ProfileXML = $ProfileXML -replace '>', '&gt;'
$ProfileXML = $ProfileXML -replace '"', '&quot;'

# Define WMI-to-CSP Bridge properties
$nodeCSPURI    = "./Vendor/MSFT/VPNv2"
$namespaceName = "root\cimv2\mdm\dmmap"
$className     = "MDM_VPNv2_01"

try
{
    # Determine user SID for VPN profile. A user tunnel is written into the signed-in
    # user's context, so the CSP call below has to be addressed to that user's SID.
    $WmiLoggedOnUsers = (Get-WmiObject Win32_LoggedOnUser).Antecedent
    If ($WmiLoggedOnUsers.Count -gt 1) {
        $WmiLoggedOnUsers = $WmiLoggedOnUsers -match "Domain=""$Domain"""
    }
    $WmiUserValid = ($WmiLoggedOnUsers | Select-Object -Unique -First 1) -match 'Domain="([^"]+)",Name="([^"]+)"'
    If (-not $WmiUserValid) {
        Throw "Returned object is not a valid WMI string"
    }
    $UserName = "$($Matches[1])\$($Matches[2])"
    $ObjUser  = New-Object System.Security.Principal.NTAccount($UserName)
    $Sid      = $ObjUser.Translate([System.Security.Principal.SecurityIdentifier])
    $SidValue = $Sid.Value
    $Message  = "User SID is $SidValue."
    Write-Host "$Message"
}
catch [Exception]
{
    $Message = "Unable to get user SID. $_"
    Write-Host "$Message"
    exit
}

try
{
    # Define WMI session. The custom options tell the bridge to operate in the
    # per-user (not device) context of the SID resolved above.
    $session = New-CimSession
    $options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
    $options.SetCustomOption("PolicyPlatformContext_PrincipalContext_Type", "PolicyPlatform_UserContext", $false)
    $options.SetCustomOption("PolicyPlatformContext_PrincipalContext_Id", "$SidValue", $false)
}
catch {
    $Message = "Unable to create new session for $ProfileName profile: $_"
    Write-Host $Message
    exit
}

try
{
    # Detect and delete previous VPN profile. Only an instance whose InstanceID equals
    # the escaped profile name is removed; other VPN profiles on the client are left alone.
    $deleteInstances = $session.EnumerateInstances($namespaceName, $className, $options)
    foreach ($deleteInstance in $deleteInstances)
    {
        $InstanceId = $deleteInstance.InstanceID
        if ("$InstanceId" -eq "$ProfileNameEscaped")
        {
            $session.DeleteInstance($namespaceName, $deleteInstance, $options)
            $Message = "Removed $ProfileName profile $InstanceId"
            Write-Host "$Message"
        }
        else
        {
            $Message = "Ignoring existing VPN profile $InstanceId"
            Write-Host "$Message"
        }
    }
}
catch [Exception]
{
    $Message = "Unable to remove existing outdated instance(s) of $ProfileName profile: $_"
    Write-Host $Message
    exit
}

try
{
    # Create the VPN profile. ParentID and InstanceID are the CSP node path and key;
    # ProfileXML carries the escaped profile document.
    $newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
    $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", "String", "Key")
    $newInstance.CimInstanceProperties.Add($property)
    $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", "String", "Key")
    $newInstance.CimInstanceProperties.Add($property)
    $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", "String", "Property")
    $newInstance.CimInstanceProperties.Add($property)
    $session.CreateInstance($namespaceName, $newInstance, $options)
    $Message = "Created $ProfileName profile."
    Write-Host "$Message"
}
catch [Exception]
{
    $Message = "Unable to create $ProfileName profile: $_"
    Write-Host "$Message"
    exit
}

$Message = "Script Complete"
Write-Host "$Message"
```
Set the value for the following variables at the top of the script: $Domain, $TemplateName, $ProfileName, $Servers, $DnsSuffix, $DomainName, and $DNSServers. For more detailed information about how to set these variables, see: VPNv2 CSP.
Press ENTER to run the script.
Verify that the script was successful by running the following command in the Windows PowerShell ISE:
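The following verification script is an added example, not the page's own command. It assumes the profile name Contoso AlwaysOn VPN from the script above and that it is run in the same elevated session of the VPN user. Rather than only listing the CSP instance, it decodes the stored ProfileXML and checks that the settings the script intended (AlwaysOn, IKEv2, EAP user authentication, split tunnelling, trusted network detection) actually landed, and cross-checks them against the phonebook entry the CSP generated.

```powershell
# Added verification check; not the page's own command. Assumes the profile name used
# in the script above and an elevated session of the same user.
$ProfileName        = 'Contoso AlwaysOn VPN'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'

# 1. The WMI-to-CSP bridge should expose an MDM_VPNv2_01 instance keyed by the escaped name.
$cspInstances = @(Get-WmiObject -Namespace 'root\cimv2\mdm\dmmap' -Class 'MDM_VPNv2_01')
$cspProfile   = $cspInstances | Where-Object { $_.InstanceID -eq $ProfileNameEscaped }
if (-not $cspProfile) {
    throw "No VPNv2 CSP instance '$ProfileNameEscaped' found; the CreateInstance call did not succeed."
}

# 2. The ProfileXML stored in the CSP is entity-escaped (&lt; &gt; &quot;); undo that and
#    parse it so each intended setting can be checked against the node, not just assumed.
$xml    = [xml]([System.Net.WebUtility]::HtmlDecode($cspProfile.ProfileXML))
$native = $xml.VPNProfile.NativeProfile
$checks = [ordered]@{
    'AlwaysOn'                 = ($xml.VPNProfile.AlwaysOn -eq 'true')
    'NativeProtocolType IKEv2' = ($native.NativeProtocolType -eq 'IKEv2')
    'UserMethod Eap'           = ($native.Authentication.UserMethod -eq 'Eap')
    'RoutingPolicyType Split'  = ($native.RoutingPolicyType -eq 'SplitTunnel')
    'TrustedNetworkDetection'  = (-not [string]::IsNullOrWhiteSpace($xml.VPNProfile.TrustedNetworkDetection))
    'EAP configuration copied' = (-not [string]::IsNullOrWhiteSpace($native.Authentication.Eap.Configuration.InnerXml))
}

# 3. Independently, the RAS phonebook entry generated from the profile should be visible
#    to the user and agree with the XML.
$vpn = Get-VpnConnection -Name $ProfileName -ErrorAction Stop
$checks['Phonebook TunnelType Ikev2']  = ($vpn.TunnelType -eq 'Ikev2')
$checks['Phonebook SplitTunneling']    = [bool]$vpn.SplitTunneling
$checks['Phonebook RememberCredential'] = [bool]$vpn.RememberCredential

$failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })
if ($failed.Count -gt 0) {
    throw "Profile '$ProfileName' verification failed: $($failed -join '; ')"
}
Write-Host "Profile '$ProfileName' verified; connection status: $($vpn.ConnectionStatus)"
```

A failure in step 1 points at the CSP call (wrong user context or a WMI error the script printed); a failure in step 2 or 3 means the instance exists but its content differs from what the script built, which is typically a variable left at its placeholder value.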