
Auto-Triggered or "invisible" VPN

From time to time I need to connect to my home network over VPN, most often for demonstrations during talks or training sessions, and less often to fetch some files or to "see" what is there from my daughter's tablet. I connect either from my work computer or from my tablet. Both run Windows 8.1, and this version has a very interesting feature: automatically triggered (Auto-Triggered) VPN.

I'll show all the settings using a Surface tablet with Windows 8.1 RT as the example, although they look exactly the same in the other editions of 8.1. A few words about the home network configuration: the Internet channel is from Rostelecom with an external fixed IP address, and Windows Server with the Remote Access role acts as the VPN server.

In the home network an AD domain called "mva.com" is set up. I use it, for example, to demonstrate a tunnel to Windows Azure (doing this in the corporate network is problematic because of policies and so on) and for other inhuman experiments. The domain "mva.com" is not registered by me and resolves only inside the home network. I leave the VPN server setup behind the scenes; there is nothing unusual about it and, strictly speaking, Windows Server is not required in this role.
On to the client setup. The first step is to create a VPN connection. Starting with 8.1, this can be done in the new Windows interface, which is especially important for tablets. By the way, the old method in the traditional interface has not gone anywhere. Go to Change PC Settings -> Network -> Connections and click "Add a VPN connection".

image

Choose a VPN provider. In my case this is Microsoft, but the list also includes built-in clients from Check Point, F5, Juniper and SonicWALL. Fill in the required fields.

image

The created “Home” connection is ready to use.

image

The only additional thing I will do, via PowerShell, is enable split tunneling for this connection.

Set-VpnConnection -Name "Home" -SplitTunneling $true 


Nothing unusual so far. We check the connection and make sure that the home network's resources are reachable; in particular, the domain controller responds to ping. In all the examples below, a smartphone used as a 3G modem provided the Internet connection.

image

But if you try to reach the controller by name, you will get an error, because the ISP's DNS server is used for name resolution, and it, of course, knows nothing about my home domain.

image

What I would like is the following: first, that when resources of the "mva.com" domain are accessed by name, the "Home" VPN connection is raised automatically; second, that the home network's DNS server is used to resolve "mva.com" names.

Both are achieved with a single cmdlet:

 Add-VpnConnectionTriggerDnsConfiguration -Name "Home" -DnsSuffix "mva.com" -DnsIPAddress 10.40.1.200 


This cmdlet sets up a trigger, that is, automatic activation of the VPN connection named "Home" whenever names with the suffix "mva.com" are accessed. Name resolution for "mva.com" will be done by the machine with the address 10.40.1.200, which is the domain controller of my home network.

image

If you look at the VPN connection after running the cmdlet, you can see a new checkbox indicating that a trigger exists for this connection.

image

As a test, we try to reach a test website on the home network by name. The site responds; the VPN was raised automatically.

image

What more could one wish for? Automatic VPN connection when a specific application is launched. For my scenario this is not really necessary, but I am sure that in many cases such a capability can be in high demand, especially when it comes to the client part of a business application whose server component sits in the company's internal network.

You can configure the trigger both for traditional desktop applications and for new-interface applications. In the latter case you need to know the PackageFamilyName of the desired application. To find it, run the Get-AppxPackage cmdlet. You will get a list of all WinRT applications (the new-interface applications from the Windows Store) for this user. Find the application you are interested in. As an example, on my tablet I will experiment with Fiction Book Reader Lite. Below is the information for this application:

image

Copy the PackageFamilyName value and create a trigger:

 Add-VpnConnectionTriggerApplication -Name "Home" -ApplicationID 4737VitaliyLeschenkoCo.FictionBookReaderLite_rt4gm7pfmw0sj 


Now we test. Run the application

image

and try to open a folder on the domain controller:

image

That the resources are available can be seen in the application itself. And of course, you can verify that the VPN connection is established.

image

For traditional desktop applications, it is enough to specify the full path to the executable as the ApplicationID:

Add-VpnConnectionTriggerApplication -Name "Home" -ApplicationID "C:\Windows\System32\notepad.exe"


The Get-VpnConnectionTrigger cmdlet displays all the trigger information for a given connection.

image

In particular, in the cmdlet's output for the "Home" connection you can see that triggers are set for the application with the corresponding ID and for the "mva.com" domain.

In conclusion, a few important notes.

Auto-Triggered VPN only works for connections on which split tunneling is enabled.

If, when connected to a network, the computer receives the connection-specific DNS suffix "mva.com" from the DHCP server along with its IP settings, the trigger will not fire, because the OS assumes it is already on the desired local network and there is no need to raise the VPN.

A VPN connection established automatically for a domain name is also disconnected automatically if, during a specified interval (5 minutes by default), no traffic passes through the connection. The interval is configured with the -IdleDisconnectSeconds parameter when creating the connection, or at any time afterwards with the Set-VpnConnection cmdlet. Keep in mind, however, that this interval is ignored while an application for which a trigger is set is running, even if no traffic passes through the VPN.

If you manually disconnect an automatically established connection, the Auto-Triggered flag is cleared on that connection, and automatic connection stops working until you manually re-enable the checkbox mentioned above, "Let apps automatically use this VPN connection", in the VPN profile's properties.

Finally, you can configure triggers for several VPN connections in the system, but automatic connection will only ever work for one of them, by default the first one created. If you later enable Auto-Triggering for some other profile, via the checkbox or the cmdlet, automatic connection stops working for all the other VPN profiles.
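As an added example (my own script, not from the original post), the following puts the configuration steps above together and checks the conditions from these notes: it creates the "Home" profile with split tunneling and an explicit idle timeout, attaches both a DNS-suffix trigger and an application trigger, then warns if split tunneling is off or if a local adapter already carries the "mva.com" suffix. The server address is a placeholder; the suffix, DNS server and Notepad path are the values from the post.

```powershell
# Added example, not from the original post: build the "Home" profile with the
# settings the post relies on, attach both trigger types, then verify the
# conditions listed in the notes. The server address below is a placeholder.
$Name      = "Home"
$Server    = "vpn.example.invalid"            # placeholder for the home fixed external IP
$DnsSuffix = "mva.com"
$DnsServer = "10.40.1.200"                     # home domain controller (from the post)
$AppId     = "C:\Windows\System32\notepad.exe" # desktop app: the full path is the ID

# 1. Profile. Split tunneling is mandatory for auto-triggering; the idle timeout
#    (600 s here instead of the 300 s default) can be set at creation time.
if (-not (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Automatic `
        -SplitTunneling -IdleDisconnectSeconds 600 -RememberCredential -Force
}

# 2. Triggers: by DNS suffix (resolved through the home DNS server) and by application.
Add-VpnConnectionTriggerDnsConfiguration -ConnectionName $Name `
    -DnsSuffix $DnsSuffix -DnsIPAddress $DnsServer -Force
Add-VpnConnectionTriggerApplication -ConnectionName $Name -ApplicationID $AppId -Force

# 3. Preconditions from the notes.
$vpn = Get-VpnConnection -Name $Name
if (-not $vpn.SplitTunneling) {
    Write-Warning "Split tunneling is off for '$Name'; triggers will not fire."
}
# An adapter that already carries the trigger suffix (for example from DHCP) makes
# Windows assume it is on the home network, so the trigger is suppressed there.
$onLan = Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix -eq $DnsSuffix }
foreach ($a in $onLan) {
    Write-Warning "Interface '$($a.InterfaceAlias)' already has suffix '$DnsSuffix'."
}

# 4. What was stored: both triggers and the idle timeout actually in effect.
Get-VpnConnectionTrigger -ConnectionName $Name
"IdleDisconnectSeconds = $($vpn.IdleDisconnectSeconds)"
```

Run it in an elevated PowerShell session on the client; a manual disconnect afterwards still clears the Auto-Triggered flag as described above, so re-check the profile's checkbox after testing.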

It seems to me that the technology is quite useful, especially for machines that are not joined to the domain or cannot be joined to it. Configuration via PowerShell, of course, cannot be called user-friendly, but users can be spared these troubles by preparing and distributing the necessary VPN profiles with System Center 2012 R2 Configuration Manager or Windows Intune.

More details can be found in the detailed post by the Windows Networking Team here.

I hope the material was helpful.

Thanks!

Source: https://habr.com/ru/post/216089/
