Always on VPN Settings missing

  • Question

  • Testing deploying MS Always on VPN Profile to W10 1703 with Force tunneling. Looking at this document for settings

    https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp

    I have two settings that are in this document but missing from 1703

    ByPassForLocal and RegisterDNS

    1. The VPN Entry has the box "Register this Connection's Address" unticked. Although there is a profile setting above, it is not implemented, so I need to get around it. Has anyone resolved it? I can see you can use set-dns PowerShell command but only when the VPN connection is active, so this is hard to manage through an SCCM job. Without this box ticked the home router's IP address is registered on our DNS server rather than the correct VPN IP address.

    2. Found with Forcetunnel that the VPN entry needs to have Proxy setting in order to allow traffic out. Again there is a setting in ProfileXML "ByPassForLocal" but it is not active yet - so although I can enter the Proxy/Manual/Server entry, which is fine, without that bypass box ticked nothing works - again, has anyone hit/resolved this?


    Ian Burnell, London (UK)

    Monday, September 10, 2018 8:28 AM

All replies

  • Bit of progress. Option 2 can enter <autoconfigurl> to a pac file so for me that works ok

    So only option one to tick box to register this connection's address in DNS


    Ian Burnell, London (UK)

    Monday, September 10, 2018 1:15 PM
  • Hi,

    Thanks for your question.

    Maybe you can get useful information from the links below:

    https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections  

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, September 11, 2018 6:58 AM
  • Thanks Travis - I have seen that article (and many others)

    The RegisterDNS entry in the profile only applies to W10 1709 and above, so with my estate of 1703 I have to work out a method to tick that box via PowerShell or something


    Ian Burnell, London (UK)

    Tuesday, September 11, 2018 12:52 PM
  • Hi,

    I am sorry that this issue still hasn't been resolved.
    If there is no progress, I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:
    http://support.microsoft.com/contactus/?ln=en-au
    Have a nice day!

    Travis



    Wednesday, September 12, 2018 6:48 AM
  • Not directly your issue, but keep in mind that just in 1709 MS introduced the Autoconnect feature. Before that it was all about app triggering. I would not waste my time with old build, upgrade Win10 client first. Just my opinion. VPN ALO is quite new technology, it is not yet mature and probably not so widely used... yet.

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Thursday, September 13, 2018 3:03 PM
  • Agreed. I don't think AOVPN is mature at the moment

    Unfortunately don't have MS Support so can't raise a ticket

    It's fine on my test 1803 box. Simply adding <RegisterDNS>true</RegisterDNS> into my profilexml and PS script works perfectly but not on the estate of 1703. Moreover I've found that if I manually go into the Network Adapter settings and tick the box by hand it then loses the alwayson True setting i.e. log back in and the VPN does not attempt to connect. Click and it will connect just fine but that's no good to users

    Very frustrating - any advice would be appreciated.


    Ian Burnell, London (UK)

    Sunday, September 16, 2018 8:05 AM
  • Very frustrating - any advice would be appreciated.


    Ian Burnell, London (UK)

    With all the respect, if 1803 works perfect, why bother with 1703? Just can't understand this :)

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.


    Sunday, September 16, 2018 4:22 PM
  • Simple answer my friend, because more work to upgrade entire W10 estate to 1803 - so I've been working on an SCCM Upgrade Task Sequence to do just this. Yes it works much better with 1803 so that's where I'm headed! - thanks for the replies

    Ian Burnell, London (UK)

    Thursday, September 27, 2018 9:15 AM
  • Hello, just wondering if you got any further with this. I have exactly the same problem, although I am declaring <RegisterDNS>true</RegisterDNS> in my profile XML it is never ticked. I am using 1909 Education.
    Wednesday, August 5, 2020 1:33 PM
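
An added example, not part of the thread or of Microsoft's documentation: a PowerShell check that compares what a ProfileXML declares for RegisterDNS with what the DNS client reports on the connected VPN interface, the mismatch described in the posts above. The profile name, the sample XML and the PAC URL are constructed; the 16299 threshold encodes the thread's statement that RegisterDNS applies to 1709 and above.

```powershell
# Constructed sample ProfileXML fragment (not a complete deployable profile).
$SampleProfileXml = @'
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <RegisterDNS>true</RegisterDNS>
  <Proxy><AutoConfigUrl>http://proxy.example.com/proxy.pac</AutoConfigUrl></Proxy>
</VPNProfile>
'@

function Test-VpnDnsRegistration {
    param(
        [Parameter(Mandatory)][string]$ConnectionName,   # VPN entry name (hypothetical below)
        [Parameter(Mandatory)][string]$ProfileXml,
        [int]$OsBuild = [Environment]::OSVersion.Version.Build
    )
    $doc      = [xml]$ProfileXml
    $declared = ($doc.VPNProfile.RegisterDNS -eq 'true')
    $alwaysOn = ($doc.VPNProfile.AlwaysOn -eq 'true')

    # Per the thread: the RegisterDNS element only takes effect on 1709 (build 16299) and later.
    $buildSupports = $OsBuild -ge 16299

    # The DNS client only lists the VPN interface while the tunnel is up,
    # so the effective value stays $null when the VPN is disconnected.
    $effective = $null
    $vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
    if ($vpn -and $vpn.ConnectionStatus -eq 'Connected') {
        $dns = Get-DnsClient -InterfaceAlias $ConnectionName -ErrorAction SilentlyContinue
        if ($dns) { $effective = [bool]$dns.RegisterThisConnectionsAddress }
    }

    [pscustomobject]@{
        ConnectionName        = $ConnectionName
        OsBuild               = $OsBuild
        BuildHonoursElement   = $buildSupports
        AlwaysOnDeclared      = $alwaysOn
        RegisterDnsDeclared   = $declared
        RegisterDnsEffective  = $effective      # $null = VPN not connected, not checked
        Mismatch              = ($declared -and ($effective -eq $false))
    }
}

# Usage with the constructed values above.
Test-VpnDnsRegistration -ConnectionName 'Example AOVPN' -ProfileXml $SampleProfileXml
```

Run it in the user's session while the VPN is connected; a `Mismatch` of `True` means the profile asks for DNS registration but the interface is not registering its address.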