Windows ‘Always On’ VPN Part 2 (NPS, RAS, and Clients)

KB ID 0001403


Back in Part One, we set up the AD (groups) and the certificate services that knit everything together. Now we need to configure an NPS server that acts as a RADIUS server for our remote clients, and a RAS server that our remote clients will connect to.

Step 1: Network Setup

Microsoft have an alarming habit of telling you to connect DMZ assets to the LAN. In their defence I’ve seen some documentation where there is a firewall in front of and behind their RAS/VPN server, but then you keep reading and they refer to the NIC on the LAN and the NIC in the DMZ. As you can tell I’m not a fan; I prefer to have an un-authenticated and an authenticated DMZ, with neither of them connected to the LAN, so that I can control what can and cannot flow between the DMZs and the LAN.


My way means I have to allow more ports for domain membership etc., but if you have a Cisco ASA I’ve covered that in the following article:

Cisco ASA – Allowing Domain Trusts, and Authentication

As for the VPN and RADIUS traffic, you need to allow the following:

From Outside to the RAS Server

  • UDP 500 (ISAKMP)
  • UDP 4500 (NAT Traversal)

From the RAS Server to the NPS/NAP Server

  • UDP 1812 (RADIUS Authentication)
  • UDP 1813 (RADIUS Accounting)
  • UDP 1645 (RADIUS Authentication)
  • UDP 1646 (RADIUS Accounting)

Quite why it needs both pairs of RADIUS ports I’m unsure; I’ve not scanned or packet captured the traffic, but I’m willing to bet it really only needs 1812/1813 or 1645/1646.

Step 2: Install NPS

Server Manager > Manage > Add Roles and Features > Network Policy and Access Services > Complete the wizard accepting the defaults.

Install NPS Server 2016

Administrative tools > Network Policy Server > Right click NPS (Local) > Register in Active Directory > OK.

NPS Server Register in AD

Even though it’s not set up yet, we need to create our RAS server as a RADIUS client: RADIUS Clients > New.

Friendly Name: A sensible name that identifies the RAS server

IP: IP of the RAS server (on the LAN segment)

Shared Secret: Generate a new one and copy it to the clipboard (you will need it in a minute).

NPS Create RADIUS Client

On the main page, ensure ‘RADIUS server for Dial-Up or VPN Connections’ is selected > Configure VPN or Dial-Up.


Select ‘Virtual Private Network (NPS) Connections’ > Next > Ensure the RADIUS client you have just created is listed > Next > Ensure ONLY ‘Extensible Authentication Protocol’ is ticked > Change its value to Microsoft Protected EAP (PEAP) > Configure.

NPS VPN Dial Up Policy

EAP Types: Remove the one that is listed by default > Add in ‘Smart card or other certificate’ > OK > Under Groups, make sure you have ONLY added the group you created back in Part One > Next > Next.

NPS VPN Dial Up Certificate

Next > Next > Finish.

NAP Connection Policy

Your connection request policies should look like this.

NAP Connection Request Policy

Your network policies should look like this.

NAP Network Policy

Step 3: Setup RAS

Server Manager > Manage > Add Roles and Features > Next > Next > Next > Remote Access > Next.

Add Remote Access Role

Select DirectAccess and RAS > Finish the wizard accepting the defaults.

DirectAccess and VPN RAS

Open the Getting Started Wizard > Select VPN Only.

DirectAccess Setup

Administrative Tools > Routing and Remote Access > Right click {server-name} > Configure and enable Routing and Remote Access > Next > Custom configuration.

Configure RAS

VPN Access > Next > Finish > Start service.

Configure Windows RAS

Once again right click {server-name} > Properties > IPv4. Note: if you are not going to use your internal DHCP server/scope, you can set one up manually (as shown). Ensure ‘Enable broadcast name resolution’ is selected and the RAS server’s internal/LAN interface is selected > Apply.

RAS DHCP Settings

Security Tab: Authentication provider = RADIUS Authentication > Configure > Add > Enter the IP of the NPS server > Change > Paste in the shared secret you copied (above) > OK > OK.

Repeat the same procedure for the Accounting provider (below).


Drill down to ‘Ports’ > Right click > Properties > Select SSTP > Configure > Remove the tick from ‘Remote access connections (inbound only)’ > OK. Repeat this procedure for ALL the protocols EXCEPT IKEv2 (so when finished, only IKEv2 is set to accept incoming requests).

RAS Port Settings
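The NPS and RAS RADIUS pairing from Steps 2 and 3, done in PowerShell instead of the GUI, as an added example that is not part of the original article. All names and addresses are constructed placeholders; Part A runs (elevated) on the NPS server and Part B on the RAS server, with $Secret carried across out-of-band exactly as the article does with the clipboard.

```powershell
# Added example, not from the original article: RADIUS client/server pairing
# between NPS and RAS. Names and addresses below are constructed placeholders.

$RasName = 'RAS-01'
$RasIP   = '192.168.10.20'   # RAS server's inside (LAN-facing) address, assumed
$NpsIP   = '192.168.10.10'   # NPS server address, assumed

# Part A (on NPS): generate the shared secret from the CSPRNG instead of typing one.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$Secret = [Convert]::ToBase64String($bytes)

# Part A: accept RADIUS only from the RAS server. 1812/1813 are the RFC 2865/2866
# ports; 1645/1646 are the legacy pair the article also lists.
New-NetFirewallRule -DisplayName "RADIUS from $RasName" -Direction Inbound -Action Allow `
    -Protocol UDP -LocalPort 1812,1813,1645,1646 -RemoteAddress $RasIP | Out-Null

# Part A: register the RAS server as a RADIUS client (the "RADIUS Clients > New" step).
New-NpsRadiusClient -Name $RasName -Address $RasIP -SharedSecret $Secret | Out-Null

# Part B (on RAS): point authentication and accounting at NPS with the same secret,
# which is the Security tab's Authentication/Accounting provider = RADIUS step.
Add-RemoteAccessRadius -ServerName $NpsIP -SharedSecret $Secret -Purpose Authentication -Port 1812
Add-RemoteAccessRadius -ServerName $NpsIP -SharedSecret $Secret -Purpose Accounting     -Port 1813

# Part B: accept only EAP for user authentication on the RAS side. NPS still makes the
# final decision, but this stops a client negotiating a weaker method with RAS itself.
Set-VpnAuthProtocol -UserAuthProtocolAccepted 'EAP'
```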

Step 4: Configure Reference Windows 10 Machine

On a Windows 10 machine*, launch ‘Change virtual private networks’.

*Note: Your logged-on user must have a certificate issued to them, and must be a member of the AD group we created earlier.

Windows 10 VPN

Add a VPN connection.

Windows 10 Add a VPN

  • VPN Provider: Windows (Built-in).
  • Connection Name: Connection-Template.
  • Server Name or address: (the ‘public’ name we put on the certificate on the RAS server).

Windows Add a VPN Connection

Change Adapter options.

Change Adaptor Settings

Right click the VPN connection > Properties.

Change NIC Settings

Security Tab:

  • Type of VPN: IKEv2
  • Data Encryption: Maximum
  • Use Extensible Authentication Protocol (EAP)
  • Properties > Enter the name on the certificate on your NAP Server (I know that does not make sense, trust me!)
  • Tick your Root CA Cert for the domain.
  • Select ‘Don’t prompt user to authorise new servers or new authorities’.

NIC VPN Settings

Connect your VPN to test it.

Connect VPN

Make sure everything works.

VPN Connected

Note: I had some DNS resolution problems; see the post below to find out how I fixed them:

Windows 10: Remote VPN Client Cannot Resolve Domain DNS

Now you need to ‘capture’ all those settings so you can give them to your other clients. To do that you need a copy of the PowerShell script MakeProfile.ps1. You will need to edit the script a little; see the example below. Running the script will output two files to the desktop: a PowerShell script and an XML file.

VPN Profile

Step 5: Deploying the Settings

At the time of writing you can deploy these settings via three methods: a PowerShell script, SCCM, or Microsoft Intune. I’m simply going to run the PowerShell script. There are a few restrictions though: you have to be logged on as the particular user, and they need administrative rights to run the script, which is a bit of a pain. You can use Restricted Groups and set the PowerShell script to run at logon with Group Policy, then remove the policy once configured, but it’s still a bit of a drama. Below I’m simply running the VPN_Profile.ps1 file I generated above.

Deploy Always On VPN Profile
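What the generated VPN_Profile.ps1 does under the hood, written here as an added example that is not taken from the article or from Microsoft’s MakeProfile.ps1: it assembles an IKEv2 + EAP Always On user-tunnel ProfileXML with the Step 4 choices and creates the profile for the logged-on user through the VPNv2 CSP, skipping creation if the profile already exists. The profile name, server name, domain suffix and the eap.xml path are constructed placeholders; eap.xml is assumed to hold the EapHostConfig exported from the reference connection.

```powershell
# Added example, not the article's MakeProfile.ps1 or the VPN_Profile.ps1 it generates.
# Builds an Always On (IKEv2, EAP) user-tunnel profile and creates it via the VPNv2 CSP.
# Profile name, server, suffix and EAP XML path are constructed placeholders.
$ProfileName = 'Corp AlwaysOn VPN'
$VpnServer   = 'vpn.corp.example.com'               # public name on the RAS certificate (assumed)
$EapXml      = Get-Content 'C:\Temp\eap.xml' -Raw   # EapHostConfig from the reference connection (assumed path)

$ProfileXML = @"
<VPNProfile>
  <DnsSuffix>corp.example.com</DnsSuffix>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication><UserMethod>Eap</UserMethod><Eap><Configuration>$EapXml</Configuration></Eap></Authentication>
    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <TrustedNetworkDetection>corp.example.com</TrustedNetworkDetection>
</VPNProfile>
"@

# The CSP stores ProfileXML as an escaped string, and profile names are URL-encoded.
$Escaped    = $ProfileXML -replace '<','&lt;' -replace '>','&gt;' -replace '"','&quot;'
$InstanceID = $ProfileName -replace ' ','%20'

# Scope the CIM call to the interactive user's SID: user tunnels are per-user, which is
# why the article has you run the script while logged on as that user.
$sid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$opts = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
$opts.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
$opts.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id', $sid, $false)

$ns = 'root\cimv2\mdm\dmmap'; $cls = 'MDM_VPNv2_01'
$session = New-CimSession

# Idempotent: only create the profile if one with this name is not already present.
$present = $session.EnumerateInstances($ns, $cls, $opts) | Where-Object { $_.InstanceID -eq $InstanceID }
if (-not $present) {
    $inst = New-Object Microsoft.Management.Infrastructure.CimInstance $cls, $ns
    foreach ($p in @(@{ n='ParentID';   v='./Vendor/MSFT/VPNv2'; t='Key' },
                     @{ n='InstanceID'; v=$InstanceID;            t='Key' },
                     @{ n='ProfileXML'; v=$Escaped;               t='Property' })) {
        $inst.CimInstanceProperties.Add(
            [Microsoft.Management.Infrastructure.CimProperty]::Create($p.n, $p.v, 'String', $p.t))
    }
    $session.CreateInstance($ns, $inst, $opts) | Out-Null
    Write-Output "Created Always On profile '$ProfileName' for SID $sid"
}
```

Run it elevated in the target user’s session; on a second run it finds the existing instance and does nothing, so it is safe to schedule at logon.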

Now once the user logs in (and has a valid remote internet connection), the remote client will auto-connect.

Always On VPN Connected

That covers USER tunnels; you can also (on post-1709 Windows 10 builds) have DEVICE tunnels, which I would write a part three about, but I simply cannot get them to work, so I’m waiting for the bugs to be ironed out and I will revisit it at some point in the future.

Author: PeteLong

  1. Thanks for your clear and detailed walk-through.
    Some questions on the network setup diagram. On the left side, the DMZ is on the same subnet as the internal LAN. Is that intentional or just a copy and paste type of error?

    The second similar question is about the diagram on the right side – the Authenticated DMZ is also on the same subnet as the internal LAN – is that intentional?

    Also on that diagram, is that meant to be a single firewall device, and the Authenticated and Unauthenticated DMZ interfaces on the RAS server are both connected to that same device?

    • Hi Ralph, thanks for spotting the typo! LAN is (Image updated). Both deployments use a single firewall. On the left the RAS server is connected to both LAN and DMZ. The second deployment (on the right) is MY PREFERRED method: to have an un-authenticated and an authenticated DMZ with the RAS server connected to both.

  2. Pete,
    How could you use the setup without using a DMZ? Would you need the NPS server’s registered IP on the internet as well to do that? Looking to set it up and test it also…. Is the client supposed to ask for your creds? When I tried to set it up the first time, I don’t remember it doing that.

    • You would need a public facing NIC on the RAS server, I would not recommend this.

  3. Hi, any update on when part 3 will be written, as I need the device tunnel working. We also seem to be failing at the authentication attempt due to the following reason: ‘The connection was prevented because of a policy configured on your RAS/VPN server’ error?
    Our setup is roughly the same as this setup: 2 x VPN servers in a cluster in the DMZ behind an external DNS name, NPS on the LAN.

    • Hi Steve, I had such a bad experience with it I’ve never revisited it 🙁 I’ll stick with Cisco AnyConnect. Sorry buddy.

  4. Hi, first of all I want to say that this guide has helped me a lot! But I had one question: am I obligated to use (P)EAP, or can I use something like MSCHAP?

    • I don’t see why not, I only ever use PEAP/EAP or EAP/TLS.

  5. Hi, has anyone experienced an issue with Windows 10 refusing to save the PEAP settings? Particularly specifying the servers to connect to and the certificate to use?

    This is on Windows 10 Enterprise 1803.

    • Hi James,

      I included the information in the template that I used to generate the PowerShell script that creates the profile; in my environments I have not faced this issue.
      However, the way I deploy the profile to my users may work as a workaround for you.
      I create a scheduled task on the clients with a GPO; the task runs with highest privileges and as SYSTEM. The task triggers the profile-creation script, with a few changes.
      I start by checking if the profile is already present; if it is, then it skips to the end.
      If not, then it creates the profile.
      The script could be edited to remove the existing profile first and then re-add it.

  6. You say:
    “UDP 1813 (RADIUS Accounting)”

    But later:
    “it really only needs 1812/1823”

    Now what? 1813 or 1823?

    • 1812 if you’re only doing authentication, and 1813 if you’re doing accounting as well.

  7. I got the device tunnel to work. The problem I have now is that my logon script tries to run before the user is completely logged in. I don’t want to set a delay on the logon script (because it will affect other users). Is there a way that the logon script is called when the connection gets built up?

    • Use an AnyConnect Login script?

  8. Hi Pete,

    Excellent article!
    Helped me get through this and understand what I didn’t from MS articles.

    You ask about DEVICE AUTH.

    As I found out, simply:
    – auto enroll Computer certificates
    – RAS > Properties > Security > Auth Methods > Allow Machine Certificate…for IKEv2
    – On Windows 10 client – under Security > Auth > Instead of EAP – simply choose “use machine certificates”

  9. Hi Pete,

    Brilliant tutorial! You should be writing documentation for Microsoft as this is much more helpful than theirs 🙂

    Thank you – appreciate all the effort!
