[00:00:02] So let's get onto the demonstration of optimizing our VPN server configuration. So, we have a number of fine-tuning and optimization tasks to accomplish here, and the tool of choice for this is going to be, you guessed it, PowerShell. I have made your life infinitely easier to do all of these tasks because I have created a PowerShell module called AOVPNTools that I use when I'm working with my customers to deploy Always On VPN. I've automated many of these tasks. Some of them are, you know, configuration settings, some of them are registry keys. Regardless, I have created a number of tools to just kind of help automate this process. Now, the best way to start is to install this PowerShell module, and so you will run the command, Install-Module, and then the module name is AOVPNTools. And at this point, you just hit Enter, and you are off to the races. Now, there are a variety of things that happen here. You'll have to install the NuGet provider. You might have to accept the publisher check and things of that nature, but I have screened all of that for the purposes of being expedient here and getting things done quickly. At the end of the day, I've installed the module here on this server, and we're ready to go.

[00:01:27] So the first thing that we need to do is configure our VPN ports. Now, if we look at this in the UI, let's take a quick look, you'll see the port configuration here. If we highlight Ports and choose Properties, there's a number of different ports. Again, the default is 128. Some of them we don't need, like L2TP and PPTP. Some of them are used by RAS, some are used by RAS and Routing. And again, we could walk through this UI and fine-tune all of this. But again, as I said before, I've made this much easier by just using PowerShell. So the PowerShell command that we want to use here is called Set-VpnServerPortConfiguration. And in this case, I want to define my SstpPorts. And in this case, I'm just going to choose a round number of 500, let's say, and then a value for my IKEv2 ports because I'm also supporting the device tunnel here. Now, it's important to remember, the number of ports you define is the number of available ports for that protocol. So if I'm expecting 500 concurrent users split up between a combination of user and device-based connections, I may not need 500 each. My recommendation here is to over-provision. There's no real penalty for over-provisioning here.

[00:02:47] So if you're expecting 500 concurrent users, assign 500 for both. It really doesn't hurt anything. Always better to over-provision than under because, obviously, you're going to have some issues if you run out of ports. But if I have too many, it doesn't really consume a lot of extra resources. So I'm going to choose 500 here. And in this case, I'm also going to supply the restart switch so that the change takes effect immediately.

[00:03:16] So as I mentioned earlier, the default security settings for IKEv2 IPsec out of the box for Windows Server leave a little bit to be desired. By default, Windows Server supports 3DES for encryption, or TripleDES, SHA-1 for integrity, and Diffie Hellman Group 2 for RSA key size, and that's a 1024-bit key size defined as Diffie Hellman Group 2. Those may have been perfectly valid and acceptable security parameters in the early to mid 90s. Today, it's certainly not going to fly. At a minimum, we recommend that you use AES-128. And beginning in Windows Server 2019, Microsoft added support for GCM AES-128 with RSA keys, which is kind of the default standard. And so if you're using Windows Server 2019 and later, you can take advantage of that, and I'll show you how to do that here in just a few minutes.

[00:04:12] We also recommend using SHA-256 for integrity, and the minimum key size today for RSA should be 2048-bit, which is defined as Diffie Hellman Group 14.

[00:04:23] So to update the default IKEv2 IPsec security settings on Windows Server, we're going to run the command, Set-IKEv2VpnSecurityBaseline. And if you run this command as is without any parameters, it will install the minimum recommended baseline security parameters, which would be AES-128, SHA-256, and Diffie Hellman Group 14. However, if you are running on Windows Server 2019 and later, it's best to use the enhanced security switch. And when you do this, it will take advantage of GCM AES-128, which provides a little bit better security and integrity. However, if you're running Windows Server 2012, 2012 R2 or 2016, you can't take advantage of this. It won't work in those versions of Windows. You must have Windows Server 2019 or later to run this. We'll also add the restart switch so these changes will take effect immediately.

[00:05:35] Once that's complete, let's move on to defining our root certificate. Now, we need to gather a bit of information for this. So here, we need to go back to our Local Computer certificate store.

[00:05:48] And what I want to do is I want to go to my Trusted Root CA, choose Certificates, and I want to find the certificate for my enterprise PKI, and here it is right here. Now, there are some scenarios where, and again this is a clean lab, so there's only one certificate, but you may find that you have multiple certificates here. If you've renewed your root or issuing CA certificates, you may have also deployed more than one for whatever reason. There may be some challenges or issues. You might see several of them and you need to know exactly which one. So the best way to do this is actually to go look at the certificate that you issued for IPsec. So we'll double-click on that. We'll go to Certification Path, and we're going to go to the root CA of the certificate that was issued for IPsec. So on this server, we'll select this certificate, and we'll choose View Certificate. Then we'll go to Details and scroll to the bottom here and then find our Thumbprint value. We need to copy this to the clipboard because this is the root certificate that we want to trust for our device-based authentication. So we'll click OK. And we're going to run the command Set-IKEv2VpnRootCertificate, and we're going to supply the thumbprint that we just copied there.

[00:07:16] So I'll paste that on the command line, and we'll add the restart switch here as well. And that's it.

[00:07:24] The next thing we want to do is, as I mentioned before, we want to enable IKEv2 fragmentation. So that command is Enable-VpnServerIKEv2Fragmentation. Once again, add the restart switch if you like.

[00:07:44] And finally, the last command that we need to run is enabling the CRL check. That command is Enable-IKEv2CrlCheck, and we'll add the restart switch once again.