Even if you do everything absolutely by the book, certain things will randomly not work.
The built-in vpn client is horrendously poor. There is no proper logs so you don’t really know why random stuff is failing. Certain settings won’t apply, even if they are correctly configured.
Sometimes the profile will apply just fine but certain functions will still not work. Why? Who knows, no proper log during profile application and no proper log when the client launches.
On the server side, it’s built on 20 years old technology with some minor improvements, every now and then.
No serious shop should ever deploy this poor product, when there are far better solutions out there. The only benefit is that you save some money.
Also, the whole Oma-Uri/ProfileXml deployment is broken, yet you’re forced to use it when deploying through Intune because the native method lacks so many options.
It’s such a shame that Microsoft gets away with developing subpar products, and their premier support is now mainly carried out by subcontractors in Asia. Who are not experts on the subject, but just regular technicians following internal articles.
Interesting. I rolled out an MS-based AOVPN solution earlier this year for 5,000 clients and it was probably the smoothest rollout I’ve ever been involved in, LOL. It just works, full stop. My client script does look quite a bit different though as I’ve built in some additional stuff to make it more resilient. I also configured the VPN server to be its own DNS with conditional forwarding for internal zones, which effectively worked around the DNS preference issue that could otherwise affect the clients.
Why would you even implement this. It was ok in the 00’s but not a suitable solution after that. Most business level firewalls will have a VPN option built in. Ideally IPSec dialup. As SSL VPN has too many vulnerabilities on all the vendors.
There is also options like NordLayer which has the option to add gateways to your internal network.
We switched from the old, buggy MS Direct Access to using Always On VPN (AOVPN) right in the middle of the pandemic when all our staff were working at home. AOVPN has been awesome. In my experience rock solid. Somewhat complex to initially set up, but we got some paid help from Richard Hicks who is a guru on all things VPN and we’re very happy with it.
I have SSTP for some clients with Duo MFA and virtually zero problems, and previously many with L2TP, there are some minor issues with the client where you have to reinstall WAN miniport drivers sometimes or readd the tunnel if it stops working. Oh and I had to restart the Duo service like once in a year when it stopped. But compared to other solutions I would not say its a “poor product”. For my use cases it works and it even works well. It even works on Mac and iPhone/iPad now with SSTP Connect, even with Duo! I only work with small environment SMBs though.
Sstp is broken, every now and then it will refuse to connect with random errors. L2tp is deprecated, you should rather use ikev2. But all customers can’t use it, due to network issues.
Then you’re left with the broken ssyp, which every now and then will refuse to connect. And you don’t know why, because there are no proper logs.
Anything that is a proper vpn solution with a proper agent, where you can actually decipher why random stuff is failing, is better than Microsoft’s vpn solution.
Also don’t expect to get any help from premier support. That’ll just be regular technicians trying their level best through standard troubleshooting. You’ll most likely have deeper knowledge about the product than them.
I can not emphasis enough how poor the built-in vpn client is. Any product thst does not have proper log functionality, should not be used in enterprise environments.
Global Secure Access has just been made available publicly. A lot of enterprises are still using Microsoft’s poor built-in vpn client with RAS servers.
It’s not a solution for mediumsized/large enterprises, but rather for small organisations on 10-20 people who can’t afford a proper alternative.
It doesn’t work, when it doesn’t feel like it, and that’s the problem. If I deploy the same setting to 200 clients, it gets picked up by all clients, rasphone.pbk is updated with it, yet only half the clients honor it while the other half completely ignores it.
Without a proper log, you don’t even know why it’s failing. And yet the product is not broken?
What DNS preference issue? Never had any issues with Dns. Also, Microsoft recommends to deploy client profiles through Intune, yet they don’t reveal how bug ridden that deployment is. Especially if you’re forced to use oma-uri.
Sstp fails when it feels like it, and if you can’t fallback to ikev2, the user won’t be able to connect to vpn.
Also, do you have split tunnel or forced tunnel for the user tunnel? Split tunnel means your’e barely utilizing rasdial.