To make VPN profile management easier for end users, Windows 8.1 introduces a new, intuitive modern user interface for managing VPN profiles. It resides in PC Settings and provides a unified experience for creating, editing and removing profiles for the native (Microsoft) VPN client as well as for third-party VPN clients. This blog post covers only the native (Microsoft) VPN client.
VPN page in PC Settings
In Windows 8.1, to navigate to the VPN page in PC Settings, open the Settings charm > Change PC settings > Network.
This page lists all the VPN connections configured on the client machine. A VPN profile may be created using:
- PC Settings: Profiles created using the ‘Add a VPN connection’ option on the connections page of PC Settings
- Desktop VPN create wizard: Profiles created from the Get Connected Wizard (“Set up a new connection or network”) option under Network and Sharing Center
- PowerShell: Profiles created using the ‘Add-VpnConnection’ PowerShell cmdlet
- Intune: Profiles provisioned on the Windows client using Intune, the Unified Device Management solution by Microsoft
- Connection Manager Administrator Kit: Profiles created using the Connection Manager Administrator Kit (CMAK), which is a Windows feature
Native VPN client
To create a native Windows VPN client, click Create a new VPN connection and then choose Microsoft in the VPN provider drop-down list.
The new UI asks the user to enter only basic information about the VPN connection and assumes smart defaults for the advanced VPN properties, so the end user is not required to deal with the complex properties of the VPN. All profiles created using PC Settings are single-user profiles.
VPN profile properties
The VPN profile created is a single-user VPN profile with the following properties:
The user can choose the authentication method used for the VPN connection. The authentication method can be one of the following:
i. User name and password: When the user selects this option, the VPN client negotiates the username/password-based authentication methods with the server. The client is able to negotiate MSCHAPv2, EAP-MSCHAPv2, PEAP with MSCHAPv2 as the inner method, EAP-TTLS with PAP as the inner method (for non-domain-joined machines only) and EAP-TTLS with MSCHAPv2 as the inner method (for domain-joined machines only) with the VPN server. Once the user selects this authentication method, they have the option of entering the user name and password in the UI itself.
ii. Smart card: This authentication method translates to smart card based authentication using EAP-TLS.
iii. One-time password: Select this authentication method to use an RSA one-time password. It translates to the TTLS-PAP authentication protocol. TTLS-PAP transports the token code and the password entered by the user to the VPN server, which is configured with RSA’s Authentication Manager server as its RADIUS server. The Authentication Manager terminates TTLS-PAP and is capable of interpreting the credentials as containing the RSA token and password. More details can be found here.
The tunnel type is set to ‘Automatic’, which results in the IKEv2, SSTP, PPTP and L2TP tunnel types being negotiated (in that order). Once a tunnel type is negotiated, the VPN client remembers it for subsequent connections. The user cannot change the tunnel type through PC Settings.
The encryption level is set to ‘Optional Encryption’ by default. For IKEv2 and L2TP, this encryption level has been expanded to negotiate all the IPsec proposals that are supported; admins can control the proposal to be used by specifying it on the VPN server (using the Set-VpnServerConfiguration cmdlet for Windows RRAS). For PPTP connections set to ‘Optional Encryption’, the VPN client does not require encryption but uses it if the VPN server requires it. The encryption setting is not used for SSTP connections, so, as before, they remain unaffected by it. The user cannot change the encryption level through PC Settings.
VPN connections created through PC Settings are force tunneled by default.
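The PowerShell route listed earlier produces the same kind of profile as PC Settings, which makes it a convenient way to see the defaults described above (tunnel type Automatic, optional encryption, force tunneling) written out explicitly and to audit what is already on a machine. The following is an added example, not code from the original post; it uses the VpnClient cmdlets that ship with Windows 8.1 and the RemoteAccess cmdlet mentioned above for RRAS. The profile name, server name and the choice of MSChapv2 as the PowerShell equivalent of the ‘User name and password’ option are assumptions for illustration.

```powershell
# Added example (not from the original post). Assumes the Windows 8.1 VpnClient module.
# 'Corp VPN' and 'vpn.example.com' are placeholders.
$profileName = 'Corp VPN'
$server      = 'vpn.example.com'

# Create a single-user profile with the same defaults PC Settings applies:
# tunnel type Automatic (IKEv2 > SSTP > PPTP > L2TP), encryption level Optional,
# username/password authentication and force tunneling (no split tunnel).
Add-VpnConnection -Name $profileName `
                  -ServerAddress $server `
                  -TunnelType Automatic `
                  -EncryptionLevel Optional `
                  -AuthenticationMethod MSChapv2 `
                  -SplitTunneling:$false `
                  -RememberCredential `
                  -Force

# Inspect what was written; EncryptionLevel shows 'Optional' and SplitTunneling False.
Get-VpnConnection -Name $profileName |
    Select-Object Name, ServerAddress, TunnelType, EncryptionLevel,
                  AuthenticationMethod, SplitTunneling, ConnectionStatus

# Audit helper: report every profile (current user and all-user) whose settings
# allow a weak outcome, i.e. encryption that is optional or absent, a tunnel type
# under which PPTP can still be negotiated, or PAP/CHAP authentication.
function Get-WeakVpnProfile {
    $all = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
           @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    foreach ($c in $all) {
        $reasons = @()
        if ($c.EncryptionLevel -in 'Optional', 'NoEncryption') {
            $reasons += "EncryptionLevel=$($c.EncryptionLevel)"
        }
        if ($c.TunnelType -in 'Pptp', 'Automatic') {
            $reasons += "TunnelType=$($c.TunnelType) (PPTP possible)"
        }
        if ($c.AuthenticationMethod -contains 'Pap' -or $c.AuthenticationMethod -contains 'Chap') {
            $reasons += "AuthenticationMethod=$($c.AuthenticationMethod -join ',')"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name    = $c.Name
                AllUser = $c.AllUserConnection
                Reasons = $reasons -join '; '
            }
        }
    }
}
Get-WeakVpnProfile | Format-Table -AutoSize

# Tighten a profile the user is allowed to edit: pin IKEv2 and require encryption,
# which PC Settings itself does not expose.
Set-VpnConnection -Name $profileName -TunnelType Ikev2 -EncryptionLevel Required -Force

# --- Run on the Windows Server RRAS machine (RemoteAccess module), not on the client ---
# With 'Optional Encryption' the client offers every supported IPsec proposal, so the
# server decides what is actually used. Pin a single strong IKEv2 proposal so that
# clients cannot settle on a weaker one. Values are illustrative choices.
Set-VpnServerConfiguration -TunnelType Ikev2 -CustomPolicy `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -DhGroup Group14 -PfsGroup PFS2048 -PassThru
```

Because all-user profiles are readable only with elevation, run the audit from an elevated PowerShell if you want both stores covered; the `-ErrorAction SilentlyContinue` simply keeps the function usable for a standard user, who then sees only their own profiles.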
To edit an existing VPN connection, click the name of the VPN connection and then click Edit. The edit option is not available for all-user VPN profiles if the user is not an administrator on that machine.
In addition to the properties exposed during the creation of the VPN profile, the user can also modify the proxy settings for the VPN connection. By default the proxy is turned off. The user can choose among three proxy types:
1. Automatic Proxy
2. Automatic script
3. Manual proxy
These settings are similar to the proxy settings in Internet Explorer. Any change in the proxy settings made using PC Settings is reflected in IE directly and is not stored as part of the VPN profile.
Provisioned VPN profiles are typically profiles that are created and managed by network admins through PowerShell and Intune. They are generally created using device management solutions like Intune or distributed as PowerShell scripts. There are certain differences in the way editing works for provisioned profiles as opposed to other profiles.
1. A provisioned profile cannot be renamed through PC Settings. The user is also not allowed to change the authentication method.
2. If the VPN profile has a list of VPN servers configured, the server name field shows a drop-down list of those VPN servers from which the user can select the VPN server to connect to. The selected server becomes the default server for subsequent connections.
3. If the provisioned VPN profile contains proxy settings, any change made to the proxy settings of the VPN connection through PC Settings lasts for that VPN session only and is overridden the next time the VPN connection is dialed.
VPN profiles provisioned using the Connection Manager Administrator Kit behave the same way as user-created profiles: any change in proxy settings is reflected directly in the IE settings. It is advised not to change the settings of a CM VPN profile using PC Settings.
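The server drop-down described in point 2 comes from a provisioned profile that carries a server list rather than a single server address. The following is an added example, not code from the original post, showing how an admin would provision such a profile from PowerShell with the Windows 8.1 VpnClient cmdlets New-VpnServerAddress and Add-VpnConnection -ServerList; the server names and friendly names are placeholders.

```powershell
# Added example (not from the original post). Assumes the Windows 8.1 VpnClient module.
# All server names and the profile name are placeholders.
$profileName = 'Corp VPN (provisioned)'

# Build the server list. Exactly one entry is marked as the default; this is the
# server PC Settings pre-selects in its drop-down until the user picks another.
$servers = @(
    New-VpnServerAddress -ServerAddress 'vpn-east.example.com' -FriendlyName 'East coast' -IsDefault
    New-VpnServerAddress -ServerAddress 'vpn-west.example.com' -FriendlyName 'West coast'
    New-VpnServerAddress -ServerAddress 'vpn-eu.example.com'   -FriendlyName 'Europe'
)

# Provision the profile for all users of the machine (requires elevation) so that
# standard users can connect but cannot edit it, matching the behaviour described
# above. -ServerAddress is still required; it is set to the default server here.
Add-VpnConnection -Name $profileName `
                  -ServerAddress 'vpn-east.example.com' `
                  -ServerList $servers `
                  -TunnelType Ikev2 `
                  -EncryptionLevel Required `
                  -AuthenticationMethod MSChapv2 `
                  -SplitTunneling:$false `
                  -AllUserConnection `
                  -Force

# Confirm the list and which entry is the default. The IsDefault flag is what
# changes when the user picks a different server in PC Settings.
(Get-VpnConnection -Name $profileName -AllUserConnection).ServerList |
    Select-Object FriendlyName, ServerAddress, IsDefault |
    Format-Table -AutoSize

# Remove the profile again when it is no longer needed (e.g. in a cleanup script).
# Remove-VpnConnection -Name $profileName -AllUserConnection -Force
```

Because the profile is created through PowerShell rather than PC Settings, it is a provisioned profile in the sense used above: the user can choose among the listed servers but cannot rename it or change its authentication method from the modern UI.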
Legacy Desktop Properties page
The modern UI experience and the corresponding defaults are generally sufficient for VPN profiles to connect successfully. However, if the user wants to configure an advanced property that is not configurable through PC Settings, they can go to the legacy properties page via Network and Sharing Center > Change adapter settings, then right-click the VPN connection and select Properties. This legacy properties dialog is unchanged in Windows 8.1.