2016 Essentials Remote VPN Alternative

Most know the error message below quite well: it shows up from time to time when Windows Live isn’t able to register the “*.remotewebaccess.com” domain name. Microsoft is pushing this feature aside, and I don’t think it will be supported much longer. The alternative is to use your server’s Certificate Authority role or purchase an outside certificate. This post provides instructions for creating your own Remote VPN certificate from the Certificate Authority role on the Essentials server (or any Windows Server version 2016 and above) to use for the remote connection to the office.

A previous post here “2016 Essentials – Anywhere Access setup fails” talks about the solutions to the above error message. Most of the time adding the registry keys and rebooting the server fixes the problem. Recently this hasn’t been the case.

The SOLUTION is to use the Certificate Authority role on the Windows Server to create a “RemoteVPN.domain.com” certificate to use with the Anywhere Access Wizard. There are a few gotchas with this process, so please read the steps below carefully, even if you feel you’re an expert with Essentials, certificates, etc.

The Problem

Each time the Anywhere Access wizard was run, the error in the picture above appeared. Adding all the registry hacks to fix it, with multiple reboots, did not fix the issue.

From the Dashboard logs under “C:\ProgramData\Microsoft\Windows Server\Logs”, in “SharedServiceHost-ManagementServiceConfig.log”, this error appeared each time the wizard was run: “DomainManagerFault:[Reason:CommunicationFailure, Message:GetUserDomainNames failed, Detail:Could not establish trust relationship for the SSL/TLS secure channel with authority ‘dyndns.domains.live.com‘.” This indicates that live.com wasn’t accepting new registrations for remotewebaccess.com domains.

Alternative Solution: Setup external DNS address & Create own RWA certificate

Below are the steps to follow to implement this solution. Pre-reqs:

  • The router is forwarding ports 80 and 443 to the server.
  • The NPS Policy Server role is installed.
  • A “remotevpn.domain.com” DNS entry exists in the public domain zone you have for your client.

Create Certificate on Server:

  1. Use the Internet Information Services (IIS) console to create a domain certificate, then export the certificate to a password-protected .pfx in the c:\temp folder. This cert will be used for the https://remotevpn.domain.com Remote website.
  2. Open IIS console, click on the server on left side (root)… on right side, click on Server Certificates.
    • Click on Create Domain Certificate request.
      • Common Name – this is the remotevpn.domain.com name for the primary cert name
      • Organization – the company name
      • Org Unit – can leave blank
      • City – enter city
      • State – enter your state
      • Click Next
    • Next page will ask to specify the Online Certificate Authority… – click Select to specify the Root CA server (Windows Server CA role).
    • For Friendly Name type something like: Anywhere Access VPN; click Finish
    • Next click on the new certificate in the list of certs; right-click to export.
      • Export to – click the button to create path c:\temp\remotevpn.pfx
      • Enter password you can remember.
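The same enrollment and export can be scripted from an elevated PowerShell session on the server. This is an added example, not code from the original post: it assumes the CA publishes the built-in WebServer template (which is what the IIS Create Domain Certificate wizard uses) and that the names and paths are placeholders to adjust. It also writes out the Root CA certificate in Base-64 form, which is needed for the non-domain-joined PC setup later in the post.

```powershell
# Added example (not from the original post): request the RemoteVPN web server
# certificate from the Windows Server CA, export it as PFX, and export the Root CA
# certificate as Base-64 .cer. Assumes the WebServer template is published on the CA
# and that remotevpn.domain.com is a placeholder for your own DNS name.
$vpnName  = 'remotevpn.domain.com'
$pfxPath  = 'C:\temp\remotevpn.pfx'
$rootPath = 'C:\temp\rootca.cer'
New-Item -ItemType Directory -Path 'C:\temp' -Force | Out-Null

# Enroll against the enterprise CA. The subject CN and the SAN both carry the VPN
# name; modern clients validate the SAN, not just the CN.
$req = Get-Certificate -Template 'WebServer' -SubjectName "CN=$vpnName" -DnsName $vpnName `
    -CertStoreLocation 'Cert:\LocalMachine\My'
if ($req.Status -ne 'Issued') { throw "Enrollment did not complete: $($req.Status)" }
$cert = $req.Certificate
$cert.FriendlyName = 'Anywhere Access VPN'

# Export with the private key so the Anywhere Access wizard can import it.
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pw | Out-Null

# Locate the Root CA (the issuer of the new cert) in the machine Root store and
# write it as Base-64, the same format the Details > Copy to File wizard produces.
$root = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Subject -eq $cert.Issuer } | Select-Object -First 1
if (-not $root) { throw "Issuer '$($cert.Issuer)' not found in the Root store" }
$b64 = [Convert]::ToBase64String($root.RawData, 'InsertLineBreaks')
"-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----" |
    Set-Content -Path $rootPath -Encoding Ascii

# Sanity check before running the wizard: name, issuer, expiry and SAN list.
$cert | Format-List Subject, Issuer, NotAfter, DnsNameList
```

Note the NotAfter date printed at the end; as the post says later, renewal of this certificate is a manual process, so that is the date to calendar.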

Setup Anywhere Access using new Certificate

  1. Open the Anywhere Access window – from Dashboard console, Settings, Anywhere access.
  2. Click on the option to Setup own domain.
  3. Select I want to use a domain I already own.
  4. Type in domain name: remotevpn.domain.com; Click Next
  5. Select – Set up my domain manually; Click Next
  6. Type in the url – https://remotevpn.domain.com. If your domain name is different, click on the change button.
  7. Click on I want to use an existing SSL certificate; click next
  8. Check box at bottom: I have manually configured my domain name; click next
  9. Import the trusted Certificate
    • Browse to file: c:\temp\remotevpn.pfx
    • Type in password you used; Click next
  10. This should now run through wizard to install Remote Web Access & VPN Connections.
  11. This should complete the process.

You can now open: https://remotevpn.domain.com/remote web page and sign in with domain account to view the devices and folders the user has access to.

Note: Domain joined machines automatically get the Root CA certificate added to the Trusted Root Certification Authorities Store.

Setup VPN for non-domain joined PC

If you have an outside PC you want to use the VPN to connect, then open the IIS console again, go back to Server Certificates.

  1. Find the Root CA certificate – typical name will be Domain-servername-CA – open the cert
  2. Click the Details tab, then Copy to File; click Next
  3. Select “No, do not export the private key”; click next
  4. Select Base-64 encoded .cer
  5. Specify file name: c:\temp\rootca.cer; Next and Finish
  6. Copy this file to outside computer you want to setup the VPN connection.
  7. Install Certificate, be sure to select the store you want to install it – select Trusted Root Certification Authorities.

Note: if you use the “remotevpn.domain.com/connect” page to install the Essentials connector, it will install the VPN solution for you and you don’t need to do anything further – but it will also join your PC to the domain. If you don’t want that, then follow the steps below to create your own VPN connection.

Steps for manual installation of VPN to remotevpn.domain.com

Set the No Certificate Revocation Check on Computer

  1. On the PC, open regedit.exe and browse to this location – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters
  2. Right-click on Parameters, click New, REG_DWORD, and paste in: NoCertRevocationCheck
  3. Open the REG_DWORD and set the value to 1.
  4. Close the registry editor.
  5. Or, from an elevated command prompt, type:
     reg add HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters /v NoCertRevocationCheck /t REG_DWORD /D 0x1 /f

Create the VPN connection on PC

  1. Open Network and Sharing Center from Control Panel.
  2. Click on the link to “Set up a new connection or network”
  3. Click on “Connect to a workplace (VPN)”; click next
  4. Choose the option for “No, create a new connection”
  5. Select top option – Use my internet connection (VPN)
  6. Internet Address: remotevpn.domain.com; Change name to Client-VPN (or whatever you wish)
  7. Since setting up manually, do not select option to Remember credentials. 
  8. Now back in Network and Sharing Center: Click on menu to change adapter settings.
  9. Open the VPN connection Properties you just created.
  10. Click the Security tab and choose the options below
    • Type of VPN – SSTP
    • Data Encryption – Require encryption.
    • Under Authentication – click on Allow these protocols
    • Select only Microsoft CHAP Version 2 (MS-CHAP v2).
  11. Now you’re ready to make the connection from your PC to the office VPN.
  12. Open the connection and type in credentials and it should connect you to the office network.
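The whole non-domain-joined PC setup (root CA import, the SstpSvc registry value, and the VPN connection with the Security tab settings above) can be done in one elevated PowerShell session. This is an added example, not code from the original post; it assumes rootca.cer was copied to C:\temp on the PC and that remotevpn.domain.com and Client-VPN are placeholders for your own names.

```powershell
# Added example (not from the original post): set up the outside PC from an elevated
# PowerShell session. Assumes C:\temp\rootca.cer is the Base-64 Root CA export from
# the server and remotevpn.domain.com resolves from the Internet (placeholder names).
$rootCer = 'C:\temp\rootca.cer'
$vpnHost = 'remotevpn.domain.com'
$vpnName = 'Client-VPN'

# 1. Trust the internal Root CA so the SSTP server certificate chains cleanly.
Import-Certificate -FilePath $rootCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2. Same as the reg add command above. SSTP checks the server cert for revocation,
#    and an internal CA's CRL is normally not reachable from the Internet, so the
#    check fails; with this set, a revoked server cert would still be accepted.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name 'NoCertRevocationCheck' -Value 1 -Type DWord

# 3. Create the connection with the Security tab settings from the post: SSTP,
#    encryption required, MS-CHAP v2 only (matches the NPS policy), no saved creds.
if (Get-VpnConnection -Name $vpnName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $vpnName -Force
}
Add-VpnConnection -Name $vpnName -ServerAddress $vpnHost -TunnelType Sstp `
    -EncryptionLevel Required -AuthenticationMethod MSChapv2 -RememberCredential:$false
Get-VpnConnection -Name $vpnName |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# 4. Before dialing, confirm the cert presented on 443 is the one issued by your CA.
#    The callback accepts any cert here only so we can print it; the VPN itself still validates.
$tcp = New-Object Net.Sockets.TcpClient($vpnHost, 443)
$cb  = { $true } -as [Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($vpnHost)
$srv = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"Server cert: $($srv.Subject) issued by $($srv.Issuer), expires $($srv.NotAfter)"
$tcp.Close()
```

If the printed issuer is not your Domain-servername-CA, the port forward is reaching something else and the VPN will fail on certificate validation before authentication is attempted.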

Note: During my extensive troubleshooting, I tinkered with NPS Policy Server policies to make things work, however, all this was moot and unnecessary. The KEY was to change the VPN connection to only use MS-CHAPv2 as that matches the NPS policy settings.

The caveat to this option is of course renewal of the remotevpn.domain.com certificate when it expires: there is no auto-renewal, so this will need to be a manual process.

Another certificate option is to download the Certifytheweb.com application and use Let’s Encrypt to create free certificates, which will of course auto-renew and whose root certificates are already trusted on any workstation. This is on the list to test out in the near future.

Thanks for reading. Comments are welcome!

