Native Windows VPN Client Viability?

Does anyone have any experience with using the built-in VPN client on Windows in an environment with 100+ users? And what appliances support connecting from it?

I’m curious about it because users currently connect with GlobalProtect. Nearly all traffic is tunneled for URL filtering and inspection purposes. Two issues with that are how to dynamically handle the exceptions for what is not tunneled, and public Wi-Fi connections that redirect to a captive portal to accept terms before allowing a user out to the internet. For whatever reason, EDLs can’t be used to define tunneling exceptions.

My consideration of the Windows client is mostly driven by the ability to manage it with Group Policy and the possibility of a more seamless experience for users.

I wouldn’t suggest it. We have hundreds of users on the Windows 10 VPN client using L2TP over IPsec (Cisco Meraki Client VPN) and I would be happy to move them all to a supported SSL VPN client like GlobalProtect or AnyConnect.

There are occasionally weird issues with Windows split-tunnel routing and interface metric.

You will sometimes have to remove/rescan all the WAN miniport drivers in device manager as a troubleshooting step or recreate the VPN configuration for unknown reasons.

The UI can be kind of buggy depending on where you connect/disconnect from (VPN settings page vs the system tray icon).

And sometimes Windows releases an update that completely breaks the built-in VPN client and causes chaos.

Have you tried the setting in GlobalProtect that gives a grace period for captive portal sign-ons?

“Please configure the “Captive Portal Exception Timeout” to a specific value in seconds and run the test again.”
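The "remove/rescan the WAN Miniport drivers" step from the post above, as a script. This is an added example, not code from the thread. It assumes Windows 10 2004 or later (that build added `pnputil /remove-device` and `/scan-devices`), an elevated prompt, and an all-user profile named "Corp-VPN" (a hypothetical name) that dials without interactive credentials, e.g. IKEv2 with a machine certificate.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread): reset unhealthy WAN Miniport
# devices and confirm the profile dials afterwards.
# Assumptions: Windows 10 2004+ for the pnputil switches; profile name below is
# hypothetical; the profile needs no interactive credentials.

$VpnName = 'Corp-VPN'

function Get-WanMiniport {
    # RAS creates one WAN Miniport device per tunnel/transport type (IKEv2, L2TP,
    # SSTP, PPTP, IP, IPv6, Network Monitor). One that is missing or in an error
    # state is the usual reason a profile that used to work refuses to dial.
    Get-PnpDevice -Class Net -PresentOnly |
        Where-Object FriendlyName -like 'WAN Miniport*' |
        Select-Object FriendlyName, Status, InstanceId
}

function Reset-WanMiniport {
    [CmdletBinding()]
    param([switch]$All)
    # Remove every WAN Miniport (-All) or only those Plug and Play reports as not
    # OK, then rescan so the RAS driver re-creates them with fresh device nodes.
    $targets = Get-WanMiniport | Where-Object { $All -or $_.Status -ne 'OK' }
    if (-not $targets) { return 'nothing to reset' }
    foreach ($dev in $targets) {
        Write-Verbose "Removing $($dev.FriendlyName) [$($dev.Status)]"
        pnputil /remove-device $dev.InstanceId | Out-Null
    }
    pnputil /scan-devices | Out-Null
    Start-Sleep -Seconds 5
    return Get-WanMiniport
}

function Test-VpnDial {
    # rasdial reads the all-user phonebook; return the status rather than print
    # it so whatever runs this remotely (Intune script, PSRemoting) can log it.
    rasdial $VpnName | Out-Null
    $status = (Get-VpnConnection -Name $VpnName -AllUserConnection).ConnectionStatus
    if ($status -eq 'Connected') { rasdial $VpnName /disconnect | Out-Null }
    return $status
}

Get-WanMiniport | Format-Table -AutoSize
Reset-WanMiniport -Verbose | Format-Table -AutoSize
Test-VpnDial
```

If every miniport reports OK but the profile still will not dial, run `Reset-WanMiniport -All`; if that does not help either, the next step the post describes is deleting the profile with `Remove-VpnConnection -AllUserConnection` and re-adding it. Drop `-AllUserConnection` for a per-user profile.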

In our experience, the Windows native VPN client sucks. We have around 150 users on VPN and when we used the native client we had to constantly uninstall, remove miniport drivers, reinstall. Multiple tickets per week.

We moved to Cisco AnyConnect deployed via Intune and it has been much more reliable so far.

I have used SSTP with reasonable performance, but I had all but 10 users.

Basically every VPN headend that does IKEv2 works and it’s what I’d recommend if you want the native client. That way you can also use certificates for authentication and get start before logon functionality.

The massive downside to the Windows client is that it’s a pain in the ass to manage and can’t do TCP/443, so you can run into problems on guest networks and the like.
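The IKEv2 setup the post above recommends (certificate authentication, profile available before logon), with the split-tunnel routing and interface-metric checks mentioned earlier in the thread. This is an added example, not code from the thread. Everything named in it is a hypothetical assumption: headend `vpn.example.com`, internal prefixes 10.0.0.0/8 and 172.16.0.0/12, DNS suffix `corp.example.com`, and a device certificate from the internal CA already in `Cert:\LocalMachine\My`. IKEv2 needs UDP 500 and 4500 outbound; it does not run over TCP 443.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread): deploy the native client as an
# IKEv2 profile with machine-certificate auth, a pinned IPsec proposal and
# explicit split-tunnel routes, then verify the routing. All names are
# hypothetical assumptions. Suitable as a GPO startup script.

$VpnName   = 'Corp-VPN'
$VpnHost   = 'vpn.example.com'
$Prefixes  = @('10.0.0.0/8', '172.16.0.0/12')
$DnsSuffix = 'corp.example.com'

function Install-CorpVpn {
    # Idempotent so the same script can run at every boot from Group Policy.
    if (Get-VpnConnection -Name $VpnName -AllUserConnection -ErrorAction SilentlyContinue) {
        Remove-VpnConnection -Name $VpnName -AllUserConnection -Force
    }

    # Machine certificate means no user credentials, so the tunnel can be dialled
    # from the logon screen. -AllUserConnection puts it in the system phonebook.
    Add-VpnConnection -Name $VpnName -ServerAddress $VpnHost -TunnelType Ikev2 `
        -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
        -SplitTunneling -DnsSuffix $DnsSuffix -AllUserConnection -Force

    # Pin the proposal; the default Windows IKEv2 policy still offers DH group 2 and SHA1.
    Set-VpnConnectionIPsecConfiguration -ConnectionName $VpnName -AllUserConnection `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
        -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
        -DHGroup Group14 -PfsGroup PFS2048 -Force

    # Split tunnel: only these prefixes ride the tunnel. A captive portal's redirect
    # target therefore stays on the local interface and remains reachable.
    foreach ($p in $Prefixes) {
        Add-VpnConnectionRoute -ConnectionName $VpnName -DestinationPrefix $p -AllUserConnection
    }
}

function Set-CorpVpnMetric {
    param([int]$Metric = 10)
    # Windows gives the tunnel interface an automatic metric. When that loses to
    # the Wi-Fi adapter, lookups on the internal suffix and any prefix that
    # overlaps the local LAN go the wrong way. The value lives in the all-user
    # phonebook; 0 means automatic. Assumed key name: IpInterfaceMetric.
    $pbk = Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
    $inSection = $false
    $out = foreach ($line in Get-Content $pbk) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $VpnName) }
        if ($inSection -and $line -match '^IpInterfaceMetric=') { "IpInterfaceMetric=$Metric" }
        else { $line }
    }
    Set-Content -Path $pbk -Value $out
}

function Test-CorpVpnRouting {
    # Dial, then check the two things that bite split tunnels: the tunnel must not
    # own the default route, and it must carry a route for every internal prefix.
    rasdial $VpnName | Out-Null
    $conn = Get-VpnConnection -Name $VpnName -AllUserConnection
    if ($conn.ConnectionStatus -ne 'Connected') { throw "$VpnName: $($conn.ConnectionStatus)" }
    try {
        $routes = Get-NetRoute -InterfaceAlias $VpnName -AddressFamily IPv4
        [pscustomobject]@{
            TunnelMetric     = (Get-NetIPInterface -InterfaceAlias $VpnName -AddressFamily IPv4).InterfaceMetric
            DefaultViaTunnel = [bool]($routes | Where-Object DestinationPrefix -eq '0.0.0.0/0')
            MissingPrefixes  = @($Prefixes | Where-Object { $_ -notin $routes.DestinationPrefix })
        }
    }
    finally {
        rasdial $VpnName /disconnect | Out-Null
    }
}

Install-CorpVpn
Set-CorpVpnMetric -Metric 10
Test-CorpVpnRouting | Format-List
```

`DefaultViaTunnel` should come back `False` and `MissingPrefixes` empty; if not, the headend is pushing routes that override the profile (check its split-tunnel policy before touching the client). If the guest network blocks UDP 500/4500, the only native tunnel type that runs on TCP 443 is SSTP, so a second profile with `-TunnelType Sstp` is the usual fallback.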

250 L2TP clients on a Meraki VPN. 0/10 would not recommend. Rolling it out and trying to train people on connecting was hell.

Next time around, my foot goes down and I say no unless we pony up for the licensing to use AnyConnect.

Have you tried the setting in GlobalProtect that gives a grace period for captive portal sign-ons?

I have. The issue is when someone connects to an SSID that redirects to a captive portal, GlobalProtect sees a cert issue because of the redirect and just stops there. Sometimes people can get past it by entering http://(site I allow without being VPN’d) into a browser. Leaving out the S doesn’t trigger a cert error, so they can then be successfully redirected to accept terms. Sometimes I have to have people connect to their personal phone as a hotspot, generate a ticket in PAN-OS to disable GlobalProtect, have them disable it, disconnect from their hotspot, reconnect to the guest Wi-Fi, get redirected, accept, and then re-enable GlobalProtect. The ticket doesn’t work unless they’re already connected 🤷 It’s a hassle.

I miss AnyConnect. Thanks for the insight

What do you terminate on? Windows Server?

Got it, thanks for responding, this is helpful

Do you have the setting “Allow user to continue with invalid server certificate” set to yes?

It was a MikroTik router actually. Just windows clients.

I have used Windows Server before. RRAS I believe is the role for that. Personally I think that would be the best solution if you already have Windows Server set up. Especially if you already have your users in there, you can simply grant them access to the VPN group. I would think Windows clients with Windows Server should work well. My understanding is that SSTP is reasonably good with hardware encryption on desktops/laptops. The only issues I’ve had were getting the Android/iPhone SSTP client to work consistently.

For what it’s worth, I’ve moved entirely to WireGuard. We have site-to-site and road warriors. This of course doesn’t afford you nearly the accountability and management that RRAS in Windows would offer, but WireGuard does work well with every platform I’ve tested it on.
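The RRAS setup the post above describes, as a script for the server side of the native client. This is an added example, not code from the thread or from Microsoft. It assumes (hypothetically) that the server already holds a certificate for `vpn.example.com` with the Server Authentication EKU in `Cert:\LocalMachine\My`, that clients present machine certificates chained to an internal CA named "Corp Root CA" that is in the server's trusted roots, and that clients are addressed from a 10.200.0.0/24 pool. Which AD group may connect is decided by an NPS network policy, which this script does not create.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread): install RRAS as a VPN headend
# offering IKEv2 (UDP 500/4500) and SSTP (TCP 443) for the native Windows client.
# All names below are hypothetical assumptions.

$PublicName = 'vpn.example.com'
$RootCaName = 'CN=Corp Root CA'
$PoolStart  = '10.200.0.10'
$PoolEnd    = '10.200.0.250'

function Get-VpnServerCert {
    # Newest unexpired cert with a private key whose subject matches the public name.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                       $_.Subject -like "*CN=$PublicName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Install-CorpVpnServer {
    Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools | Out-Null
    Import-Module RemoteAccess

    $cert = Get-VpnServerCert
    if (-not $cert) { throw "No usable server certificate for $PublicName" }
    $rootCa = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -eq $RootCaName
    if (-not $rootCa) { throw "Root CA $RootCaName not in LocalMachine\Root" }

    # VPN role only (no DirectAccess), static address pool for clients.
    Install-RemoteAccess -VpnType Vpn -IPAddressRange $PoolStart, $PoolEnd -PassThru | Out-Null

    # SSTP listener uses the server certificate on TCP 443.
    Set-RemoteAccess -SslCertificate $cert

    # Accept machine certificates chained to our CA (IKEv2 device tunnels) and EAP
    # for user tunnels; advertise our cert so clients can validate the server.
    Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP `
        -RootCertificateNameToAccept $rootCa -CertificateAdvertised $cert -PassThru | Out-Null

    # Pin the IKEv2 proposal to match the client-side policy and size the port
    # pools for the expected number of concurrent sessions.
    Set-VpnServerConfiguration -TunnelType Ikev2 -CustomPolicy `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
        -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
        -DHGroup Group14 -PfsGroup PFS2048 -Ikev2Ports 256 -SstpPorts 256 -PassThru | Out-Null

    Restart-Service RemoteAccess
    return Get-VpnServerConfiguration
}

Install-CorpVpnServer | Format-List TunnelType, EncryptionMethod, DHGroup, Ikev2Ports, SstpPorts
```

After this, create the NPS network policy (condition: Windows group "VPN Users" or similar; authentication: certificate or EAP; otherwise deny) so group membership is what grants access, and disable the PPTP and L2TP ports in the RRAS console if you do not want those tunnel types advertised.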

I’ve considered it but it’s too much of a security hole