Always on VPN - Trusted Network Detection not working
We have a peculiar problem with our solution. Some clients are trying to launch a VPN connection even when they are connected to the internal domain, DomainName.local, and they do this all day long. The attempts get blocked in the firewall, but this creates a lot of unnecessary traffic and noise on the network.
Without being 100% certain, I think it's mostly clients on a wired connection (through being docked), but I've also seen it on clients that are supposed to be connected to wireless networks. We are deploying our profiles through Intune with OMA-Uri/ProfileXml method, and <TrustedNetworkDetection> is properly configured. We only have a single domain suffix, DomainName.local, and I can check on the client with "Get-VpnConnectionTrigger" that the domain suffix has indeed been applied to the client, and their internal connection has only Domain.local as suffix.
Yet, some clients will, when on the internal domain, launch almost 100 attempts during the day to connect to the VPN.
Comma separated string to identify the trusted network. VPN won't connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
u/RichardHicks blog:
When trusted network detection is configured, the VPN client will evaluate the DNS suffix assigned to all physical (non-virtual or tunnel) adapters that are active. If any of them match the administrator-defined trusted network setting, the client is determined to be on the internal network and the VPN connection will not connect.
https://directaccess.richardhicks.com/2020/03/24/always-on-vpn-trusted-network-detection/
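To check that rule on an affected client, here is an added diagnostic script (not from the original post or from Richard Hicks' blog) that lists every active physical adapter, its connection-specific DNS suffix, and whether it matches the trusted-network list applied to the VPN connection. It assumes the connection name 'Always On VPN' as a placeholder and that Get-VpnConnectionTrigger exposes the applied list in its TrustedNetwork property; run it in the user's session for a user tunnel.

```powershell
# Added diagnostic, not part of the original post. Replace the placeholder
# connection name with the one shown by Get-VpnConnection on the client.
$ConnectionName = 'Always On VPN'

# TrustedNetwork holds the comma-separated TND list from ProfileXML as it was
# actually applied; normalise case and any trailing dot before comparing.
$trigger = Get-VpnConnectionTrigger -ConnectionName $ConnectionName
$trusted = @($trigger.TrustedNetwork) |
    ForEach-Object { ([string]$_).Trim().TrimEnd('.').ToLower() }

# TND only looks at active physical adapters (virtual and tunnel adapters are
# ignored), so the same filter is applied here.
$adapters = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }

$result = foreach ($nic in $adapters) {
    $dns    = Get-DnsClient -InterfaceIndex $nic.ifIndex
    # Cast to [string] first: an adapter with no suffix returns $null.
    $suffix = ([string]$dns.ConnectionSpecificSuffix).Trim().TrimEnd('.').ToLower()
    [pscustomobject]@{
        Adapter     = $nic.Name
        Description = $nic.InterfaceDescription
        Suffix      = $suffix
        Trusted     = ($suffix -ne '' -and $trusted -contains $suffix)
    }
}

$result | Format-Table -AutoSize

if ($result | Where-Object { $_.Trusted }) {
    'At least one active physical adapter carries a trusted suffix: TND should keep the tunnel down.'
} else {
    'No active physical adapter carries a trusted suffix: the client will treat itself as external and attempt to connect.'
}
```

A docked client whose wired adapter is up but received no connection-specific suffix from DHCP will show an empty Suffix column here, which is exactly the case in which TND lets the client try to connect from inside the network.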
Richard Hicks in a comment says that the use of TND can be avoided altogether if you simply can’t resolve the VPN server FQDN on the internal network. But if one creates a DNS record of MyAoVpn.domain.com and points it to nothing on the internal network, will that not cause two problems?
- Clients will cache that MyAoVpn.domain.com resolves to nothing for x minutes
- When clients are connected to VPN, they will check internal DNS for MyAoVpn.domain.com, and it will resolve to nothing
Has anyone else had issues with TrustedNetworkDetection?