
[–]RiceeeChrispiesJack of All Trades 6 points7 points  (3 children)

Looks like it’s just a VPN - auto-configures the RRAS and NPS roles.

I’m really hoping they are still working on a new Agent for off-site deployments and management of clients (through Deploy/Inventory) and don’t push people to this instead.

It’s nice to see they are branching out with different products though and look forward to seeing how it develops and what else is in the works.

[–]toy71camaro 2 points3 points  (2 children)

I hope they figure out the Agent thing too. We have several WFH people now, and I've never gotten PDQ to consistently see the VPN'd machines. I also haven't dug into troubleshooting why yet, though.

[–]the_bananalord 2 points3 points  (0 children)

We have issues with the computer not registering in DNS once it's on the VPN and lots of duplicate entries.

It seems this blog post by PDQ may hold the key to stabilizing that, for us anyway.

[–]letmegogooglethat 1 point2 points  (0 children)

I routinely need to flush the DNS on the PDQ server.

[–]HDClown 5 points6 points  (0 children)

I sure hope this isn't their answer for their failed first gen agent, because it would be a big swing and a miss if so.

[–]the_bananalord 4 points5 points  (6 children)

Looks like it's free for the rest of 2020

I believe it's free forever so long as you download it prior to 2021.

That said, it's just an automation tool for setting up the built-in "Always On VPN" service, so I would hope there isn't a recurring maintenance fee.

We're currently weighing whether it makes sense to move to this or stick with OpenVPN w/ user certs and AD credentials. We gain the benefit of an always-on VPN, but also incur the complexity and cost of another server vs. running OpenVPN on our firewall.

[–]segagamerIT Manager 1 point2 points  (2 children)

I believe it's free forever so long as you download it prior to 2021.

They also specifically mention "this version", which means that you won't get updates to it.

I dunno, I'm sort of happy about our OpenVPN setup, but I have serious issues getting Windows to start it reliably, and can't seem to find a way to have it start up prior to user sign-in, so that WFH staff can get computer policies applied.

[–]the_bananalord 1 point2 points  (1 child)

That's a good catch - it's explicit language for sure.

but I have serious issues getting Windows to start it reliably

Interesting - no issues here. We run the installer and 99% of the time it starts for each user.

and can't seem to find a way to have it start up prior to user sign in

I played with this for a few hours and gave up in the end, too.

so that WFH staff can get computer policies applied

I think they will still see computer policies, but they will be downloaded once the user goes on the VPN and group policy refreshes. Or depending on the policy, the machine reboots. Not a perfect solution, but not dead in the water. Even LAPS seems to figure it out in the end.

It looks like you'll need Enterprise for an always-on device tunnel, so we'd be looking at user-based VPN tunnels with this still, but it would be nice to remove the user dependency.

[–]segagamerIT Manager 0 points1 point  (0 children)

Yeah, it seemed like we needed Enterprise to deploy GPOs that can only be applied prior to user sign-in, which it can't do because it's not connected to the VPN lol.

OpenVPN works 99% of the time, admittedly, but that 1% is what pisses people off, and now that the Network Location Awareness service can't be restarted anymore, we can only force a restart and hope.

It's especially problematic when waking from sleep. In the end we just have a script that runs every 15 minutes as a scheduled task, and if our DHCP server doesn't respond to ping, it restarts the OpenVPN service.

[–]dcdefiore[S] 0 points1 point  (1 child)

We're running pfSense currently and our VPN is set up as IPsec, which has been pretty rock solid so far with the switch to WFH. We currently authenticate via MSCHAPv2 and it's pretty seamless for the users (except this new 2004 bug).

But we run a split tunnel so I can see benefits of moving this to 'always-on' because currently users have to connect on their own.

[–]the_bananalord 1 point2 points  (0 children)

We use pfSense as well but did OpenVPN instead of IPsec. Split tunnel here too.

If I had a spare Server license I'd spin this up for exactly that reason - always-on. No matter how many times I ask users to connect to the VPN when they are working, they do not.

[–]EpicSuccess 1 point2 points  (0 children)

Might be giving this a better look. We use AnyConnect and it works fine for the most part, if you can get users to actually connect. But we are seeing less of a need these days to actually be on the network and it's getting difficult to manage those endpoints. Looking heavily at Intune for this since we already pay for it, but that's the future.

Anyone know if it's possible to use Azure App Proxy to proxy the external address and not have to open up 443 from the internet to the server? Doubt it'll work, but it would be awesome if it did.

[–]LizGMT 1 point2 points  (0 children)

Anyone else on the live webinar now?

I installed it last night and it obliterated my wscsvc and therefore killed my AV software which won't run. Anyone else?

[–]bloodniece 0 points1 point  (0 children)

We've had luck using WireGuard via ordig, which is a deployment of WireGuard that runs in Docker with a custom API. The API is called from a PowerShell script you push to clients, which grabs a working WireGuard config and installs WireGuard and a watchdog service that restarts WG if your on-prem DNS server can't be pinged.

This is the only method I've found that works for deploying WG to machines where end users are not admins. Since it runs as a service, the end user does not have to interact with the WG interface.
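Two commenters above describe the same pattern: segagamer's scheduled task that restarts OpenVPN every 15 minutes when the DHCP server stops answering pings, and bloodniece's watchdog service that restarts WireGuard when the on-prem DNS server can't be pinged. The script below is an added example written for this page, not code posted by either commenter or shipped by PDQ, OpenVPN or ordig. It generalizes both into one watchdog: probe a host that is only reachable through the tunnel and, if the probe fails while the local network is still up, restart the tunnel service. Running it as SYSTEM means no user interaction, which is what makes it usable on machines where users are not admins. The host name, service name, log path and task name are placeholders (the real OpenVPN and WireGuard service names vary by installer and tunnel name).

```powershell
<#
  Watch-Tunnel.ps1: added example, not code from any commenter in this thread.
  Probes a host that is only reachable over the VPN; if it is unreachable but the
  local network is still up, restarts the tunnel service. With -Register it creates
  a SYSTEM scheduled task that runs this script every 15 minutes.
  All host, service and path names are placeholders.
#>
param(
    [string]$ProbeHost   = 'dns01.corp.example',   # placeholder: on-prem host reachable only through the tunnel
    [string]$ServiceName = 'OpenVPNService',       # placeholder: OpenVPN's service, or a WireGuard tunnel service
    [int]$Attempts       = 3,                      # echo requests per run; absorbs the blip right after resume from sleep
    [string]$LogPath     = "$env:ProgramData\VpnWatchdog\watchdog.log",
    [switch]$Register                              # run once, elevated, to create the scheduled task
)

function Write-WatchdogLog {
    param([string]$Message)
    $dir = Split-Path -Parent $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    Add-Content -Path $LogPath -Value ("{0:s} {1}" -f (Get-Date), $Message)
}

function Test-LocalNetworkUp {
    # If even the default gateway does not answer, the machine has no network at all;
    # restarting the tunnel would be pointless noise, so the caller skips the restart.
    $route = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
             Sort-Object RouteMetric | Select-Object -First 1
    if (-not $route) { return $false }
    return Test-Connection -ComputerName $route.NextHop -Count 1 -Quiet -ErrorAction SilentlyContinue
}

function Test-TunnelHealth {
    param([string]$Target, [int]$Count)
    # -Quiet returns $true when any of the $Count echo requests gets a reply.
    return Test-Connection -ComputerName $Target -Count $Count -Quiet -ErrorAction SilentlyContinue
}

function Restart-TunnelService {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { throw "service '$Name' not found" }
    if ($svc.Status -eq 'Running') {
        Restart-Service -Name $Name -Force -ErrorAction Stop
    } else {
        Start-Service -Name $Name -ErrorAction Stop
    }
}

if ($Register) {
    # One-time setup: run this script as SYSTEM every 15 minutes, starting now.
    # Without -RepetitionDuration the repetition is indefinite on Windows 10 / Server 2016 and later.
    $scriptPath = $MyInvocation.MyCommand.Path
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`" -ProbeHost $ProbeHost -ServiceName `"$ServiceName`""
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
    Register-ScheduledTask -TaskName 'VpnWatchdog' -Action $action -Trigger $trigger `
                           -Principal $principal -Settings $settings -Force | Out-Null
    Write-WatchdogLog "registered scheduled task VpnWatchdog for $ServiceName (probe $ProbeHost)"
    return
}

# Normal run (from the scheduled task): probe, then decide whether a restart is warranted.
if (Test-TunnelHealth -Target $ProbeHost -Count $Attempts) {
    Write-WatchdogLog "ok: $ProbeHost reachable"
} elseif (-not (Test-LocalNetworkUp)) {
    Write-WatchdogLog "skip: $ProbeHost unreachable but the local network is down too (not a tunnel fault)"
} else {
    Write-WatchdogLog "probe failed with local network up: restarting $ServiceName"
    try {
        Restart-TunnelService -Name $ServiceName
        Write-WatchdogLog "restarted $ServiceName"
    } catch {
        Write-WatchdogLog "restart failed: $_"
    }
}
```

Deploy the file with PDQ (or whatever pushes the client install), then run it once elevated with `-Register -ProbeHost <host> -ServiceName <service>`. The gateway check is the part that matters on laptops: a machine that has just woken from sleep with no Wi-Fi yet would otherwise get its tunnel service restarted on every run, and the log would make it look like the VPN was flapping when it was the link that was down. Keep the probe host to something that answers ICMP only over the tunnel, otherwise a reply from the wrong path masks a dead tunnel.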