Always on VPN - Trusted Network Detection not working

We have a peculiar problem with our solution. Some clients are trying to launch a VPN connection even when they are connected to the internal domain, DomainName.local, and they do this all day long. The attempts get blocked in the firewall, but this creates a lot of unnecessary traffic and noise on the network.

Without being 100% certain, I think it’s mostly clients on a wired connection (through being docked), but I’ve also seen it on clients that are supposed to be connected to wireless networks. We are deploying our profiles through Intune with OMA-Uri/ProfileXml method, and <TrustedNetworkDetection> is properly configured. We only have a single domain suffix, DomainName.local, and I can check on the client with “Get-VpnConnectionTrigger” that the domain suffix has indeed been applied to the vpn profile. Their internal connection has only Domain.local as suffix.

Microsoft: https://learn.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp#deviceprofilenametrustednetworkdetection

Comma separated string to identify the trusted network. VPN won’t connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.

u/richardmhicks blog:
When trusted network detection is configured, the VPN client will evaluate the DNS suffix assigned to all physical (non-virtual or tunnel) adapters that are active. If any of them match the administrator-defined trusted network setting, the client is determined to be on the internal network and the VPN connection will not connect.

(Source: Always On VPN Trusted Network Detection | Richard M. Hicks Consulting, Inc.)

Yet, some clients will, when on the internal domain, launch almost 100 attempts during the day to connect to vpn.

Richard Hicks in a comment says that the use of TND can be avoided altogether if you simply can’t resolve the VPN server FQDN on the internal network. But if one creates a DNS record of MyAoVpn.domain.com and points it to nothing on the internal network, will that not cause two problems?

  1. Clients will cache that MyAoVpn.domain.com resolves to nothing for x minutes
  2. When clients are connected to VPN, they will check internal DNS for MyAoVpn.domain.com, and it will resolve to nothing

Has anyone else had issues with TrustedNetworkDetection?
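Added diagnostic (not from the thread or from Microsoft's or Richard Hicks's material): it reproduces on a client the comparison TND is documented to make, i.e. the trusted-network list applied to the profile against the connection-specific DNS suffix of every active physical adapter, and then checks what the VPN server FQDN resolves to from that network, which is the part the DNS-record question above turns on. The profile name `MyAoVPN`, the server FQDN `MyAoVpn.domain.com` and the `TrustedNetwork` property name on the `Get-VpnConnectionTrigger` output are assumptions; adjust them to the deployment.

```powershell
# Added example, not code from the original post.
# Assumptions (not in the post): profile name 'MyAoVPN', server FQDN 'MyAoVpn.domain.com',
# and that Get-VpnConnectionTrigger exposes the TND list as the 'TrustedNetwork' property.
param(
    [string]$ConnectionName = 'MyAoVPN',
    [string]$ServerFqdn     = 'MyAoVpn.domain.com'
)

function Normalize-Suffix([string]$s) {
    # TND compares suffixes; strip whitespace, a leading dot and case so
    # ".MyDomain.local" and "mydomain.local" compare equal.
    if (-not $s) { return '' }
    return $s.Trim().TrimStart('.').ToLowerInvariant()
}

# 1. Trusted-network list as actually applied to the profile (comma separated in the CSP).
$trigger = Get-VpnConnectionTrigger -ConnectionName $ConnectionName -ErrorAction Stop
$tnd = (@($trigger.TrustedNetwork) -join ',') -split ',' |
       ForEach-Object { Normalize-Suffix $_ } |
       Where-Object { $_ }
"Trusted networks on profile '$ConnectionName': $($tnd -join ', ')"

# 2. Connection-specific DNS suffix of every active, physical (non-virtual) adapter.
#    This is the set TND evaluates; virtual and tunnel adapters are ignored on purpose.
$adapters = Get-NetAdapter -Physical | Where-Object Status -eq 'Up'
$results = foreach ($a in $adapters) {
    $suffix = (Get-DnsClient -InterfaceIndex $a.ifIndex).ConnectionSpecificSuffix
    [pscustomobject]@{
        Adapter      = $a.Name
        Suffix       = $suffix
        TrustedMatch = [bool]($tnd -contains (Normalize-Suffix $suffix))
    }
}
$results | Format-Table -AutoSize

if ($results.TrustedMatch -contains $true) {
    'Expected behaviour: suffix matches TND, Always On should NOT trigger here.'
} else {
    'Expected behaviour: no adapter suffix matches TND, Always On WILL try to connect.'
}

# 3. Does the VPN server name resolve from this network? If it does, a client that
#    mis-evaluates TND has a reachable target; if there is no record and the forwarders
#    do not answer either, the attempt fails on the client before reaching the edge.
try {
    $answer = Resolve-DnsName -Name $ServerFqdn -Type A -DnsOnly -ErrorAction Stop
    $ips = ($answer | Where-Object Type -eq 'A' | ForEach-Object IPAddress) -join ', '
    "$ServerFqdn resolves to: $ips"
} catch {
    "$ServerFqdn does not resolve from this network: $($_.Exception.Message)"
}
```

For a device tunnel the profile lives in the system context, so `Get-VpnConnectionTrigger` has to be run as SYSTEM (for example via `psexec -s`) to see that profile; run from a user prompt it only sees user tunnels. An adapter that is Up but has an empty connection-specific suffix (a dock whose NIC got no suffix from DHCP, or a wireless SSID served by a DHCP scope without option 15) will show `TrustedMatch = False` in step 2, which is the usual reason TND "does not work" on only some machines.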

Works with ours, how do you deploy?

We’re using AOVPN as well and also had problems with network detection. Followed Richard's advice by simply not creating an internal DNS record at all and it works perfectly.

So don’t create a record and point it to nothing, just don’t create a record full stop.

Deploy through Intune, ProfileXml since we have exclusion routes.
It works for some clients, but not the majority of them.

The setting is absolutely correct, and I can see that it has been applied to the profile.
Yet this poor quality product refuses to actually honor the setting for the majority of clients.

All clients have the exact same profile deployed to them.

  1. Profile deploys just fine
  2. Setting is applied to rasphone.pbk just fine
  3. Works for some clients, but not for the majority

We don’t have a record on the internal domain, but we have forwarders, which will resolve the DNS query for MyAoVpn.domain.com

Maybe I should create a conditional forwarder for that domain and point it to my internal DNS servers

Btw, not creating the record will not stop the client from making 100s of attempts each day, cluttering up the event logs, and using resources on the machine. The only benefit you’ll get is that the traffic won’t reach the network, but remain on the client.

Care to share the xml (stripped of sensitive data) to pm?

No need for PM if there is no sensitive data. It’s a pretty generic xml.

```xml
<!-- Element names restored from the VPNv2 CSP ProfileXML schema around the values
     that survived extraction; where a value alone does not identify its element
     (the three "true" flags, the /32 route) the placement is an assumption. -->
<VPNProfile>
  <NativeProfile>
    <Servers>MyAoVPNDeviceT.domain.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
    <!-- "Custom IPSec settings" (CryptographySuite contents not shown in the post) -->
  </NativeProfile>
  <!-- Various routes in separate Route tags; one shown, prefix 32 as in the post -->
  <Route>
    <PrefixSize>32</PrefixSize>
  </Route>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <DnsSuffix>MyDomain.local</DnsSuffix>
  <TrustedNetworkDetection>MyDomain.local</TrustedNetworkDetection>
</VPNProfile>
```

Looks like ours, but our DnsSuffix is .mydomain.local - note the full stop. idk if that changes stuff…

Is trustednetworkdetection also .MyDomain.local?

In Richard Hicks’ example both settings are “Mydomain.local”

So it should work, but it doesn’t. Like so much else with this terrible product. Do everything right, and by the book. It’ll still decide to not work on random stuff.