
Windows Server Remote Access (RRAS) Management Pack for VPN and Direct Access


At the time of this writing, the last Windows Server Remote Access Management Pack released by Microsoft was for Windows Server 2012 R2. Customers need to monitor their VPN solutions deployed using the Windows Server Remote Access role on Windows Server 2016 and 2019. This MP will discover and monitor all your RRAS servers on Windows Server 2012 and later.

Quick Download:  https://github.com/thekevinholman/RemoteAccessMP

I basically started with the WS 2012R2 MP, but made a LOT of changes.  It was not a good MP, I soon found:

  • Changed the discovery to be OS version agnostic
  • Disabled all the event collection rules (what a terrible thing to do originally!)
  • Removed the massive number of classes.  They served absolutely no purpose and just bloated the MP, a very common issue with a lot of Microsoft MPs.
  • Rewrote the Distributed Application to contain Remote Access Servers instead of sites, so it populates now.
  • Removed On-Demand detection from the Heuristic monitortype, and set “ConfirmDelivery=false” on all Heuristic monitors; the previous configuration was breaking cookdown.
  • Added a RunAs profile, which will be used by the discovery script and the Heuristics script monitor, if needed.
  • Cleaned up the ID of the MP, and some class names
  • Cleaned up the views
  • Cleaned up the discovery and monitoring PowerShell scripts

 


16 Comments

  1. Martin

    Hi!

    Good work Kevin. 🙂

    Maybe good to know is that we had (AP.Remote.Access v19.5.5) installed, see more info –> https://c22mort.github.io/RemoteAccess.html.
    I had to remove AP.Remote.Access v19.5.5 before Microsoft Windows Server Remote Access Management Pack 10.0.0.0 could be installed. Otherwise there will be a naming conflict in the database and the installation will be canceled.

    • Kevin Holman

      WOW. I had no idea that existed.

      I have done some additional work on this one recently to the one I posted and I believe it fixes a lot of the issues in the original MP.

  2. Dave L

    Hi Kevin

    Can your updated MP monitor AlwaysON VPN as well as Direct Access? It looks like this will cover the RAS server components, but how about the NPS role?

    Thanks

  3. Johnny

    Hi Kevin,

    When I try to import the MP, I got the following error.

    ————————————————————————————————————————————————–
    Microsoft Windows Remote Access Server could not be imported.

    If any management packs in the Import list are dependent on this management pack, the installation of the dependent management packs will fail.

    Database error. MPInfra_p_ManagementPackInstall failed with exception:
    [MP ID: 3d274d76-7ee2-b5a7-fe35-ae87563e99d0][MP Version: 10.0.0.10][MP PKT: ] Database error. MPInfra_p_ManagementPackInstall failed with exception:
    ManagementPack cannot be imported because it contains a Relationship Type with the same name as an existing type: RemoteAccessSite.Contains.RemoteAccessServer

    ———————————————————————————————————————————————————

    Am I missing any MP? Please advise.

    Thank you!

      • Johnny Chan

        Yes, I have the following MP installed

        – Microsoft Windows RemoteAccess 2012 Monitoring
        – Microsoft Windows RemoteAccess 2012 R2 Monitoring
        – Multi-Tenant RemoteAccess Server 2012 R2 (Discovery)
        – Multi-Tenant RemoteAccess Server 2012 R2 (Monitoring)

        Thank you!

        • Kevin Holman

          You need to remove:

          – Microsoft Windows RemoteAccess 2012 Monitoring
          – Microsoft Windows RemoteAccess 2012 R2 Monitoring

          As those are replaced by my MP.

  4. Ike Fuentes

    My SCOM SME is out on vacation so if you can give me a quick tutorial how to gather AOVPN Client counts, that would make our team look good!

  5. Jens

    Hello Kevin!

    Thanks for bringing this MP to my attention!

    At the moment, around a week after I installed it, I still don’t get any VPN servers discovered. After reading the guide, I reckon this is a permission problem. Can you clarify “The account that runs the workflows in the management pack will need to have full control permissions for the DirectAccess Server GPO”? We do not use DA and don’t have a Group Policy Object for DA. Or did you mean the OU? I’m not really sure what a bunch of VPN servers (only SSTP) need in terms of permissions, but would like to finally discover my VPN hosts and start monitoring them.

    Cheers
    Jens

  6. CyrAz

    That’s probably not the best place to ask, but since you mention that you “set confirmdelivery=false”, could you elaborate on what confirmdelivery actually is for? And while we are at it, what about Priority?

    I’ve not been able to find much relevant information, and these don’t really seem to make any difference in my workflows.

    Thanks 🙂

    • Kevin Holman

      I wish I knew. 🙁
      I only know they break cookdown. I don’t write much that needs cookdown, so it doesn’t come up often, and when it does, I turn it off. Wish I had a better answer.
