I typically use VMs when connecting to customer environments. I do this so that the machine has nothing installed, is on a different network from my home network (I have a special network for secure guests), and also so that I can run my VPN client on it without affecting my other operations.
I use Hyper-V to host these guests and the other day I was unable to connect to the client’s VPN after the guest had rebooted. I looked at the log and was seeing this
The interesting line there is this: “VPN establishment capability from a remote desktop is disabled. A VPN connection will not be established.”
This is a policy, available from most VPN providers, that blocks VPN connections originating from endpoints that have an RDP session established to them. I thought maybe this customer had all of a sudden changed this policy, but I did think it was weird that it happened immediately after a reboot.
So I tried connecting to another client and got the same message. I started thinking of other potential changes that I made and then I remembered: I recently started using enhanced sessions with Hyper-V.
I reconnected to the VM just by opening the console without it being an enhanced session, and sure enough it worked. So what gives?
I use enhanced sessions primarily so that I can control the window size (if I am running AnyConnect, I likely can't RDP into the guest).
Enhanced sessions give you many features of an RDP session without it actually being an RDP session. You can get more details here.
The problem is that whatever mechanism the AnyConnect client uses to detect an RDP session on the endpoint running AnyConnect treats enhanced sessions as real RDP sessions.
Fortunately there is a very easy workaround. Open a normal console session to the guest (View and then uncheck “Enhanced session”).
Then start AnyConnect to make the VPN connection. Once the connection is established, go to "View" again and check "Enhanced session". This will reconnect to the guest without dropping the VPN connection. This works because the AnyConnect client only performs the RDP check during the initial connection.
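To see for yourself how the guest reports a given session, here is an added PowerShell check (not from the original post, and not AnyConnect's code) that mirrors the kind of remote-session test a VPN client performs. It assumes the client relies on the standard Win32 GetSystemMetrics(SM_REMOTESESSION) check, which this page does not confirm for AnyConnect; run it inside the guest once from a plain console session and once from an enhanced session and compare.

```powershell
# Added example: report whether the current interactive session looks like an
# RDP-style remote session to the OS. Assumption: the VPN client's "no VPN from
# a remote desktop" policy uses the same Win32 check shown here.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("user32.dll")]
public static extern int GetSystemMetrics(int nIndex);
'@
Add-Type -AssemblyName System.Windows.Forms

# SM_REMOTESESSION: non-zero when the calling process runs in a remote session.
$SM_REMOTESESSION = 0x1000

function Test-RemoteSession {
    # Two independent views of the same OS state; they should agree.
    $byMetric = [Win32.Native]::GetSystemMetrics($SM_REMOTESESSION) -ne 0
    $byDotNet = [System.Windows.Forms.SystemInformation]::TerminalServerSession
    [pscustomobject]@{
        # "Console" for a plain console session; an RDP-style listener name otherwise.
        SessionName    = $env:SESSIONNAME
        RemoteByMetric = $byMetric
        RemoteByDotNet = $byDotNet
    }
}

$state = Test-RemoteSession
$state | Format-List

if ($state.RemoteByMetric) {
    Write-Warning ("This session is reported as remote; a VPN client enforcing the " +
                   "remote-desktop policy will refuse to connect. Switch to a plain " +
                   "(non-enhanced) console session before starting the VPN client.")
} else {
    Write-Host "Plain console session: the VPN client's RDP check should pass."
}
```

If the enhanced session reports RemoteByMetric as True while the plain console reports False, that is the behaviour described above, and the uncheck-connect-recheck sequence is the way to work around it.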
Just a quick disclaimer: since this is somewhat of a workaround to a policy, I would check with the security folks and/or clients to make sure they are OK with you doing this.