Clients and VMs and VPNs, Oh My!
As regular readers of this blog may be aware, I recently hung up my technical evangelist hat, and made the jump back into full-time consulting.
Consistent with best practices, I decided that when working with a new client, the best course of action would be to set up a new virtual machine to keep all of the development environment, tools, and files isolated from anything on my host machine. That helps minimize the risk that installing the latest bleeding-edge tools (which are good to have to stay ahead of the learning curve) endangers the work I’m doing for the client.
With my current client, I need to be able to access files, servers, and tools on their remote network, which they enable via the Cisco AnyConnect VPN client software. So far, so good. I had no trouble at all installing and connecting with this software from my laptop over my FiOS connection. Just like being at the office.
The Tricky Part
Unfortunately, the VPN connection does not pass through to the virtual machine I set up, using client Hyper-V on Windows 8.1 (update 1). Which is interesting, because while I was onsite recently, when I connected to the LAN directly via cable, that connection would pass through to the VM. But since I’m not a networking geek, I’ll leave that to others to explain.
So, the next step was to try installing the VPN client software in the VM itself. But it was not to be. The client software installs fine, but I found that when I tried to connect, I’d get the following error message:
OK, so now what? Well, truth be told, since I didn’t have time to troubleshoot this immediately, I set the problem aside for a while, which can be a good way to let your brain work on the problem while you’re doing other things.
Or sometimes, you get lucky…this was one of those times.
Basic or Enhanced?
By good fortune, this morning, I ran across a brief blog post by Osama Mourad (No, not the same person who runs one of the CMAP Special Interest Groups), which suggested that connecting the VPN was possible “if connected to the VM using Hyper-V Manager.” A bit cryptic, but it gave me hope that it was at least possible.
Here’s where luck comes in. I was trying to see if there was a different way to connect to the VM from Hyper-V Manager, when I noticed that if I did not have the VM session window full-screen, there is an icon at the end of the toolbar that looks like this:
That button switches the VM session from Enhanced Session Mode (the default in newer versions of Hyper-V), which uses a Remote Desktop Connection to interact with the VM, to Basic Session Mode, which provides simple screen, keyboard, and mouse redirection.
And beautifully, it turns out that in Basic Session Mode, connecting the VPN works just fine. And once connected, you can switch back to Enhanced Session Mode, and the VPN will remain connected.
Conclusion
Using a virtual machine is a good practice for keeping your client environment isolated from your day-to-day experiments or bleeding edge tools, etc. And it also has the advantage of making the environment portable. You can store the VM files on a portable drive, or copy them from one machine to another if you need to migrate systems.
But along with the convenience comes the occasional head-scratcher or stumbling block. I hope that this post will help anyone else who runs into this particular issue resolve their problem.
You can learn more about Enhanced Session Mode from this TechNet article. My thanks to Osama for the clue that helped me track down the solution.
Comments
Comment by Scott on 2014-09-15 22:36:00 +0000
Thank you very much, this saved me from having to figure out a workaround. I was going to sleep on it to see if anything came to me, but thanks to you… I can have a better dream!
Cheers,
Scott
Comment by devhammer on 2014-09-16 08:06:00 +0000
@Scott Glad to hear it helped you. I wish it were a little more convenient, but it’s something I use every day myself.
Comment by Fredrik on 2014-11-10 03:37:00 +0000
You just saved me a loooot of work! Thank you so much!
Fredrik
Comment by devhammer on 2014-11-10 10:39:00 +0000
Great! Glad I could help!
Comment by Patrick on 2015-02-20 00:31:00 +0000
Thanks a lot for this. It’s been really annoying me!
Comment by spanky on 2015-03-05 15:13:00 +0000
Great post!
Comment by devhammer on 2015-03-05 15:19:00 +0000
Glad you liked it! Thanks for stopping by.
Comment by prakash on 2015-03-08 18:29:00 +0000
Thanks works great
Comment by devhammer on 2015-03-09 13:12:00 +0000
My pleasure…glad to hear it helped!
Comment by Pumzi-Code on 2015-03-28 15:21:00 +0000
Do you need to have Hyper-V installed to work? I want to connect with AnyConnect?
Comment by devhammer on 2015-03-30 17:03:00 +0000
Not sure I understand the question, but if you’re not running a Virtual Machine, you don’t need my tip at all. Perhaps you could elaborate?
Comment by Ed Downs on 2015-05-07 18:04:00 +0000
Thanks for this info!
Comment by devhammer on 2015-05-07 18:08:00 +0000
You’re very welcome.
Comment by Shane Mook on 2015-06-12 13:02:00 +0000
The AnyConnect VPN client disables IP forwarding. I’m assuming Hyper-V VMs are using NAT, in which case it would be unable to forward the traffic on to any private subnets.
Comment by qzzyzxqKjetil on 2015-09-22 07:23:11 +0000
Great blogpost. Solves a common problem with a quick and simple solution.
You could get your VPN admins to allow remote desktop logon but to get that through is just so much harder. (and might be a security risk)
Also I love that you have checked that you can turn back on enhanced mode. That’s actually quite good to have the enhanced mode capabilities on hand also when on VPN. 🙂
Comment by Boris on 2016-01-26 16:20:09 +0000
I have same issue. Thank you for the tip.
This is what happens. In the AnyConnect profile there is a parameter
It can have at least 2 values
AllowRemoteUsers
or
LocalUsersOnly
if it is set to AllowRemoteUsers no problem you may use a remote desktop
if not 🙂 you got a solution
Best wishes, and thank you again for the tip
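A read-only check related to the comment above, added here as an example (not code from the post, its commenters, or Cisco). It assumes the profile setting the comment refers to is `WindowsVPNEstablishment`, that profiles sit in the client's default `%ProgramData%` directory, and that Windows flags a Hyper-V Enhanced Session as a remote session.

```powershell
# Added example: report how each installed AnyConnect profile treats VPN
# establishment from remote sessions, and whether this session is one.
# Read-only: nothing on the system is changed.

# Assumption: default profile directory of the AnyConnect Windows client.
$profileDir = Join-Path $env:ProgramData 'Cisco\Cisco AnyConnect Secure Mobility Client\Profile'

# True when Windows reports the current logon as a remote (RDP-style) session.
# Assumption: Hyper-V Enhanced Session Mode is reported this way, Basic is not.
Add-Type -AssemblyName System.Windows.Forms
$isRemote = [System.Windows.Forms.SystemInformation]::TerminalServerSession

function Get-VpnEstablishmentSetting {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    # local-name() avoids depending on the profile's XML namespace.
    $node = $doc.SelectSingleNode("//*[local-name()='WindowsVPNEstablishment']")
    if ($node) { $node.InnerText.Trim() } else { $null }
}

if (-not (Test-Path -LiteralPath $profileDir)) {
    Write-Warning "No AnyConnect profile directory found at $profileDir"
    return
}

Get-ChildItem -LiteralPath $profileDir -Filter *.xml | ForEach-Object {
    $value = Get-VpnEstablishmentSetting -Path $_.FullName

    # Interpretation follows the comment above: AllowRemoteUsers permits
    # connecting over remote desktop, LocalUsersOnly does not.
    $expectation = if ($null -eq $value) {
        'Setting absent: client default applies'
    } elseif ($value -eq 'LocalUsersOnly' -and $isRemote) {
        'Connect from this session is expected to be refused'
    } else {
        'No remote-session restriction expected for this session'
    }

    [pscustomobject]@{
        Profile                 = $_.Name
        WindowsVPNEstablishment = $value
        RemoteSession           = $isRemote
        Expectation             = $expectation
    }
}
```

Run it inside the VM once in each session mode; only the `RemoteSession` column should differ between the two runs.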
Comment by José Manuel Nieto Sánchez on 2016-04-14 08:57:10 +0000
Thank you!
Comment by Kasper Nørskov on 2016-05-03 10:47:26 +0000
Did not work for me…
Comment by Kevin McCullor on 2018-10-10 14:13:46 +0000
Great tip switching to Basic to get AnyConnect to work.
Using Basic Session you lose the Clipboard Copy and Paste between the Host and Guest OS.
Is there any way to have both?
Comment by G. Andrew Duthie on 2018-10-16 18:39:38 +0000
I don’t know, sorry. Been a while since I’ve looked at this.
Comment by Darrel on 2019-02-05 17:20:14 +0000
Yes, sort of. After you’ve established your connection in Basic mode, you can switch back to enhanced and the vpn will still be connected.
Comment by Dave Heidstra on 2020-01-24 08:33:02 +0000
Even now this issue still remains thanks for this post! 🙂
Comment by John on 2020-03-21 23:58:52 +0000
This article possibly saved an entire city from losing its IT level access
Comment by Łukasz Lech on 2021-03-29 13:41:35 +0000
It is 2021 and the issue is still there…
Thanks for the timeless solution. 🙂
Comment by matej on 2022-03-18 08:29:11 +0000
thanks, it works nicely! …still in 2022
Comment by Norg on 2022-07-20 16:49:14 +0000
This post is a life saver, works like a charm.
Comment by Jason Molzen on 2022-09-19 16:46:00 +0000
Thank you for keeping this article posted and alive! Yes, this fixed it for me too
Comment by Roger on 2022-09-21 12:49:20 +0000
Thank you so much for this, it helped me a lot!
Comment by X on 2022-11-08 12:24:00 +0000
Thanks a lot, This has saved me a vast amount of time!!!
Comment by Bill on 2022-11-17 16:48:44 +0000
We were trying to establish a VPN connection with Cisco AnyConnect from a Win 10 VM (Hyper-v Manager Version: 10.0.19041.1)
and it works like a charm!
Comment by Adrenalyze on 2024-11-26 20:51:03 +0000
It’s already 2024 and your post still saved me just like that.