Block as follows - outbound: UDP Any Any Any 443,80   You can verify it's working by doing the following before creating the rule using Chrome. Go to youtube.com and in Chrome open Developer Tools -- Security -- Look for "QUIC" under Connection.   Once you have created and saved the rule and given the MX a minute or two to pull down the changes, hard refresh the page and where it said QUIC originally it should now say TLS 1.3 or similar. ... View more

DoH and DoT is now a category that can be chosen on the content filtering page. ... View more

I think I've fixed this now - I had to change the source port from 443,80 to Any and I can now see hits against it and when using the 'Security' tab in Developer Tools it now shows TLS 1.3 rather than QUIC. ... View more

Would the correct way to block it be: Deny UDP Any 443,80 Any 443,80 ? When I have that in place I'm not seeing any hits against it (am trying to access Facebook, YouTube and Gmail to trigger it, using Chrome). The rule is at the bottom of our deny rules list, but placed before any allow rules if that makes any difference. ... View more

Just to close the loop on this one - it was a fairly simple fix in the end.   To create a self-signed cert (to enable Meraki Client VPN via AD auth to work):   PowerShell (admin) and run the command New-SelfSignedCertificate -DnsName "servername.fqdn.domain" -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation "Cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(10) Hit your Windows Key and type “Cert” and click on Manage Computer Certificates Go to Personal > Certificates and see your new Cert that you just created Right-click the new Cert and go to All Tasks > Export Yes, export the private key Personal Information Exchange, check the following: Include all certificates Export all extended properties Check Password: Make a password you’ll remember Browse to an easy to remember location like C:\Certs and Finish Expand Trusted Root Certificate Authorities, right click Certificates > All Tasks, Import… Choose your cert, enter the password, make sure importing is a success Test Note: DO NOT DELETE the certificate from Personal > Certificates - it needs this one otherwise Auth will continue to fail. ... View more

I can't explain how, but for some reason now it is working. Very strange as I tried it on 3 different laptops, each of which had a slightly different configuration. Always seems to happen when you finally decide to reach out for help!   The only challenge now is how to deploy it out to all the laptops on the domain. The PS scripts are stored locally on all laptops (pushed out using GPO file copy) and a start-up script configured, however given that needs to run prior to logon it fails. Trying to connect the VPN via the logon screen still doesn't allow it to process any start-up GPOs.   If the laptop is in the office that would be fine, but given most users are working remotely now due to COVID-19, I need to find a solution to push out these new VPN profiles. ... View more

I've tried a number of scripts including yours Nash. The connection etc. all creates fine and the VPN connects, however even with using the remote gateway (i.e. split tunneling is not turned on) I just cannot hit anything on our internal network.   Traffic to external sites works fine, but if I ping anything internal or try RDP for example it just times out.   I've checked the settings via the GUI once created and they look exactly the same as if I had of just created the VPN connection in the GUI so not sure where else to look?   Disabled Windows Firewall too and still no joy. ... View more

Using AD auth.   Password replication policy is in place, but I don't believe LDAPS is in place. Would we need to have a CA server running in the environment in order to use LDAPS? ... View more

No, no one can VPN through the MX65W when it's pointing to a RODC for AD authentication.   Once I changed the AD controller it's pointing at to a full DC, authentication is fine. ... View more