Always On VPN: The Magical VPN Everyone Should Have, All You Need to Know


Always On VPN is a Microsoft remote access solution that is built into Windows 10. Microsoft has positioned Always On VPN as the replacement for their older remote access solution (DirectAccess).

When planning a deployment of Always On VPN, keep in mind that it is a solution for users or devices that need remote access to local resources on a corporate network.

Always On VPN provides a single, cohesive solution for remote access and supports domain-joined, non-domain-joined (workgroup), and Azure AD-joined devices, including personally owned devices. The connection type does not have to be exclusively user or device; it can be a combination of both.

For example, you could enable device authentication for remote device management, and then enable user authentication for connectivity to internal company sites and services.

How Does Always On VPN Work?

Always On VPN allows a client to establish a VPN connection automatically, without any user interaction. The technology that makes this possible is the VPNv2 configuration service provider (CSP) built into Windows 10. The CSP lets the built-in Windows 10 VPN client be configured from a ProfileXML document delivered by an MDM solution such as Intune, or applied locally with PowerShell through the MDM Bridge WMI provider.

The server side of a typical Always On VPN deployment requires at least one VPN server and one authentication (RADIUS) server. A common solution is Windows Server with the Routing and Remote Access role installed as the VPN server, and Windows Server with the Network Policy Server role installed as the RADIUS server. These do not need to be Microsoft servers, however; third-party solutions or appliances can be used. Additionally, a certificate authority is required to issue certificates to the servers and clients. The certificates are used to authenticate the VPN connection: the client validates the server certificate, and with IKEv2 machine certificate or EAP-TLS user authentication it presents its own.

User Tunnel

The User Tunnel is established when a user logs into a computer. This type of tunnel is ideal for granting access to file shares or applications.

Here is a high-level overview of the connection process for an Always On VPN user tunnel.

  1. The VPN client sends a connection request to the external IP address of the VPN server
  2. The edge firewall passes the connection request to the external interface of the VPN server
  3. The VPN server passes the connection request to the RADIUS server. The connection request leaves via the internal interface of the VPN server and passes through the internal firewall
  4. The RADIUS server receives and authenticates the connection request
  5. The RADIUS server returns an accept or deny response to the VPN server
  6. The VPN server allows or denies the connection request based on the response from the RADIUS server

Device Tunnel

The Device Tunnel is established as soon as a computer is powered on and connected to the internet. A user does not need to be logged into a computer for a device tunnel to connect. This type of tunnel is ideal for granting access to Active Directory or other management servers like Configuration Manager.

  1. The VPN client sends a connection request to the external IP address of the VPN server
  2. The edge firewall passes the connection request to the external interface of the VPN server
  3. The VPN server validates the computer authentication certificate of the client and allows or denies the connection request

Always On VPN Protocols

IKEv2

Internet Key Exchange version 2 (IKEv2) has good security and good performance, and its ability to re-establish the IPsec session automatically after a short interruption gives it good reliability as well. The primary concern with IKEv2 is that it runs over UDP: IKE negotiation uses UDP 500, and once a NAT is detected on the path both IKE and the ESP payload are encapsulated in UDP 4500. Guest, hotel and some corporate networks block these ports, which makes IKEv2 the protocol more likely to be blocked by firewalls.
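The following PowerShell is an added example, not code from the original article. On the RRAS server it replaces the default IKEv2 IPsec policy with a modern one (the default policy Windows Server RRAS offers still includes 3DES, SHA-1 and DH group 2), and on a connected client it reads the negotiated IKEv2 main mode security association and fails if a legacy primitive was chosen. The gateway name vpn.corp.example.com and the two function names are this example's own assumptions; the cmdlets and parameters are those of the RemoteAccess and NetSecurity modules. The client ProfileXML's CryptographySuite element must carry the same algorithm values, otherwise the IKE negotiation fails.

```powershell
# Added example (not from the original article). Hypothetical gateway name below.
$Gateway = 'vpn.corp.example.com'

function Set-AovpnIkev2Policy {
    # Run on the Windows Server RRAS gateway (RemoteAccess module, elevated).
    # GCM-AES for ESP, AES-128/SHA-256/DH group 14 for IKE, PFS with a 2048-bit group.
    # These values must match <CryptographySuite> in the client ProfileXML.
    Set-VpnServerConfiguration -TunnelType Ikev2 -CustomPolicy `
        -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
        -CipherTransformConstants GCMAES128 -AuthenticationTransformConstants GCMAES128 `
        -PfsGroup PFS2048 -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400 `
        -SADataSizeForRenegotiationKilobytes 1024000
    # The policy only applies to new IKE exchanges; restarting RRAS drops current sessions.
    Restart-Service RemoteAccess -Force
    Get-VpnServerConfiguration   # shows the policy the server now offers to clients
}

function Test-AovpnIkev2Sa {
    # Run on a client while the tunnel is up. Finds the IKEv2 main mode SA to the
    # gateway and throws if any legacy primitive was negotiated.
    param([string]$RemoteHost = $Gateway)
    $gwIps = (Resolve-DnsName -Name $RemoteHost -Type A).IPAddress
    $sa = Get-NetIPsecMainModeSA |
          Where-Object { $_.KeyModule -eq 'IKEv2' -and $_.RemoteEndpoint -in $gwIps } |
          Select-Object -First 1
    if (-not $sa) { throw "No IKEv2 main mode SA to $RemoteHost; is the tunnel connected?" }
    $legacy = 'DES', 'DES3', 'MD5', 'SHA1', 'DH1', 'DH2'
    $weak = @($sa.CipherAlgorithm, $sa.HashAlgorithm, $sa.GroupId) | Where-Object { "$_" -in $legacy }
    if ($weak) { throw "Weak IKEv2 parameters negotiated with ${RemoteHost}: $($weak -join ', ')" }
    $sa | Select-Object LocalEndpoint, RemoteEndpoint, CipherAlgorithm, HashAlgorithm, GroupId, MaxLifetimeSeconds
}

# Usage: Set-AovpnIkev2Policy on the server, then Test-AovpnIkev2Sa on a client.
```

Run the server function once per RRAS host and the client check as part of pilot validation: if the two sides disagree on the proposal, the client never gets past IKE_SA_INIT and the tunnel silently falls back to SSTP (user tunnel) or does not come up at all (device tunnel).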


SSTP

Secure Socket Tunneling Protocol (SSTP) also has good security and good performance. Its main benefit is that it runs over TLS on TCP 443, so it is very unlikely to be blocked anywhere. The downsides are that SSTP supports user authentication only (no machine certificate, so it cannot carry a device tunnel), that tunnelling TCP inside TCP performs poorly on lossy links, and that it does not recover from connection interruptions as well as IKEv2.

Read More: Microsoft Documentation.

Always On VPN features and functionalities

Each entry below names a functional area, how Always On VPN covers it, and the VPNv2 CSP node(s) used to define it.

Functional area: Seamless, transparent connectivity to the corporate network.
Always On VPN: You can configure Always On VPN to support auto-triggering based on application launch or namespace resolution requests.
Define using: VPNv2/ProfileName/AlwaysOn, VPNv2/ProfileName/AppTriggerList, VPNv2/ProfileName/DomainNameInformationList/AutoTrigger

Functional area: Use of a dedicated infrastructure tunnel to provide connectivity for users not signed in to the corporate network.
Always On VPN: You can achieve this functionality by using the Device Tunnel feature in the VPN profile.
Note: Device Tunnel can only be configured on domain-joined devices running Windows 10 Enterprise or Education (version 1709 or later), using IKEv2 with computer certificate authentication.
Define using: VPNv2/ProfileName/DeviceTunnel

Functional area: Use of manage-out to allow remote connectivity to clients from management systems located on the corporate network.
Always On VPN: You can achieve this functionality by using the Device Tunnel feature in the VPN profile, combined with configuring the VPN connection to dynamically register the IP addresses assigned to the VPN interface with internal DNS services.
Note: If you turn on traffic filters in the Device Tunnel profile, the Device Tunnel denies inbound traffic (from the corporate network to the client), which breaks manage-out.
Define using: VPNv2/ProfileName/DeviceTunnel, VPNv2/ProfileName/RegisterDNS

Functional area: Fallback when clients are behind firewalls or proxy servers.
Always On VPN: You can configure the client to fall back to SSTP (from IKEv2) by using the automatic tunnel/protocol type within the VPN profile.
Note: User Tunnel supports SSTP and IKEv2; Device Tunnel supports IKEv2 only, with no SSTP fallback.
Define using: VPNv2/ProfileName/NativeProfile/NativeProtocolType

Functional area: Support for end-to-edge access mode.
Always On VPN: Always On VPN provides connectivity to corporate resources by using tunnel policies that require authentication and encryption until they reach the VPN gateway. By default, the tunnel sessions terminate at the VPN gateway, which also functions as the IKEv2 gateway, providing end-to-edge security.

Functional area: Support for machine certificate authentication.
Always On VPN: The IKEv2 protocol type available as part of the Always On VPN platform specifically supports the use of machine or computer certificates for VPN authentication.
Note: IKEv2 is the only supported protocol for Device Tunnel, and there is no SSTP fallback option.
Define using: VPNv2/ProfileName/NativeProfile/Authentication/MachineMethod

Functional area: Use security groups to limit remote access functionality to specific clients.
Always On VPN: You can configure Always On VPN to support granular authorization when using RADIUS, which includes the use of security groups to control VPN access.

Functional area: Support for servers behind an edge firewall or NAT device.
Always On VPN: Always On VPN gives you the ability to use protocols like IKEv2 and SSTP that fully support a VPN gateway placed behind a NAT device or edge firewall.
Note: User Tunnel supports SSTP and IKEv2; Device Tunnel supports IKEv2 only, with no SSTP fallback.

Functional area: Ability to determine intranet connectivity when connected to the corporate network.
Always On VPN: Trusted network detection provides the capability to detect corporate network connections. It is based on an assessment of the connection-specific DNS suffix assigned to network interfaces and the network profile.
Define using: VPNv2/ProfileName/TrustedNetworkDetection

Functional area: Compliance using Network Access Protection (NAP).
Always On VPN: The Always On VPN client can integrate with Azure conditional access to enforce MFA, device compliance, or a combination of both. When compliant with conditional access policies, Azure AD issues a short-lived (by default, 60 minutes) IPsec authentication certificate that the client can then use to authenticate to the VPN gateway. Device compliance takes advantage of Configuration Manager/Intune compliance policies, which can include the device health attestation state. At this time, Azure VPN conditional access provides the closest replacement to the existing NAP solution, although there is no form of remediation service or quarantine network capability. For more details, see VPN and conditional access.
Define using: VPNv2/ProfileName/DeviceCompliance

Functional area: Ability to define which management servers are accessible before user sign-in.
Always On VPN: You can achieve this functionality in Always On VPN by using the Device Tunnel feature (available in Windows 10 version 1709 and later, for IKEv2 only) in the VPN profile, combined with traffic filters to control which management systems on the corporate network are accessible through the Device Tunnel.
Note: If you turn on traffic filters in the Device Tunnel profile, the Device Tunnel denies inbound traffic (from the corporate network to the client).
Define using: VPNv2/ProfileName/DeviceTunnel, VPNv2/ProfileName/TrafficFilterList
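The script below is an added example, not code from the original article or from Microsoft. It ties together the user tunnel and device tunnel connection sections above and the CSP nodes listed in the table: it builds ProfileXML for a user tunnel (IKEv2 with SSTP fallback, EAP user authentication, trusted network detection, split-tunnel routes and DNS) and for a device tunnel (IKEv2 with machine certificate authentication, either RegisterDNS for manage-out or a TrafficFilter lockdown, since the table notes that a traffic filter blocks inbound traffic), then installs whichever matches the context it runs in through the VPNv2 CSP via the MDM Bridge WMI provider. Everything named is a hypothetical assumption: gateway vpn.corp.example.com, DNS suffix corp.example.com, internal DNS 10.10.0.10, corporate range 10.10.0.0/16, management subnet 10.10.0.0/24, and an existing template connection 'AOVPN Template' whose EAP settings were configured in the GUI (the way Microsoft's deployment guidance obtains the EAP block). The WMI namespace, class and CSP node names are the documented ones; the function names are this example's own.

```powershell
# Added example, not code from the original article. Hypothetical values:
# gateway vpn.corp.example.com, DNS suffix corp.example.com, internal DNS
# 10.10.0.10, corporate range 10.10.0.0/16, management subnet 10.10.0.0/24,
# and a template connection 'AOVPN Template' with EAP configured in the GUI.
$VpnServer    = 'vpn.corp.example.com'
$DnsSuffix    = 'corp.example.com'
$InternalDns  = '10.10.0.10'
$TemplateName = 'AOVPN Template'

# Writes ProfileXML into the VPNv2 CSP through the MDM Bridge WMI provider.
# The profile lands in the context this runs in: the user's session for a
# user tunnel, SYSTEM (e.g. psexec -s) for a device tunnel, as the CSP requires.
function Install-AovpnProfile {
    param([Parameter(Mandatory)][string]$ProfileName,
          [Parameter(Mandatory)][string]$ProfileXml)
    $namespace  = 'root\cmi\mdm\dmmap'
    $className  = 'MDM_VPNv2_01'
    $instanceId = $ProfileName -replace ' ', '%20'   # the CSP URL-escapes the node name
    # CreateInstance fails if the node already exists, so drop any previous copy.
    Get-CimInstance -Namespace $namespace -ClassName $className -ErrorAction SilentlyContinue |
        Where-Object InstanceID -eq $instanceId | Remove-CimInstance
    $instance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespace
    foreach ($p in @(
            @{ Name = 'ParentID';   Value = './Vendor/MSFT/VPNv2'; Flags = 'Key' },
            @{ Name = 'InstanceID'; Value = $instanceId;           Flags = 'Key' },
            @{ Name = 'ProfileXML'; Value = $ProfileXml;           Flags = 'Property' })) {
        $instance.CimInstanceProperties.Add(
            [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Flags))
    }
    (New-CimSession).CreateInstance($namespace, $instance) | Out-Null
}

# IKEv2 proposal the client insists on; the RRAS server must offer the same policy.
$cryptoSuite = @"
    <CryptographySuite>
      <AuthenticationTransformConstants>GCMAES128</AuthenticationTransformConstants>
      <CipherTransformConstants>GCMAES128</CipherTransformConstants>
      <EncryptionMethod>AES128</EncryptionMethod>
      <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
      <DHGroup>Group14</DHGroup>
      <PfsGroup>PFS2048</PfsGroup>
    </CryptographySuite>
"@

# User tunnel: Automatic = IKEv2 with SSTP fallback. The EAP block is copied from
# the template connection rather than hand-written.
function New-UserTunnelXml {
    $eap = (Get-VpnConnection -Name $TemplateName).EapConfigXmlStream.InnerXml
    @"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <DnsSuffix>$DnsSuffix</DnsSuffix>
  <TrustedNetworkDetection>$DnsSuffix</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <NativeProtocolType>Automatic</NativeProtocolType>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap><Configuration>$eap</Configuration></Eap>
    </Authentication>
$cryptoSuite
  </NativeProfile>
  <Route><Address>10.10.0.0</Address><PrefixSize>16</PrefixSize></Route>
  <DomainNameInformation>
    <DomainName>.$DnsSuffix</DomainName>
    <DnsServers>$InternalDns</DnsServers>
  </DomainNameInformation>
</VPNProfile>
"@
}

# Device tunnel: IKEv2 and machine certificate only. A TrafficFilter makes the tunnel
# deny all inbound traffic, which defeats manage-out, so the profile carries either
# RegisterDNS (manage-out) or a filter confining it to the management subnet, never both.
function New-DeviceTunnelXml {
    param([switch]$AllowManageOut)
    $policy = if ($AllowManageOut) { '  <RegisterDNS>true</RegisterDNS>' } else {
        '  <TrafficFilter><RemoteAddressRanges>10.10.0.0/24</RemoteAddressRanges></TrafficFilter>' }
    @"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <TrustedNetworkDetection>$DnsSuffix</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <Authentication><MachineMethod>Certificate</MachineMethod></Authentication>
$cryptoSuite
  </NativeProfile>
  <Route><Address>10.10.0.0</Address><PrefixSize>24</PrefixSize></Route>
$policy
</VPNProfile>
"@
}

# Install whichever tunnel matches the security context this script runs in.
if ([Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
    Install-AovpnProfile -ProfileName 'AOVPN Device Tunnel' -ProfileXml (New-DeviceTunnelXml -AllowManageOut)
} else {
    Install-AovpnProfile -ProfileName 'AOVPN User Tunnel' -ProfileXml (New-UserTunnelXml)
}
```

Run the script twice on a pilot machine, once as the signed-in user and once as SYSTEM; afterwards Get-VpnConnection (and Get-VpnConnection -AllUserConnection for the device tunnel) shows both profiles. The same ProfileXML strings can be pasted into an Intune custom OMA-URI policy under ./User/Vendor/MSFT/VPNv2 or ./Device/Vendor/MSFT/VPNv2, where the XML must be entity-escaped; drop the -AllowManageOut switch when the device tunnel should only reach the management subnet.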

Always On Frequently Asked Questions

Is always on VPN secure?

Security: Always On VPN adds controls to restrict the type of traffic (traffic filters), which applications can use the VPN connection (per-app VPN) and which authentication methods can initiate the connection. Because the connection is active most of the time, it is especially important to secure it: prefer certificate-based authentication, keep the IKEv2 cipher suite current, and confine the device tunnel to the management systems it actually needs.

Is always on VPN better than DirectAccess?

Windows 10 Always On VPN is the way of the future. It provides better overall security than DirectAccess, it performs better, and it is easier to manage and support.

What technology behaves like an always on VPN connection?

Windows 10 Always On VPN replaces Microsoft's DirectAccess, which previously filled this role.

What is always on VPN Intune?

When your client machines synchronize with Intune, the Always On VPN configuration profile is applied and clients start connecting to the VPN gateway (an Azure VPN gateway or an on-premises RRAS server, for example). With the Always On VPN connection established, corporate resources can be reached from any network with internet access.

What ports does always on VPN use?

Publish User Datagram Protocol (UDP) ports 500 and 4500 to the VPN server's external interface for IKEv2, and TCP port 443 if you use SSTP or SSTP fallback. Between the VPN server and the RADIUS (NPS) server, allow UDP 1812 for authentication and UDP 1813 for accounting, which are the NPS defaults.

How is always on VPN different from a regular VPN?

Always On VPN works as an automated service that establishes a connection between the client and the VPN gateway with no user interaction whatsoever. It is meant as a replacement for DirectAccess, and it is easier to manage and implement and more secure.

Always On VPN MFA

Configuring multifactor authentication (MFA) is an excellent way to ensure the highest level of assurance for Always On VPN users. Azure MFA is widely deployed and commonly integrated with Windows Server Network Policy Server (NPS) using the NPS Extension for Azure MFA. Note that this applies to the user tunnel only: the device tunnel authenticates with a machine certificate directly at the VPN server and never reaches RADIUS, so the NPS extension cannot challenge it.

What is replacing DirectAccess?

Windows 10 Always On VPN is the replacement for Microsoft’s DirectAccess remote access technology. Always On VPN aims to address several shortcomings of DirectAccess, including support for Windows 10 Professional and non-domain joined devices, as well as cloud integration with Intune and Azure Active Directory.
