Remote Access is one of the key components of empowering the mobile workforce for productivity when away from the central production location and network. Over the years, the Virtual Private Network or VPN connection has been a staple of the remote access mobile workforce that allows connecting to business networks over an encrypted and secure private tunnel via the Internet. However, VPN deployments can be difficult to implement and maintain.

Table of Contents

  1. What is Microsoft Always On VPN?
  2. Microsoft Always On VPN Requirements
  3. Types of Deployment Scenarios for Microsoft Always On VPN
  4. Microsoft Always On VPN Advanced Features
  5. Concluding Thoughts

A few years back, Microsoft introduced DirectAccess which was touted as the solution for remote access challenges. It proved to be difficult to implement correctly and had limitations that affected its adoption. With Windows Server 2016 and higher, along with Windows 10, Microsoft has introduced a new remote access technology called Always On VPN.

Protect Your Data with BDRSuite

Cost-Effective Backup Solution for VMs, Servers, Endpoints, Cloud VMs & SaaS applications. Supports On-Premise, Remote, Hybrid and Cloud Backup, including Disaster Recovery, Ransomware Defense & more!

In this post, we’ll take a look at the following:

  • What is Microsoft Always On VPN?
  • What are its benefits and requirements?
  • Types of Deployment Scenarios

What is Microsoft Always On VPN?

Microsoft’s Always On VPN is the revamp of DirectAccess remote access technology seeking to overcome the limitations of DirectAccess and achieve much wider adoption. With the new Always On VPN technology, Microsoft is looking to achieve a single solution of remote access that supports a wide array of clients. Like DirectAccess, the VPN connection is “Always On” meaning there is no user input required unless multi-factor authentication is enabled. As soon as a client is connected to the Internet, the VPN connection is established. The range of supported clients, unlike DirectAccess, includes more than simply domain-joined clients:

Download Banner
  • Domain-joined
  • Non Domain-joined
  • Azure AD-joined devices
  • BYOD

An additional blocker to DirectAccess was that it required Enterprise edition from a client perspective. However, with AOVPN, Microsoft is allowing Windows 10 Pro and higher clients to benefit from the technology. The connections support both user and device type connections but can also combine the two. This allows managing a device with device management as well as enabling user authentication for connectivity to internal company sites and services.

VPN1

A high-level overview of Always On VPN technology Infrastructure Requirements

The connection process to connect using the Always On VPN technology involves the following steps:

  • DNS resolution is utilized by the remote Windows 10 client to resolve the IP address of the VPN gateway
  • Once the name resolution resolves the public IP address of the VPN gateway, the client sends a connection request to the Always On VPN gateway
  • The VPN gateway doubles as a RADIUS client that forwards the connection request over to the corporate NPS server to process the authentication request
  • The Network Policy Server performs the necessary authorization, authentication, and ultimately allows or denies the request
  • The connection is then established or disconnected based on the response from the NPS server

Microsoft Always On VPN Requirements

There are various moving parts and pieces to the Microsoft Always On VPN solution. Many of the requirements are already found in most enterprise customer environments. However, these include:

  • Domain Controllers
  • DNS Servers
  • Network Policy Server (NPS)
  • Certificate Authority Server (CA)
  • Routing and Remote Access Server

To dive a bit deeper into the requirements/prerequisites for setting up the Microsoft Always On VPN, there are many components of the Active Directory environment, including DNS and Certificate Authority Servers that are required.

  • Businesses must have both an external and internal DNS structure configured with zones for each. A parent and subdomain configuration is assumed at least in Microsoft documentation of perhaps a contoso.com and a corp.contoso.com
  • Organizations will need to configure a Public Key Infrastructure using Active Directory Certificate Services (AD CS). As with DirectAccess, the Always On VPN technology makes use of certificates to make the technology seamless.
  • An existing or new Network Policy Server will be needed. Existing servers can be used with the additional configuration for the AOVPN
  • Remote Access as RAS Gateway VPN – features enabled to support IKEv2 VPN connections and LAN routing
  • Two Firewall configuration – One firewall will be the edge firewall and the other is the internal firewall. The remote access server public interface will uplink to the edge firewall and the internal interface will sit in front of the internal firewall
  • The remote access server can be a VM or a physical server for use as the RAS host with the appropriate network connections “plumbed” between the firewalls
  • Administrator permissions to deploy the AOVPN technologies

Types of Deployment Scenarios for Microsoft Always On VPN

There are actually two deployment scenarios for the Microsoft Always On VPN technology. These include:

  • Always On VPN only
  • Always On VPN with VPN connectivity using conditional Azure Active Directory access

What is the conditional Azure Active Directory access?

Conditional Azure Active Directory access factors in how a resource is accessed into an access control decision. These automated access control decisions help to secure access. The conditional access factors in such things as the sign-in risk level, location of the request, client application, etc.

This helps to strike the balance needed with protecting resources and allowing end-users to be productive and progress to not be impeded unnecessarily.

VPN2

Azure Active Directory conditional access designs/center>

A few examples of the factors that are taken into account for either granting access or denying access are the following:

  • Sign-in Risk – Using machine learning, Azure detects sign-in risks based on the behavior of the sign-in request and potentially even blocking a user if warranted
  • Network Location – Based on a network location, more proof of identity may be needed to prove you are who you say you are. This can be considered in conditional access with Azure AD
  • Device Management – Perhaps you want to restrict access to only corporate-owned and managed devices, or you want to restrict the type of device that you allow to access corporate resources
  • Client Application – Control the types of applications allowed to access corporate environments or determine which apps need to be managed by corporate

Microsoft Always On VPN Advanced Features

There are many advanced features that are found in the AOVPN technology from Microsoft including:

  • High Availability
  • Advanced Authentication
  • Advanced Traffic Features
  • Additional Security Protection

High Availability

To ensure high availability with AOVPN, you can load balance traffic between multiple Network Policy Servers (NPS) and also use clustering technology with Remote Access. To provide geographic site resilience you can use the Global Traffic Manager with DNS in Windows Server 2016.

Advanced Authentication

The AOVPN supports Windows Hello for Business that replaces passwords with strong two-factor authentication including biometric or PIN. Additionally, you can use Azure Multi-Factor Authentication that can integrate with Windows VPN.

Advanced Traffic Features

Advanced features such as traffic filtering, app-triggered VPN, and VPN conditional access can all be used with the Microsoft AOVPN to further filter and secure traffic.

Additional Security Protection

Microsoft’s AOVPN is compatible with Trusted Platform Module (TPM) Key Attestation to provide higher security assurance for access.

Concluding Thoughts

Microsoft is aiming to make the VPN experience as seamless as possible. Since DirectAccess did not catch on as Microsoft had hoped, the new Always On VPN technology found in Windows Server 2016 and higher hopes to change that. With support for non-Enterprise licensed clients as well as non-domain joined clients, AOVPN is certainly in a much better position to be adopted by enterprises today. AOVPN has strong tie ins with Azure as well with the “conditional access” technology that allows making smarter decisions about who gains access to resources. Generally speaking, there is quite a bit of complexity involved with deploying AOVPN since it requires many more difficult to deploy technologies like PKS and NPS. There are certainly great benefits to the AOVPN solution for those who want to empower their mobile workforce with the latest security and seamless user experience.

Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.

4/5 - (1 vote)