Remote access is a key component of keeping a mobile workforce productive away from the central office and its network. For years, the Virtual Private Network (VPN) connection has been the staple of remote access, letting mobile users connect to business networks over an encrypted, private tunnel across the Internet. However, VPN deployments can be difficult to implement and maintain.
A few years back, Microsoft introduced DirectAccess, which was touted as the solution for remote access challenges. It proved difficult to implement correctly and had limitations that hurt its adoption. With Windows Server 2016 and higher, along with Windows 10, Microsoft has introduced a new remote access technology called Always On VPN.
In this post, we’ll take a look at the following:
- What is Microsoft Always On VPN?
- What are its benefits and requirements?
- Types of Deployment Scenarios
What is Microsoft Always On VPN?
Microsoft’s Always On VPN is a revamp of the DirectAccess remote access technology that seeks to overcome the limitations of DirectAccess and achieve much wider adoption. With Always On VPN, Microsoft is looking to deliver a single remote access solution that supports a wide array of clients. As with DirectAccess, the VPN connection is “Always On”, meaning no user input is required unless multi-factor authentication is enabled: as soon as the client has Internet connectivity, the VPN connection is established. Unlike DirectAccess, the range of supported clients includes more than domain-joined machines:
- Non domain-joined devices
- Azure AD-joined devices
An additional blocker for DirectAccess was that it required the Enterprise edition on the client. With AOVPN, Microsoft allows Windows 10 Pro and higher clients to benefit from the technology. Connections can be user-based or device-based, and the two can be combined: a device connection lets the device be managed, while a user connection authenticates the user for connectivity to internal company sites and services.
Connecting with Always On VPN involves the following steps:
- The remote Windows 10 client uses DNS to resolve the IP address of the VPN gateway
- Once name resolution returns the public IP address of the VPN gateway, the client sends a connection request to the Always On VPN gateway
- The VPN gateway doubles as a RADIUS client and forwards the connection request to the corporate NPS server, which processes the authentication request
- The Network Policy Server performs the necessary authentication and authorization and ultimately allows or denies the request
- The connection is then established or rejected based on the response from the NPS server
Microsoft Always On VPN Requirements
There are various moving parts to the Microsoft Always On VPN solution. Many of the requirements are already found in most enterprise environments. They include:
- Domain Controllers
- DNS Servers
- Network Policy Server (NPS)
- Certificate Authority Server (CA)
- Routing and Remote Access Server
To dive a bit deeper into the prerequisites for setting up Microsoft Always On VPN, many components of the Active Directory environment, including DNS and Certificate Authority servers, are required:
- Businesses must have both an external and an internal DNS structure configured, with zones for each. Microsoft’s documentation assumes at least a parent and subdomain configuration, such as contoso.com and corp.contoso.com
- Organizations will need a Public Key Infrastructure built on Active Directory Certificate Services (AD CS). As with DirectAccess, Always On VPN relies on certificates to make the connection seamless.
- An existing or new Network Policy Server will be needed. Existing servers can be used with additional configuration for AOVPN
- Remote Access installed as a RAS Gateway VPN, with the features enabled to support IKEv2 VPN connections and LAN routing
- Two firewalls: one is the edge firewall and the other is the internal firewall. The remote access server’s public interface uplinks to the edge firewall and its internal interface sits in front of the internal firewall
- The remote access server can be a VM or a physical server used as the RAS host, with the appropriate network connections “plumbed” between the firewalls
- Administrator permissions to deploy the AOVPN technologies
Types of Deployment Scenarios for Microsoft Always On VPN
There are two deployment scenarios for the Microsoft Always On VPN technology:
- Always On VPN only
- Always On VPN with VPN connectivity using conditional Azure Active Directory access
What is conditional Azure Active Directory access?
Conditional Azure Active Directory access factors how a resource is being accessed into the access control decision. These automated access control decisions help secure access. Conditional access considers such things as the sign-in risk level, the location of the request, the client application, and so on.
This helps strike the balance between protecting resources and letting end users stay productive without being impeded unnecessarily.
A few examples of the factors taken into account when granting or denying access are the following:
- Sign-in Risk – Using machine learning, Azure detects sign-in risk based on the behavior of the sign-in request and can block a user if warranted
- Network Location – Depending on the network location, more proof of identity may be required to prove you are who you say you are. This can be considered in conditional access with Azure AD
- Device Management – Perhaps you want to restrict access to only corporate-owned and managed devices, or you want to restrict the type of device that you allow to access corporate resources
- Client Application – Control the types of applications allowed to access corporate environments or determine which apps need to be managed by corporate
Microsoft Always On VPN Advanced Features
There are many advanced features in the AOVPN technology from Microsoft, including:
- High Availability
- Advanced Authentication
- Advanced Traffic Features
- Additional Security Protection
To ensure high availability with AOVPN, you can load balance traffic between multiple Network Policy Servers (NPS) and use clustering with Remote Access. For geographic site resilience, you can use the Global Traffic Manager with DNS in Windows Server 2016.
AOVPN supports Windows Hello for Business, which replaces passwords with strong two-factor authentication using a biometric or PIN. Additionally, you can use Azure Multi-Factor Authentication, which integrates with the Windows VPN client.
Advanced Traffic Features
Advanced features such as traffic filtering, app-triggered VPN, and VPN conditional access can all be used with the Microsoft AOVPN to further filter and secure traffic.
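As an added example that is not from the original post, the client-side profile below shows how the device connection, IKEv2 and traffic filtering described above come together in one VPNv2 CSP ProfileXML document, validated on an admin workstation before it is handed to MDM for deployment. The gateway name vpn.contoso.com, the internal ranges, domain controller addresses and port list are constructed values, and a device tunnel requires Windows 10 Enterprise rather than Pro.

```powershell
# Added example, not from the original post: a device-tunnel Always On VPN client profile
# (VPNv2 CSP ProfileXML) validated on the admin workstation and saved for MDM deployment.
# Constructed values: gateway vpn.contoso.com, internal ranges 10.10.0.0/16 and 10.11.0.0/16,
# domain controllers 10.10.0.2-3 and the port list. A device tunnel needs Windows 10 Enterprise.
$ProfileXml = @"
<VPNProfile>
  <!-- Machine-certificate IKEv2 tunnel that comes up before any user logs on -->
  <DeviceTunnel>true</DeviceTunnel>
  <AlwaysOn>true</AlwaysOn>
  <!-- Tunnel stays down while the client can already resolve the internal DNS suffix -->
  <TrustedNetworkDetection>corp.contoso.com</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>vpn.contoso.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <!-- Split tunnel is mandatory for a device tunnel: only the routes below traverse the gateway -->
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route><Address>10.10.0.0</Address><PrefixSize>16</PrefixSize></Route>
  <Route><Address>10.11.0.0</Address><PrefixSize>16</PrefixSize></Route>
  <!-- Illustrative filter: restrict the tunnel to selected TCP ports on the domain controllers -->
  <TrafficFilter>
    <Protocol>6</Protocol>
    <RemotePortRanges>88,135,389,445,636</RemotePortRanges>
    <RemoteAddressRanges>10.10.0.2,10.10.0.3</RemoteAddressRanges>
  </TrafficFilter>
  <RegisterDNS>true</RegisterDNS>
</VPNProfile>
"@

# Parse to catch malformed XML early, then strip the comments so only CSP elements are shipped.
$xml = [xml]$ProfileXml
foreach ($c in @($xml.SelectNodes('//comment()'))) { [void]$c.ParentNode.RemoveChild($c) }

# Refuse to ship a device tunnel that violates its own constraints (IKEv2, machine cert, split tunnel).
$native = $xml.VPNProfile.NativeProfile
if ($native.NativeProtocolType -ne 'IKEv2') { throw 'Device tunnel requires IKEv2' }
if ($native.Authentication.MachineMethod -ne 'Certificate') { throw 'Device tunnel requires machine certificate auth' }
if ($native.RoutingPolicyType -ne 'SplitTunnel') { throw 'Device tunnel does not support force tunnel' }
if (-not $xml.VPNProfile.TrafficFilter) { Write-Warning 'No traffic filter: the tunnel would carry any traffic to the routed ranges' }

$out = Join-Path $env:TEMP 'AOVPN-DeviceTunnel.xml'
$xml.Save($out)
Write-Host "ProfileXML written to $out"
```

The saved file is the ProfileXML payload an MDM or a SYSTEM-context deployment script pushes to the client; a user tunnel would instead set a UserMethod under Authentication and omit DeviceTunnel.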
Additional Security Protection
Microsoft’s AOVPN is compatible with Trusted Platform Module (TPM) Key Attestation to provide higher security assurance for access.
Microsoft is aiming to make the VPN experience as seamless as possible. Since DirectAccess did not catch on as Microsoft had hoped, the new Always On VPN technology found in Windows Server 2016 and higher hopes to change that. With support for non-Enterprise licensed clients as well as non-domain-joined clients, AOVPN is certainly in a much better position to be adopted by enterprises today. AOVPN also has strong tie-ins with Azure through the “conditional access” technology, which allows smarter decisions about who gains access to resources. Generally speaking, there is quite a bit of complexity involved in deploying AOVPN, since it depends on technologies such as PKI and NPS that are themselves difficult to deploy. There are certainly great benefits to the AOVPN solution for those who want to empower their mobile workforce with the latest security and a seamless user experience.