Microsoft Always on VPN : Overview, Requirements, and Features

Remote Access is one of the key components of empowering the mobile workforce for productivity when away from the central production location and network. Over the years, the Virtual Private Network or VPN connection has been a staple of the remote access mobile workforce that allows connecting to business networks over an encrypted and secure private tunnel via the Internet. However, VPN deployments can be difficult to implement and maintain.

Table of Contents

1. What is Microsoft Always On VPN?
2. Microsoft Always On VPN Requirements
3. Types of Deployment Scenarios for Microsoft Always On VPN
4. Microsoft Always On VPN Advanced Features
5. Concluding Thoughts

A few years back, Microsoft introduced DirectAccess which was touted as the solution for remote access challenges. It proved to be difficult to implement correctly and had limitations that affected its adoption. With Windows Server 2016 and higher, along with Windows 10, Microsoft has introduced a new remote access technology called Always On VPN.

In this post, we’ll take a look at the following:

• What is Microsoft Always On VPN?
• What are its benefits and requirements?
• Types of Deployment Scenarios

What is Microsoft Always On VPN?

Microsoft’s Always On VPN is the revamp of DirectAccess remote access technology seeking to overcome the limitations of DirectAccess and achieve much wider adoption. With the new Always On VPN technology, Microsoft is looking to achieve a single solution of remote access that supports a wide array of clients. Like DirectAccess, the VPN connection is “Always On” meaning there is no user input required unless multi-factor authentication is enabled. As soon as a client is connected to the Internet, the VPN connection is established. The range of supported clients, unlike DirectAccess, includes more than simply domain-joined clients:

• Domain-joined
• Non Domain-joined
• Azure AD-joined devices
• BYOD

An additional blocker to DirectAccess was that it required Enterprise edition from a client perspective. However, with AOVPN, Microsoft is allowing Windows 10 Pro and higher clients to benefit from the technology. The connections support both user and device type connections but can also combine the two. This allows managing a device with device management as well as enabling user authentication for connectivity to internal company sites and services.

The connection process to connect using the Always On VPN technology involves the following steps:

• DNS resolution is utilized by the remote Windows 10 client to resolve the IP address of the VPN gateway
• Once the name resolution resolves the public IP address of the VPN gateway, the client sends a connection request to the Always On VPN gateway
• The VPN gateway doubles as a RADIUS client that forwards the connection request over to the corporate NPS server to process the authentication request
• The Network Policy Server performs the necessary authorization, authentication, and ultimately allows or denies the request
• The connection is then established or disconnected based on the response from the NPS server

Microsoft Always On VPN Requirements

There are various moving parts and pieces to the Microsoft Always On VPN solution. Many of the requirements are already found in most enterprise customer environments. However, these include:

• Domain Controllers
• DNS Servers
• Network Policy Server (NPS)
• Certificate Authority Server (CA)
• Routing and Remote Access Server

To dive a bit deeper into the requirements/prerequisites for setting up the Microsoft Always On VPN, there are many components of the Active Directory environment, including DNS and Certificate Authority Servers that are required.

• Businesses must have both an external and internal DNS structure configured with zones for each. A parent and subdomain configuration is assumed at least in Microsoft documentation of perhaps a contoso.com and a corp.contoso.com
• Organizations will need to configure a Public Key Infrastructure using Active Directory Certificate Services (AD CS). As with DirectAccess, the Always On VPN technology makes use of certificates to make the technology seamless.
• An existing or new Network Policy Server will be needed. Existing servers can be used with the additional configuration for the AOVPN
• Remote Access as RAS Gateway VPN – features enabled to support IKEv2 VPN connections and LAN routing
• Two Firewall configuration – One firewall will be the edge firewall and the other is the internal firewall. The remote access server public interface will uplink to the edge firewall and the internal interface will sit in front of the internal firewall
• The remote access server can be a VM or a physical server for use as the RAS host with the appropriate network connections “plumbed” between the firewalls
• Administrator permissions to deploy the AOVPN technologies

Types of Deployment Scenarios for Microsoft Always On VPN

There are actually two deployment scenarios for the Microsoft Always On VPN technology. These include:

• Always On VPN only
• Always On VPN with VPN connectivity using conditional Azure Active Directory access

What is the conditional Azure Active Directory access?

Conditional Azure Active Directory access factors in how a resource is accessed into an access control decision. These automated access control decisions help to secure access. The conditional access factors in such things as the sign-in risk level, location of the request, client application, etc.

This helps to strike the balance needed with protecting resources and allowing end-users to be productive and progress to not be impeded unnecessarily.