I’ve often had to employ various virtual private networking (VPN) solutions the years as I’ve worked developing documentation, white papers, courseware, and other technical collateral for business partners and large vendors like Microsoft. Deploying and configuring such solutions however has often been a headache. DirectAccess, a Microsoft technology introduced in Windows Server 2008 R2 and Windows 7, promised to provide seamless connectivity between remote clients and corporate networks without the requirement of deploying and using VPN connections. While this promise was in fact realized by this technology, implementing and managing it was often challenging for many administrators.
With Windows 10, however, the pendulum has now swung the opposite way by introducing a new remote connectivity solution called Always On VPN. I’ve used this solution myself and I personally prefer it over using DirectAccess, and to help our readers better understand how to deploy and configure it I interviewed my colleague Richard Hicks asking him to refresh our understanding of this technology and walk us through how to deploy and configure it. Richard is the founder and principal consultant of Richard M. Hicks Consulting and focuses on helping organizations implement edge security, remote access, and PKI solutions on Microsoft and third-party platforms. He is a Microsoft Most Valuable Professional in the Cloud & Datacenter and Enterprise Security award categories and can be found on Twitter here. Richard previously provided us with a brief overview of Always On VPN in this TechGenix article but today he’s going to go into much more technical detail about setting it up using Microsoft Intune.
MITCH: Richard, please start by giving us a refresher on why Always On VPN might make sense for many organizations looking for an improved remote connectivity solution.
RICHARD: Well, for many years DirectAccess has been the remote access solution of choice for enterprise organizations everywhere. It provides seamless, transparent, always on connectivity for mobile users, enabling them to be productive anywhere. Persistent network access also allows administrators to better manage their predominantly field-based devices. But DirectAccess relies heavily on Active Directory and Group Policy and requires DirectAccess clients and servers to be joined to a domain. And as organizations migrate applications, data, and even infrastructure to the cloud, a mobility solution that supports cloud integration and modern management will be required.
To address the shortcomings of DirectAccess, Microsoft introduced Always On VPN for Windows 10. It provides the same user experience as DirectAccess but includes essential support for cloud-based services such as Azure Active Directory. With Always On VPN, administrators can extend the same DirectAccess-like experience to their Windows 10 Professional devices. Always On VPN supports advanced features not included with DirectAccess such as traffic filtering, Azure Active Directory join, conditional access, and integration with Windows Information Protection (WIP) and Windows Hello for Business.
MITCH: Is Always ON VPN implemented and managed in a similar fashion to how DirectAccess is?
RICHARD: Always On VPN is implemented and managed in a fundamentally different way than DirectAccess. It required an on-premises Active Directory, and clients must be joined to a domain. Where DirectAccess used Group Policy to distribute configuration settings, Always On VPN is designed to use a Mobile Device Management (MDM) platform such as Microsoft Intune. Using Intune, administrators can create and deploy VPN profiles that are distributed to Windows 10 devices wherever they reside.
MITCH: OK, let’s now move on from the appetizer to the main dish. Before you show us how to deploy Always On VPN using Intune, tell us if there are any prerequisite steps that are necessary.
RICHARD: Well, before you begin, the guidance for provisioning an Always On VPN profile using Intune assumes that Windows 10 computers are being managed using Intune and that all required certificates have been provisioned to the client. Guidance for provisioning certificates using Intune can be found here.
MITCH: Thanks. So I assume the first step now is that you create a profile for your new Always On VPN connections, right? Please show us how to do this in a step-by-step fashion.
RICHARD: Right. To deploy a Windows 10 Always On VPN profile using Intune, open the Intune management console and perform the following steps:
- Click Device Configuration.
- Click Profiles.
- Click Create Profile.
- Enter a name for the profile in the Name field.
- Select Windows 10 and later from the Platform drop-down list.
- Select VPN from the Profile type drop-down list.
- Click Base VPN.
- Enter a name in the Connection name field.
- Enter a description and the IP address or FQDN of the VPN server in the Description and IP address or FQDN fields, respectively.
- Click True for the Default server and then click Add.
- Select Enable or Disable to Register IP addresses with internal DNS.
- Select Automatic from the Connection type drop-down list.
- Select Enable to configure the VPN connection to be Always On.
- Select Enable to Remember credentials at each logon.
- Select an Authentication certificate.
- Paste the EAP XML exported from a working template connection in the EAP Xml field.
- Click OK.
- Click DNS Settings.
- Enter the DNS suffix used on the internal network in the DNS suffixes field.
- Click Add.
- Click OK.
- Click Split Tunneling (optional).
- Click Enable for Split tunneling.
- Enter the network address(es) that corresponds to the internal network in the Destination prefix and Prefix size fields.
- Click OK.
- Click Trusted Network Detection (optional).
- Enter the DNS suffix associated with the internal network.
- Click Add.
- Click OK twice and then click Create to create the Always On VPN profile.
MITCH: This is great, even an idiot like myself can follow it! OK, now please show us how to deploy an Always On VPN profile using Intune.
RICHARD: It’s simple. Once the Always On VPN profile has been created, follow the steps below to assign the profile to client devices:
- Click Assignments.
- Choose Selected Groups from the Assign to drop-down list.
- Click Select groups to include.
- Click the appropriate target group.
- Click Select.
- Click Save.
MITCH: Are there any advanced options you can use Intune to configure for Always On VPN?
RICHARD: There are many advanced options available for Always On VPN. The following settings can also be enabled using Intune:
- Windows Information Protection (WIP).
- Network Traffic Rules.
- Conditional Access.
- Single sign-on (SSO).
- Proxy server configuration.
MITCH: Thanks very much! So going forward, should organizations who use DirectAccess start replacing it with Always On VPN?
RICHARD: Well, Microsoft is no longer investing in DirectAccess and there have been no new features introduced since the introduction of Windows Server 2012. However, DirectAccess has not been formally deprecated and will be fully supported through the lifetime of Windows Server 2019. Always On VPN is clearly the way of the future and Microsoft is making its investments there.
But choosing DirectAccess or Always On VPN depends on many factors. If your organization is looking for advanced security features and modern management support, Always On VPN is the solution of choice. If your organization is still using on-premises Active Directory and group policy management with Windows 10 Enterprise edition clients, DirectAccess can still be deployed if it meets your needs.
And DirectAccess has been around for quite some time, but it is beginning to show its age. Windows 10 Always On VPN integrates easily with Microsoft Azure and supports many advanced features not available with DirectAccess. Always On VPN uses modern management with Intune and works with all Windows 10 SKUs including Professional Edition.
MITCH: Thanks, Richard. Can we end by having you point us to some additional resources where our readers can learn more about Always On VPN?
RICHARD: Certainly, check out these links:
MITCH: Thank you!
RICHARD: You’re welcome!
Featured image: Shutterstock