I’ve often had to employ various virtual private networking (VPN) solutions over the years as I’ve worked on developing documentation, white papers, courseware, and other technical collateral for business partners and large vendors like Microsoft. Deploying and configuring such solutions, however, has often been a headache. DirectAccess, a Microsoft technology introduced in Windows Server 2008 R2 and Windows 7, promised to provide seamless connectivity between remote clients and corporate networks without the requirement of deploying and using VPN connections. While this promise was in fact realized by this technology, implementing and managing it was often challenging for many administrators.
With Windows 10, however, the pendulum has now swung the opposite way by introducing a new remote connectivity solution called Always On VPN. I’ve used this solution myself and I personally prefer it over using DirectAccess, and to help our readers better understand how to deploy and configure it I interviewed my colleague Richard Hicks asking him to refresh our understanding of this technology and walk us through how to deploy and configure it. Richard is the founder and principal consultant of Richard M. Hicks Consulting and focuses on helping organizations implement edge security, remote access, and PKI solutions on Microsoft and third-party platforms. He is a Microsoft Most Valuable Professional in the Cloud & Datacenter and Enterprise Security award categories and can be found on Twitter here. Richard previously provided us with a brief overview of Always On VPN in this TechGenix article but today he’s going to go into much more technical detail about setting it up using Microsoft Intune.
MITCH: Richard, please start by giving us a refresher on why Always On VPN might make sense for many organizations looking for an improved remote connectivity solution.
RICHARD: Well, for many years DirectAccess has been the remote access solution of choice for enterprise organizations everywhere. It provides seamless, transparent, always on connectivity for mobile users, enabling them to be productive anywhere. Persistent network access also allows administrators to better manage their predominantly field-based devices. But DirectAccess relies heavily on Active Directory and Group Policy and requires DirectAccess clients and servers to be joined to a domain. And as organizations migrate applications, data, and even infrastructure to the cloud, a mobility solution that supports cloud integration and modern management will be required.
To address the shortcomings of DirectAccess, Microsoft introduced Always On VPN for Windows 10. It provides the same user experience as DirectAccess but includes essential support for cloud-based services such as Azure Active Directory. With Always On VPN, administrators can extend the same DirectAccess-like experience to their Windows 10 Professional devices. Always On VPN supports advanced features not included with DirectAccess such as traffic filtering, Azure Active Directory join, conditional access, and integration with Windows Information Protection (WIP) and Windows Hello for Business.
MITCH: Is Always On VPN implemented and managed in a similar fashion to how DirectAccess is?
RICHARD: Always On VPN is implemented and managed in a fundamentally different way than DirectAccess. It required an on-premises Active Directory, and clients must be joined to a domain. Where DirectAccess used Group Policy to distribute configuration settings, Always On VPN is designed to use a Mobile Device Management (MDM) platform such as Microsoft Intune. Using Intune, administrators can create and deploy VPN profiles that are distributed to Windows 10 devices wherever they reside.
MITCH: OK, let’s now move on from the appetizer to the main dish. Before you show us how to deploy Always On VPN using Intune, tell us if there are any prerequisite steps that are necessary.
RICHARD: Well, before you begin, the guidance for provisioning an Always On VPN profile using Intune assumes that Windows 10 computers are being managed using Intune and that all required certificates have been provisioned to the client. Guidance for provisioning certificates using Intune can be found here.
MITCH: Thanks. So I assume the first step now is that you create a profile for your new Always On VPN connections, right? Please show us how to do this in a step-by-step fashion.
RICHARD: Right. To deploy a Windows 10 Always On VPN profile using Intune, open the Intune management console and perform the following steps:
MITCH: This is great, even an idiot like myself can follow it! OK, now please show us how to deploy an Always On VPN profile using Intune.
RICHARD: It’s simple. Once the Always On VPN profile has been created, follow the steps below to assign the profile to client devices:
MITCH: Are there any advanced options you can use Intune to configure for Always On VPN?
RICHARD: There are many advanced options available for Always On VPN. The following settings can also be enabled using Intune:
MITCH: Thanks very much! So going forward, should organizations who use DirectAccess start replacing it with Always On VPN?
RICHARD: Well, Microsoft is no longer investing in DirectAccess and there have been no new features introduced since the introduction of Windows Server 2012. However, DirectAccess has not been formally deprecated and will be fully supported through the lifetime of Windows Server 2019. Always On VPN is clearly the way of the future and Microsoft is making its investments there.
But choosing DirectAccess or Always On VPN depends on many factors. If your organization is looking for advanced security features and modern management support, Always On VPN is the solution of choice. If your organization is still using on-premises Active Directory and group policy management with Windows 10 Enterprise edition clients, DirectAccess can still be deployed if it meets your needs.
And DirectAccess has been around for quite some time, but it is beginning to show its age. Windows 10 Always On VPN integrates easily with Microsoft Azure and supports many advanced features not available with DirectAccess. Always On VPN uses modern management with Intune and works with all Windows 10 SKUs including Professional Edition.
MITCH: Thanks, Richard. Can we end by having you point us to some additional resources where our readers can learn more about Always On VPN?
RICHARD: Certainly, check out these links:
MITCH: Thank you!
RICHARD: You’re welcome!