DirectAccess was once touted by Microsoft as the best solution for enterprises wanting to provide secure, seamless and transparent, always on remote corporate network connectivity for managed (domain-joined) Windows clients. Originally introduced with Windows Server 2008 R2, DirectAccess was designed to streamline and simplify the end user’s remote access experience. DirectAccess communication is also bidirectional, which allows IT administrators to better manage and support their field-based assets.
DirectAccess, however, proved difficult to implement and manage for many enterprises so they tended to look elsewhere for third-party solutions like Cisco AnyConnect or even LogMeIn to plug the gap. Not to be outdone by other parties, Microsoft decided to introduce a new technology in Windows Server 2016 and Windows 10 that is designed to do all that DirectAccess promised — and more. This new remote access technology is called Always On VPN and to help us understand it I asked eight-time Microsoft MVP Richard Hicks to walk us through its capabilities and benefits for enterprises.
Richard is a network and information security expert specializing in Microsoft technologies. He is the founder and principal consultant of Richard M. Hicks Consulting and is focused on helping organizations implement edge security, remote access, and PKI solutions on Microsoft and third-party platforms. He is a Microsoft Most Valuable Professional (MVP) currently recognized in the Cloud & Datacenter and Enterprise Security award categories. Visit his website or follow him on Twitter at @richardhicks.
Always On VPN overview
Windows 10 Always On VPN is the replacement for Microsoft’s DirectAccess remote access technology. Always On VPN aims to address several shortcomings of DirectAccess, including support for Windows 10 Professional and non-domain joined devices, as well as cloud integration with Intune and Azure Active Directory.
Windows 10 Always On VPN provides the same seamless, transparent, and always-on user experience as DirectAccess. A VPN connection is automatically established any time an authorized client has an active Internet connection; it does not require input from or interaction with the user (unless multifactor authentication is enabled, of course). Remote users access on-premises data and applications in the same familiar way, just as if they were at the workplace.
Always On VPN is a Windows 10-only solution. However, unlike DirectAccess, client devices do not have to run the Enterprise edition to take advantage of it. Windows 10 Professional, along with all other SKUs, is now a supported client. Devices can be joined to an Active Directory domain, but this is not strictly required. Always On VPN clients can be standalone or, to take advantage of advanced features, they can be joined to Azure Active Directory.
Always On VPN is infrastructure independent and can be deployed using Windows Routing and Remote Access (RRAS) or any third-party VPN device. Authentication can be provided by Windows Network Policy Server (NPS) or any third-party RADIUS platform.
Providing secure remote access ensures the highest levels of productivity for mobile workers. It improves security and compliance for company-owned systems by allowing administrators to maintain standard configurations and ensure the best possible security posture for their client machines.
In addition, having a robust enterprise mobility strategy provides an important competitive advantage for many organizations. By supporting teleworkers, companies are no longer restricted to hiring boundaries that require users to be in a specific physical location. Organizations can draw from a much wider talent pool than would otherwise be possible without a remote access solution in place.
Features and capabilities
In addition to support for Windows 10 Professional and non-domain joined systems, Always On VPN has many more features and capabilities than its predecessor, DirectAccess. Always On VPN includes advanced security features such as traffic filtering, allowing administrators to restrict network access for remote users in a granular way. Also, when integrated with Azure Active Directory, Always On VPN supports conditional access, giving administrators the ability to grant access based on a defined set of parameters such as device health, logon type, location, and more.
MFA (Azure or any third-party MFA solution) can also be integrated for additional sign-on assurance. Always On VPN can also be combined with Windows Hello for Business and Windows Information Protection to further enhance the overall security of the solution.
Always On VPN is designed to be implemented and managed using a Mobile Device Management platform such as Intune, but System Center Configuration Manager (SCCM) and third-party MDM solutions can also be used. It should be noted that Always On VPN provides no native support for Active Directory group policy management.
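As an added illustration (not code from the article or from Richard Hicks) of what an MDM-delivered Always On VPN profile looks like, the PowerShell below builds a user-tunnel ProfileXML that carries the kind of traffic-filter restriction described above and applies it through the VPNv2 CSP on a Windows 10 client, the same path an MDM uses in the absence of Group Policy support. The profile name, server, DNS suffix and address ranges are placeholders, and the EAP configuration is left to be pasted in from a working connection.

```powershell
# Added example, not from the article: build a user-tunnel Always On VPN ProfileXML
# with a TrafficFilter and apply it through the VPNv2 CSP (root\cimv2\mdm\dmmap),
# which is the path an MDM uses; there is no Group Policy equivalent.
# Placeholders: profile name, server, DNS suffix and address ranges. Run elevated.
$ProfileName = 'Contoso Always On VPN'
$ProfileXML = @'
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <TrustedNetworkDetection>corp.example.com</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap><Configuration>
        <!-- EapHostConfig XML from an existing working connection goes here -->
      </Configuration></Eap>
    </Authentication>
  </NativeProfile>
  <Route><Address>10.0.0.0</Address><PrefixSize>8</PrefixSize></Route>
  <!-- Granular restriction: permit only TCP 443 from this client to the app subnet -->
  <TrafficFilter>
    <Protocol>6</Protocol>
    <RemotePortRanges>443</RemotePortRanges>
    <RemoteAddressRanges>10.10.0.0/16</RemoteAddressRanges>
  </TrafficFilter>
</VPNProfile>
'@

# The CSP expects the XML escaped inside the ProfileXML string property.
$EscapedXML = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
$Namespace  = 'root\cimv2\mdm\dmmap'
$ClassName  = 'MDM_VPNv2_01'
$InstanceId = $ProfileName -replace ' ', '%20'   # spaces must be URL-encoded in the node name
$session  = New-CimSession
$instance = New-Object Microsoft.Management.Infrastructure.CimInstance $ClassName, $Namespace
foreach ($p in @(
    @{ Name = 'ParentID';   Value = './Vendor/MSFT/VPNv2'; Flag = 'Key' },
    @{ Name = 'InstanceID'; Value = $InstanceId;           Flag = 'Key' },
    @{ Name = 'ProfileXML'; Value = $EscapedXML;           Flag = 'Property' })) {
  $instance.CimInstanceProperties.Add(
    [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Flag))
}
$session.CreateInstance($Namespace, $instance) | Out-Null

# Confirm the connection now exists on the client.
Get-VpnConnection -Name $ProfileName | Select-Object Name, ServerAddress, TunnelType
```

Once the profile is in place, anything routed into the tunnel that does not match the filter (here, TCP 443 to 10.10.0.0/16) is not permitted, which is the granular restriction the feature is meant to give administrators.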
On the whole, Always On VPN is an easier solution to support than DirectAccess. It has fewer infrastructure dependencies and is not as tightly coupled with them. This provides greater deployment flexibility and makes the solution easier to troubleshoot.
Easier — and better
DirectAccess raised the bar for remote access, providing a simple, seamless, transparent, and always-on remote access solution that was dramatically easier to use than traditional client-based VPNs of old. Always On VPN brings the user experience into the modern, cloud-based world we live in today, with support for cloud integration with Azure Active Directory and Intune. It also provides administrators with many more security features than DirectAccess, making it even more compelling.
Here are a few links to blog posts and other documentation that Richard suggests where you can find out more about Always On VPN:
- Always On VPN deployment guide
- Always On VPN and DirectAccess feature comparison
- Always On VPN and the future of DirectAccess
- 5 things DirectAccess administrators should know about Always On VPN
- 3 important advantages of Always On VPN over DirectAccess
Also, make sure that you check out Richard’s Always On VPN hands-on training classes.