Always On VPN: Why you should use this new remote access technology

Editor’s note: In response to the coronavirus crisis gripping the world, TechGenix is republishing a selection of recent articles, tutorials, and product reviews with relevant information for IT pros as their jobs change dramatically and their businesses switch to work-from-home technologies. In this article, originally published May 1, 2018, we look at Always On VPN, the remote access solution from Microsoft.

DirectAccess was once touted by Microsoft as the best solution for enterprises wanting to provide secure, seamless and transparent, always-on remote corporate network connectivity for managed (domain-joined) Windows clients. Originally introduced with Windows Server 2008 R2, DirectAccess was designed to streamline and simplify the end user’s remote work access experience. DirectAccess communication is also bidirectional, which allows IT administrators to better manage and support their field-based assets.

DirectAccess, however, proved difficult to implement and manage for many enterprises so they tended to look elsewhere for third-party solutions like Cisco AnyConnect or even LogMeIn to plug the gap. Not to be outdone by other parties, Microsoft decided to introduce a new technology in Windows Server 2016 and Windows 10 that is designed to do all that DirectAccess promised — and more. This new remote access technology is called Always On VPN and to help us understand it I asked eight-time Microsoft MVP Richard Hicks to walk us through its capabilities and benefits for enterprises.

Richard is a network and information security expert specializing in Microsoft technologies. He is the founder and principal consultant of Richard M. Hicks Consulting and is focused on helping organizations implement edge security, remote access, and PKI solutions on Microsoft and third-party platforms. He is a Microsoft Most Valuable Professional (MVP) currently recognized in the Cloud & Datacenter and Enterprise Security award categories. Visit his website or follow him on Twitter at @richardhicks.

Always On VPN overview

Microsoft

Windows 10 Always On VPN is the replacement for Microsoft’s DirectAccess remote access technology. Always On VPN aims to address several shortcomings of DirectAccess, including support for Windows 10 Professional and non-domain joined devices, as well as cloud integration with Intune and Azure Active Directory.

Operation

Windows 10 Always On VPN provides the same seamless, transparent, and always-on user experience as DirectAccess. A VPN connection is automatically established any time an authorized client has an active Internet connection; it does not require input from or interaction with the user (unless multifactor authentication is enabled, of course). Remote users access on-premises data and applications in the same familiar way, just as if they were at the workplace.

Deployment

Always On VPN is a Windows 10-only solution. However, unlike DirectAccess, client devices do not have to run the Enterprise edition to take advantage of it. Windows 10 Professional, along with all other SKUs, are now supported clients. Devices can be joined to an Active Directory domain, but this is not strictly required. Always On VPN clients can be standalone or, to take advantage of advanced features, they can be joined to Azure Active Directory.

Always On VPN is infrastructure independent and can be deployed using Windows Routing and Remote Access (RRAS) or any third-party VPN device. Authentication can be provided by Windows Network Policy Server (NPS) or any third-party RADIUS platform.

Benefits


Providing secure remote access ensures the highest levels of productivity for mobile workers. It improves security and compliance for company-owned systems by allowing administrators to maintain standard configurations and ensure the best possible security posture for their client machines.

In addition, having a robust enterprise mobility strategy provides an important competitive advantage for many organizations. By supporting teleworkers, companies are no longer restricted to hiring boundaries that require users to be in a specific physical location. Organizations can draw from a much wider talent pool than would otherwise be possible without a remote access solution in place.

Features and capabilities

In addition to support for Windows 10 Professional and non-domain joined systems, Always On VPN has many new features and capabilities than those of its predecessor, DirectAccess. Always On VPN includes advanced security features such as traffic filtering, allowing administrators to restrict network access for remote users in a granular way. Also, when integrated with Azure Active Directory, Always On VPN supports conditional access, giving administrators the ability to grant access based on a defined set of parameters such as device health, logon type, location, and more.

MFA (Azure or any third-party MFA solution) can also be integrated for additional sign-on assurance. Always On VPN can also be combined with Windows Hello for Business and Windows Information Protection to further enhance the overall security of the solution.

Provisioning

Always On VPN is designed to be implemented and managed using a Mobile Device Management platform such as Intune, but System Center Configuration Manager (SCCM) and third-party MDM solutions can also be used. It should be noted that Always On VPN provides no native support for Active Directory Group Policy management.

Support


On the whole, Always On VPN is an easier solution to support than DirectAccess. It has fewer infrastructure dependencies and is not as tightly coupled with them. This provides greater deployment flexibility and makes the solution easier to troubleshoot.

Easier — and better

DirectAccess raised the bar for remote access, providing a simple, seamless, transparent, and always-on remote access solution that was dramatically easier to use than traditional client-based VPNs of old. Always On brings the user experience into the modern, cloud-based world we live in today, with support for cloud integration with Azure Active Directory and Intune. It also provides administrators with many more security features than DirectAccess, making it even more compelling.

Additional resources

Here are a few links to blog posts, articles, and other documentation that Richard suggests where you can find out more about Always On VPN:

Also, make sure that you check out Richard’s Always On VPN hands-on training classes.

Photo credit: Shutterstock

Mitch Tulloch

Mitch Tulloch is Senior Editor of both WServerNews and FitITproNews and is a widely recognized expert on Windows Server and cloud technologies. He has written more than a thousand articles and has authored or been series editor for over 50 books for Microsoft Press and other publishers. Mitch has also been a twelve-time recipient of the Microsoft Most Valuable Professional (MVP) award in the technical category of Cloud and Datacenter Management. He currently runs an IT content development business in Winnipeg, Canada.

Share
Published by
Mitch Tulloch
Tags vpn

Recent Posts

Hardware RAID vs. software RAID: Pros and cons for each

RAID is a technique to virtualize independent disks into arrays for improved performance. Should you…

3 days ago

After the plague: What IT will look like in a post-COVID-19 world

COVID-19 has changed everything, but once it disappears, we will not go back to how…

3 days ago

Solved: Outlook defaults to Microsoft 365 version with Exchange server

An Exchange server with a hybrid connection to Microsoft 365 is usually pretty seamless —…

4 days ago

How chatbots are changing the way teams communicate internally

Chatots are primarily thought of as consumer-facing solutions. They bring life to customer interactions by…

4 days ago

Hakbit ransomware campaign targeting specific European countries

The newly uncovered Hakbit ransomware campaign spread via spear-phishing emails may indicate a shift in…

4 days ago

Credential stuffing: Everything you need to know to avoid being a victim

Credential stuffing is yet another weapon being used by cybercriminals. Here’s what credential stuffing is…

5 days ago