Always On VPN: Why you should use this new remote access technology

Editor’s note: In response to the coronavirus crisis gripping the world, TechGenix is republishing a selection of recent articles, tutorials, and product reviews with relevant information for IT pros as their jobs change dramatically and their businesses switch to work-from-home technologies. In this article, originally published May 1, 2018, we look at Always On VPN, the remote access solution from Microsoft.

DirectAccess was once touted by Microsoft as the best solution for enterprises wanting to provide secure, seamless and transparent, always-on remote corporate network connectivity for managed (domain-joined) Windows clients. Originally introduced with Windows Server 2008 R2, DirectAccess was designed to streamline and simplify the end user’s remote work access experience. DirectAccess communication is also bidirectional, which allows IT administrators to better manage and support their field-based assets.

DirectAccess, however, proved difficult to implement and manage for many enterprises, so they tended to look elsewhere for third-party solutions like Cisco AnyConnect or even LogMeIn to plug the gap. Not to be outdone by other parties, Microsoft decided to introduce a new technology in Windows Server 2016 and Windows 10 that is designed to do all that DirectAccess promised — and more. This new remote access technology is called Always On VPN, and to help us understand it I asked eight-time Microsoft MVP Richard Hicks to walk us through its capabilities and benefits for enterprises.

Richard is a network and information security expert specializing in Microsoft technologies. He is the founder and principal consultant of Richard M. Hicks Consulting and is focused on helping organizations implement edge security, remote access, and PKI solutions on Microsoft and third-party platforms. He is a Microsoft Most Valuable Professional (MVP) currently recognized in the Cloud & Datacenter and Enterprise Security award categories. Visit his website or follow him on Twitter at @richardhicks.

Always On VPN overview


Windows 10 Always On VPN is the replacement for Microsoft’s DirectAccess remote access technology. Always On VPN aims to address several shortcomings of DirectAccess, including support for Windows 10 Professional and non-domain joined devices, as well as cloud integration with Intune and Azure Active Directory.

Operation

Windows 10 Always On VPN provides the same seamless, transparent, and always-on user experience as DirectAccess. A VPN connection is automatically established any time an authorized client has an active Internet connection; it does not require input from or interaction with the user (unless multifactor authentication is enabled, of course). Remote users access on-premises data and applications in the same familiar way, just as if they were at the workplace.

Deployment

Always On VPN is a Windows 10-only solution. However, unlike DirectAccess, client devices do not have to run the Enterprise edition to take advantage of it. Windows 10 Professional and all other SKUs are now supported clients. Devices can be joined to an Active Directory domain, but this is not strictly required. Always On VPN clients can be standalone or, to take advantage of advanced features, they can be joined to Azure Active Directory.

Always On VPN is infrastructure independent and can be deployed using Windows Routing and Remote Access (RRAS) or any third-party VPN device. Authentication can be provided by Windows Network Policy Server (NPS) or any third-party RADIUS platform.

Benefits

Providing secure remote access ensures the highest levels of productivity for mobile workers. It improves security and compliance for company-owned systems by allowing administrators to maintain standard configurations and ensure the best possible security posture for their client machines.

In addition, having a robust enterprise mobility strategy provides an important competitive advantage for many organizations. By supporting teleworkers, companies are no longer restricted to hiring boundaries that require users to be in a specific physical location. Organizations can draw from a much wider talent pool than would otherwise be possible without a remote access solution in place.

Features and capabilities

In addition to support for Windows 10 Professional and non-domain joined systems, Always On VPN has many more features and capabilities than its predecessor, DirectAccess. Always On VPN includes advanced security features such as traffic filtering, allowing administrators to restrict network access for remote users in a granular way. Also, when integrated with Azure Active Directory, Always On VPN supports conditional access, giving administrators the ability to grant access based on a defined set of parameters such as device health, logon type, location, and more.

MFA (Azure or any third-party MFA solution) can also be integrated for additional sign-on assurance. Always On VPN can also be combined with Windows Hello for Business and Windows Information Protection to further enhance the overall security of the solution.

Provisioning

Always On VPN is designed to be implemented and managed using a Mobile Device Management platform such as Intune, but System Center Configuration Manager (SCCM) and third-party MDM solutions can also be used. It should be noted that Always On VPN provides no native support for Active Directory Group Policy management.
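As an added example (not from the article and not one of Richard Hicks's own scripts), the following PowerShell builds the ProfileXML that the VPNv2 CSP consumes, the same CSP that Intune, SCCM and third-party MDM platforms push, and includes one of the traffic filters described under Features and capabilities. The server and DNS names, the address ranges and the `$EapXml` placeholder are assumptions.

```powershell
# Added example: build a user-tunnel ProfileXML and push it through the VPNv2 CSP
# via the MDM WMI bridge (root\cimv2\mdm\dmmap). Run elevated; the bridge is
# normally reached from the SYSTEM context (e.g. PsExec -i -s) when used locally.
# Assumptions: vpn.example.com, corp.example.com, 10.0.0.0/8 and 10.1.1.5 are
# placeholders, and $EapXml holds the EAP configuration exported from a working
# test connection (EapConfigXmlStream.InnerXml).
$ProfileName = 'Always On VPN'
$EapXml      = '<!-- PLACEHOLDER: paste the exported EAP configuration here -->'

$ProfileXML = @"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <DnsSuffix>corp.example.com</DnsSuffix>
  <TrustedNetworkDetection>corp.example.com</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap><Configuration>$EapXml</Configuration></Eap>
    </Authentication>
  </NativeProfile>
  <Route><Address>10.0.0.0</Address><PrefixSize>8</PrefixSize></Route>
  <!-- Traffic filters are an allow-list: once any filter exists, only matching
       traffic crosses the tunnel. Here remote users reach one file server on TCP 445. -->
  <TrafficFilter>
    <Protocol>6</Protocol>
    <RemotePortRanges>445</RemotePortRanges>
    <RemoteAddressRanges>10.1.1.5</RemoteAddressRanges>
  </TrafficFilter>
</VPNProfile>
"@

# The CSP stores ProfileXML as a string node, so the XML itself must be entity-escaped,
# and the profile name is used as the instance ID with spaces URL-encoded.
$Escaped    = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
$InstanceId = $ProfileName -replace ' ', '%20'

# Remove any stale copy of the profile before creating the new one.
Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_VPNv2_01' |
    Where-Object InstanceID -eq $InstanceId | Remove-CimInstance

New-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_VPNv2_01' -Property @{
    ParentID   = './Vendor/MSFT/VPNv2'
    InstanceID = $InstanceId
    ProfileXML = $Escaped
}
```

An MDM platform delivers exactly this ProfileXML value to the same CSP node, which is why the article notes that Group Policy, which has no VPNv2 CSP integration, cannot manage these profiles natively.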

Support

On the whole, Always On VPN is an easier solution to support than DirectAccess. It has fewer infrastructure dependencies and is not as tightly coupled with them. This provides greater deployment flexibility and makes the solution easier to troubleshoot.

Easier — and better

DirectAccess raised the bar for remote access, providing a simple, seamless, transparent, and always-on remote access solution that was dramatically easier to use than traditional client-based VPNs of old. Always On brings the user experience into the modern, cloud-based world we live in today, with support for cloud integration with Azure Active Directory and Intune. It also provides administrators with many more security features than DirectAccess, making it even more compelling.

Additional resources

Here are a few links to blog posts, articles, and other documentation that Richard suggests where you can find out more about Always On VPN:

Also, make sure that you check out Richard’s Always On VPN hands-on training classes.


10 thoughts on “Always On VPN: Why you should use this new remote access technology”

  1. You say:

    do not have to run the Enterprise edition to take advantage of it. Windows 10 Professional, along with all other SKUs, are now supported clients

    But I assume that Windows 10 Home is NOT one of the “other” SKUs that is supported? This is still a business-only feature, correct?

    1. Incorrect. Windows 10 Home does indeed work as an Always On VPN client. It’s a solution that is designed to support BYOD, for which Windows 10 Home Edition would be common.

  2. Tony Sperbeck

    Thanks, Mitch and Richard, for the great articles on Always On VPN. Question for you: I’ve noticed in the Intune VPN profile, you can specify multiple Servers in the Base VPN settings, with one designated as the “Default Server”. Can you elaborate on how the Windows 10 client will fail over to non-default Servers? Also, can you compare/contrast using multiple Servers via this specification versus using a Load Balancer in front of the RRAS servers? Thanks!

  3. While you can specify multiple VPN servers to connect to in the profile, the client only ever connects automatically to the primary server. If it fails, the connection fails. However, the user can manually select a secondary or tertiary server from the list to re-establish the connection. Unfortunately, it does not provide automatic failover as it would seem to suggest.

    That said, using a load balancer to provide local redundancy or a global server load balancer to provide geographic redundancy is recommended for enterprise deployments where high availability and transparent failover are required.

  4. So now I need to get Intune and other ongoing monthly Azure subscription services, per user/device, where before I didn’t need anything other than a spare Windows Server VM to connect all my domain-joined Surface Pros and laptops seamlessly to corporate file shares and resources from anywhere in the world. I can see why Microsoft prefers this path over DirectAccess, and, to me anyway, it has little to do with ‘better security’.

  5. Is there a way I can change the connection type to SSTP and keep it that way even after it times out?

    I have the following code:

    Automatic

    When I change this to SSTP, VPN fails to connect. In the above code line, when it times out trying to connect to SSTP it connects to IKEv2. I am trying to get it to loop to SSTP again.

  6. Prasanth Kuttasseri

    One question. We are thinking of implementing Always On VPN. We had DA before. We face an issue with the internal proxy, as the source will come from the same DA IP, and credential caching in the proxy goes crazy as it sees one source IP with multiple user credentials. When we implement Always On using the VPN gateway server and a two-leg topology (one leg internal and one to the perimeter), what will be my source IP? Will the clients reflect their own pool IP, or will it be only the VPN gateway server IP coming out of the RAS VPN server?
