Microsoft Always-On VPN - United States (2024)


James Kindon - 09.04.2020

Many of our recent engagements involve modernising the deployment and management of Windows 10 PCs with Microsoft Intune and System Center Configuration Manager. In part, these projects are driven by the customer’s desire to reduce the number of vendors they deal with, alongside a more strategic move to reduce the infrastructure required to manage end-point devices.

These customers’ users are typically more mobile than they were 5-10 years ago and are often working from home or other remote locations, so the ability to consistently manage devices regardless of location is a key requirement. While we are certainly seeing an uptake in mobility, customers still have legacy applications with data locked into on-premises data centers that they need to manage and that their users must continue to have access to.

Access gaps are often met with the use of application delivery solutions such as Citrix Virtual Apps and Desktops and Microsoft Remote Desktop Services or by any number of 3rd party firewall-based VPN solutions with secure tunnels back into the juicy innards of the corporate data center.

Microsoft provided us with a great, yet challenging solution in the form of DirectAccess – an extremely smooth solution for the Microsoft ecosystem which would poll a web service to identify internal vs external locations and establish a seamless VPN connection once outside the perimeter without user intervention. This was a robust solution, which whilst simple for the user, was typically quite complex for admins. DirectAccess used a combination of Windows Server, IPv6 Teredo tunnelling and a heavy amount of configuration to get things running smoothly. It was very much a “get it working and don’t touch it” solution that served its purpose.

With the release of Windows 10 1607, Microsoft now recommends Always On VPN in preference to DirectAccess. The beauty of this solution is its simplicity and ease of deployment, integrating cleanly with SCCM, PowerShell and Microsoft Intune. It has enhanced smarts around network detection tunnel triggers, allowing for the ability to use both user and device layer tunnels for remote management and inbound initiated connections, as well as application driven VPN tunnels (commonly known as MicroVPNs). The usual suspects around VPN capabilities are addressed, with both split tunnel and full tunnel configurations available. Traffic filtering and security are also natively available in Always On VPN.
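To make the features listed above concrete, here is an added example (not from the original article) of a device tunnel profile in the ProfileXML format consumed by the Windows VPNv2 CSP, which is what Intune, SCCM or PowerShell push to the client. The server name, DNS suffix and addresses are placeholders chosen for illustration.

```xml
<!-- Added example: device tunnel ProfileXML. All names and addresses are placeholders. -->
<VPNProfile>
  <NativeProfile>
    <!-- Public name of the RRAS VPN server (placeholder) -->
    <Servers>vpn.example.com</Servers>
    <!-- Device tunnels support IKEv2 only -->
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <!-- Machine certificate from the internal CA; no user credentials are involved -->
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <!-- Split tunnel: only the routes listed below are sent through the VPN -->
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <!-- Do not add a class-based route for the address assigned to the VPN interface -->
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>

  <!-- Host routes (/32) to the servers a device needs before a user signs in,
       for example a domain controller and a management server (placeholders) -->
  <Route>
    <Address>10.0.0.10</Address>
    <PrefixSize>32</PrefixSize>
  </Route>
  <Route>
    <Address>10.0.0.11</Address>
    <PrefixSize>32</PrefixSize>
  </Route>

  <!-- Traffic filter: the tunnel carries traffic to these addresses only,
       so a machine-authenticated tunnel does not expose the whole data center -->
  <TrafficFilter>
    <RemoteAddressRanges>10.0.0.10, 10.0.0.11</RemoteAddressRanges>
  </TrafficFilter>

  <!-- Trusted network detection: when the connection-specific DNS suffix matches,
       the client treats itself as internal and does not bring the tunnel up -->
  <TrustedNetworkDetection>corp.example.com</TrustedNetworkDetection>

  <!-- Connect automatically without user interaction -->
  <AlwaysOn>true</AlwaysOn>
  <!-- Mark this profile as a device (pre-logon) tunnel rather than a user tunnel -->
  <DeviceTunnel>true</DeviceTunnel>
</VPNProfile>
```

Microsoft documents that enabling traffic filters on a device tunnel also blocks connections initiated from the corporate network to the client, so a design that relies on inbound remote management has to weigh that against the tighter scope shown here.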


If you are an existing DirectAccess customer, then it’s worth investigating whether Always-On VPN addresses all of your Remote Access requirements. A mapping of features and functionality is provided by Microsoft.

What’s fun about this solution is it’s built upon yet another Microsoft revived technology: Routing and Remote Access (who remembers RRAS?). The same technology underpins many of Microsoft Azure VPN tunnels and offers a very familiar interface for those admins who have been working with Windows for a while. If you understand RRAS then Always-On VPN will be a walk in the park.

The solution comes at no cost and is built into all supported flavours of Windows 10, which means there are no additional VPN clients that need to be deployed, reducing PC management complexity. Additionally, Always-On VPN supports Azure AD Conditional Access and MFA for an extra layer of security. The ability to prevent access to the VPN unless the Windows device is compliant is an ideal way to ensure only approved and secure devices are making tunnel connections into your data center.

Always-On VPN is quick and easy to deploy, offers a high level of encryption and security, and fills a void which still exists in the modern workplace. Leveraging an internal Active Directory Domain Services environment, internal Active Directory Certificate Services Authority, and simple DMZ architecture, Always-On VPN typically goes off like wildfire once introduced to an organization with an extremely high level of user satisfaction to boot.

Microsoft recently migrated their entire internal fleet to Always-On VPN; a showcase article has been written to describe the success Microsoft IT had in the deployment.

Routing and Remote Access-based VPN solutions have typically had a challenge with load balancing and high availability. However, with the introduction of low cost solutions like Azure Traffic Manager, multi-site Active-Active deployments are a walk in the park.

Looking at your Windows 10 upgrades, deployments or modernisation with Intune and still have requirements for network connectivity back to your corporate locations? Always-On VPN should be the first discussion for VPN connectivity.
