Many things give a business owner nightmares, and at the top of the list is a computer failure that stops operations in their tracks. Unfortunately, no company is immune to the threat of an outage or data loss. Recently, for retail giant Target, the fear became reality as nearly every register in every store throughout the United States went down.
Fortunately, the outage lasted only about two hours. But those two hours of downtime cost Target roughly $50 million in lost sales and sent its shares down two percent. In reality, Target's ability to go from a catastrophic outage to being back online in such a short time is a considerable accomplishment. With significant IT infrastructure in place to respond, the company could investigate the problem, determine that there had been no data breach, and restore all systems to full operation quickly. For the company, confirming that no data had been compromised was vital: its 2013 data breach affected roughly 41 million customer payment card accounts and ended in a legal settlement costing millions.
How you protect your data is critical to the success of your business, no matter your size. For a health organization, that data includes detailed medical and insurance information. Law offices hold endless client files and records, financial planners have high-level access to sensitive financial portfolios, and the list goes on. No matter the industry, data is critical, and in many cases the minimum security controls are dictated by regulations such as HIPAA and PCI DSS.
So, how do you protect your company from cybersecurity threats and outages? Target spends hundreds of millions of dollars a year on technology; most businesses cannot. The key is to find an affordable technology partner you can trust. As the Target event shows, outages and cyber attacks don't only happen during business hours, so you have to be prepared to respond around the clock. At Now Micro, we make it a priority to be available when the need for help arises. Our service desk technicians answer the phone live 24 hours a day. But that is only a tiny piece of your cybersecurity response plan. Most of our work occurs before disaster strikes: we help ensure that your systems are kept up to date to prevent an attack or failure, and that tested backups are in place to recover when one occurs.
Your Industry Needs
Although all industries need comprehensive data and cybersecurity infrastructure, the needs vary depending on the types of data stored and industry-specific regulatory requirements. Here is a short list of how Now Micro tailors its services to the cybersecurity needs of different industries:
Manufacturing
We protect your intellectual property, the core of your ability to be profitable for the long term, and put processes in place to ensure the reliability of manufacturing operations.
Healthcare
HIPAA and other compliance requirements are critical in the healthcare industry. We address these needs and ensure brand protection and secure connectivity, and we offer a unified security platform.
Small and Midsize Businesses
Each small and midsize business has its own unique needs, with expense management a key factor. Therefore, we provide affordable options, giving you access to the same level of expertise that large companies have at their disposal.
Retail
In a retail operation, the ability to continually process transactions without hiccups is critical. We help you ensure the reliability of your POS systems while also assisting with PCI DSS compliance needs.
Law & Finance
Legal and financial institutions and advisors need to secure sensitive data and are subject to intense compliance regulations. We help ensure all of these needs are met and that a backup system is in place to allow recovery in the event of an attack or failure.
Ready to Serve
Information technology and cybersecurity are overwhelming topics, but they don't have to be. Learn more about our comprehensive IT and cybersecurity services, or give Now Micro a call today, and we can work together to define a plan that meets your needs so that you can relax knowing that your business is well cared for.
Now Micro has recently launched a new vlog series called What's in the Lab. This series features Bernard Carter, Chief Technology Officer, going over the various media players we have in our lab. Our digital signage and IoT solutions and services help customers from a range of industries better procure, deploy, manage and secure their visual communication devices.
Our first video covers the Lenovo ThinkEdge SE30, a rugged media player built for hostile environments. The SE30 uses 11th Generation Intel® processors capable of running AI and machine learning workloads at the edge. The unit is fanless and operates in a thermal range of -20 to 60 °C.
Stay tuned to our YouTube channel every Thursday for the next 4 weeks to see how our solutions and services can take your IoT beyond the edge!
Now Micro, known for its expertise in computer hardware and services, introduces DICE, a software solution that helps organizations manage computing devices from the time of purchase and throughout the lifecycle of the product.
Last year and continuing today, the rapid shift to remote learning and work-from-home environments created challenges for IT departments, specifically in the areas of asset management, system security and tech support. Almost overnight, organizations had to purchase, configure and deploy computing devices to support an increased number of remote employees, students and educators. With this came all the associated technical support challenges, ranging from hardware malfunctions to internet connectivity and general usage problems such as logging into Zoom calls.
“You’d be surprised how many organizations are tracking device information in spreadsheets. DICE not only puts real-time device data at their fingertips, but allows for remote troubleshooting and restoration, saving time and eliminating costs associated with shipping a device back for repair,” says Bernard Carter, CTO at Now Micro.
Previously, organizations might have used numerous spreadsheets and invoices in different places to keep track of purchases, and separate software to enable remote technical assistance. Now Micro recognized the need for a software solution that enables quick access to device information through a centralized, real-time online portal. Streamlining device lifecycle management activities is crucial for organizations who have hundreds or thousands of devices under
DICE is available in three versions, with the base package included at no charge with every device purchased from Now Micro. Customers may upgrade to two paid versions that include the additional features outlined in the table below. Pricing is based on device count and administrator access.
Real time device status
Remote device support
Graphic adapter information
To learn more about Now Micro and DICE, visit nowmicro.com.
Now Micro is excited to announce Bernard Carter’s promotion to Chief Technology Officer. After working for the last year and a half as the Vice President of Technology, he will continue leading our commitment to innovating device lifecycle management for our partners.
Bernard Carter has a track record of success in infrastructure, security management, and software development at Fortune 500 companies and in the public sector. In 2013, Carter started working for Now Micro. Under his leadership, his teams have successfully developed hardware and software solutions for IoT, digital signage and device lifecycle management.
How is this new role different from your previous?
BC: My previous role was Vice President of Technology. This new position reflects our changing role with our customers from procuring devices to really being an integral piece of the device lifecycle management journey. The concept is a message we have been communicating to our customers for years, but I do think this new role really doubles down on Now Micro’s commitment to be part of the journey/solution and moving beyond a transactional relationship to true partnership.
Anything you would like to plug about DICE?
BC: Our official launch of DICE 4 is next month. I am beyond excited about this release as it reflects feedback from our customers, consultants and technicians. Having a team to bring all of it together is a distinct privilege for me as it reflects the trust the organization has placed in us building our future with customers.
What are you looking forward to in this role and for Now Micro in general?
BC: Leading a focused technology organization has always been a dream of mine. My team at Now Micro really gets that technology is more than buying a box; the effectiveness of our technology really has a huge human component, and that value is reflected in this organization and our mission. I am also looking forward to eventually meeting with customers face to face again and having some time to build technology demos/talks to share.
The 2020-2021 school year has been one of the most innovative and challenging times in educational technology. According to a survey conducted by the United States Census Bureau, 80% of households with school-age children used online resources for distance learning in 2020, so having the right equipment is essential for quality education. Schools, and businesses too, have had to react quickly to procure, customize and distribute technology to their users. For many districts and universities this is an impossible feat without support from a partner like Now Micro.
Over the next month, Now Micro will procure, warehouse, customize and distribute more than 30,000 Chromebooks to students and educators. Flexibility in our warehouse and production processes, combined with highly trained technicians, allows us to produce roughly 1,000 units a day in our Saint Paul, MN facility.
As a Certified Google White Glove service provider, Now Micro manages the enrollment and configuration of Chromebooks on behalf of the schools. This service saves K-12 schools and universities time, money and organizational headaches and allows them to focus on education.
The Now Micro Certified White Glove Services for Chromebooks include:
Enrollment of the device to the customer domain
Enterprise enrollment and validation
Application of network configuration settings
Wireless Configuration (Wi-Fi SSID and Pre-shared key)
Management Console Training
Now Micro Imaging services:
Populate custom fields in the Google Chromebook Management Console with your required data
Assign devices to the correct organization unit
Utilize Now Micro’s DICE Portal to allow you to see all of your devices combined with purchasing and hardware data in an easy to use, exportable format
To learn how Now Micro can help your organization meet its technology needs, visit https://www.nowmicro.com/ or contact Marty Linden, Vice President of Sales at email@example.com
The Most Notable Microsoft Teams Announcements of 2020 (through Oct)
The latter part of 2020 has seen a flurry of updates, previews and announced roadmap items for Microsoft Teams. Let us look at the announcements that are likely to have the most impact.
HealthCare: Virtual Rounding and Care Coordination
2020 has been a stressful time for healthcare professionals across the globe. From exposure risks to PPE shortages, healthcare providers are turning to technology for solutions. Microsoft has answered this call by announcing Virtual Rounding and Care Coordination.
Virtual Rounding is a Teams app that aims to reduce exposure while healthcare professionals do their daily checkups on their patients. The goal is to limit contact with infected or vulnerable patients by using portable carts equipped with a video screen, microphones, cameras and speakers. This allows healthcare professionals to maintain distance when physical presence is not needed for diagnosis or treatment.
Care Coordination, which began its private preview on October 1st, allows healthcare teams to aggregate patient data, share care plans and test results, and communicate with each other regardless of physical location, all on a platform that can be configured to meet HIPAA requirements. The introduction of Teams for care coordination aims to improve efficiency while minimizing exposure.
SharePoint home sites for Teams
The SharePoint home site experience announced in 2019 allows organizations to create a new intranet site, or migrate their existing one, on SharePoint. With the increasing ability to embed your organization's apps and resources into Microsoft Teams, many organizations are hoping Teams will become the single pane of glass for all their needs.
So why create a home site to serve as your organizations intranet if it will detract from all the work you have done in teams?
Enter the SharePoint home site app for Teams. This home site app allows you to deploy your intranet home site through the Teams client.
The announcement came to us in September 2020 and we are eagerly awaiting release details.
Breakout Rooms
Many in-person conferences and events include a keynote or introductory session that all attendees are present for before breaking into smaller groups for more granular content. Recreating this experience virtually has proven difficult. Microsoft Teams Breakout Rooms aims to simplify it.
Teams Breakout Rooms will allow a meeting organizer to split attendees into smaller groups and bring everyone back together without the need to drop and rejoin multiple meetings.
The announcement for Teams Breakout Rooms came in July, and we hope to see previews or general availability before the end of 2020.
Advanced Communication Add-on
2020 has seen an interesting race between collaboration platforms to support more attendees, more features and more video feeds. The majority of normally in-person conferences, large presentations and even college orientations have been converted to virtual events. 2020 more than ever has created a need for very large virtual events.
Microsoft's answer to this need is the Advanced Communications add-on. At release, the add-on increased the maximum attendees for Teams live events to 20,000.
Features coming later this year include:
Teams meeting maximum members increase to 1,000
The ability for a Teams meeting to have up to 20,000 overflow participants in a view-only meeting experience
Custom Lobby Branding
To take advantage of these features, the organizer of the meeting or live event will need the Advanced Communications add-on, currently priced at $12 per user per month. Attendees DO NOT need the add-on. There is also a 60-day trial available through the admin center.
Considering this new and not quite yet saturated market, I would expect to see more feature announcements coming soon.
Custom Meeting Layouts
If you are looking to make a good impression on clients or impress your coworkers with your big presentation, Microsoft may have given you a secret weapon. Teams custom meeting layouts allow you, the presenter, to customize what attendees are seeing. Microsoft Ignite gave us a preview of new technology that overlays the presenter on a PowerPoint slide. Who knows, maybe someday virtual meetings will look more professional than traditional in-person meetings with half the effort!
Evaluating Services and Hardware for Remote Collaboration
What Should You Consider?
Events in early 2020 forced nearly every industry to reconsider at least some part of how their employees communicate and collaborate. Some organizations had a high level of maturity with collaboration and conferencing tools, while others made hasty decisions on tools and hardware to prevent disruptions in the workforce.
Looking back six months later, even if some miracle technology ends the global health crisis tomorrow, the idea of working remotely is most certainly a cat running free of its proverbial bag. As IT decision makers and admins, it is time to look back at the solutions and decisions we made at the beginning of the year and ask the following questions:
Are our users empowered or hindered by our communications and collab tools?
Are the services and solutions we spun up the best fit and return on investment?
Are the services and solutions secure and compliant?
Have we been able to integrate our existing apps and services into our new solutions?
Do our users have the right hardware and peripherals to leverage the services?
In this blog post I would like to highlight a common crossroads that most organizations find themselves at. I hope to dissect the most popular tools and services on the market and get the reader to consider some things they may not have otherwise.
What Kind of Tool Am I Looking For?
Let us look at the functionalities that logically separate each tool. Most tools are not limited to a single functionality, so evaluating what each tool can do and whether you can leverage the functionality now or in the future is important.
Conferencing solutions have been a staple of the professional world for over a decade. However, many organizations found a drastic increase in the number of users who required a meeting/conferencing tool to do their jobs in the early months of 2020. What defines a conferencing/meeting solution?
Video and audio meetings
While conferencing/meeting solutions can certainly fall within the realm of collaboration, more purpose-built apps for team collaboration are available. Some of the features common to tools built for collaboration are:
Integrated file shares
Shared application within a collaboration tool wrapper
PSTN Calling Services
Working remotely can present a challenge to organizations reliant on on-premises resources for telephony. Ideally, we do not want to be backhauling VoIP calls through the VPN to our network only to send them back out to the end destination. Cloud PBX options have matured rapidly over the past five years, and it is not uncommon to find a VoIP solution integrated with other collaboration tools. Examples of PSTN calling services are:
Cloud PBX – Place calls over the public switched telephone network (Hard or Soft Phones)
What Should You Consider When Selecting a Conferencing/Collaboration Tool?
Whether you are evaluating a new or existing tool, it is important to identify what considerations will be most pertinent to your choice. Those considerations can act as a filter and help you to identify which choice may or may not be right for your organization.
What tools are you already leveraging? Does your organization have familiarity with a vendor already? Is there existing cloud infrastructure you can leverage in the new tool?
How will the tool be used? Considering how existing tools are being used and how they may be used in the future can help you narrow in on the appropriate choice.
Who will be using the tool? Most organizations do not have the luxury of a single business unit with similar user types. Often tools that are a good fit in one department may not lend themselves to another. Taking stock of the needs of each business unit can inform your selection.
How much is the tool going to cost? The pricing a vendor may offer is only a piece of the total cost. It is important to consider if any other tools can be retired as the new tool is put in place. An addition in licensing for one tool may result in an elimination or reduction in the licensing for another.
Do you already have licensing or partial licensing? Many vendors such as Microsoft or Google package total or partial licensing for these tools with licensing you may already own. It may be possible to pilot or even rollout a new tool with no additional licensing cost.
How willing are your users to adopt a new tool? Tolerance of change is something that varies drastically from organization to organization. Communication, training, and evangelism for technology changes can be the difference between grateful, productive users and confused, reluctant users.
What is it going to take to manage the tool? Fortunately, the labor investment to manage most cloud tools is minimal compared to legacy systems of the past. However, it is important to consider configuration and troubleshooting when factoring in management costs.
Comparing Conferencing Solutions
Let us look at some of the most popular conferencing solutions. How do they stack up?
Comparing Collaboration Tools
In contrast to the conferencing solutions, a good collaboration tool should be the hub of your organization's business units. Features like document co-authoring and integrated file shares have been around a while but are more important in a remote collaboration scenario. Collaboration tools can also act as a single pane of glass for files, chats and the apps your users need to access.
Google
Persistent Chat = Google Rooms
File Share/File Collaboration = Google Drive, document co-authoring
Notes = Google Keep (collaborative?)
App integration = Support through third-party apps like Zapier
Slack
Persistent Chat = Slack Channels, public and private
File Share/File Collaboration = File sharing through channel attachments
Notes = No
App integration = No native support
Microsoft Teams
Persistent Chat = Teams Channels, public and private
File Share/File Collaboration = Microsoft 365 Groups backend, with a SharePoint library for each Team/Channel, document co-authoring
Notes = OneNote shared notebooks
App integration = Prebuilt app integration for most apps; free app development tools for custom apps
Hardware and Device Considerations
In 2020 we are lucky to have a multitude of services to enable remote workers and drive collaboration even when we are apart. After we have done our evaluations and made our choices, how do we make sure our users are getting the best out of the tools we have provided? How do we make sure we are putting our best foot forward to our clients?
One key area is evaluating the devices these tools will be used on. We have all been in a meeting where we could not see or properly hear some of the participants. While sometimes that is the fault of the service itself or of downstream network issues out of our control, we can prevent issues that arise from outdated or legacy devices. The way we approach collaboration has changed, so it follows that the devices we collaborate on will change as well.
Are the integrated cameras in our devices sufficient?
Low light quality?
Changes in lighting equipment?
Integrated microphones and speakers can be problematic
Do your users need to be mobile while collaborating/conferencing?
Headsets or conference speakers?
As collaboration services integrate themselves into our day to day, looking for ways to improve our interaction with them is a natural next step. Luckily the choices for purpose-built hardware that pair with almost any service are increasing every day.
Conferencing Room Hardware
High quality conferencing hardware dedicated to a specific space
Microsoft Teams and Zoom Solutions (Surface Hub, Zoom Rooms)
Audio and video solutions
May include whiteboards or touchscreens
Mobile Collaboration Stations/Bars
Cheaper alternatives to dedicated room setups
Does not have to be a dedicated to specific space
Offers more options for conferencing and presenting space
In summary, as we push into a new collaboration paradigm, it is important that we select the appropriate tools to enable collaboration, and also that we provide the proper training, support and hardware to get a full return on our investments.
No matter the umbrella a solution is placed under (IoT, visual communications, or embedded), endpoints are driving more real-world use cases while also generating and processing ever-increasing amounts of information. Generating data shouldn't be the end goal; the insights and actions generated from it are what drive value. Traditionally this data is uploaded and processed in cloud-based infrastructure. Edge computing changes this pattern by performing latency-sensitive and data-intensive computation local to the source of the data, unlocking additional capabilities while containing cloud infrastructure costs.
Several common types of solutions can benefit from edge computing. Video analytics is an example of a workload that can be cost-prohibitive to run in cloud-driven infrastructure from a bandwidth and resources perspective. Not sending a constant stream of video frames to the cloud greatly reduces the cloud infrastructure needed to support the workload. Moving video analytics to an edge computing device also unlocks additional capabilities by lowering latency, including customizing messages to the audience and providing attribution in Digital Out of Home (DOOH) communication applications.
Other data-driven, real-time and responsive applications that can show significant benefit from edge computing:
• Container application platform
• Content caching
• Rapid device provisioning and restoration
Now Micro has built a number of solutions on our existing Visual Data Device (VDD) and Edge Cluster platforms:
• ImageSync – A high-performance, secure file synchronization and system imaging/provisioning solution
• Edge Cluster – A compact, high-performance platform for containerized applications
We consider these solutions only the beginning of the possibilities of Edge Computing. There are numerous application specific workloads that can benefit from low latency and high performance computing on-premise. We look forward to working with integrators, ISVs and end customers to help design and build these future looking solutions.
For further information:
• To view our full range of IoT/Digital Signage devices: https://nowmicroplayers.com
• High-performance Visual Data Device specification computing appliances: https://nowmicroplayers.com/Solutions/VisualDataDevice
• Our new container-optimized workload device: https://nowmicroplayers.com/Embedded/Product/DMPN-7i3-i5-i7-Cluster
Even before the events of early 2020, many organizations and much of the workforce were realizing the benefits of telecommuting. With a changing world, even the most die-hard “butts in seats” workplace cultures have had to adapt. For some, trusting their flock to work efficiently and productively with little oversight can be a source of anxiety. While the shift to working remotely may take some getting used to for everyone, a net positive in productivity is usually the result.
So, your staff is no longer right outside your office door and the conversations in the break room are no longer there to give you insight. How do you measure your staff's productivity? Luckily, the Microsoft 365 Usage Analytics app allows us to pull data from Teams, Outlook, OneDrive, SharePoint, Yammer and more into a sortable, consumable Power BI report.
To install the Microsoft 365 Usage Analytics app, you will need at least one Power BI Pro license. If you would like to demo the app, you can sign up for a free Power BI Pro trial.
If the report is shared with additional users, they will also need a Power BI Pro license to view the report.
All the sorting done by the Microsoft 365 Usage Analytics app is based on Azure AD user object attributes. It is recommended that you make sure the following attributes are populated and current before you connect the report; otherwise the slicers will group most users under blank values.
To connect your organization's data, you will need your tenant ID. The tenant ID can be obtained from the overview page in Azure Active Directory; directions are included below in this post.
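Because the report slices on directory attributes, it is worth auditing them before connecting the data. The following PowerShell script is an added example, not part of the original post, that retrieves the tenant ID and lists enabled member accounts with blank values for a set of attributes. It assumes the Microsoft Graph PowerShell SDK is installed and that you can consent to read-only directory scopes; the attribute list itself is an assumption for illustration, so replace it with the attributes your report actually groups by.

```powershell
# Added example (not from the original post): audit Azure AD user attributes that
# the Microsoft 365 Usage Analytics report groups by, and print the tenant ID.
# Requires the Microsoft.Graph PowerShell module; read-only scopes are sufficient.
Connect-MgGraph -Scopes 'User.Read.All', 'Organization.Read.All'

# Tenant ID: the same GUID shown on the Azure Active Directory overview page.
$tenantId = (Get-MgOrganization).Id
Write-Host "Tenant ID: $tenantId"

# Assumed list of attributes used for report slicing (hypothetical; adjust to taste).
$requiredAttributes = @('Department', 'JobTitle', 'Country', 'City', 'CompanyName')

# Request only the properties we need. -All pages through the whole directory;
# the filter skips guests and disabled accounts, which the report does not track.
$users = Get-MgUser -All `
    -Filter "accountEnabled eq true and userType eq 'Member'" `
    -Property (@('Id', 'UserPrincipalName') + $requiredAttributes)

# One row per user that is missing at least one attribute.
$report = foreach ($u in $users) {
    $missing = $requiredAttributes | Where-Object { [string]::IsNullOrWhiteSpace($u.$_) }
    if ($missing) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            MissingAttributes = ($missing -join ', ')
        }
    }
}

$report | Sort-Object UserPrincipalName | Format-Table -AutoSize
'{0} of {1} enabled member accounts are missing one or more attributes.' -f @($report).Count, @($users).Count

# Hand the gaps to whoever maintains the HR feed or directory sync.
$report | Export-Csv -Path '.\usage-analytics-attribute-gaps.csv' -NoTypeInformation
```

The export is the useful artifact: attribute gaps are normally fixed upstream (HR system or Azure AD Connect sync rules), not by hand in the portal, and the report's refresh will pick the corrected values up on its next scheduled run.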
Enable Power BI Reporting For Your Tenant
In order for Power BI to access your organizational data, you must enable Power BI reporting within your tenant.
Enabling Power BI Reporting
In the Microsoft 365 admin center, open the Services and add-ins configuration page.
Click on “Reports”, select the option to “Make report data available to Microsoft 365 usage analytics for Power BI” and click “Save Changes”.
Selecting the option “Display anonymous identifiers instead of user, group, or site names in all reports” obscures user-identifiable data in the reports. This option still lets you discern organizational trends without exposing per-user activity, which matters if the report will be shared beyond the people who would normally see individual usage data.
Retrieving Your Tenant ID
Navigate to Azure Active Directory overview page.
Sign in with an appropriate admin account.
The Tenant ID is located near the top of the page.
Installing the M365 Usage Analytics App
Navigate to the Power BI portal and sign in with a global admin account that has a Power BI Pro license.
The app automatically creates its own workspace upon installation. For this reason we can begin by clicking “My Workspace” and then “Get” under “Discover Content >> My Organization”.
The easiest way to find the app is to search for “usage” in the search bar. Once you have found the Microsoft 365 Usage Analytics app, click “Get it now”.
After waiting for Power BI to Install the app, click the apps icon.
The next screen gives three options. You can populate the app with sample data before connecting to your organization's analytics, explore the workspace created along with the app, or connect your organization's data. If you're comfortable pulling in your organizational data, click “Connect” under “Connect your data”.
For Power BI to find your data, you will need to input your tenant ID. Instructions for finding your tenant ID are above. Enter the tenant ID in the field and click “Next”.
By default, the dataset created does a one-time pull. To see updated data each day or week, you will need to configure the refresh schedule. You can also configure alerting on refresh failures. When the app was installed, a new workspace was created to house the report and dataset. To access the refresh settings, we will first find and open that workspace.
Click on “Workspaces” in the left-hand blade and select the “Microsoft 365 Usage Analytics” workspace.
Click on “Datasets” within the workspace ribbon and expand the ellipsis under “Actions”. From the drop-down menu, select “Settings”.
Expand “Schedule Refresh”. Make sure the radio button for “Keep your data up to date” is turned on. Configure your preferred refresh interval (Daily or Weekly). You can add additional times if you would prefer multiple refreshes per day. If you wish to alert on failed refreshes, you can configure the notification settings. Click apply when finished.
Viewing the Report
From the workspace dashboard, select “Reports” from the ribbon and click “Microsoft 365 Usage Analytics”.
You now have all your data in a prebuilt report ready for consumption.
Sharing the Report
If you wish to share the report with others, from the “Reports” page click “Share” in the upper right-hand corner.
Note: Any user the report is shared with will need a Power BI Pro license to view the report.
From the share dialogue, you can add multiple recipients and dictate whether those recipients can re-share the report. Deselect the “Allow recipients to build new content…” option if you do not want recipients to have access to the underlying dataset; otherwise they can build their own reports over the raw per-user activity data rather than just viewing the one you shared.
Obviously, there is a lot more to cover with the Microsoft 365 Usage Analytics app and Power BI. I hope to cover manipulating the dataset and building customized reports in a future blog post. Thank you for reading!
As technology continues to improve and the workplace continues to evolve, remote workers have become more common. Effectively supporting these remote workers means re-evaluating legacy remote access solutions. This post will look at Microsoft's current remote access solution, Always On VPN.
Always On VPN is a Microsoft remote access solution built into Windows 10. Microsoft has positioned Always On VPN as the replacement for its older remote access solution, DirectAccess.
When planning a deployment of Always On VPN, keep in mind that it is a solution for users or devices that need remote access to resources on a corporate network. Users who only need cloud resources, and devices managed by cloud-enabled tools, may not require a VPN connection at all.
How Does Always On VPN Work?
Always On VPN allows a client to automatically establish a VPN connection without any user interaction. The technology that makes this possible is the VPNv2 CSP node built into Windows 10. This CSP (configuration service provider) allows the built-in Windows 10 VPN client to be configured using an MDM solution such as Intune, or through PowerShell.
The server side of a typical Always On VPN deployment requires at least one VPN server and one authentication (RADIUS) server. A common solution is Windows Server with the Routing and Remote Access role installed for the VPN server and Windows Server with the Network Policy Server role installed for the RADIUS server. However, these do not need to be Microsoft servers; third-party solutions or appliances can be used. Additionally, a certificate authority is required to issue certificates to the servers and clients. The certificates authenticate the VPN connection: the VPN and NPS servers present server certificates, while clients present a user certificate for a user tunnel or a machine certificate for a device tunnel.
The Windows 10 VPN client can be configured to connect a user authenticated tunnel or a device authenticated tunnel. Both types of tunnels can be connected simultaneously if required.
The User Tunnel is established when a user logs into a computer. This type of tunnel is ideal for granting access to file shares or applications.
Here is a high-level overview of the connection process for an Always On VPN user tunnel.
The VPN client sends a connection request to the external IP address of the VPN server
The edge firewall passes the connection request to the external interface of the VPN server
The VPN server passes the connection request to the RADIUS server. The connection request leaves via the internal interface of the VPN server and passes through the internal firewall
The RADIUS server receives and authenticates the connection request
The RADIUS server returns an accept or deny response to the VPN server
The VPN server allows or denies the connection request based on the response from the RADIUS server
The Device Tunnel is established as soon as a computer is powered on and connected to the internet. A user does not need to be logged into a computer for a device tunnel to connect. This type of tunnel is ideal for granting access to Active Directory or other management servers like Configuration Manager.
Here is a high-level overview of the connection process for an Always On VPN device tunnel.
The VPN client sends a connection request to the external IP address of the VPN server
The edge firewall passes the connection request to the external interface of the VPN server
The VPN server validates the computer authentication certificate of the client and allows or denies the connection request
Notice that the device tunnel does not use RADIUS for authentication. The VPN server performs the authentication itself. This prevents device tunnels from taking advantage of more advanced Always On VPN features like conditional access and multi-factor authentication. For more guidance on when to utilize device tunnels refer to this post.
Always On VPN utilizes familiar VPN infrastructure, which means that it can also utilize familiar VPN protocols. There are two main protocols that make the most sense to use when working with Always On VPN.
Internet Key Exchange version 2 (IKEv2) has good security and good performance. Its ability to automatically re-connect after a short interruption gives it good reliability as well. The primary concern with using IKEv2 is that communication happens on UDP 500 and UDP 4500. This makes it more likely that the connection will be blocked by firewalls.
Note that when using an Always On VPN device tunnel, IKEv2 is the only supported protocol.
Secure Socket Tunneling Protocol (SSTP) also has good security, and good performance. The main benefit of using SSTP is that communication happens on TCP 443, so it is very unlikely that it will be blocked anywhere. The downsides to SSTP are that it is not quite as secure as IKEv2, and it does not handle connection interruptions as well.
As I mentioned earlier, Always On VPN utilizes the built-in Windows 10 VPN client. This client is configured using the VPNv2 CSP node. Configuring the settings in the VPNv2 CSP node can be accomplished using an XML file. Once the XML file is created, it can be deployed to systems through Intune or through Configuration Manager using PowerShell. For more information on the XML configuration and deployment, see the Microsoft Documentation.
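As an added example (not the post's own script, nor Microsoft's sample), here is a device-tunnel ProfileXML applied through the VPNv2 CSP from PowerShell, the path a Configuration Manager deployment would take. It assumes placeholder names for the VPN server, trusted-network DNS suffix, management subnet and DNS servers; the CSP node path, WMI namespace and class name are the ones the VPNv2 CSP exposes.

```powershell
# Added example (not the post's own script): registers an Always On VPN device
# tunnel profile on a Windows 10 client through the VPNv2 CSP, using the
# WMI-to-CSP bridge (namespace root\cimv2\mdm\dmmap, class MDM_VPNv2_01).
# Must run in the SYSTEM context (for example as a ConfigMgr package), since a
# device tunnel lives in the machine context. All host names and addresses
# below are placeholders, not values from the post.
$ProfileName        = 'AOVPN Device Tunnel'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'

# IKEv2 with a machine certificate is the only combination a device tunnel
# supports. SplitTunnel plus DisableClassBasedDefaultRoute means only the
# explicitly listed route (the AD / ConfigMgr subnet) is reachable over the VPN.
$ProfileXML = @'
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RememberCredentials>true</RememberCredentials>
  <TrustedNetworkDetection>corp.example.com</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
  </NativeProfile>
  <Route>
    <Address>10.10.0.0</Address>
    <PrefixSize>24</PrefixSize>
  </Route>
  <DomainNameInformation>
    <DomainName>.corp.example.com</DomainName>
    <DnsServers>10.10.0.10,10.10.0.11</DnsServers>
  </DomainNameInformation>
</VPNProfile>
'@

# The CSP stores ProfileXML as a string property, so the XML is entity-escaped.
$ProfileXML = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_VPNv2_01'
$nodeCSPURI    = './Vendor/MSFT/VPNv2'

# Build the CSP instance: ParentID and InstanceID are keys, ProfileXML the payload.
$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
foreach ($p in @(@('ParentID', $nodeCSPURI, 'Key'), @('InstanceID', $ProfileNameEscaped, 'Key'), @('ProfileXML', $ProfileXML, 'Property'))) {
    $newInstance.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create($p[0], $p[1], 'String', $p[2]))
}
(New-CimSession).CreateInstance($namespaceName, $newInstance)
```

After deployment, `Get-VpnConnection -AllUserConnection` should list the profile in the machine context, which is a quick check that the tunnel was created where a device tunnel belongs rather than in a user's profile.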
This post was a high-level look at the technology behind Always On VPN. For a detailed guide on creating a basic Always On VPN deployment, refer to the Microsoft Documentation. I would also recommend reading Richard Hicks’s blog. Additionally, Now Micro will be hosting a Tech Connect webinar on Always On VPN next month (May 2020). More details can be found on our Events Page.