Always On VPN Overview

As technology continues to improve and the workplace continues to evolve, remote workers have become more common. Effectively supporting these remote workers means re-evaluating legacy remote access solutions. This post will look at Microsoft’s current remote access solution, Always On VPN.

Always On VPN is a Microsoft remote access solution that is built into Windows 10. Microsoft has positioned Always On VPN as the replacement for their older remote access solution (DirectAccess).

When planning a deployment of Always On VPN, keep in mind that it is a solution for users or devices that need remote access to local resources on a corporate network. Users who only need cloud resources, and devices managed by cloud-enabled tools, may not require a VPN connection at all.

How Does Always On VPN Work?

Always On VPN is a solution that allows a client to automatically establish a VPN connection without any user interaction. The technology that makes this possible is the VPNv2 CSP node, which is built into Windows 10. This CSP (configuration service provider) allows the built-in Windows 10 VPN client to be configured using an MDM solution such as Intune, or with PowerShell.

The server side of a typical Always On VPN deployment requires at least one VPN server and one authentication (RADIUS) server. A common solution is to use Windows Server with the Routing and Remote Access role installed for the VPN server, and Windows Server with the Network Policy Server role installed for the RADIUS server. However, these servers do not need to be Microsoft servers; third-party solutions or appliances can be used. Additionally, a certificate authority is required to issue certificates to the servers and clients. The certificates are used to authenticate the VPN connection.

The Windows 10 VPN client can be configured to connect a user-authenticated tunnel or a device-authenticated tunnel. Both types of tunnels can be connected simultaneously if required.

User Tunnel

The User Tunnel is established when a user logs into a computer. This type of tunnel is ideal for granting access to file shares or applications.

Here is a high-level overview of the connection process for an Always On VPN user tunnel.

  1. The VPN client sends a connection request to the external IP address of the VPN server
  2. The edge firewall passes the connection request to the external interface of the VPN server
  3. The VPN server passes the connection request to the RADIUS server. The connection request leaves via the internal interface of the VPN server and passes through the internal firewall
  4. The RADIUS server receives and authenticates the connection request
  5. The RADIUS server returns an accept or deny response to the VPN server
  6. The VPN server allows or denies the connection request based on the response from the RADIUS server

Device Tunnel

The Device Tunnel is established as soon as a computer is powered on and connected to the internet. A user does not need to be logged into a computer for a device tunnel to connect. This type of tunnel is ideal for granting access to Active Directory or other management servers like Configuration Manager.

Here is a high-level overview of the connection process for an Always On VPN device tunnel.

  1. The VPN client sends a connection request to the external IP address of the VPN server
  2. The edge firewall passes the connection request to the external interface of the VPN server
  3. The VPN server validates the computer authentication certificate of the client and allows or denies the connection request

Notice that the device tunnel does not use RADIUS for authentication. The VPN server performs the authentication itself. This prevents device tunnels from taking advantage of more advanced Always On VPN features like conditional access and multi-factor authentication. For more guidance on when to utilize device tunnels refer to this post.

VPN Protocols

Always On VPN utilizes familiar VPN infrastructure, which means that it can also utilize familiar VPN protocols. Two protocols make the most sense when working with Always On VPN.

IKEv2

Internet Key Exchange version 2 (IKEv2) has good security and good performance. Its ability to automatically re-connect after a short interruption gives it good reliability as well. The primary concern with using IKEv2 is that communication happens on UDP 500 and UDP 4500. This makes it more likely that the connection will be blocked by firewalls.

Note that when using an Always On VPN device tunnel, IKEv2 is the only supported protocol.

SSTP

Secure Socket Tunneling Protocol (SSTP) also has good security and good performance. The main benefit of using SSTP is that communication happens on TCP 443, so it is very unlikely that it will be blocked anywhere. The downsides to SSTP are that it is not quite as secure as IKEv2, and it does not handle connection interruptions as well.

ProfileXML

As I mentioned earlier, Always On VPN utilizes the built-in Windows 10 VPN client. This client is configured using the VPNv2 CSP node. Configuring the settings in the VPNv2 CSP node can be accomplished using an XML file. Once the XML file is created, it can be deployed to systems through Intune or through Configuration Manager using PowerShell. For more information on the XML configuration and deployment, see the Microsoft Documentation.
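To make the user tunnel and device tunnel sections above and the ProfileXML workflow concrete, here is an added example (written for this page, not code from the original post or from Microsoft). It builds a VPNv2 CSP ProfileXML for either tunnel type and writes it into the VPNv2 CSP node through the MDM bridge WMI class (`root\cimv2\mdm\dmmap`, `MDM_VPNv2_01`), which is the same path an Intune or Configuration Manager PowerShell deployment takes. The function names `New-AovpnProfileXml` and `Install-AovpnProfile`, the host names `vpn.example.com` and `corp.example.com`, the routes and the profile name are all constructed placeholders; the CSP element names, the WMI namespace and class, and the custom option names are the real ones the VPNv2 CSP uses.

```powershell
# Added example, not from the original post or from Microsoft. Builds a VPNv2 CSP
# ProfileXML for an Always On VPN user or device tunnel and writes it to the VPNv2 CSP
# node via the MDM bridge WMI class. Host names, routes and profile names are placeholders.

function New-AovpnProfileXml {
    param(
        [Parameter(Mandatory)] [string]   $VpnServer,      # public FQDN of the VPN server
        [Parameter(Mandatory)] [string]   $DnsSuffix,      # internal suffix; also drives trusted network detection
        [Parameter(Mandatory)] [string[]] $InternalRoutes, # CIDR prefixes to route through the tunnel
        [string] $EapConfigXml,                            # EapHostConfig XML exported from a working user connection
        [switch] $DeviceTunnel
    )
    $routes = foreach ($r in $InternalRoutes) {
        $addr, $prefix = $r -split '/'
        "  <Route><Address>$addr</Address><PrefixSize>$prefix</PrefixSize></Route>"
    }
    if ($DeviceTunnel) {
        # Device tunnel: the VPN server checks the machine certificate itself; RADIUS is not involved.
        $auth  = '<Authentication><MachineMethod>Certificate</MachineMethod></Authentication>'
        $extra = "<DeviceTunnel>true</DeviceTunnel>`n  <RegisterDNS>true</RegisterDNS>"
    } else {
        # User tunnel: EAP (PEAP or EAP-TLS) is relayed by the VPN server to the RADIUS server.
        if (-not $EapConfigXml) { throw 'A user tunnel requires an EapHostConfig XML blob.' }
        $auth  = "<Authentication><UserMethod>Eap</UserMethod><Eap><Configuration>$EapConfigXml</Configuration></Eap></Authentication>"
        $extra = '<RememberCredentials>true</RememberCredentials>'
    }
    # IKEv2 is the only protocol a device tunnel supports. The CryptographySuite pins the IKEv2
    # proposals instead of relying on defaults; it must match the RRAS server's settings
    # (Set-VpnServerConfiguration) or the connection fails during IKE negotiation.
@"
<VPNProfile>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    $auth
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
    <CryptographySuite>
      <AuthenticationTransformConstants>GCMAES128</AuthenticationTransformConstants>
      <CipherTransformConstants>GCMAES128</CipherTransformConstants>
      <EncryptionMethod>AES128</EncryptionMethod>
      <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
      <DHGroup>Group14</DHGroup>
      <PfsGroup>PFS2048</PfsGroup>
    </CryptographySuite>
  </NativeProfile>
$($routes -join "`n")
  <AlwaysOn>true</AlwaysOn>
  <DnsSuffix>$DnsSuffix</DnsSuffix>
  <TrustedNetworkDetection>$DnsSuffix</TrustedNetworkDetection>
  $extra
</VPNProfile>
"@
}

function Install-AovpnProfile {
    param(
        [Parameter(Mandatory)] [string] $ProfileName,
        [Parameter(Mandatory)] [string] $ProfileXml,
        [switch] $DeviceTunnel
    )
    $namespaceName = 'root\cimv2\mdm\dmmap'
    $className     = 'MDM_VPNv2_01'
    $nodeCspUri    = './Vendor/MSFT/VPNv2'
    $instanceId    = $ProfileName -replace ' ', '%20'   # the CSP node name is the URL-escaped profile name
    $escapedXml    = $ProfileXml -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

    $session = New-CimSession
    $options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
    if (-not $DeviceTunnel) {
        # The script runs as SYSTEM; a user tunnel must be written into the logged-on user's context.
        $user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
        $sid  = ([System.Security.Principal.NTAccount]$user).Translate([System.Security.Principal.SecurityIdentifier]).Value
        $options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
        $options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id', $sid, $false)
    }
    # Replace an existing profile of the same name instead of failing on a duplicate key.
    foreach ($old in $session.EnumerateInstances($namespaceName, $className, $options)) {
        if ($old.InstanceID -eq $instanceId) { $session.DeleteInstance($namespaceName, $old, $options) }
    }
    $instance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
    foreach ($p in @(
            @{ Name = 'ParentID';   Value = $nodeCspUri; Flags = 'Key' },
            @{ Name = 'InstanceID'; Value = $instanceId; Flags = 'Key' },
            @{ Name = 'ProfileXML'; Value = $escapedXml; Flags = 'Property' })) {
        $instance.CimInstanceProperties.Add(
            [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Flags))
    }
    $session.CreateInstance($namespaceName, $instance, $options)
}

# Usage (run as SYSTEM, e.g. from a Configuration Manager package). Device tunnel shown;
# for a user tunnel pass -EapConfigXml and drop -DeviceTunnel from both calls.
$xml = New-AovpnProfileXml -VpnServer 'vpn.example.com' -DnsSuffix 'corp.example.com' `
    -InternalRoutes '10.0.0.0/8', '192.168.10.0/24' -DeviceTunnel
Install-AovpnProfile -ProfileName 'Example Device Tunnel' -ProfileXml $xml -DeviceTunnel
```

For the user tunnel, the `EapConfigXml` blob is normally obtained by configuring one connection by hand with the desired EAP settings and reading it back with `(Get-VpnConnection -Name 'Template').EapConfigXmlStream.InnerXml`; that blob carries the NPS server names and the trusted root CA thumbprint the client will enforce, so it is worth reviewing before it is pushed to every machine. The device tunnel branch follows the page's description: IKEv2 only, machine certificate checked on the VPN server, no RADIUS, so none of the conditional access or MFA features apply to it.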

Additional Reading

This post was a high-level look at the technology behind Always On VPN. For a detailed guide on creating a basic Always On VPN deployment, refer to the Microsoft Documentation. I would also recommend reading Richard Hicks’s blog. Additionally, Now Micro will be hosting a Tech Connect webinar on Always On VPN next month (May 2020). More details can be found on our Events Page.

Raspberry Pi 3 and Windows 10 IoT Core For Digital Signage

I’ve been a fan of the Raspberry Pi since its first release and have used them for various small-scale server tasks throughout the years in personal projects in my lab. When Windows 10 IoT Core was announced, I was excited to finally have an inexpensive embedded Windows test bed. I ended up buying a Raspberry Pi 3b, the 7″ touch screen and a case to contain it all. Continue reading “Raspberry Pi 3 and Windows 10 IoT Core For Digital Signage”

IoT Security Considerations

IoT Security Considerations and Now Micro IoT Player

IoT security has become a discussion point in many organizations after recent reports of compromised IoT devices crippling critical pieces of internet infrastructure via Distributed Denial of Service (DDoS) attacks. Recent digital compromises of high-profile companies and organizations, combined with these DDoS attacks, have raised the visibility of IoT/embedded device security and placed critical questions near the top of any organization’s device selection criteria.

Continue reading “IoT Security Considerations”

Intro to Windows IoT Core

Digital Signage Ecosystem

Digital signage is becoming a seamless and ubiquitous part of our physical world in the 21st century. We often consume the information on these displays without realizing exactly what has occurred in public and private spaces. Displays giving us directions, advertisements and ambiance have become a critical way of communicating dynamic information. Continue reading “Intro to Windows IoT Core”

Skype for Business Voice and PSTN Calling

With Microsoft’s announcement of the new E5 plans, Micah Linehan, Now Micro’s Cloud Sherpa, evaluates what this gives us.

I have had the pleasure over the past several months to be a part of the Skype for Business closed preview, and there are a few things that I am excited to share about the experience I have had so far. There are a bunch of great features, but more importantly there is the refresh of Skype Voice in the office environment.

Continue reading “Skype for Business Voice and PSTN Calling”

Be Proactive in 2015: Three Significant Opportunities for Success or Failure

The three biggest IT challenges for 2015 are all things you can start today, so there’s no excuse when you get asked about them a year from now.

We know the pace of change is accelerating, and looking ahead at 2015 there is no reason to expect that to stop. As we start a new year we get an excellent opportunity to leave behind the business practices that have not served us well. It is time to seriously work to cut the boat anchors slowing us down and try to build a fast and capable ship that our customers are proud to be associated with. Sooner or later, organizations whose IT shops look like junkers from the last century will decide to bypass them entirely if they can’t provide useful services or respond to changing business needs. IT will no longer be able to get away with being a boat anchor on the business.

Continue reading “Be Proactive in 2015: Three Significant Opportunities for Success or Failure”

Delivering a Secure, Customized Experience with Microsoft Windows Embedded

Now Micro’s solutions leveraging Microsoft Windows Embedded deliver a customized user experience, ensure a secure device, and decrease costs.

Microsoft Windows Embedded on Now Micro hardware has several key advantages over traditional methods of delivering single-purpose devices, such as kiosks, digital signs, tablets, POS terminals, or customer-facing computing devices.

Continue reading “Delivering a Secure, Customized Experience with Microsoft Windows Embedded”

How to Protect Your Business From the “XPocalypse”

Support and updates for Windows XP will no longer be available. Don’t let your PC go unprotected. Now Micro offers tips for protecting your organization’s security as Windows XP approaches end of life on April 8, 2014.

As Windows XP approaches end of life on April 8, 2014, organizations throughout the world are feeling the effects. Technical assistance will no longer be available, including security updates that protect personal computers.

Continue reading “How to Protect Your Business From the “XPocalypse””