Brief difference between Windows 10 Always On VPN and DirectAccess.
These two technologies provide seamless, transparent, always-on remote network access for Windows clients.
- Always On VPN is provisioned to the user.
- DirectAccess is provisioned to the device.
This presents a challenge for deployment scenarios that require the VPN connection to be established before the user logs on.
Windows 10 Always On VPN is a common way of allowing remote users to securely access resources behind a perimeter network. As more employees are asked to work from home, organizations need to provide effective but secure remote access.
Remote access is one of the components of empowering remote workers to be productive. Always On VPN is easy to use and easy to implement, providing a seamless and persistent connection for your Windows 10 mobile devices. Remote access has traditionally been implemented with a Virtual Private Network (VPN), and that setup can be extremely difficult when you are inexperienced.
Microsoft Always On VPN can be deployed in the following ways:
– Always On VPN only, and
– Always On VPN with VPN connectivity using Azure Active Directory conditional access.
DirectAccess was developed in Windows Server 2008 R2, providing this service to Windows 7 and Windows 8 “Enterprise” edition clients. This technology has had some drawbacks and difficulties in its implementation. Therefore, from Windows 10 and Windows Server 2016 onwards, “Always On VPN” technology was introduced.
Always On VPN is the successor to DirectAccess and was designed to overcome its impediments. With Always On VPN technology, Microsoft is looking to achieve a single remote access solution that supports a wide array of clients. Like DirectAccess, the VPN connection is “Always On”, meaning no user input is required unless multi-factor authentication is enabled. As soon as a client is connected to the Internet, the VPN connection is established.
Below are some of the clients “Always On VPN” supports:
– Domain and non-domain joined devices
– Azure AD joined devices, and
– BYOD devices
Steps for implementing an Always On VPN connection. The following describes the infrastructure that is required to deploy Always On VPN and how a connection request flows through it:
- DNS name resolution: Needed by the Windows 10 client to resolve the IP address of the VPN gateway.
- When the name is resolved against the public IP address of the VPN gateway, a connection request is sent to the Always On VPN gateway.
- The VPN gateway also serves as a RADIUS client and forwards the connection request to the corporate NPS server to process the authentication request.
- The NPS server processes the authentication and authorization request and returns a decision.
- That decision determines whether the connection is permitted or denied.
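The last two steps above leave a record on the NPS server: access-granted and access-denied decisions are written to the Security log as events 6272 and 6273. The following PowerShell script is an added example (not from the original post) that summarises those decisions for the VPN gateway's RADIUS client so that a failing link in the chain (certificate trust, policy mismatch, repeated bad credentials) stands out. It assumes NPS audit logging is enabled, and the RADIUS client friendly name `AOVPN-Gateway` and the denial threshold of 5 are placeholders.

```powershell
# Added example: summarise NPS access decisions for Always On VPN attempts.
# Run on the NPS server in an elevated shell. Assumes audit policy
# "Network Policy Server" (Logon/Logoff) is enabled so 6272/6273 are logged.
param(
    [string]$VpnRadiusClient = 'AOVPN-Gateway',  # placeholder friendly name of the VPN gateway
    [int]$Hours = 24,                            # look-back window
    [int]$DenialThreshold = 5                    # assumed threshold for repeated denials
)

# 6272 = NPS granted access, 6273 = NPS denied access (Microsoft-Windows-Security-Auditing)
$filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddHours(-$Hours) }

# Pull a "Label:<tab>value" field out of the event message text. The first
# "Account Name:" in the message belongs to the User section, which is what we want.
function Get-Field([string]$Message, [string]$Label) {
    $m = [regex]::Match($Message, "$Label\s*:\s*(.+)")
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { $null }
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $msg = $_.Message
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Decision   = if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' }
            User       = Get-Field $msg 'Account Name'
            Client     = Get-Field $msg 'Client Friendly Name'   # RADIUS client = VPN gateway
            Policy     = Get-Field $msg 'Network Policy Name'
            EapType    = Get-Field $msg 'EAP Type'
            ReasonCode = Get-Field $msg 'Reason Code'
            Reason     = Get-Field $msg 'Reason'
        }
    } | Where-Object { $_.Client -eq $VpnRadiusClient }

"Decisions for RADIUS client '$VpnRadiusClient' in the last $Hours hour(s):"
$events | Group-Object Decision | Select-Object Name, Count | Format-Table -AutoSize

# Denials grouped by reason: one dominant reason usually points at a single
# broken component (CA trust, NPS policy, DNS pointing at the wrong gateway).
"Denial reasons:"
$events | Where-Object Decision -eq 'Denied' |
    Group-Object ReasonCode, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Accounts with repeated denials in the window: review for lockout or credential abuse.
"Accounts with $DenialThreshold or more denials:"
$events | Where-Object Decision -eq 'Denied' | Group-Object User |
    Where-Object Count -ge $DenialThreshold | Select-Object Name, Count
```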
Here are the requirements for Always On VPN.
The following components are needed to implement Always On VPN.
- Domain Controller (AD DS): Serves as your Domain controller (DC). AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A server that is running AD DS is called a domain controller.
AD DS contains the user accounts, computer accounts, and account properties that are required by Protected Extensible Authentication Protocol (PEAP) to authenticate user credentials and to evaluate authorization for VPN connection requests.
- A DNS Server: An external and internal DNS structure is configured for each zone.
- Network Policy Server: Ensure the NPS is configured to support AOVPN, as this allows Windows 10 Pro and higher clients to benefit from the technology.
- Certificate Authority Server (CA): Active Directory Certificate Services (AD CS) is needed to deploy certificates to remote devices through your Public Key Infrastructure (PKI), which is required for a seamless connection.
- Routing and Remote Access: Remote Access VPN should be enabled to support IKEv2 connections and LAN routing.
Below are some features of Always On VPN:
- High Availability (HA): Ensures HA by load-balancing multiple NPS servers.
- Advanced Authentication: AOVPN supports Windows Hello for Business. For more information, see https://techdirectarchive.com/2020/01/19/preparing-guild-to-deploying-windows-hello-for-business/
- Advanced Traffic Features: Traffic filtering, app-triggered VPN, and VPN conditional access can all be used with Microsoft AOVPN to further filter and secure traffic.
- Additional Security Protection: AOVPN is compatible with Trusted Platform Module (TPM) Key Attestation to provide higher security assurance for access.
I will be implementing this technology from next month in my laboratory environment. Stay tuned! For more detailed information, see the article.