Always On VPN

Always On VPN allows users to stay connected to their company's internal network automatically even when outside the office. It uses VPN protocols to connect without requiring users to manually initiate the connection. Administrators can deploy Always On VPN through Windows Server, NPS, CA, and Remote Access servers to provide seamless internal resource access on or off the company network.

Uploaded by David Sofita

Always On VPN

Always On VPN is a technology in Windows 10 that allows users to stay connected to their internal network even when they are outside company premises or, more generally, whenever they are connected to the internet. Unlike a traditional VPN connection, which a user must initiate manually whenever he or she wants to connect to the company network, Always On VPN connects automatically, even before the user signs in if it is configured that way. Also, when an internet link fails, it reconnects automatically once the internet connection is restored, without user action. With this technology, users do not need to concern themselves with whether they must initiate a VPN connection to access a resource. When the Always On VPN infrastructure is set up, users have seamless access to both external and internal resources regardless of their physical location.

Always On VPN is the direct successor of DirectAccess technology, introduced in an earlier Windows Server version. While it provides almost the same user experience as DirectAccess, it also brings simpler deployment and more flexibility for clients. You can initiate an Always On VPN connection even from devices running Windows 10 Home edition. Always On VPN has mitigated most of the limitations of earlier VPN solutions and expanded the VPN functionality beyond the capabilities of DirectAccess or traditional VPN.
Always On VPN works on both domain-joined and non-domain-joined devices. It supports both user and device authentication, and it uses traditional remote access VPN protocols such as IKEv2, SSTP, and L2TP/IPsec, over both IPv4 and IPv6.

Because both managed and unmanaged devices can initiate Always On VPN connections, you can use conditional access and device compliance policies with Always On VPN to maintain an acceptable level of security. You can also use newer authentication methods such as Windows Hello for Business and multi-factor authentication. If you do not want to expose the entire internal network, you can implement traffic filters and allow external access only to selected resources in the internal network.

Always On VPN is exclusively a Windows 10 feature – devices on other platforms need to use traditional client VPN solutions. Also, you cannot use AD DS or Group Policy to deploy and manage this feature; you need to use SCCM, Microsoft Intune, or PowerShell.

Windows Server 2016 and later, with the Routing and Remote Access role installed, supports Always On VPN. Other network devices that can terminate VPN connections (from vendors such as Cisco, Juniper, Palo Alto, and others) are also supported.

Enabling clients for Always On VPN connections requires deploying an XML VPN profile. The profile can be created manually, or a manually configured client connection can be used to generate a template. The XML file is then deployed to clients using Intune, SCCM, or PowerShell.

The process for creating VPN profiles is beyond the scope of this course, and typically the MDA will work with the network manager when configuring Always On VPN. For more information, refer to Step 6: Configure Windows 10 client Always On VPN connections.
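As an added example (not part of the course text and not one of Microsoft's own deployment scripts), the following PowerShell walks the deployment path just described: it reads the EAP settings from a connection that was configured by hand on the client, builds the ProfileXML for an IKEv2 user tunnel with Always On, trusted network detection, a split-tunnel route and traffic filters, and installs it through the MDM WMI bridge (the MDM_VPNv2_01 class), which is the same VPNv2 CSP that Intune and SCCM drive. The profile name, the template connection name, the server name vpn.contoso.com, the DNS server address and the subnets are assumptions; corp.contoso.com is the course's example internal zone.

```powershell
# Added example, not from the course text. Run from an elevated PowerShell
# session on the Windows 10 client that holds the template connection.

$ProfileName  = 'Contoso AlwaysOn VPN'   # hypothetical profile name
$TemplateName = 'AOVPN Template'         # hypothetical hand-built connection
$Servers      = 'vpn.contoso.com'        # hypothetical public VPN endpoint
$DnsSuffix    = 'corp.contoso.com'       # internal zone from the course text
$DnsServers   = '10.0.0.10'              # constructed internal DNS address

# Reuse the EAP configuration of the template connection so the certificate /
# PEAP settings are not hand-typed (this is the "use a configured client to
# generate a template" step).
$Connection = Get-VpnConnection -Name $TemplateName -ErrorAction SilentlyContinue
if (-not $Connection) { throw "Template connection '$TemplateName' not found" }
$EapSettings = $Connection.EapConfigXmlStream.InnerXml

# Traffic filters are allow-lists: once any filter exists, everything else over
# the tunnel is dropped. The first filter therefore admits DNS to the internal
# resolver; the second limits application access to TCP 443 on one constructed
# subnet instead of exposing the whole 10.0.0.0/8 route.
$ProfileXML = @"
<VPNProfile>
  <RememberCredentials>true</RememberCredentials>
  <AlwaysOn>true</AlwaysOn>
  <DnsSuffix>$DnsSuffix</DnsSuffix>
  <TrustedNetworkDetection>$DnsSuffix</TrustedNetworkDetection>
  <DomainNameInformation>
    <DomainName>.$DnsSuffix</DomainName>
    <DnsServers>$DnsServers</DnsServers>
  </DomainNameInformation>
  <NativeProfile>
    <Servers>$Servers</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>$EapSettings</Configuration>
      </Eap>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
  <TrafficFilter>
    <Protocol>17</Protocol>
    <RemotePortRanges>53</RemotePortRanges>
    <RemoteAddressRanges>$DnsServers</RemoteAddressRanges>
  </TrafficFilter>
  <TrafficFilter>
    <Protocol>6</Protocol>
    <RemotePortRanges>443</RemotePortRanges>
    <RemoteAddressRanges>10.10.20.0/24</RemoteAddressRanges>
  </TrafficFilter>
</VPNProfile>
"@

# The bridge expects the instance id URL-encoded and the XML entity-escaped,
# exactly as a CSP payload would carry it.
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'
$ProfileXMLEscaped  = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$Namespace = 'root\cimv2\mdm\dmmap'
$ClassName = 'MDM_VPNv2_01'
$Session   = New-CimSession

# Replace a stale copy of the same profile instead of failing on a duplicate.
$Existing = Get-CimInstance -CimSession $Session -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue |
            Where-Object { $_.InstanceID -eq $ProfileNameEscaped }
if ($Existing) { Remove-CimInstance -CimSession $Session -InputObject $Existing }

New-CimInstance -CimSession $Session -Namespace $Namespace -ClassName $ClassName -Property @{
    ParentID   = './Vendor/MSFT/VPNv2'
    InstanceID = $ProfileNameEscaped
    ProfileXML = $ProfileXMLEscaped
} | Out-Null

# Confirm the profile landed as a VPN connection on the device.
Get-VpnConnection -Name $ProfileName | Select-Object Name, ServerAddress, TunnelType, ConnectionStatus
```

The user tunnel above can be installed from an elevated session; a device tunnel uses the same CSP but authenticates with a machine certificate and has to be written in the SYSTEM context. The two traffic filters are the point of the example: without the DNS filter, adding the TCP 443 filter silently breaks name resolution over the tunnel, which is the usual first symptom when a least-privilege filter set is introduced.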
Deploying Always On VPN
You most likely already have the technologies deployed that you can use to deploy Always On VPN. Other than your DC/DNS servers, the Always On VPN deployment requires an NPS (RADIUS) server, a Certification Authority (CA) server, and a Remote Access (Routing/VPN) server. Once the infrastructure is set up, you must enroll clients and then connect the clients securely to your on-premises network through several network changes.

When preparing for an Always On VPN deployment, you should ensure that you have the following components in place:

● Active Directory domain infrastructure, including one or more Domain Name System (DNS) servers. Both internal and external DNS zones are required, which assumes that the internal zone is a delegated subdomain of the external zone (for example, corp.contoso.com and contoso.com).
● Active Directory-based public key infrastructure (PKI) and Active Directory Certificate Services (AD CS).
● A physical server, either existing or new, on which to install Network Policy Server (NPS). If you already have NPS servers on your network, you can modify an existing NPS server configuration rather than add a new server.
● Remote Access as a RAS Gateway VPN server with a small subset of features supporting IKEv2 VPN connections and LAN routing.
● A perimeter network that includes two firewalls. Ensure that your firewalls allow the traffic that is necessary for both VPN and RADIUS communications to function properly.
● A physical server or VM on your perimeter network with two physical Ethernet network adapters on which to install Remote Access as a RAS Gateway VPN server. VMs require a virtual LAN (VLAN) for the host.
● Membership in Administrators, or equivalent, is the minimum required.
● A management platform of your choice for deploying the Always On VPN configuration, because the CSP is not vendor-specific.
The following illustration shows the infrastructure that is
required to deploy Always On VPN.
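The component list says the firewalls must allow "the traffic that is necessary for both VPN and RADIUS" without naming it. As an added example (not from the course text), the following PowerShell defines functions that apply the matching least-privilege rules in Windows Defender Firewall on the two servers: IKEv2 (UDP 500, UDP 4500 and ESP) inbound on the RAS Gateway's internet-facing adapter only, and RADIUS (UDP 1812/1813) only between the VPN server and the NPS server. The adapter alias "External", the addresses 10.0.1.5 and 10.0.0.20 and the rule names are constructed assumptions.

```powershell
# Added example, not from the course text. Constructed values: the RAS Gateway's
# internet-facing adapter is aliased "External", its internal address is
# 10.0.1.5, and the NPS server is 10.0.0.20. Run elevated on each server.

function Set-AovpnGatewayFirewall {
    param(
        [string]$ExternalAdapter = 'External',   # assumed adapter alias
        [string]$NpsServer       = '10.0.0.20'   # constructed NPS address
    )
    # IKEv2 needs IKE on UDP 500, NAT traversal on UDP 4500 and ESP (IP protocol
    # 50). Binding the rules to the external adapter keeps the internal adapter
    # from ever accepting VPN negotiations.
    New-NetFirewallRule -DisplayName 'AOVPN IKEv2 UDP 500/4500' -Direction Inbound `
        -Protocol UDP -LocalPort 500,4500 -InterfaceAlias $ExternalAdapter -Action Allow
    New-NetFirewallRule -DisplayName 'AOVPN IKEv2 ESP' -Direction Inbound `
        -Protocol 50 -InterfaceAlias $ExternalAdapter -Action Allow
    # The VPN server initiates RADIUS towards NPS (authentication 1812,
    # accounting 1813), so an outbound rule to that one host is sufficient;
    # it matters when the profile's outbound default has been set to Block.
    New-NetFirewallRule -DisplayName 'AOVPN RADIUS to NPS' -Direction Outbound `
        -Protocol UDP -RemotePort 1812,1813 -RemoteAddress $NpsServer -Action Allow
}

function Set-NpsFirewall {
    param(
        [string]$VpnServerInternal = '10.0.1.5'   # constructed VPN server address
    )
    # Accept RADIUS only from the VPN server's internal address rather than
    # from the whole perimeter network.
    New-NetFirewallRule -DisplayName 'AOVPN RADIUS from VPN server' -Direction Inbound `
        -Protocol UDP -LocalPort 1812,1813 -RemoteAddress $VpnServerInternal -Action Allow
}

function Get-AovpnFirewallSummary {
    # List the rules created above with their port and address scoping so the
    # result can be reviewed against the design before the servers go live.
    Get-NetFirewallRule -DisplayName 'AOVPN*' | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Direction  = $_.Direction
            Protocol   = $port.Protocol
            LocalPort  = ($port.LocalPort  -join ',')
            RemotePort = ($port.RemotePort -join ',')
            Remote     = ($addr.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
}

# Usage: run Set-AovpnGatewayFirewall on the RAS Gateway, Set-NpsFirewall on the
# NPS server, then Get-AovpnFirewallSummary on either to review the result.
```

The same port set is what the two perimeter firewalls in the list need to pass: only UDP 500/4500 and ESP from the internet to the RAS Gateway's external address, and only UDP 1812/1813 from the RAS Gateway's internal address to NPS across the inner firewall.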
