What is Microsoft Always On VPN?

Microsoft Always On VPN is a feature in Windows Server and Windows 10 and later that provides a seamless and secure remote access solution for users and devices. It allows users to connect to their corporate network from anywhere, ensuring a persistent and always-on connection. Always On VPN offers several features and functions to enhance security and ease of use. Here’s a detailed description of these features and a step-by-step guide on how to configure Always On VPN:

Features and Functions:

  1. Seamless Connectivity:
    • Always On VPN automatically connects users to the corporate network when they have internet access, ensuring a continuous connection.
  2. Secure Remote Access:
    • It provides a secure and encrypted connection through protocols like IKEv2 and SSTP, safeguarding data during transit.
  3. Single Sign-On (SSO):
    • Users sign in with their existing Windows credentials and are not prompted again for the VPN, giving a seamless sign-in experience.
  4. Device Tunnel and User Tunnel:
    • Always On VPN supports both device tunnel (computer-based) and user tunnel (user-based) configurations for various use cases.
  5. Authentication Methods:
    • It supports various authentication methods, including username and password, smart cards, certificates, and multi-factor authentication (MFA).
  6. Connection Profiles:
    • Administrators can configure different connection profiles for specific user groups, allowing granular control over access.
  7. Split Tunneling:
    • Administrators can define which traffic should be sent through the VPN tunnel and which can use the local internet connection.
  8. Traffic Filters:
    • Traffic filters enable administrators to restrict or allow specific network traffic based on user, device, or application.
  9. Health Attestation:
    • Always On VPN can perform health attestation checks, ensuring that devices meet specific security requirements before granting access.
  10. Automatic VPN Reconnect:
    • It automatically reconnects to the corporate network after network disruptions or changes in the user’s location.

Step-by-Step Guide to Configure Always On VPN:

Configuring Always On VPN requires a Windows Server and Windows 10 or later clients. Here’s a high-level step-by-step guide:

Server Configuration:

  1. Install and Configure a Remote Access Server:
    • On your Windows Server, install the Remote Access role and configure it with the Remote Access Management Console.
  2. Set Up Routing and Remote Access:
    • Configure Routing and Remote Access to use VPN, and enable the Always On VPN option.
  3. Configure Certificate Services:
    • Set up a certificate authority (CA) and issue computer and user certificates.
  4. Create Connection Profiles:
    • Define connection profiles that specify the VPN server address, authentication methods, and other settings.
  5. Configure Network Policies:
    • Create network policies that define who can connect to the VPN and the conditions under which they can connect.

Client Configuration:

  1. Install Client Certificates:
    • Install user and device certificates on client devices.
  2. Configure VPN Connection:
    • On Windows 10 clients, open the Settings app, go to Network & Internet, and set up a VPN connection using the connection profile created on the server.
  3. User Configuration:
    • Configure user settings on the client device, such as selecting the VPN connection type (device tunnel or user tunnel) and enabling single sign-on.
  4. Connect to VPN:
    • Users can connect to the VPN from the Windows 10 client by clicking on the VPN connection and entering their credentials.
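The client steps above describe setting up the connection in the Settings app; the Always On-specific settings (AlwaysOn, DeviceTunnel, traffic filters) are carried in a ProfileXML delivered through the VPNv2 CSP, by Intune, Configuration Manager or, as here, the local WMI bridge. The following is an added example, not code from the original post: it builds a device-tunnel ProfileXML with IKEv2, machine-certificate authentication, split tunneling, a hardened IPsec suite and a traffic filter, then installs it. The server name vpn.example.com, the DNS suffix corp.example.com, the 10.0.0.0/8 route and the 10.10.0.5 filter target are placeholder values.

```powershell
# Added example, not from the original post: builds a ProfileXML for an Always On VPN
# device tunnel (IKEv2, machine certificate, split tunnel, traffic filter) and installs
# it through the VPNv2 CSP WMI bridge. Hypothetical values: vpn.example.com,
# corp.example.com, the 10.0.0.0/8 route and the 10.10.0.5 filter target.
# Device tunnels belong to the machine, so run this in the SYSTEM context.
$ProfileName = 'Corp Device Tunnel'
$ProfileXML = @"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <TrustedNetworkDetection>corp.example.com</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <Authentication><MachineMethod>Certificate</MachineMethod></Authentication>
    <CryptographySuite>
      <AuthenticationTransformConstants>GCMAES256</AuthenticationTransformConstants>
      <CipherTransformConstants>GCMAES256</CipherTransformConstants>
      <EncryptionMethod>AES256</EncryptionMethod>
      <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
      <DHGroup>Group14</DHGroup>
      <PfsGroup>PFS2048</PfsGroup>
    </CryptographySuite>
  </NativeProfile>
  <!-- Split tunnel: only the corporate prefix is routed over the VPN -->
  <Route><Address>10.0.0.0</Address><PrefixSize>8</PrefixSize></Route>
  <!-- Traffic filter: the device tunnel may only reach the DC on TCP 88/389/443 -->
  <TrafficFilter>
    <Protocol>6</Protocol>
    <RemoteAddressRanges>10.10.0.5</RemoteAddressRanges>
    <RemotePortRanges>88,389,443</RemotePortRanges>
  </TrafficFilter>
</VPNProfile>
"@
# The CSP carries ProfileXML as a string value, so the XML must be entity-escaped.
$EscapedXml = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
$Namespace = 'root\cimv2\mdm\dmmap'
$Instance  = New-Object Microsoft.Management.Infrastructure.CimInstance 'MDM_VPNv2_01', $Namespace
foreach ($p in @(
        @{ Name = 'ParentID';   Value = './Vendor/MSFT/VPNv2';              Flags = 'Key' },
        @{ Name = 'InstanceID'; Value = ($ProfileName -replace ' ', '%20'); Flags = 'Key' },
        @{ Name = 'ProfileXML'; Value = $EscapedXml;                        Flags = 'Property' })) {
    $Instance.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Flags))
}
(New-CimSession).CreateInstance($Namespace, $Instance) | Out-Null
# Verify the profile landed as a machine-wide connection with the expected settings.
Get-VpnConnection -AllUserConnection -Name $ProfileName | Format-List Name, TunnelType, SplitTunneling
```

The traffic filter is the part worth reviewing on every deployment: a device tunnel without one gives any machine holding a valid computer certificate reachability to the whole routed prefix before any user has signed in.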

Once configured, Always On VPN provides a persistent, secure, and user-friendly remote access solution: users connect seamlessly, and administrators can enforce security policies and traffic filtering to protect the corporate network.

Author: tonyhughes