What is Microsoft Always-on-VPN?

Microsoft Always On VPN is a feature in Windows Server and Windows 10 and later that provides a seamless and secure remote access solution for users and devices. It allows users to connect to their corporate network from anywhere, ensuring a persistent and always-on connection. Always On VPN offers several features and functions to enhance security and ease of use. Here’s a detailed description of these features and a step-by-step guide on how to configure Always On VPN:

Features and Functions:

1. Seamless Connectivity:
   • Always On VPN automatically connects users to the corporate network when they have internet access, ensuring a continuous connection.
2. Secure Remote Access:
   • It provides a secure and encrypted connection through protocols like IKEv2 and SSTP, safeguarding data during transit.
3. Single Sign-On (SSO):
   • Users can enjoy a seamless sign-in experience by using their Windows credentials, eliminating the need to repeatedly enter their credentials.
4. Device Tunnel and User Tunnel:
   • Always On VPN supports both device tunnel (computer-based) and user tunnel (user-based) configurations for various use cases.
5. Authentication Methods:
   • It supports various authentication methods, including username and password, smart cards, certificates, and multi-factor authentication (MFA).
6. Connection Profiles:
   • Administrators can configure different connection profiles for specific user groups, allowing granular control over access.
7. Split Tunneling:
   • Administrators can define which traffic should be sent through the VPN tunnel and which can use the local internet connection.
8. Traffic Filters:
   • Traffic filters enable administrators to restrict or allow specific network traffic based on user, device, or application.
9. Health Attestation:
   • Always On VPN can perform health attestation checks, ensuring that devices meet specific security requirements before granting access.
10. Automatic VPN Reconnect:
    • It automatically reconnects to the corporate network after network disruptions or changes in the user’s location.

Step-by-Step Guide to Configure Always On VPN:

Configuring Always On VPN requires a Windows Server and Windows 10 or later clients. Here’s a high-level step-by-step guide:

Server Configuration:

1. Install and Configure a Remote Access Server:
   • On your Windows Server, install the Remote Access role and configure it with the Remote Access Management Console.
2. Set Up Routing and Remote Access:
   • Configure Routing and Remote Access to use VPN, and enable the Always On VPN option.
3. Configure Certificate Services:
   • Set up a certificate authority (CA) and issue computer and user certificates.
4. Create Connection Profiles:
   • Define connection profiles that specify the VPN server address, authentication methods, and other settings.
5. Configure Network Policies:
   • Create network policies that define who can connect to the VPN and the conditions under which they can connect.

Client Configuration:

1. Install Client Certificates:
   • Install user and device certificates on client devices.
2. Configure VPN Connection:
   • On Windows 10 clients, open the Settings app, go to Network & Internet, and set up a VPN connection using the connection profile created on the server.
3. User Configuration:
   • Configure user settings on the client device, such as selecting the VPN connection type (device tunnel or user tunnel) and enabling single sign-on.
4. Connect to VPN:
   • Users can connect to the VPN from the Windows 10 client by clicking on the VPN connection and entering their credentials.

Once configured, the Always On VPN will provide a persistent, secure, and user-friendly remote access solution. Users will be able to connect seamlessly, and administrators can enforce security policies and traffic filtering to protect the corporate network.