The rise in remote working has steadily increased with new innovations in technology, but has seen a massive increase since the Covid-19 pandemic. Companies the world over have sent their workers home, however, enabling remote workers to securely access company resources within the network perimeter is no simple task.
Microsoft offers two solutions for better remote working: DirectAccess and Windows Always On VPN. We’ll discuss the latter in this article.
What is Always On VPN?
Always On VPN is one of Microsoft’s latest remote access solutions and is built into Windows 10. The other remote access solution is DirectAccess, which has been used for years. Both are fundamentally the same thing as they both provide consistent and seamless remote access, but Always On VPN is meant to be the successor to DirectAccess.
DirectAccess allows client computers to securely connect to organizational resources without the traditional VPN setup. Users don’t need to start and stop connections because the client computers are always connected to the network. DirectAccess was the go-to solution until Microsoft rolled out Always On VPN, which improves upon security, authentication, performance, and management.
What You Need for Always On VPN
Always On VPN only works with Windows 10. In order to deploy it, you’ll need:
- AD-based Public Key Infrastructure (PKI)
- Active Directory Certificate Services (AD CS)
- Certificate Authority (CA) server
- authentication (RADIUS/NPS) server
- Remote Access server
- MDM solution
In order to experience the advanced features of Always On VPN, Windows 10 devices should be joined to Azure AD (Microsoft Entra ID). Always On VPN requires at least two servers: one being the VPN server with Routing and Remote Access role, and the other being the RADIUS server with the NPS role. Most organizations configure Windows Servers, but it’s possible to use third-party servers, like SecureW2’s Private CAs which can be custom-tailored to fit your needs.
How does Always On VPN Work?
Always On VPN works as an automated service that establishes a connection between the client and the VPN with no user interactions whatsoever. It is meant as a replacement for DirectAccess and it’s easier to manage, implement, and is more secure.
Always On VPN Features
The trend of remote working has been rapidly increasing over the years, making the need for VPNs all the more necessary. However, VPNs are also common vectors for cyberattacks, so security needs to be a priority.
With Always On VPN, network administrators can maintain standard configurations their devices and machines have the highest level of security. Traffic filtering allows admins to manage and restrict remote user access. Combining Always On VPN with Azure AD grants admins conditional access, meaning they can create custom parameters, attach them to users, and base user access based on those parameters.
Always On VPN can be integrated with Azure MFA (or any MFA provider) and Windows Hello to further strengthen network security measures.
Always On VPN + AD CS PKI
AD CS can provide the authentication mechanism for Always ON VPN through certificate issuance. With AD CS, admins can issue certificates to users, devices, machines, servers, etc. and act as their identity in the digital space. You no longer need users to enter their own passwords as the certificate is enough identification.
Here’s a brief overview of how to enable Always On VPN, but check out this guide for a more detailed explanation.
- Set up security groups in AD
- Create groups for servers and users and start assigning them to your custom groups.
- Set up PKI solution
- Most organizations use AD CS, but many have had issues installing AD CS because they didn’t properly plan out their PKI implementation. Take some time to determine what you need, what you don’t need. There could be other PKI solutions that work better for you than AD CS.
- Create and publish certificate templates
- You need to create three templates: one for VPN users, one for NPS server, and one for VPN server.
- Use Group Policy to Auto-enroll Certificates
- Admins can use Group Policy to configure certificates with security policies and automatically provision them to devices, computers, workstations, and more.
- Install NPS (RADIUS)
- In order to deploy Always On VPN, you need an authentication server, most Microsoft systems use NPS as a RADIUS server, but you can configure third-party servers, like SecureW2’s Dynamic CloudRADIUS.
- Setup RAS
- RAS and it’s successor, RRAS, allows users to connect to Microsoft networks remotely.
- Configure you Windows 10 Machines.
- Deploy Settings.
You should now be able to connect your Windows 10 machines and devices to Always On VPN.
Always On VPN + SecureW2 PKI and CloudRADIUS
SecureW2’s PKI simplifies certificate issuance and management. Admins can easily search for certificates by username, SAN, operating system, and much more. You can also select individual users and see all their certificates and devices, alongside their certificate enrollment logs, making remote troubleshooting a breeze. It also significantly improves the certificate enrollment process.
Included in our PKI solution is the JoinNow onboarding software that allows BYOD devices of any operating system to easily self-enroll for certificates. Plus our advanced API gateways empower admins to send payloads that allow managed devices to enroll themselves for certificates in ultra-secure fashion.
Along with our PKI and onboarding software, SecureW2 provides CloudRADIUS, a turnkey RADIUS solution that can be implemented into virtually any environment because it works with all major SAML and LDAP Identity Providers like AD or Azure AD. Designed from the ground up for certificate-based EAP-TLS authentication, it eliminates the risk of sending credentials over the internet and eliminates the risk for credential theft.
CloudRADIUS comes with all the benefits of cloud computing, including 24/7 availability and built-in redundancy to easily handle large onboarding events. Along with the benefits of being in the cloud, CloudRADIUS is more scalable than on-prem alternatives, making it easy to expand your network’s capabilities if your business grows. Security and user experience are bolstered by CloudRADIUS because it performs certificate-based EAP-TLS authentication.
