19 September 2019

One of the features of Windows 10 is the Always On VPN.

What is it, how do you use it and what about DirectAccess?

When Windows Server 2016 and Windows 10 were introduced, Microsoft also introduced a new approach to allow Windows users to connect remotely; Always On VPN (Virtual Private Network).

When using it, a VPN connection is automatically established whenever an authorised client has an active internet connection. No input is necessary from the user – unless multifactor authentication is enabled, see below. Remote users get access to on-premise data and applications, just as if they were in the office at their workplace.

Replacement of DirectAccess

Since the launch of Windows Server 2012 and Windows 8.1, the preferred way to gain remote access has been by using DirectAccess. DirectAccess is, however, a bit difficult to implement and manage for some organisations who instead chose to use third-party solutions such as Cisco AnyConnect or maybe even LogMeIn.

“…one of the great things about Always On VPN is the built-in support for both IPv4 and IPv6.”

Always On VPN is supposed to make the remote access easier for Windows users with Microsoft’s own solution – and Microsoft is actively encouraging organisations to use the Always On VPN instead of DirectAccess. As Microsoft writes in this comparison between the two: “Always On VPN is the DirectAccess replacement solution”.

Support for Ipv4 and IPv6

As you can see in the comparison, one of the great things about Always On VPN is the built-in support for both IPv4 and IPv6. As Always On VPN natively supports Extensible Authentication Protocol (EAP), it also allows the use of diverse Microsoft and third-party EAP types as part of the authentication. This includes support for physical and virtual smart cards and Windows Hello for Business certificates to satisfy two-factor authentication requirements. See the Advanced Options for more information.

How to deploy in your organisation

Even though Always On VPN is supposed to be easier to manage than DirectAccess and is presented as a user-friendly VPN, it does require some configuration, setup and network knowledge to implement in an organisation. Microsoft has written a deployment guide that can lead you some of the way or you are welcome to contact Curo Services (see below) if the configuration of VPN server infrastructure, Remote Access Server, Network Policy Server and DNS settings sounds a bit too daunting.

Windows 10, server agnosticism and Azure integration

It is important to remember that Always On VPN is a Windows 10-only solution on the client-side. However, unlike DirectAccess, client devices do not have to run the Enterprise edition to take advantage of it. Windows 10 Professional and Windows 10 Home are also supported clients.

Whereas DirectAccess required Windows servers before you could implement it in your organisation, Always On VPN can be used together with any third-party VPN device.

Another interesting feature of Always On VPN is the cloud integration with Azure Active Directory where you can take advantage of Microsoft Azure Conditional Access.

You can read more about the Always On VPN technology at this Microsoft site.

John Davies; Always On VPN expert

Curo Services is working in partnership with the leading subject matter expert on Always On VPN, John Davies. John has amassed a wealth of knowledge and experience with Always On VPN, which is not always easy to install, configure, or troubleshoot. John also has expert knowledge of Active Directory and PKI technologies, both on-premise and in the cloud. Email hello@curoservices.com with your contact details if you would like to discuss a solution.

Back to Curo News