Always On VPN on Windows 10 Pro

DirectAccess was introduced with Windows 7 and Windows Server 2008 R2 as a feature that lets Windows clients connect to the corporate network remotely. Since the release of Windows 10, however, deployments of that infrastructure have declined, and Microsoft actively encourages organizations that are considering DirectAccess to deploy the Windows 10 client VPN instead. This Always On VPN connection provides a DirectAccess-like experience using traditional remote access VPN protocols such as IKEv2, SSTP and L2TP/IPsec, and it has some additional advantages.

The Windows 10 Anniversary Update (version 1607) introduced a feature that lets IT administrators configure VPN connection profiles that connect automatically. As mentioned above, Always On VPN has some important advantages over DirectAccess; for example, it can run over both IPv4 and IPv6. So if you have concerns about the long-term viability of DirectAccess, and you meet all the requirements for Always On VPN with Windows 10, switching may be the right choice.

Contents

  1. Always On VPN for Windows 10 client computers
  2. NPS server
  3. AD DS server

Always On VPN for Windows 10 client computers

This guide covers the steps to deploy Remote Access Always On VPN connections for remote client computers running Windows 10.

Before you continue, make sure you have the following:

  • An Active Directory domain infrastructure, including one or more Domain Name System (DNS) servers.
  • A public key infrastructure (PKI) and Active Directory Certificate Services (AD CS).

To begin the Remote Access Always On VPN deployment, install a new Remote Access server running Windows Server 2016.

Then complete the following on the VPN server:

  1. Install two Ethernet network adapters in the physical server. If you are installing the VPN server on a VM, create two external virtual switches, one for each physical network adapter, and then create two virtual network adapters for the VM, each connected to one virtual switch.
  2. Place the server in your perimeter network between your edge and internal firewalls, with one network adapter connected to the external perimeter network and one connected to the internal perimeter network.

After completing the procedure above, install and configure Remote Access as a single-tenant RAS Gateway VPN server for point-to-site VPN connections from remote computers. Configure Remote Access as a RADIUS client so that it forwards connection requests to the organization's NPS server for processing.

Enroll and validate the VPN server certificate from your certification authority (CA).

NPS server

This server sits in your organization's corporate network. It must be configured as a RADIUS server so that it can receive connection requests from the VPN server. When the NPS server receives a request, it performs the authentication and authorization steps and then sends an Access-Accept or Access-Reject message back to the VPN server.

AD DS server

This server is the on-premises Active Directory domain controller that hosts the local user accounts. Configure the following on the domain controller:

  1. Enable automatic certificate enrollment in Group Policy for computers and users
  2. Create a VPN Users group
  3. Create a VPN Servers group
  4. Create an NPS Servers group

CA server

The certification authority (CA) server is a CA running Active Directory Certificate Services. The CA enrolls the certificates used for PEAP client-server authentication and issues them from certificate templates, so the first step is to create the certificate templates on the CA. Remote users who are allowed to connect to the organization's network must have an account in AD DS.

Also make sure that your firewalls allow the traffic required for the VPN and RADIUS communication to work: IKEv2 from the Internet to the VPN server's external interface, and RADIUS from the VPN server's internal interface to the NPS server.
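The VPN server and NPS steps above, as an added PowerShell example that is not code from the original page (it uses the RemoteAccess and NPS modules that ship with the roles). The NPS hostname, the gateway's internal address, the client address pool and the RADIUS client name are assumptions; the network policy itself (VPN Users group, EAP type) is still created in the NPS console.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original page: the VPN server and NPS steps above
# as PowerShell (RemoteAccess and NPS modules). Hostnames, addresses and the client
# address pool are assumptions; substitute your own.

# ---- Part 1: run on the Remote Access (RRAS) server in the perimeter network ----
function Initialize-AovpnGateway {
    param(
        [Parameter(Mandatory)] [string]   $NpsServer,     # assumed: nps1.corp.example.com
        [Parameter(Mandatory)] [string]   $SharedSecret,  # same value registered on NPS
        [Parameter(Mandatory)] [string[]] $ClientPool     # assumed: first and last address
    )
    Install-WindowsFeature RemoteAccess, DirectAccess-VPN -IncludeManagementTools | Out-Null
    # VPN only, no DirectAccess: the single-tenant RAS Gateway described above.
    Install-RemoteAccess -VpnType Vpn

    # Authentication is delegated to NPS; the gateway holds no user credentials.
    # Message-Authenticator makes each RADIUS packet tamper-evident.
    Add-RemoteAccessRadius -Purpose Authentication -ServerName $NpsServer `
        -SharedSecret $SharedSecret -Port 1812 -Timeout 5 -Score 30 -MsgAuthenticator Enabled
    Set-VpnAuthType -Type ExternalRadius

    # A static pool lets the internal firewall scope rules to VPN clients.
    Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool -IPAddressRange $ClientPool

    # Replace the weak IKEv2 defaults (3DES, SHA-1, DH group 2) with an AEAD suite.
    # The client ProfileXML <CryptographySuite> must offer the same values.
    Set-VpnServerConfiguration -TunnelType Ikev2 -CustomPolicy `
        -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 `
        -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -DhGroup Group14 -PfsGroup PFS2048 `
        -SALifeTimeSeconds 28800 -SADataSizeForRenegotiationKilobytes 102400
    # Only IKEv2 is wanted: remove the PPTP (GRE), L2TP and SSTP listeners.
    Set-VpnServerConfiguration -Ikev2Ports 128 -GrePorts 0 -L2tpPorts 0 -SstpPorts 0
    Restart-Service RemoteAccess

    # Host firewall on the external NIC: IKE, NAT-T, and ESP for paths without NAT.
    New-NetFirewallRule -DisplayName 'AOVPN IKEv2 (UDP 500/4500)' -Direction Inbound `
        -Protocol UDP -LocalPort 500, 4500 -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName 'AOVPN ESP' -Direction Inbound -Protocol 50 -Action Allow | Out-Null

    Get-VpnServerConfiguration |
        Select-Object EncryptionMethod, IntegrityCheckMethod, DhGroup, PfsGroup, Ikev2Ports, SstpPorts
}

# ---- Part 2: run on the NPS server in the corporate network ---------------------
function New-RadiusSharedSecret {
    # 32 CSPRNG bytes: the shared secret is all that authenticates the gateway to NPS,
    # so it must not be a short dictionary word that could be brute-forced offline.
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

function Register-AovpnRadiusClient {
    param(
        [Parameter(Mandatory)] [string] $Name,            # assumed: VPN1
        [Parameter(Mandatory)] [string] $GatewayAddress,  # internal NIC of the RRAS server
        [Parameter(Mandatory)] [string] $SharedSecret
    )
    Install-WindowsFeature NPAS -IncludeManagementTools | Out-Null
    Import-Module NPS
    New-NpsRadiusClient -Name $Name -Address $GatewayAddress -SharedSecret $SharedSecret | Out-Null
    # Accept RADIUS only from the gateway's internal interface, not from the whole LAN.
    New-NetFirewallRule -DisplayName "RADIUS from $Name" -Direction Inbound -Protocol UDP `
        -LocalPort 1812, 1813 -RemoteAddress $GatewayAddress -Action Allow | Out-Null
    Get-NpsRadiusClient | Where-Object Name -eq $Name
}

# Usage (all values are assumptions):
#   $secret = New-RadiusSharedSecret
#   NPS:  Register-AovpnRadiusClient -Name VPN1 -GatewayAddress 10.0.1.5 -SharedSecret $secret
#   RRAS: Initialize-AovpnGateway -NpsServer nps1.corp.example.com -SharedSecret $secret `
#             -ClientPool '10.0.100.1', '10.0.100.254'
```

Generate the shared secret once, carry it to the second host out of band, and do not leave it in a shell history or transcript. The edge firewall needs the same IKEv2 ports (UDP 500 and 4500, plus ESP) forwarded to the gateway's external address; the internal firewall only needs UDP 1812/1813 from the gateway's internal address to NPS.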

In addition to these server components, make sure that the client computers configured to use the VPN are running Windows 10 version 1607 or later. The Windows 10 VPN client is highly configurable and offers many options.

This guide covers deploying Always On VPN with the Remote Access server role on the organization's on-premises network. Do not attempt to deploy Remote Access on a virtual machine (VM) in Microsoft Azure.

For complete details and configuration steps, refer to the Microsoft documentation.


Always On VPN Windows 10 Device Tunnel Step-by-Step Configuration using PowerShell

Windows 10 Always On VPN and DirectAccess both provide seamless, transparent, always-on remote network access for Windows clients. However, Always On VPN is provisioned to the user, not to the machine as it is with DirectAccess. This presents a challenge for deployment scenarios that require the VPN connection to be established before the user logs on. For example, pre-logon connectivity is required to support remote logon without cached credentials. To address this issue and to provide feature parity with DirectAccess, Microsoft introduced support for a device tunnel configuration option beginning with Windows 10 version 1709 (Fall Creators Update).


Prerequisites

To support an Always On VPN device tunnel, the client computer must be running Windows 10 Enterprise or Education version 1709 (Fall Creators Update) or later. It must also be domain-joined and have a computer certificate with the Client Authentication Enhanced Key Usage (EKU) issued by the organization's Public Key Infrastructure (PKI).

In addition, only the built-in Windows VPN client is supported for Always On VPN device tunnel. Although Windows 10 Always On VPN user connections can be configured using various third-party VPN clients, they are not supported for use with the device tunnel.
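A pre-flight check for the prerequisites listed above, as an added example that is not from the original post. It runs in an elevated PowerShell window on the client before the tunnel is provisioned; the only assumption is that the machine certificate from your PKI has been enrolled into the LocalMachine\My store.

```powershell
# Added example, not from the original post: verifies the device tunnel prerequisites
# above (OS build, edition, domain join, machine certificate with the Client
# Authentication EKU). Assumes the PKI-issued certificate is in Cert:\LocalMachine\My.
function Test-DeviceTunnelPrerequisites {
    $os  = Get-CimInstance Win32_OperatingSystem
    $cs  = Get-CimInstance Win32_ComputerSystem
    $now = Get-Date

    # OID 1.3.6.1.5.5.7.3.2 is the Client Authentication EKU. The certificate has to be
    # a *machine* certificate with a usable private key that is valid right now; a user
    # certificate in Cert:\CurrentUser does not satisfy the device tunnel.
    $machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.7.3.2')
    }

    $checks = [ordered]@{
        'Windows 10 1709 (build 16299) or later'     = [int]$os.BuildNumber -ge 16299
        'Enterprise or Education edition'             = $os.Caption -match 'Enterprise|Education'
        'Domain joined'                               = [bool]$cs.PartOfDomain
        'Machine cert with Client Authentication EKU' = [bool]$machineCerts
    }

    foreach ($c in $checks.GetEnumerator()) {
        '{0,-45} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
    }
    if ($machineCerts) {
        # Show what the client will present; the issuer must chain to the root CA the
        # VPN server accepts (see Set-VpnAuthProtocol -RootCertificateNameToAccept below).
        $machineCerts | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
    }
    # Returns $true only when every prerequisite is met.
    -not (@($checks.Values) -contains $false)
}

Test-DeviceTunnelPrerequisites
```

If the certificate check fails on a domain-joined client, the usual causes are an autoenrollment template that issues to users rather than computers, or a template without the Client Authentication EKU; fix the template rather than hand-issuing certificates.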

VPN ProfileXML

The Always On VPN device tunnel is provisioned using an XML file. Microsoft provides a sample VPN ProfileXML file for the device tunnel (see the reference below). Make any changes required for your environment, such as VPN server hostnames, routes, traffic filters, and remote address ranges. Optionally include the trusted network detection element, if required. Do not change the protocol type (IKEv2) or the authentication method (machine certificate), as these are required for the device tunnel.

Reference: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config#configure-the-vpn-device-tunnel

Once the ProfileXML file is created, it can be deployed using Intune, System Center Configuration Manager (SCCM), or PowerShell. In this post I’ll cover how to configure Windows 10 Always On VPN device tunnel using PowerShell.

Client Configuration

Download Microsoft's PowerShell script (VPN_Profile_Device.ps1) and copy it to the target client computer. The Always On VPN device tunnel must be configured in the context of the local system account. To accomplish this, use PsExec, one of the PsTools included in the Sysinternals suite of utilities. Download PsExec from Microsoft, copy it to the target machine and verify that its Authenticode signature is Microsoft's before running it as SYSTEM; then run the following command in an elevated PowerShell window.

PsExec.exe -i -s C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe


Another elevated PowerShell window will open, this one running in the context of the local system account. In this window, navigate to the folder to which you copied the PowerShell script and XML file. Run the PowerShell script and specify the name of the ProfileXML file, as shown below (the .\ prefix is required for PowerShell to run a script from the current folder).

.\VPN_Profile_Device.ps1 -xmlFilePath .\profileXML_device.XML -ProfileName DeviceTunnel


To verify creation of the VPN device tunnel, run the following PowerShell command.

Get-VpnConnection -AllUserConnection

Note: In Windows 10 releases prior to 1903, ConnectionStatus always reports Disconnected for the device tunnel even when it is up; check the VPN interface or the RRAS server's active connections instead. This was fixed in Windows 10 1903.
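The ProfileXML and the client configuration steps above, as one added example that is not the original post's script: a minimal device tunnel ProfileXML embedded in PowerShell and written through the VPNv2 configuration service provider by way of the WMI-to-CSP bridge (MDM_VPNv2_01 in root\cimv2\mdm\dmmap), which is the same path Microsoft's VPN_Profile_Device.ps1 uses. The server name vpn.example.com, the 10.0.0.0/8 route, the 10.0.1.0/24 domain controller subnet and the port lists in the traffic filters are assumptions; the IKEv2 protocol type and machine-certificate authentication are the parts that must not change.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original post's script. Writes a device tunnel ProfileXML
# through the VPNv2 CSP (WMI-to-CSP bridge class MDM_VPNv2_01). Must run as SYSTEM
# because the device tunnel lives in the machine context. Server name, routes,
# filter subnets and ports are assumptions.
if (-not [Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
    throw 'Run as SYSTEM (for example via PsExec.exe -i -s powershell.exe).'
}

$ProfileName = 'DeviceTunnel'
$ProfileXml  = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
    <CryptographySuite>
      <AuthenticationTransformConstants>GCMAES128</AuthenticationTransformConstants>
      <CipherTransformConstants>GCMAES128</CipherTransformConstants>
      <EncryptionMethod>AES128</EncryptionMethod>
      <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
      <DHGroup>Group14</DHGroup>
      <PfsGroup>PFS2048</PfsGroup>
    </CryptographySuite>
  </NativeProfile>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
  <TrafficFilter>
    <Protocol>6</Protocol>
    <RemotePortRanges>88,135,389,445,464,636,3268,3269,49152-65535</RemotePortRanges>
    <RemoteAddressRanges>10.0.1.0/24</RemoteAddressRanges>
  </TrafficFilter>
  <TrafficFilter>
    <Protocol>17</Protocol>
    <RemotePortRanges>53,88,123,389,464</RemotePortRanges>
    <RemoteAddressRanges>10.0.1.0/24</RemoteAddressRanges>
  </TrafficFilter>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
</VPNProfile>
'@
# The route is split-tunnel and the filters allow only domain traffic (Kerberos, LDAP,
# SMB, DNS, NTP, RPC) to the DC subnet: a pre-logon tunnel with no user behind it should
# reach only what logon and management need. Traffic not matched by a filter is dropped.

function Install-DeviceTunnelProfile {
    param([Parameter(Mandatory)] [string] $Name, [Parameter(Mandatory)] [string] $Xml)
    $ns   = 'root\cimv2\mdm\dmmap'
    $cls  = 'MDM_VPNv2_01'
    $id   = $Name -replace ' ', '%20'
    $body = [System.Security.SecurityElement]::Escape($Xml)   # the CSP expects XML-escaped text

    $session = New-CimSession
    # Replace any existing profile of the same name. No user-context options are set on
    # the session: the device tunnel is created in the machine (SYSTEM) context.
    foreach ($old in $session.EnumerateInstances($ns, $cls)) {
        if ($old.InstanceID -eq $id) { $session.DeleteInstance($ns, $old) }
    }
    $inst = New-Object Microsoft.Management.Infrastructure.CimInstance $cls, $ns
    foreach ($p in @(
            @{ Name = 'ParentID';   Value = './Vendor/MSFT/VPNv2'; Flags = 'Key' },
            @{ Name = 'InstanceID'; Value = $id;                   Flags = 'Key' },
            @{ Name = 'ProfileXML'; Value = $body;                 Flags = 'Property' })) {
        $inst.CimInstanceProperties.Add(
            [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Flags))
    }
    $session.CreateInstance($ns, $inst) | Out-Null

    # The device tunnel shows up as an all-user connection; confirm it is IKEv2 with
    # machine-certificate authentication. ConnectionStatus is unreliable before 1903.
    Get-VpnConnection -AllUserConnection -Name $Name |
        Select-Object Name, TunnelType, AuthenticationMethod, SplitTunneling, ConnectionStatus
}

Install-DeviceTunnelProfile -Name $ProfileName -Xml $ProfileXml
```

Keep the <CryptographySuite> values identical to the custom IKEv2 policy on the RRAS server; a mismatch fails the IKE negotiation before any certificate is checked, which is a common reason the tunnel silently never connects.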

Server Configuration

If you are using Windows Server 2012 R2 or Windows Server 2016 Routing and Remote Access Service (RRAS) as your VPN server, you must enable machine certificate authentication for VPN connections and define the root certification authority against which incoming VPN connections will be authenticated. To do this, open an elevated PowerShell window and run the following commands.

$VPNRootCertAuthority = "Common Name of trusted root certification authority"
# If more than one root matches (for example a renewed root CA), narrow the filter or select by thumbprint: Set-VpnAuthProtocol expects a single certificate.
$RootCACert = (Get-ChildItem -Path cert:\LocalMachine\Root | Where-Object { $_.Subject -Like "*$VPNRootCertAuthority*" })
Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP -RootCertificateNameToAccept $RootCACert -PassThru

Limitations

Using PowerShell to provision an Always On VPN device tunnel is helpful for initial testing and small pilot deployments, but it does not scale very well. For production deployments it is recommended that Microsoft Intune be used to deploy Always On VPN device tunnel.

Deploy Device Tunnel with Intune

Guidance for deploying an Always On VPN device tunnel using Microsoft Intune is available from Microsoft, along with a demonstration video that walks through provisioning the device tunnel with Intune.

Summary

Once the Always On VPN device tunnel is configured, the client computer will automatically establish the connection as soon as an active Internet connection is detected. This will enable remote logins for users without cached credentials, and allow administrators to remotely manage Always On VPN clients without requiring a user to be logged on at the time.

Additional Information

Deploy Windows 10 Always On VPN Device Tunnel using Microsoft Intune

VIDEO: Deploying Windows 10 Always On VPN Device Tunnel using Microsoft Intune

Windows 10 Always On VPN Device Tunnel Does Not Connect Automatically

Windows 10 Always On VPN Device Tunnel Does Not Appear in the UI


Always On VPN is easy to use and easy to implement. Follow this four-part guide as we turn Remote Access into a seamless and persistent connection for your Windows 10 mobile devices.

Contents

  1. VPNs, DirectAccess, and Always On: a comparison
  2. Where to configure Always On VPN

DirectAccess is a bit of a snob, always talking about Teredo tunneling and IPv6, only hanging out with the Enterprise clients. While I exaggerate just a little, DirectAccess can be intimidating to set up and limiting in implementation. For the most part, Microsoft has stopped improving DirectAccess. Instead, their focus is Always On VPN. Beginning in Windows 10 1607, Microsoft changed their recommendation for VPN connectivity. With Windows 10 1607 clients, Microsoft recommends "that you use Always On VPN instead of DirectAccess."

Always On VPN has three overlapping technology segments (server, client, and network). We are going to start with an overview of Always On VPN and cover the components required for setup. The second article will cover server setup. Article three will outline client configurations and connections. The final piece will cover network changes, advanced configurations, and additional troubleshooting. Before we look at the components, let’s see why Always On VPN is the recommended form of remote access.


VPNs, DirectAccess, and Always On: a comparison

Unlike a traditional VPN, this iteration of Remote Access is designed to be persistent. A user automatically connects to your network by connecting to any external network. With 1607, we can configure this on a per-user basis, and the VPN client uses your rules to decide when to connect automatically.

It can connect upon launching certain applications, when looking for certain hosts, or stay in an always-connected state. With 1709, we can configure device connections as well. This can allow users to log on to a new laptop at an offsite location. In other words, it eliminates the whole "there are currently no logon servers available" paradox. Traffic in both versions is two-way and management capable. Offsite clients can process Group Policy, receive updates, and even be remotely controlled. In part three, we will configure these connection rules. This setup uses the native Windows 10 1607+ VPN client. Users can enroll without having to install any additional client software.

Manually setting advanced properties for Always On VPN adapters


Unlike DirectAccess, Always On VPN is a dual stack technology. It supports IPv4 and IPv6. As you will see in part four, this will make your firewall configuration much easier.

Where DirectAccess required domain-joined Enterprise or Education edition clients, Always On does not require those specific Windows 10 editions. Clients do not even need to be domain joined.

For advanced deployments, it can integrate with Windows Hello for Business as well as Azure Multi-Factor Authentication (MFA). While the server and network configuration for Always On VPN is simpler than DirectAccess, traditional client configuration is not.

Currently, you have to configure the Always On VPN client through PowerShell, SCCM, or Intune. There is not a native Always On VPN client-side extension for Group Policy. It is possible to automate PowerShell enrollment for organizations without SCCM or Intune. This requires changes to the default client configuration scripts though. The third article of this series will cover this part as well.

Where to configure Always On VPN

Always On VPN ties together many different technologies. First, you need to configure a set of servers—Network Policy Server (NPS), Certificate Authority (CA), and Remote Access. Next, you have to enroll clients (users at first, 1709+ devices for pre-logon connections). Finally, you have to connect your remote clients to your on-premises infrastructure securely through several network changes. All three sections overlap a bit, but we will break them up into logical segments.

The Always On VPN server infrastructure relies on technologies you have probably already deployed. Other than your DC/DNS servers, this configuration requires a NPS (RADIUS) server, a CA server, and a Remote Access (Routing/VPN) server. These servers do not need to be at 2016. 2012 R2 servers will work just fine. This series will assume that you already have servers with those roles enabled on them and that you just need to make the modifications necessary for the Always On VPN setup.

DirectAccess and the (Always On) VPN server roles


Along with the NPS, CA, and Remote Access servers, you will need a bit of network configuration. Remote clients connect to your Remote Access server over UDP ports 500 (IKE) and 4500 (IPsec NAT traversal); if there is no NAT between a client and the server, ESP (IP protocol 50) must be allowed as well. This section will focus on a single server setup. Organizations should use failover or a load balancer for high availability though. This Remote Access server will straddle your public network and private network. If physical, it will require two network interface controllers (NICs). Virtual machines (VMs) will require correct virtual LAN (VLAN) placement on the host.

The Remote Access server will need a public DNS record and a client-trusted certificate installed on it. The certificate name will need to match the Remote Access server name. The steps in this part of the guide will be generic because there are so many types of firewalls, routers, and switches.  The VM discussion will focus on Hyper-V.

Clients interact with this setup by talking to the CA first. Let’s look at a user on a remote device. To authenticate, this user’s device would need a specific VPN certificate issued to it. In this guide, we will use Active Directory (AD) security groups to issue this certificate to selected users automatically. The user profile on the remote device would already have the Always On VPN connection configured. This connection checks the network status on a defined basis. When the status matches rules you configure, it initiates a connection to the public interface of your Remote Access server.

The Remote Access server, through the internal interface, validates this request against your Network Policy server. If the connection request is valid, it allows clients to connect and places them in an IP pool you specify during the Remote Access server setup.

Depending on your network configuration, you can constrain clients to certain network segments or allow them normal on-premises-like access.


IPv4 and IPv6 settings on the Remote Access server


The configuration required for Always On VPN setup overlaps server, network, and client setup. In part two, we will walk through the server setup required for an Always On VPN environment. As you proceed through this guide, refer back to this post if you are confused about where items tie together.


Remote Access is one of the components that empower remote workers to be productive. Always On VPN is easy to use and easy to implement, and it provides a seamless and persistent connection for your Windows 10 mobile devices. This has traditionally been implemented with a Virtual Private Network (VPN), and that setup can be extremely difficult when you are inexperienced.

Brief difference between Windows 10 Always On VPN and DirectAccess. These two technologies both provide seamless, transparent, always-on remote network access for Windows clients.
- Always On VPN is provisioned to the user.
- DirectAccess is provisioned to the device.
This presents a challenge for deployment scenarios that require the VPN connection to be established before the user logs on.

Windows 10 Always On VPN

Windows 10 Always On VPN is a common way of allowing remote users to securely access resources behind a perimeter network. And as more employees are being asked to work from home, organizations need to provide effective but secure remote access. Microsoft Always On VPN can be deployed in the following ways:
– Always On VPN only, and
– Always On VPN with conditional access through Azure Active Directory.

Previously, DirectAccess was introduced in Windows Server 2008 R2, providing this service to Windows 7 and Windows 8 "Enterprise" edition clients. That technology had some drawbacks and difficulties in its implementation, so from Windows 10 and Windows Server 2016 onwards the "Always On VPN" technology was introduced.

Always On VPN supersedes DirectAccess and is intended to overcome its impediments. With Always On VPN, Microsoft aims for a single remote access solution that supports a wide array of clients. As with DirectAccess, the VPN connection is "always on", meaning no user input is required unless multi-factor authentication is enabled. As soon as the client has Internet connectivity, the VPN connection is established.

Below are some of the clients "Always On VPN" supports:
– Domain-joined and non-domain-joined devices
– Azure AD-joined devices, and
– BYOD devices

Steps for implementing an Always On VPN connection.

The following describes the infrastructure that is required to deploy Always On VPN and how a connection flows through it.

  • DNS name resolution: needed by the Windows 10 client to resolve the IP address of the VPN gateway.
  • When the name is resolved to the public IP address of the VPN gateway, a connection request is sent to the Always On VPN gateway.
  • The VPN gateway also serves as a RADIUS client and forwards the connection request to the corporate NPS server to process the authentication request.
  • The NPS server processes the authentication and authorization requests and then decides on the request.
  • That decision determines whether the connection is permitted or denied.

Here are the requirements for Always On VPN. The following components are needed to implement it.

  • Domain Controller (AD DS): Serves as your Domain controller (DC). AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A server that is running AD DS is called a domain controller.
  • AD DS contains the user accounts, computer accounts, and account properties that are required by Protected Extensible Authentication Protocol (PEAP) to authenticate user credentials and to evaluate authorization for VPN connection requests.
  • A DNS server: an external and an internal DNS structure is configured for each zone (the external zone publishes the VPN gateway's public name, the internal zone resolves corporate resources over the tunnel).
  • Network Policy Server: ensure the NPS is configured to support AOVPN, as this allows Windows 10 Pro and higher clients to benefit from the technology.
  • Certification Authority server (CA): Active Directory Certificate Services (AD CS) is needed so that your Public Key Infrastructure (PKI) can deploy certificates to remote devices, which is required for a seamless connection.
  • Routing and Remote Access: Remote Access VPN should be enabled to support IKEv2 connections and LAN routing.

Below are some features of Always On VPN

  • High Availability (HA): Ensures HA by load-balancing multiple NPS.
  • Advanced Authentication: AOVPN supports Windows Hello for Business.
  • Advanced Traffic Features: Supports traffic filtering, app-triggered VPN, and VPN conditional access can all be used with the Microsoft AOVPN to further filter and secure traffic.
  • Additional Security Protection: AOVPN is compatible with Trusted Platform Module (TPM) Key Attestation to provide higher security assurance for access

I will be implementing this technology from next month in my laboratory environment. Stay tuned! For more detailed information, see the article.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.
