If you want to connect Windows 10 computers to the corporate network via VPN, you can rely on Always On VPN, the successor to DirectAccess. In this video tip, we show how Microsoft Always On VPN works, what advantages Always On VPN has over DirectAccess, and how to configure Always On VPN and the certificate infrastructure it requires.
Microsoft Always On VPN – the DirectAccess successor
VPN has become an increasingly sought-after service among businesses, and not only since the Corona crisis and the boom in home-office workplaces. For a long time, Microsoft DirectAccess was an extremely easy service to implement. DirectAccess has the advantage that users do not have to take any action themselves to be connected to the corporate network.
The computers must, however, be members of an Active Directory domain. Microsoft is no longer developing DirectAccess as a VPN method and recommends that companies switch to Always On VPN, whose setup is not entirely straightforward. We show the options and the general setup in this post. Microsoft’s full documentation can be found on the Remote Access Always On VPN page.
Advantages of Always On VPN compared to DirectAccess
As with DirectAccess, Always On VPN not only provides easy and fast connections for Windows 10 mobile computers, but also lets you apply policies to remote machines. Unlike DirectAccess, Always On VPN can be used with all editions of Windows 10, and it has been optimized for Windows 10 from the start.
Like DirectAccess, Always On VPN supports connecting corporate computers to Active Directory over the VPN and applying group policies to them. For effective operation, Always On VPN requires an Active Directory, a VPN endpoint, and a RADIUS server in the local network. Generally, a certificate authority should also be available.
Configure group policies before deployment
In general, it is useful to configure the automatic enrollment of certificates for users and computers via group policy. The settings are located under “Policies\Windows Settings\Security Settings\Public Key Policies”. Here, “Certificate Service Client\Automatic Enrollment” is enabled, and the options “Renew expired certificates, update pending certificates and remove revoked certificates” and “Update certificates that use certificate templates” are checked.
When using Always On VPN, it generally makes sense to work with groups in Active Directory. A separate group should be created for the VPN users, for example “VPN Users”. For more effective policy assignment to the servers involved, it is also useful to create a “VPN Servers” group and an “NPS Servers” group.
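The following PowerShell script is an added example, not code from the original article: it creates the three groups named above and then checks, on a domain-joined machine, whether the auto-enrollment policy described in the previous section has actually been applied. It assumes the ActiveDirectory module (RSAT) is installed; the OU path is a constructed placeholder, and the AEPolicy bit meanings are taken from the AUTO_ENROLLMENT_* flags in wincrypt.h.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is available; the OU below is a placeholder for your own domain.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=corp,DC=example'   # placeholder, adjust to your environment

# Create the role groups used by the article if they do not exist yet.
foreach ($name in 'VPN Users', 'VPN Servers', 'NPS Servers') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue)) {
        New-ADGroup -Name $name -SamAccountName ($name -replace ' ', '') `
            -GroupScope Global -GroupCategory Security -Path $groupOU `
            -Description 'Always On VPN role group'
        Write-Host "Created group '$name'"
    }
}

# The "Certificate Services Client - Auto-Enrollment" policy is written to the
# AEPolicy registry value. Bit meanings follow the wincrypt.h AUTO_ENROLLMENT_* flags:
#   0x0001 update certificates that use certificate templates
#   0x0002 renew expired / update pending / remove revoked (My store management)
#   0x0004 fetch pending requests
#   0x8000 auto-enrollment disabled
# With the policy enabled and both options checked, the value is 7.
function Get-AutoEnrollmentState {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM')   # HKLM = computer, HKCU = user
    $path  = "$($Hive):\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $value = (Get-ItemProperty -Path $path -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $value)       { return 'Not configured by policy' }
    if ($value -band 0x8000)    { return 'Disabled by policy' }
    [pscustomobject]@{
        Scope             = $Hive
        TemplateCheck     = [bool]($value -band 0x1)
        MyStoreManagement = [bool]($value -band 0x2)
        PendingFetch      = [bool]($value -band 0x4)
        RawValue          = $value
    }
}

Get-AutoEnrollmentState -Hive HKLM   # computer certificates
Get-AutoEnrollmentState -Hive HKCU   # user certificates

# Trigger auto-enrollment now instead of waiting for the next policy refresh
# (runs in the current user's context; use an elevated shell for the computer account).
certutil -pulse
```

If `Get-AutoEnrollmentState` reports "Not configured by policy" after a `gpupdate /force`, the GPO is not linked to the OU that contains the user or computer, which is the most common reason the VPN certificates never appear on the clients.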
Prepare certificate templates
A certificate is required for authentication to the VPN, and ideally a dedicated template is created for it. This is done on the server on which the certification services are installed: in the “certsrv.msc” console, right-click “Certificate Templates” and select “Manage”. The certificate templates console can also be opened directly with “certtmpl.msc”.
To create the new template, right-click the “User” template and select “Duplicate Template”. On the “General” tab, enter a name such as “VPN User Authentication” under “Template display name”. The option “Publish certificate in Active Directory” should be deactivated.
Under “Security”, add the previously created AD group “VPN Users” and grant it the “Enroll” and “Autoenroll” permissions. In addition, under “Compatibility”, “Windows Server 2016” should be selected for “Certification Authority” and “Windows 10 / Windows Server 2016” for “Certificate recipient”, if possible.
Another template is created based on the “RAS and IAS Server” template; it can be named “VPN Server Authentication”, for example. Under “Extensions”, edit “Application Policies” and add “IP security IKE intermediate”. Under “Request Handling”, disable the “Allow private key to be exported” option. Under “Cryptography”, add “Microsoft Enhanced Cryptographic Provider 1.0”. Here too, under “Security”, the group for the VPN servers is added.
A template with the same settings is also created for the NPS servers. Here, of course, the NPS servers must be granted access instead, which is again controlled on the “Security” tab.
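Template settings are easy to get subtly wrong in the console, so the following added example (not code from the article) reads the templates back from the Active Directory configuration partition and checks the points the text asks for: the EKUs, the “Publish certificate in Active Directory” flag, the private-key export flag, and which groups hold the Enroll and Autoenroll rights. It assumes the ActiveDirectory module; the display names “VPN User Authentication” and “VPN Server Authentication” are those used in the text, while “NPS Server Authentication” is an assumed name for the third template, which the article does not name. The OIDs, flag bits and extended-right GUIDs are the well-known AD CS values.

```powershell
# Added example (not from the original article). Verifies the three templates
# described in the text against the AD configuration partition.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Well-known OIDs, flag bits and extended-right GUIDs used by AD CS
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'
$ServerAuthEku     = '1.3.6.1.5.5.7.3.1'
$IkeIntermediateEku = '1.3.6.1.5.5.8.2.2'   # "IP security IKE intermediate"
$CT_FLAG_PUBLISH_TO_DS        = 0x8          # flags: "Publish certificate in Active Directory"
$CTPRIVATEKEY_FLAG_EXPORTABLE = 0x10         # msPKI-Private-Key-Flag: "Allow private key to be exported"
$EnrollRight     = '0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

function Get-CertTemplateInfo {
    param([Parameter(Mandatory)][string]$DisplayName)
    $t = Get-ADObject -SearchBase $templatesDN -LDAPFilter "(displayName=$DisplayName)" `
            -Properties displayName, flags, pKIExtendedKeyUsage, 'msPKI-Private-Key-Flag'
    if (-not $t) { throw "Template '$DisplayName' not found" }

    # Who may enroll / autoenroll? Read the Allow ACEs for the two extended rights.
    $acl    = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $enroll = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $EnrollRight } |
              ForEach-Object { $_.IdentityReference.Value }
    $auto   = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $AutoEnrollRight } |
              ForEach-Object { $_.IdentityReference.Value }

    [pscustomobject]@{
        Template          = $t.displayName
        Ekus              = @($t.pKIExtendedKeyUsage)
        PublishedToAD     = [bool]($t.flags -band $CT_FLAG_PUBLISH_TO_DS)
        PrivateKeyExport  = [bool]($t.'msPKI-Private-Key-Flag' -band $CTPRIVATEKEY_FLAG_EXPORTABLE)
        EnrollGranted     = @($enroll)
        AutoEnrollGranted = @($auto)
    }
}

# User template: client authentication, not published to AD, VPN Users may enroll and autoenroll
$user = Get-CertTemplateInfo -DisplayName 'VPN User Authentication'
$user
if ($user.Ekus -notcontains $ClientAuthEku)           { Write-Warning 'User template lacks the Client Authentication EKU' }
if ($user.PublishedToAD)                              { Write-Warning 'User template still publishes certificates to AD' }
if (-not ($user.AutoEnrollGranted -match 'VPN Users')) { Write-Warning 'VPN Users has no Autoenroll right on the user template' }

# Server templates: server authentication plus IKE intermediate, private key not exportable
$serverTemplates = @{
    'VPN Server Authentication' = 'VPN Servers'
    'NPS Server Authentication' = 'NPS Servers'    # assumed name, the article does not name this template
}
foreach ($entry in $serverTemplates.GetEnumerator()) {
    $srv = Get-CertTemplateInfo -DisplayName $entry.Key
    $srv
    if ($srv.Ekus -notcontains $ServerAuthEku)      { Write-Warning "$($entry.Key): Server Authentication EKU missing" }
    if ($srv.Ekus -notcontains $IkeIntermediateEku) { Write-Warning "$($entry.Key): IP security IKE intermediate EKU missing" }
    if ($srv.PrivateKeyExport)                      { Write-Warning "$($entry.Key): private key is still exportable" }
    if (-not ($srv.EnrollGranted -match $entry.Value)) { Write-Warning "$($entry.Key): $($entry.Value) has no Enroll right" }
}
```

Run this from any domain-joined machine with RSAT; the templates are plain directory objects and reading them needs no CA permissions. The NPS template must carry Server Authentication because the client validates the NPS server certificate during EAP-TLS, which is why it is derived from “RAS and IAS Server” rather than a pure client template.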
Install Always On VPN
Setting up Always On VPN first requires installing the necessary server roles. The quickest way to do this is via PowerShell:
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
Of course, the feature can also be installed via Server Manager or Windows Admin Center. The client configuration is distributed as XML profiles, for example via SCCM or Microsoft Intune. This part of the configuration is somewhat complex.
However, Microsoft describes the setup well on the page “Always On VPN deployment for Windows Server and Windows 10”, and the page “Deploy Always On VPN” walks through the setup step by step.
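The role installation above leaves the VPN server itself unconfigured. The following added example (not from the article) goes a step beyond the text and performs the server-side part of the setup the article outlines: it enables the VPN role, points authentication and accounting at the NPS/RADIUS server, restricts user authentication to EAP so the NPS server can enforce certificate authentication with the user template, and pins a modern IKEv2 policy. The server name is constructed, the shared secret is prompted for rather than stored, and the IKEv2 algorithm choices are this example's, not the article's.

```powershell
# Added example (not from the original article). Run in an elevated shell on the
# VPN server after the role installation. Names are constructed placeholders.

Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools

# Enable the role for remote-access VPN only (no DirectAccess).
Install-RemoteAccess -VpnType Vpn

# Hand authentication and accounting to the NPS server (constructed name).
# Read the shared secret interactively so it never lands in a script file or history.
$npsServer = 'nps01.corp.example'
$secure    = Read-Host -Prompt "RADIUS shared secret for $npsServer" -AsSecureString
$secret    = [System.Net.NetworkCredential]::new('', $secure).Password
Add-RemoteAccessRadius -ServerName $npsServer -SharedSecret $secret -Purpose Authentication -MsgAuthenticator Enabled
Add-RemoteAccessRadius -ServerName $npsServer -SharedSecret $secret -Purpose Accounting
Remove-Variable secret

# Accept only EAP for user authentication; the network policy on the NPS server
# then requires EAP-TLS with a certificate from the VPN user template.
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP

# Replace the built-in IKEv2 defaults, which still allow legacy algorithms, with a
# fixed policy. Windows 10 clients negotiate these parameters natively.
Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy `
    -AuthenticationTransformConstants GCMAES128 `
    -CipherTransformConstants GCMAES128 `
    -EncryptionMethod AES128 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -PfsGroup PFS2048 `
    -SALifeTimeSeconds 28800

# The IKEv2 policy change only takes effect after the service restarts.
Restart-Service RemoteAccess

# Verify what the server now offers.
Get-VpnServerConfiguration |
    Select-Object TunnelType, CustomPolicy, EncryptionMethod, IntegrityCheckMethod, DHGroup, PfsGroup
Get-VpnAuthProtocol | Select-Object UserAuthProtocolAccepted
Get-RemoteAccessRadius | Select-Object ServerName, Purpose, MsgAuthenticator
```

The `-MsgAuthenticator Enabled` switch makes the server include the Message-Authenticator attribute in its RADIUS requests, which is what protects the exchange with the NPS server against forged responses; the matching RADIUS client entry on the NPS side must require it as well, otherwise authentication fails.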