Deploying Always On VPN with Remote Access in Windows 10


DirectAccess was introduced in Windows 8.1 and Windows Server 2012 operating systems as a feature to allow Windows users to connect remotely. However, following the launch of Windows 10, deployment of this infrastructure has declined. Microsoft has been actively encouraging organizations considering a DirectAccess solution to instead implement client-based VPN with Windows 10. This Always On VPN connection delivers a DirectAccess-like experience using traditional remote access VPN protocols such as IKEv2, SSTP, and L2TP/IPsec, and it comes with some additional benefits.

The new feature was introduced in the Windows 10 Anniversary Update to allow IT administrators to configure automatic VPN connection profiles. As mentioned earlier, Always On VPN has some important advantages over DirectAccess. For instance, Always On VPN can use both IPv4 and IPv6. So, if you have doubts about the future viability of DirectAccess, and you meet all of the requirements to support Always On VPN with Windows 10, then switching to the latter is perhaps the right choice.

Always On VPN for Windows 10 client computers

This tutorial walks you through the steps to deploy Remote Access Always On VPN connections for remote client computers that are running Windows 10.

Before proceeding any further, ensure you have the following in place:

  • An Active Directory domain infrastructure, including one or more Domain Name System (DNS) servers.
  • Public Key Infrastructure (PKI) and Active Directory Certificate Services (AD CS).

To begin Remote Access Always On VPN Deployment, install a new Remote Access server that is running Windows Server 2016.

Next, perform the following actions with the VPN Server:

  1. Install two Ethernet network adapters in the physical server. If you are installing the VPN server on a VM, you must create two External virtual switches, one for each physical network adapter; and then create two virtual network adapters for the VM, with each network adapter connected to one virtual switch.
  2. Install the server on your perimeter network between your edge and internal firewalls, with one network adapter connected to the External Perimeter Network, and one network adapter connected to the Internal Perimeter Network.

After you complete the above procedure, install and configure Remote Access as a single tenant VPN RAS Gateway for point-to-site VPN connections from remote computers. Configure Remote Access as a RADIUS client so that it can send connection requests to the organization NPS server for processing.

Enroll and validate the VPN server certificate from your certification authority (CA).

NPS Server

The Network Policy Server (NPS) is installed on your organization/corporate network. Configure this server as a RADIUS server so that it can receive connection requests from the VPN server. Once the NPS server starts receiving requests, it processes them and performs authorization and authentication before sending an Access-Accept or Access-Reject message to the VPN server.
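The VPN-server-to-NPS RADIUS pairing described above, as an added PowerShell example that is not from the original article or from Microsoft's guide. The host names, IP address and client name are placeholder assumptions, and it assumes PowerShell remoting from an admin workstation to both servers.

```powershell
# Added example. Host names, the IP address and the client name are placeholders.
$VpnServer   = 'vpn01.corp.example'   # assumed VPN server name
$NpsServer   = 'nps01.corp.example'   # assumed NPS server name
$VpnServerIp = '10.10.0.5'            # assumed internal-perimeter address of the VPN server

function New-RadiusSharedSecret {
    # 32 random bytes, Base64-encoded (44 characters), from the OS CSPRNG.
    param([int]$ByteCount = 32)
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    [Convert]::ToBase64String($bytes)
}

# One long random secret shared by exactly this client/server pair.
$secret = New-RadiusSharedSecret

# VPN server: install Remote Access as a VPN gateway and hand authentication to NPS.
Invoke-Command -ComputerName $VpnServer -ArgumentList $NpsServer, $secret -ScriptBlock {
    param($Nps, $Secret)
    Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools | Out-Null
    Install-RemoteAccess -VpnType Vpn
    Set-VpnAuthType -Type ExternalRadius -RadiusServer $Nps -SharedSecret $Secret
    Get-RemoteAccessRadius   # confirm the NPS server is listed
}

# NPS server: register the VPN server as a RADIUS client with the same secret.
Invoke-Command -ComputerName $NpsServer -ArgumentList $VpnServerIp, $secret -ScriptBlock {
    param($ClientIp, $Secret)
    Install-WindowsFeature NPAS -IncludeManagementTools | Out-Null
    New-NpsRadiusClient -Name 'AlwaysOn-VPN-Server' -Address $ClientIp -SharedSecret $Secret
    Get-NpsRadiusClient      # confirm only expected clients are registered
}

Remove-Variable secret       # do not leave the secret in the session
```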

AD DS Server

This server hosts the on-premises Active Directory domain, which holds the on-premises user accounts. You need to set up the following items on the domain controller:

  1. Enable certificate autoenrollment in Group Policy for computers and users
  2. Create the VPN Users Group
  3. Create the VPN Servers Group
  4. Create the NPS Servers Group

CA Server

The Certification Authority (CA) Server is a certification authority that is running Active Directory Certificate Services. The CA enrolls certificates that are used for PEAP client–server authentication and creates certificates based on certificate templates. So, first, you need to create certificate templates on the CA. The remote users that are allowed to connect to your organization network must have a user account in AD DS.

Also, make sure that your firewalls allow the traffic that is necessary for both VPN and RADIUS communications to function correctly.

Apart from having these server components in place, ensure that the client computers you configure to use VPN are running Windows 10 version 1607 or later. The Windows 10 VPN client is highly configurable and offers many options.

This guide is designed for deploying Always On VPN with the Remote Access server role on an on-premises organization network. Please do not attempt to deploy Remote Access on a virtual machine (VM) in Microsoft Azure.

For complete details and configuration steps, you can refer to this Microsoft document.