What you need to know about Microsoft Always On VPN


Remote working has become more common as technology improves and the workplace evolves. In order to support these remote workers effectively, legacy remote access solutions need to be reevaluated. The goal of this article is to examine Microsoft's current remote access offering, Always On VPN.

Always On VPN is Microsoft's remote access solution and is included in Windows 10. It replaces Microsoft's older remote access solution, DirectAccess.

When planning an Always On VPN deployment, keep in mind that its purpose is to give users and devices remote access to resources on the company's local network. Users who work only with cloud services do not require a VPN connection, and neither do devices that are managed with cloud-enabled tools.

How Always On VPN works

In an Always On VPN environment, a client connects automatically to a VPN server without the user having to initiate a connection. This functionality is enabled by the VPNv2 CSP (configuration service provider) node included in Windows 10. Through this CSP, Windows 10's built-in VPN client can be configured using either an MDM solution (Intune) or a PowerShell script.

An Always On VPN deployment typically requires a VPN server and a RADIUS server for authentication. As a general rule, both run Windows Server: the VPN server has the Routing and Remote Access role installed, and the RADIUS server has the Network Policy Server role installed. There is no requirement for these servers to be Microsoft servers, however. Third-party solutions or appliances can be used as well. The servers and clients must also be issued certificates by a certificate authority. VPN connections are authenticated using these certificates.

The Windows 10 VPN client can be configured with a user-authenticated tunnel or a device-authenticated tunnel. The two tunnel types can be connected simultaneously.

VPN Protocols

Because Always On VPN runs on familiar VPN infrastructure, it can also use familiar VPN protocols. Two main protocols make the most sense with Always On VPN.


Internet Key Exchange version 2 (IKEv2) offers better security and performance than IKEv1. Its ability to reconnect automatically after a brief interruption also makes it reliable. One concern with IKEv2 is that it communicates over UDP 500 and UDP 4500, and firewalls may block the connection because of this.

The only protocol that can be used with an Always On VPN device tunnel is IKEv2.


Secure Socket Tunneling Protocol (SSTP) is a fast tunneling protocol that also offers good security. SSTP communicates over TCP 443, so there is very little chance of it being blocked. While SSTP provides more security than IKEv2, it does not cope well with interruptions in traffic.


Always On VPN is made possible by Windows 10's built-in VPN client, which is configured through the VPNv2 CSP node. The VPNv2 CSP node settings can be defined in an XML file. Intune or Configuration Manager can then deploy the XML file to systems using PowerShell. Microsoft's documentation explains how to configure and deploy the XML.
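Before such an XML file is deployed, it can be checked against the constraints described above. The following is an added example, not code from this article or from Microsoft: a small Python audit of a VPNv2 ProfileXML document. The sample profile, the server name `vpn.example.com`, the route, and the function name `audit_profile` are constructed for illustration, and the user-tunnel check assumes that user certificates are presented through EAP.

```python
import xml.etree.ElementTree as ET

# Constructed device-tunnel ProfileXML; the server name and route are placeholders.
SAMPLE_PROFILE = """<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication><MachineMethod>Certificate</MachineMethod></Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <Route><Address>10.0.0.0</Address><PrefixSize>8</PrefixSize></Route>
</VPNProfile>"""


def audit_profile(profile_xml):
    """Return a list of findings for one ProfileXML string (empty list = clean)."""
    root = ET.fromstring(profile_xml)
    if root.tag != "VPNProfile":
        return ["root element is not VPNProfile"]

    def value(path):
        # Missing elements are treated as empty strings; comparison is case-insensitive.
        return (root.findtext(path) or "").strip().lower()

    findings = []
    if value("AlwaysOn") != "true":
        findings.append("AlwaysOn is not true, so the client will not connect automatically")
    if not value("NativeProfile/Servers"):
        findings.append("no VPN server is configured")
    if value("DeviceTunnel") == "true":
        # The article states that a device tunnel can only use IKEv2.
        if value("NativeProfile/NativeProtocolType") != "ikev2":
            findings.append("device tunnel must use IKEv2")
        if value("NativeProfile/Authentication/MachineMethod") != "certificate":
            findings.append("device tunnel is not using machine certificate authentication")
    elif value("NativeProfile/Authentication/UserMethod") != "eap":
        # Assumption of this example: user certificates are presented through EAP.
        findings.append("user tunnel is not using EAP, so it cannot authenticate with a certificate")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE) or ["no findings"]:
        print(finding)
```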
