Microsoft Always On VPN: transparent access to the corporate network suitable in smart working scenarios

Technology can play an important role in reducing the impact of COVID-19 on people and business realities, helping staff stay productive when it is not able to be physically at his workplace. In these days of emergency, companies have been forced to adopt effective solutions quickly to allow their employees to work remotely without sacrificing collaboration, productivity and security. The solutions that can be adopted in this area are different, each with its own characteristics and peculiarities, able to meet different needs. This article presents the main features of the technology Microsoft Always On VPN, to assess the benefits and what are the main use cases of the solution.

Key Features of Always On VPN

Starting with Windows Server 2016 and later Microsoft introduced a new remote access technology for endpoints called Always On VPN that allows transparent access to the corporate network, making it particularly suitable in smart working scenarios. It is the evolution of the technology DirectAccess and, however effective, it presented some limitations that made it difficult to adopt.

As the name tell, VPN is “always active”, In fact, a secure corporate network connection is established automatically whenever an authorized client has Internet connectivity, all without requiring user input or interaction, unless a multi-factor authentication mechanism is enabled. Remote users access business data and applications in the same way, just as if they were in the workplace.

Always On VPN connections include the following types of tunnels:

  • Device Tunnel: the device connects to the VPN server before users log on to the device.
  • User Tunnel: it activates only after users have logged on to the device.

Using Always On VPN you can have a user connection, a device connection, or a combination of both. Both the Device Tunnel that the User Tunnel they work independently and can use different authentication methods. It appears therefore possible to enable the device authentication to manage it remotely through the Device Tunnel, and enable user authentication for connectivity to internal resources through the User Tunnel. The User Tunnel supports SSTP, and IKEv2, while the Device Tunnel only supports IKEv2.

Supported scenarios

Technology Always On VPN is a solution only for systems Windows 10. However, unlike DirectAccess, client devices don't have to run the Enterprise edition, but all versions of Windows 10 support this technology, adopting the tunnel type defined User Tunnel. In this scenario, the devices can be members of an Active Directory domain, but this is not strictly necessary. The Always On VPN client can be nondomain-joined (workgroup), therefore also owned by the user. To take advantage of certain advanced features, clients may be to join Azure Active Directory. Only for use Device Tunnel systems are required to join a domain and must have Windows 10 Enterprise or Education. In this scenario, the recommended version is 1809 or later.

Infrastructure requirements

The following infrastructure components are required to implement an Always On VPN architecture, many of which are typically already active in the business realities:

  • Domain Controllers
  • DNS Servers
  • Network Policy Server (NPS)
  • Certificate Authority Server (CA)
  • Routing and Remote Access Server (RRAS)

Figure 1 – Overview of VPN Always On technology

In this context it is appropriate to specify that Always On VPN is infrastructure-independent and can be activated by using the Windows Routing and Remote Access role (RRAS) or by adopting any third-party VPN device. Authentication can also be provided by the Windows Network Policy Server role (NPS) or from any third-party RADIUS platform.

For more details on the requirements, please refer to the Microsoft's official documentation.

Always On VPN in Azure environment?

In general,, it is advisable to establish VPN connections to endpoints as close as possible to the resources that must be accessed. For hybrid realities, there are several options for positioning the architecture Always On VPN. Deploying the Remote Access role on a virtual machine in Azure environment is not supported, however, you can use Azure VPN Gateway with Windows 10 Always On, to establish tunnels of both type Device Tunnel and User Tunnel. In this regard it should be noted that it is appropriate to make the correct assessments of the type and of the SKU to deploy Azure VPN Gateway.

Deployment types

For Always On VPN there are two deployment scenarios:

The deployment of Always On VPN can predict optionally, for client Windows 10 joined to domain, to configure conditional access to adjust how VPN users access company resources.

Figure 2 – Workflow for the deployment of Always On VPN for Windows 10 client domain-joined

The client Always On VPN can be integrate with the platform Azure Contitional Access to force multi-factor authentication (MFA), device compliance or a combination of these two aspects. If meets the Contitional Access criteria, Azure Active Directory (Azure AD) issues a short-lived IPsec authentication certificate that can be used to authenticate to the VPN gateway. Device compliance uses Microsoft Endpoint Manager compliance policies (Configuration Manager / Intune), which may include the status of integrity attestation of the device, as part of the compliance check for the connection.

Figure 3 – Client-side connection workflow

For more details on this deployment method you can refer to this Microsoft documentation.

Provisioning of the solution on the client
Always On VPN is designed to be deployed and managed using a mobile device management platform such as Microsoft Endpoint Manager, but you can also use Mobile Device Management solutions (MDM) of third party. For Always On VPN there is no support for the configuration and management via Group Policy in Active Directory, but if you do not have a MDM solution it is possible to proceed with a manual deploy of the configuration via PowerShell.

Integration with other Microsoft solutions

Besides the cases specified in the preceding paragraphs, technology Always On VPN can be integrated with the following Microsoft technologies:

  • Azure Multifactor Authentication (MFA): when combined with RADIUS services (Remote Authentication Dial-In User Service) and the extension NPS (Network Policy Server) for Azure MFA, VPN authentication can exploit multi-factor authentication mechanisms.
  • Windows Information Protection (WIP): thanks to this integration is permitted the application of network criteria for determining if traffic is permitted to pass through the VPN tunnel.
  • Windows Hello for Business: in Windows 10, this technology replaces passwords, providing authentication mechanism with two strong factors. This authentication is a type of user credentials related to a device and use a PIN (Personal Identification Number) biometric or personal.


Prepare your infrastructure to allow the endpoint to access the corporate network through technology Always On VPN it does not require any additional cost for software licenses and the necessary investments both in terms of effort and resources are minimal. Thanks to this connectivity method you can ensure the best user experience on the move, providing a transparent and automatic access to the corporate network while maintaining a high level of security. For the aspects listed above technology Always On VPN is not suitable for all usage scenarios, but it is certainly to be considered in the presence of systems Windows 10 that need remote access to corporate resources.

Please follow and like us: