Always On VPN using Windows Server 2016 and Windows 10 Clients
This blog series started after the struggle with implementing Always On Virtual Private Network (VPN) connections for remote employees by using Remote Access in Windows Server 2016 and Always On VPN profiles for Windows 10 client computers.
Although Microsoft have provided lot of documentation but it is never easier to find all the requirements in the pre-stages. Mainly because Microsoft is so good to reveal information in separate places at different stages of implementation.
I am writing this to make it easy for someone who is just about to begin this journey and able to implement it successfully in one go.
Pre-Requisites and Assumptions
This blog series assume that you have following already in place:
- You must have an Active Directory domain infrastructure, including one or more Domain Name System (DNS) servers.
- At least one Windows Server 2016 Domain Controller
- You must have a Public Key Infrastructure (PKI) and Active Directory Certificate Services (AD CS).
- You must be prepared to get a public certificate with a specific URL, which will be used for clients to connect to.
- You must have a perimeter network that includes two firewalls.
- One before the Perimeter Network
- One after the Perimeter network, toward internal network
- Remote client computers must be joined to the Active Directory domain.
- Remote client computers must be running the Windows 10 Anniversary Update (version 1803) or later operating system.
- You must be prepared to deploy one new physical server or virtual machine (VM) on your perimeter network, upon which you will install Remote Access. This server must have two physical Ethernet network adapters.
- External facing Network with Public IP Address
- Internal Facing Network with Internal IP
- This Internal Facing network needs to have full access to the internal network including any no https inspection.
- You must be prepared to install NPS as a RADIUS server on a server or VM. You can install NPS on a new physical server or on a new VM. If you already have NPS servers on your network, you can modify an existing NPS server configuration rather than adding a new server.
- You must decide on VPN Connection type to be used for Windows 10 client computers
- Internet Key Exchange version 2 (IKEv2)
- You must decide what type of Routing will be allowed –
routing rules determine whether users can use other network routes while connected to the VPN.
- Split Tunnel or Forced Tunnel
- Device or user authentication
- Always On VPN uses device certificates and device-initiated connection through a feature called Device Tunnel. That connection can be initiated automatically and is persistent, resembling a DirectAccess infrastructure tunnel connection.
- By using user certificates, the Always On VPN client connects automatically, but it does so at the user level (after user sign-in) instead of at the device level (before user sign-in). The experience is still seamless to the user, but it supports more advanced authentication mechanisms, like Windows Hello for Business.
- You must Plan IP Addresses for Remote Clients
- Whether to use Static or DHCP Range
- If you are using DHCP, then you must allow DHCP IP Helpers on the Perimeter network to connect to your DHCP Servers internally.
- You must allow appropriate Firewall rules to
- Depending on your network environment, you might need to make several routing modifications.
This blog series is based on Microsoft – Deploy Always On VPN
Next Follow Always On Design