
Always On VPN – Design
Below is the workflow diagram that will be followed to implement this solution: a detailed workflow for deploying Always On VPN connections for remote, domain-joined Windows 10 client computers.
Planning And Design
This blog series assumes that you have the following already in place:
- Windows Server 2016 Domain Controller
- Public Key Infrastructure (PKI) and Active Directory Certificate Services (AD CS)
- A public certificate issued for the public hostname (remote.harrmikbatth.lab)
- Perimeter network firewalls:
  - One in front of the perimeter network (Internet side)
  - One behind the perimeter network, toward the internal network
- Remote client computers must be joined to the Active Directory domain.
- Remote client computers must be running the Windows 10 Anniversary Update (version 1803) or later operating system.
- A VM with two network cards in the DMZ:
  - An external-facing interface with a public IP address
  - An internal-facing interface with an internal IP address
  - The internal-facing network needs full access to the internal network, with no HTTPS inspection in the path.
- A new NPS installed as a RADIUS server on a server or VM.
- VPN connection types to be used:
  - Internet Key Exchange version 2 (IKEv2)
  - SSTP (to allow connections from home Wi-Fi, airport and guest public Wi-Fi networks)
- Forced tunnel will be used.
- User authentication:
  - By using user certificates, the Always On VPN client connects automatically, but it does so at the user level (after user sign-in) instead of at the device level (before user sign-in).
- Remote clients will be assigned addresses from a DHCP range.
- You must allow the appropriate firewall rules to
- Depending on your network environment, you might need to make several routing modifications.
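As an added example (not code from the original post), the PowerShell below turns the design decisions above into a VPNv2 ProfileXML document: IKEv2 with SSTP as the fallback, forced tunnel, user-certificate (EAP-TLS) authentication and automatic connection. It assumes a template VPN connection named 'AOVPN Template' has already been configured for EAP-TLS with a user certificate, and that harrmikbatth.lab is the internal DNS suffix; those names, the function name and its parameters are assumptions.

```powershell
function New-AovpnProfileXml {
    param(
        [string]$TemplateName      = 'AOVPN Template',            # assumed name of a pre-configured EAP-TLS connection
        [string]$ServerAddress     = 'remote.harrmikbatth.lab',   # public VPN name from the design
        [string]$InternalDnsSuffix = 'harrmikbatth.lab',          # assumed internal DNS suffix
        [string]$OutFile           = "$env:TEMP\AOVPN_ProfileXML.xml"
    )

    # Reuse the EAP-TLS settings (user certificate, trusted root CA, NPS server name)
    # already on the template connection instead of hand-writing the EAP XML.
    $template = Get-VpnConnection -Name $TemplateName -ErrorAction Stop
    if (-not $template.EapConfigXmlStream) {
        throw "Connection '$TemplateName' has no EAP configuration; set it up for EAP-TLS first."
    }
    $eapConfig = $template.EapConfigXmlStream.InnerXml

    # Design decisions from the plan:
    #  - NativeProtocolType Automatic: Windows tries IKEv2 (UDP 500/4500) and falls back
    #    to SSTP over TCP 443 on home, airport and guest Wi-Fi that blocks IKEv2.
    #  - RoutingPolicyType ForceTunnel: all client traffic goes through the tunnel.
    #  - UserMethod Eap: authentication is at user level, after sign-in.
    #  - AlwaysOn true: the client connects automatically.
    #  - TrustedNetworkDetection: stay disconnected while already on the internal LAN.
    $profileXml = @"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <TrustedNetworkDetection>$InternalDnsSuffix</TrustedNetworkDetection>
  <DnsSuffix>$InternalDnsSuffix</DnsSuffix>
  <NativeProfile>
    <Servers>$ServerAddress</Servers>
    <NativeProtocolType>Automatic</NativeProtocolType>
    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>$eapConfig</Configuration>
      </Eap>
    </Authentication>
  </NativeProfile>
</VPNProfile>
"@

    # Fail early if the assembled document is not well-formed XML.
    $null = [xml]$profileXml
    Set-Content -Path $OutFile -Value $profileXml -Encoding UTF8
    return $OutFile
}
```

Run New-AovpnProfileXml as the user who owns the template connection; the resulting file is what Intune, SCCM or an MDM-bridge deployment script pushes to the clients.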
Workflow Diagram
