Remote Access Always-On VPN Deployment Overview
This blog series walks through deploying Always On Virtual Private Network (VPN) connections for remote computers that are running Windows 10.
For this deployment, you configure a new Remote Access server running Windows Server 2016 and modify some of your existing infrastructure.
The following illustration shows the infrastructure that is required to deploy Always On VPN.
The connection process depicted in this illustration consists of the following steps.
- Using public DNS servers, the Windows 10 VPN client performs a name resolution query for the IP address of the VPN gateway.
- Using the IP address returned by DNS, the VPN client sends a connection request to the VPN gateway.
- The VPN gateway is also configured as a Remote Authentication Dial-In User Service (RADIUS) client; the gateway's RADIUS client forwards the connection request to your NPS server for connection request processing.
- The NPS server processes the connection request, performing authentication and authorization, and determines whether to allow or deny it.
- The NPS server returns an Access-Accept or Access-Reject response to the VPN gateway.
- The connection is completed or refused based on the response that the VPN server received from the NPS server.
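The flow above can be watched from the operator's side. The following PowerShell is an added example (not part of the original post or of Microsoft's documentation) that checks steps 1 and 2 from the Windows 10 client and reads the Access-Accept and Access-Reject decisions of steps 3 to 6 from the NPS server's Security log. The gateway name vpn.example.com, the profile name AlwaysOn VPN and the RADIUS client friendly name VPN01 are assumptions.

```powershell
# Added example, not from the original post. Section 1 runs on the Windows 10 client, section 2
# on the NPS server. Assumed names: vpn.example.com (public name of the VPN gateway),
# 'AlwaysOn VPN' (client profile) and 'VPN01' (the gateway's RADIUS client entry on NPS).

# ---- 1. Client: step 1 (public DNS lookup) and step 2 (connection request) ----
$gateway     = 'vpn.example.com'
$profileName = 'AlwaysOn VPN'

# Query a public resolver directly, as the client does when it is off the corporate network.
$addresses = Resolve-DnsName -Name $gateway -Type A -Server 8.8.8.8 -DnsOnly |
    Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
"Step 1: $gateway -> $($addresses -join ', ')"

# An Always On profile connects by itself; rasdial forces the attempt so the outcome shows now.
# IKEv2 runs over UDP 500/4500, which Test-NetConnection cannot probe, so this is the real test.
rasdial $profileName
Get-VpnConnection -Name $profileName | Select-Object Name, ServerAddress, TunnelType, ConnectionStatus

# ---- 2. NPS: steps 3-6 (the RADIUS decision the gateway acted on) ----
# NPS writes one Security event per decision: 6272 = Access-Accept, 6273 = Access-Reject.
# If nothing shows up, enable the audit subcategory:
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
$radiusClient = 'VPN01'
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddHours(-1)
}

foreach ($event in $events) {
    # Flatten <EventData><Data Name="..."> into a hashtable keyed by field name.
    $fields = @{}
    foreach ($data in ([xml]$event.ToXml()).Event.EventData.Data) { $fields[$data.Name] = $data.'#text' }

    if ($fields['ClientName'] -ne $radiusClient) { continue }   # only requests from this gateway

    [pscustomobject]@{
        Time     = $event.TimeCreated
        Response = $(if ($event.Id -eq 6272) { 'Access-Accept' } else { 'Access-Reject' })
        User     = $fields['FullyQualifiedSubjectUserName']
        NasIp    = $fields['NASIPv4Address']
        EapType  = $fields['EAPType']
        Policy   = $fields['NetworkPolicyName']
        Reason   = $(if ($fields.ContainsKey('Reason')) { "$($fields['ReasonCode']): $($fields['Reason'])" } else { 'granted' })
    }
}
```

A 6273 whose Reason names the dial-in properties of the account, or whose Policy is empty, points at the authorization part of step 4 rather than at the certificate exchange; a connection that never produces either event means the request did not reach NPS at all (steps 1 to 3).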
For more information on each infrastructure component depicted in the illustration above, see the following sections.
The VPN server is a new virtual machine (VM) that you install to complete the steps in this document. The server runs Windows Server 2016. In the process of completing the steps in this document, you perform the following actions on the VPN server.
- Install two Ethernet network adapters in the physical server. If the VPN server runs as a VM, as it does here, give the VM two virtual network adapters, each connected to an external virtual switch that is bound to one of the physical adapters.
- Install the server on your perimeter network between your edge and internal firewalls, with one network adapter connected to the external perimeter network and one network adapter connected to the internal perimeter network.
- Install and configure Remote Access as a single-tenant VPN RAS Gateway for point-to-site VPN connections from remote computers.
- Configure Remote Access as a RADIUS client so that it can send connection requests to your NPS server for processing.
- Enroll and validate the VPN server certificate from your certification authority (CA).
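Steps 3 to 5 above as one PowerShell session on the new VPN server. This is an added example, not code from the original post or from the rest of the series; the first two steps (adapters and perimeter placement) happen outside the operating system. The public name vpn.example.com and the NPS server name nps01.corp.example.com are assumptions, and the IPsec proposal is a commonly used hardening of the RRAS default rather than anything the post prescribes.

```powershell
# Added example, not from the original post. Run on the Windows Server 2016 VPN server after it is
# domain-joined. Assumptions: the server certificate carries the public name vpn.example.com and
# the NPS server is nps01.corp.example.com.

# Step 3: install the Remote Access role with the VPN role service and its management tools,
# then configure it as a single-tenant RAS Gateway for point-to-site (remote access) VPN.
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools
Install-RemoteAccess -VpnType Vpn

# This scenario uses IKEv2 with PEAP-TLS, so accept EAP for user authentication and replace the
# RRAS default IPsec proposal, which still permits 3DES, SHA-1 and DH group 2.
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP -PassThru
Set-VpnServerIPsecConfiguration -CustomPolicy -AuthenticationTransformConstants GCMAES128 `
    -CipherTransformConstants GCMAES128 -DHGroup Group14 -EncryptionMethod AES128 `
    -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -SALifeTimeSeconds 28800 `
    -MMSALifeTimeSeconds 86400 -SADataSizeForRenegotiationKilobytes 1024000

# Step 4: register NPS as the RADIUS server. Adding an authentication-purpose RADIUS server
# switches the gateway from Windows authentication to external RADIUS. The Message-Authenticator
# attribute is required for EAP and lets NPS detect a tampered Access-Request.
$secret = Read-Host -Prompt 'RADIUS shared secret (enter the same value in the NPS RADIUS client)'
Add-RemoteAccessRadius -ServerName 'nps01.corp.example.com' -SharedSecret $secret `
    -Purpose Authentication -Port 1812 -Timeout 5 -Score 30 -MsgAuthenticator Enabled
Get-RemoteAccessRadius -Purpose Authentication

# Step 5: validate the enrolled server certificate. An IKEv2 gateway certificate needs a private
# key on this machine, the public name in its SAN, and both the Server Authentication and the
# IP security IKE intermediate EKUs; otherwise Windows 10 clients reject the gateway.
$serverName = 'vpn.example.com'
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.DnsNameList.Unicode -contains $serverName -and
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and   # Server Authentication
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.8.2.2'        # IP security IKE intermediate
}
if (-not $cert) { throw "No usable IKEv2 server certificate for $serverName in LocalMachine\My" }
$cert | Format-List Subject, Issuer, NotAfter, Thumbprint

# IPsec and authentication changes take effect after the service restarts.
Restart-Service -Name RemoteAccess -PassThru
```

The certificate check is worth keeping as a recurring task: when the certificate is renewed with a template that lacks the IKE intermediate EKU, the gateway keeps running but every IKEv2 client fails with a certificate error.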
The NPS server is installed on your organization's internal network. It is configured as a RADIUS server that receives connection requests from the VPN server, its RADIUS client. The NPS server processes the connection requests, performing authentication and authorization, and sends either an Access-Accept or an Access-Reject message to the VPN server.
The Active Directory Domain Services (AD DS) server is a domain controller for your on-premises Active Directory domain, which hosts your on-premises user accounts. During completion of the steps in this document, the following items are configured on the domain controller.
- Enable certificate autoenrollment in Group Policy for computers and users
- Create the VPN Users Group
- Create the VPN Servers Group
- Create the NPS Servers Group
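The four domain-controller items above, done with the ActiveDirectory and GroupPolicy modules instead of the consoles. This is an added example and not code from the original post. It assumes the VPN and NPS computer accounts are named VPN01 and NPS01, that the groups go in the default Users container, and that the autoenrollment settings are delivered in a new GPO named Certificate Autoenrollment linked at the domain root.

```powershell
# Added example, not from the original post. Run on or against a domain controller with an account
# that can create groups and GPOs. Assumptions: computer accounts VPN01 and NPS01 exist, groups are
# created in CN=Users, and a new GPO 'Certificate Autoenrollment' is linked to the domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain    = Get-ADDomain
$domainDn  = $domain.DistinguishedName
$container = "CN=Users,$domainDn"

# Items 2-4: the three groups. Global security groups, because NPS network policy uses VPN Users
# as a condition and the certificate templates grant enroll rights to VPN Servers / NPS Servers.
foreach ($name in 'VPN Users', 'VPN Servers', 'NPS Servers') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName ($name -replace ' ', '') -GroupScope Global `
            -GroupCategory Security -Path $container -Description "Always On VPN: $name"
    }
}
# The VPN server is domain-joined even though it sits in the perimeter network; membership takes
# effect for a computer account at its next reboot.
Add-ADGroupMember -Identity 'VPNServers' -Members (Get-ADComputer -Identity 'VPN01')
Add-ADGroupMember -Identity 'NPSServers' -Members (Get-ADComputer -Identity 'NPS01')

# Item 1: certificate autoenrollment for computers (HKLM) and users (HKCU). AEPolicy = 7 turns on
# all three options: enabled (1), renew expired / update pending / remove revoked certificates (2),
# update certificates that use certificate templates (4).
$gpo = Get-GPO -Name 'Certificate Autoenrollment' -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name 'Certificate Autoenrollment' -Comment 'Always On VPN PKI' }

foreach ($hive in 'HKLM', 'HKCU') {
    Set-GPRegistryValue -Name $gpo.DisplayName `
        -Key "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" `
        -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
}
if (-not ((Get-GPInheritance -Target $domainDn).GpoLinks.DisplayName -contains $gpo.DisplayName)) {
    New-GPLink -Name $gpo.DisplayName -Target $domainDn -LinkEnabled Yes | Out-Null
}

# Report what is now in place.
Get-ADGroup -Filter "Name -like 'VPN *' -or Name -like 'NPS *'" -Properties Members |
    Select-Object Name, GroupScope, @{ n = 'Members'; e = { $_.Members.Count } }
```

On a client or server, `gpupdate /force` followed by `certutil -pulse` triggers autoenrollment immediately instead of waiting for the next policy refresh, which is useful when validating the templates in the next section.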
The Certification Authority (CA) server is a certification authority running Active Directory Certificate Services (AD CS). The VPN configuration requires an Active Directory–based public key infrastructure (PKI).
The CA enrolls certificates that are used for PEAP client–server authentication. The CA creates certificates based on certificate templates.
During completion of the steps in this document, you will configure the following certificate templates on the CA.
- The User Authentication certificate template
- The VPN Server Authentication certificate template
- The NPS Server Authentication certificate template
Both internal and external Domain Name System (DNS) zones are required, which assumes that the internal zone is a delegated subdomain of the external zone.
In addition to the server components, the client computers configured to use the VPN run Windows 10 Anniversary Update (version 1607) or later.
The Windows 10 VPN client is highly configurable and offers many options. To better illustrate the specific features this scenario uses, Table 1 identifies the VPN feature categories and the specific configurations that this document references. You configure the individual settings for these features by using the VPNv2 configuration service provider (CSP), discussed later in this document.
Table 1. VPN Features and Configurations Discussed in This Document

| VPN feature | Configuration |
|---|---|
| Connection type | Native IKEv2 |
| Name resolution | Domain Name Information List and DNS suffix |
| Triggering | Always On and Trusted Network Detection |
| Authentication | PEAP-TLS with TPM-protected user certificates |
PEAP-TLS and TPM stand for Protected Extensible Authentication Protocol with Transport Layer Security and Trusted Platform Module, respectively.
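How the four rows of Table 1 look once expressed as VPNv2 CSP ProfileXML and pushed to a client, as an added example that is not code from the original post. It follows the two-stage pattern Microsoft documents for this CSP: the PEAP-TLS settings are copied out of a connection named Template that was built by hand with a user certificate (so the certificate selection, and with it the TPM-backed key, is never typed as EapHostConfig XML), and the profile is then written through the MDM WMI bridge, which is reachable only from the local SYSTEM account. The names vpn.example.com, corp.example.com, the DNS servers 10.0.0.10 and 10.0.0.11, the profile name AlwaysOn VPN and the hand-off file under C:\ProgramData\AlwaysOnVPN are assumptions.

```powershell
# Added example, not from the original post. Run once as the user (writes the ProfileXML file) and
# once as SYSTEM while that user is logged on, e.g. under 'psexec -i -s powershell.exe' (installs it).
# Assumptions: hand-built 'Template' connection with PEAP-TLS, names vpn.example.com and
# corp.example.com, DNS servers 10.0.0.10/11, hand-off file C:\ProgramData\AlwaysOnVPN\VPN_Profile.xml.

$ProfileName = 'AlwaysOn VPN'
$XmlPath     = 'C:\ProgramData\AlwaysOnVPN\VPN_Profile.xml'

function New-AlwaysOnProfileXml {
    # Stage 1 (as the user). One element group per Table 1 row:
    #   NativeProtocolType           -> connection type (native IKEv2)
    #   DnsSuffix, DomainNameInformation -> name resolution
    #   AlwaysOn, TrustedNetworkDetection -> triggering
    #   Authentication/Eap           -> PEAP-TLS with the user certificate chosen in 'Template'
    $eap = (Get-VpnConnection -Name 'Template').EapConfigXmlStream.InnerXml
    if (-not $eap) { throw "Connection 'Template' has no EAP configuration" }
    @"
<VPNProfile>
  <DnsSuffix>corp.example.com</DnsSuffix>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap><Configuration>$eap</Configuration></Eap>
    </Authentication>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <TrustedNetworkDetection>corp.example.com</TrustedNetworkDetection>
  <DomainNameInformation>
    <DomainName>.corp.example.com</DomainName>
    <DnsServers>10.0.0.10,10.0.0.11</DnsServers>
  </DomainNameInformation>
</VPNProfile>
"@
}

function Install-AlwaysOnProfile {
    # Stage 2 (as SYSTEM). Creates ./Vendor/MSFT/VPNv2/<name>/ProfileXML in the logged-on user's context.
    param([string]$Name, [string]$ProfileXml)

    $namespace   = 'root\cimv2\mdm\dmmap'
    $class       = 'MDM_VPNv2_01'
    $escapedName = $Name -replace ' ', '%20'
    $escapedXml  = $ProfileXml -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

    # A user tunnel belongs to the user, so address that user's context by SID.
    $user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    $sid  = ([System.Security.Principal.NTAccount]$user).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
    $options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
    $options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id', $sid, $false)

    $session = New-CimSession
    # Delete an older copy first so a re-run updates the profile instead of failing.
    foreach ($old in $session.EnumerateInstances($namespace, $class, $options)) {
        if ($old.InstanceID -eq $escapedName) { $session.DeleteInstance($namespace, $old, $options) }
    }
    $instance = New-Object Microsoft.Management.Infrastructure.CimInstance $class, $namespace
    foreach ($prop in @(
        [Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID',   './Vendor/MSFT/VPNv2', 'String', 'Key'),
        [Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', $escapedName,          'String', 'Key'),
        [Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', $escapedXml,           'String', 'Property')
    )) { $instance.CimInstanceProperties.Add($prop) }
    $session.CreateInstance($namespace, $instance, $options)
}

# Pick the stage from the account the script runs under (S-1-5-18 is LOCAL SYSTEM).
if ([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value -eq 'S-1-5-18') {
    Install-AlwaysOnProfile -Name $ProfileName -ProfileXml (Get-Content -Path $XmlPath -Raw)
} else {
    New-Item -ItemType Directory -Force -Path (Split-Path -Path $XmlPath) | Out-Null
    New-AlwaysOnProfileXml | Set-Content -Path $XmlPath -Encoding UTF8
    "ProfileXML written to $XmlPath; re-run this script as SYSTEM to install it"
}
```

After the SYSTEM run, `Get-VpnConnection -Name 'AlwaysOn VPN'` in the user's own session should list the profile with TunnelType Ikev2 and AuthenticationMethod Eap, and the connection should come up on its own as soon as the machine is off a network whose connection-specific DNS suffix matches the TrustedNetworkDetection value.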
Firewalls are configured to allow the traffic that is necessary for both VPN and RADIUS communications to function correctly: for native IKEv2, UDP 500 (IKE) and UDP 4500 (IPsec NAT traversal) inbound from the Internet to the VPN server's external adapter; for RADIUS, UDP 1812 (authentication) and UDP 1813 (accounting) from the VPN server's internal adapter to the NPS server.
For more information, see Configure Firewalls for
The remote users that are allowed to connect to your network must have a user account in AD DS.
User accounts in Active Directory Users and Computers have dial-in properties that NPS evaluates during the authorization process, unless the Network Access Permission property of the user account is set to Control access through NPS Network Policy.
This is the default setting for all user accounts. In some cases, however, this setting might have been changed to Deny access, which blocks the user from connecting over VPN regardless of network policy, or to Allow access, which overrides the access permission of the matching network policy.
For more information, see Configure NPS to Ignore User Account Dial-in Properties.
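The per-account override described above is stored in the msNPAllowDialin attribute of the user object: TRUE is Allow access, FALSE is Deny access, and an absent attribute is Control access through NPS Network Policy. The following PowerShell is an added example, not code from the original post, that lists every account whose dial-in setting overrides network policy and resets the members of VPN Users to the default. It assumes the ActiveDirectory module and write access to the affected user objects; the reset runs with -WhatIf until you remove that switch.

```powershell
# Added example, not from the original post. Audits and resets the Network Access Permission of
# user accounts. Assumptions: ActiveDirectory module available, a group named 'VPN Users', and
# rights to modify the user objects reported.
Import-Module ActiveDirectory

function Get-DialInOverride {
    # Every user whose msNPAllowDialin is set, i.e. whose dial-in property bypasses the NPS decision.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADUser -SearchBase $SearchBase -LDAPFilter '(&(objectCategory=person)(msNPAllowDialin=*))' `
               -Properties msNPAllowDialin |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName          = $_.SamAccountName
                Enabled                 = $_.Enabled
                NetworkAccessPermission = $(if ($_.msNPAllowDialin) { 'Allow access' } else { 'Deny access' })
            }
        }
}

function Reset-DialInToNpsPolicy {
    # Clears msNPAllowDialin, returning the account to 'Control access through NPS Network Policy'.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$SamAccountName)
    process {
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Set Network Access Permission to Control access through NPS Network Policy')) {
            Set-ADUser -Identity $SamAccountName -Clear msNPAllowDialin
        }
    }
}

# Report first. 'Deny access' explains a VPN Users member who is rejected although the network
# policy grants access; 'Allow access' lets an account through a policy that would otherwise deny it.
$overrides = Get-DialInOverride
$overrides | Format-Table -AutoSize

# Reset only the accounts this deployment expects NPS policy to govern: members of VPN Users.
$vpnUsers = Get-ADGroupMember -Identity 'VPN Users' -Recursive | Select-Object -ExpandProperty SamAccountName
$overrides | Where-Object { $vpnUsers -contains $_.SamAccountName } |
    Select-Object -ExpandProperty SamAccountName | Reset-DialInToNpsPolicy -WhatIf
```

Clearing the attribute is the account-side fix; the alternative referenced above is the policy-side one, where the NPS network policy is set to ignore user account dial-in properties, which makes the attribute irrelevant for connections matching that policy.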
Previous Post – Always On – Technology Overview
Next Post – RRAS Deployment