Always On VPN Hands-On Training Classes Coming to Denver and New York

Windows 10 Always On VPN Hands-On Training Classes for 2018I’m pleased to announce that I will be bringing my popular three-day Windows 10 Always On VPN Hands-On Training classes to Denver and New York in May and June! Join me May 15-17, 2018 in Denver or June 5-7, 2018 in New York. These training classes will cover all aspects of designing, implement, and supporting an Always On VPN solution in the enterprise. These three-day courses will cover topics including…

  • Windows 10 Always On VPN overview
  • Introduction to CSP
  • Infrastructure requirements
  • Planning and design considerations
  • Installation, configuration, and client provisioning

Advanced topics will include…

  • Redundancy and high availability+
  • Cloud-based deployments
  • Third-party VPN infrastructure and client support
  • Multifactor authentication
  • Always On VPN migration strategies

Windows 10 Always On VPN Hands-On Training Classes for 2018

Register Today

Reservations are being accepted now! The cost for this 3-day hands-on training class is $4995.00 USD. Space is limited, so don’t wait to register! Fill out the form below to save your seat now.

What is the Difference Between DirectAccess and Always On VPN?

Always On VPN Device Tunnel Configuration Guidance Now AvailableDirectAccess has been around for many years, and with Microsoft now moving in the direction of Always On VPN, I’m often asked “What’s the difference between DirectAccess and Always On VPN?” Fundamentally they both provide seamless and transparent, always on remote access. However, Always On VPN has a number of advantages over DirectAccess in terms of security, authentication and management, performance, and supportability.

Security

DirectAccess provides full network connectivity when a client is connected remotely. It lacks any native features to control access on a granular basis. It is possible to restrict access to internal resources by placing a firewall between the DirectAccess server and the LAN, but the policy would apply to all connected clients.

Windows 10 Always On VPN includes support for granular traffic filtering. Where DirectAccess provides access to all internal resources when connected, Always On VPN allows administrators to restrict client access to internal resources in a variety of ways. In addition, traffic filter policies can be applied on a per-user or group basis. For example, users in accounting can be granted access only to their department servers. The same could be done for HR, finance, IT, and others.

Authentication and Management

DirectAccess includes support for strong user authentication with smart cards and one-time password (OTP) solutions. However, there is no provision to grant access based on device configuration or health, as that feature was removed in Windows Server 2016 and Windows 10. In addition, DirectAccess requires that clients and servers be joined to a domain, as all configuration settings are managed using Active Directory group policy.

Windows 10 Always On VPN includes support for modern authentication and management, which results in better overall security. Always On VPN clients can be joined to an Azure Active Directory and conditional access can also be enabled. Modern authentication support using Azure MFA and Windows Hello for Business is also supported. Always On VPN is managed using Mobile Device Management (MDM) solutions such as Microsoft Intune.

Performance

DirectAccess uses IPsec with IPv6, which must be encapsulated in TLS to be routed over the public IPv4 Internet. IPv6 traffic is then translated to IPv4 on the DirectAccess server. DirectAccess performance is often acceptable when clients have reliable, high quality Internet connections. However, if connection quality is fair to poor, the high protocol overhead of DirectAccess with its multiple layers of encapsulation and translation often yields poor performance.

The protocol of choice for Windows 10 Always On VPN deployments is IKEv2. It offers the best security and performance when compared to TLS-based protocols. In addition, Always On VPN does not rely exclusively on IPv6 as DirectAccess does. This reduces the many layers of encapsulation and eliminates the need for complex IPv6 transition and translation technologies, further improving performance over DirectAccess.

Supportability

DirectAccess is a Microsoft-proprietary solution that must be deployed using Windows Server and Active Directory. It also requires a Network Location Server (NLS) for clients to determine if they are inside or outside the network. NLS availability is crucial and ensuring that it is always reachable by internal clients can pose challenges, especially in very large organizations.

Windows 10 Always On VPN supporting infrastructure is much less complex than DirectAccess. There’s no requirement for a NLS, which means fewer servers to provision, manage, and monitor. In addition, Always On VPN is completely infrastructure independent and can be deployed using third-party VPN servers such as Cisco, Checkpoint, SonicWALL, Palo Alto, and more.

Summary

Windows 10 Always On VPN is the way of the future. It provides better overall security than DirectAccess, it performs better, and it is easier to manage and support.

Here’s a quick summary of some important aspects of VPN, DirectAccess, and Windows 10 Always On VPN.

Traditional VPN DirectAccess Always On VPN
Seamless and Transparent No Yes Yes
Automatic Connection Options None Always on Always on, app triggered
Protocol Support IPv4 and IPv6 IPv6 Only IPv4 and IPv6
Traffic Filtering No No Yes
Azure AD Integration No No Yes
Modern Management Yes No (group policy only) Yes (MDM)
Clients must be domain-joined? No Yes No
Requires Microsoft Infrastructure No Yes No
Supports Windows 7 Yes Yes Windows 10 only

Always On VPN Hands-On Training

If you are interested in learning more about Windows 10 Always On VPN, consider registering for one of my hands-on training classes. More details here.

Additional Resources

Always On VPN and the Future of Microsoft DirectAccess

5 Important Things DirectAccess Administrators Should Know about Windows 10 Always On VPN

3 Important Advantages of Windows 10 Always On VPN over DirectAccess

Always On VPN Hands-On Training Classes for 2018

Windows 10 Always On VPN Hands-On Training Classes for 2018I’m pleased to announce I will be delivering Windows 10 Always On VPN hands-on training classes in various locations around the U.S. this year. As Microsoft continues to move away from DirectAccess in favor of Windows 10 Always On VPN, many organizations now must come up to speed on this new technology. Spoiler alert…it’s not trivial to implement! There’s lots of moving parts, critical infrastructure dependencies, and many configuration options to choose from. Additionally, Windows 10 Always On VPN is managed in a completely different way than DirectAccess, which is sure to present its own unique challenges.

Comprehensive Education

My Windows 10 Always On VPN hands-on training classes will cover all aspects of designing, implementing, and supporting an Always On VPN solution in the enterprise. This three-day course will cover topics such as…

  • Windows 10 Always On VPN overview
  • Introduction to CSP
  • Infrastructure requirements
  • Planning and design considerations
  • Installation, configuration, and client provisioning

Advanced topics will include…

  • Redundancy and high availability
  • Cloud-based deployments
  • Third-party VPN infrastructure and client support
  • Multifactor authentication
  • Always On VPN migration strategies

Upcoming Training Classes

Reservations are being accepted immediately for classes held on March 27-29, 2018 in Southern California and April 10-12 in Chicago. The cost for this 3 day hands-on, in-depth training class is $4995.00 USD. Later this year I’ll be delivering classes in other parts of the country as well. Those locations will be chosen based on demand, so if you can’t make this first class, please register anyway and let me know your location preference. If there’s enough interest in a specific locale I will schedule a class for that region soon. Although I currently have no plans to deliver my training classes outside the U.S., I’m more than happy to consider it if there is enough demand, so let me know!

Windows 10 Always On VPN Hands-On Training Classes for 2018

Reservations Available Now

Reservations are being accepted now! The cost for this 3-day hands-on training class is $4995.00 USD. Space is limited, so don’t wait to register! Fill out the form below to save your seat now.

5 Things DirectAccess Administrators Should Know About Always On VPN

5 Things DirectAccess Administrators Should Know About Always On VPNWindows 10 Always On VPN hands-on training classes now forming. Details here.

As I’ve written about previously, Microsoft is no longer investing in DirectAccess going forward. There will be no new features or functionality added to the product in the future. Microsoft is now investing in Always On VPN in Windows 10, with new features being released with each semi-annual update of the operating system. But as Microsoft continues to make the push toward Always On VPN over DirectAccess, many administrators have asked about the ramifications of this shift in focus for enterprise remote access. Here are a few points to consider.

It’s the same thing, only different.

Always On VPN provides the same seamless, transparent, always on experience as DirectAccess. Under the covers, the mechanics of how that’s accomplished changes a bit, but fundamentally the user experience is exactly the same. Once a user logs on to their device, a VPN connection is established automatically and the user will have secure remote access to corporate resources.

The connection is still secure.

Where DirectAccess uses IPsec and Connection Security Rules (CSRs) to establish its secure tunnels, Always On VPN uses traditional client-based VPN protocols such as IKEv2, SSTP, L2TP, and PPTP. Both DirectAccess and Always On VPN use certificates for authentication. However, where DirectAccess uses machine certificates to authenticate the computer, Always On VPN leverages user certificates to authenticate the user.

(Note: Machine certificates will be required for Always On VPN when using the optional device tunnel configuration. I will publish more details about this configuration option in a future article.)

Provisioning and managing clients is different.

The administrative experience for Always On VPN is much different than it is with DirectAccess. Where DirectAccess made use of Active Directory and group policy for managing client and server settings, Always On VPN clients must be provisioned using a Mobile Device Management (MDM) solution such as Microsoft Intune, or any third-party MDM platform. Optionally, Always On VPN clients can be provisioned using Microsoft System Center Configuration Manager (SCCM), or manually using PowerShell.

Security is enhanced.

Always On VPN has the potential to provide much more security and protection than DirectAccess. Always On VPN supports traffic filtering, allowing administrators to restrict remote client communication by IP address, protocol, port, or application. By contrast, DirectAccess allows full access to the internal network after user logon with no native capability to restrict access. In addition, Always On VPN supports integration with Azure Active Directory, which enables conditional access and multifactor authentication scenarios.

It’s built for the future.

Always On VPN also provides support for modern authentication mechanisms like Windows Hello for Business. In addition, Windows Information Protection (WIP) integration is supported to provide essential protection for enterprise data.

Summary

Microsoft set the bar pretty high with DirectAccess. Users love the seamless and transparent access it provides, and administrators reap the benefit of improved systems management for field based devices. Always On VPN provides those same benefits, with additional improvements in security and protection. If you’d like more information about Always On VPN, fill out the form below and I’ll get in touch with you.

Additional Information

Always On VPN and the Future of DirectAccess

3 Important Advantages of Windows 10 Always On VPN over Microsoft DirectAccess

Windows 10 Always On VPN Hands-On Training

%d bloggers like this: