Always On VPN Split vs. Force Tunneling

Always On VPN Split vs. Force TunnelingDuring the planning phase of a Windows 10 Always On VPN implementation the administrator must decide between two tunneling options for VPN client traffic – split tunneling or force tunneling. When split tunneling is configured, only traffic for the on-premises network is routed over the VPN tunnel. Everything else is sent directly to the Internet. With force tunneling, all client traffic, including Internet traffic, is routed over the VPN tunnel. There’s been much discussion recently on this topic, and this article serves to outline the advantages and disadvantages for both tunneling methods.

Force Tunneling

Force tunneling is typically enabled to meet the following requirements.

Visibility and Control

By routing all the client’s Internet traffic over the VPN tunnel, administrators can inspect, filter, and log Internet traffic using existing on-premises security solutions such as web proxies, content filters, or Next Generation Firewalls (NGFW).

Privacy

Enabling force tunneling ensures privacy and protection of all Internet communication. By routing all Internet traffic over the VPN, administrators can be certain that all communication from the Always On VPN client is encrypted, even when clients access unencrypted web sites or use untrusted or insecure wireless networks.

Force Tunneling Drawbacks

While configuring force tunneling for Always On VPN has some advantages, it comes with some serious limitations as well.

Poor User Experience

User experience is often degraded when all Internet traffic is routed over the VPN. These suboptimal network paths increase latency, and VPN encapsulation and encryption overhead increase fragmentation, leading to reduced throughput. Most Internet traffic is already encrypted in some form, and encrypting traffic that is already encrypted makes the problem even worse. In addition, force tunneling short-circuits geographic-based Content Delivery Networks (CDNs) further reducing Internet performance. Further, location-based services are often broken which can lead to improper default language selection or inaccurate web search results.

Increased Resource Consumption

Additional resources may need to be provisioned to support force tunneling. With corporate and Internet traffic coming over the VPN, more CPU, memory, and network resources may be required. Deploying additional VPN servers and higher throughput load balancers to support the increase in network traffic may also be necessary. Force tunneling also places higher demands on Internet Service Provider (ISP) links to the corporate datacenter.

Split Tunneling

The alternative to force tunneling is “split tunneling”. With split tunneling configured, only traffic destined for the internal corporate network is routed over the VPN. All other traffic is sent directly to the Internet. Administrators define IP networks that should be routed over the VPN, and those networks are added to the routing table on the VPN client.

Security Enforcement

The challenge of providing visibility and control of Internet traffic with split tunneling enabled can be met using a variety of third-party security solutions. Microsoft Defender ATP recently introduced support for web content filtering. Also, there are numerous cloud-based security offerings from many vendors that allow administrators to monitor and control client-based Internet traffic. Zscaler and Cisco Umbrella are two popular solutions, and no doubt there are many more to choose from.

Recommendations

The general guidance I provide customers is to use split tunneling whenever possible, as it provides the best user experience and reduces demands on existing on-premises infrastructure. Enabling split or force tunneling is ultimately a design decision that must be made during the planning phase of an Always On VPN implementation project. Both configurations are supported, and they each have their merits.

In today’s world, with many applications accessible via public interfaces, force tunneling is an antiquated method for providing visibility and control for managed devices in the field. If required, investigate the use of Microsoft or other third-party solutions that enforce security policy in place without the requirement to backhaul client Internet traffic to the datacenter over VPN for inspection, logging, and filtering.

Additional Information

Whitepaper: Enhancing VPN Performance at Microsoft

Whitepaper: How Microsoft Is Keeping Its Remote Workforce Connected

Microsoft Defender ATP Web Content Filtering

Always On VPN Force Tunneling with Office 365 Exclusions

Always On VPN Force Tunneling with Office 365 ExclusionsWith the COVID-19 global pandemic forcing nearly everyone to work from home these days, organizations that implemented force tunneling for their VPN clients are likely encountering unexpected problems. When force tunneling is enabled, all client traffic, including Internet traffic, is routed over the VPN tunnel. This often overloads the VPN infrastructure and causes serious slowdowns, which degrades the user experience and negatively impacts productivity. This is especially challenging because so many productivity applications like Microsoft Office 365 are optimized for Internet accessibility. It is one of the main reasons that force tunneling is not generally recommended.

Force Tunneling with Exceptions

When enabling split tunneling is not an option, administrators frequently ask about enabling force tunneling with some exceptions. The most common configuration is enabling force tunneling while still allowing Office 365 traffic to go outside of the tunnel. While this is something that third-party solutions do easily, it has been a challenge for Always On VPN. Specifically, Always On VPN has no way to route traffic by hostname or Fully-Qualified Domain Name (FQDN).

Exclusion Routes

To address this challenge, the administrator can configure Exclusion Routes. Exclusion Routes are supported in Windows 10 1803 with update KB4493437, Windows 10 1809 with update KB4490481, and Windows 10 1903/1909.

Exclusion routes are defined in the client routing table that are excluded from the VPN tunnel. The real challenge here is determining all the required IP addresses required for Office 365.

Microsoft Published Guidance

Given current events and the heavy demands placed on enterprises supporting exclusively remote workforces, Microsoft has recently published guidance for configuring Always On VPN force tunneling while excluding Office 365 traffic. Their documentation includes all the required IP addresses to configure exclusions for. This will make it much simpler for administrators to configure Always On VPN to support this unique scenario. The following links provide detailed configuration guidance for enabling force tunneling for Always On VPN with exceptions.

Additional Information

Windows 10 Always On VPN Split vs. Force Tunneling

Windows 10 Always On VPN Routing Configuration

Windows 10 Always On VPN Lockdown Mode

DirectAccess and Windows 10 in Education

DirectAccess and Windows 10 in EducationIntroduction

DirectAccess provides seamless and transparent, always on remote network connectivity for managed Windows clients. It is commonly installed in large enterprises to provide better management for field-based assets, and to streamline the remote access experience for end users. Today, DirectAccess is a mature technology that is widely deployed across many verticals, but education is one that is often overlooked.

Benefits of DirectAccess

For commercial enterprises, the benefits of DirectAccess are many. Windows 10 DirectAccess clients have ubiquitous access to on-premises applications and data without requiring user interaction. This streamlined user access improves productivity and reduces helpdesk costs. DirectAccess is always on, allowing client machines to stay in contact with domain controllers and systems management servers, ensuring they are always managed.

DirectAccess in Education

Many of the same benefits DirectAccess provides for the enterprise are also important in the education sector. Often administrators for schools and colleges have many Windows-based machines that they must both manage and provide secure remote access for. In addition, they struggle with the same issues that enterprises do, such as maintaining configuration and security posture for devices that are predominantly remote.

Windows 10 and Education

Windows 10 November Update Available TodayThe Windows 10 Education SKU is a supported client operating system for DirectAccess, enabling educational institutions using this license to implement a remote access solution with DirectAccess using Windows Server 2012 R2 or Windows Server 2016. Implementing a DirectAccess remote access solution can result in significant cost savings, as DirectAccess requires no investments in proprietary hardware and has no associated per-user licensing.

Windows 10 Anniversary Update

Microsoft is making a concerted effort to address the education sector with new and compelling features to be included in the Windows 10 Anniversary Update, released earlier this week. For example, they have introduced apps that simplify the setup of school PCs. App discovery and purchasing are easier, and stylus support is improved. Native integration with Office 365 is another important factor. There are also a number of significant new security features that will make migrating to Windows 10 a worthy investment.

DirectAccess and Windows 10 in Education

Summary

If you are an administrator working for any educational institution and are struggling with maintaining and supporting your field-based Windows devices, consider a DirectAccess remote access solution today. With DirectAccess implemented, users will be more productive and remote machines better managed. DirectAccess can also be deployed using existing infrastructure, and it supports flexible network deployment along with many scalability features that will ensure the highest levels of availability.

Additional Resources

Video: DirectAccess and Windows 10 in Action
3 Important Things about Windows 10 and DirectAccess
DirectAccess and Windows 10 Better Together
DirectAccess Consulting Services
Book: Implementing DirectAccess with Windows Server 2016