TLDR; Do you use Microsoft Always on VPN for users roaming between home and office? Do you like it?
We are replacing a lot of old “on-site” thin clients with notebooks and docking stations to give users the ability to work partly from home. We want a solution that gives us good control (AD, GPO, patch management, AV, etc. are all available on-premise). It also should be as close to an on-site experience as possible. Users only use Citrix on their devices so the bandwidth for on-site apps is pretty much not a problem.
We’re using it. It’s generally pretty good, but sometimes the tunnel locks up and takes a reboot to come good.
If users are only using Citrix apps I’d look at whether you can accelerate a push to cloud and just Azure AD Join the laptops. Move your GPOs to Intune, patch management and AV to Intune or your preferred RMM, etc. Just remove the need for a VPN at all. It really does simplify a lot.
We set this up over a year ago now and I love it. It’s one of those products that just works. The only issue we have is the same as above and it’s due to the device tunnel, if you’re running both user and device tunnel. If you have crappy home broadband and it disconnects a lot, the device tunnel doesn’t register the disconnect and thinks it’s still connected, so it stops flowing traffic. The user tunnel is fine, reconnects a treat. You can manually disconnect the device tunnel but you need admin rights to do it. For users it’s easier to reboot.
Part of our rollout involved just pushing the user tunnel first then we have slowly added the device tunnel later.
We use it. Device tunnels to AD and DNS servers that correlate with Sites and Services for VPN subnets, then user tunnels with SSTP and fallback to IKEv2. User tunnels use MFA via RADIUS and either Duo or MS Authenticator.
What the end user sees is regular sign-in with MFA requirements (we force MFA for PC logins internally too, so it’s the same to the user). New users can log in like they are in the office, and cached credentials are no longer needed.
As the others pointed out, there are times where the device tunnel gets hung up and a reboot fixes it. Users don’t have much issue with it as it’s not common and reboots are already part of their normal troubleshooting process before reaching out to us.
Be aware that there are two types of VPN from MS: the older DirectAccess and the newer Always On.
DirectAccess is a pain in the ass, with many issues and not really supported anymore. Always On is basically a modified IKEv2 VPN with cert-based authentication. MS wants you to use Intune for the deployment, but basically it’s just a scripted VPN solution that is using built-in resources.
Works well and you are able to debug it, as long as the VPN server itself will show you some logs…
Probably a good place to ask this question. We currently use full-tunnel VPN for remote users, which is currently most of them. We’re exploring splitting the tunnel for things like 365 traffic but that’s another issue. When we’ve discussed Always On VPN (I’m infosec fwiw) with the network team they’ve always said “this will increase our bandwidth requirements 4-6x!”
For the life of me I can’t see why that would be if we’re already full-tunnel VPN. Am I missing something really obvious, or are they just trying to snow everyone because they don’t want to use Always On?
I have used it in the past for clients who had their domain/servers hosted in Azure and it worked pretty great.
Spread out your cert creations though so you don’t have everyone’s expire all at once. In fact the expiration is something you should probably get ahead of with automation.
Exactly what we explored, but the cost for M365 put us off and we are currently evaluating this move for 2025. We have to migrate Exchange around that time, we have the EOL of Office 2019, and all this combined could be a nice M365 package.
If you have crappy home broadband and it disconnects a lot, the device tunnel doesn’t register the disconnect and thinks it’s still connected, so it stops flowing traffic.
I managed for it to detect being down by changing NetworkOutageTime to 30 (seconds) in “C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk”. Does not reconnect for us as long as the user tunnel is still up though.
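The rasphone.pbk change described in the post above, as an added example that is not code from the thread: it rewrites the NetworkOutageTime entry of one profile in the system-wide phonebook and keeps a backup. The pbk path is the one given in the post; the profile name ($TunnelName) is a placeholder you replace with your device tunnel's name, and the script assumes it runs elevated, since the device tunnel profile lives in the ProgramData phonebook.

```powershell
# Added example (not from the thread). Sets NetworkOutageTime for one
# profile in the system rasphone.pbk, which is a plain INI-style file:
# [Profile Name] sections followed by key=value lines.
param(
    [string]$PbkPath = 'C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk',
    [string]$TunnelName = 'DeviceTunnel',   # placeholder: your device tunnel profile name
    [int]$OutageSeconds = 30                 # value the post above settled on
)

if (-not (Test-Path -Path $PbkPath)) { throw "Phonebook not found: $PbkPath" }

# Keep a copy so the change can be reverted if the tunnel misbehaves afterwards.
Copy-Item -Path $PbkPath -Destination "$PbkPath.bak" -Force

$section = $null
$changed = $false
$updated = foreach ($line in (Get-Content -Path $PbkPath)) {
    # Track which [section] we are in; only the requested profile is touched.
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1] }

    if ($section -eq $TunnelName -and $line -match '^NetworkOutageTime=') {
        $changed = $true
        "NetworkOutageTime=$OutageSeconds"
    }
    else {
        $line
    }
}

if (-not $changed) {
    throw "No NetworkOutageTime entry found under [$TunnelName]; check the profile name."
}

# Write the file back. Match the original encoding with -Encoding if your pbk
# carries a BOM; the default is fine for the ASCII pbk files RAS normally writes.
Set-Content -Path $PbkPath -Value $updated
Write-Output "Set NetworkOutageTime=$OutageSeconds for [$TunnelName] in $PbkPath"
```

The new value applies the next time the tunnel is established, so the device tunnel has to be re-dialed (or the machine rebooted) after the edit.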
DirectAccess is basically a NAT64+DNS64, server only supported on Microsoft Server, that is supported on Windows 7 but required Enterprise licensing. Boil it down like that and it’s simple. The big blockers to adoption were the requirement of Enterprise licensing on any potential client, and the requirement of terminating on a Microsoft Server instead of a router or firewall. Also, applications had to be new enough to support IPv6.
“Always-On VPN” is a dual-stack tunnel that can terminate on third-party equipment, and originally didn’t require Enterprise licensing but did require Windows 10. Overall it was a reasonable trade-off at first. But the “Device Tunnel” was added to establish connectivity before Windows login, and that now requires Enterprise licensing. Since the Device Tunnel is actually-always-on and isn’t subject to authentication and credential issues, it can be argued that it’s now mandatory for the thing to work as intended. Yet Device Tunnel requires Enterprise licensing, removing a key advantage that made it worth using in the first place.
“Always-on” is orthogonal to whether the tunnels are split-tunnel. Microsoft recommends split-tunneling for better performance and reduced bandwidth required.
Full-tunneling is mainly a solution that’s used to work around other problems. It’s not desirable in itself.
Main issue with DA is that there is no real log. So if it’s failing you’re doomed. Combined with a high impact of latency on bandwidth that will also impact all(!) connected clients, we had remote workers with a 30kbps connection.
The WAN line itself was 50mbit as the bottleneck, latency ~60ms.
If you’re running your VPN prior to user login you will be able to run GPOs even for remote workers BUT you will have to run them if there is a tunnel.
In the end we had users who needed to wait 60 minutes until their desktop went online. The only workaround was to disable the whole DA and get an interim VPN.
MS even had a KB article about this latency issue somewhere. Their recommendation was to drop DA. What a funny week…
Right now we are running all on Citrix ADC Always On. Working as expected.
That’s where I’m lost as well. We’re already passing all the traffic through the VPN tunnels, not sure how a different VPN mechanism would change that value so drastically.