Remote Access Always On VPN Deployment Guide for Windows Server and Windows 10

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows 10

You can use this guide to deploy Always On Virtual Private Network (VPN) connections for remote employees by using Remote Access in Windows Server 2016 and Always On VPN profiles for Windows 10 client computers.


This guide is designed for deploying Always On VPN with the Remote Access server role on an on-premises organization network. Do not attempt to deploy Remote Access on a virtual machine (VM) in Microsoft Azure. Using Remote Access in Microsoft Azure is not supported, including both Remote Access VPN and DirectAccess. For more information, see Microsoft server software support for Microsoft Azure virtual machines.

This guide contains the following sections.

About this guide

This guide is designed for network and system administrators who want to manage remote computers that connect automatically to the organization network with VPN whenever the user logs on to the device, changes networks, or simply turns on the display. This type of automatically connecting VPN is called an Always On VPN because the VPN connection appears to be a persistent connection.


This guide is available for download in Word format at TechNet Gallery.

This guide provides instructions on deploying Remote Access as a single tenant VPN RAS Gateway for point-to-site VPN connections that allow your remote employees to connect to your organization network with Always On VPN connections.

It is recommended that you review the design and deployment guides for each of the technologies that are used in this deployment scenario. These guides can help you determine whether this deployment scenario provides the services and configuration that you need for your organization's network. For more information, see Technology overviews.

Prerequisites for using this guide

This guide provides instructions on how to deploy Remote Access Always On VPN connections for remote client computers that are running Windows 10. Following are the prerequisites for performing the procedures in this guide.


For this deployment, it is not a requirement that your infrastructure servers, such as computers running Active Directory Domain Services, Active Directory Certificate Services, and Network Policy Server, are running Windows Server 2016. You can use earlier versions of Windows Server, such as Windows Server 2012 R2, for the infrastructure servers and for the server that is running Remote Access.

  • You must have an Active Directory domain infrastructure, including one or more Domain Name System (DNS) servers.
  • You must have a Public Key Infrastructure (PKI) and Active Directory Certificate Services (AD CS).
  • You must have a perimeter network that includes two firewalls. For more information, see Remote Access Always On VPN Deployment Overview.
  • Remote client computers must be joined to the Active Directory domain.
  • Remote client computers must be running the Windows 10 Anniversary Update (version 1607) or later operating system.
  • You must be prepared to deploy one new physical server or virtual machine (VM) on your perimeter network, upon which you will install Remote Access. This server must have two physical Ethernet network adapters.
  • You must be prepared to install NPS as a RADIUS server on a server or VM. You can install NPS on a new physical server or on a new VM. If you already have NPS servers on your network, you can modify an existing NPS server configuration rather than adding a new server.
  • You must read the planning section of this guide to ensure that you are prepared for this deployment before you perform the deployment.
  • You must perform the steps in this guide in the order in which they are presented.
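
The client and server prerequisites listed above can be verified with a short preflight script before you start the deployment. This is an added example, not part of the original guide; the script name and the -Role parameter are assumptions made for illustration, and the DNS test assumes the client is on the organization network when the script runs.

```powershell
# Added example (not from the guide): preflight check for the prerequisites above.
# The script name and -Role parameter are assumptions made for this illustration.
# Usage: .\Test-AovpnPrereq.ps1 -Role Client   (or -Role Server)
param(
    [ValidateSet('Client', 'Server')]
    [string]$Role = 'Client'
)

$results = [System.Collections.Generic.List[object]]::new()

function Add-Check {
    param([string]$Name, [bool]$Passed, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$os = Get-CimInstance -ClassName Win32_OperatingSystem

if ($Role -eq 'Client') {
    # Windows 10 Anniversary Update (version 1607) is OS build 14393.
    # ProductType 1 means a workstation edition rather than a server.
    $build = [int]$os.BuildNumber
    Add-Check 'Windows 10 version 1607 or later' `
        ($os.ProductType -eq 1 -and $build -ge 14393) "Build $build"

    Add-Check 'Joined to an Active Directory domain' ([bool]$cs.PartOfDomain) $cs.Domain

    # Run this part while on the organization network: it asks DNS for the
    # domain controller locator record that AD DS registers.
    if ($cs.PartOfDomain) {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($cs.Domain)" -Type SRV `
            -ErrorAction SilentlyContinue
        $dcs = @($srv | Where-Object Type -eq 'SRV')
        Add-Check 'DNS resolves domain controllers' ($dcs.Count -gt 0) `
            (($dcs.NameTarget | Sort-Object -Unique) -join ', ')
    }
}
else {
    # Count wired Ethernet adapters (media type 802.3) that Windows reports as physical.
    $nics = @(Get-NetAdapter -Physical | Where-Object MediaType -eq '802.3')
    Add-Check 'Two physical Ethernet adapters' ($nics.Count -ge 2) `
        (($nics | ForEach-Object { "$($_.Name) [$($_.Status)]" }) -join ', ')
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { exit 1 }
```

The script exits with code 1 when any check fails, so it can gate a deployment task sequence. It does not test the PKI, perimeter firewall, or NPS prerequisites, which still need to be confirmed separately.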

What this guide does not provide

This guide does not provide instructions for deploying the following items.

  • Active Directory Domain Services (AD DS)
  • Active Directory Certificate Services (AD CS) and a Public Key Infrastructure (PKI)
  • Dynamic Host Configuration Protocol (DHCP) automatic IP address assignment to computers and other devices that are configured as DHCP clients.
  • Network hardware, such as Ethernet cabling, firewalls, switches, and hubs.
  • Additional network resources, such as application and file servers, that remote users can access over an Always On VPN connection.
  • Internet connectivity

Technology Overviews

When performing the steps in this guide, you must install and configure the following technologies in Windows Server 2016.

If you already have some of these technologies deployed on your network, you can use the instructions in this guide to perform additional configuration of the technologies for this deployment purpose.

Following are brief overviews of these technologies and links to additional documentation.

Remote Access

In Windows Server 2016, the Remote Access server role is a multifaceted gateway and router that provides centralized administration, configuration, and monitoring of Virtual Private Network (VPN) remote access services.

You can manage Remote Access Service (RAS) Gateways by using Windows PowerShell commands and the Remote Access Microsoft Management Console (MMC).

For more information, see Remote Access.

Windows 10 VPN Clients

Remote client computers must be running the Windows 10 Anniversary Update (version 1607) or later operating system, and must be joined to your Active Directory domain.

For detailed feature descriptions and a full list of the VPN capabilities in Windows 10, see the Windows 10 VPN Technical Guide.

Active Directory Domain Services (AD DS)

AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A server that is running AD DS is called a domain controller.

AD DS contains the user accounts, computer accounts, and account properties that are required by Protected Extensible Authentication Protocol (PEAP) to authenticate user credentials and to evaluate authorization for VPN connection requests.

For information about deploying AD DS, see the Windows Server 2016 Core Network Guide.

Active Directory Users and Computers

Active Directory Users and Computers is a component of AD DS that contains accounts that represent physical entities, such as a computer, a person, or a security group. A security group is a collection of user or computer accounts that administrators can manage as a single unit. User and computer accounts that belong to a particular group are referred to as group members.

Group Policy Management

Group Policy Management enables directory-based change and configuration management of user and computer settings, including security and user information. You use Group Policy to define configurations for groups of users and computers.

With Group Policy, you can specify settings for registry entries, security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. The Group Policy settings that you create are contained in a Group Policy object (GPO). By associating a GPO with selected Active Directory system containers — sites, domains, and OUs — you can apply the GPO's settings to the users and computers in those Active Directory containers. To manage Group Policy objects across an enterprise, you can use the Group Policy Management Editor Microsoft Management Console (MMC).

Domain Name System (DNS)

DNS is a name resolution protocol for TCP/IP networks, such as the Internet or an organization network. A DNS server hosts the information that enables client computers and services to resolve easily recognized, alphanumeric DNS names to the IP addresses that computers use to communicate with each other.

For more overview information about DNS, see Domain Name System (DNS).

For information about deploying AD DS with DNS, see the Windows Server 2016 Core Network Guide.

Active Directory Certificate Services

AD CS in Windows Server 2016 provides customizable services for creating and managing the X.509 certificates that are used in software security systems that employ public key technologies. Organizations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding public key. AD CS also includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments.

For more information, see Active Directory Certificate Services Overview and Public Key Infrastructure Design Guidance.

Certificate Templates

Certificate templates can greatly simplify the task of administering a certification authority (CA) by allowing you to issue certificates that are preconfigured for selected tasks. The Certificate Templates MMC snap-in allows you to perform the following tasks.

  • View properties for each certificate template.
  • Copy and modify certificate templates.
  • Control which users and computers can read templates and enroll for certificates.
  • Perform other administrative tasks relating to certificate templates.

Certificate templates are an integral part of an enterprise certification authority (CA). They are an important element of the certificate policy for an environment, which is the set of rules and formats for certificate enrollment, use, and management.

For more information, see Certificate Templates.

Digital Server Certificates

This guide provides instructions for using Active Directory Certificate Services (AD CS) to enroll, and to automatically enroll, certificates for Remote Access and NPS infrastructure servers. AD CS allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.

When you use digital server certificates for authentication between computers on your network, the certificates provide:

  1. Confidentiality through encryption.
  2. Integrity through digital signatures.
  3. Authentication by associating certificate keys with computer, user, or device accounts on a computer network.

For more information, see AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment.

Network Policy Server (NPS)

NPS allows you to create and enforce organization-wide network access policies for connection request authentication and authorization. When you use NPS as a Remote Authentication Dial-In User Service (RADIUS) server, you configure network access servers, such as VPN servers, as RADIUS clients in NPS.

You also configure network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft SQL Server database.

For more information, see Network Policy Server (NPS).

For the next section in this guide, see Remote Access Always On VPN Deployment Overview.