Always On VPN features and functionalities

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows 10

« Previous: Always On VPN Deployment for Windows Server and Windows 10
» Next: Learn about the Always On VPN Enhancements

In this topic, you learn about the features and functionalities of Always On VPN. The following table is not an exhaustive list, however, it does include some of the most common features and functionalities used in remote access solutions.

Tip

If you currently use DirectAccess, we recommend that you investigate the Always On VPN functionality carefully to determine if it addresses all of your remote access needs before migrating form DirectAccess to Always On VPN.

Functional area Always On VPN
Seamless, transparent connectivity to the corporate network. You can configure Always On VPN to support auto-triggering based on application launch or namespace resolution requests.

Define using:
VPNv2/ProfileName/AlwaysOn
VPNv2/ProfileName/AppTriggerList
VPNv2/ProfileName/DomainNameInformationList/AutoTrigger

Use of a dedicated Infrastructure Tunnel to provide connectivity for users not signed into the corporate network. You can achieve this functionality by using the Device Tunnel feature in the VPN profile.

Note.
Device Tunnel can only be configured on domain-joined devices using IKEv2 with computer certificate authentication.

Define using:
VPNv2/ProfileName/DeviceTunnel

Use of manage-out to allow remote connectivity to clients from management systems located on the corporate network. You can achieve this functionality by using the Device Tunnel feature in the VPN profile combined with configuring the VPN connection to dynamically register the IP addresses assigned to the VPN interface with internal DNS services.

Note.
If you turn on traffic filters in the Device Tunnel profile, then the Device Tunnel denies inbound traffic (from the corporate network to the client).

Define using:
VPNv2/ProfileName/DeviceTunnel
VPNv2/ProfileName/RegisterDNS

Fall back when clients are behind firewalls or proxy servers. You can configure to fall back to SSTP (from IKEv2) by using the automatic tunnel/protocol type within the VPN profile.

Note.
User Tunnel supports SSTP and IKEv2, and Device Tunnel supports IKEv2 only with no support for SSTP fallback.

Define using:
VPNv2/ProfileName/NativeProfile/NativeProtocolType

Support for end-to-edge access mode. Always On VPN provides connectivity to corporate resources by using tunnel policies that require authentication and encryption until they reach the VPN gateway. By default, the tunnel sessions terminate at the VPN gateway, which also functions as the IKEv2 gateway, providing end-to-edge security.
Support for machine certificate authentication. The IKEv2 protocol type available as part of the Always On VPN platform specifically supports the use of machine or computer certificates for VPN authentication.

Note.
IKEv2 is the only supported protocol for Device Tunnel and there is no support option for SSTP fallback.

Define using:
VPNv2/ProfileName/NativeProfile/Authentication/MachineMethod

Use security groups to limit remote access functionality to specific clients. You can configure Always On VPN to support granular authorization when using RADIUS, which includes the use of security groups to control VPN access.
Support for servers behind an edge firewall or NAT device. Always On VPN gives you the ability to use protocols like IKEv2 and SSTP that fully support the use of a VPN gateway that is behind a NAT device or edge firewall.

Note.
User Tunnel supports SSTP and IKEv2, and Device Tunnel supports IKEv2 only with no support for SSTP fallback.

Ability to determine intranet connectivity when connected to the corporate network. Trusted network detection provides the capability to detect corporate network connections, and it is based on an assessment of the connection-specific DNS suffix assigned to network interfaces and network profile.

Define using:
VPNv2/ProfileName/TrustedNetworkDetection

Compliance using Network Access Protection (NAP). The Always On VPN client can integrate with Azure conditional access to enforce MFA, device compliance, or a combination of both. When compliant with conditional access policies, Azure AD issues a short-lived (by default, 60 minutes) IPsec authentication certificate that the client can then use to authenticate to the VPN gateway. Device compliance takes advantage of System Center Configuration Manager/Intune compliance policies, which can include the device health attestation state. At this time, Azure VPN conditional access provides the closest replacement to the existing NAP solution, although there is no form of remediation service or quarantine network capabilities. For more details, see VPN and conditional access.

Define using:
VPNv2/ProfileName/DeviceCompliance

Ability to define which management servers are accessible before user sign-in. You can achieve this functionality in Always On VPN by using the Device Tunnel feature (available in version 1709 – for IKEv2 only) in the VPN profile combined with traffic filters to control which management systems on the corporate network are accessible through the Device Tunnel.

Note.
If you turn on traffic filters in the Device Tunnel profile, then the Device Tunnel denies inbound traffic (from the corporate network to the client).

Define using:
VPNv2/ProfileName/DeviceTunnel
VPNv2/ProfileName/TrafficFilterList


Additional functionalities

Each item in this section is a use case scenario or commonly used remote access functionality for which Always On VPN has improved functionality—either through an expansion of functionality or elimination of a previous limitation.

Functional area Always On VPN
Domain-joined devices with Enterprise SKUs requirement. Always On VPN supports domain-joined, nondomain-joined (workgroup), or Azure AD–joined devices to allow for both enterprise and BYOD scenarios. Always On VPN is available in all Windows editions, and the platform features are available to third parties by way of UWP VPN plug-in support.

Note.
Device Tunnel can only be configured on domain-joined devices running Windows 10 Enterprise or Education version 1709 or later. There is no support for third-party control of the Device Tunnel.

Support for both IPv4 and IPv6. With Always On VPN, users can access both IPv4 and IPv6 resources on the corporate network. The Always On VPN client uses a dual-stack approach that doesn't specifically depend on IPv6 or the need for the VPN gateway to provide NAT64 or DNS64 translation services.
Support for two-factor or OTP authentication. The Always On VPN platform natively supports EAP, which allows for the use of diverse Microsoft and third-party EAP types as part of the authentication workflow. Always On VPN specifically supports smart card (both physical and virtual) and Windows Hello for Business certificates to satisfy two-factor authentication requirements. Also, Always On VPN supports OTP through MFA (not supported natively, only supported on third-party plugins) by way of EAP RADIUS integration.

Define using:
VPNv2/ProfileName/NativeProfile/Authentication

Support for multiple domains and forests. The Always On VPN platform has no dependency on Active Directory Domain Services (AD DS) forests or domain topology (or associated functional/schema levels) because it doesn't require the VPN client to be domain joined to function. Group Policy is therefore not a dependency to define VPN profile settings because you do not use it during client configuration. Where Active Directory authorization integration is required, you can achieve it through RADIUS as part of the EAP authentication and authorization process.
Support for both split and force tunnel for internet/intranet traffic separation. You can configure Always On VPN to support both force tunnel (the default operating mode) and split tunnel natively. Always On VPN provides additional granularity for application-specific routing policies.

Note.
Supported by User Tunnel only.

Define using:

VPNv2/ProfileName/NativeProfile/RoutingPolicyType
VPNv2/ProfileName/TrafficFilterList/App/RoutingPolicyType

Multiple protocol support. Always On VPN can be configured to support SSTP natively if Secure Sockets Layer fallback from IKEv2 is required.

Note.
User Tunnel supports SSTP and IKEv2, and Device Tunnel supports IKEv2 only with no support for SSTP fallback.

Connectivity Assistant to provide corporate connectivity status. Always On VPN is fully integrated with the native Network Connectivity Assistant and provides connectivity status from the View All Networks interface. With the advent of Windows 10 Creators Update (version 1703), VPN connection status and VPN connection control for User Tunnel are now available through the Network flyout (for the Windows built-in VPN client), as well.
Name resolution of corporate resources using short-name, fully qualified domain name (FQDN), and DNS suffix. Always On VPN can natively define one or more DNS suffixes as part of the VPN connection and IP address assignment process, including corporate resource name resolution for short names, FQDNs, or entire DNS namespaces. Always On VPN also supports the use of Name Resolution Policy Tables to provide namespace-specific resolution granularity.

Note.
Avoid the use of Global Suffixes as they interfere with shortname resolution when using Name Resolution Policy tables.

Define using:
VPNv2/ProfileName/DnsSuffix
VPNv2/ProfileName/DomainNameInformationList


Next steps