MS product that auto VPN/tunnel back to corporate when it detects laptop has Internet reachability

sunhux
An expert once recommended an MS product that would auto-tunnel / VPN connect
back to the corporate office when a corporate laptop is connected to the public Internet (even
prior to login to Windows): somehow I can't locate that thread in EE.

Q1:
Anyone know the name of that product and how it's licensed/charged?

Q2:
What version is required to support Win 7 & Win 10 (for both 32-bit & 64-bit)?

Q3:
Any known software that conflicts with it (e.g. ForeScout NAC, Trendmicro endpoint
security, BC proxy clients)?

Author

Commented:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759144(v=ws.11)

I think the product is MS DirectAccess, but the link above appears to indicate it's for
Win2008R2: would it work (or is there any similar alternative product) for Win 7 &
Win 10?

Author

Commented:
The above link is dated 2009: is MS DirectAccess still supported,
or is there an alternative tool (I don't mind 3rd party) that does likewise?
Aaron Tomosky, Director of Solutions Consulting

Commented:
Yes, DirectAccess is still a thing, but last I checked it required Enterprise Windows 10 licensing. In general I'd recommend a software-based VPN from Palo Alto, Cisco, SonicWall, etc. over DirectAccess.
Lead Technical Architect
Commented:
DirectAccess is now deprecated and its replacement is AlwaysOn VPN.

However...AlwaysOn VPN requires Windows 10 clients.

DirectAccess requires Windows 7 Enterprise or Ultimate and as you'd expect, they need to be domain-joined.

DA can be a bit of a pig to configure, but it's really quite good when it works; AlwaysOn is easier in some ways as it removes some of the components of DA, such as the Network Location Service (Server), which is used to determine whether a client is on the LAN or not and is a single point of failure.

Also, I really wouldn't advise trying to set up DA if you don't have Server 2012 R2: 2008 R2 was especially difficult, requiring (for example) 2 contiguous external IP addresses, e.g. 1.1.1.1 and 1.1.1.2.

If you can't go AlwaysOn (for example you aren't replacing Win 7 clients) then I'd second not using DA.

Author

Commented:
We are cost-conscious. The concern is when corporate laptops are taken out & connected to rogue Wifi.

About 60% of our laptops are on Win8/10 while the other 40% are on Win 7 (in the process of being phased out, but it may take a while).

We do have Server 2012 R2 & Win 2008 R2.

Let's leave Win 7 aside (as we're phasing it out), so what are the licensing/charges like if we go for Always-On?

Presumably Always-On will be lower-cost compared to 3rd-party products in our case, as we have Server 2012 R2?

One side question: from the time a laptop connects to a rogue Wifi till the Always-On VPN is established, is there
a chance of infection from the rogue Wifi during that split second?

Author

Commented:
Of higher priority is that I need to establish the cost/licensing first: if it's a cost
constraint, I'll just drop the idea.

I read that DA will auto-establish the VPN prior to the user signing into Windows:
I suppose this is for Wifi SSIDs that were previously set to "Auto-Connect".
For such auto-connected or manually-connected Wifi, is the risk of compromise
/infection from rogue Wifi still there with Always-On/DA establishing the
VPN: is there a split-second exposure?

Certainly MITMA is mitigated with Always-On or DA, but the concern is the
brief moment prior to the VPN establishing.
Jian An Lim, Solutions Architect
Top Expert 2016
Commented:
"Always On" is free when you install it on Windows Server (assuming you need to pay for that server), so it will be an easy conversation.
You will need things like a CA, NPS, etc.

You will want to read the deployment guide: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment

For the brief moment prior to the VPN establishing, I think you are looking at a very, very odd case. While the chance is there, you need to be actively accessing the internet and transmitting certain information; most websites nowadays are using HTTP, making MITMA harder. But yes, it is possible when the user ignores the SSL cert prompt and continues what they are doing.
Tony Johncock, Lead Technical Architect
Commented:
The components of both AlwaysOn and DirectAccess are built into Windows, so there are no additional licensing costs.

Depending on how you currently handle your certificates, you may have to configure a PKI (or set one up from scratch) or buy an external certificate (usually the latter isn't required unless you have no internal PKI and no resources to build one).

There's some information about the AlwaysOn VPN here: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/

Author

Commented:
So if I have a Win2012 R2 server, I can use it as an Always-On VPN server
& all my Win10 laptops get to tunnel back to corporate (i.e. the Win2012
R2 server) for free?
Tony Johncock, Lead Technical Architect
Commented:
Always On VPN = Windows Server 2016 and Windows 10
DirectAccess = Windows Server 2008R2+ and Windows 7+

But yes, the components you need are included.
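As an added example (not from any of the answers above, and not Microsoft's own deployment script), this PowerShell builds an Always On VPN device-tunnel profile, the mode that brings the tunnel up before a user logs on, and writes it through the VPNv2 CSP; the profile name, server FQDN, DNS suffix and internal route are placeholders.

```powershell
# Added example: Always On VPN *device* tunnel, IKEv2 with a machine certificate.
# Server, DNS suffix and the internal route below are placeholders to replace.
$ProfileName = 'Corp Device Tunnel'        # assumed profile name
$VpnServer   = 'vpn.example.com'           # placeholder: public FQDN of the VPN server
$DnsSuffix   = 'corp.example.com'          # placeholder: internal DNS suffix

# TrustedNetworkDetection: if the client already has this DNS suffix it is on
# the LAN and the tunnel is not started; this replaces DirectAccess's NLS.
$ProfileXML = @"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RememberCredentials>false</RememberCredentials>
  <TrustedNetworkDetection>$DnsSuffix</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
</VPNProfile>
"@

# Device tunnels belong to the SYSTEM context: run this as SYSTEM (e.g. via a
# scheduled task), not as the logged-on user. The profile goes in through the
# MDM bridge WMI provider, i.e. the VPNv2 CSP.
$Namespace  = 'root\cimv2\mdm\dmmap'
$ClassName  = 'MDM_VPNv2_01'
$InstanceId = [uri]::EscapeDataString($ProfileName)   # spaces become %20

# Remove a stale copy first so re-running the script is idempotent.
Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceID -eq $InstanceId } |
    Remove-CimInstance

# The CSP stores ProfileXML as a string, so the XML itself must be escaped.
$EscapedXml = [System.Security.SecurityElement]::Escape($ProfileXML)
New-CimInstance -Namespace $Namespace -ClassName $ClassName -Property @{
    ParentID   = './Vendor/MSFT/VPNv2'
    InstanceID = $InstanceId
    ProfileXML = $EscapedXml
} | Out-Null
```

Afterwards, `Get-VpnConnection -AllUserConnection` should list the profile; the split-tunnel route keeps only corporate traffic inside the tunnel, so anything outside 10.0.0.0/8 still leaves via the local (possibly untrusted) network.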
