MS product that auto VPN/tunnel back to corporate when it detects laptop has Internet reachability

An expert once recommended an MS product that would auto-tunnel / VPN connect
back to the corporate office when a corporate laptop is connected to the public Internet (even
prior to login to Windows): somehow I can't locate that thread in EE.

Q1:
Does anyone know the name of that product and how it's licensed/charged?

Q2:
What's the version required to support Win 7 & Win 10 (for both 32-bit & 64-bit)?

Q3:
Any known software that conflicts with it (e.g. ForeScout NAC, Trend Micro endpoint
security, BC proxy clients)?
sunhuxAsked:

sunhuxAuthor Commented:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759144(v=ws.11)

I think the product is MS DirectAccess, but the link above appears to indicate it's for
Win2008 R2: would it work (or is there an alternate similar product) for Win 7 &
Win 10?
0
sunhuxAuthor Commented:
The above link is dated 2009; is MS DirectAccess still supported,
or is there an alternate (I don't mind 3rd-party) tool that does likewise?
0
Aaron TomoskySD-WAN SimplifiedCommented:
Yes, DirectAccess is still a thing, but last I checked it required the Enterprise Windows 10 licensing. In general I'd recommend a software-based VPN from Palo Alto, Cisco, SonicWall, etc. over DirectAccess.
0
Tony JohncockLead Technical ArchitectCommented:
DirectAccess is now deprecated and its replacement is AlwaysOn VPN.

However...AlwaysOn VPN requires Windows 10 clients.

DirectAccess requires Windows 7 Enterprise or Ultimate and, as you'd expect, the clients need to be domain-joined.

DA can be a bit of a pig to configure, but it's really quite good when it works; AlwaysOn is easier in some ways as it removes some of the components from DA, such as the Network Location Server, which is used to determine whether a client is on the LAN or not and is a single point of failure.

Also, I really wouldn't advise trying to set up DA if you don't have Server 2012 R2. 2008 R2 was especially difficult, requiring (for example) 2 contiguous external IP addresses, e.g. 1.1.1.1 and 1.1.1.2.

If you can't go AlwaysOn (for example, you aren't replacing Win 7 clients), then I'd second not using DA.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sunhuxAuthor Commented:
We are cost-conscious. The concern is when corporate laptops are taken out and connected to rogue Wifi.

About 60% of our laptops are on Win8/10, while another 40% are on Win 7 (in the process of being phased out, but it may take a while).

We do have Server 2012 R2 & Win 2008 R2.

Let's leave Win 7 aside (as we're phasing it out), so what are the licensing/charges like if we go for Always-On?

I presume Always-On will be lower-cost compared to 3rd-party products in our case, as we already have Server 2012 R2?

One side question: from the time a laptop connects to a rogue Wifi until the Always-On VPN is established, is there
a chance of infection from the rogue Wifi during that split second?
0
sunhuxAuthor Commented:
Of higher priority, I need to establish the cost/licensing first: if it's a cost
constraint, I'll just drop the idea.

I read that DA will auto-establish the VPN prior to the user signing into Windows.
I suppose this is for Wifi SSIDs that were previously set to "Auto-Connect":
for such auto-connected or manually-connected Wifi, is the risk of compromise
/infection from rogue Wifi still there while Always-On/DA is establishing the
VPN, i.e. is there a split-second exposure?

Certainly MITMA is mitigated with Always-On or DA, but the concern is the
brief moment prior to the VPN establishing.
0
Jian An LimSolutions ArchitectCommented:
"Always On" is free when you install it on Windows Server (assuming you already pay for that server), so it will be an easy conversation.
You will need things like a CA, NPS, etc.

You want to read the deployment guide: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment

For the brief moment prior to the VPN establishing, I think you are looking at a very, very odd case. While the chance is there, you need to be actively accessing the Internet and transmitting certain information; most websites nowadays are using HTTPS, making MITMA harder. But yes, it is possible when the user ignores the SSL cert prompt and continues what they are doing.
0
Tony JohncockLead Technical ArchitectCommented:
The components of both AlwaysOn and DirectAccess are built into Windows, so there are no additional licensing costs.

Depending on how you currently handle your certificates, you may have to configure or set up from scratch a PKI, or buy an external certificate (usually the latter isn't required unless you have no internal PKI and no resources to build one).

There's some information about the AlwaysOn VPN here: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/
0
sunhuxAuthor Commented:
So if I have a Win2012 R2 server, I can use it as the Always-On VPN server
and all my Win10 laptops get to tunnel back to corporate (i.e. the Win2012
R2 server) for free?
0
Tony JohncockLead Technical ArchitectCommented:
Always On VPN = Windows Server 2016 and Windows 10
DirectAccess = Windows Server 2008R2+ and Windows 7+

But yes, the components you need are included.
0
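A client-side pre-flight check, added here as an example and not taken from the thread or from Microsoft's deployment guide, that tests a laptop against the prerequisites the answers above state: Windows 10 for Always On VPN; Windows 7 (Enterprise/Ultimate) or Windows 10 Enterprise plus domain membership for DirectAccess; and a machine certificate issued by the internal PKI, which an IKEv2 device tunnel authenticates with. It assumes an elevated PowerShell 5.1 session on the laptop being assessed and only reads state; the function name `Test-CorpVpnReadiness` is invented for this example.

```powershell
# Added example: read-only pre-flight check of the client prerequisites discussed above.
# Assumes an elevated PowerShell 5.1 session on the laptop being assessed.
function Test-CorpVpnReadiness {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $ver = [version]$os.Version

    $isWin10 = $ver.Major -ge 10                       # Always On VPN needs Windows 10
    $isWin7  = ($ver.Major -eq 6 -and $ver.Minor -eq 1)  # 6.1 = Windows 7 / Server 2008 R2
    # DirectAccess needs Enterprise (Win 10) or Enterprise/Ultimate (Win 7), and domain join.
    $daEditionOk = $os.Caption -match 'Enterprise|Ultimate'

    # Machine certificate usable for client authentication (EKU 1.3.6.1.5.5.7.3.2)
    # with a private key and not yet expired: what an IKEv2 device tunnel presents.
    $now = Get-Date
    $machineCerts = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and $_.NotAfter -gt $now -and
            ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.7.3.2')
        }

    # Device-wide VPN profiles already present (cmdlet exists on Windows 8+ only).
    $deviceProfiles = @()
    if (Get-Command Get-VpnConnection -ErrorAction SilentlyContinue) {
        $deviceProfiles = @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue |
            ForEach-Object { "$($_.Name) -> $($_.ServerAddress) ($($_.TunnelType))" })
    }

    [pscustomobject]@{
        Computer             = $cs.Name
        OSVersion            = "$($os.Caption) ($($os.OSArchitecture))"
        DomainJoined         = $cs.PartOfDomain
        AlwaysOnVpnCapable   = $isWin10
        DirectAccessCapable  = ($isWin10 -or $isWin7) -and $daEditionOk -and $cs.PartOfDomain
        MachineCertForIKEv2  = [bool]$machineCerts
        MachineCertIssuers   = @($machineCerts | ForEach-Object { $_.Issuer })
        DeviceTunnelProfiles = $deviceProfiles
    }
}

Test-CorpVpnReadiness | Format-List
```

A laptop reporting `AlwaysOnVpnCapable = True` but `MachineCertForIKEv2 = False` is the case Tony describes: the OS components are there, but the internal PKI (or an external certificate) still has to be sorted out before a device tunnel can authenticate.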