Always-On-VPN or MS Direct Access (or similar products) to protect against Rogue Wifi

To protect our corporate users from being compromised when they
connect to outside Wifi (which may be potentially rogue Wifi), is it
feasible if we implement MS Direct Access or Always-On-VPN?

The products above would establish a tunnel so the rogue Wifi can't
steal credentials nor data & with VPN established, I suppose malwares
can't infect the laptops as the rogue Wifi has no connection to the laptop
(tunnel-protected) or did I get this idea wrong ie can still get infected
even with such tunnel??

We still want the users to be able to access Internet but protect them
in the event they're using a rogue Wifi
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

sunhuxAuthor Commented:
Btw, is Always-On-VPN FOC or how is it charged?
Prabhin MPDevOps EngineerCommented:
 Always-On-VPN is a good idea to fight against this. Using the VPN all the traffic will be routed through the VPN server, hence all the data communications are encrypted, man in the middle attack wont be possible in this case. If you have IPS / IDS enabled it will protect them against the malware traffic.

if you have centralized endpoint system in the remote location, which connects automatically after once VPN is established will help the users stay away from malware and infections. You can tweak your configuration accordingly.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sunhuxAuthor Commented:
is Always-On-VPN & Direct Access  free of charge or how is it charged?
Your Guide to Achieving IT Business Success

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

sunhuxAuthor Commented:
Also, just when Wifi connection is established & just before the VPN/tunnel is established
(possibly a split second), is there a chance/risk of infection?
Prabhin MPDevOps EngineerCommented:

More than explaining here, please find the doc regarding the feature.
ALways ON VPN have got with the new feature which direct access doesn't have. r/remote/remote-access/vpn/always-on-vpn/always-on-vpn-enhancements
Here is the plan how to deploy the server.
sunhuxAuthor Commented:
Thanks, I've read the 2 links earlier before posting but still have doubts, thus the question below:
"Also, just when Wifi connection is established & just before the VPN/tunnel is established
(possibly a split second), is there a chance/risk of infection?"

Any idea on the costing?
Prabhin MPDevOps EngineerCommented:
always VPN on connection will get initiated before you sign in, it only connects the VPN server once you have the internet connection.
if wifi connection connected after your sign in, the moment internet connection is active, VPN client automatically connect the VPN server and reroute the default gateway to VPN server.
sunhuxAuthor Commented:
The MS links out there say  Direct Access (& possibly Always-On) will establish VPN/tunnel
prior to signing into Windows.

>if wifi connection connected after your sign in
As such, does it mean that Wifi is connected even before signing into Windows?
sunhuxAuthor Commented:
For Wifi that requires users to manually connect certainly only get connected
after user signs in but what about those Wifi that were previously set to
'auto-connect'?  Does such Wifi auto-connect before user sign in to Windows?
Prabhin MPDevOps EngineerCommented:
if your wifi is already known in your machine. it will be connected
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.