Always On VPN - Device Tunnel

  • Question

  • Hi Folks

    I just got confused while reading the details of the device tunnel in the write-up below.

    https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config

    Now, questions in my mind are

    1. I hope the device tunnel is not only for infra services like AD, DNS, DHCP, PKI, SCCM, etc.

    2. Is the device tunnel alone sufficient to access infra services (like AD, PKI, SCCM) and on-prem applications (HR, business apps, etc.), or do we need to have a user tunnel as well specifically for applications?

    3. Can we use the same VPN and NPS server to pass the device and user tunnel traffic and authentication? (I hope yes, with IKEv2.)

    4. Is there better documentation on implementing AO VPN end to end for on-prem infra and application access?


    Regards: Mahesh

    Friday, June 26, 2020 11:19 AM

All replies

  • Hi,

    Please refer to this document; it walks through the steps to configure Always On VPN.

    https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment

    Best regards,

    Cherry 


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 29, 2020 5:38 AM
  • Hi,
     
    Just want to confirm the current situation.
    Please feel free to let us know if you need further assistance.
     
    Best Regards,
    Cherry


    Wednesday, July 1, 2020 1:47 AM
  • Hi Cherry,

    I have gone through the article but could not find any direct answer to the doubt I am having.

    2. Can we leverage the device tunnel to access on-prem applications (HR, business apps, etc.), or do we need to have a user tunnel as well specifically for applications?

    3. Can we use the same VPN and NPS server to pass the device and user tunnel traffic and authentication? (I hope yes, with IKEv2.)


    Regards: Mahesh

    Wednesday, July 1, 2020 6:02 AM
  • Hi,
    The Device Tunnel and the User Tunnel work independently and can use different authentication methods on the same server. This enables device authentication to manage the device remotely through the Device Tunnel, and user authentication for connectivity to internal resources through the User Tunnel. The User Tunnel supports SSTP and IKEv2, while the Device Tunnel only supports IKEv2. So if you want to deploy both tunnels, IKEv2 is the only choice.

    Best Regards,
    Cherry


    Wednesday, July 1, 2020 7:09 AM
  • Hi Cherry,

    Thanks for the details, will test this and share the outcome.

    Thank you again for clarifying.


    Regards: Mahesh

    Wednesday, July 1, 2020 5:51 PM
  • Hi,

    Thanks for the efforts you have put into this case. We will be waiting for your update.

    Best regards

    Cherry



    Thursday, July 2, 2020 1:32 AM
  • Hi Cherry,

    Looks like it's not possible to configure both the device tunnel and the user tunnel through the same VPN servers.

    The reason is that while configuring the Security settings on the VPN Server (RRAS), the "Authentication provider" has to be either RADIUS or Windows Authentication.

    As per my understanding, we need to select "Windows Authentication" as the "Authentication Provider" for the device tunnel and RADIUS for the user tunnel.

    One more interesting point I got to know about and would like to understand is the NPS Server.

    Do we really need an NPS Server for the device tunnel? If yes, how will the NPS server be used in the device tunnel? What is the authentication flow?

    Unfortunately the Microsoft documentation about AOVPN is not clear and leaves a lot of open questions.

    I would appreciate it if anyone can help with the above.


    Regards: Mahesh

    Friday, July 3, 2020 6:39 AM
  • Hi,
    This article shows how to configure the Device Tunnel with Always On VPN by PowerShell or Intune:

    https://directaccess.richardhicks.com/2017/12/11/always-on-vpn-windows-10-device-tunnel-step-by-step-configuration-using-powershell/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    It doesn't mention that an NPS server is needed, but the client computer must also be domain-joined and have a computer certificate with the Client Authentication Enhanced Key Usage (EKU) issued by the organization's Public Key Infrastructure (PKI).

    It also discusses some problems that arise when both the device tunnel and the user tunnel are built together, for reference.

    Best regards

    Cherry



    Friday, July 3, 2020 9:12 AM
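The PowerShell-deployed device tunnel that the article above describes, shown as an added example (this is not code from the thread, from the Microsoft docs, or from Richard Hicks' article). The VPN hostname `vpn.example.com`, the internal subnet `10.10.0.0/24` and the profile name are placeholders. The profile authenticates with the machine certificate only (`MachineMethod` = `Certificate`), so there is no user credential in it and no RADIUS/NPS round trip for this tunnel; RRAS validates the client certificate against the trusted root. Because the device tunnel is a machine-level profile, the script must run in the SYSTEM context (for example via `PsExec -s -i powershell.exe`).

```powershell
# Added example: minimal Always On VPN device-tunnel ProfileXML, written through the
# VPNv2 CSP (MDM_VPNv2_01) with PowerShell. Run as SYSTEM. Names/subnets are placeholders.

$ProfileName        = 'Contoso Device Tunnel'          # placeholder profile name
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'   # CSP node names cannot contain spaces

$ProfileXML = @"
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <!-- machine certificate (Client Authentication EKU) issued by the org PKI -->
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <!-- least privilege: route only the infrastructure subnet (AD/DNS/PKI/SCCM) over this tunnel -->
  <Route>
    <Address>10.10.0.0</Address>
    <PrefixSize>24</PrefixSize>
  </Route>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <AlwaysOn>true</AlwaysOn>
</VPNProfile>
"@

# The CSP stores ProfileXML as an escaped string
$ProfileXML = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_VPNv2_01'
$nodeCSPURI    = './Vendor/MSFT/VPNv2'

$session = New-CimSession

# Remove a stale profile of the same name so re-running the script is idempotent
$existing = Get-CimInstance -Namespace $namespaceName -ClassName $className -ErrorAction SilentlyContinue |
            Where-Object { $_.InstanceID -eq $ProfileNameEscaped }
if ($existing) { $session.DeleteInstance($namespaceName, $existing) }

# Build the CSP instance: ParentID and InstanceID are keys, ProfileXML is the payload
$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
foreach ($p in @(
    @{ Name = 'ParentID';   Value = $nodeCSPURI;         Flags = 'Key' },
    @{ Name = 'InstanceID'; Value = $ProfileNameEscaped; Flags = 'Key' },
    @{ Name = 'ProfileXML'; Value = $ProfileXML;         Flags = 'Property' }
)) {
    $newInstance.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Flags))
}
$session.CreateInstance($namespaceName, $newInstance) | Out-Null

# Verify: from the SYSTEM context the device tunnel shows up as an IKEv2 connection
Get-VpnConnection | Where-Object Name -eq $ProfileName |
    Select-Object Name, TunnelType, ConnectionStatus, SplitTunneling
```

With `DisableClassBasedDefaultRoute` set and a single explicit `Route`, only the listed subnet is reachable over the device tunnel; anything else (business applications on other subnets) stays off this tunnel and has to come in through the user tunnel, which is the split that the thread's questions 1 and 2 are about. A `TrafficFilter` element can narrow the tunnel further to specific ports, but that is a refinement not shown here.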
  • Hi Cherry,

    Thanks for the response, and I really appreciate your effort in trying to address this.

    I was referring to the article below, found it more logical, and in fact it triggered the question of the NPS role requirement.

    https://directaccess.richardhicks.com/2020/03/30/always-on-vpn-device-tunnel-operation-and-best-practices/amp/?__twitter_impression=true

    At this stage I am very curious to understand the points below.

    1. The documentation doesn't clearly call out the infra requirement for the Device Tunnel... do we need an NPS Server for the device tunnel or not? What is the authentication flow?

    2. Where are the logs stored on the RRAS Server, and how do we redirect them to SQL as a repository?

    3. Is it possible to configure the device tunnel and the user tunnel using the same RRAS/VPN Server?




    Regards: Mahesh

    Friday, July 3, 2020 2:20 PM
  • Hi,

    This article mentions where NPS server should be built:
    https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment#step-2-configure-the-always-on-vpn-server-infrastructure

    The details are in this document:
    https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-server-infrastructure

    https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-server-infrastructure#create-the-vpn-users-vpn-servers-and-nps-servers-groups

    About the RRAS log, please refer to this article:
    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee922651(v=ws.10)

    And for SQL redirection:
    https://solutioncenter.apexsql.com/how-to-deploy-changes-directly-to-a-sql-database-from-a-source-control-repository/

    Although not mentioned directly, it can be inferred from the text that it is standard to deploy two tunnels at the same time. Please refer to this link:
    https://directaccess.richardhicks.com/2020/03/30/always-on-vpn-device-tunnel-operation-and-best-practices/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best regards
    Cherry



    Monday, July 6, 2020 6:57 AM
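Mahesh's question 3 (one RRAS server for both tunnels) and his earlier observation that the RRAS "Authentication provider" must be either Windows Authentication or RADIUS can be checked on the server side. The script below is an added example, not from the thread, the Microsoft docs or Richard Hicks' articles; it assumes the RemoteAccess PowerShell module on the RRAS server and uses `Contoso Root CA` as a placeholder for the organization's root CA name. The point it demonstrates: IKEv2 on RRAS can accept `Certificate` (machine certificate, validated by RRAS itself, used by the device tunnel) and `EAP` (forwarded to the configured authentication provider, used by the user tunnel) at the same time, so the provider choice applies to the EAP path only.

```powershell
# Added example: audit and set IKEv2 authentication on an RRAS server so that the device
# tunnel (machine certificate) and the user tunnel (EAP via the authentication provider)
# can both terminate on the same server. Run in an elevated session on the RRAS host.

Import-Module RemoteAccess

$RootCAName = 'Contoso Root CA'   # placeholder: CN of the root CA that issued the client certificates

# 1. What IKEv2 currently accepts and advertises
$before = Get-VpnAuthProtocol
$before | Format-List UserAuthProtocolAccepted, TunnelAuthProtocolsAdvertised,
                      RootCertificateNameToAccept, CertificateAdvertised

# 2. Locate the trusted root that machine certificates must chain to
$rootCert = Get-ChildItem -Path Cert:\LocalMachine\Root |
            Where-Object { $_.Subject -like "*CN=$RootCAName*" } |
            Select-Object -First 1
if (-not $rootCert) { throw "Root CA '$RootCAName' not found in Cert:\LocalMachine\Root" }

# 3. Accept machine certificates (device tunnel) AND EAP (user tunnel) on the same server.
#    Certificates chaining to $rootCert are validated locally; EAP goes to the RRAS
#    authentication provider (RADIUS/NPS or Windows Authentication).
Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP -RootCertificateNameToAccept $rootCert -PassThru

# 4. The server's own IKEv2 certificate needs both Server Authentication and
#    IP security IKE intermediate EKUs, otherwise IKEv2 negotiation fails.
$requiredEkus = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.8.2.2')
$ikeCerts = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $present = @($_.EnhancedKeyUsageList.ObjectId)
    -not ($requiredEkus | Where-Object { $_ -notin $present })
}
if (-not $ikeCerts) {
    Write-Warning 'No certificate in Cert:\LocalMachine\My carries both IKEv2 EKUs; IKEv2 clients will fail to connect.'
} else {
    $ikeCerts | Select-Object Subject, NotAfter, Thumbprint
}

# 5. Changes to the IKEv2 authentication settings take effect after a service restart
Restart-Service RemoteAccess -PassThru
```

After the restart, `Get-VpnAuthProtocol` should list both `Certificate` and `EAP` under `UserAuthProtocolAccepted`; a device tunnel failing at this point with a certificate error usually means the client's machine certificate does not chain to `RootCertificateNameToAccept` or lacks the Client Authentication EKU that Cherry's earlier reply mentions.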
  • Hi,

     

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

     

    Best Regards,

    Cherry



    Wednesday, July 8, 2020 1:09 AM
  • Hi,

     

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

     

    Best Regards,

    Cherry



    Friday, July 10, 2020 1:50 AM
  • Hi

     

    As this thread has been quiet for a while, we will mark it as 'Answered', as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

     

    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

     

    Best regards

    Cherry



    Monday, July 13, 2020 1:32 AM
  • Hi Cherry,

    Sorry, I couldn't revert earlier.

    I am building a test environment to test these points and get clarification on some of the points I have gone through in various forums and reading. Will keep this thread updated on the test results soon.

    Thank you for your time to share all possible information.


    Regards: Mahesh

    Monday, July 13, 2020 5:57 AM
  • Hi,

    Thanks for the efforts you have put into this case. Feel free to post on this forum if you get any update.

    This "Network Access Protection" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details.

    Best regards

    Cherry


    "Network Access Protection" forum will be migrating to a new home on Microsoft Q&A!

    We invite you to post new questions in the "Network Access Protection"  forum's new home on Microsoft Q&A!

    For more information, please refer to the sticky post.


    Tuesday, July 14, 2020 1:30 AM