Combine DirectAccess with AutoVPN?

  • Question

  • Are they compatible on the same laptop?

    We are considering deploying DirectAccess using the Getting Started Wizard default settings and configuring only select servers to be available (Config Manager servers, A/V server, etc.).

    We want laptops to be able to auto-update and report status in SCCM and ePO whenever they are online, and users to be able to change passwords remotely without VPN, but still require the user to use VPN when they want access to file shares and RDP.


    I found that with the Anniversary Update, it should be easy for users to connect to VPN as needed for file server and RDP access. The info I saw about it says users can use Windows Hello to connect to AutoVPN. I assume they can just swipe their finger or use a facial recognition camera on a device like the Surface Pro 4.

    They currently use Cisco AnyConnect and connect to an ASA to connect to VPN. We would like users of domain-joined computers to be able to AutoVPN into their previous connections without needing AnyConnect software or RSA tokens.

    Should this all work?

    Where is the documentation on how to configure AutoConnect on the server side? I only see basic info for users:

     

    Monday, April 17, 2017 8:07 PM

Answers

  • Hi There

    The problem you will have by combining DirectAccess and AutoVPN is that the DA tunnel, even if you place it in "Deploy DirectAccess for Remote Management Only" (which achieves your aims of updates / AV etc., and the clients cannot connect to the Intranet Tunnel), will drop as soon as you connect using the AutoVPN. Therefore, IMHO, it seems as if you are mixing the two technologies, whereas deciding on one or the other will achieve both goals. Full DirectAccess eliminates the need for using the AutoVPN and allows patching and password changes, files and RDP. Happy to be proved wrong, but the AutoVPN would not always allow that seamless patching; I usually have to do some sort of discovery or wake-up. Not sure which is the right tech for you; both are viable, but I wouldn't mix the two personally.

    Some light reading

    https://technet.microsoft.com/en-us/security/jj991832.aspx

    https://technet.microsoft.com/en-gb/itpro/windows/keep-secure/vpn-guide

    Hope this helps

    J

    • Marked as answer by Kalimanne Monday, April 24, 2017 2:36 PM
    Monday, April 24, 2017 1:12 PM

All replies

  • OK, it looks like AutoVPN is not for us. We will see if we can deploy DirectAccess with full connectivity instead.
    Monday, April 24, 2017 2:36 PM