Module 4 Remote Access

The document provides an overview of remote access technologies, focusing on VPNs and DirectAccess, detailing their functionalities, types, and security features. It explains how to create VPN connections in Windows 10, the advantages of Always On VPN over traditional VPNs, and the configuration of clients for Always On VPN using ProfileXML. Additionally, it discusses the integration of VPN with Conditional Access Framework and Windows Information Protection for enhanced security.

Remote Access Overview Lesson

Lesson Objectives

After completing this lesson, you will be able to:

- Describe how to use VPNs to connect to a remote network.
- Explain how DirectAccess can help remote users connect.
- Discuss the considerations of enabling remote access for your users.

Overview of VPNs

- A VPN provides a point-to-point connection between components of a private network through a public network such as the Internet.
- Tunneling protocols enable a VPN client to establish and maintain a connection to the listening virtual port of a VPN server.
- To emulate a point-to-point link, the data is encapsulated (wrapped) and prefixed with a header. This header carries the routing information that lets the encapsulated data traverse the public network and reach its endpoint.
- To emulate a private link, the data is encrypted to ensure confidentiality: packets intercepted on the public network are unreadable without the encryption keys.
- Encryption protects the payload, not the existence of the tunnel. The outer headers (client and server addresses, protocol, packet sizes and timing) remain visible to anyone on the path.

Two types of VPN connections exist:

Remote access
- Remote access VPN connections enable users who are working at home, at customer sites, or from public wireless access points to reach servers on your organization's private network.
- They do so by using the infrastructure that a public network, such as the Internet, provides.
- From the user's perspective, the VPN is a point-to-point connection between the computer (the VPN client) and your organization's server.
- The exact infrastructure of the shared or public network is irrelevant, because it logically appears as if the data is sent over a dedicated private link.

Site-to-site
- Site-to-site VPN connections, also known as router-to-router VPN connections, enable your organization to have routed connections between separate offices, or with other organizations, over a public network while maintaining secure communications.

Properties of VPN connections

- VPN connections in Windows 10 can use:
  - Point-to-Point Tunneling Protocol (PPTP)
  - Layer Two Tunneling Protocol with IPsec (L2TP/IPsec)
  - Secure Socket Tunneling Protocol (SSTP)
  - Internet Key Exchange version 2 (IKEv2)
- Note: An IKEv2 VPN provides resilience to the VPN client when the client either moves from one wireless hotspot to another or switches from a wireless to a wired connection.
- Note: PPTP remains in the list for compatibility only. Its MS-CHAPv2 authentication can be broken offline from a single captured handshake, its MPPE session keys are derived from the user's password, and it never authenticates the server, so it should not be used for new deployments. L2TP/IPsec with a pre-shared key is only as strong as the secrecy of a key that is typically shared by every client. Prefer IKEv2 or SSTP with certificate-based authentication.
- Point-to-site (P2S) connections to an Azure VPN gateway, the cloud counterpart of a remote access VPN, can use one of the following protocols:
  - OpenVPN® Protocol, an SSL/TLS-based VPN protocol. An SSL VPN traverses most firewalls, because most firewalls allow TCP port 443 outbound, the port that TLS uses. OpenVPN can be used to connect from Android, iOS (11.0 and later), Windows, Linux and Mac (macOS 10.13 and later) devices.
  - Secure Socket Tunneling Protocol (SSTP), a Microsoft proprietary TLS-based VPN protocol with the same firewall-traversal property. SSTP is only supported on Windows devices; Azure supports all versions of Windows that have SSTP (Windows 7 and later). SSTP supports up to 128 concurrent connections regardless of the gateway SKU.
  - IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (macOS 10.11 and later).
- VPN Reconnect. This IKEv2 feature, built on the MOBIKE extension (RFC 4555), re-establishes an interrupted tunnel automatically when the client's IP address changes, which is what gives IKEv2 the resilience noted above; the user does not have to sign in again.
- All VPN connections, irrespective of tunneling protocol, share some common characteristics:
  - Encapsulation. With VPN technology, private data is encapsulated with a header that contains routing information, which allows the data to traverse the transit network.
  - Authentication. Authentication ensures that the two communicating parties know with whom they are communicating: the server verifies the user's or device's credentials (password, smart card or certificate), and with the certificate-based protocols (SSTP, IKEv2, and L2TP/IPsec with certificates) the client verifies the server's certificate before presenting those credentials.
  - Data encryption. To ensure data confidentiality as the data traverses the shared or public transit network, the sender encrypts the data and the receiver decrypts it.
    - Encryption and decryption depend on both the sender and the receiver using a common session key, which the tunneling protocol negotiates when the connection is established.
    - Intercepted packets sent along the VPN connection in the transit network will be unintelligible to anyone who does not have that key.

Conditional Access Framework

- Starting with Windows 10 version 1607, you can provide additional security for your remote access connections by integrating VPN with the Conditional Access Framework.
- The Conditional Access Framework is a Microsoft Azure Active Directory–based policy engine that, in combination with a mobile device management (MDM) solution such as Microsoft Intune, can verify device compliance before granting access to a corporate network or to Microsoft Online services.

Windows Information Protection

- Another security-related feature is the VPN client integration with Windows Information Protection.
- Windows Information Protection is a feature that uses a number of technologies (including BitLocker Drive Encryption, AppLocker, and Microsoft Azure Rights Management) to protect enterprise data against leakage and unauthorized use.
- It relies on Microsoft Intune, Microsoft System Center Configuration Manager, or a third-party MDM solution to create and deploy the policies that specify protected apps and apply the desired protection level to your data.
- With the VPNv2 configuration service provider, you can use an MDM solution to configure VPN profiles on managed devices.
- In the case of Microsoft Intune, you have access to pre-defined policy templates that include built-in support for VPN plug-ins.
- Windows 10 version 1607 also includes a number of remote access usability improvements that you can configure via VPN profiles, including:
  - Always On. This feature triggers automatic connections following a user sign-in or a network change.
  - App-triggered VPN. This feature triggers automatic connections when an application that you specify, identified by its Universal Windows Platform package family name or by a file path, is launched.
    Note: This functionality is available on both workgroup and domain-joined computers, unlike Windows 8.1, which limited it to workgroup computers only.
  - Traffic filters. With this feature, you control which traffic is allowed to reach your corporate network through the tunnel. You do this by defining app-based or traffic-based rules. With app-based rules, you specify a list of allowed applications. Traffic-based rules are 5-tuple policies that take into account the source and destination IP addresses, the source and destination ports, and the network protocol. Traffic that matches no rule is dropped, so the tunnel becomes an allowlist rather than a wide-open route into the corporate network.
  - LockDown VPN. This feature enforces a number of VPN device settings that affect its connectivity. For example, you can ensure that a user cannot modify the VPN profile or disconnect an active VPN connection. You can also implement forced tunneling and block outbound traffic while the VPN connection is not available.

Creating a VPN Connection in Windows 10

To create a VPN connection in Windows 10, use the following procedure:

1. Tap the Network icon in the notification area, and then tap Network settings.
2. In Network & internet, tap the VPN tab.
3. Tap Add a VPN connection.
4. In the Add a VPN connection dialog box, in the VPN provider list, tap Windows (built-in).
5. In the Connection name box, enter a meaningful name, such as Office Network.
6. In the Server name or address text box, type the FQDN of the server to which you want to connect. This is usually the name of the VPN server, and for SSTP and IKEv2 it must match the name on the server's certificate.
7. In the VPN type list, select between Point to Point Tunneling Protocol (PPTP), L2TP/IPsec with certificate, L2TP/IPsec with pre-shared key, Secure Socket Tunneling Protocol (SSTP), and IKEv2. This setting must match the settings and policies configured on your VPN server. If you are unsure, tap Automatic, but be aware that Automatic may settle on a weaker protocol than the one you intended; once you know what the server enforces, select it explicitly.
8. In the Type of sign-in info list, select either User name and password, Smart card, One-time password, or Certificate. Again, this setting must match your VPN server policies.
9. In the User name (optional) box, type your user name, and then in the Password (optional) box, type your password. Select the Remember my sign-in info check box only on a device that is yours alone (the saved credentials are available to anyone who can sign in as you on that device), and then tap Save.

To manage your VPN connection, from within Network & internet, on the VPN tab, tap the VPN connection, and then tap Advanced options. You can then reconfigure the VPN settings as needed.

Note: Your VPN connection will appear on the list of available networks when you tap the network icon in the notification area.
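The same connection, created and hardened from PowerShell instead of the Settings UI, as an added example that is not part of the course module. It uses the built-in VpnClient cmdlets; the connection name, vpn.contoso.example and the two corporate prefixes are assumptions, and it chooses IKEv2 with machine-certificate authentication rather than the password sign-in of step 9. The commented-out PPTP call is the weak configuration kept beside the hardened one for contrast.

```powershell
# Added example, not code from the course module: the connection the nine steps above
# create in Settings, built with the VpnClient cmdlets and then hardened. 'Office Network',
# vpn.contoso.example and the 10.0.0.0/8 and 192.168.10.0/24 prefixes are placeholders
# (assumptions), not values from the page. Run in the user's own session on Windows 10.

$ConnectionName = 'Office Network'
$ServerFqdn     = 'vpn.contoso.example'   # assumption: the FQDN on the server certificate

# WEAK (kept only as a contrast, do not run): PPTP with MS-CHAPv2. The MS-CHAPv2 exchange
# can be cracked offline from one captured handshake, the MPPE session keys derive from the
# password, and PPTP never authenticates the server, so a rogue "VPN server" goes unnoticed.
# Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerFqdn `
#     -TunnelType Pptp -AuthenticationMethod MSChapv2 -EncryptionLevel Required

# Make the script re-runnable: drop any existing profile with the same name.
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -Force
}

# HARDENED: IKEv2 with certificate authentication (the device certificate issued by the
# enterprise CA), encryption required, and split tunnelling so only corporate prefixes use
# the tunnel. Credentials are deliberately not cached (step 9's "Remember my sign-in info").
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $ServerFqdn `
    -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required `
    -SplitTunneling `
    -PassThru | Out-Null

# Pin the IKEv2/IPsec proposal. Left at defaults, the client accepts whatever the server
# proposes, which on an old RRAS box can still be 3DES, SHA-1 and DH group 2.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -AuthenticationTransformConstants GCMAES256 `
    -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -PfsGroup ECP384 `
    -Force

# Split-tunnel routes: only these (assumed) corporate prefixes are sent through the VPN;
# everything else leaves directly via the local ISP.
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix '10.0.0.0/8'
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix '192.168.10.0/24'

# Check: the result must match the server's policy (step 7) or the connection will not come up.
$vpn = Get-VpnConnection -Name $ConnectionName
$vpn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
$vpn.IPsecCustomPolicy
$vpn.Routes
```

The IKEv2 client validates the server's certificate chain and expects a Server Authentication EKU and a subject or SAN matching the name you entered; a mismatch fails at IKE authentication (error 13801) rather than silently connecting, which is the behaviour you want. Comparing the commented-out call with the second one is the point: the cmdlet will create a PPTP/MS-CHAPv2 connection without warning, so the protocol and cipher choices have to be made deliberately.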

Always On VPN

- With traditional VPNs, the end user typically initiates the VPN connection by launching the VPN client and authenticating. There are two common disadvantages with this:
  - Users have to be aware of which resources require VPN access and perform the additional steps every time they need to connect over the VPN.
  - Traditional VPNs are typically an "all or nothing" solution: once connected, all network traffic is tunneled over the VPN. This can consume large amounts of bandwidth on the organization's network when it isn't necessary. The most notable example is remote users who frequently use publicly accessible websites and resources: they might need VPN access for one or two tasks, but inadvertently pass all of their Internet traffic through the organization's network instead of directly through their own ISP.
- Always On VPN provides a more seamless experience for end users.
- It supports remote access for domain-joined, non-domain-joined (workgroup), or Azure AD–joined devices, and personally owned devices.
- Administrators configure routing policies to determine when the client should direct traffic over the VPN.
- Policies can be based on user, hardware, or software criteria. For example, you could enable device authentication for remote device management, and then enable user authentication for connectivity to internal company sites and services.
- Because it is controlled by policies, the user no longer has to be concerned with when to connect to or disconnect from the VPN, whether they are remote or on the internal network.
- Most organizations supporting VPN access already have the technologies deployed that Always On VPN needs.
- Other than your domain controllers and DNS servers, an Always On VPN deployment requires an NPS (RADIUS) server, a Certification Authority (CA) server, and a Remote Access (Routing/VPN) server.
- Once the infrastructure is set up, you enroll the clients (issuing the certificates they authenticate with) and then verify that they connect to your on-premises network securely and stay connected across network changes.

Always On VPN and DirectAccess

- Always On VPN is the successor to DirectAccess.
- While both solutions are supported, Microsoft recommends deploying or migrating to Always On VPN. DirectAccess also provides seamless access, but requires IPv6 (natively or through transition technologies such as Teredo, 6to4 and IP-HTTPS) and domain-joined clients.
- Always On VPN can use either IPv4 or IPv6, and supports non-domain-joined devices.
- Always On VPN also provides more granular control over how traffic is routed, and supports conditional access policies.
- Always On VPN only supports Windows 10 clients, while DirectAccess supports Windows 7 and later. Administrators should review each solution to assess which one meets their needs.

Configuring Clients for Always On VPN

- Windows 10 clients are configured for Always On VPN through ProfileXML.
- ProfileXML is a node, addressed by a uniform resource identifier (URI), within the VPNv2 configuration service provider (CSP).
- Conceptually, CSPs work similarly to Group Policy.
- Just as you use the Group Policy Management Editor to configure Group Policy objects (GPOs), you configure CSP nodes by using a mobile device management (MDM) solution such as Microsoft Intune.
- In this case, you configure a specific node called ProfileXML in the VPNv2 CSP, which contains all of the necessary settings. The settings and the XML file are typically created by the administrator responsible for the VPN infrastructure. Once the XML file is created, it can be deployed to clients with either a device profile in Intune or as a package in Configuration Manager. It can also be deployed using PowerShell, through the WMI-to-CSP bridge.
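An added example, not the module's own code, that covers both the VPN profile features listed under Windows Information Protection above (Always On, app-triggered VPN, traffic filters, split-tunnel routing) and this section's ProfileXML deployment: it builds a ProfileXML for an Always On VPN user tunnel and writes it into the VPNv2 CSP through the WMI-to-CSP bridge, the same node an MDM would set. Every name in it (the 'Template' connection, vpn.contoso.example, corp.contoso.example, 10.0.0.0/8, the LedgerClient.exe path) is an assumption.

```powershell
# Added example, not code from the course module: build a ProfileXML for an Always On VPN
# user tunnel and write it into the VPNv2 CSP through the WMI-to-CSP bridge, the same path
# an MDM takes. Assumptions: a template connection named 'Template' already exists (created
# once in Settings with the EAP method your NPS expects), vpn.contoso.example is the server,
# corp.contoso.example is the internal DNS suffix, 10.0.0.0/8 is the corporate range and
# %ProgramFiles%\Contoso\LedgerClient.exe is an internal line-of-business app.
# Run elevated in the signed-in user's session; the bridge targets that user's SID.

$ProfileName  = 'Contoso AlwaysOn'
$TemplateName = 'Template'
$Server       = 'vpn.contoso.example'
$DnsSuffix    = 'corp.contoso.example'
$LobApp       = '%ProgramFiles%\Contoso\LedgerClient.exe'

# Reuse the EAP configuration (for example EAP-TLS) captured in the template connection,
# so no EapHostConfig XML has to be written by hand.
$Eap = (Get-VpnConnection -Name $TemplateName).EapConfigXmlStream.InnerXml
if (-not $Eap) { throw "Connection '$TemplateName' has no EAP configuration to copy" }

$ProfileXML = @"
<VPNProfile>
  <RememberCredentials>true</RememberCredentials>
  <AlwaysOn>true</AlwaysOn>
  <DnsSuffix>$DnsSuffix</DnsSuffix>
  <!-- Trusted network detection: no tunnel while an interface already carries this suffix -->
  <TrustedNetworkDetection>$DnsSuffix</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>$Server</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap><Configuration>$Eap</Configuration></Eap>
    </Authentication>
    <!-- Routing policy: split tunnel, and no class-based route derived from the assigned IP -->
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
    <CryptographySuite>
      <AuthenticationTransformConstants>GCMAES256</AuthenticationTransformConstants>
      <CipherTransformConstants>GCMAES256</CipherTransformConstants>
      <EncryptionMethod>AES256</EncryptionMethod>
      <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
      <DHGroup>Group14</DHGroup>
      <PfsGroup>ECP384</PfsGroup>
    </CryptographySuite>
  </NativeProfile>
  <!-- Only this prefix is routed through the tunnel -->
  <Route><Address>10.0.0.0</Address><PrefixSize>8</PrefixSize></Route>
  <!-- App-triggered VPN: launching the LOB app brings the tunnel up -->
  <AppTrigger><App><Id>$LobApp</Id></App></AppTrigger>
  <!-- Traffic filter (app plus 5-tuple): only the LOB app, TCP, port 443, to 10.0.0.0/8 may use the tunnel -->
  <TrafficFilter>
    <App><Id>$LobApp</Id></App>
    <Protocol>6</Protocol>
    <RemotePortRanges>443</RemotePortRanges>
    <RemoteAddressRanges>10.0.0.0/8</RemoteAddressRanges>
  </TrafficFilter>
</VPNProfile>
"@

# --- Write the profile through the WMI-to-CSP bridge (MDM_VPNv2_01) ---
$ns  = 'root\cimv2\mdm\dmmap'
$cls = 'MDM_VPNv2_01'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'
$Sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

$session = New-CimSession
$options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
$options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
$options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id', $Sid, $false)

# Replace an earlier copy of the same profile so re-running the script updates it.
foreach ($old in $session.EnumerateInstances($ns, $cls, $options)) {
    if ($old.InstanceID -eq $ProfileNameEscaped) { $session.DeleteInstance($ns, $old, $options) | Out-Null }
}

# The ProfileXML node takes the XML as an escaped string value.
$inst = New-Object Microsoft.Management.Infrastructure.CimInstance $cls, $ns
$inst.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID', './Vendor/MSFT/VPNv2', 'String', 'Key'))
$inst.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', $ProfileNameEscaped, 'String', 'Key'))
$inst.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', [System.Security.SecurityElement]::Escape($ProfileXML), 'String', 'Property'))
$session.CreateInstance($ns, $inst, $options) | Out-Null

# Check: the profile is now an ordinary VPN connection for this user.
Get-VpnConnection -Name $ProfileName | Select-Object Name, TunnelType, SplitTunneling, ConnectionStatus
```

The two SetCustomOption calls are what scope the write to the signed-in user; a device tunnel (machine-certificate authentication with DeviceTunnel set to true) is written from the SYSTEM context without them. Intune and Configuration Manager deliver the identical XML to the identical node, so the script is also a quick way to validate a profile before handing it to the MDM. LockDown VPN is a separate setting deployed through the same CSP and is not shown here.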
