Configuring remote access

Windows 10 helps users stay productive regardless of where they are located or what data they need. It also supports VPNs, so users can reach their work environment from wherever they connect.

An overview of VPNs

A VPN provides a point-to-point connection between individual network components over a public network such as the internet. Tunneling protocols allow a VPN client to connect to a virtual port on which the VPN server listens and to keep that connection open. The data is encapsulated (wrapped) and prefixed with a header to emulate a point-to-point connection. This header provides the routing information that lets the data reach its destination through the public network. The data is also encrypted to ensure confidentiality, which emulates a private link: packets intercepted on the public network are indecipherable to anyone without the encryption keys. There are two types of VPN connections:

  • Remote access: Remote access VPN connections allow users at home, on customer sites, or on public wireless Access Points (APs) to reach company resources that reside in the company's private network. This is done over the infrastructure of a public network, such as the internet.

    From the user's perspective, the VPN is a point-to-point connection between the device running the VPN client and the organization's server. The actual infrastructure of the shared or public network is irrelevant, because the data appears to be sent over a dedicated private link.

  • Site-to-site: Site-to-site VPN connections, also known as router-to-router VPN connections, allow your organization to route connections across a public network between different offices or other organizations while maintaining secure communications.

VPN connections in Windows 10 can make use of the following protocols:

  • Point-to-Point Tunneling Protocol (PPTP)
  • Layer Two Tunneling Protocol with IPsec (L2TP/IPsec)
  • Secure Socket Tunneling Protocol (SSTP)
  • Internet Key Exchange version 2 (IKEv2)

    Important Note

    An IKEv2 VPN gives the VPN client resilience when the client either moves from one wireless hotspot to another or switches from wireless to wired.

All the previously mentioned VPN connections, regardless of their tunneling protocol, share some common characteristics, including the following:

  • Encapsulation: VPN technology encapsulates private data with a header that contains routing information, allowing the data to traverse the transit network.
  • Authentication: Authentication ensures that each of the two communicating parties knows who it is communicating with.
  • Data encryption: The sender encrypts the data and the recipient decrypts it, keeping the data secure as it crosses a shared or public transit network. Encryption and decryption rely on an encryption key known to both the sender and the recipient. Packets intercepted on the transit network along the VPN connection are unintelligible to anyone who lacks that shared encryption key.

As of Windows 10 version 1607, you can configure several remote-access usability improvements via VPN profiles. These improvements are as follows:

  • Always On: This feature connects automatically after a user signs in or when the network changes.
  • App-triggered VPN: This feature connects automatically, based on a Universal Windows Platform (UWP) package family name or a file path, when the applications you choose are launched.

    Important Note

    Note that this functionality is available on both workgroup and domain-joined computers, unlike Windows 8.1, which is limited to workgroup computers only.

  • Traffic filters: With this feature, you can control which types of network traffic are allowed to reach your business network over the VPN.
  • LockDown VPN: This feature enforces several settings that restrict how the VPN can be used. For instance, you can ensure that a user cannot change the VPN profile or disconnect an active VPN connection. You can also enforce forced tunneling and block outbound traffic whenever the VPN connection is not available.

By this point, you know which types of VPN are available, which protocols you can use, and which remote-access improvements you can apply. Next, we are going to create a VPN connection.

Creating a VPN connection

In this section, we are going to create a VPN connection using the following steps:

  1. Click on the network icon in the notification area and then click on Network & Internet settings | VPN | Add a VPN connection tab.
  2. In the VPN provider list of the Add a VPN connection dialog box, select Windows (built-in).
  3. In the Connection name box, add a meaningful name.
  4. In the Server name or address text box, fill in the Fully Qualified Domain Name (FQDN) of the VPN server you want to connect to.
  5. In the VPN type list, choose a VPN protocol. This protocol must match the settings and policies configured on your VPN server. If you are unsure, tap Automatic.
  6. In the Type of sign-in info list, choose the correct type of sign-in option. Again, this must match the policies configured on your VPN server.
  7. In the User name (optional) box, fill in your username, and then in the Password (optional) box, fill in your password and then click Save.
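As an added example that is not from the book, the same connection created from PowerShell with the built-in VpnClient cmdlets rather than the Settings app; the connection name, the server FQDN and the 10.0.0.0/8 prefix are assumed placeholders for your own environment:

```powershell
# Added example (not from the book): the connection from the seven GUI steps
# above, created with Windows' built-in VpnClient cmdlets instead.
# The name, server FQDN and address prefix are placeholders for your environment.
$Name   = 'Contoso VPN'             # step 3: a meaningful connection name
$Server = 'vpn.contoso.example'     # step 4: FQDN of the VPN server

# Steps 2, 5 and 6: Windows (built-in) provider, IKEv2 tunnel, EAP sign-in.
# Pinning IKEv2 instead of 'Automatic' stops the client from negotiating down
# to an older tunnel type if IKEv2 fails. Eap without -EapConfigXmlStream is
# assumed to match the GUI's default user name and password option; pass a
# PEAP or EAP-TLS document in -EapConfigXmlStream when the server requires
# certificate-based authentication.
Add-VpnConnection -Name $Name -ServerAddress $Server `
    -TunnelType Ikev2 -AuthenticationMethod Eap -EncryptionLevel Required `
    -RememberCredential -SplitTunneling -Force

# With split tunneling enabled, only these prefixes are sent through the
# tunnel; everything else stays on the user's own internet connection.
Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix '10.0.0.0/8'

# Read back what was stored, the same values the Advanced options page shows.
Get-VpnConnection -Name $Name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                  EncryptionLevel, SplitTunneling, RememberCredential
```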

If you followed the previous steps, you will see something like the following screenshot:

Figure 8.7 - The Add a VPN connection dialog box

To manage your VPN connection, go to Network & Internet | VPN | VPN connection | Advanced options. You can then reconfigure your VPN settings as necessary, as shown in the following screenshot:

Figure 8.8 - Extra options are visible if you click on the VPN connection

If you click the network icon in the notification area, you will see your VPN connection on the list of available networks, as you can see in the following screenshot:

Figure 8.9 - VPN connections on the networks list

You now understand the basics of VPN connections. Nowadays, there is a demand for VPN connectivity that is always active. In the next section, you will learn what Always On VPN is.

Understanding Always On VPN

With conventional VPNs, the end user usually initiates the VPN connection by opening the VPN client and authenticating. There are two common disadvantages to this:

  • Users need to know which resources require VPN access and the additional steps they must take whenever they need to connect via the VPN.
  • Conventional VPNs are all or nothing: all network traffic is tunneled over the VPN while it is connected. This can consume large amounts of the organization's bandwidth when that is not needed.

    Remote users who frequently use publicly accessible databases and resources are the most notable example. They may need VPN access for only one or two tasks, but they may unintentionally send all of their internet traffic through the organization's network rather than directly through their own ISP.

Always On VPN offers end users a more seamless experience. It provides remote access for domain-joined, non-domain-joined (workgroup), and Azure AD-joined devices, including personally owned computers.

Administrators configure routing policies that determine when the client should send traffic over the VPN. Policies can be based on criteria relating to the user, the hardware, or the software. You may, for example, require device authentication for remote device management and then require user authentication for access to internal company sites and services. Because the connection is governed by policy, the user no longer has to think about when to connect to or disconnect from the VPN, or about whether the device is remote or on the internal network.

Many organizations that already provide VPN access have the technology required for Always On VPN. Besides a domain controller and DNS servers, an Always On VPN implementation includes a Network Policy Server/Remote Authentication Dial-In User Service (NPS/RADIUS) server, a Certification Authority (CA) server, and a remote access (Routing/VPN) server. Once the infrastructure has been set up, you need to enroll the clients and make several network changes so that the clients can connect securely to your premises.

Always On VPN is the successor to DirectAccess. While Windows supports both, Microsoft recommends implementing Always On VPN or switching to it. DirectAccess also offers seamless access, but it relies on IPv6 and requires domain-joined clients. Always On VPN can use either IPv4 or IPv6 and supports non-domain-joined devices. Always On VPN also provides more granular control over how traffic is routed and supports conditional access policies.

Windows 10 clients are configured for Always On VPN through the ProfileXML setting. ProfileXML is a Uniform Resource Identifier (URI) node within the VPNv2 Configuration Service Provider (CSP).

Conceptually, CSPs work similarly to Group Policy. Similar to how you would use the Group Policy management editor to configure Group Policy Objects (GPOs), you configure CSP nodes by using Mobile Device Management (MDM) solutions, such as Microsoft Intune. In this case, this means configuring a specific node called ProfileXML in the VPNv2 CSP, which contains all the settings necessary. In the following screenshot, you will see an example of a VPN configuration with Always On enabled in Microsoft Intune:

Figure 8.10 - An example of a VPN configuration in Microsoft Intune

The settings and XML files are typically created by the administrator responsible for the VPN infrastructure. Once the XML file is created, it can be deployed to clients with either a device profile in Intune or as a package in Configuration Manager. It can also be deployed using PowerShell.
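As an added example, not taken from the book or from Microsoft's documentation, here is a ProfileXML for the VPNv2 CSP that turns on Always On, split tunneling and a traffic filter (features listed earlier in this chapter), deployed locally through the MDM bridge WMI provider, which is the PowerShell route mentioned above. The profile name, server, DNS suffix, address prefix, application path and the template connection named 'Contoso VPN' are assumed placeholders.

```powershell
# Added example (not from the book). Run as SYSTEM (for example via PsExec -s):
# the root\cimv2\mdm\dmmap bridge rejects other callers. Names, addresses and
# the template connection name are placeholders for your environment.
$ProfileName  = 'Contoso Always On VPN'
$TemplateName = 'Contoso VPN'   # existing, tested connection that uses an EAP method
# Copy the template's EAP settings instead of hand-writing authentication XML.
$Eap = (Get-VpnConnection -Name $TemplateName).EapConfigXmlStream
if (-not $Eap) { throw "'$TemplateName' has no EAP configuration to copy." }

$ProfileXML = @"
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.contoso.example</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap><Configuration>$($Eap.InnerXml)</Configuration></Eap>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <TrustedNetworkDetection>corp.contoso.example</TrustedNetworkDetection>
  <Route><Address>10.0.0.0</Address><PrefixSize>8</PrefixSize></Route>
  <TrafficFilter>
    <App><Id>%ProgramFiles%\Contoso\Client.exe</Id></App>
    <Protocol>6</Protocol>
    <RemotePortRanges>443</RemotePortRanges>
    <RemoteAddressRanges>10.0.0.0/8</RemoteAddressRanges>
  </TrafficFilter>
</VPNProfile>
"@

# The CSP stores ProfileXML as an escaped string and the node name URL-encoded.
$Escaped    = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
$InstanceId = $ProfileName -replace ' ', '%20'
$ns   = 'root\cimv2\mdm\dmmap'
$inst = New-Object Microsoft.Management.Infrastructure.CimInstance 'MDM_VPNv2_01', $ns
foreach ($p in @(@('ParentID', './Vendor/MSFT/VPNv2', 'Key'),
                 @('InstanceID', $InstanceId, 'Key'),
                 @('ProfileXML', $Escaped, 'Property'))) {
    $inst.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create($p[0], $p[1], 'String', $p[2]))
}
(New-CimSession).CreateInstance($ns, $inst) | Out-Null

# Read the node back: the escaped XML should now contain AlwaysOn and the filter.
Get-CimInstance -Namespace $ns -ClassName MDM_VPNv2_01 |
    Where-Object InstanceID -eq $InstanceId | Select-Object InstanceID, ProfileXML
```

Once a TrafficFilter is present, only traffic that matches a filter may use the tunnel, so the filter above confines the VPN to the named client talking to the corporate prefix on TCP 443; Intune and Configuration Manager write the same node for you, so the profile body is what carries over to those tools.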

In this section, you learned what Always On VPN is and how to configure it in Microsoft Intune. In the next section, you will learn how to configure Wi-Fi profiles in Windows 10.