Azure Point-to-Site VPN with Azure VPN gateway or RAS Gateway VPN Server

Looking at setting up Microsoft Always On VPN into Azure. Microsoft has 2 deployment setups: one is to deploy a Windows server running RAS Gateway VPN Server and use that to authenticate the traffic through. The other is to use the Azure VPN gateway built into Azure. We want to use the user tunnel instead of the device tunnel because many places block IPsec ports. What is the best option?

Below are some questions that I have:

  1. What is the best option? Using a RAS Gateway VPN server or using the Azure VPN gateway?
  2. If we have Always On VPN set up on a laptop and they come into the office, which has a site-to-site VPN set up, does the VPN client on the PC disconnect?
  3. Can other clients on the VPN communicate with each other, or does it segregate the traffic? I guess I could do a user-defined route in the setup to not allow inner subnet traffic.
  4. Is anyone using the Azure VPN gateway to do Point-to-Site Always On VPN? How does it work?
  5. Is anyone using a RAS Gateway VPN server in Azure? How does it work?

How does using a user tunnel vs a device tunnel get around IPsec blocks?

Be sure to check the user limit. VPN gateway has a max number of users. For more, you should be looking at Virtual WAN.

If I may ask, why would you need to use Always On VPN? Like, if the user needs VPN then they can click on the WiFi icon, select the VPN connection and hit connect. You can set up the P2S in such a way that traffic that requires VPN will go through the VPN; otherwise traffic will go through the regular connection.

The general idea is: if you need control, spin up your own VMs and configure things. If you need more packaged solutions, then go with the native Azure solutions.

I think regarding #2, if you set up the XML for the profile, it will auto-detect when you are connected to the network and disconnect the VPN. I'm doing this on prem, so unsure if this differs much when built in Azure.

https://docs.microsoft.com/en-us/windows/security/identity-protection/vpn/vpn-auto-trigger-profile

Trusted network detection

This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffixes. The VPN stack will look at the DNS suffix on the physical interface, and if it matches any in the configured list and the network is private or provisioned by MDM, then the VPN will not get triggered.

Trusted network detection can be configured using the VPNv2/ProfileName/TrustedNetworkDetection setting in the VPNv2 CSP.
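To show what the TrustedNetworkDetection setting looks like when it is actually deployed, here is an added example (not code from this thread and not Microsoft's own deployment script) that builds a user-tunnel Always On VPN ProfileXML and registers it through the VPNv2 CSP's MDM bridge class. The server name, the DNS suffix list, the 10.10.0.0/16 route, the DNS server address and the profile name are assumed values; the EAP block is a labelled placeholder that has to be replaced with the EAP configuration exported from a working test connection.

```powershell
# Added example: Always On VPN user tunnel with trusted network detection,
# applied through the MDM bridge (root\cimv2\mdm\dmmap / MDM_VPNv2_01).
# Run elevated in the context of the signing-in user (user tunnels are per user).

$ProfileName        = 'Contoso Always On VPN'            # assumed
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'   # CSP node names must be URL-escaped

# Assumed values for this example
$VpnServer  = 'vpn.contoso.example'                          # public FQDN of the gateway / RAS server
$TrustedDns = 'corp.contoso.example,lab.contoso.example'    # comma-separated DNS suffixes = trusted networks

$ProfileXML = @"
<VPNProfile>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <!-- Automatic: the client tries IKEv2 (IPsec) first and falls back to SSTP on TCP 443 -->
    <NativeProtocolType>Automatic</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>
          <!-- PLACEHOLDER: paste the EapHostConfig exported from a working test connection -->
        </Configuration>
      </Eap>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <!-- Do not auto-trigger while the physical adapter's DNS suffix matches one of these
       and the network profile is private/domain (the office LAN case from the question) -->
  <TrustedNetworkDetection>$TrustedDns</TrustedNetworkDetection>
  <DomainNameInformation>
    <DomainName>.corp.contoso.example</DomainName>
    <DnsServers>10.10.0.10</DnsServers>
  </DomainNameInformation>
  <!-- Split-tunnel route: only this assumed internal range goes through the tunnel -->
  <Route>
    <Address>10.10.0.0</Address>
    <PrefixSize>16</PrefixSize>
  </Route>
</VPNProfile>
"@

# The CSP stores the profile as an escaped string inside the ProfileXML node
$EscapedXml = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$Namespace = 'root\cimv2\mdm\dmmap'
$ClassName = 'MDM_VPNv2_01'
$ParentId  = './Vendor/MSFT/VPNv2'

# Replace any existing profile of the same name so re-runs are idempotent
Get-CimInstance -Namespace $Namespace -ClassName $ClassName |
  Where-Object { $_.InstanceID -eq $ProfileNameEscaped } |
  Remove-CimInstance

New-CimInstance -Namespace $Namespace -ClassName $ClassName -Property @{
  ParentID   = $ParentId
  InstanceID = $ProfileNameEscaped
  ProfileXML = $EscapedXml
} | Out-Null

# Confirm the connection object exists; TunnelType shows 'Automatic' for the IKEv2->SSTP fallback
Get-VpnConnection -Name $ProfileName | Select-Object Name, TunnelType, SplitTunneling
```

With this profile in place, a laptop that plugs into the office network and receives one of the listed DNS suffixes on a private or domain-profile adapter will not auto-trigger the tunnel, and the site-to-site link carries its traffic instead; on any other network the tunnel comes up automatically, trying IKEv2 first and SSTP over 443 if the IPsec ports are blocked.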

How does using a user tunnel vs a device tunnel get around IPsec blocks?

My understanding is that the user tunnel will try IPsec first, but if it doesn't connect it will try SSTP, which goes over 443. - https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-map-da

Be sure to check the user limit. VPN gateway has a max number of users. For more, you should be looking at Virtual WAN

We have around 500 PCs, but most of them would be in the office and not require the VPN to be connected. We are using the VPNGw2, which supports 500 IPsec and 128 SSTP connections. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways

Not sure about your user base, but any time a resource is unavailable to a remote worker, we get some type of helpdesk call. Often they forget to connect the VPN, or even to check whether it has disconnected. Having a VPN that is set to always connect removes the user interaction.

Regarding Always On device tunnels, this improves remote management and, as I understand it, removes issues with end-user password changes and VPN device cached credentials.

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-map-da

If I may ask, why would you need to use Always On VPN? Like, if the user needs VPN then they can click on the WiFi icon and select the VPN connection and hit connect.

This is what we do today with Cisco AnyConnect. It works well, but over the last few weeks there have been many help desk calls about "can't access this drive".

Thank you, this looks like what I want. Will test it out.

So, still, though... Disabling the device tunnel doesn't make it work. It'll work anyway. The user tunnel will use SSTP, the device tunnel will fail. Don't need to turn it off for everybody.

I think device tunnels would be awesome with password changes and updates. The problem with device tunnels is that they only support IPsec, and many places block these ports. This is why we want to use the user tunnel, as it tries IPsec first and then falls back to SSTP. The more I read, it looks like people are doing both: device tunnel for internal update servers like SCCM and domain controllers. There is a limitation on how many connections the Azure VPN gateway supports. So if I set up both tunnels, does it take twice the tunnels on the VPN gateway in Azure?

I wasn't going to use the device tunnel at all, but the more I read, it looks like people are doing both: device tunnel for internal update servers like SCCM and domain controllers. Does this take twice the tunnels on the VPN gateway in Azure?