Always-On VPN deployment and migration guides

As more people work outside the traditional office, providing network connectivity becomes more challenging. In Windows 8, Microsoft introduced the DirectAccess feature to address that exact challenge. It provided an always-on connection to the corporate network anywhere there was an internet connection. Many customers deployed this feature, even though it wasn’t the easiest thing in the world to do, because it was well worth the effort.

Now, we’re in a Bring Your Own Device world, and DirectAccess has weaknesses that make it less than perfect. For example, it works only on domain-joined clients, and it offers zero support for mobile device management (MDM) or Microsoft Azure Active Directory–joined devices. If that’s not enough, the infrastructure can be complicated and supports only IPv6.

Windows 10 Always-On VPN

To remedy these shortcomings, Microsoft introduced the Always-On Virtual Private Network (VPN) feature in Windows 10. Like DirectAccess, Always-On VPN provides a constant connection to the corporate network anywhere there’s an internet connection. This feature has several advantages, however, aside from working on clients that aren’t domain-joined and supporting MDM. It’s also easier to deploy because it’s based on time-tested technologies. There’s a long list of advantages that Always-On VPN offers. The problem we were tasked with solving was helping IT pros adopt Always-On VPN more easily. For this project, we developed two deeply technical guides. The first was a greenfield deployment guide that assumed no existing remote access infrastructure. The second was a brownfield migration guide to help customers migrate from DirectAccess to Always-On VPN. These guides were 300–400-level affairs, and you can find them at Virtual Private Networking (VPN).

Marvelous! This was a great collaboration effort. Please congratulate your team on our behalf—excellent job!

Always-On VPN deployment guide

The greenfield deployment guide is a 45-page deep dive into the planning and deployment of Always-On VPN. The planning sections prescribe a single scenario for Always-On VPN that includes detailed questions that IT pros need to answer and tasks they need to complete in advance to prepare the environment. Finally, it explains the Always-On VPN Configuration Service Provider (CSP) in detail.

More than half of the guide is dedicated to step-by-step deployment instructions. The deployment content includes step-by-step infrastructure configuration for Windows Server 2016 on multiple physical servers, including guidance for configuring Active Directory, the certificate authority, the network policy server, and the Remote Access Service server.

No Group Policy settings are available to configure Always-On VPN, so the guide dedicates a lot of space to deploying the client configuration. Configuring the CSP can be complex, so our guide takes a different tack. We ask the reader to configure a client computer to connect to the Always-On VPN infrastructure, which is an easy task that requires a few minutes, and we provide a Windows PowerShell script that captures the configuration in an .xml file. We generated a second script that applies the ProfileXML contained in the file to a computer. This approach makes the entire process virtually painless for the IT pro once the infrastructure is in place.

The remainder of the guide offers guidance for deploying the configuration to client computers. It provides step-by-step instructions for a scripted installation, for using Microsoft Intune to deploy the configuration, and for using Microsoft System Center Configuration Manager to deploy the configuration.

Always-On VPN migration guide

The second document is a 22-page brownfield guide that helps IT pros migrate from DirectAccess to Always-On VPN. It builds on the deployment guide to help IT pros make good decisions during the process. Beyond that, it offers guidance on running both the DirectAccess and Always-On VPN infrastructures side by side during the project. Last, it provides guidance on taking down the DirectAccess infrastructure when migration is complete.

Precision and quality were paramount

A lot was a stake with these guides. Customers were clamoring for help with this migration, and nothing was available yet. The field felt the pressure, and that uneasiness reverberated all the way up to the product group. Therefore, the pressure was on us to create something stellar.

From the beginning of the project, we collaborated with the Microsoft subject matter experts (SMEs) to design strong, detailed outlines.

We also set up a comprehensive test lab that we would use not only to develop our guidance but also later for quality assurance. We wanted to simulate a production environment as closely as possible, so this test lab was more complex than usual. We built it on Microsoft Hyper-V, as you’d expect, and it emulated the public internet, two perimeter networks, and an internal corporate network. It had all the server infrastructure the deployment guide requires. Our engineers went so far as to use packet sniffers to validate traffic in our lab.

To write the guides, we used a team-writing approach. We assigned two engineers to the project. The first is a desktop deployment and management SME who is intimately familiar with System Center Configuration Manager, Intune, and the Microsoft Deployment Toolkit. The second is a deeply technical network engineer. We also assigned a copywriter to the project to handle assembly of the guides into a final product. Our regular team of graphic designers, copyeditors, and project managers also pitched in.