I currently have VPN needs for my Intune devices; rather than stand up and manage PKI and a traditional VPN network system (we have a Palo Alto GlobalProtect system), I am evaluating Cloudflare Zero Trust instead.
For under 50 users it's free. For licenses it varies by features from $3/user/month to $17/user/month.
The big takeaways for me, for Always On VPN with Hello for Business to work, are:
- You have to be in Cert mode not Key mode.
- Might need to integrate RADIUS and NPS services
- Uses IKE so you have an MTU hit
- Traffic backhaul for filtering
- You have to have existing VPN gateways and licensing, i.e. RAS and Windows. So not "free" per se.
Basically I could use Always On to link up to my traditional VPN and manage access in a "traditional" way. For me that was outshined by the "Zero Trust" model and implementations I have seen, where just-in-time access and per-app/per-user/per-network-type rules can be as granular as needed, with even a "justify your access request" option for just-in-time use.
I.e., a user clicks on a company-hosted app, say vcenter.example.com/admin. Rather than having to have this in a firewall policy with an allow/deny-only option, Cloudflare and others offer a "request access" button/option that will alert/email an approver who can grant limited-time access.
The real killer for me is that my PA has been under a password spray attack and it's caused a number of alert fatigue issues, caused our email system to temporarily cut off the alert address, and all the other fun that brings. The Zero Trust option uses an SSL/QUIC tunnel that is initiated outbound only from the protected network out to the Cloudflare edge: a single small app that runs on port 443 and doesn't need any inbound connectivity at all to work. This makes securing every one of my sites and apps easy. End users install an app and log in to the app via any IdP with MFA (SSO to Entra works); that can be per device (using service tokens) with pre-login auth to grant line of sight back to on-prem DCs for hybrid-joined devices, or just to ensure your policies are active prior to user login. In addition this grants Cloudflare a lot of control over the conversation, such as L7 interception and decryption to block all sorts of attack vectors, e.g. blocking users from submitting SSNs to sketchy websites.
To get that kind of protection on a traditional VPN you need L7 interception, and to backhaul all VPN traffic from the client to the VPN network, only to filter it, then send it out to the internet, get it back, then hop it back over to the client. This adds latency, and you don't want that with VoIP or interactive video (Teams/Zoom etc.). Cloudflare processes all of that filtering at the datacenter side prior to sending the traffic to your secure network. Thus you save on bandwidth, latency and user aggravation.
All of this without the loss of MTU and no need for PKI, or even Windows at all. This works on iOS, Android and just about any flavor of Windows.
All the nice things aside, it is kind of hard to find specific examples to follow in the online docs, so I have had to do some trial and error. Overall I would rather put my investments in time and money into a more modern security system than traditional VPNs.
Avas_Accumulator's comment is spot on as far as this goes.
The TL;DR: I have the same needs, found Zero Trust models to be better than Always On VPN and have explored Cloudflare, but there are others, and please don't take my post as an advertisement; it's just a lot of lessons learned over the last 3 weeks of trying to implement Hello for Business with AAD-joined devices (no hybrid), all while trying to access on-prem resources. Just showed it to my boss, who said "I didn't know where you were going with this, but you sold me on it!" Now I have an Autopilot setup that, from start to finish, requires next to no user interaction, gets pre-login security and grants just-in-time access to critical apps. All without me having to have any VPN infrastructure, and with lower average costs than PA GP or MS RADIUS servers.
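As an added illustration of the outbound-only tunnel the post describes (this is example configuration added here, not the original poster's setup or Cloudflare's own documentation), here is a cloudflared connector `config.yml` in the shape the connector reads. The tunnel UUID, the credentials and CA paths, the `vcenter.example.com` hostname from the post's example and the internal address `10.0.0.5` are assumed placeholders.

```yaml
# Example cloudflared connector config (added illustration, not from the post).
# The connector opens outbound connections on 443 to the Cloudflare edge;
# nothing in this file listens for inbound traffic on the protected network.
tunnel: 00000000-0000-0000-0000-000000000000      # placeholder tunnel UUID
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json  # placeholder path

# Ingress rules are evaluated top to bottom; the first matching hostname wins.
ingress:
  # Public hostname (fronted by a Cloudflare Access policy) -> private origin.
  - hostname: vcenter.example.com                  # assumed hostname from the post's example
    service: https://10.0.0.5:443                  # assumed internal address
    originRequest:
      # Keep TLS verification toward the origin on: pin the internal CA instead
      # of disabling checks, so the connector will not forward to a spoofed host.
      caPool: /etc/cloudflared/internal-ca.pem     # assumed path to the internal CA bundle
      connectTimeout: 10s

  # Required catch-all: any request that does not match an explicit hostname
  # above is refused, so an unintended origin is never exposed by accident.
  - service: http_status:404
```

`cloudflared tunnel ingress validate` checks the file's syntax before the connector is started. Note that this file only maps hostnames to origins; who may reach `vcenter.example.com` (IdP login, MFA, device posture via service tokens, the request-access approval flow) is decided by the Access policy in front of that hostname in the Zero Trust dashboard, so the origin should still be reachable only through the tunnel and not directly from the network.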