Always On VPN Entra Join – Part 1 What's needed


This is part 1 of my Always On VPN series

You can review the previous posts if required:

  1. Always On VPN Entra Join – Part 1 What's needed – Andy Kemp
  2. Always On VPN Entra Join – Part 2 Certificate Templates – Andy Kemp
  3. Always On VPN Entra Join – Part 3 Core Always On VPN Infrastructure – Andy Kemp
  4. Always On VPN Entra Join – Part 4 Configure Always On VPN for Entra Joined Devices – Andy Kemp
  5. Always On VPN Entra Join – Part 5 Deploy Always On VPN for Entra Joined Devices – Andy Kemp

Introduction

Always On VPN is a technology that has been around for some time now, almost 10 years or so. It replaced DirectAccess, which enabled Windows 7 and Windows 8.1 (oh, and 8) Enterprise clients to connect directly back to the corporate network using certificates for authentication.

There are many posts out there on this, but none that take you end to end, I think. Most of them (like this one) reference the Microsoft Learn articles and “translate” them. I don’t know about you, but sometimes I find them hard reading.

I have decided to do another mini-series on deploying Always On VPN to Entra Joined devices and what is needed. This will first focus on using your own Certificate Authority with NDES in place to publish SCEP certificates to Entra Joined clients. I will, however, also look at Microsoft Cloud PKI to do this, but from my understanding I still need the internal CA (Certificate Authority) to issue the certificates to my servers, as Cloud PKI is only for clients managed by Intune.

What's required

What's needed to get Always On VPN for Entra Join up and running? In short, you need the following:

  1. Active Directory Domain Services (ADDS)
  2. Active Directory Security Groups for the VPN Server, Network Policy Server, NDES Server and VPN Users
  3. Service account for NDES (Domain User)
  4. Microsoft Entra ID Tenant (EID)(Formerly Azure AD)
  5. Windows Enterprise Licenses
  6. Intune Licenses
  7. Active Directory Certificate Services (AD CS)
  8. Entra Joined Devices
  9. Network Policy Server (NPS)
  10. Routing and Remote Access (RRAS)
  11. Network Device Enrollment Service (NDES)
  12. Public IP Address for the RRAS
  13. Public DNS settings

For this example I am going to assume you have items 1 to 6 all taken care of; if not, drop me a message to let me know if you want any examples of setting these up.

Core Components

So, for Always On VPN you will need to configure the following:

  1. Certificate Templates
    • AD Groups for Templates
    • NPS Certificate
    • RRAS Certificate
    • Always On VPN User (Domain Joined)
    • SCEP Certificate
    • NDES Certificate
  2. Servers
    • NPS Server
    • RRAS Server
    • NDES Infrastructure
  3. Client
    • Trusted Root Certificate
    • SCEP Certificate
    • Template VPN Profile
    • VPN Profile
  4. Service Accounts
    • svc_NDES – NDES Service Account (Domain User)

These components make up the infrastructure required to get Always On VPN up and running.
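As an added example (not part of the original post), here is a PowerShell pre-flight check for the servers, AD groups, NDES service account and public DNS record listed above; the host names, group names and FQDN in `$Config` are assumptions to replace with your own.

```powershell
# Added pre-flight check for the Always On VPN components listed above.
# Run from a domain-joined admin host with RSAT (ActiveDirectory and
# ServerManager modules). All names in $Config are assumptions.
#Requires -Modules ActiveDirectory, ServerManager

$Config = @{
    Servers = @{ NPS = 'NPS01'; RRAS = 'VPN01'; NDES = 'NDES01' }
    Groups  = @('AOVPN-VPN-Servers', 'AOVPN-NPS-Servers',
                'AOVPN-NDES-Servers', 'AOVPN-VPN-Users')
    NdesSvc = 'svc_NDES'             # NDES service account (plain domain user)
    VpnFqdn = 'vpn.example.com'      # public DNS name the clients will dial
}

# Role -> Windows features that must be installed on that server
$Features = @{
    NPS  = @('NPAS')
    RRAS = @('RemoteAccess', 'DirectAccess-VPN')
    NDES = @('ADCS-Device-Enrollment')
}

$results = @(foreach ($role in $Config.Servers.Keys) {
    $server = $Config.Servers[$role]
    foreach ($feature in $Features[$role]) {
        $f = Get-WindowsFeature -Name $feature -ComputerName $server -ErrorAction SilentlyContinue
        [pscustomobject]@{ Check = "$role`: $feature installed on $server"; Ok = [bool]$f.Installed }
    }
})

# Security groups for the VPN, NPS and NDES servers and the VPN users
$results += foreach ($g in $Config.Groups) {
    [pscustomobject]@{ Check = "AD group $g exists"; Ok = [bool](Get-ADGroup -Filter "Name -eq '$g'") }
}

# NDES service account must exist and should stay a plain domain user
$svc = Get-ADUser -Filter "SamAccountName -eq '$($Config.NdesSvc)'" -Properties MemberOf
$results += [pscustomobject]@{ Check = "$($Config.NdesSvc) exists"; Ok = [bool]$svc }
$results += [pscustomobject]@{
    Check = "$($Config.NdesSvc) is not a Domain Admin"
    Ok    = [bool]$svc -and -not ($svc.MemberOf -match '^CN=Domain Admins,')
}

# Public A record for the RRAS endpoint (items 12 and 13 above)
$dns = Resolve-DnsName -Name $Config.VpnFqdn -Type A -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Check = "Public A record for $($Config.VpnFqdn)"; Ok = [bool]$dns }

$results | Format-Table -AutoSize
```

Any row with `Ok` set to False points at a prerequisite to fix before moving on to the certificate templates in Part 2.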

However, if you’re utilising Windows Hello for Business (WHfB) then there are a few extra steps needed to enable authentication back to on-premises resources using WHfB rather than the traditional username and password combination. This requires additional certificate templates and infrastructure. However, Microsoft now has Cloud Kerberos, so I will also do a post about that after this series.

Series Posts

I plan to break this down into 4 additional posts:

  1. Always On VPN Entra Join – Part 2 Certificate Templates – Andy Kemp
  2. Always On VPN Entra Join – Part 3 Core Always On VPN Infrastructure – Andy Kemp
  3. Always On VPN Entra Join – Part 4 Configure Always On VPN for Entra Joined Devices – Andy Kemp
  4. Always On VPN Entra Join – Part 5 Deploy Always On VPN for Entra Joined Devices – Andy Kemp

So, without any further delay, let's get straight into Part 2 – Certificate Templates.
