Forum Discussion
Always on VPN - Device Tunnel
Hi Bryan,
To support an Always On VPN device tunnel the endpoint must be domain joined. This can be exclusively on-premises Active Directory or hybrid Azure AD joined. Either will work. Also, the endpoint must be running Windows Enterprise Edition. You can deploy a device tunnel to Professional Edition clients, but it won't connect automatically.
If your customer is moving from DirectAccess to Always On VPN, it is best to use the user tunnel for on-premises access. The device tunnel will work, but it isn't really designed for that. Details here.
https://directaccess.richardhicks.com/2020/04/06/always-on-vpn-device-tunnel-only-deployment-considerations/
Hope that helps!
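A quick way to confirm the two prerequisites stated above on a candidate client, written here as an added example (it is not part of Richard's post): it assumes the `DomainJoined` and `AzureAdJoined` fields printed by `dsregcmd /status` and the `EditionID` value under `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion`.

```powershell
# Added example: check device tunnel prerequisites on the local Windows client.
# Assumes dsregcmd /status prints "DomainJoined : YES/NO" and "AzureAdJoined : YES/NO".
function Test-DeviceTunnelPrereqs {
    $status = dsregcmd /status

    # Join state: on-prem AD only, hybrid (both), or Azure AD only.
    $domainJoined = [bool]($status | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES' -Quiet)
    $aadJoined    = [bool]($status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)

    # Edition: device tunnel auto-connect requires Enterprise.
    $editionId = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name EditionID).EditionID
    $isEnterprise = $editionId -like 'Enterprise*'

    $joinType = if ($domainJoined -and $aadJoined) { 'HybridAzureADJoined' }
                elseif ($domainJoined)             { 'OnPremADJoined' }
                elseif ($aadJoined)                { 'AzureADJoinedOnly' }
                else                               { 'NotJoined' }

    # Device tunnel needs a domain join (on-prem or hybrid); AAD-only devices
    # should use a user tunnel instead, as discussed in the thread.
    $deviceTunnelSupported = $domainJoined -and $isEnterprise

    $notes = @()
    if (-not $domainJoined) { $notes += 'Not domain joined: device tunnel unsupported, use a user tunnel.' }
    if (-not $isEnterprise) { $notes += "Edition is '$editionId': device tunnel will not auto-connect." }

    [pscustomobject]@{
        JoinType              = $joinType
        EditionID             = $editionId
        DeviceTunnelSupported = $deviceTunnelSupported
        Notes                 = ($notes -join ' ')
    }
}

Test-DeviceTunnelPrereqs | Format-List
```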
Thanks for the quick response. Yes, on the way home I realised that a device tunnel for an AAD joined machine was not required really.
As the laptop is AAD joined and managed by Intune, both these services are available without having to establish the device tunnel. So we can manage out to the device and the logon services are available. So there is no real requirement for the device tunnel.
If the user requires access to on prem apps we can use a User based tunnel.
The hybrid join is a little more ambiguous. I'm going to suggest to the customer that we use user based tunnels for both cases for consistency and see why they are so keen on device based tunnels.
Thanks again,
Regards
- Richard_Hicks, Aug 18, 2022, Copper Contributor
I agree. For your hybrid Azure AD joined devices you might consider using the device tunnel as a supplement to the user tunnel. It is helpful for domain-joined devices because it provides pre-logon connectivity to domain controllers, which is helpful for scenarios where a user might need to log on without cached credentials. Commonly this occurs when users are provided a new device in the field (Autopilot, for example), but it can also be helpful to streamline password resets.
Have fun!