Forum Discussion
BrianLynch58
Aug 16, 2022Copper Contributor
Always on VPN - Device Tunnel
Hello, I have a customer who is migrating from on-premises to Azure. They currently use Direct Access for their on premises access. They wish to start using Always On VPN for its extra features unt...
Richard_Hicks
Aug 17, 2022Brass Contributor
Hi Bryan,
To support an Always On VPN device tunnel the endpoint must be domain joined. This can be exclusively on-premises Active Directory or hybrid Azure AD joined. Either will work. Also, the endpoint must be running Windows Enterprise Edition. You can deploy a device tunnel to Professional Edition clients, but it won't connect automatically.
If your customer is moving from DirectAccess to Always On VPN, it is best to use the user tunnel for on-premises access. The device tunnel will work, but it isn't really designed for that. Details here.
https://directaccess.richardhicks.com/2020/04/06/always-on-vpn-device-tunnel-only-deployment-considerations/
Hope that helps!
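The device tunnel prerequisites Richard lists (on-premises AD or hybrid Azure AD join, plus Windows Enterprise edition) can be checked on a candidate client before rolling out a profile. The script below is an added example, not code from this thread or from Richard's blog; it assumes it runs locally in PowerShell on the client and that `dsregcmd /status` prints "Key : Value" lines such as `AzureAdJoined : YES`.

```powershell
# Added example: readiness check for an Always On VPN device tunnel.
# Assumes local execution on the client and the "Key : Value" line
# format of dsregcmd /status (e.g. "AzureAdJoined : YES").
function Test-DeviceTunnelReadiness {
    [CmdletBinding()]
    param()

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Flatten dsregcmd /status into a hashtable for easy lookup.
    $dsreg = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $dsreg[$Matches[1]] = $Matches[2]
        }
    }

    $domainJoined  = [bool]$cs.PartOfDomain
    $azureAdJoined = $dsreg['AzureAdJoined'] -eq 'YES'
    $hybridJoined  = $domainJoined -and $azureAdJoined
    $isEnterprise  = $os.Caption -match 'Enterprise'

    # Device tunnel requires AD or hybrid join; an Azure AD-only join
    # (typical for Intune-managed cloud-native laptops) does not qualify,
    # and such devices usually only need a user tunnel for on-prem apps.
    # Pro clients can receive the profile but will not auto-connect.
    $ready = $domainJoined -and $isEnterprise

    [pscustomobject]@{
        ComputerName        = $cs.Name
        Domain              = $cs.Domain
        DomainJoined        = $domainJoined
        AzureAdJoined       = $azureAdJoined
        HybridAzureAdJoined = $hybridJoined
        AzureAdOnly         = ($azureAdJoined -and -not $domainJoined)
        Edition             = $os.Caption
        EnterpriseEdition   = $isEnterprise
        DeviceTunnelReady   = $ready
        Recommendation      = if ($ready) { 'Device tunnel supported' }
                              elseif (-not $domainJoined) { 'Use a user tunnel; device tunnel needs AD/hybrid join' }
                              else { 'Device tunnel deploys but will not auto-connect on this edition' }
    }
}

Test-DeviceTunnelReadiness | Format-List
```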
BrianLynch58
Aug 17, 2022Copper Contributor
Hi Richard,
Thanks for the quick response. Yes, on the way home I realised that a device tunnel for an AAD joined machine was not really required.
As the laptop is AAD joined and managed by Intune, both these services are available without having to establish the device tunnel. So we can manage out to the device and the logon services are available. So there is no real requirement for the device tunnel.
If the user requires access to on-prem apps we can use a user-based tunnel.
The hybrid join is a little more ambiguous. I'm going to suggest to the customer that we use user-based tunnels for both cases for consistency and see why they are so keen on device-based tunnels.
Thanks again,
Regards