Aug 16 2022 05:09 PM
I have a customer who is migrating from on-premises to Azure. They currently use DirectAccess for their on-premises access. They wish to start using Always On VPN for its extra features until they have completed their migration to Azure and no longer require access to on-premises services.
They were asking about device tunnels.
One of the requirements for Device Tunnels is that the device is domain joined. The assumption is that this is AD Domain joined and not Azure AD joined?
Would hybrid joined work?
Or does it need to be pure AD Domain joined?
Understand a user-based tunnel can be established from an Azure AD joined device.
This is only for the migration period as they move to Azure. Once in Azure they will no longer use the VPN. (Nothing will be on premises).
They are using Intune now and want to build new laptops using Autopilot going forward, so want to AAD join the new laptops but still allow them access to on-premises. My assumption is that on these devices they will need to use a user-based tunnel.
They will still have hybrid joined laptops through the transition. So will use Intune to manage all the laptops.
Thanks and regards
Aug 17 2022 08:13 AM
To support an Always On VPN device tunnel the endpoint must be domain joined. This can be exclusively on-premises Active Directory or hybrid Azure AD joined. Either will work. Also, the endpoint must be running Windows Enterprise Edition. You can deploy a device tunnel to Professional Edition clients, but it won't connect automatically.
If your customer is moving from DirectAccess to Always On VPN, it is best to use the user tunnel for on-premises access. The device tunnel will work, but it isn't really designed for that. Details here.
Hope that helps!
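An added example (not code from the thread or its author) that checks an endpoint against the two device tunnel prerequisites stated in the answer above: the join state reported by dsregcmd (on-premises AD or hybrid Azure AD both pass; Azure AD joined only does not) and the Windows edition. It assumes Windows 10/11 with the built-in dsregcmd.exe and the RemoteAccess PowerShell module, run from an elevated session.

```powershell
# Added example, not code from the original thread. Checks the endpoint against the
# device tunnel prerequisites stated in the answer: domain joined (on-premises AD or
# hybrid Azure AD) and Windows Enterprise edition. Assumes Windows 10/11 with the
# built-in dsregcmd.exe and the RemoteAccess module; run in an elevated session.

function Get-DsregValue {
    # Pull a single "Key : Value" line out of dsregcmd /status output.
    param([string[]]$Lines, [string]$Key)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$([regex]::Escape($Key))\s*:\s*(\S+)") { return $Matches[1] }
    }
    return $null
}

function Test-DeviceTunnelPrereqs {
    $status       = & dsregcmd.exe /status
    $domainJoined = (Get-DsregValue -Lines $status -Key 'DomainJoined')  -eq 'YES'
    $aadJoined    = (Get-DsregValue -Lines $status -Key 'AzureAdJoined') -eq 'YES'

    $joinType = if ($domainJoined -and $aadJoined) { 'Hybrid Azure AD joined' }
                elseif ($domainJoined)             { 'On-premises AD joined' }
                elseif ($aadJoined)                { 'Azure AD joined only' }
                else                               { 'Not joined' }

    # EditionID is 'Enterprise' ('EnterpriseS' on LTSC) for Enterprise SKUs, 'Professional' on Pro.
    $edition      = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $isEnterprise = $edition -like 'Enterprise*'

    # Device tunnels are provisioned in the machine-wide (all-user) connection store,
    # so listing it shows whether one is already present (user tunnels pushed as
    # all-user connections would appear here too, so treat it as a hint, not proof).
    $machineVpns  = @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue |
                      Select-Object -ExpandProperty Name)

    $verdict = if (-not $domainJoined) {
        'Device tunnel not supported: use a user tunnel on Azure AD joined-only or unjoined devices'
    } elseif (-not $isEnterprise) {
        'Device tunnel can be deployed but will not connect automatically on this edition'
    } else {
        'Device tunnel supported'
    }

    [pscustomobject]@{
        JoinType              = $joinType
        EditionID             = $edition
        MachineVpnConnections = $machineVpns
        Verdict               = $verdict
    }
}

Test-DeviceTunnelPrereqs | Format-List
```

Run it on a representative laptop from each population (hybrid joined, Azure AD joined via Autopilot) before deciding which tunnel to push from Intune; the Verdict field maps directly onto the three cases in the answer.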
Aug 17 2022 05:45 PM
Aug 17 2022 05:52 PM
I agree. For your hybrid Azure AD joined devices you might consider using the device tunnel as a supplement to the user tunnel. It is helpful for domain-joined devices because it provides pre-logon connectivity to domain controllers, which is helpful for scenarios where user might need to logon without cached credentials. Commonly this occurs when users are provided a new device in the field (Autopilot, for example), but it can also be helpful to streamline password resets.
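An added example (not the poster's configuration) of the device tunnel used as a supplement to the user tunnel, as described above: it builds the ProfileXML for an IKEv2, machine-certificate, split-tunnel device tunnel whose routes and traffic filter are restricted to domain-controller subnets, so pre-logon connectivity reaches the DCs and nothing else. The VPN server name and subnets are placeholders and are assumptions; the validator encodes the constraints a device tunnel profile must meet.

```powershell
# Added example, not the original poster's configuration. Generates a device tunnel
# ProfileXML scoped to domain-controller subnets (the "supplement to the user tunnel"
# for pre-logon DC access) and sanity-checks it. Server name and subnets are
# placeholders (assumptions); replace them with the real environment's values.

function New-DeviceTunnelProfileXml {
    param(
        [string]$VpnServer,
        [string[]]$DcSubnets   # e.g. '10.10.10.0/24'; each becomes a Route and a traffic-filter range
    )
    $routes = foreach ($cidr in $DcSubnets) {
        $addr, $prefix = $cidr -split '/'
        "  <Route>`n    <Address>$addr</Address>`n    <PrefixSize>$prefix</PrefixSize>`n  </Route>"
    }
    $ranges = $DcSubnets -join ','
@"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
$($routes -join "`n")
  <TrafficFilter>
    <RemoteAddressRanges>$ranges</RemoteAddressRanges>
  </TrafficFilter>
</VPNProfile>
"@
}

function Test-DeviceTunnelProfileXml {
    # Check the constraints a device tunnel profile must satisfy before it is pushed out.
    param([string]$ProfileXml)
    $p = ([xml]$ProfileXml).VPNProfile
    $problems = @()
    if ($p.DeviceTunnel -ne 'true') { $problems += 'DeviceTunnel must be true' }
    if ($p.AlwaysOn -ne 'true')     { $problems += 'AlwaysOn must be true for pre-logon connectivity' }
    if ($p.NativeProfile.NativeProtocolType -ne 'IKEv2') { $problems += 'Device tunnel requires IKEv2' }
    if ($p.NativeProfile.Authentication.MachineMethod -ne 'Certificate') {
        $problems += 'Device tunnel requires machine certificate authentication'
    }
    if (-not $p.Route) { $problems += 'No routes: nothing would be reachable through the tunnel' }
    return $problems
}

$xml      = New-DeviceTunnelProfileXml -VpnServer 'vpn.example.com' -DcSubnets '10.10.10.0/24','10.10.20.0/24'
$problems = Test-DeviceTunnelProfileXml -ProfileXml $xml
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { $xml }
```

The generated XML is what you would place in the Intune VPN profile (or deploy in the SYSTEM context, since a device tunnel is a machine-level connection); keeping the routes and traffic filter to the DC ranges limits what an unattended, pre-logon tunnel can reach, and the user tunnel carries everything else once the user signs in.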