I'm designing an Always On VPN solution and I'd like to use a serverless approach: No RRAS or NPS servers.
I'm thinking that those services can be provided by a physical firewall, like Palo Alto.
Using IKEv2 and certificate deployments controlled by Azure AD, this looks good on the paper, but in reality I have not seen even one document that talks about this way of using Always On VPN.
Has anyone successfully deployed such a solution, replacing the RRAS and NPS servers with a physical firewall and Azure AD?
Here is the traffic flow as I see it:
Step 1: Client has a VPN profile deployed with Intune or via GPO
Step 2: Client requests a certificate from Azure
Step 3: Azure AD issues a certificate to the client
Step 4: The client goes to the physical firewall with the certificate and gets authenticated by the FW, which then gives access to whatever internal resources are configured in the policy.
My only worry so far is at the firewall level, as I cannot see how the Microsoft built-in VPN client, although very IPsec compliant, can be used to replace whatever custom client is usually provided by the HW vendor (Palo Alto in this case).
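As an added example (not part of the original post or of any vendor documentation), here is how the client side of step 4 could be set up with the built-in Windows client using PowerShell: an IKEv2 connection with machine-certificate authentication and an explicit IPsec proposal so that it matches the firewall's crypto profile. The profile name, server FQDN and crypto values are assumptions; an Intune deployment would carry the same settings in the VPNv2 ProfileXML instead.

```powershell
# Added example, not code from the original post. All names and crypto values
# are placeholders: replace them with the firewall's FQDN and IKE/IPsec profile.
$ConnectionName = 'AOVPN-Firewall'      # assumed profile name
$ServerFqdn     = 'vpn.example.com'     # placeholder firewall address

# 1. Confirm a machine certificate with the Client Authentication EKU exists.
#    IKEv2 machine-certificate auth takes the certificate from the computer store,
#    so a certificate delivered only to the user store will not be used.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$machineCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid) -and
        $_.NotAfter -gt (Get-Date)
    }
if (-not $machineCert) {
    throw 'No valid machine certificate with Client Authentication EKU in LocalMachine\My.'
}

# 2. Create the connection for all users so it can run before a user signs in.
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $ServerFqdn `
                  -TunnelType Ikev2 `
                  -AuthenticationMethod MachineCertificate `
                  -AllUserConnection `
                  -Force

# 3. Pin the IPsec proposal. Without this the client offers Windows defaults,
#    which is the usual reason phase 1/2 fails against a third-party firewall.
#    The firewall's IKE and IPsec crypto profiles must offer the same set.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -AuthenticationTransformConstants GCMAES256 `
    -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup ECP384 `
    -PfsGroup ECP384 `
    -AllUserConnection `
    -Force

# 4. Show what the client will actually propose before testing against the FW.
Get-VpnConnection -Name $ConnectionName -AllUserConnection |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, IPsecCustomPolicy
```

Run from an elevated PowerShell session; the connection can then be tested with `rasdial` and the negotiation checked against the firewall's IKE logs.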