I am looking at migrating to Always-On VPN, from DirectAccess. In my research so far, it seems like AOVPN has a lot of shortcomings and not a lot of documentation. (Remember when companies used to consider documentation to be an actual part of their product instead of a half-baked afterthought they release months/years later? Sigh.)
There are a few shortcomings in particular that I'm hoping to get some clarification on, to make sure I am understanding these shortcomings correctly:
1. If I use User Tunnels, then RRAS+NPS has to be configured to allow connections from the appropriate user accounts. But then there is no way for me to prevent those users from configuring a VPN client on their personally-owned, malware-infected home PC and connecting to the VPN with their user account credentials.
2. If I use Device Tunnels, then there is no NPS and basically no meaningful authentication at all. The RRAS server can check which CA the client certificate was signed by, and that's it. So anybody possessing a keypair for any certificate whatsoever from the enterprise CA could use it to connect to the VPN. There's no way to accept connections only from specific devices, other than to deploy and maintain a dedicated enterprise CA just for those specific devices.
3. Configuring traffic filters in the connection profile is touted as a way to protect the corporate network from unauthorized actions of the VPN client device, but this appears to be little more than security theatre. This filtering happens on the actual client device that the filters are supposedly intended to protect the network from. So anybody with appropriate permission on the client device could just change the filters to access whatever IPs they want.
4. It seems like Microsoft's suggested approach is to use both User Tunnel and Device Tunnel simultaneously. But it also sounds, anecdotally, like AOVPN is full of bugs that mean using both at once almost never works properly. Also, it seems like using both would be almost entirely pointless. User Tunnel adds the ability to have SSTP fallback, but other than that, I do not understand what the point of using both would be. Is there a point?
Is my understanding of these points accurate? If so, then I would say AOVPN is mostly a joke and definitely not a replacement for DirectAccess yet. Hopefully this is not the case and I'm just missing something simple that somebody can clue me in on...
Always-On VPN shortcomings