I am looking at moving away from Direct Access and deploying Always On VPN.
I am just starting to gather information and finding it seems somewhat scattered, leaving me with a high-level understanding of what is going on but unsure of more of the technical details.
Some things I am unsure of at the moment are:
- With DA already installed and working with a domain, will installing a new RRAS server with the Direct Access role automatically deploy GPOs to the domain? Possibly destroying existing DA GPOs? I would like to deploy Always On VPN in parallel and eventually migrate everyone over to it. We are still migrating machines to Windows 10, so I cannot just kill DA yet.
- Are device tunnels working as expected with Windows 10 1803, or are there still issues? Has anything been fixed with 1709?
- Will applying any traffic filters to device tunnels still break manage-out functionality? Or was that resolved in 1803?
- Is it possible to deploy both user and device tunnels to use IKE by default but switch to SSTP if IKE fails? Or is SSTP considered a better option to just avoid connectivity issues and accept the slightly less secure configuration (if it even is less secure; I'm not 100% clear on that either)?
- If using SCCM to deploy VPN profiles, can it deploy profiles that will do device and user tunnels? Anything it doesn't do that I should know about?
These are a few questions I have after reading about Always On VPN today for the first time.