8 Security and Support Concerns to consider before deploying Microsoft’s new Always On VPN

Always On VPN Concerns

Windows Server 2016’s new “Always On VPN” provides new options for remote access to internal network resources. With Windows 10 Virtual Private Networking (VPN), you can create Always On VPN connections so that remote computers and devices are always connected to your organization's network whenever they are turned on and connected to the Internet.

Requirements to Deploy Always On VPN

Is the new Always On VPN more secure or easier to administer and use than DirectAccess or third-party VPNs? We looked at numerous blog articles to gather the requirements to deploy Always On VPN. Here are potential items that may lead to additional support costs and security concerns that enterprises will want to be aware of.

  1. AO VPN cannot be managed natively using Active Directory and group policy. It must be configured and managed using Microsoft System Center Configuration Manager (SCCM), Microsoft Intune, or PowerShell.
  2. AO VPN works only with Windows 10. It is not supported for Windows 7 or other operating systems.
  3. While AO VPN does add extensive filtering options, no additional blocking technologies exist to prevent viruses or malware, such as CryptoLocker, from encrypting files.
  4. A Public Key Infrastructure (PKI) is required along with Active Directory Certificate Services to authenticate clients.
  5. Like DirectAccess, AO VPN requires two network adapters, with one directly connecting to the external perimeter network.
  6. Remote client computers must be joined to the Active Directory domain.
  7. The IT department will need to maintain an additional fleet of corporate laptops with VPN pre-configured for each potential remote user, eliminating the BYOD option.
  8. Using an Always On VPN violates the principle of Zero Trust least-privileged access, as noted by Zscaler.

Browser Based VPN Alternatives

TechTarget encourages companies to consider web-based VPN software alternatives: “Browser-based remote access services offer both cost and ease-of-use advantages. Web browsers are already present on nearly every computing device, public or private, large or small. Web-based solutions use this browser and dynamically downloaded code to avoid installing and configuring VPN client software on the worker’s device. This approach facilitates remote access from just about anywhere and can significantly reduce per-user VPN administration costs. Savings are even greater for companies that eliminate corporate laptops by leveraging existing desktops for Web-based remote access.”


MyWorkDrive.com’s browser-based file access software helps companies reduce their VPN support costs while reducing their security exposure risks. Users simply open a browser to access their work files using their existing Windows Active Directory credentials from any device. Once logged in, they can access company shares and home drives, and edit/view documents online. For security, all MyWorkDrive clients also have Duo two-factor authentication. Even if only half of a company’s employees are directed to use MyWorkDrive’s browser-based file access client, they can achieve annual savings of up to 50% while improving security when compared to traditional VPN alternatives.

Daniel, founder of MyWorkDrive.com, has worked in various technology management roles serving enterprises, government and education in the San Francisco Bay Area since 1992. Daniel writes about information technology, security and strategy.