Want to deploy AOVPN / Always On VPN Connections with Group Policy or other tools? It doesn't have to be insanely difficult. With PolicyPak VPN Manager, just take your EAP profile and you've got all you need. Connections can be always on (forced) or not.
Hi, this is Jeremy Moskowitz. In this video I’m going to show you how you can create VPN and Always On VPN Connections using PolicyPak. If you’ve ever tried to do this before, you know this is a hugely difficult thing. However, we’re going to try to show you how to do it very fast. What is true is that you need what we call a template connection, one that does, in fact, already connect you over to your VPN server.
Once you have this, you’re ready to go. Be sure to get started only after you have your template connection that works. Once you have this, there’s a script you need to run called MakeProfile.ps1 that you can get from Microsoft. I’ll have the link available in the documentation.
Once you run this script, what it does is it takes your template connection and gets you what’s called your EAP profile. This is the meaty guts that makes the thing work. What we’re going to do is we’re going to take this and we’re going to copy it and hold onto that for just a second.
What we’ll then do is go over to PolicyPak land. For my sales team, I can either do user or computer side tunneling. I’m going to go ahead and create a GPO here called PP VPN Demo 1. Then I’m going to edit this. I can create, like I said, either user side or device side tunneling. I just simply go to user or computer side. I’ll do one first and then the other.
I’ll go to VPN Manager here. I will right-click Add a New Policy here. Just fill in the blanks. We’ll call this USER VPN 1. This can be an always on connection, if that’s what you want to do.
Just give a description. This is VPN 1 for Fabrikam. My address is vpn1.fabrikam.com. This will be the default server. If you have multiple servers, that’s fine.
Pretty much after this, all you’re going to do is take your EAP configuration and drop it in there. For user method, you’re going to want certificates. Go ahead and click Next. The rest is pretty optional.
I’m going to just slam through all this. I don’t have any DNS requirements or proxy settings or split tunneling. You can enable it if you want to. It would probably be a good idea, depending on your scenario. I don’t have any trusted network detections that I need to do here. I’m ready to go.
I’ll call this User VPN Always On. I’m ready to configure it. I’ll go ahead and hit Finish. Let’s see if it goes. If I go over here and close this up, I don’t need this anymore. I’ll just open a command prompt and run GP Update.
Let’s go ahead and see what happens in real time. There it is, My User VPN 1, and it’s always connected. If you go ahead and try to disconnect, too bad, it’s always on. It’s called Always On VPN.
We’re done with that one. If you don’t want to use it anymore, you can right-click, delete it, or you can set it to disabled. When we do this, we’re going to automatically nuke that for you. I’ll go ahead and show what that looks like here too. I’ll go ahead and run GP Update. We’ll say goodbye to that connection. There it goes.
Now that we’re done with that, let’s go ahead and create a computer side device tunnel. We’ll do that on the computer side. We’ll right-click Add a New Policy here. We’ll go ahead and click Next. The connection type can’t be automatic. If you want to do Always On VPN on the computer side for tunneling, it’s got to be IKEv2 specifically, and then you can set it to always on. We’ll call this Computer Side Device Tunnel. In the description here we can just call it Fabrikam, and this will be vpn1.fabrikam.com.
We’ll make this the default server here, and we’re ready to continue. Now you’re going to be using machine certificates to do this. Then you’ll go ahead and click Continue. If you have unusual settings on the server, you can match those here that can be set. DNS settings are optional. Proxy settings are optional.
Split tunneling is optional. You do have to select that here for Always On VPN Tunneling on the computer side. I’m going to go ahead and set it. If you make a mistake, we actually help you at the very end. Here is where you get to select Device Tunnel. We’ll call this Device 123 Demo. Again, if you make a mistake at this stage, we’ll go ahead and let you know that. We’re ready to check it.
Now we’ll go to GP Update here, and let’s see what happens. We’re creating our device tunnel on the fly. Computer Side Device Tunnel Connected, and there’s no way to disconnect. To try to disconnect, that’s not a thing because it’s Always On VPN.
That’s it. That’s how fast you can create Always On VPN Connections on the user or the computer side. You don’t have to make them Always On VPN. You just uncheck the Always On checkbox, and you can have standard VPN Connections. I hope this helps you out. Looking forward to getting you started with PolicyPak real soon. Thanks so much.
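Added example, not part of the transcript and not PolicyPak or Microsoft code: before the EAP profile taken from the template connection is pasted into a policy that reaches every client, this inspects which EAP methods it carries and whether it pins the authentication server. `Test-EapProfile`, the trimmed sample XML, the server name `nps1.fabrikam.com` and the template name `Template` are assumptions made for illustration.

```powershell
# Added example. Test-EapProfile is a hypothetical helper, not a PolicyPak or Windows cmdlet.
function Test-EapProfile {
    param([Parameter(Mandatory)][string]$EapXml)

    $doc = [xml]$EapXml
    # EAP method numbers are IANA-assigned: 13 = EAP-TLS (certificates), 25 = PEAP, 26 = EAP-MSCHAPv2.
    $names = @{ '13' = 'EAP-TLS'; '25' = 'PEAP'; '26' = 'EAP-MSCHAPv2' }
    # local-name() sidesteps the several XML namespaces used inside an EAP profile.
    $types   = @($doc.SelectNodes("//*[local-name()='Type']") |
                 ForEach-Object { $_.InnerText.Trim() } | Select-Object -Unique)
    $servers = @($doc.SelectNodes("//*[local-name()='ServerNames']") |
                 ForEach-Object { $_.InnerText.Trim() } | Where-Object { $_ })
    $roots   = @($doc.SelectNodes("//*[local-name()='TrustedRootCA']") |
                 ForEach-Object { $_.InnerText.Trim() } | Where-Object { $_ })

    [pscustomobject]@{
        Methods           = ($types | ForEach-Object {
                                if ($names.ContainsKey($_)) { $names[$_] } else { "type $_" }
                            }) -join ', '
        UsesCertificates  = $types -contains '13'   # the transcript calls for certificates
        PasswordBased     = $types -contains '26'   # MSCHAPv2 means a password method is in play
        ServerNamesPinned = $servers.Count -gt 0    # client checks the server's certificate name
        TrustedRootPinned = $roots.Count -gt 0      # client checks the issuing root CA
    }
}

# Constructed, trimmed sample profile (not from the video); thumbprint is a placeholder.
$sample = @'
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type></EapMethod>
  <Config>
    <Eap>
      <Type>13</Type>
      <EapType>
        <ServerValidation>
          <ServerNames>nps1.fabrikam.com</ServerNames>
          <TrustedRootCA>PLACEHOLDER-ROOT-CA-THUMBPRINT</TrustedRootCA>
        </ServerValidation>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
'@
Test-EapProfile -EapXml $sample

# Against a real template connection ('Template' is a placeholder name):
# Test-EapProfile -EapXml (Get-VpnConnection -Name 'Template').EapConfigXmlStream.InnerXml
```

A profile that reports `ServerNamesPinned` or `TrustedRootPinned` as false is worth fixing on the template connection before it is copied into the policy, since every client receiving the GPO inherits the same settings.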