
DirectAccess or AOVPN: Which One Performs Better on Windows Server 2019?


It is important to note that you can run both DirectAccess and VPN connections on a Windows Server 2019 machine that has the Remote Access Server role installed.

This role allows client devices that use DA, AOVPN, and traditional VPN connections to reach the network.


Problems With Passwords And Login Via A Traditional Virtual Private Network

Suppose you have worked on the helpdesk of a company whose remote users connect over a traditional virtual private network. You will have answered plenty of calls about the VPN and passwords.
Sometimes users forget their passwords, or their passwords have expired and must be changed, and a traditional VPN handles these situations poorly.

Sometimes an employee changes an expired password at work, but when they get home and try to connect remotely to the organization’s network, they cannot remember which password they used. What is the solution to password problems over a traditional VPN?
Reset the user’s password and have them bring the company laptop back to the office. A helpdesk takes such calls all day long, and this is a real limitation of older virtual private networks.

Microsoft’s newer remote access solutions do not have this type of problem. Because DA and AOVPN are part of the operating system, they can establish their connection as soon as Windows is online.

Even while I am sitting at the login or lock screen, waiting to enter my username and password, the DirectAccess tunnel or the Always On VPN Device Tunnel is already up as long as the machine has Internet access.
That means tasks that depend on the corporate network, such as a password change, work without interruption.

So if my password has expired, I simply change it at the login screen. If I have forgotten it and cannot log in to my laptop, I can call the organization’s helpdesk, have them reset it, and log in with the new password right away, because DA or AOVPN already has the machine talking to the domain.
Another useful consequence of this built-in connectivity is logging in with a different account. Have you ever tried logging in to your laptop, away from the office, with a domain account that has never used that machine?

With a traditional VPN the logon fails because there are no cached credentials for that account; with DA or AOVPN it works without any problems.


Firewalls That Block Ports

Another common VPN call to the helpdesk is "my connection does not work from this hotel" (or, more rarely, from home). Unfortunately, most of the protocols that traditional virtual private networks use are not firewall-friendly.
Home routers usually let any outbound traffic through, so the VPN works fine there; but as soon as you take the laptop somewhere else, such as a coffee shop, hotel, or airport, the picture changes.
While you are trying to connect, the VPN client suddenly shows a strange error and never establishes the connection.
This usually happens on public networks whose traffic passes through a firewall that blocks the ports the VPN needs.

Some firewalls restrict inbound and outbound traffic such as ICMP and UDP, which can interfere with virtual private network connections.
In the worst case, a firewall allows only two outbound ports, TCP 80 for HTTP and TCP 443 for HTTPS web traffic, and blocks everything else. How do the newer remote access technologies address this? What happens when you are behind a firewall that blocks the port your tunnel needs?

DirectAccess has a solution to this problem. Remember the three transition protocols that DA can use to make a connection? One of them is IP-HTTPS, whose traffic flows over TCP 443.
Therefore DA connects automatically, with no user intervention, even when the client sits behind a strict firewall.
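The following script is an added example (not code from the original post) that checks, from a Windows client, which of the paths described above can work on the current network: it probes TCP 443 to the gateways, and then reads what the RAS client and DirectAccess client actually negotiated, since Test-NetConnection cannot probe the UDP 500/4500 that IKEv2 needs. The gateway names are placeholders.

```powershell
# Added example, not code from the original post. Checks which remote-access
# path can work from the current network: TCP 443 (DirectAccess IP-HTTPS and
# AOVPN SSTP) versus the UDP 500/4500 path that IKEv2 requires.
# Gateway names are placeholders. Run in an elevated PowerShell on a
# domain-joined Windows client with the DA and/or AOVPN client configured.

function Test-RemoteAccessPath {
    param(
        [string]$VpnGateway = 'vpn.example.com',   # placeholder AOVPN gateway name
        [string]$DaGateway  = 'da.example.com'     # placeholder DA IP-HTTPS endpoint
    )

    # TCP 443 is the one outbound port even the strictest firewalls leave open.
    $vpn443 = (Test-NetConnection -ComputerName $VpnGateway -Port 443 `
                -WarningAction SilentlyContinue).TcpTestSucceeded
    $da443  = (Test-NetConnection -ComputerName $DaGateway -Port 443 `
                -WarningAction SilentlyContinue).TcpTestSucceeded

    # Test-NetConnection only probes TCP, so UDP 500/4500 cannot be tested
    # directly. Instead look at what the RAS client negotiated: a connected
    # profile with TunnelType Ikev2 proves the UDP path is open; Sstp means
    # the client fell back to TCP 443.
    $profiles  = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
                 @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    $connected = $profiles | Where-Object ConnectionStatus -eq 'Connected'
    $ikev2Up   = [bool]($connected | Where-Object TunnelType -match 'ikev2')
    $sstpUp    = [bool]($connected | Where-Object TunnelType -match 'sstp')

    # DirectAccess side: overall client status plus the IP-HTTPS interface
    # state (the netsh text shows any error the TCP 443 tunnel reports).
    $daStatus = Get-DAConnectionStatus -ErrorAction SilentlyContinue
    $ipHttps  = (netsh interface httpstunnel show interfaces 2>$null) -join "`n"

    $advice = if ($vpn443 -and -not $ikev2Up -and -not $sstpUp) {
        'TCP 443 is reachable but no AOVPN tunnel is up: enable SSTP as the fallback protocol in the profile'
    } elseif ($sstpUp) {
        'IKEv2 is blocked on this network; AOVPN fell back to SSTP (user tunnel only, so nothing before logon)'
    } else {
        'OK'
    }

    [pscustomobject]@{
        VpnGatewayTcp443 = $vpn443
        DaGatewayTcp443  = $da443
        Ikev2TunnelUp    = $ikev2Up
        SstpTunnelUp     = $sstpUp
        DaStatus         = $daStatus.Status
        IpHttpsState     = $ipHttps
        Advice           = $advice
    }
}

Test-RemoteAccessPath | Format-List
```

On a hotel network that allows only TCP 80/443 you would expect both Tcp443 checks to succeed, Ikev2TunnelUp to be false, and either SstpTunnelUp to be true or the IP-HTTPS interface to report itself active; if none of those is the case, the profile is missing its fallback.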

Always On VPN is generally deployed following best practices, which include preferring IKEv2 as the VPN tunneling protocol.

Some companies deploy AOVPN with IKEv2 only.

A port-restricted firewall is a serious problem for a VPN connection that can use only IKEv2. So when setting up AOVPN, one of the most important steps is to enable SSTP as a backup connection method. SSTP also carries its traffic over TCP 443, so it gets through even the strictest firewalls.

Sometimes network administrators are unsure whether DirectAccess or Always On VPN is the better choice for connecting devices remotely. For example, suppose a company plans to deploy several computers to physicians in hospitals and wants them to connect to the primary data center automatically.
Either DirectAccess or Always On VPN is a good fit for this scenario, but making the right choice requires testing. In testing you may find that some hospital networks allow only limited Internet access: DA can get through only via IP-HTTPS, and AOVPN only via SSTP.
So far there is no real problem. The catch is that these remote workstations are often used as kiosks, where different doctors log in to the same machine.
In other words, doctors who have never logged in to these computers, and whose credentials are therefore not cached on them, need to use them.

If you run into this problem, you have no choice but to go with DirectAccess. DA is connected at the login screen even when it has fallen back to IP-HTTPS. Always On VPN cannot connect before logon here, because the Device Tunnel requires IKEv2, IKEv2 needs UDP, and the firewall blocks UDP.
Hence the only way AOVPN can connect on such a network is over SSTP, but SSTP is available only in a User Tunnel, and a User Tunnel comes up only after the user has logged in.
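The two ProfileXML documents below are an added example (not code from the original post and not Microsoft’s own sample script) that implements both points made above: the User Tunnel prefers IKEv2 and falls back to SSTP over TCP 443, while the Device Tunnel, which is what exists before logon, can only be IKEv2 with machine-certificate authentication. They are applied through the MDM bridge WMI class, which is the documented way to deploy ProfileXML from PowerShell. The gateway name, route, and the hand-made "AOVPN-Template" profile (from which the EAP settings are copied) are placeholders for your environment.

```powershell
# Added example, not code from the original post and not Microsoft's script.
# Two AOVPN ProfileXML documents deployed through the MDM bridge WMI class
# (namespace root\cimv2\mdm\dmmap, class MDM_VPNv2_01).
# Assumptions: $Gateway and $CorpNet are placeholders; 'AOVPN-Template' is a
# profile you created once by hand on a test client with the EAP/NPS settings
# you want, so its EAP XML can be reused here.

$Gateway = 'vpn.example.com'                            # placeholder gateway FQDN
$CorpNet = @{ Address = '10.0.0.0'; PrefixSize = 8 }    # placeholder internal range

# EAP configuration is too large to hand-write; lift it from the template
# profile. Under SYSTEM (device tunnel context) this is simply $null.
$EapXml = (Get-VpnConnection -Name 'AOVPN-Template' -ErrorAction SilentlyContinue).EapConfigXmlStream.InnerXml

# User Tunnel: NativeProtocolType=Automatic tries IKEv2 first and falls back
# to SSTP over TCP 443, so it still connects where UDP 500/4500 is blocked.
# It exists only after a user has logged on.
$UserTunnelXml = @"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>false</RememberCredentials>
  <NativeProfile>
    <Servers>$Gateway</Servers>
    <NativeProtocolType>Automatic</NativeProtocolType>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap><Configuration>$EapXml</Configuration></Eap>
    </Authentication>
  </NativeProfile>
  <Route><Address>$($CorpNet.Address)</Address><PrefixSize>$($CorpNet.PrefixSize)</PrefixSize></Route>
</VPNProfile>
"@

# Device Tunnel: comes up before logon (this is what makes password changes
# and first-time logons work), but it is IKEv2 with a machine certificate only.
# There is no SSTP option here, so behind a TCP-443-only firewall it will not
# connect; that is exactly the limitation in the kiosk scenario above.
$DeviceTunnelXml = @"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <NativeProfile>
    <Servers>$Gateway</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
  </NativeProfile>
  <Route><Address>$($CorpNet.Address)</Address><PrefixSize>$($CorpNet.PrefixSize)</PrefixSize></Route>
</VPNProfile>
"@

function Install-VpnProfileXml {
    param([Parameter(Mandatory)][string]$ProfileName,
          [Parameter(Mandatory)][string]$ProfileXml)

    $ns  = 'root\cimv2\mdm\dmmap'
    $cls = 'MDM_VPNv2_01'
    $id  = [uri]::EscapeDataString($ProfileName)    # InstanceID must be URL-encoded

    # Remove any existing instance so re-running the script is idempotent.
    Get-CimInstance -Namespace $ns -ClassName $cls -ErrorAction SilentlyContinue |
        Where-Object InstanceID -eq $id | Remove-CimInstance

    New-CimInstance -Namespace $ns -ClassName $cls -Property @{
        ParentID   = './Vendor/MSFT/VPNv2'
        InstanceID = $id
        ProfileXML = [System.Security.SecurityElement]::Escape($ProfileXml)
    } | Out-Null
}

# The Device Tunnel must be created in the SYSTEM context (e.g. a scheduled
# task running as SYSTEM); the User Tunnel in the user's own context.
if ([Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
    Install-VpnProfileXml -ProfileName 'AOVPN Device Tunnel' -ProfileXml $DeviceTunnelXml
} else {
    Install-VpnProfileXml -ProfileName 'AOVPN User Tunnel' -ProfileXml $UserTunnelXml
}

@(Get-VpnConnection) + @(Get-VpnConnection -AllUserConnection) |
    Select-Object Name, TunnelType, ConnectionStatus
```

After deployment, a client on a TCP-443-only network should show the User Tunnel connected with TunnelType Sstp once someone has logged in, and the Device Tunnel disconnected; that combination is the visible symptom of the kiosk problem, and the reason the post recommends DirectAccess for that case.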

Manual Disconnection

If you are still unconvinced that traditional virtual private networks no longer meet today’s needs, here is another example. With a VPN that the user has to start manually, connectivity depends on the user remembering to connect.
Management systems such as WSUS, SCCM, and Group Policy need that connectivity to do their jobs. When the laptop is away from the local network, those systems can only work during the time the user happens to have the VPN connected.

Automatically connecting solutions such as Always On VPN or DirectAccess solve this problem: the laptop stays connected throughout the day and receives all of its security policies.

DirectAccess goes a step further: you can prevent users from turning off their DA tunnels at all. You can still give them a Disconnect button that tells them the connection is disconnected and DA is offline, while the IPsec tunnels stay active in the background and keep doing their work.

Native load-balancing capabilities

The Remote Access Management console in Windows Server 2019 can configure and manage arrays of DA servers. You can join multiple DA servers together into a load-balanced array without any additional or traditional load-balancing hardware.
You can also configure DirectAccess multisite, which lets you place DirectAccess servers in different geographic locations and build resilient arrays.
Almost every company running DirectAccess takes advantage of this built-in load balancing, because it is so easy to configure. Unfortunately, nothing equivalent has been introduced on the Microsoft VPN side.