1
00:00:00,240 --> 00:00:03,290
The core components of an Always On VPN infrastructure

2
00:00:03,290 --> 00:00:06,170
are VPN servers and RADIUS servers.

3
00:00:06,170 --> 00:00:09,440
VPN servers are the primary component and they're used for

4
00:00:09,440 --> 00:00:12,740
terminating VPN connections from clients on the internet.

5
00:00:12,740 --> 00:00:16,620
The most popular option for VPN services is using Windows Server,

6
00:00:16,620 --> 00:00:19,240
and specifically, the Routing and Remote Access Service,

7
00:00:19,240 --> 00:00:20,250
or RRAS.

8
00:00:20,250 --> 00:00:23,940
RRAS has been around for many, many years and is quite stable.

9
00:00:23,940 --> 00:00:27,210
It's also the most popular deployment option simply because

10
00:00:27,210 --> 00:00:29,440
it's just very easy to deploy and manage,

11
00:00:29,440 --> 00:00:32,420
it scales well, and it's very cost effective.

12
00:00:32,420 --> 00:00:37,720
There is no user licensing or per-device licensing required for using RRAS.

13
00:00:37,720 --> 00:00:40,080
However, as I stated before,

14
00:00:40,080 --> 00:00:42,990
Always On VPN is infrastructure-independent and you're by no

15
00:00:42,990 --> 00:00:45,400
means limited to using Windows Server.

16
00:00:45,400 --> 00:00:48,290
You can certainly use non-Microsoft devices,

17
00:00:48,290 --> 00:00:52,210
such as VPNs or firewalls from Cisco, Palo Alto,

18
00:00:52,210 --> 00:00:55,640
Check Point, a variety of different vendors as well.

19
00:00:55,640 --> 00:00:57,740
There are some limitations associated with this,

20
00:00:57,740 --> 00:01:01,940
and we'll talk about those in detail a little bit later.

21
00:01:01,940 --> 00:01:05,080
If you plan to use a non-Microsoft VPN,

22
00:01:05,080 --> 00:01:08,440
there are a couple of unique and very specific requirements to support this.

23
00:01:08,440 --> 00:01:12,130
First of all, you must use the native VPN client.
24
00:01:12,130 --> 00:01:15,320
This is the client software that's built into Windows,

25
00:01:15,320 --> 00:01:19,550
and of course, if you do this, you must use the IKEv2 VPN protocol.

26
00:01:19,550 --> 00:01:24,790
IKEv2 is an open standard and allows you to interoperate and integrate with a

27
00:01:24,790 --> 00:01:30,940
variety of different firewalls that are available to you.

28
00:01:30,940 --> 00:01:35,130
You can also use the plugin provider or plugin VPN client if

29
00:01:35,130 --> 00:01:38,300
your third-party firewall vendor supports that.

30
00:01:38,300 --> 00:01:41,890
These are client software components that are available in the Microsoft Store,

31
00:01:41,890 --> 00:01:45,760
and the advantage to using the plugin provider is that it uses TLS,

32
00:01:45,760 --> 00:01:51,340
which is a more firewall-friendly protocol than IKEv2.

33
00:01:51,340 --> 00:01:51,720
Today,

34
00:01:51,720 --> 00:01:55,740
there are a number of firewall and load balancer vendors that support

35
00:01:55,740 --> 00:02:00,740
plugin providers for Windows 10 and Windows 11 VPN.

36
00:02:00,740 --> 00:02:03,010
The second critical component for Always On VPN

37
00:02:03,010 --> 00:02:04,880
infrastructure is the RADIUS server.

38
00:02:04,880 --> 00:02:08,000
The RADIUS server is used to provide authentication for our VPN

39
00:02:08,000 --> 00:02:10,600
clients that are connecting to the VPN server.

40
00:02:10,600 --> 00:02:13,920
Here again, Windows Server provides probably the best option,

41
00:02:13,920 --> 00:02:15,950
certainly the most common one, and by the way,

42
00:02:15,950 --> 00:02:19,120
we'll be covering Windows Server exclusively in this course.
43
00:02:19,120 --> 00:02:20,170
In Windows Server,

44
00:02:20,170 --> 00:02:22,860
Microsoft's implementation of RADIUS is known as

45
00:02:22,860 --> 00:02:26,380
Network Policy and Access Services, or NPAS,

46
00:02:26,380 --> 00:02:28,540
sometimes just referred to as NPS,

47
00:02:28,540 --> 00:02:30,850
and we'll use that throughout the course to create

48
00:02:30,850 --> 00:02:33,040
our network connection policies.

49
00:02:33,040 --> 00:02:37,010
But here again, you're not limited exclusively to using Windows Server.

50
00:02:37,010 --> 00:02:40,970
You can use any non-Microsoft RADIUS server you choose as long as it

51
00:02:40,970 --> 00:02:44,280
supports the open, industry-standard RADIUS protocol.

52
00:02:44,280 --> 00:02:48,290
There are RADIUS server offerings available from a wide number of vendors,

53
00:02:48,290 --> 00:02:53,640
both commercial and open source, that you can choose from.

54
00:02:53,640 --> 00:02:56,120
In terms of the Windows Server requirements,

55
00:02:56,120 --> 00:03:00,860
for the VPN server, I would suggest using a minimum of Windows Server 2019.

56
00:03:00,860 --> 00:03:06,240
You can certainly deploy this on 2016 and even 2012 and 2012 R2 if you like,

57
00:03:06,240 --> 00:03:08,530
but there are some critical components that are available in

58
00:03:08,530 --> 00:03:11,470
Server 2019, or that were introduced in Server

59
00:03:11,470 --> 00:03:14,740
2019, that might be helpful to you.

60
00:03:14,740 --> 00:03:16,360
Domain join is optional.

61
00:03:16,360 --> 00:03:18,850
If you're going to put it on a LAN, I would certainly recommend that,

62
00:03:18,850 --> 00:03:21,680
but if you want to put it in a perimeter or DMZ network,

63
00:03:21,680 --> 00:03:25,780
I would recommend not joining that to a domain, and the VPN server,

64
00:03:25,780 --> 00:03:30,080
or the RRAS service, is supported on both Server GUI and Server Core.

65
00:03:30,080 --> 00:03:31,700
I'm a huge fan of Server Core.
66
00:03:31,700 --> 00:03:34,240
I advocate for that whenever possible,

67
00:03:34,240 --> 00:03:36,710
but fully understand that not every administrator is

68
00:03:36,710 --> 00:03:40,070
comfortable or even familiar with administering a Windows

69
00:03:40,070 --> 00:03:42,160
Server exclusively from the command line.

70
00:03:42,160 --> 00:03:44,220
So in our course here on Pluralsight,

71
00:03:44,220 --> 00:03:46,540
we're going to cover the Server GUI model.

72
00:03:46,540 --> 00:03:47,870
As for the NPS server,

73
00:03:47,870 --> 00:03:51,640
you can run NPS on any supported version of Windows Server.

74
00:03:51,640 --> 00:03:55,710
It does require that it be joined to your domain, because it's going

75
00:03:55,710 --> 00:03:57,830
to perform authentication against the domain,

76
00:03:57,830 --> 00:03:59,490
so it has to be able to do that;

77
00:03:59,490 --> 00:04:02,440
it has to be able to talk to domain controllers and whatnot.

78
00:04:02,440 --> 00:04:06,170
The Network Policy Server, or NPS, is supported on Server GUI only.

79
00:04:06,170 --> 00:04:13,000
It is not supported on Windows Server Core, so you must run this on the Server GUI version.