What decides whether Always On VPN should try to connect or not?

Lars 21 Reputation points
2021-06-15T09:06:38.56+00:00

Always on installed on Windows Server 2019, clients deployed through Intune as device tunnel (machine certificate)

It works in most cases. No VPN if you are in the office, and auto connecting when roaming.

But. We have some branch offices with Branch Office VPNs (split-tunnel IPsec), and even though the clients in these branch offices can access the DC DNS (thus logging on to the domain), getting the network location shown as

domain.local
Connected

AOVPN still tries to establish AOVPN, succeeding and resulting in two VPNs and a network location saying:

domain.local 3 (Unauthenticated)
No Internet

After running rasdial /disconnect it reconnects again, ending up with:
domain.local
Connected

My question is: what makes the AOVPN decide to "dial" a connection? I would assume that if the client decides that it is on the domain network, it will not dial AOVPN. But apparently this is not the case when on the BO split VPN.

Regards, Lars.


Accepted answer
  1. Jiang Zhang 786 Reputation points
    2021-06-17T07:12:16.097+00:00

    Hi,

    You mentioned "I would assume that if the client decides that it is on the domain network, it will not dial AOVPN. But apparently this is not the case when on the BO split VPN." From my understanding, when deploying Windows 10 Always On VPN, Trusted Network Detection (TND) can be configured, which enables clients to detect when they are on the internal network. The VPN client will evaluate the DNS suffix assigned to all physical adapters that are active. If one matches the trusted network setting, the client is determined to be on the internal network and the VPN connection will not connect. If the DNS suffix is not present on any of these adapters, the client is determined to be outside the internal network and the VPN connection will be established automatically.

    In my opinion, you may check whether all the branch office clients' adapters have been assigned the DNS suffix.

    The following link describes how to configure the DNS suffix presented on adapters, for your reference.

    https://directaccess.richardhicks.com/2020/03/24/always-on-vpn-trusted-network-detection/

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Best Regards,
    Mulder Zhang

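The evaluation the accepted answer describes, reproduced as an added PowerShell example (this is not code from the original post or from Microsoft's VPN client): read the TrustedNetworkDetection value from a VPNv2 CSP profile, collect the connection-specific DNS suffix of each active physical adapter, and report whether the device tunnel would be expected to dial. The profile fragment, the adapter objects and the suffix "branch.example" are constructed for the example, and Get-ActivePhysicalAdapterSuffix and Test-AovpnTrustedNetwork are helper names chosen here.

```powershell
# Added example: mimics the Always On VPN Trusted Network Detection (TND) check
# described in the answer. Not the VPN client's own logic; assumptions are labelled.

function Get-TrustedSuffixesFromProfile {
    param([Parameter(Mandatory)][string]$ProfileXml)
    $doc = [xml]$ProfileXml
    # VPNv2 CSP stores TND as a comma-separated list of DNS suffixes under <VPNProfile>
    $raw = [string]$doc.VPNProfile.TrustedNetworkDetection
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    return @($raw.Split(',') | ForEach-Object { $_.Trim().TrimStart('.') } | Where-Object { $_ })
}

function Get-ActivePhysicalAdapterSuffix {
    # Live query on a Windows client: physical adapters that are Up, joined to
    # their DNS client settings (connection-specific suffix, usually from DHCP option 15).
    Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
        $dns = Get-DnsClient -InterfaceIndex $_.InterfaceIndex
        [pscustomobject]@{
            InterfaceAlias           = $_.Name
            ConnectionSpecificSuffix = $dns.ConnectionSpecificSuffix
        }
    }
}

function Test-AovpnTrustedNetwork {
    param(
        [Parameter(Mandatory)][string[]]$TrustedSuffixes,
        [Parameter(Mandatory)][object[]]$Adapters
    )
    $results = foreach ($a in $Adapters) {
        $suffix = [string]$a.ConnectionSpecificSuffix
        $hit = @($TrustedSuffixes | Where-Object { $suffix -and ($suffix -ieq $_) }).Count -gt 0
        [pscustomobject]@{
            InterfaceAlias = $a.InterfaceAlias
            Suffix         = $suffix
            Trusted        = $hit
        }
    }
    # One matching active physical adapter is enough to count as "inside"
    $onTrusted = @($results | Where-Object { $_.Trusted }).Count -gt 0
    if ($onTrusted) { $expected = 'Device tunnel stays disconnected' }
    else            { $expected = 'Device tunnel will dial' }
    [pscustomobject]@{
        OnTrustedNetwork = $onTrusted
        Expected         = $expected
        Adapters         = $results
    }
}

# Constructed profile fragment (assumed values, not the poster's real profile)
$sampleProfile = @'
<VPNProfile>
  <DeviceTunnel>true</DeviceTunnel>
  <TrustedNetworkDetection>domain.local</TrustedNetworkDetection>
</VPNProfile>
'@
$trusted = Get-TrustedSuffixesFromProfile -ProfileXml $sampleProfile

# Constructed adapter states: head office LAN handing out domain.local, and a branch
# office whose DHCP hands out a different suffix (branch.example is an assumed value).
$headOffice = @([pscustomobject]@{ InterfaceAlias = 'Ethernet'; ConnectionSpecificSuffix = 'domain.local' })
$branch     = @([pscustomobject]@{ InterfaceAlias = 'Ethernet'; ConnectionSpecificSuffix = 'branch.example' })

Test-AovpnTrustedNetwork -TrustedSuffixes $trusted -Adapters $headOffice
Test-AovpnTrustedNetwork -TrustedSuffixes $trusted -Adapters $branch

# On a real client, evaluate the live adapters instead of the constructed ones:
# Test-AovpnTrustedNetwork -TrustedSuffixes $trusted -Adapters (Get-ActivePhysicalAdapterSuffix)
```

Only physical adapters are consulted, so a branch office's site-to-site IPsec tunnel does not add a suffix the client can see; what matters is the connection-specific suffix the branch DHCP server assigns to the client's Ethernet or Wi-Fi adapter. Running the live form on a branch client shows at a glance whether that suffix matches the profile's TrustedNetworkDetection value.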


0 additional answers
