An always-on VPN automatically connects an external client whenever the computer is not on a trusted network, so that its internet traffic as well as its access to company resources passes through the corporate network and its security controls.
- [Narrator] In addition to the highly regulated industries such as financial and healthcare, many other companies filter traffic and monitor client activity such as web browsing and communication via email and instant messaging. When employees are inside of the trusted LAN, all traffic adheres to corporate policies, such as acceptable use, content monitoring, web security, and email filtering.
However, when clients are outside of the trusted network, there is a risk of security threats and data exfiltration. With an always-on VPN, companies can force all traffic to travel through the corporate network, even when someone is off-premise. With an always-on VPN, you have control of corporate-owned devices and corporate-compliant external devices such as bring-your-own and mobile devices, and can enforce an always-on VPN.
External users adhere to the same policies as internal users, since they must come through the corporate network when accessing internal or external resources, ensuring they are in line with corporate policies. When the network administrator enables always-on, the first thing that happens is location awareness. If the device is internal and on the trusted network, it does not need to connect to the VPN.
However, after an off-premise user logs in and the device detects that it is on an untrusted network, it automatically establishes a VPN session. The VPN session remains open until the session timer expires or the user logs off or shuts down the device. The network administrator can limit how long to maintain the VPN connection. The administrator can also set a maximum connection time or allow an unlimited connection time, which is the default.
With an always-on VPN, clients cannot drop off the VPN. If they do drop off, always-on will reestablish and reactivate the session. In some cases the network administrator can activate lock-down mode, which, if the client disconnects, prevents any traffic from leaving the device. During the course of an always-on VPN session, a device may enter sleep mode or simply stop responding.
The ASA maintains a connection with external devices and periodically sends "Keep alive" or "Are you there?" messages to monitor the device's responsiveness. The ASA can terminate the session if inactive for a specified time. If a VPN session goes idle, you can terminate the connection and force the client to reauthenticate their device and create a new VPN session. The default wait period is 30 minutes.
The advantages of always-on VPN include support for granular network access control, as the policy server will monitor the connection and provide access control. An always-on VPN will allow both IP version 4 and IP version 6. Once a client logs on, a VPN session begins. There are some limitations of an always-on VPN. It doesn't support connecting through a proxy and there may be some performance issues.
An always-on VPN ensures corporate compliance and monitors and protects the company from security threats.
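The settings the narrator walks through live in two places: the AnyConnect client profile (location awareness, always-on, the lock-down behaviour on connect failure, reconnect after sleep) and the ASA group policy (idle timer, session timer, "are you there?" keepalives). The following is an added example written for this page, not the course's own material or a Cisco-published sample. The group-policy, tunnel-group and profile names, the filename, the corporate DNS suffix and server, the VPN hostname and the captive-portal timeout are assumptions chosen for illustration; the commands and XML elements are the standard ASA and AnyConnect profile ones, and the two timer values shown are the defaults the transcript states (30-minute idle timeout, unlimited session time).

```text
=== File 1: AnyConnect client profile, uploaded to the ASA as disk0:/alwayson.xml (assumed name) ===
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Start the client at logon so the tunnel comes up before the user does anything -->
    <AutoConnectOnStart UserControllable="false">true</AutoConnectOnStart>
    <!-- A device that went to sleep reconnects on resume instead of staying off the VPN -->
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <!-- Location awareness: the client treats itself as "inside" only when the DNS suffix
         and DNS server both match the assumed values below. Inside: no tunnel. Outside: connect. -->
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedDNSServers>10.10.0.53</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <!-- Always-on: the user cannot disconnect. ConnectFailurePolicy "Closed" is the
           lock-down mode described above: if the tunnel cannot be established, no traffic
           leaves the device. "Open" would fail open and let traffic out unprotected. -->
      <AlwaysOn>true
        <ConnectFailurePolicy>Closed</ConnectFailurePolicy>
        <!-- Short window (minutes, assumed value) to get past a hotel or airport captive portal -->
        <AllowCaptivePortalRemediation>true</AllowCaptivePortalRemediation>
        <CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
        <ApplyLastVPNLocalResourceRules>false</ApplyLastVPNLocalResourceRules>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

=== File 2: ASA configuration (names assumed; "!" lines are comments) ===
webvpn
 enable outside
 anyconnect enable
 ! Register the profile file so a group policy can push it to clients
 anyconnect profiles ALWAYSON disk0:/alwayson.xml
!
group-policy GP-ALWAYSON internal
group-policy GP-ALWAYSON attributes
 vpn-tunnel-protocol ssl-client
 ! Idle timer: a session with no traffic for 30 minutes (the default) is torn down
 ! and the client must reauthenticate to get a new session
 vpn-idle-timeout 30
 ! Session timer: "none" = unlimited connection time (the default); a number of
 ! minutes here caps how long one session may stay up regardless of activity
 vpn-session-timeout none
 webvpn
  anyconnect profiles value ALWAYSON type user
  ! Dead-peer detection is the "are you there?" keepalive: the client and the ASA each
  ! probe every 30 seconds, and a device that stops answering is cleaned up
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
!
tunnel-group ALWAYSON-TG type remote-access
tunnel-group ALWAYSON-TG general-attributes
 default-group-policy GP-ALWAYSON
```

With the connect failure policy set to Closed, the captive-portal remediation window is the only time a device off the trusted network may send traffic outside the tunnel, so test that path on the kinds of networks your users actually hit before enforcing it. On the ASA, `show vpn-sessiondb anyconnect` lists the active sessions and shows whether the idle and session timers are doing what you expect.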