Immediate Access is a replacement for Microsoft's Direct Access "Always On VPN" technology. This service behaves in the same manner as Microsoft's Direct Access, but instead of connecting via IPHTTPS or Teredo, the service will start a VPN connection of your choice. (Must be a Windows VPN profile: IPSec, SSTP, L2TP, PPTP...)
This service -- along with starting a VPN connection -- will automatically close the VPN connection if the computer is on the corporate network.
In a nutshell, this service checks whether the current computer is on the corporate network by attempting to reach an internal-only "probe". The probe is a web server that responds via HTTPS with any content (a blank page is best). The HTTPS site must present a certificate the client trusts, or the Immediate Access service will not accept the probe attempt. If the probe attempt is successful, the Immediate Access service will sleep until the next "network change event" (aka: an IP address changes) or until the Health Check Interval lapses.
After an event or the Health Check Interval lapses, the Immediate Access service will re-check for a probe connection.
If the Immediate Access service cannot reach the probe, the service will connect to the GPO specified VPN profiles. If Immediate Access can once again reach the probe, the service will disconnect the GPO specified VPN profiles.
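The probe-and-dial cycle described above, sketched as an added Python example (not the project's own code). The function names, the default values, the `dial`/`hangup` callbacks and the choice to treat an HTTP error status as a failed probe are assumptions made for illustration.

```python
import http.client
import ssl
import urllib.request

def probe_reachable(url, timeout=5.0):
    """True only when the probe answers over HTTPS with a trusted certificate."""
    if not url.lower().startswith("https://"):
        return False  # plain HTTP proves nothing: any network could answer it
    ctx = ssl.create_default_context()  # validates the chain and the hostname
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx):
            return True  # the body is irrelevant; a blank page is enough
    except (OSError, http.client.HTTPException, ValueError):
        # Refused or timed-out connections, untrusted or mismatched
        # certificates, and (assumption) HTTP error statuses all land here.
        return False

def check_cycle(probe_ok, profiles, connected, dial, hangup, attempts=3):
    """Run one check; return the set of profiles connected afterwards.

    profiles is ordered from highest to lowest priority; dial(name) returns
    True on success and hangup(name) disconnects (both hypothetical callbacks).
    """
    connected = set(connected)
    if probe_ok:
        # On the corporate network: close every managed profile still up.
        for name in profiles:
            if name in connected:
                hangup(name)
                connected.discard(name)
        return connected
    if connected & set(profiles):
        return connected  # off-network and already tunnelled
    for name in profiles:  # highest priority first
        for _ in range(attempts):
            if dial(name):
                connected.add(name)
                return connected
    return connected  # nothing answered; the next check will try again

if __name__ == "__main__":
    # Constructed sample values: a made-up probe URL and profile names.
    ok = probe_reachable("https://probe.corp.example/", timeout=2)
    state = check_cycle(ok, ["Primary VPN", "Backup VPN"], set(),
                        dial=lambda n: n == "Backup VPN", hangup=print)
    print("probe ok:", ok, "connected:", state)
```

Because the probe result alone decides whether the tunnel is torn down, the certificate check is what stops an untrusted network from imitating the probe and causing a disconnect.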
https://github.com/belowaverage-org/ImmediateAccess/releases
Simply run the MSI install file, and the service should immediately start.
If you wish to push this installer via GPO, create a GPO policy and add the MSI to the software installation section of GPO. You can find more information on how to do that here:
https://support.microsoft.com/en-us/help/816102/
The internal probe is a vital part of how Immediate Access works. The internal probe is simply a web server that is available only from the internal network, and has a valid HTTPS certificate.
Here is an article on how to set up a web server using Windows:
Once the web server is installed, make sure you create an HTTPS binding with a valid certificate:
https://docs.microsoft.com/en-us/iis/manage/configuring-security/how-to-set-up-ssl-on-iis
By default, when installing via the MSI file, GPO templates are installed on the local template store located at C:\Windows\PolicyDefinitions.
If you wish to install these templates on the domain-wide policy store, copy the following files from:
C:\Windows\PolicyDefinitions\ImmediateAccess.admx
C:\Windows\PolicyDefinitions\en-US\ImmediateAccess.adml
to:
\\contoso-dc1\SYSVOL\ad.contoso.com\Policies\PolicyDefinitions\*
GPO Path: Computer Configuration\Administrative Templates\Network\Immediate Access
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Below Average\Immediate Access
The Internal Probe is the HTTPS-enabled URL that the Immediate Access VPN service will use to determine if the computer is currently connected to the corporate network. The probe must only be accessible within the corporate network and have a valid certificate.
The Vpn Profile List is a list of VPN profiles that the Immediate Access VPN service will dial when the Internal Probe is not available. Separate each entry by a return. (Enter in order of most priority to least priority)
The Probe Timeout is the time in seconds after which the Immediate Access service will time out when trying to reach the internal probe.
After a network event, Immediate Access will start testing the network to see if the Internal Probe is available.
This option creates a delay between the last network change event and the moment Immediate Access starts the probe test.
The Health Check Interval is the interval in seconds at which the Immediate Access service will test for the Internal Probe.
This setting changes the number of attempts Immediate Access will make to connect to a VPN profile.
This setting represents a timeout in milliseconds for when Immediate Access pings a VPN server.