Resource: AoVPN Baseline Build Documentation

In these unprecedented times we have seen a significant rise in customers looking to expand the capacity of their current VPN services.

Many companies need to implement solutions as soon as possible, and the team wanted to do what we can to help.

With the influx of customer requests for the implementation of Microsoft Always On VPN (AoVPN), and requests for support, we wanted to help by providing, for free, the internal build documentation that supports our consultants for core stage implementations.

These materials have been significantly expanded into a form that is user-friendly for those who have limited experience with AoVPN, but they do assume a good working knowledge of infrastructure and networking.

The free community content has been driven by lead author Leo D’Arcy and aims to enable IT teams to set up a baseline interim service configuration of AoVPN.


A full implementation of AoVPN, built to scale with high availability and resilience, requires specific configuration and detailed planning. Please note, therefore, that the resulting implementation is not intended for long-term use, but to support short-term immediate needs.

We would highly recommend that these instances are decommissioned when short-term needs subside.

If you wish to have a longer-term solution, please get in touch and we can help with building it alongside this short-term fix to enable a full production environment robust to your needs.

The documentation provides detailed instructions for the required certificate templates, the NPS configuration and the VPN configuration, as well as a sample client profile.

This should be enough for up to 500 users, subject to IP address considerations, server resource allocation and user performance needs. The VPN solution provides both a user tunnel, for access to services while logged in, and a device tunnel, which ensures that devices are patched and that services such as remote control and password resets work as expected without a user having to get into an office.

To scale beyond the 500 users in this model you would be required to deploy multiple instances and appropriately assign your users to an instance for access support.

Additionally, for resilience, as this is not set up as ‘Highly Available’, it is recommended to have the ability to clone the instance or to have a backup instance, so that if issues occur you can switch users to an alternative instance to restore connectivity.

To reinforce the above interim statements, it is important to understand that this is intended to support tactical “needs must” scenarios, as the resulting configuration is NOT how PowerON would typically design a VPN solution for a customer. While it is functional, and the tunnel is secure, it aims to be relatively simple and infrastructure agnostic. The trade-off is that it removes a lot of the best practices which we would typically include in a full AoVPN design and implementation.

In addition to the above, this solution does not:

  • Meet all NCSC guidelines
  • Support forcing all internet traffic into the organisation
  • Include instructions on backup, ongoing maintenance or patching
  • Provide a Highly Available Solution
  • Provide a scalable solution

All that being said, we have released this with the intent that it can support those customers who find themselves in a situation where they need something that will be functional and support larger user numbers quickly.

If you would like to receive the documentation, click the button below to download it.
Please note you will still receive the download, even if you do not tick the box to receive further comms from us following this.