Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Windows 10 Always On VPN Configuration

As a stated direction, Microsoft is moving away from DirectAccess which we have used for many years in favor of Windows 10 Always on VPN.  In the example documentation from Microsoft all of the configurations use Windows RRAS and NPS.  I would rather use a Fortigate configuration, but I'm new to the platform and looking for some best practices and sample configurations for both the Fortigate and Windows 10 client side.


Specifically with DirectAccess there was an infrastructure tunnel established when the laptop booted using a machine certificate for authentication.  Windows 10 Always on VPN has a similar concept with Device + User Tunnel with split tunneling and I would like to continue that configuration.  Users have gotten used to just booting the laptop logging in via smartcard and they are in.


Any help or guidance on the Fortigate configuration to make this work would be much appreciated.

New Contributor

Hey, redparadox,


Have you got anybody replied to you? I am looking for the same solution...






This document from Fortinet explains the process:

New Contributor III

isamt wrote:

This document from Fortinet explains the process:

That document explains how to use FortiClient's "autoconnect" feature which is not the same as Microsoft's "Always on VPN".  


I think the documentation you will need for Fortigate configuration when setting up Microsoft's Always on VPN is this:


I'm completely new to Always on VPN but am looking at implementing it.  I have been using FortiClient's "autoconnect" for myself and it works okay, but the FortiClient software itself is total garbage, (so too is EMS).  In the end I just want a seamless user experience and don't want to be constantly upgrading a VPN client.


p1/p2 auto negatiation plus DPD and NAT Keepalive might be helpful.


"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
New Contributor

+1. I am interested in a full guide also.

I was speaking to a Fortinet Engineer (Technical Presales I think) then did some research.

What I have found out so far.

Apparently it needs to be an IKEv2 VPN. Device based, using Certificate for Authentication. It needs to be configured on the Windows device using PowerShell or MDM. Apparently now works for Windows 10 Pro as well.


That is unfortunately not entirely true depending on what part of Always On VPN is intended/required


(or has this changed some time in the middle/end of 2020. Would be nice to reference a new link from Microsoft then) 


Device tunnel requires SKU Education or Enterprise (IKEv2 only) and requires domain membership (similar to DirectAccess)User tunnel however is supported on Pro version (IKEv2 or SSTP) (this is the Always On VPN)

Device tunnels are required to allow seamless authentication of devices towards the domain. Seamless configuration through GPO and so on. Also for users to logon to the computer the first time if no cached credentials exists, then the device tunnel is also required.


As most open wireless (airports, hotels and such) pretty much block everything but HTTPS the device tunnel will fail quite often (as well as User tunnel IKEv2 falling back to SSTP)


New Contributor

Did you get anywhere with this, we are looking for the same, user tunnel comes up and works well but struggling to configure the device tunnel….


 A step by step guide would be perfect if anyone has one?


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors