Merged PR 7355: fixed typo and added metadata

Patti Short
2018-04-20 21:34:00 +00:00
2 changed files with 11 additions and 54 deletions


@ -7,9 +7,10 @@ ms.sitesec: library
ms.pagetype: security, networking
author: shortpatti
ms.author: pashort
manager: elizapo
ms.reviewer:
ms.localizationpriority: high
ms.date: 04/17/2018
ms.date: 04/20/2018
---
# VPN and conditional access
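Review bot: The added `ms.reviewer:` key carries no value; either fill in the reviewer alias or leave the key out, since an empty metadata field adds nothing and may fail a front-matter lint. The `ms.date` bump from `04/17/2018` to `04/20/2018` is consistent with the commit date.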
@ -44,14 +45,13 @@ Conditional Access Platform components used for Device Compliance include the fo
- Encryption compliance
- Device health attestation state (validated against attestation service after query)
The following client-side components are also required:
- [HealthAttestation Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn934876.aspx)
- [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) DeviceCompliance node settings
- Trusted Platform Module (TPM)
## VPN device compliance
According to the VPNv2 CSP, these settings options are **Optional**. If you want your users to access on-premises resources, such as files on a network share, based on the credential of a certificate that was issued by an on-premises CA, and not the Cloud CA certificate, you add these settings to the VPNv2 profile. Alternatively, if you add the cloud root certs to the NTAuth store in on-prem AD, your user's cloud cert will chain and KDC will issue TGT and TGS tickets to them.
According to the VPNv2 CSP, these settings options are **Optional**. If you want your users to access on-premises resources, such as files on a network share, based on the credential of a certificate that was issued by an on-premises CA, and not the Cloud CA certificate, you add these settings to the VPNv2 profile. Alternatively, if you add the cloud root certificates to the NTAuth store in on-prem AD, your user's cloud certificate will chain and KDC will issue TGT and TGS tickets to them.
Server-side infrastructure requirements to support VPN device compliance include:
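Review bot: The replacement line fixes "certs"/"cert" but leaves two wording problems on the same line: "these settings options are **Optional**" should read "these settings are **Optional**" (or "these options"), and "on-prem AD" should be "on-premises AD" to match "on-premises CA" and "on-premises resources" earlier in the sentence. "KDC will issue TGT and TGS tickets" also reads better as "the KDC will issue TGT and TGS tickets", and since this is the first use of KDC, TGT and TGS in the section, consider expanding them once (Key Distribution Center, ticket-granting ticket, ticket-granting service).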
@ -77,8 +77,12 @@ Two client-side configuration service providers are leveraged for VPN device com
- Provisions the Health Attestation Certificate received from the HAS
- Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
>[!NOTE]
>Enabling SSO is not necessarily required unless you want VPN users to be issued Kerberos tickets to access on-premises resources using a certificate issued by the on-premises CA; not the cloud certificate issued by AAD.
## Client connection flow
The VPN client side connection flow works as follows:
The VPN client side connection flow works as follows:
![Device compliance workflow when VPN client attempts to connect](images/vpn-device-compliance.png)
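Review bot: The removed and added lines "The VPN client side connection flow works as follows:" are identical as rendered, so this appears to be a whitespace-only change; if the intent was to fix the sentence, "client side" should be hyphenated as "client-side" (it modifies "connection flow"), matching "client-side components" used earlier in the article. In the note above it, "on-premises CA; not the cloud certificate issued by AAD" should use a comma rather than a semicolon, since the second clause is not independent.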
@ -94,13 +98,6 @@ When a VPNv2 Profile is configured with \<DeviceCompliance> \<Enabled>true<\/Ena
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
The following image shows conditional access options in a VPN Profile configuration policy using Microsoft Intune.
![conditional access in profile](images/vpn-conditional-access-intune.png)
>[!NOTE]
>In Intune, the certificate selected in **Select a client certificate for client authentication** does not set any VPNv2 CSP nodes. It is simply a way to tie the VPN profiles successful provisioning to the existence of a certificate. If you are enabling conditional access and using the Azure AD short-lived certificate for both VPN server authentication and domain resource authentication, do not select a certificate since the short-lived certificate is not a certificate that would be on the users device yet.
## Learn more about Conditional Access and Azure AD Health
- [Azure Active Directory conditional access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access/)
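Review bot: The hunk header's escaping is inconsistent: `\<DeviceCompliance> \<Enabled>true<\/Ena` escapes the opening angle brackets as `\<` but the closing tag as `<\/`, which should be `\</Enabled>` if the intent is to keep the literal tags from rendering as HTML. In the Intune note, "the VPN profiles successful provisioning" needs the possessive "profile's", and "on the users device" should be "on the user's device"; these typos are still present in the context lines here, so the "fixed typo" change should cover them too. The header shows the region shrinking from 13 lines to 6, so please confirm which lines were dropped, as nothing in the visible context marks them.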
@ -112,9 +109,7 @@ The following image shows conditional access options in a VPN Profile configurat
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4/)
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)