remove proxy topic

This commit is contained in:
jdeckerMS
2016-09-16 08:37:29 -07:00
parent 69f2b67da3
commit 4001f90897
11 changed files with 20 additions and 13 deletions

Binary file not shown.

After: Size: 13 KiB

View File

@ -25,7 +25,7 @@ Windows supports a number of EAP authentication methods.
<tr><td>EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)</td><td><ul><li>User name and password authentication</li><li>Winlogon credentials - can specify authentication with computer sign-in credentials</li></ul></td></tr> <tr><td>EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)</td><td><ul><li>User name and password authentication</li><li>Winlogon credentials - can specify authentication with computer sign-in credentials</li></ul></td></tr>
<tr><td>EAP-Transport Layer Security (EAP-TLS) </td><td><ul><li>Supports the following types of certificate authentication<ul><li>Certificate with keys in the software Key Storage Provider (KSP)</li><li>Certificate with keys in Trusted Platform Module (TPM) KSP</li><li>Smart card certficates</li><li>Windows Hello for Business certificate</li></ul></li><li>Certificate filtering<ul><li>Certificate filtering can be enabled to search for a particular certificate to use to authenticate with</li><li>Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based</li></ul></li><li>Server validation - with TLS, server validation can be toggled on or off<ul><li>Server name - specify the server to validate</li><li>Server certificate - trusted root certificate to validate the server</li><li>Notification - specify if the user should get a notification asking whether to trust the server or not</li></ul></li></ul></td></tr> <tr><td>EAP-Transport Layer Security (EAP-TLS) </td><td><ul><li>Supports the following types of certificate authentication<ul><li>Certificate with keys in the software Key Storage Provider (KSP)</li><li>Certificate with keys in Trusted Platform Module (TPM) KSP</li><li>Smart card certficates</li><li>Windows Hello for Business certificate</li></ul></li><li>Certificate filtering<ul><li>Certificate filtering can be enabled to search for a particular certificate to use to authenticate with</li><li>Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based</li></ul></li><li>Server validation - with TLS, server validation can be toggled on or off<ul><li>Server name - specify the server to validate</li><li>Server certificate - trusted root certificate to validate the server</li><li>Notification - specify if the user should get a notification asking whether to trust the server or not</li></ul></li></ul></td></tr>
<tr><td><a href="https://msdn.microsoft.com/library/cc754179.aspx">Protected Extensible Authentication Protocol (PEAP)</a></td><td><ul><li>Server validation - with PEAP, server validation can be toggled on or off<ul><li>Server name - specify the server to validate</li><li>Server certificate - trusted root certificate to validate the server</li><li>Notification - specify if the user should get a notification asking whether to trust the server or not</li></ul></li><li>Inner method - the outer method creates a secure tunnel inside while the inner method is used to complete the authentication<ul><li>EAP-MSCHAPv2</li><li>EAP-TLS</li></ul><li>Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.<li><a href="https://msdn.microsoft.com/library/cc238384.aspx">Cryptobinding</a>: By deriving and exchanging values from the PEAP phase 1 key material (<b>Tunnel Key</b>) and from the PEAP phase 2 inner EAP method key material (<b>Inner Session Key</b>), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). 
This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.</li></li></ul></td></tr> <tr><td><a href="https://msdn.microsoft.com/library/cc754179.aspx">Protected Extensible Authentication Protocol (PEAP)</a></td><td><ul><li>Server validation - with PEAP, server validation can be toggled on or off<ul><li>Server name - specify the server to validate</li><li>Server certificate - trusted root certificate to validate the server</li><li>Notification - specify if the user should get a notification asking whether to trust the server or not</li></ul></li><li>Inner method - the outer method creates a secure tunnel inside while the inner method is used to complete the authentication<ul><li>EAP-MSCHAPv2</li><li>EAP-TLS</li></ul><li>Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.<li><a href="https://msdn.microsoft.com/library/cc238384.aspx">Cryptobinding</a>: By deriving and exchanging values from the PEAP phase 1 key material (<b>Tunnel Key</b>) and from the PEAP phase 2 inner EAP method key material (<b>Inner Session Key</b>), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.</li></li></ul></td></tr>
<tr><td>Tunneled Transport Layer Security (TTLS)</td><td><ul><li>Inner method<ul><li>Non-EAP<ul><li>Password Authentication Protocol (PAP)</li><li>CHAP</li><li>MSCHAP</li><li>MSCHAPv2</li></ul></li><li>EAP<ul><li>MSCHAPv2</li><li>TLS</li></ul></li></ul></li><li>Server validation: in TTLS, the server must be validated. The following can be configured:<ul><li>Server name</li><li></li>Trusted root certificate for server certificate<li>Whether there should be a server validation notification</li></ul></li></ul></td></tr></tbody> <tr><td>Tunneled Transport Layer Security (TTLS)</td><td><ul><li>Inner method<ul><li>Non-EAP<ul><li>Password Authentication Protocol (PAP)</li><li>CHAP</li><li>MSCHAP</li><li>MSCHAPv2</li></ul></li><li>EAP<ul><li>MSCHAPv2</li><li>TLS</li></ul></li></ul></li><li>Server validation: in TTLS, the server must be validated. The following can be configured:<ul><li>Server name</li><li>Trusted root certificate for server certificate</li><li>Whether there should be a server validation notification</li></ul></li></ul></td></tr></tbody>
</table> </table>
</br> </br>
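Review bot: the TTLS row fix (closing `<li>Trusted root certificate for server certificate</li>` properly) is correct, but the PEAP row in the same table still has malformed HTML: the `<li>Fast Reconnect ...` and `<li><a ...>Cryptobinding</a>...` items are opened without closing the preceding item (the `Inner method` `<li>` is never closed after its inner `</ul>`), and the row ends with `</li></li></ul>`, which closes items out of order; close each `<li>` before the next one opens. Also `</br>` after `</table>` is not a valid tag (use `<br>`), and "Smart card certficates" in the EAP-TLS row should read "certificates".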
@ -47,7 +47,6 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil
- [VPN connection types](vpn-connection-type.md) - [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md) - [VPN routing decisions](vpn-routing.md)
- [VPN and conditional access](vpn-conditional-access.md) - [VPN and conditional access](vpn-conditional-access.md)
- [VPN proxy settings](vpn-proxy-settings.md)
- [VPN name resolution](vpn-name-resolution.md) - [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md) - [VPN security features](vpn-security-features.md)
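Review bot: removing `[VPN proxy settings](vpn-proxy-settings.md)` here, and from every other related-topics list and the guide table in this commit, leaves vpn-proxy-settings.md with no inbound link from the VPN guide set even though the page itself is kept and extended in this same commit; either keep one entry (the guide table would be the natural place) or confirm the page is still reachable from the TOC before merging.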

View File

@ -25,7 +25,6 @@ localizationpriority: high
- [VPN routing decisions](vpn-routing.md) - [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md) - [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md) - [VPN and conditional access](vpn-conditional-access.md)
- [VPN proxy settings](vpn-proxy-settings.md)
- [VPN name resolution](vpn-name-resolution.md) - [VPN name resolution](vpn-name-resolution.md)
- [VPN security features](vpn-security-features.md) - [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md) - [VPN profile options](vpn-profile-options.md)

View File

@ -61,7 +61,7 @@ Server-side infrastructure requirements to support VPN device compliance include
After the server side is set up, VPN admins can add the policy settings for conditional access to the VPN profile using the VPNv2 DeviceCompliance node. After the server side is set up, VPN admins can add the policy settings for conditional access to the VPN profile using the VPNv2 DeviceCompliance node.
Two client-side configuration service providers are leveraged for VPN Device Compliance. Two client-side configuration service providers are leveraged for VPN device compliance.
- VPNv2 CSP DeviceCompliance settings - VPNv2 CSP DeviceCompliance settings
- **Enabled**: enables the Device Compliance flow from the client. If marked as **true**, the VPN client will attempt to communicate with Azure AD to get a certificate to use for authentication. The VPN should be set up to use certificate authentication and the VPN server must trust the server returned by Azure AD. - **Enabled**: enables the Device Compliance flow from the client. If marked as **true**, the VPN client will attempt to communicate with Azure AD to get a certificate to use for authentication. The VPN should be set up to use certificate authentication and the VPN server must trust the server returned by Azure AD.
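Review bot: the capitalization change to "VPN device compliance" is not applied consistently: the unchanged line in this hunk still says "enables the Device Compliance flow", and the following hunk header context reads "VPN Device Compliance"; lower-case the remaining prose occurrences (the `DeviceCompliance` CSP node name should stay as is).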
@ -75,8 +75,16 @@ Two client-side configuration service providers are leveraged for VPN Device Com
- Provisions the Health Attestation Certificate received from the HAS - Provisions the Health Attestation Certificate received from the HAS
- Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification - Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
## Configure conditional access
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
The following image shows conditional access options in a VPN Profile configuration policy using Microsoft Intune.
![conditional access in profile](images/vpn-conditional-access-intune.png)
>[!NOTE]
>In Intune, the certificate selected in **Select a client certificate for client authentication** does not set any VPNv2 CSP nodes. It is simply a way to tie the VPN profiles successful provisioning to the existence of a certificate. If you are enabling conditional access and using the Azure AD short-lived certificate for both VPN server authentication and domain resource authentication, do not select a certificate since the short-lived certificate is not a certificate that would be on the users device yet.
## Learn more about Conditional Access and Azure AD Health ## Learn more about Conditional Access and Azure AD Health
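Review bot: the added note has two possessive errors: "the VPN profiles successful provisioning" should be "the VPN profile's successful provisioning" and "on the users device" should be "on the user's device". The new "## Configure conditional access" heading uses sentence case while the existing "## Learn more about Conditional Access and Azure AD Health" heading capitalizes the term; pick one style. Since the note only says what the Intune certificate picker does not set, it would help readers to state which VPNv2 CSP nodes the conditional access options in the screenshot do map to, given that the section already points at the VPNv2 CSP reference for the XML.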
@ -91,7 +99,6 @@ Two client-side configuration service providers are leveraged for VPN Device Com
- [VPN connection types](vpn-connection-type.md) - [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md) - [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md) - [VPN authentication options](vpn-authentication.md)
- [VPN proxy settings](vpn-proxy-settings.md)
- [VPN name resolution](vpn-name-resolution.md) - [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md) - [VPN security features](vpn-security-features.md)

View File

@ -76,7 +76,6 @@ In Intune, you can also include custom XML for third-party plug-in profiles.
- [VPN routing decisions](vpn-routing.md) - [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md) - [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md) - [VPN and conditional access](vpn-conditional-access.md)
- [VPN proxy settings](vpn-proxy-settings.md)
- [VPN name resolution](vpn-name-resolution.md) - [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md) - [VPN security features](vpn-security-features.md)

View File

@ -29,9 +29,8 @@ This guide will walk you through the decisions you will make for Windows 10 clie
| --- | --- | | --- | --- |
| [VPN connection types](vpn-connection-type.md) | Select a VPN client and tunneling protocol | | [VPN connection types](vpn-connection-type.md) | Select a VPN client and tunneling protocol |
| [VPN routing decisions](vpn-routing.md) | Choose beetween split tunnel and force tunnel configuration | | [VPN routing decisions](vpn-routing.md) | Choose beetween split tunnel and force tunnel configuration |
| [VPN authentication options](vpn-authentication.md) | how to authenticate VPN connection: EAP-based, (?) | | [VPN authentication options](vpn-authentication.md) | Select a method for Extensible Authentication Protocol (EAP) authentication. |
| [VPN and conditional access](vpn-conditional-access.md) | use Azure Active Directory policy evaluation to set access policies for VPN | | [VPN and conditional access](vpn-conditional-access.md) | Use Azure Active Directory policy evaluation to set access policies for VPN connections. |
| [VPN proxy settings](vpn-proxy-settings.md) | |
| [VPN name resolution](vpn-name-resolution.md) | how name resolution should happen | | [VPN name resolution](vpn-name-resolution.md) | how name resolution should happen |
| [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) | auto-connect clients to VPN: app-triggered, name-based trigger, "always on", trusted network detection | | [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) | auto-connect clients to VPN: app-triggered, name-based trigger, "always on", trusted network detection |
| [VPN security features](vpn-security-features.md) | lockdown, traffic filtering, WIP | | [VPN security features](vpn-security-features.md) | lockdown, traffic filtering, WIP |
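Review bot: the typo "beetween" in the routing row of this table is left unfixed, and the rewritten authentication and conditional-access rows now use sentence case with a terminal period while the remaining rows ("how name resolution should happen", "auto-connect clients to VPN: ...", "lockdown, traffic filtering, WIP") keep the old lower-case fragment style; update those rows to match in the same pass, and spell out the WIP acronym on its first use in the table.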

View File

@ -22,7 +22,6 @@ localizationpriority: high
- [VPN routing decisions](vpn-routing.md) - [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md) - [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md) - [VPN and conditional access](vpn-conditional-access.md)
- [VPN proxy settings](vpn-proxy-settings.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md) - [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md) - [VPN profile options](vpn-profile-options.md)

View File

@ -72,7 +72,6 @@ A VPN profile configured with LockDown secures the device to only allow network
- [VPN routing decisions](vpn-routing.md) - [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md) - [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md) - [VPN and conditional access](vpn-conditional-access.md)
- [VPN proxy settings](vpn-proxy-settings.md)
- [VPN name resolution](vpn-name-resolution.md) - [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md) - [VPN security features](vpn-security-features.md)

View File

@ -15,6 +15,14 @@ localizationpriority: high
- Windows 10 - Windows 10
- Windows 10 Mobile - Windows 10 Mobile
If your organization uses a proxy, especially in the case of force tunneled VPN, you can add an Interface Specific proxy with VPN. This can be configured using the MDM/SCCM configuration where you can provide either a Proxy auto-config (PAC) or Web Proxy Autodiscovery Protocol (WPAD) file, or specify a server and port.
**Bypass proxy settings for local addresses** is not currently supported.
## Related topics ## Related topics
- [VPN technical guide](vpn-guide.md) - [VPN technical guide](vpn-guide.md)
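Review bot: the commit message "remove proxy topic" contradicts this hunk, which extends vpn-proxy-settings.md with new content and a related-topics section rather than deleting it; if the page is meant to stay, the message should say the topic is being removed from navigation only, and if it is meant to go, these additions should not be here. Also "Interface Specific proxy" should be lower-case ("interface-specific proxy"), and "configured using the MDM/SCCM configuration" would be clearer if it named the VPNv2 CSP node involved or linked to the VPNv2 CSP reference the way the conditional-access page in this commit does.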

View File

@ -61,7 +61,6 @@ Next, in **Corporate Boundaries**, you add the routes that should use the VPN co
- [VPN connection types](vpn-connection-type.md) - [VPN connection types](vpn-connection-type.md)
- [VPN authentication options](vpn-authentication.md) - [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md) - [VPN and conditional access](vpn-conditional-access.md)
- [VPN proxy settings](vpn-proxy-settings.md)
- [VPN name resolution](vpn-name-resolution.md) - [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md) - [VPN security features](vpn-security-features.md)

View File

@ -22,7 +22,6 @@ localizationpriority: high
- [VPN routing decisions](vpn-routing.md) - [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md) - [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md) - [VPN and conditional access](vpn-conditional-access.md)
- [VPN proxy settings](vpn-proxy-settings.md)
- [VPN name resolution](vpn-name-resolution.md) - [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN profile options](vpn-profile-options.md) - [VPN profile options](vpn-profile-options.md)