diff --git a/windows/keep-secure/images/vpn-connection.png b/windows/keep-secure/images/vpn-connection.png
index 288c801b01..c7d7a0d274 100644
Binary files a/windows/keep-secure/images/vpn-connection.png and b/windows/keep-secure/images/vpn-connection.png differ
diff --git a/windows/keep-secure/images/vpn-profilexml-intune.png b/windows/keep-secure/images/vpn-profilexml-intune.png
new file mode 100644
index 0000000000..7277b7a598
Binary files /dev/null and b/windows/keep-secure/images/vpn-profilexml-intune.png differ
diff --git a/windows/keep-secure/vpn-auto-trigger-profile.md b/windows/keep-secure/vpn-auto-trigger-profile.md
index d2559a3ceb..676c33cd40 100644
--- a/windows/keep-secure/vpn-auto-trigger-profile.md
+++ b/windows/keep-secure/vpn-auto-trigger-profile.md
@@ -36,12 +36,17 @@ You can configure a domain name-based rule so that a specific domain name trigge
Name-based auto-trigger can be configured using the VPNv2//*ProfileName*/DomainNameInformationList/dniRowId/AutoTrigger setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
-Domain names can even be configured such that VPN must be used to access that resource. If VPN is not connected, that resource will be inaccessible if the persistent node is configured to be true.
+There are four types of name-based triggers:
+
+- Short name: for example, if **HRweb** is configured as a trigger and the stack sees a DNS resolution request for **HRweb**, the VPN will be triggered.
+- Fully-qualified domain name (FQDN): for example, if **HRweb.corp.contoso.com** is configured as a trigger and the stack sees a DNS resolution request for **HRweb.corp.contoso.com**, the VPN will be triggered.
+- Suffix: for example, if **.corp.contoso.com** is configured as a trigger and the stack sees a DNS resolution request with a matching suffix (such as **HRweb.corp.contoso.com**), the VPN will be triggered. For any short name resolution, VPN will be triggered and the DNS server will be queried for the *ShortName*.**corp.contoso.com**.
+- All: if used, all DNS resolution should trigger VPN.
## Always On
-Always On is a new feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers:
+Always On is a feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers:
- User sign-in
- Network change
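Review bot: deleting the Persistent sentence removes the only statement on this page that a name-based rule can also be made mandatory (the resource stays unreachable unless the VPN is connected); the four-type list that replaces it covers triggering only, so keep a one-line pointer to the Persistent node (covered in vpn-name-resolution.md, which this patch also edits) so readers still learn that a trigger rule and a persistent rule are different settings. Two smaller points: this hunk spells it "Fully-qualified domain name (FQDN)" while the vpn-name-resolution.md hunk in the same patch uses "Fully qualified domain name (FQDN)", so pick one; and "All: if used, all DNS resolution should trigger VPN" reads as a recommendation where "will trigger VPN" is meant, matching the other three bullets.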
@@ -49,7 +54,6 @@ Always On is a new feature in Windows 10 which enables the active VPN profile to
When the trigger occurs, VPN tries to connect. If an error occurs or any user input is needed, the user is shown a toast notification for additional interaction.
-Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**.
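Review bot: the "Currently, this can only be configured in custom XML in the ProfileXML node" line for Always On is deleted without saying how Always On is configured now. If it has become configurable through Intune or Configuration Manager, say so here and make sure the Always On row of the table in vpn-profile-options.md (also changed in this patch) agrees; if it has not, the ProfileXML pointer should stay, because the vpn-profile-options.md hunk removes both the per-setting AlwaysOn example and the "Always On cannot be set with force tunnel." note, leaving this section as the only place that could carry that constraint.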
@@ -59,7 +63,6 @@ This feature configures the VPN such that it would not get triggered if a user i
Trusted network detection can be configured using the VPNv2//*ProfileName*/TrustedNetworkDetection setting in the [VPNv2 CCSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
-Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
## Configure app-triggered VPN
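Review bot: the unchanged context line directly above the deleted line reads "VPNv2 CCSP"; since this hunk already edits the section, fix it to "VPNv2 CSP" to match the link text used everywhere else in these files. As with the Always On hunk, the removed ProfileXML pointer should be replaced by a statement of where TrustedNetworkDetection can now be configured, not simply deleted.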
diff --git a/windows/keep-secure/vpn-conditional-access.md b/windows/keep-secure/vpn-conditional-access.md
index 0e42e98869..d1b31b2fe5 100644
--- a/windows/keep-secure/vpn-conditional-access.md
+++ b/windows/keep-secure/vpn-conditional-access.md
@@ -15,7 +15,7 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
-The built-in VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
+The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
>[!NOTE]
>Conditional Access is an Azure AD Premium feature.
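Review bot: replacing "The built-in VPN client" with "The VPN client" loses a distinction the rest of this guide relies on: vpn-connection-type.md (also in this patch) separates the built-in client from UWP VPN plug-ins, and the Conditional Access device-compliance integration is described here for the built-in client. Unless the feature is meant to apply to plug-in clients too, keep "built-in" (or write "the Windows 10 built-in VPN client"). "is now able to" is also time-relative wording that will age badly; "can integrate" says the same thing.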
diff --git a/windows/keep-secure/vpn-connection-type.md b/windows/keep-secure/vpn-connection-type.md
index ecd032bc82..88218c2ae2 100644
--- a/windows/keep-secure/vpn-connection-type.md
+++ b/windows/keep-secure/vpn-connection-type.md
@@ -15,7 +15,7 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
-Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network.
+Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP and UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network.
There are many options for VPN clients. In Windows 10, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured.
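Review bot: "special TCP/IP and UDP-based protocols" is awkward, because UDP is itself part of the TCP/IP suite; the point being made is that some tunneling protocols run over TCP and others over UDP (IKEv2 and L2TP, both listed in this file's next hunk, use UDP), so "TCP- or UDP-based protocols" states it cleanly. Consider also naming the transport for each connection type listed on this page, since which ports to open is what a firewall administrator needs from this sentence.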
@@ -27,13 +27,13 @@ There are many options for VPN clients. In Windows 10, the built-in plug-in and
- [Internet Key Exchange version 2 (IKEv2)](https://technet.microsoft.com/library/ff687731.aspx)
- Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
+
Configure the IPsec/IKE tunnel cryptographic properties using the **Cryptography Suite** setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
- [L2TP](https://technet.microsoft.com/library/ff687761.aspx)
- Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
+
L2TP with pre-shared key (PSK) authentication can be configured using the **L2tpPsk** setting in the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
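Review bot: both bullets in this hunk replace the deleted "Currently, this can only be configured..." sub-item with a bare "+" line, which leaves an empty line between each connection-type bullet and the sentence describing its CSP setting. Delete the line outright, or better, keep the Cryptography Suite and L2tpPsk sentences as indented sub-items of their bullets so the list does not break. If IKEv2 and L2TP are no longer ProfileXML-only, say in the bullet where they can now be configured rather than implying it by omission.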
diff --git a/windows/keep-secure/vpn-name-resolution.md b/windows/keep-secure/vpn-name-resolution.md
index 88e5b76467..b0d5e30d57 100644
--- a/windows/keep-secure/vpn-name-resolution.md
+++ b/windows/keep-secure/vpn-name-resolution.md
@@ -15,23 +15,17 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
-When the VPN client connects to the VPN server, the VPN client receives the following addresses:
-
-- Client IP address
-- IP address of the Domain Name System (DNS) server
-- IP address of the Windows Internet Name Service (WINS) server
-
-The VPN client can access intranet resources by using names, which can be resolved to IP addresses using DNS-based and WINS-based resolution. DNS and WINS name resolution require a server address to be provisioned on the VPN client.
+When the VPN client connects to the VPN server, the VPN client receives the client IP address. The client may also receive the IP address of the Domain Name System (DNS) server and the IP address of the Windows Internet Name Service (WINS) server.
The name resolution setting in the VPN profile configures how name resolution should work on the system when VPN is connected. The networking stack first looks at the Name Resolution Policy table (NRPT) for any matches and tries a resolution in the case of a match. If no match is found, the DNS suffix is appended to the name and a DNS query is sent out on all interfaces.
## Name Resolution Policy table (NRPT)
-The NRPT is a table of namespaces that determines the DNS client’s behavior when issuing name resolution queries and processing responses. It is the first place that the stack will look after the DNSCache.
+The NRPT is a table of namespaces that determines the DNS client’s havior when issuing name resolution queries and processing responses. It is the first place that the stack will look after the DNSCache.
-There are 3 types of name matches that can be set up for NRPT:
+There are 3 types of name matches that can set up for NRPT:
-- Fully qualified domain name (FQDN) that can be used for direct matching to a name
+- Fully qualified domain name (FQDN) that can used for direct matching to a name
- Suffix match results in either a comparison of suffixes (for FQDN resolution) or the appending of the suffix (in case of a short name)
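Review bot: this hunk introduces three typos into lines it rewrites: "determines the DNS client's havior" should be "behavior", "3 types of name matches that can set up for NRPT" needs "can be set up", and "(FQDN) that can used for direct matching" needs "can be used". None of these lines had to change for the purpose of the patch, so the simplest fix is to restore their original wording. The new opening paragraph is fine, but it drops the statement that DNS and WINS resolution require a server address to be provisioned on the client; that is the reason the DnsServers setting exists, so keep that sentence.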
@@ -48,17 +42,17 @@ This setting is used to configure the primary DNS suffix for the VPN interface a
Primary DNS suffix is set using the **VPNv2//*ProfileName*/DnsSuffix** node.
-Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
+
[Learn more about primaryDNS suffix](https://technet.microsoft.com/library/cc959611.aspx)
## Persistent
-You can also configure *persistent* name resolution rules. Name resolution for specified items will only be performed over VPN.
+You can also configure *persistent* name resolution rules. Name resolution for specified items will only performed over VPN.
Persistent name resolution is set using the **VPNv2//*ProfileName*/DomainNameInformationList//*dniRowId*/Persistent** node.
-Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
+
## Configure name resolution
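Review bot: "Name resolution for specified items will only performed over VPN" has lost the "be" of the original line ("will only be performed"); the line did not need to change, so restore it. The two deleted pointers are again replaced with empty "+" lines, leaving double blank lines before "[Learn more about primaryDNS suffix]" and "## Configure name resolution"; remove the lines rather than blanking them. While here, the unchanged context line "[Learn more about primaryDNS suffix]" is missing a space ("primary DNS suffix").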
diff --git a/windows/keep-secure/vpn-profile-options.md b/windows/keep-secure/vpn-profile-options.md
index f344ba44ab..973dd202fb 100644
--- a/windows/keep-secure/vpn-profile-options.md
+++ b/windows/keep-secure/vpn-profile-options.md
@@ -21,7 +21,7 @@ Most of the VPN settings in Windows 10 can be configured in VPN profiles using M
>[!NOTE]
>If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers) first.
-The following table lists the VPN settings and whether the setting can only be configured using **ProfileXML**.
+The following table lists the VPN settings and whether the setting can be configured in Intune and Configuration Manager, or can only be configured using **ProfileXML**.
| Profile setting | Can be configured in Intune and Configuration Manager |
| --- | --- |
@@ -42,451 +42,180 @@ The following table lists the VPN settings and whether the setting can only be c
| Windows Information Protection (WIP) | no |
| Traffic filters | yes |
-The sections in this topic provide XML examples for the VPN profile settings in this guide. You can get additional examples in the [ProfileXML XSD](https://msdn.microsoft.com/library/windows/hardware/mt755930.aspx) topic.
+The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This is particularly useful for deploying profiles with features that are not yet supported by MDMs. You can get additional examples in the [ProfileXML XSD](https://msdn.microsoft.com/library/windows/hardware/mt755930.aspx) topic.
+## Sample VPN profile
-
-## Connection type
-
-**Example:** set connection type to **Automatic**
+The following is a sample Native VPN profile. This blob would fall under the ProfileXML node. Profiles can be created for UWP apps as well. An example can be found in the link above as well.
```
-NativeProtocolType
-
-
- 10002
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/NativeProtocolType
-
- Automatic
-
-
+
+ TestVpnProfile
+
+ testServer.VPN.com
+ IKEv2
+
+
+
+ Eap
+ Eap
+
+
+
+
+ 25
+ 0
+ 0
+ 0
+
+
+
+ 25
+
+
+ true
+
+ d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2
+ d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74
+
+ true
+ false
+
+ 13
+
+
+
+ true
+
+
+
+ true
+
+ d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2
+ d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74
+
+ false
+ true
+ false
+
+
+
+
+ AAD Conditional Access
+ 1.3.6.1.4.1.311.87
+
+
+
+
+ AAD Conditional Access
+
+
+
+
+
+
+ false
+ true
+
+ true
+ false
+
+
+
+
+
+
+
+
+
+
+ SplitTunnel
+ true
+
+
+ 192.168.0.0
+ 24
+
+
+ 10.10.0.0
+ 16
+
+
+
+
+
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+
+
+
+
+ C:\windows\system32\ping.exe
+
+
+
+
+
+
+ %ProgramFiles%\Internet Explorer\iexplore.exe
+
+ 6
+ 10,20-50,100-200
+ 20-50,100-200,300
+ 30.30.0.0/16,10.10.10.10-20.20.20.20
+ ForceTunnel
+
+
+
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+
+ 3.3.3.3/32,1.1.1.1-2.2.2.2
+
+
+
+
+ hrsite.corporate.contoso.com
+ 1.2.3.4,5.6.7.8
+ 5.5.5.5
+ true
+
+
+ .corp.contoso.com
+ 10.10.10.10,20.20.20.20
+ 100.100.100.100
+
+
+
+ corp.contoso.com
+ true
+
+
+ false
+ corp.contoso.com
+ contoso.com
+
+
+ HelloServer
+
+ Helloworld.Com
+
+
+
+
+ true
+
+ true
+ This is my Eku
+ This is my issuer hash
+
+
+
```
-**Example:** set connection type for a Universal Windows Platform (UWP) VPN plug-in
+## Apply ProfileXML using Intune
-```
-
-
- 10002
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/PluginPackageFamilyName
-
- TestVpnPluginApp-SL_8wekyb3d8bbwe
-
-
-```
+After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy.
-**Example:** add custom configuration for UWP VPN plug-in
-
-```
-
-
- 10003
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/CustomConfiguration
-
- <pluginschema><ipAddress>auto</ipAddress><port>443</port><networksettings><routes><includev4><route><address>172.10.10.0</address><prefix>24</prefix></route></includev4></routes><namespaces><namespace><space>.vpnbackend.com</space><dnsservers><server>172.10.10.11</server></dnsservers></namespace></namespaces></networksettings></pluginschema>
-
-
-```
-
-## Split-tunnel routing
-
-**Example:** route list and exclusion route
-
-```
-
- 10008
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/Address
-
- 192.168.0.0
-
-
-
- 10009
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/PrefixSize
-
-
- int
-
- 24
-
-
-
- 10010
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/ExclusionRoute
-
-
- bool
-
- true
-
-
-```
-
->[!NOTE]
->Forced-tunnel routing is used if no routes are specified.
-
-
-## EAP authentication
-
-You can only configure EAP-based authentication if you select a built-in connection type (IKEv2, L2TP, PPTP, or automatic). See [EAP configuration](https://msdn.microsoft.com/library/windows/hardware/mt168513.aspx) for a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile.
-
-
-## Conditional access
-
-**Example:** device compliance for conditional access
-
-```
-
- 10011
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/Enabled
-
-
- bool
-
- true
-
-
-
- 10011
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/IssuerHash
-
- ffffffffffffffffffffffffffffffffffffffff;ffffffffffffffffffffffffffffffffffffffee
-
-
-
- 10011
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/EKU
-
- 1.3.6.1.5.5.7.3.2
-
-
-
-```
-
-## Proxy settings
-
-**Example:** set proxy
-
-```
-Manual
-
- $CmdID$
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/Proxy/Manual/Server
-
- 192.168.0.100:8888
-
-
-
- AutoConfigUrl
-
- $CmdID$
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/Proxy/AutoConfigUrl
-
- HelloWorld.com
-
-
- ```
-
-## NRPT name resolution
-
-**Example:** FQDN match with DNS server
-
-```
-
- 10016
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DomainName
-
- finance.contoso.com
-
-
-
- 10017
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DnsServers
-
- 192.168.0.11,192.168.0.12
-
-
-```
-
-**Example:** FQDN match with proxy server
-
-```
-
- 10016
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/DomainName
-
- finance.contoso.com
-
-
-
- 10017
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/WebProxyServers
-
- 192.168.0.11:8080
-
-
-```
-
-## DNS suffix name resolution
-
-**Example:** DNS suffix match with DNS server
-
-```
-
- 10013
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DomainName
-
- .contoso.com
-
-
-
- 10014
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DnsServers
-
- 192.168.0.11,192.168.0.12
-
-
-```
-
-**Example:** DNS suffix match with proxy server
-
-```
-
- 10013
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/DomainName
-
- .contoso.com
-
-
-
- 10015
- -
-
-./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/WebProxyServers
-
- 192.168.0.100:8888
-
-
-```
-
-## Persistent name resolution
-
-**Example:** persistent name resolution
-
-```
-
- 10010
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/Persistent
-
-
- bool
-
- true
-
-
-```
-
-## App trigger
-
-**Example:** set Internet Explorer and Microsoft Edge to trigger VPN
-
-```
-
-
- 10013
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/0/App/Id
-
- %PROGRAMFILES%\Internet Explorer\iexplore.exe
-
-
-
- 10014
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/1/App/Id
-
- %PROGRAMFILES% (x86)\Internet Explorer\iexplore.exe
-
-
-
-
- 10015
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/2/App/Id
-
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe
-
-
-```
-
-## Name trigger
-
-**Example:** set domain name rule to trigger VPN
-
-```
-
- 10010
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/AutoTrigger
-
-
- bool
-
- true
-
-
-```
-
-## Always On
-
-Always On cannot be set with force tunnel.
-
-**Example:** set Always On.
-
-```
-
- $CmdID$
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/AlwaysOn
-
-
- bool
-
- true
-
-
-```
-
-## Trusted network detection
-
-**Example:** configure trusted networks
-
-```
-
- $CmdID$
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/TrustedNetworkDetection
-
- Adatum.com
-
-
-```
-
-## LockDown
-
-For built-in VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type.
-
-**Example:** set a LockDown profile.
-
-```
-
- $CmdID$
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/Lockdown
-
-
- bool
-
- true
-
-
-```
-
-## Windows Information Protection
-
-If you are using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure WIP policies.
-
-**Example:** provide enterprise ID to connect VPN profile with WIP policy
-
-```
-
- $CmdID$
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/EDPModeID
-
- corp.contoso.com
-
-
-```
-
-## Traffic filters
-
-**Example:** traffic filter for desktop app
-
-```
-
- 10013
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/0/App/Id
-
- %ProgramFiles%\Internet Explorer\iexplore.exe
-
-
-```
-
-**Example:** traffic filter for UWP app
-
-```
-
- 10014
- -
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/1/App/Id
-
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe
-
-
-```
-
-
-
+
## Learn more
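Review bot: the removed lines carried several operational constraints that the new single sample does not restate anywhere in this patch: "Forced-tunnel routing is used if no routes are specified.", "Always On cannot be set with force tunnel.", "For built-in VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type.", and the WIP note that VPN must be configured before WIP policies. Each belongs in the feature's own topic (vpn-routing.md, vpn-auto-trigger-profile.md, vpn-security-features.md) if it is leaving this one; dropping them silently is a documentation regression, and a reader copying the sample will not learn that AlwaysOn does not combine with ForceTunnel (the sample happens to pair AlwaysOn with SplitTunnel, but nothing says why). On the sample itself: the DeviceCompliance block ends with the literal values "This is my Eku" and "This is my issuer hash", while earlier in the same sample the real OID 1.3.6.1.4.1.311.87 is used for AAD Conditional Access; make both spots obviously placeholders (the removed example used the 40-hex-digit "ffff...ff;ffff...ee" form for IssuerHash) and say in the lead-in that these must be replaced with the actual issuer hash and EKU, otherwise someone will deploy the placeholder text. The route and traffic-filter values "3.3.3.3/32,1.1.1.1-2.2.2.2", "30.30.0.0/16,10.10.10.10-20.20.20.20" and the DNS server "5.5.5.5" are routable public addresses; documentation should use the RFC 5737 ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) or the private ranges the sample already uses elsewhere (192.168.0.0/24, 10.10.0.0/16), so that a pasted filter or route never points at someone else's network. Minor: "deploy VPN profile as a single blob" needs an article ("a VPN profile"), and "An example can be found in the link above as well." should name the link (the ProfileXML XSD topic).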
diff --git a/windows/keep-secure/vpn-routing.md b/windows/keep-secure/vpn-routing.md
index 215bae3fe1..046edf1720 100644
--- a/windows/keep-secure/vpn-routing.md
+++ b/windows/keep-secure/vpn-routing.md
@@ -15,7 +15,7 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
-Network routes are required to forward traffic across the VPN interface. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). This decision impacts the configuration and the capacity planning, as well as security expectations from the connection.
+Network routes are required for the stack to understand which interface to use for outbound traffic. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). This decision impacts the configuration and the capacity planning, as well as security expectations from the connection.
## Split tunnel configuration
@@ -29,8 +29,9 @@ For each route item in the list the following can be specified:
- **Prefix size**: VPNv2//*ProfileName*/RouteList//*routeRowId*/Prefix
- **Exclusion route**: VPNv2//*ProfileName*/RouteList//*routeRowId*/ExclusionRoute
- Windows VPN platform now supports the ability to specify exclusion routes that specifically should not go over the physical interface. Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
+ Windows VPN platform now supports the ability to specify exclusion routes that specifically should not go over the physical interface.
+Routes can also be added at connect time through the server for UWP VPN apps.
## Force tunnel configuration
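Review bot: the retained sentence "exclusion routes that specifically should not go over the physical interface" is inverted. In the VPNv2 CSP an ExclusionRoute of true means traffic for that prefix is sent over the physical interface instead of the VPN, so an exclusion route is one that should not go over the VPN. Since this hunk rewrites that line anyway, correct it to something like "exclusion routes for traffic that should not go over the VPN; such traffic is sent over the physical interface instead". The new line "Routes can also be added at connect time through the server for UWP VPN apps." should be its own paragraph with a blank line before it, otherwise it reads as a continuation of the Exclusion route bullet.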
diff --git a/windows/keep-secure/vpn-security-features.md b/windows/keep-secure/vpn-security-features.md
index 1896ec0e71..591b829433 100644
--- a/windows/keep-secure/vpn-security-features.md
+++ b/windows/keep-secure/vpn-security-features.md
@@ -32,7 +32,7 @@ A VPN profile configured with LockDown secures the device to only allow network
Deploy this feature with caution as the resultant connection will not be able to send or receive any network traffic without the VPN being connected.
-Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
+
## Windows Information Protection (WIP) integration with VPN
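Review bot: blanking the deleted line with a bare "+" leaves two consecutive empty lines before "## Windows Information Protection (WIP) integration with VPN"; delete the line instead. More importantly, this patch removes from vpn-profile-options.md the only statement that LockDown is available for the built-in client on the IKEv2 connection type only; this LockDown section is where that restriction now belongs, ideally next to the "Deploy this feature with caution" sentence, because a reader choosing a connection type needs to know it before enabling Lockdown.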
@@ -49,7 +49,7 @@ The value of the **EdpModeId** is an Enterprise ID. The networking stack will lo
Additionally, when connecting with WIP, the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced configuration is needed) because the WIP policies and App lists automatically take effect.
-Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
+
## Traffic filters
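Review bot: same blank-line issue as the LockDown hunk, the "+" line should be a plain deletion. The vpn-profile-options.md hunk in this patch also drops "If you are using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure WIP policies."; that ordering requirement is WIP-specific and should be restated in this section so it survives the cleanup.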