deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 10:53:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Aman feedback

Browse Source
This commit is contained in:
jdeckerMS
2016-09-27 10:01:55 -07:00
parent ed6a3ff281
commit 7174ef3066
9 changed files with 190 additions and 463 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
windows/keep-secure/images/vpn-connection.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 91 KiB

After

Width:  |  Height:  |  Size: 94 KiB

BIN
windows/keep-secure/images/vpn-profilexml-intune.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 53 KiB

11
windows/keep-secure/vpn-auto-trigger-profile.md
View File

@ -36,12 +36,17 @@ You can configure a domain name-based rule so that a specific domain name trigge
Name-based auto-trigger can be configured using the VPNv2//*ProfileName*/DomainNameInformationList/dniRowId/AutoTrigger setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
Domain names can even be configured such that VPN must be used to access that resource. If VPN is not connected, that resource will be inaccessible if the persistent node is configured to be true.
There are four types of name-based triggers:
- Short name: for example, if **HRweb** is configured as a trigger and the stack sees a DNS resolution request for **HRweb**, the VPN will be triggered.
- Fully-qualified domain name (FQDN): for example, if **HRweb.corp.contoso.com** is configured as a trigger and the stack sees a DNS resolution request for **HRweb.corp.contoso.com**, the VPN will be triggered.
- Suffix: for example, if **.corp.contoso.com** is configured as a trigger and the stack sees a DNS resolution request with a matching suffix (such as **HRweb.corp.contoso.com**), the VPN will be triggered. For any short name resolution, VPN will be triggered and the DNS server will be queried for the *ShortName*.**corp.contoso.com**.
- All: if used, all DNS resolution should trigger VPN.
## Always On
Always On is a new feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers:
Always On is a feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers:
- User sign-in
- Network change
@ -49,7 +54,6 @@ Always On is a new feature in Windows 10 which enables the active VPN profile to
When the trigger occurs, VPN tries to connect. If an error occurs or any user input is needed, the user is shown a toast notification for additional interaction.
Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**.
@ -59,7 +63,6 @@ This feature configures the VPN such that it would not get triggered if a user i
Trusted network detection can be configured using the VPNv2//*ProfileName*/TrustedNetworkDetection setting in the [VPNv2 CCSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
## Configure app-triggered VPN

2
windows/keep-secure/vpn-conditional-access.md
View File

@ -15,7 +15,7 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
The built-in VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
>[!NOTE]
>Conditional Access is an Azure AD Premium feature.

6
windows/keep-secure/vpn-connection-type.md
View File

@ -15,7 +15,7 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organizations private network.
Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP and UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organizations private network.
There are many options for VPN clients. In Windows 10, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured.
@ -27,13 +27,13 @@ There are many options for VPN clients. In Windows 10, the built-in plug-in and
- [Internet Key Exchange version 2 (IKEv2)](https://technet.microsoft.com/library/ff687731.aspx)
Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
Configure the IPsec/IKE tunnel cryptographic properties using the **Cryptography Suite** setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
- [L2TP](https://technet.microsoft.com/library/ff687761.aspx)
Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
L2TP with pre-shared key (PSK) authentication can be configured using the **L2tpPsk** setting in the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).

20
windows/keep-secure/vpn-name-resolution.md
View File

@ -15,23 +15,17 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
When the VPN client connects to the VPN server, the VPN client receives the following addresses:
- Client IP address
- IP address of the Domain Name System (DNS) server
- IP address of the Windows Internet Name Service (WINS) server
The VPN client can access intranet resources by using names, which can be resolved to IP addresses using DNS-based and WINS-based resolution. DNS and WINS name resolution require a server address to be provisioned on the VPN client.
When the VPN client connects to the VPN server, the VPN client receives the client IP address. The client may also receive the IP address of the Domain Name System (DNS) server and the IP address of the Windows Internet Name Service (WINS) server.
The name resolution setting in the VPN profile configures how name resolution should work on the system when VPN is connected. The networking stack first looks at the Name Resolution Policy table (NRPT) for any matches and tries a resolution in the case of a match. If no match is found, the DNS suffix is appended to the name and a DNS query is sent out on all interfaces.
## Name Resolution Policy table (NRPT)
The NRPT is a table of namespaces that determines the DNS clients behavior when issuing name resolution queries and processing responses. It is the first place that the stack will look after the DNSCache.
The NRPT is a table of namespaces that determines the DNS clients havior when issuing name resolution queries and processing responses. It is the first place that the stack will look after the DNSCache.
There are 3 types of name matches that can be set up for NRPT:
There are 3 types of name matches that can set up for NRPT:
- Fully qualified domain name (FQDN) that can be used for direct matching to a name
- Fully qualified domain name (FQDN) that can used for direct matching to a name
- Suffix match results in either a comparison of suffixes (for FQDN resolution) or the appending of the suffix (in case of a short name)
@ -48,17 +42,17 @@ This setting is used to configure the primary DNS suffix for the VPN interface a
Primary DNS suffix is set using the **VPNv2//*ProfileName*/DnsSuffix** node.
Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
[Learn more about primaryDNS suffix](https://technet.microsoft.com/library/cc959611.aspx)
## Persistent
You can also configure *persistent* name resolution rules. Name resolution for specified items will only be performed over VPN.
You can also configure *persistent* name resolution rules. Name resolution for specified items will only performed over VPN.
Persistent name resolution is set using the **VPNv2//*ProfileName*/DomainNameInformationList//*dniRowId*/Persistent** node.
Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
## Configure name resolution

605
windows/keep-secure/vpn-profile-options.md
View File

@ -21,7 +21,7 @@ Most of the VPN settings in Windows 10 can be configured in VPN profiles using M
>[!NOTE]
>If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers) first.
The following table lists the VPN settings and whether the setting can only be configured using **ProfileXML**.
The following table lists the VPN settings and whether the setting can be configured in Intune and Configuration Manager, or can only be configured using **ProfileXML**.
| Profile setting | Can be configured in Intune and Configuration Manager |
| --- | --- |
@ -42,451 +42,180 @@ The following table lists the VPN settings and whether the setting can only be c
| Windows Information Protection (WIP) | no |
| Traffic filters | yes |
The sections in this topic provide XML examples for the VPN profile settings in this guide. You can get additional examples in the [ProfileXML XSD](https://msdn.microsoft.com/library/windows/hardware/mt755930.aspx) topic.
The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This is particularly useful for deploying profiles with features that are not yet supported by MDMs. You can get additional examples in the [ProfileXML XSD](https://msdn.microsoft.com/library/windows/hardware/mt755930.aspx) topic.
## Sample VPN profile
## Connection type
**Example:** set connection type to **Automatic**
The following is a sample Native VPN profile. This blob would fall under the ProfileXML node. Profiles can be created for UWP apps as well. An example can be found in the link above as well.
```
NativeProtocolType
<!-- Configure VPN Protocol Type (L2tp, Pptp, Ikev2) -->
<Add>
<CmdID>10002</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/NativeProtocolType</LocURI>
</Target>
<Data>Automatic</Data>
</Item>
</Add>
<VPNProfile>
<ProfileName>TestVpnProfile</ProfileName>
<NativeProfile>
<Servers>testServer.VPN.com</Servers>
<NativeProtocolType>IKEv2</NativeProtocolType>
<!--Sample EAP profile (PEAP)-->
<Authentication>
<UserMethod>Eap</UserMethod>
<MachineMethod>Eap</MachineMethod>
<Eap>
<Configuration>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod>
<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
</EapMethod>
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>25</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
<ServerValidation>
<DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
<ServerNames></ServerNames>
<TrustedRootCA>d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2 </TrustedRootCA>
<TrustedRootCA>d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74 </TrustedRootCA>
</ServerValidation>
<FastReconnect>true</FastReconnect>
<InnerEapOptional>false</InnerEapOptional>
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>13</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
<CredentialsSource>
<CertificateStore>
<SimpleCertSelection>true</SimpleCertSelection>
</CertificateStore>
</CredentialsSource>
<ServerValidation>
<DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
<ServerNames></ServerNames>
<TrustedRootCA>d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2 </TrustedRootCA>
<TrustedRootCA>d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74 </TrustedRootCA>
</ServerValidation>
<DifferentUsername>false</DifferentUsername>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
<TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
<FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
<EKUMapping>
<EKUMap>
<EKUName>AAD Conditional Access</EKUName>
<EKUOID>1.3.6.1.4.1.311.87</EKUOID>
</EKUMap>
</EKUMapping>
<ClientAuthEKUList Enabled="true">
<EKUMapInList>
<EKUName>AAD Conditional Access</EKUName>
</EKUMapInList>
</ClientAuthEKUList>
</FilteringInfo>
</TLSExtensions>
</EapType>
</Eap>
<EnableQuarantineChecks>false</EnableQuarantineChecks>
<RequireCryptoBinding>true</RequireCryptoBinding>
<PeapExtensions>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName>
</PeapExtensions>
</EapType>
</Eap>
</Config>
</EapHostConfig>
</Configuration>
</Eap>
</Authentication>
<!--Sample routing policy: in this case, this is a split tunnel configuration with two routes configured-->
<RoutingPolicyType>SplitTunnel</RoutingPolicyType>
<DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
</NativeProfile>
<Route>
<Address>192.168.0.0</Address>
<PrefixSize>24</PrefixSize>
</Route>
<Route>
<Address>10.10.0.0</Address>
<PrefixSize>16</PrefixSize>
</Route>
<!--VPN will be triggered for the two apps specified here-->
<AppTrigger>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
</AppTrigger>
<AppTrigger>
<App>
<Id>C:\windows\system32\ping.exe</Id>
</App>
</AppTrigger>
<!--Example of per-app VPN. This configures traffic filtering rules for two apps. Internet Explorer is configured for force tunnel, meaning that all traffic allowed through this app must go over VPN. Microsoft Edge is configured as split tunnel, so whether data goes over VPN or the physical interface is dictated by the routing configuration.-->
<TrafficFilter>
<App>
<Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
</App>
<Protocol>6</Protocol>
<LocalPortRanges>10,20-50,100-200</LocalPortRanges>
<RemotePortRanges>20-50,100-200,300</RemotePortRanges>
<RemoteAddressRanges>30.30.0.0/16,10.10.10.10-20.20.20.20</RemoteAddressRanges>
<RoutingPolicyType>ForceTunnel</RoutingPolicyType>
</TrafficFilter>
<TrafficFilter>
<App>
<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
</App>
<LocalAddressRanges>3.3.3.3/32,1.1.1.1-2.2.2.2</LocalAddressRanges>
</TrafficFilter>
<!--Name resolution configuration. The AutoTrigger node configures name-based triggering. In this profile, the domain "hrsite.corporate.contoso.com" triggers VPN.-->
<DomainNameInformation>
<DomainName>hrsite.corporate.contoso.com</DomainName>
<DnsServers>1.2.3.4,5.6.7.8</DnsServers>
<WebProxyServers>5.5.5.5</WebProxyServers>
<AutoTrigger>true</AutoTrigger>
</DomainNameInformation>
<DomainNameInformation>
<DomainName>.corp.contoso.com</DomainName>
<DnsServers>10.10.10.10,20.20.20.20</DnsServers>
<WebProxyServers>100.100.100.100</WebProxyServers>
</DomainNameInformation>
<!--EDPMode is turned on for the enterprise ID "corp.contoso.com". When a user accesses an app with that ID, VPN will be triggered.-->
<EdpModeId>corp.contoso.com</EdpModeId>
<RememberCredentials>true</RememberCredentials>
<!--Always On is turned off, and triggering VPN for the apps and domain name specified earlier in the profile will not occur if the user is connected to the trusted network "contoso.com".-->
<AlwaysOn>false</AlwaysOn>
<DnsSuffix>corp.contoso.com</DnsSuffix>
<TrustedNetworkDetection>contoso.com</TrustedNetworkDetection>
<Proxy>
<Manual>
<Server>HelloServer</Server>
</Manual>
<AutoConfigUrl>Helloworld.Com</AutoConfigUrl>
</Proxy>
<!--Device compliance is enabled and an alternate certificate is specified for domain resource authentication.-->
<DeviceCompliance>
<Enabled>true</Enabled>
<Sso>
<Enabled>true</Enabled>
<Eku>This is my Eku</Eku>
<IssuerHash>This is my issuer hash</IssuerHash>
</Sso>
</DeviceCompliance>
</VPNProfile>
```
**Example:** set connection type for a Universal Windows Platform (UWP) VPN plug-in
## Apply ProfileXML using Intune
```
<!-- Configure VPN Plugin AppX Package ID (ThirdPartyProfileInfo=) -->
<Add>
<CmdID>10002</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/PluginPackageFamilyName</LocURI>
</Target>
<Data>TestVpnPluginApp-SL_8wekyb3d8bbwe</Data>
</Item>
</Add>
```
After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy.
**Example:** add custom configuration for UWP VPN plug-in
```
<!-- Configure Microsoft's Custom XML (ThirdPartyProfileInfo=) -->
<Add>
<CmdID>10003</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/CustomConfiguration</LocURI>
</Target>
<Data>&lt;pluginschema&gt;&lt;ipAddress&gt;auto&lt;/ipAddress&gt;&lt;port&gt;443&lt;/port&gt;&lt;networksettings&gt;&lt;routes&gt;&lt;includev4&gt;&lt;route&gt;&lt;address&gt;172.10.10.0&lt;/address&gt;&lt;prefix&gt;24&lt;/prefix&gt;&lt;/route&gt;&lt;/includev4&gt;&lt;/routes&gt;&lt;namespaces&gt;&lt;namespace&gt;&lt;space&gt;.vpnbackend.com&lt;/space&gt;&lt;dnsservers&gt;&lt;server&gt;172.10.10.11&lt;/server&gt;&lt;/dnsservers&gt;&lt;/namespace&gt;&lt;/namespaces&gt;&lt;/networksettings&gt;&lt;/pluginschema&gt;</Data>
</Item>
</Add>
```
## Split-tunnel routing
**Example:** route list and exclusion route
```
<Add>
<CmdID>10008</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/Address</LocURI>
</Target>
<Data>192.168.0.0</Data>
</Item>
</Add>
<Add>
<CmdID>10009</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/PrefixSize</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>24</Data>
</Item>
</Add>
<Add>
<CmdID>10010</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/ExclusionRoute</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Add>
```
>[!NOTE]
>Forced-tunnel routing is used if no routes are specified.
## EAP authentication
You can only configure EAP-based authentication if you select a built-in connection type (IKEv2, L2TP, PPTP, or automatic). See [EAP configuration](https://msdn.microsoft.com/library/windows/hardware/mt168513.aspx) for a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile.
## Conditional access
**Example:** device compliance for conditional access
```
<Add>
<CmdID>10011</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/Enabled</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Add>
<Add>
<CmdID>10011</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/IssuerHash</LocURI>
</Target>
<Data>ffffffffffffffffffffffffffffffffffffffff;ffffffffffffffffffffffffffffffffffffffee</Data>
</Item>
</Add>
<Add>
<CmdID>10011</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/EKU</LocURI>
</Target>
<Data>1.3.6.1.5.5.7.3.2</Data>
</Item>
</Add>
```
## Proxy settings
**Example:** set proxy
```
Manual
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/Proxy/Manual/Server</LocURI>
</Target>
<Data>192.168.0.100:8888</Data>
</Item>
</Add>
AutoConfigUrl
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/Proxy/AutoConfigUrl</LocURI>
</Target>
<Data>HelloWorld.com</Data>
</Item>
</Add>
```
## NRPT name resolution
**Example:** FQDN match with DNS server
```
<Add>
<CmdID>10016</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DomainName</LocURI>
</Target>
<Data>finance.contoso.com</Data>
</Item>
</Add>
<Add>
<CmdID>10017</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DnsServers</LocURI>
</Target>
<Data>192.168.0.11,192.168.0.12</Data>
</Item>
</Add>
```
**Example:** FQDN match with proxy server
```
<Add>
<CmdID>10016</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/DomainName</LocURI>
</Target>
<Data>finance.contoso.com</Data>
</Item>
</Add>
<Add>
<CmdID>10017</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/WebProxyServers</LocURI>
</Target>
<Data>192.168.0.11:8080</Data>
</Item>
</Add>
```
## DNS suffix name resolution
**Example:** DNS suffix match with DNS server
```
<Add>
<CmdID>10013</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DomainName</LocURI>
</Target>
<Data>.contoso.com</Data>
</Item>
</Add>
<Add>
<CmdID>10014</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DnsServers</LocURI>
</Target>
<Data>192.168.0.11,192.168.0.12</Data>
</Item>
</Add>
```
**Example:** DNS suffix match with proxy server
```
<Add>
<CmdID>10013</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/DomainName</LocURI>
</Target>
<Data>.contoso.com</Data>
</Item>
</Add>
<Add>
<CmdID>10015</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/WebProxyServers</LocURI>
</Target>
<Data>192.168.0.100:8888</Data>
</Item>
</Add>
```
## Persistent name resolution
**Example:** persistent name resolution
```
<Add>
<CmdID>10010</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/Persistent</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Add>
```
## App trigger
**Example:** set Internet Explorer and Microsoft Edge to trigger VPN
```
<!-- Internet Explorer -->
<Add>
<CmdID>10013</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/0/App/Id</LocURI>
</Target>
<Data>%PROGRAMFILES%\Internet Explorer\iexplore.exe</Data>
</Item>
</Add>
<Add>
<CmdID>10014</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/1/App/Id</LocURI>
</Target>
<Data>%PROGRAMFILES% (x86)\Internet Explorer\iexplore.exe</Data>
</Item>
</Add>
<!-- Edge -->
<Add>
<CmdID>10015</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/2/App/Id</LocURI>
</Target>
<Data>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Data>
</Item>
</Add>
```
## Name trigger
**Example:** set domain name rule to trigger VPN
```
<Add>
<CmdID>10010</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/AutoTrigger</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Add>
```
## Always On
Always On cannot be set with force tunnel.
**Example:** set Always On.
```
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/AlwaysOn</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Add>
```
## Trusted network detection
**Example:** configure trusted networks
```
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrustedNetworkDetection</LocURI>
</Target>
<Data>Adatum.com</Data>
</Item>
</Add>
```
## LockDown
For built-in VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type.
**Example:** set a LockDown profile.
```
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/Lockdown</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Add>
```
## Windows Information Protection
If you are using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure WIP policies.
**Example:** provide enterprise ID to connect VPN profile with WIP policy
```
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/EDPModeID</LocURI>
</Target>
<Data>corp.contoso.com</Data>
</Item>
</Add>
```
## Traffic filters
**Example:** traffic filter for desktop app
```
<Add>
<CmdID>10013</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/0/App/Id</LocURI>
</Target>
<Data>%ProgramFiles%\Internet Explorer\iexplore.exe</Data>
</Item>
</Add>
```
**Example:** traffic filter for UWP app
```
<Add>
<CmdID>10014</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/1/App/Id</LocURI>
</Target>
<Data>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Data>
</Item>
</Add>
```
 
![Paste your ProfileXML in OMA-URI Setting value field](images/vpn-profilexml-intune.png)
## Learn more

5
windows/keep-secure/vpn-routing.md
View File

@ -15,7 +15,7 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
Network routes are required to forward traffic across the VPN interface. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). This decision impacts the configuration and the capacity planning, as well as security expectations from the connection.
Network routes are required for the stack to understand which interface to use for outbound traffic. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). This decision impacts the configuration and the capacity planning, as well as security expectations from the connection.
## Split tunnel configuration
@ -29,8 +29,9 @@ For each route item in the list the following can be specified:
- **Prefix size**: VPNv2//*ProfileName*/RouteList//*routeRowId*/Prefix
- **Exclusion route**: VPNv2//*ProfileName*/RouteList//*routeRowId*/ExclusionRoute
Windows VPN platform now supports the ability to specify exclusion routes that specifically should not go over the physical interface. Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
Windows VPN platform now supports the ability to specify exclusion routes that specifically should not go over the physical interface.
Routes can also be added at connect time through the server for UWP VPN apps.
## Force tunnel configuration

4
windows/keep-secure/vpn-security-features.md
View File

@ -32,7 +32,7 @@ A VPN profile configured with LockDown secures the device to only allow network
Deploy this feature with caution as the resultant connection will not be able to send or receive any network traffic without the VPN being connected.
Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
## Windows Information Protection (WIP) integration with VPN
@ -49,7 +49,7 @@ The value of the **EdpModeId** is an Enterprise ID. The networking stack will lo
Additionally, when connecting with WIP, the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced configuration is needed) because the WIP policies and App lists automatically take effect.
Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
## Traffic filters