deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 19:03:46 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

need to swsitch forks

Browse Source
This commit is contained in:
jdeckerMS
2016-09-15 12:20:26 -07:00
parent a658190d61
commit 7abd1737e8
5 changed files with 36 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
windows/keep-secure/images/vpn-intune-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.5 KiB

20
windows/keep-secure/vpn-authentication.md
View File

@ -15,7 +15,25 @@ localizationpriority: high
- Windows 10 - Windows 10
- Windows 10 Mobile - Windows 10 Mobile
In addition to older and less-secure password-based authentication methods (which should be avoided), the Inbox solution utilizes EAP to provide secure authentication using both username/password and certificate-based methods. In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic).
Windows supports a number of EAP authentication methods.
<table>
<thead><tr><th>Method</th><th>Details</th></thead>
<tbody>
<tr><td>EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)</td><td><ul><li>User name and password authentication</li><li>Winlogon credentials - can specify authentication with computer sign-in credentials</li></ul></td></tr>
<tr><td>EAP-Transport Layer Security (EAP-TLS) </td><td><ul><li>Supports the following types of certificate authentication<ul><li>Certificate with keys in the software Key Storage Provider (KSP)</li><li>Certificate with keys in Trusted Platform Module (TPM) KSP</li><li>Smart card certficates</li><li>Windows Hello for Business certificate</li></ul></li><li>Certificate filtering<ul><li>Certificate filtering can be enabled to search for a particular certificate to use to authenticate with</li><li>Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based</li></ul></li><li>Server validation - with TLS, server validation can be toggled on or off<ul><li>Server name - specify the server to validate</li><li>Server certificate - trusted root certificate to validate the server</li><li>Notification - specify if the user should get a notification asking whether to trust the server or not</li></ul></li></ul></td></tr>
<tr><td>Protected Extensible Authentication Protocol (PEAP)</td><td></td></tr>
<tr><td>Tunneled Transport Layer Security (TTLS)</td><td></td></tr></tbody>
</table>
</br>
## Configure authentication
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.

16
windows/keep-secure/vpn-connection-type.md
View File

@ -25,21 +25,21 @@ There are many options for VPN clients. In Windows 10, the built-in plug-in and
- Tunneling protocols - Tunneling protocols
- [Internet Key Exchange version 2 (IKEv2)](https://technet.microsoft.com/en-us/library/ff687731.aspx) - [Internet Key Exchange version 2 (IKEv2)](https://technet.microsoft.com/library/ff687731.aspx)
Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md). Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
Configure the IPsec/IKE tunnel cryptographic properties using the **Cryptography Suite** setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776.aspx). Configure the IPsec/IKE tunnel cryptographic properties using the **Cryptography Suite** setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
- [L2TP](https://technet.microsoft.com/en-us/library/ff687761.aspx) - [L2TP](https://technet.microsoft.com/library/ff687761.aspx)
Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md). Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
L2TP with pre-shared key (PSK) authentication can be configured using the **L2tpPsk** setting in the [VPNv2 CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776.aspx). L2TP with pre-shared key (PSK) authentication can be configured using the **L2tpPsk** setting in the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
- [PPTP](https://technet.microsoft.com/en-us/library/ff687676.aspx) - [PPTP](https://technet.microsoft.com/library/ff687676.aspx)
- [SSTP](https://technet.microsoft.com/en-us/library/ff687819.aspx) - [SSTP](https://technet.microsoft.com/library/ff687819.aspx)
SSTP is supported for Windows desktop editions only. SSTP cannot be configured using mobile device management (MDM), but it is one of the protocols attempted in the **Automatic** option. SSTP is supported for Windows desktop editions only. SSTP cannot be configured using mobile device management (MDM), but it is one of the protocols attempted in the **Automatic** option.
@ -47,7 +47,7 @@ There are many options for VPN clients. In Windows 10, the built-in plug-in and
The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt from most secure to least secure. The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt from most secure to least secure.
Configure **Automatic** for the **NativeProtocolType** setting in the [VPNv2 CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776.aspx). Configure **Automatic** for the **NativeProtocolType** setting in the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
@ -59,7 +59,7 @@ There are a number of Universal Windows Platform VPN applications, such as Pulse
## Configure connection type ## Configure connection type
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776.aspx) for XML configuration. See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune. The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune.

8
windows/keep-secure/vpn-guide.md
View File

@ -16,7 +16,9 @@ localizationpriority: high
- Windows 10 - Windows 10
- Windows 10 Mobile - Windows 10 Mobile
This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776.aspx). This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776.aspx) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10.
![Intune VPN policy template](images/vpn-intune-policy.png)
>[!NOTE] >[!NOTE]
>This guide does not explain server deployment. It lists server dependencies, when relevant. >This guide does not explain server deployment. It lists server dependencies, when relevant.
@ -36,7 +38,9 @@ This guide will walk you through the decisions you will make for Windows 10 clie
| [VPN profile options](vpn-profile-options.md) | combine settings into single profile using XML | | [VPN profile options](vpn-profile-options.md) | combine settings into single profile using XML |
## Learn more
- [VPN connections in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/vpn-connections-in-microsoft-intune)

4
windows/keep-secure/vpn-routing.md
View File

@ -21,7 +21,7 @@ Network routes are required to forward traffic across the VPN interface. One of
In a split tunnel configuration, routes can be specified to go over VPN and all other traffic will go over the physical interface. In a split tunnel configuration, routes can be specified to go over VPN and all other traffic will go over the physical interface.
Routes can be configured using the VPNv2//*ProfileName*/RouteList setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776.aspx). Routes can be configured using the VPNv2//*ProfileName*/RouteList setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
For each route item in the list the following can be specified: For each route item in the list the following can be specified:
@ -44,6 +44,8 @@ For a UWP VPN plug-in, this property is directly controlled by the app. If the V
## Configure routing ## Configure routing
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
When you configure a VPN profile in Microsoft Intune, you select a checkbox to enable split tunnel configuration. When you configure a VPN profile in Microsoft Intune, you select a checkbox to enable split tunnel configuration.
![split tunnel](images/vpn-split.png) ![split tunnel](images/vpn-split.png)