mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 05:47:23 +00:00
stage
This commit is contained in:
jdeckerMS
parent
4001f90897
commit
e5c96e96e8
BIN
windows/keep-secure/images/vpn-name-intune.png
Normal file
BIN
windows/keep-secure/images/vpn-name-intune.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 14 KiB |
@ -15,8 +15,53 @@ localizationpriority: high
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
In Windows 10, a number of “auto-triggering” features were added to VPN so users won’t have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules:
|
||||
|
||||
- App trigger
|
||||
- Name-based trigger
|
||||
- Always On
|
||||
|
||||
## App trigger
|
||||
|
||||
You can configure apps (desktop or Universal Windows Platform) to trigger a VPN connection. You can also configure per-app VPN and specify traffic rules for each app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details.
|
||||
|
||||
The app identifier for a desktop app is a file path. The app identifier for a UWP app is a package family name.
|
||||
|
||||
[Find a package family name (PFN) for per-app VPN configuration](https://docs.microsoft.com/intune/deploy-use/find-a-pfn-for-per-app-vpn)
|
||||
|
||||
|
||||
## Name-based trigger
|
||||
|
||||
|
||||
## Always On
|
||||
|
||||
Always On is a new feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers:
|
||||
|
||||
- User sign-in
|
||||
- Network change
|
||||
- Device screen on
|
||||
|
||||
When the trigger occurs, VPN tries to connect. If an error occurs or anyuUser input is needed, the user is shown a toast notification for additional interaction.
|
||||
|
||||
When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**.
|
||||
|
||||
## Trusted network detection
|
||||
|
||||
|
||||
|
||||
## Configure ,,,
|
||||
|
||||
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
|
||||
|
||||
The following image shows name resolution options in a VPN Profile configuration policy using Microsoft Intune.
|
||||
|
||||
|
||||
|
||||
The fields in **Add or edit DNS rule*- in the Intune profile correspond to the XML settings shown in the following table.
|
||||
|
||||
| Field | XML |
|
||||
| --- | --- |
|
||||
| **Name*- | **VPNv2//*ProfileName*/DomainNameInformationList//*dniRowId*/DomainName*- |
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -15,6 +15,69 @@ localizationpriority: high
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
When the VPN client connects to the VPN server, the VPN client receives the following addresses:
|
||||
|
||||
- Client IP address
|
||||
- IP address of the Domain Name System (DNS) server
|
||||
- IP address of the Windows Internet Name Service (WINS) server
|
||||
|
||||
The VPN client can access intranet resources by using names, which can be resolved to IP addresses using DNS-based and WINS-based resolution. DNS and WINS name resolution require a server address to be provisioned on the VPN client.
|
||||
|
||||
The name resolution setting in the VPN profile configures how name resolution should work on the system when VPN is connected. The networking stack first looks at the Name Resolution Policy table (NRPT) for any matches and tries a resolution in the case of a match. If no match is found, the DNS Suffix is appended to the name and a DNS query is sent out on all interfaces.
|
||||
|
||||
## Name Resolution Policy table (NRPT)
|
||||
|
||||
The NRPT is a table of namespaces that determines the DNS client’s behavior when issuing name resolution queries and processing responses. It is the first place that the stack will look after the DNSCache.
|
||||
|
||||
There are 3 types of Name matches that can be set up for NRPT
|
||||
|
||||
- Fully qualified domain name (FQDN) that can be used for direct matching to a name
|
||||
|
||||
- Suffix match results in either a comparison of suffixes (for FQDN resolution) or the appending of the suffix (in case of a short name)
|
||||
|
||||
- Any resolution should attempt to first resolve with the proxy server/DNS server with this entry
|
||||
|
||||
Examples of the following in VPNv2 CSP can be found here.
|
||||
|
||||
NRPT is set using the **VPNv2//*ProfileName*/DomainNameInformationList** node. This node also configures Web proxy server or domain name servers.
|
||||
|
||||
[Learn more about NRPT](https://technet.microsoft.com/library/ee649207%28v=ws.10%29.aspx)
|
||||
|
||||
|
||||
## DNS suffix
|
||||
|
||||
This setting is used to configure the primary DNS suffix for the VPN interface and the suffix search list after the VPN connection is established.
|
||||
|
||||
Primary DNS suffix is set using the **VPNv2//*ProfileName*/DnsSuffix** node.
|
||||
|
||||
Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
|
||||
|
||||
[Learn more about primaryDNS suffix](https://technet.microsoft.com/library/cc959611.aspx)
|
||||
|
||||
## Persistent
|
||||
|
||||
You can also configure *persistent* name resolution rules. Name resolution for specified items will only be performed over VPN.
|
||||
|
||||
Persistent name resolution is set using the **VPNv2//*ProfileName*/DomainNameInformationList//*dniRowId*/Persistent** node.
|
||||
|
||||
Currently, this can only be configured in [custom XML in the ProfileXML node](vpn-profile-options.md).
|
||||
|
||||
## Configure name resolution
|
||||
|
||||
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
|
||||
|
||||
The following image shows name resolution options in a VPN Profile configuration policy using Microsoft Intune.
|
||||
|
||||
|
||||
|
||||
The fields in **Add or edit DNS rule** in the Intune profile correspond to the XML settings shown in the following table.
|
||||
|
||||
| Field | XML |
|
||||
| --- | --- |
|
||||
| **Name** | **VPNv2//*ProfileName*/DomainNameInformationList//*dniRowId*/DomainName** |
|
||||
| **Servers (comma separated)** | **VPNv2//*ProfileName*/DomainNameInformationList//*dniRowId*/DnsServers** |
|
||||
| **Proxy server** | **VPNv2//*ProfileName*/DomainNameInformationList//*dniRowId*/WebServers** |
|
||||
|
||||
## Related topics
|
||||
|
||||
- [VPN technical guide](vpn-guide.md)
|
||||
|
||||
@ -15,6 +15,33 @@ localizationpriority: high
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
|
||||
## Lockdown VPN
|
||||
|
||||
Lockdown VPN is a setting in VPN which can enforce an Always On force tunneled VPN. The system will attempt to keep this VPN connection connected, and networking data will only be allowed to go over the VPN Interface. The only exceptions here are for getting underlying network connectivity going as well as for MDM configuration. Deploy this feature with caution as the resultant connection will not be able to send/receive any network traffic without the VPN being connected.
|
||||
This can be configured using
|
||||
VPNv2/ProfileName/LockDown
|
||||
This is not currently supported to be configured via Intune/SCCM. This can be configured via a custom XML in the ProfileXML node.
|
||||
|
||||
|
||||
## Traffic filters
|
||||
|
||||
Traffic filters is a feature that enables admins to effectively add interface specific firewall rules on the VPN Interface. With this feature, admins can specify networking 5 Tuple policies (IP, Port and Protocol based) to allow through the VPN interface. In addition, these rules can be applied at a per app level or a per device level. For eg. An admin could say that the Contoso HR App must be allowed to go through the VPN and only access port 4545 additionally the Contoso finance apps is allowed to go over the VPN and only access the Remote IP ranges of 10.10.0.40 - 10.10.0.201 on port 5889, apart from this all other apps on the device should be able to access only ports 80 or 443.
|
||||
|
||||
## Windows Information Protection (WIP) integration with VPN
|
||||
|
||||
Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally.
|
||||
In Windows 10, the Policy CSP was updated allowing administrators to enforce WIP policy. The VPNv2 CSP EdpModeId node allows a Windows 10 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include:
|
||||
• Core Functionality: File encryption and file access blocking
|
||||
• UX Policy Enforcement: Restricting copy/paste, drag/drop, and sharing operations
|
||||
• EDP Network Policy Enforcement: Protecting intranet resources over corpnet and VPN
|
||||
• Network Policy Enforcement: Protecting SMB and Internet cloud resources over corpnet and VPN
|
||||
The value of the EdpModeId is an Enterprise ID. The networking stack will look for this ID in the app token to determine whether VPN should be triggered for that particular app.
|
||||
|
||||
This is not currently supported to be configured via Intune/SCCM. This can be configured via a custom XML in the ProfileXML node.
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
- [VPN technical guide](vpn-guide.md)
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user