Aman feedback

windows/keep-secure/vpn-authentication.md

@@ -29,6 +29,14 @@ Windows supports a number of EAP authentication methods.
 </table>
 </br>
 
+For a UWP VPN plug-in, the app vendor controls the authentication method to be used. The following credential types can be used:
+
+- Smart card
+- Certificate
+- Windows Hello for Business
+- User name and password
+- One-time password
+- Custom credential type
 
 ## Configure authentication
 

windows/keep-secure/vpn-conditional-access.md

@@ -23,15 +23,15 @@ The VPN client is now able to integrate with the cloud-based Conditional Access
 Conditional Access Platform components used for Device Compliance include the following cloud-based services:
 - [Conditional Access Framework](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/)
 
-- [Azure AD Connect Health](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect-health/)
+- [Azure AD Connect Health](https://azure.microsoft.com/documentation/articles/active-directory-Azure ADconnect-health/)
 
 - [Windows Health Attestation Service](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices#device-health-attestation)
 
 - Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA).  An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. 
 
-- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the AAD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules.  If compliant, AAD sends back a short-lived certificate that is used to authenticate the VPN.  Note that certificate authentication methods such as EAP-TLS can be used. 
+- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules.  If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN.  Note that certificate authentication methods such as EAP-TLS can be used. 
 
-    Additional details regarding the AAD issued short-lived certificate: 
+    Additional details regarding the Azure AD issued short-lived certificate: 
     - The default lifetime is 60 minutes and is configurable
     - When that certificate expires, the client will again check with Azure AD so that continued health can be validated before a new certificate is issued allowing continuation of the connection
 
@@ -74,6 +74,23 @@ Two client-side configuration service providers are leveraged for VPN device com
    - Forwards the data to the Health Attestation Service (HAS)
    - Provisions the Health Attestation Certificate received from the HAS
    - Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
+   
+## Client connection flow
+
+
+The  VPN client side connection flow works as follows:
+
+![Device compliance workflow when VPN client attempts to connect](images/vpn-device-compliance.png)
+ 
+When a Device Compliance-enabled VPN connection profile is triggered (either manually or automatically):
+
+1.	 The VPN client calls into Windows 10’s AAD Token Broker, identifying itself as a VPN client.
+2.	 The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. The Azure AD Server checks if the device is in compliance with the policies.
+3.	 If compliant, Azure AD requests a short-lived certificate
+4.	 Azure AD pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection  processing.
+5. The VPN client uses the Azure AD-issued certificate to authenticate with the VPN server.
+
+
 
 ## Configure conditional access
 

windows/keep-secure/vpn-connection-type.md

@@ -15,7 +15,7 @@ localizationpriority: high
 -   Windows 10
 -   Windows 10 Mobile
 
-Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP and UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network.
+Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network.
 
 There are many options for VPN clients. In Windows 10, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured. 
 
@@ -27,15 +27,11 @@ There are many options for VPN clients. In Windows 10, the built-in plug-in and
 
     - [Internet Key Exchange version 2 (IKEv2)](https://technet.microsoft.com/library/ff687731.aspx)
 
-        
-    
-        Configure the IPsec/IKE tunnel cryptographic properties using the **Cryptography Suite** setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
+      Configure the IPsec/IKE tunnel cryptographic properties using the **Cryptography Suite** setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
            
     - [L2TP](https://technet.microsoft.com/library/ff687761.aspx)
 
-        
-    
-        L2TP with pre-shared key (PSK) authentication can be configured using the **L2tpPsk** setting in the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
+      L2TP with pre-shared key (PSK) authentication can be configured using the **L2tpPsk** setting in the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
     
     - [PPTP](https://technet.microsoft.com/library/ff687676.aspx)
 

windows/keep-secure/vpn-name-resolution.md

@@ -17,7 +17,7 @@ localizationpriority: high
 
 When the VPN client connects to the VPN server, the VPN client receives the client IP address. The client may also receive the IP address of the Domain Name System (DNS) server and the IP address of the Windows Internet Name Service (WINS) server.
 
-The name resolution setting in the VPN profile configures how name resolution should work on the system when VPN is connected. The networking stack first looks at the Name Resolution Policy table (NRPT) for any matches and tries a resolution in the case of a match. If no match is found, the DNS suffix is appended to the name and a DNS query is sent out on all interfaces. 
+The name resolution setting in the VPN profile configures how name resolution should work on the system when VPN is connected. The networking stack first looks at the Name Resolution Policy table (NRPT) for any matches and tries a resolution in the case of a match. If no match is found, the DNS suffix on the most preferred interface based on the interface metric is appended to the name (in the case of a short name) and a DNS query is sent out on the preferred interface. If the query times out, the DNS suffix search list is used in order and DNS queries are sent on all interfaces. 
 
 ## Name Resolution Policy table (NRPT)
  

windows/keep-secure/vpn-profile-options.md

@@ -44,9 +44,10 @@ The following table lists the VPN settings and whether the setting can be config
 
 The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This is particularly useful for deploying profiles with features that are not yet supported by MDMs. You can get additional examples in the [ProfileXML XSD](https://msdn.microsoft.com/library/windows/hardware/mt755930.aspx) topic.
 
-## Sample VPN profile
 
-The following is a sample Native VPN profile. This blob would fall under the ProfileXML node. Profiles can be created for UWP apps as well. An example can be found in the link above as well.
+## Sample Native VPN profile
+
+The following is a sample Native VPN profile. This blob would fall under the ProfileXML node. 
 
 ```
 <VPNProfile>  
@@ -211,10 +212,91 @@ The following is a sample Native VPN profile. This blob would fall under the Pro
 </VPNProfile> 
 ```
 
+## Sample plug-in VPN profile
+
+The following is a sample plug-in VPN profile. This blob would fall under the ProfileXML node. 
+
+```
+<VPNProfile>
+	<ProfileName>TestVpnProfile</ProfileName>
+	<PluginProfile>
+		<ServerUrlList>testserver1.contoso.com;testserver2.contoso..com</ServerUrlList>
+		<PluginPackageFamilyName>JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy</PluginPackageFamilyName>
+		<CustomConfiguration>&lt;pulse-schema&gt;&lt;isSingleSignOnCredential&gt;true&lt;/isSingleSignOnCredential&gt;&lt;/pulse-schema&gt;</CustomConfiguration>
+	</PluginProfile>
+	<Route>
+		<Address>192.168.0.0</Address>
+		<PrefixSize>24</PrefixSize>
+	</Route>
+	<Route>
+		<Address>10.10.0.0</Address>
+		<PrefixSize>16</PrefixSize>
+	</Route>
+	<AppTrigger>
+		<App>
+			<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
+		</App>
+	</AppTrigger>
+	<AppTrigger>
+		<App>
+			<Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
+		</App>
+	</AppTrigger>
+	<TrafficFilter>
+		<App>
+			<Id>%ProgramFiles%\Internet Explorer\iexplore.exe</Id>
+		</App>
+		<Protocol>6</Protocol>
+		<LocalPortRanges>10,20-50,100-200</LocalPortRanges>
+		<RemotePortRanges>20-50,100-200,300</RemotePortRanges>
+		<RemoteAddressRanges>30.30.0.0/16,10.10.10.10-20.20.20.20</RemoteAddressRanges>
+		<!--<RoutingPolicyType>ForceTunnel</RoutingPolicyType>-->
+	</TrafficFilter>
+	<TrafficFilter>
+		<App>
+			<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
+		</App>
+		<LocalAddressRanges>3.3.3.3/32,1.1.1.1-2.2.2.2</LocalAddressRanges>
+	</TrafficFilter>
+	<TrafficFilter>
+		<App>
+			<Id>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</Id>
+		</App>
+		<Claims>O:SYG:SYD:(A;;CC;;;AU)</Claims>
+		<!--<RoutingPolicyType>SplitTunnel</RoutingPolicyType>-->
+	</TrafficFilter>
+	<DomainNameInformation>
+		<DomainName>corp.contoso.com</DomainName>
+		<DnsServers>1.2.3.4,5.6.7.8</DnsServers>
+		<WebProxyServers>5.5.5.5</WebProxyServers>
+		<AutoTrigger>false</AutoTrigger>
+	</DomainNameInformation>
+	<DomainNameInformation>
+		<DomainName>corp.contoso.com</DomainName>
+		<DnsServers>10.10.10.10,20.20.20.20</DnsServers>
+		<WebProxyServers>100.100.100.100</WebProxyServers>
+	</DomainNameInformation>
+	<!--<EdpModeId>corp.contoso.com</EdpModeId>-->
+	<RememberCredentials>true</RememberCredentials>
+	<AlwaysOn>false</AlwaysOn>
+	<DnsSuffix>corp.contoso.com</DnsSuffix>
+	<TrustedNetworkDetection>contoso.com,test.corp.contoso.com</TrustedNetworkDetection>
+	<Proxy>
+		<Manual>
+			<Server>HelloServer</Server>
+		</Manual>
+		<AutoConfigUrl>Helloworld.Com</AutoConfigUrl>
+	</Proxy>
+</VPNProfile>  
+
+```
+
 ## Apply ProfileXML using Intune
 
 After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy.
 
+The OMS-URI setting to apply ProfileXML is **./user/vendor/MSFT/*VPN profile name*/ProfileXML**.
+
 ![Paste your ProfileXML in OMA-URI Setting value field](images/vpn-profilexml-intune.png)
 
 ## Learn more