Microsoft Tunnel is a VPN gateway solution for Microsoft Intune that runs in a container on Linux and allows access to on-premises resources from iOS/iPadOS and Android Enterprise devices using modern authentication and Conditional Access.
This article introduces the tunnel, how it works, and its architecture.
If you're ready to deploy the Microsoft Tunnel, see Prerequisites for the Microsoft Tunnel, and then Configure the Microsoft Tunnel.
Microsoft Tunnel does not use Federal Information Processing Standard (FIPS) compliant algorithms.
Download the Microsoft Tunnel Deployment Guide v2 from the Microsoft Download Center.
Overview of Microsoft Tunnel
Microsoft Tunnel Gateway installs onto a container that runs on a Linux server. The Linux server can be a physical box in your on-premises environment or a virtual machine that runs on-premises or in the cloud. You'll deploy Microsoft Defender for Endpoint as the Microsoft Tunnel client app, together with Intune VPN profiles, to your iOS and Android devices to enable them to use the tunnel to connect to corporate resources. When the tunnel is hosted in the cloud, you'll need to use a solution like Azure ExpressRoute to extend your on-premises network to the cloud.
Through the Microsoft Endpoint Manager admin center, you’ll:
- Download the Microsoft Tunnel installation script that you’ll run on the Linux servers.
- Configure aspects of Microsoft Tunnel Gateway like IP addresses, DNS servers, and ports.
- Deploy VPN profiles to devices to direct them to use the tunnel.
- Deploy the Microsoft Tunnel client apps to your devices.
Through the Defender for Endpoint app, iOS/iPadOS and Android Enterprise devices:
- Use Azure Active Directory (Azure AD) to authenticate to the tunnel.
- Use Active Directory Federation Services (AD FS) to authenticate to the tunnel.
- Are evaluated against your Conditional Access policies. If the device isn’t compliant, then it won’t have access to your VPN server or your on-premises network.
You can install multiple Linux servers to support Microsoft Tunnel, and combine servers into logical groups called Sites. Each server can join a single Site. When you configure a Site, you’re defining a connection point for devices to use when they access the tunnel. Sites require a Server configuration that you’ll define and assign to the Site. The Server configuration is applied to each server you add to that Site, simplifying the configuration of more servers.
To direct devices to use the tunnel, you create and deploy a VPN policy for Microsoft Tunnel. This policy is a device configuration VPN profile that uses Microsoft Tunnel for its connection type.
Prior to support for using Microsoft Defender for Endpoint as the tunnel client app on Android and iOS devices, a standalone tunnel client app was available in preview and used a connection type of Microsoft Tunnel (standalone client)(preview).
- As of June 14, 2021, both the standalone tunnel app and the standalone client connection type are deprecated and drop from support after January 31, 2022.
On April 29, 2022 both the Microsoft Tunnel connection type and Microsoft Defender for Endpoint as the tunnel client app became generally available. With this general availability, the use of the Microsoft Tunnel (standalone client)(preview) connection type and the standalone tunnel client app are deprecated and soon will drop from support.
- On July 29, 2022, the standalone tunnel client app will no longer be available for download. Only the generally available version of Microsoft Defender for Endpoint will be available as the tunnel client app.
- On August 1, 2022, the Microsoft Tunnel (standalone client)(preview) connection type will cease to connect to Microsoft Tunnel.
To avoid a disruption in service for Microsoft Tunnel, plan to migrate your use of the deprecated tunnel client app and connection type to those that are now generally available.
Features of the VPN profiles for the tunnel include:
- A friendly name for the VPN connection that your end users will see.
- The site that the VPN client connects to.
- Per-app VPN configurations that define which apps the VPN profile is used for, and if it's always-on or not. When always-on, the VPN will automatically connect and is used only for the apps you define. If no apps are defined, the always-on connection provides tunnel access for all network traffic from the device.
- For iOS devices that have the Tunnel client app configured to support per-app VPNs and TunnelOnly mode set to True, users don't need to open or sign in to Microsoft Defender on their device for the Tunnel to be used. Instead, with the user signed in to the Company Portal on the device, or to any other app that uses multi-factor authentication and holds a valid access token, the Tunnel per-app VPN is used automatically. TunnelOnly mode is supported for iOS/iPadOS, and disables the Defender functionality, leaving only the Tunnel capabilities.
- Manual connections to the tunnel when a user launches the VPN and selects Connect.
- On-demand VPN rules that allow use of the VPN when conditions are met for specific FQDNs or IP addresses. (iOS/iPadOS)
- Proxy support (iOS/iPadOS, Android 10+)
Server configurations include:
- IP address range – The IP addresses that are assigned to devices that connect to a Microsoft Tunnel.
- DNS servers – The DNS server devices should use when they connect to the server.
- DNS suffix search.
- Split tunneling rules – Up to 500 rules shared across include and exclude routes. For example, if you create 300 include rules, you can then have up to 200 exclude rules.
- Port – The port that Microsoft Tunnel Gateway listens on.
Site configuration includes:
- A public IP address or FQDN, which is the connection point for devices that use the tunnel. This address can be for an individual server or the IP or FQDN of a load-balancing server.
- The Server configuration that is applied to each server in the Site.
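The Server and Site configuration settings above can be checked before they're pushed to a Site. The following is an added example (not code from the page or from the Microsoft Tunnel product) that validates the settings named on the page, including the shared limit of 500 split tunneling rules, and then shows the split-tunnel decision for a few destinations. The `ServerConfiguration` field names, the sample values, and the precedence rule used by `route_decision` (an exclude route always bypasses the tunnel; when include routes exist only matching destinations are tunneled; with no include routes everything not excluded is tunneled) are this example's own assumptions, not documented behaviour.

```python
import ipaddress
from dataclasses import dataclass, field

# Limit stated on the page: 500 split tunneling rules shared across include and exclude routes.
MAX_SPLIT_TUNNEL_RULES = 500


@dataclass
class ServerConfiguration:
    """Subset of a Microsoft Tunnel Server configuration (field names are this example's own)."""
    ip_address_range: str                      # addresses handed to devices that connect to the tunnel
    dns_servers: list                          # DNS servers the devices should use while connected
    port: int = 443                            # port Microsoft Tunnel Gateway listens on (TCP and UDP)
    include_routes: list = field(default_factory=list)   # prefixes routed through the tunnel
    exclude_routes: list = field(default_factory=list)   # prefixes that bypass the tunnel


def validate_server_configuration(cfg: ServerConfiguration) -> list:
    """Return a list of problems; an empty list means the configuration passes these checks."""
    problems = []
    try:
        # strict=True rejects ranges written with host bits set, e.g. 10.240.0.1/16
        ipaddress.ip_network(cfg.ip_address_range, strict=True)
    except ValueError as exc:
        problems.append(f"IP address range {cfg.ip_address_range!r} is not a valid network: {exc}")
    for dns in cfg.dns_servers:
        try:
            ipaddress.ip_address(dns)
        except ValueError:
            problems.append(f"DNS server {dns!r} is not an IP address")
    if not 1 <= cfg.port <= 65535:
        problems.append(f"port {cfg.port} is outside 1-65535")
    total_rules = len(cfg.include_routes) + len(cfg.exclude_routes)
    if total_rules > MAX_SPLIT_TUNNEL_RULES:
        problems.append(
            f"{total_rules} split tunneling rules exceed the shared limit of {MAX_SPLIT_TUNNEL_RULES}"
        )
    for route in cfg.include_routes + cfg.exclude_routes:
        try:
            ipaddress.ip_network(route, strict=False)
        except ValueError:
            problems.append(f"route {route!r} is not a valid prefix")
    return problems


def route_decision(cfg: ServerConfiguration, destination: str) -> str:
    """Return 'tunnel' or 'direct' for a destination address.

    Assumed precedence (not taken from the page): an exclude route always bypasses the tunnel;
    if include routes exist, only destinations inside one of them are tunneled; with no include
    routes, everything that is not excluded goes through the tunnel.
    """
    addr = ipaddress.ip_address(destination)
    if any(addr in ipaddress.ip_network(r, strict=False) for r in cfg.exclude_routes):
        return "direct"
    if cfg.include_routes:
        if any(addr in ipaddress.ip_network(r, strict=False) for r in cfg.include_routes):
            return "tunnel"
        return "direct"
    return "tunnel"


if __name__ == "__main__":
    # Constructed sample configuration; the values are not from the page.
    sample = ServerConfiguration(
        ip_address_range="10.240.0.0/16",
        dns_servers=["10.1.0.53"],
        include_routes=["10.0.0.0/8", "192.168.0.0/16"],
        exclude_routes=["10.99.0.0/16"],
    )
    print("problems:", validate_server_configuration(sample))
    for dst in ("10.1.2.3", "10.99.4.5", "13.107.1.1"):
        print(dst, "->", route_decision(sample, dst))
```

Running the module prints an empty problem list for the sample and routes 10.1.2.3 through the tunnel while 10.99.4.5 (excluded) and 13.107.1.1 (outside every include route) go directly to the internet.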
You assign a server to a Site at the time you install the tunnel software on the Linux server. The installation uses a script that you can download from within the admin center. After starting the script, you’ll be prompted to configure its operation for your environment, which includes specifying the Site the server will join.
To use the Microsoft Tunnel, devices will need to install the Microsoft Defender for Endpoint app. You get the applicable app from the iOS/iPadOS or Android app stores and deploy it to users.
The Microsoft Tunnel Gateway runs in containers that run on Linux servers. The architecture diagram (not reproduced here) uses the following legend:
- A – Microsoft Intune.
- B – Azure Active Directory (Azure AD).
- C – Linux server with Podman or Docker CE (see the Linux server requirements for details about which versions require Podman or Docker).
  - C.1 – Microsoft Tunnel Gateway.
  - C.2 – Management Agent.
  - C.3 – Authentication plugin (authorization plugin), which authenticates with Azure AD.
- D – Public-facing IP or FQDN of the Microsoft Tunnel, which can represent a load balancer.
- E – Mobile Device Management (MDM) enrolled device.
- F – Firewall.
- G – Internal proxy server (optional).
- H – Corporate network.
- I – Public internet.
- 1 – The Intune administrator configures Server configurations and Sites; Server configurations are associated with Sites.
- 2 – The Intune administrator installs Microsoft Tunnel Gateway, and the authentication plugin authenticates Microsoft Tunnel Gateway with Azure AD. The Microsoft Tunnel Gateway server is assigned to a Site.
- 3 – The Management Agent communicates with Intune to retrieve your Server configuration policies and to send telemetry logs to Intune.
- 4 – The Intune administrator creates and deploys VPN profiles and the Defender app to devices.
- 5 – The device authenticates to Azure AD. Conditional Access policies are evaluated.
- 6 – With split tunneling:
  - 6.a – Some traffic goes directly to the public internet.
  - 6.b – Some traffic goes to your public-facing IP address for the Tunnel. The VPN channel uses TCP, TLS, UDP, and DTLS over port 443, which requires the corresponding inbound and outbound firewall ports to be open.
- 7 – The Tunnel routes traffic to your internal proxy (optional) and/or your corporate network. IT admins must ensure that traffic from the Tunnel Gateway server's internal interface can route to internal corporate resources (IP address ranges and ports).
Tunnel Gateway maintains two channels with the client. A control channel is established over TCP and TLS; this channel also serves as a backup data channel. The gateway then attempts to establish a UDP channel using DTLS (Datagram TLS, an implementation of TLS over UDP) that serves as the main data channel. If the UDP channel fails to establish or is temporarily unavailable, the backup channel over TCP/TLS is used. By default, port 443 is used for both TCP and UDP, but this can be customized via the Server port setting in the Intune Server configuration. If you change the default port (443), ensure your inbound firewall rules are adjusted to the custom port.
The assigned client IP addresses (the IP address range setting in a Server configuration for Tunnel) are not visible to other devices on the network. Microsoft Tunnel Gateway uses port address translation (PAT). PAT is a type of network address translation (NAT) in which multiple private IP addresses from the Server configuration are mapped to a single IP address (many-to-one) by using ports. Client traffic therefore has the source IP address of the Linux server host.
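To make the many-to-one mapping concrete, here is an added example (constructed for this article, not Tunnel Gateway's own implementation) of a minimal PAT table: outbound client flows are rewritten to the host's IP address and a host-side port drawn from a pool, replies are mapped back by that port, and any inbound packet with no matching mapping is dropped, which is why the client addresses are never reachable from the corporate network. The host IP, port pool, and packet field names are assumptions of the example, and keying the mapping on the client's address and port alone is a simplification.

```python
class PortAddressTranslator:
    """Many-to-one NAT (PAT): every client flow is rewritten to the gateway host's IP and a
    host-side port chosen from a pool; replies are mapped back by that port.
    Constructed model of what the text describes, not Tunnel Gateway's own code."""

    def __init__(self, host_ip: str, first_port: int = 20000, last_port: int = 60000):
        self.host_ip = host_ip
        self._free_ports = list(range(first_port, last_port + 1))
        self._outbound = {}   # (client_ip, client_port, proto) -> host port
        self._inbound = {}    # (host port, proto) -> (client_ip, client_port)

    def translate_outbound(self, pkt: dict) -> dict:
        """Rewrite a client packet leaving the gateway toward the corporate network.
        Mapping is keyed on the client's address/port only (a simplification)."""
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        host_port = self._outbound.get(key)
        if host_port is None:
            if not self._free_ports:
                raise RuntimeError("PAT port pool exhausted")
            host_port = self._free_ports.pop(0)
            self._outbound[key] = host_port
            self._inbound[(host_port, pkt["proto"])] = (pkt["src"], pkt["sport"])
        out = dict(pkt)
        out["src"] = self.host_ip      # the network only ever sees the Linux host's address
        out["sport"] = host_port
        return out

    def translate_inbound(self, pkt: dict):
        """Map a reply addressed to the host back to the client, or return None (dropped)
        when no client flow created the mapping: clients cannot be reached unsolicited."""
        if pkt["dst"] != self.host_ip:
            return None
        client = self._inbound.get((pkt["dport"], pkt["proto"]))
        if client is None:
            return None
        back = dict(pkt)
        back["dst"], back["dport"] = client
        return back


if __name__ == "__main__":
    # Constructed sample flow: two clients from the 10.240.0.0/16 range reach an internal server.
    pat = PortAddressTranslator("192.0.2.10")
    for client in ("10.240.0.5", "10.240.0.6"):
        pkt = {"src": client, "sport": 51000, "dst": "10.1.0.20", "dport": 443, "proto": "tcp"}
        print("out:", pat.translate_outbound(pkt))
    reply = {"src": "10.1.0.20", "sport": 443, "dst": "192.0.2.10", "dport": 20001, "proto": "tcp"}
    print("back:", pat.translate_inbound(reply))
    probe = {"src": "10.1.0.99", "sport": 22, "dst": "192.0.2.10", "dport": 30000, "proto": "tcp"}
    print("unsolicited:", pat.translate_inbound(probe))
```

The two clients share the host address 192.0.2.10 and are told apart only by the allocated host ports (20000 and 20001); the unsolicited packet to port 30000 maps to nothing and is dropped.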
Break and inspect:
Many enterprise networks enforce network security for internet traffic using technologies like proxy servers, firewalls, SSL break and inspect, deep packet inspection, and data loss prevention systems. These technologies provide important risk mitigation for generic internet requests but can dramatically reduce performance, scalability, and the quality of end user experience when applied to Microsoft Tunnel Gateway and Intune service endpoints.
Break and inspect isn't supported in the following areas. References are to the architecture diagram from the preceding section.
- Tunnel Gateway doesn't support SSL break and inspect, TLS break and inspect, or deep packet inspection for client connections.
- The use of firewalls, proxies, load balancers, or any technology that terminates and inspects the client sessions that go into the Tunnel Gateway isn't supported and will cause client connections to fail. (Refer to F, D, and C in the architecture diagram.)
- If Tunnel Gateway uses an outbound proxy for internet access, the proxy server can't perform break and inspect, because the Tunnel Gateway Management Agent uses TLS mutual authentication when connecting to Intune (refer to 3 in the architecture diagram). If break and inspect is enabled on the proxy server, the network admins who manage the proxy server must add the Tunnel Gateway server IP address and Fully Qualified Domain Name (FQDN) to an approve-list for these Intune endpoints.
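A quick way to confirm that nothing in the path (F, D) is terminating the TCP/TLS control channel described earlier is to connect to the Site's public FQDN and port from outside and compare the presented leaf certificate with the one you installed on the gateway. The following is an added example, not Microsoft's tooling: `probe_control_channel` opens a TLS connection with verification deliberately disabled so that it reports whatever certificate a client would actually receive, and `evaluate_control_channel` is the pure comparison that the probe and the test share. The hostname, port, and the expected SHA-256 fingerprint (assumed to be known to the operator from the gateway's own certificate) are inputs you supply; the UDP/DTLS data channel can't be checked with a plain socket and is out of scope.

```python
import hashlib
import socket
import ssl
import sys


def leaf_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def evaluate_control_channel(observed_fingerprint: str, expected_fingerprint: str,
                             negotiated_version: str) -> list:
    """Pure check shared by the live probe and the test; returns a list of findings."""
    findings = []
    if observed_fingerprint.lower() != expected_fingerprint.lower():
        findings.append(
            "leaf certificate differs from the gateway's own certificate: a device in the path "
            "(proxy, load balancer, break-and-inspect appliance) is terminating TLS, which "
            "Tunnel Gateway does not support and which makes client connections fail"
        )
    if negotiated_version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"unexpected protocol version {negotiated_version}")
    return findings


def probe_control_channel(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a TCP/TLS connection to the Site's public FQDN/port and report what is presented.

    Verification is disabled on purpose: the point is to see the certificate a client would
    really receive, including one injected by an inspecting device, not to trust it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)   # DER bytes are returned even when unverified
            return {"fingerprint": leaf_fingerprint(der), "version": tls.version()}


if __name__ == "__main__":
    # Usage: python probe.py <site FQDN> <server port> <expected sha256 fingerprint hex>
    # The FQDN, port and fingerprint are your own deployment's values (placeholders here).
    host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    seen = probe_control_channel(host, port)
    findings = evaluate_control_channel(seen["fingerprint"], expected, seen["version"])
    print("negotiated:", seen["version"], "fingerprint:", seen["fingerprint"])
    for line in findings or ["ok: gateway certificate presented end to end"]:
        print(line)
```

Run it from a network position equivalent to a mobile client (outside the corporate firewall); a fingerprint mismatch there, with a match when probing the gateway's internal interface directly, points at the intermediate device that has to be removed from the client path or configured to pass the sessions through untouched.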
Conditional Access is done in the VPN client and based on the cloud app Microsoft Tunnel Gateway. Non-compliant devices won’t receive an access token from Azure AD and can't access the VPN server. For more information about using Conditional Access with Microsoft Tunnel, see Use Conditional Access with the Microsoft Tunnel.
The Management Agent is authorized against Azure AD using Azure app ID/secret keys.
Is Microsoft Intune a VPN?
Microsoft Intune includes many VPN settings that can be deployed to your iOS/iPadOS devices. These settings are used to create and configure VPN connections to your organization's network. This article describes these settings. Some settings are only available for some VPN clients, such as Citrix, Zscaler, and more.
What is Microsoft Tunnel Gateway?
The Microsoft Tunnel Gateway solution allows Microsoft Intune-enrolled iOS and Android devices to access on-premises apps and resources.
What are 3 types of VPN tunnels?
- IPsec Tunnels. In principle, a network-based VPN tunnel is no different from a client-based IPsec tunnel. ...
- Dynamic Multi point VPN (DMVPN) ...
- MPLS-based L3VPN.
A VPN is a secure, encrypted connection over a publicly shared network. Tunneling is the process by which VPN packets reach their intended destination, which is typically a private network.
What is Microsoft Intune called now?
The name Microsoft Endpoint Manager will no longer be used. Going forward, we'll refer to cloud management as Microsoft Intune and on-premises management as Microsoft Configuration Manager.
What are the disadvantages of using Microsoft Intune?
Intune cons:
- Narrow focus on mobile devices; not a full systems-management platform.
- Doesn't support server-side applications.
- Not intended for large applications.
- Doesn't have the feature-set to handle complex package deployments.
Azure Active Directory (Azure AD) is a universal identity management platform that incorporates user credentials and strong authentication policies to safeguard your company's data, while Microsoft Intune provides cloud-based mobile device management (MDM) and mobile application management (MAM).
Why is a VPN tunnel used?
A VPN tunnel (short for virtual private network tunnel) can provide a way to cloak some of your online activity. How? A VPN tunnel connects your smartphone, laptop, computer, or tablet to another network in which your IP address is hidden and all the data you generate while surfing the web is encrypted.
What is an advantage of VPN tunnel mode?
Tunnel mode, which is used in most VPNs, creates virtual tunnels between two subnets. This mode encrypts the payload and the IP header. The principal advantage of IPSec is that it offers confidentiality and authentication at the packet level between hosts and networks.
When connected to a VPN (the one often mentioned on Quora), that VPN is a gateway, behind your home gateway and a proxy behind your home gateway. A router is a device that does packet routing and address translation, and often offers a firewall for your home or office network.
How do I deploy Microsoft Tunnel?
- Create a Server configuration.
- Create a Site.
- Install Microsoft Tunnel Gateway.
- Deploy the Microsoft Tunnel client app.
- Create a VPN profile.
- Use custom settings for Microsoft Defender for Endpoint.
- Configure TunnelOnly mode to comply with the European Union Data Boundary.
- Upgrade Microsoft Tunnel.
- In the Google Cloud console, go to the VPN page. ...
- Click Create VPN tunnel.
- From the drop-down menu, select the gateway that requires the second tunnel, and then click Continue.
- Choose a Cloud Router. ...
- For Peer VPN gateway, select On-prem or Non Google Cloud.
Azure VPN Gateway connects your on-premises networks to Azure through Site-to-Site VPNs in a similar way that you set up and connect to a remote branch office. The connectivity is secure and uses the industry-standard protocols Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).
What are the four main tunneling protocols?
The most common VPN tunneling protocols include PPTP, L2TP/IPsec, OpenVPN and SSTP.
What are the two phases of VPN tunnels?
VPN negotiations happen in two distinct phases: Phase 1 and Phase 2. The main purpose of Phase 1 is to set up a secure encrypted channel through which the two peers can negotiate Phase 2. When Phase 1 finishes successfully, the peers quickly move on to Phase 2 negotiations.
What are the disadvantages of using tunneling VPN?
- Disadvantages of a VPN. Before deciding to use a VPN, it's important to understand the disadvantages of a VPN as well. ...
- Slow Connection Speeds. ...
- VPN Blocking Software Exists. ...
- Complicated Set Up. ...
- Dropped Connections. ...
- Gaming Cons.
TunnelBear is a safe VPN to use. It has strong encryption and a strict no logging policy. TunnelBear uses AES-256 for data encryption, SHA256 for data authentication, and the Diffie-Hellman exchange (2048-, 3072-, or 4096-bit) for handshake encryption.
Is a VPN different than an IP address?
A VPN replaces your actual IP address to make it look like you've connected to the internet from a different location: the physical location of the VPN server, rather than your real location. This is just one reason why so many people use VPNs.
What is Intune in layman's terms?
Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints. You can protect access and data on organization-owned and users' personal devices.
Microsoft currently offers two mobile device management solutions: MDM for Office 365 and Microsoft Intune.
Is Intune easy to learn?
Getting a trial version of Azure AD, Office 365, and Intune is a very straightforward process if you have never done this same process with your credit card and mobile number. Azure AD and Office 365 are prerequisites for Intune if you want to test/trial all the features of Intune.
Can Intune see my browsing history?
Intune doesn't collect, nor allow an admin to see, the following data: an end user's calling or web browsing history, personal email, and text messages.
How much is Intune monthly?
Intune Pricing Options
Pricing for Microsoft Intune starts at $10.60 per user per month. Microsoft Intune has two different packages: Enterprise Mobility + Security E3 and Enterprise Mobility + Security E5.
Microsoft Intune is the SaaS solution provided by Microsoft. Microsoft Intune is a cloud-based desktop and mobile device management tool. It supports macOS, iOS, Android, and Windows 10.
Can you use Intune without Azure?
@lalajee No, if you want to use Intune, it needs to connect to Azure AD.
Does Intune require Azure?
To use features like automatic MDM enrollment in Intune, you'll need Azure AD Premium, which requires the purchase of an Enterprise Mobility + Security (EMS) subscription.
What are the pros and cons of using a VPN?
|Pros|Cons|
|---|---|
|Protects your online privacy|Cheap or free VPNs are slow, insecure and may collect your data|
|Masks your IP address|Premium VPNs cost money|
|Works as a handy protection tool for activists in hostile environments|VPNs do not protect you from data hoarding on social media|
Use tunnel mode for network-to-network communications or host-to-network and host-to-host communications over the Internet. In tunnel mode, the entire IP packet (data, plus the message headers) is encrypted and/or authenticated. It must then be encapsulated into a new IP packet for routing to work.
Is it better to put VPN on router or device?
Compared to configuring a VPN on only some of your devices, setting one up on your router can be advantageous: Your entire home network is protected, including Internet of Things (IoT) and smart home devices. Any device that can connect to your network can connect to the VPN.
A VPN gateway can be a router, server, firewall or similar device with internetworking and data transmission capabilities.
Is gateway same as firewall?
A gateway is used to link two separate networks together, allowing users to communicate across several networks. In contrast, a firewall secures a network by deciding which data packets are allowed to pass through a network.
Is Gateway Address same as IP address?
Your default gateway address will usually be your router's IP address. That's right: your Wi-Fi router has its own unique IP tag.
How does Microsoft Always On VPN work?
By using RAS Gateway, you can deploy VPN connections to provide end users with remote access to your organization's network and resources. Deploying Always On VPN maintains a persistent connection between clients and your organization network whenever remote computers are connected to the Internet.
Does Microsoft have a VPN solution?
Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
How do I create a VPN tunnel in Azure?
- Create a virtual network.
- Create a VPN gateway.
- Create a local network gateway.
- Configure your VPN device.
- Create VPN connections.
- Verify the VPN connection.
- Connect to a virtual machine.
A VPN masks your IP address by acting as an intermediary and rerouting your traffic. It also adds encryption, or a tunnel around your identity, as you connect. The combination of the VPN server and the encryption tunnel blocks your ISP, governments, hackers, and anyone else from spying on you as you navigate the web.
How many types of VPN protocols are there?
- PPTP. Point-to-Point Tunneling Protocol is one of the oldest VPN protocols in existence. ...
- L2TP/IPSec. Layer 2 Tunnel Protocol is a replacement of the PPTP VPN protocol. ...
- OpenVPN. OpenVPN is an open source protocol that allows developers access to its underlying code. ...
- SSTP. ...
- Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-based solution that can penetrate firewalls since most firewalls open the outbound TCP port that 443 SSL uses.
- OpenVPN. ...
- IKEv2 VPN.
Conclusion: summing up, a VNet peering connection is private, without public IP endpoints. There is no public internet involved. By contrast, with VPN Gateways a public IP is involved.
Multicast traffic forwarding – GRE tunnels can be used to forward multicast traffic, whereas a VPN cannot. Because of this, multicast traffic such as advertisements sent by routing protocols can be easily transferred between remote sites when using a GRE tunnel.
How do I connect to Microsoft Tunnel?
Open a web browser to https://Microsoft.com/devicelogin and enter the device code that's provided by the installation script, and then sign in with your Intune admin credentials. After Microsoft Tunnel Gateway registers with Intune, the script gets information about your Sites and Server configurations from Intune.
What does Workspace ONE Tunnel do?
VMware Workspace ONE Tunnel securely connects both internally built and public App Store applications to corporate resources within your network. Tunnel natively gives your apps on-demand access to what you need to be productive, without touching your personal space.
How do I set up a Microsoft VPN server?
In Settings, select Network & internet > VPN. Next to the VPN connection you want to use, select Connect. If you're prompted, enter your username and password or other sign-in info.
How do I enable tunnel VPN?
- In the administration interface, go to Interfaces.
- Click Add > VPN Tunnel.
- Type a name of the new tunnel.
- Set the tunnel as active and type the hostname of the remote endpoint. At least one endpoint must be set as active. ...
- Select Type: IPsec.
- Select Remote certificate:
VPN can be kept on all the time
To sum it up, keeping your VPN on all the time is not only perfectly safe but actually recommended. It can keep your online identity anonymous, protect you from attacks associated with unsecured public Wi-Fi networks and help you bypass various artificial restrictions.
A VPN encrypts and conceals your entire online traffic. It hides your IP address, location, and all digital activities, including downloads, streaming, and gaming activities. A VPN hides your browsing history from your ISP, websites, online snoopers, and even the government.
However, a VPN won't meet all your privacy and security needs. Also, it will slow down your internet speeds and increase your data usage. Even worse, a poor-quality VPN could carry serious security and privacy risks, and leave you worse off than if you weren't using one at all.
What is the difference between a tunnel mode VPN and a split tunneling VPN?
Full tunnel mode uses the VPN for all internet activities, while split tunneling divides traffic between the VPN and the local open internet.
What is the difference between split tunnel and full tunnel VPN?
Full tunnel means using your VPN for all your traffic, whereas split tunneling means sending part of your traffic through a VPN and part of it through the open network. This means that full tunneling is more secure than split tunneling because it encrypts all your traffic rather than just some of it.