Windows VPN Configuration

Virtual Private Networks (VPNs) help organizations provide secure access to corporate resources that sit behind a firewall. In most organizations, business-critical information, assets and resources are behind a firewall and are not reachable over the public network. VPN software lets employees reach this data from their devices regardless of the network they are on.

If your organization uses a VPN, it becomes important to be able to configure it on the corporate devices and/or employee-owned devices that are used to access corporate data. Scalefusion provides the mechanisms to configure the VPN remotely and publish it to the Windows devices managed by Scalefusion.

The document below explains how to configure VPN settings on managed Windows devices.

Minimum Requirements for VPN

Let us first understand the basic requirements for configuring VPN from the Scalefusion Dashboard:

  1. Enrolled Windows 10 device

How Does it Work?

  1. Devices use a VPN connection profile to start a connection with the VPN server.
  2. VPN profiles assign VPN settings to the devices in the organization so that they can connect easily and securely to the organizational network.

How to Configure VPN Service?

Here are a few reference links for configuring VPN on the devices:

  1. CSP Reference - https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp
  2. EAP Configuration - https://docs.microsoft.com/en-us/windows/client-management/mdm/eap-configuration
  3. Third Party/Plugin type links
    1. Pulse Secure
    2. SonicWall Mobile Connect
    3. Check Point Capsule VPN
    4. F5 Access/F5 VPN Client

Which VPN types do we support?

We support the following VPN connection types:

NativeProtocolType

  • PPTP
  • L2TP
  • IKEv2
  • Automatic

Third Party/Plugin type

Configuration

  1. Log in to the Scalefusion Dashboard
  2. Navigate to Device Management > Device Profiles
  3. Click Create New Profile or edit an existing Windows profile
  4. Navigate to Settings > VPN
  5. Enable Configure VPN Settings

Base Settings

This section allows the admin to set the VPN profile name and VPN profile type.

The settings are described below.

Profile Name

Specify the name which needs to be displayed as the VPN name on the device.

The name must not include a forward slash (/)

Profile Type

Specify VPN connection type from the following:

  • Native
  • Plugin (Third Party)
    If it is Plugin (Third Party), select the Plugin Package Family Name and other related details

Native Protocol Type

The tunneling protocol to use. Select a Native Protocol Type from the following:

  • PPTP
  • L2TP with Certificate
  • L2TP with Preshared key
  • IKEv2
  • Automatic
    By default Automatic is selected, which means the device will try each of the built-in tunnelling protocols until one succeeds.

Servers

The public or routable IP address or DNS name of the VPN gateway, for example 208.147.66.130 or https://www.vpnbook.com/

Authentication User Method

Select the authentication protocol for the VPN, from the following:

  • EAP
  • Not Configured
  • MSChapv2
    MSChapv2 is not supported for IKEv2

Authentication Machine Method

This comes up only when IKEv2 is selected as the Native Protocol type. Select one of the following methods:

  • Not Configured
  • Certificate

EAP Configuration

HTML-encoded XML of the EAP configuration. For more information about the EAP configuration XML, see the EAP Configuration reference linked above.

Per App Settings

This allows the admin to select the list of applications that trigger the VPN. If any of these apps is launched while this VPN profile is the active profile, the profile is triggered to connect. Per-app VPN gives the admin granular, detailed control over the organisation's VPN connections on an app-by-app basis.

All allowed apps are listed here.
  • Enable Trigger App: connects to the VPN whenever the app is launched.
    Enable Trigger App works in conjunction with Remember Credentials under Advanced Settings.
  • Enable Allowed App: allows only the selected applications to work over the VPN.
    Enable Allowed App works in conjunction with Force Tunnel as the Routing Policy Type.

Advanced Settings

The settings are described below.

Remember Credentials

Enable this setting to remember (cache) the user's login credentials.

Always On

Enable this setting to force the VPN connection to be always on.

Always On only works for the active profile.

Lock Down

Enable this to force the VPN to always be on and never disconnect.

DNS Suffixes

Add a connection-specific DNS suffix for the VPN interface. Use a comma "," to add multiple DNS suffixes.

Trusted Network Detection

Enter a comma separated string to identify the trusted network. The VPN does not connect automatically when a trusted network connection is detected.

Proxy Settings

You can enable post-connect proxy support for the VPN by configuring proxy settings. The proxy defined for this profile is applied when the profile is active and connected.

Two options to define Proxy settings:

Automatic: Select this to automatically detect the proxy servers used by the VPN. You need to provide the URL from which the proxy settings are retrieved.

Manual: To configure the proxy server manually, select this option and provide the proxy server address, which can be a hostname or an IP address.

Route Settings

You can set route settings from this section. There are two routing policy types to choose from:

  1. Force Tunnel: When Force Tunnel is selected, all IP traffic goes through the VPN interface only.
  2. Split Tunnel: When Split Tunnel is selected, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over other interfaces.
  • Disable Class Route: By default, when split tunnelling is enabled, the client is also assigned a class-based route derived from the IP address assigned to it by the VPN server. Enable this to suppress that route.

Provide the list of routes to be added to the routing table for the VPN interface (Address and Prefix). This is required in the split-tunnel case where the VPN server site has more subnets than the default subnet based on the IP assigned to the interface. Adding a route here allows the networking stack to identify the traffic that needs to go over the VPN interface for a split-tunnel VPN.

The difference between Force Tunnel and Split Tunnel is that Split Tunnel unchecks the Default Gateway on the remote network.
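The Base, Advanced and Route settings above are published to the device through the VPNv2 CSP ProfileXML node. The following is an added example (not Scalefusion's or Microsoft's code) that maps those dashboard fields onto a ProfileXML document and enforces the constraints this page states (no "/" in the profile name, no MSChapv2 with IKEv2, Allowed Apps needing Force Tunnel, Trigger Apps needing Remember Credentials, and a split tunnel with the class route disabled needing at least one explicit route). Element names follow the VPNv2 ProfileXML schema as I recall it and should be checked against the CSP reference linked above; the config keys and sample values are constructed for the example, with None standing for "Not Configured".

```python
# Added example, not Scalefusion's or Microsoft's code: maps the dashboard fields above onto
# VPNv2 CSP ProfileXML and enforces the rules the page states. Element names are as I recall them.
import xml.etree.ElementTree as ET

ROUTING = {"Force Tunnel": "ForceTunnel", "Split Tunnel": "SplitTunnel"}
FLAGS = (("remember_credentials", "RememberCredentials"), ("always_on", "AlwaysOn"),
         ("dns_suffix", "DnsSuffix"), ("trusted_networks", "TrustedNetworkDetection"))

def validate(cfg):
    """Return the documented constraints cfg violates; an empty list means publishable."""
    problems = []
    if "/" in cfg["profile_name"]:
        problems.append("profile name must not include a forward slash")
    if cfg["native_type"] == "IKEv2" and cfg.get("user_method") == "MSChapv2":
        problems.append("MSChapv2 is not supported for IKEv2")
    # Split tunnel with the class route disabled and no explicit routes sends nothing over the VPN.
    if cfg["routing"] == "Split Tunnel" and cfg.get("disable_class_route") and not cfg.get("routes"):
        problems.append("split tunnel without class route needs at least one route")
    if cfg.get("allowed_apps") and cfg["routing"] != "Force Tunnel":
        problems.append("allowed apps work in conjunction with Force Tunnel")
    if cfg.get("trigger_apps") and not cfg.get("remember_credentials"):
        problems.append("trigger apps work in conjunction with Remember Credentials")
    return problems

def build_profile_xml(cfg):
    """Serialise cfg as ProfileXML (the profile name becomes the CSP node, not an element)."""
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.Element("VPNProfile")
    native = ET.SubElement(root, "NativeProfile")
    ET.SubElement(native, "Servers").text = cfg["server"]
    ET.SubElement(native, "NativeProtocolType").text = cfg["native_type"]
    auth = ET.SubElement(native, "Authentication")
    if cfg.get("user_method"):                  # None stands for "Not Configured"
        ET.SubElement(auth, "UserMethod").text = cfg["user_method"]
    if cfg.get("machine_method"):               # only offered for IKEv2 in the dashboard
        ET.SubElement(auth, "MachineMethod").text = cfg["machine_method"]
    ET.SubElement(native, "RoutingPolicyType").text = ROUTING[cfg["routing"]]
    if cfg.get("disable_class_route"):
        ET.SubElement(native, "DisableClassBasedDefaultRoute").text = "true"
    for addr, prefix in cfg.get("routes", []):  # (Address, Prefix) pairs from Route Settings
        route = ET.SubElement(root, "Route")
        ET.SubElement(route, "Address").text = addr
        ET.SubElement(route, "PrefixSize").text = str(prefix)
    for key, tag in FLAGS:                      # booleans become "true", strings copied as-is
        if cfg.get(key):
            ET.SubElement(root, tag).text = "true" if cfg[key] is True else cfg[key]
    return ET.tostring(root, encoding="unicode")
```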

After giving all settings, click Update Profile.

Once these VPN settings are applied on a device, open the VPN settings on your enrolled Windows device. The VPN you set up appears there and you can connect to it.
