Exploring Microsoft Tunnel (Part 2)

In Part 1, we looked at some of the prerequisites and the installation of the Microsoft Tunnel. In this post, we will look at the Intune side. In Part 3, we will see the solution in action and go over ways to troubleshoot any issues.

Intune Server and Site Configuration

On the Intune side, you have to create a Server Configuration and Site Configuration.

Server Configuration - Defines the client IP address range, DNS servers, split tunneling and server port information.

  • IP Address Range - Defines the IP addresses reserved for clients when connecting to the MS Tunnel VPN
  • DNS Servers - Defines the DNS servers to be used when connected to the MS Tunnel VPN
  • Split Tunneling - Defines the subnets for which the client will route traffic through the MS Tunnel VPN
  • Server Port - Defines the port used to connect to the server
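The four fields above depend on one another: with split tunneling enabled, only traffic destined for the included subnets enters the tunnel, so DNS servers outside those subnets are never reached through it, and an included subnet that overlaps the client IP range is a misconfiguration. As an added example that is not part of the original post, the following standard-library Python checks a constructed configuration for exactly those mistakes; `TunnelServerConfig` is a hypothetical model of the Intune fields, not an Intune API.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class TunnelServerConfig:
    """Hypothetical model of the Intune Server Configuration fields (not an Intune API)."""
    ip_address_range: str            # CIDR handed out to connecting clients
    dns_servers: list[str]           # resolvers used while connected
    split_tunnel_include: list[str]  # subnets routed through the tunnel; empty means full tunnel
    server_port: int = 443

def validate_server_config(cfg: TunnelServerConfig) -> list[str]:
    """Return a list of findings; an empty list means the fields are mutually consistent."""
    findings = []
    try:
        client_net = ipaddress.ip_network(cfg.ip_address_range, strict=False)
    except ValueError:
        return [f"ip_address_range {cfg.ip_address_range!r} is not a valid CIDR"]
    if not client_net.is_private:
        findings.append(f"client range {client_net} is not a private range")
    if not 1 <= cfg.server_port <= 65535:
        findings.append(f"server port {cfg.server_port} is out of range")

    # An included route that overlaps the client pool makes the same addresses both tunnel
    # endpoints and tunnel destinations, which is never what an admin intends
    routes = [ipaddress.ip_network(r, strict=False) for r in cfg.split_tunnel_include]
    for r in routes:
        if r.overlaps(client_net):
            findings.append(f"split-tunnel route {r} overlaps the client range {client_net}")

    # With split tunneling on, only traffic to the included routes enters the tunnel, so a
    # DNS server outside every route is queried over the device's normal network instead
    if routes:
        for dns in cfg.dns_servers:
            if not any(ipaddress.ip_address(dns) in r for r in routes):
                findings.append(f"DNS server {dns} is outside every split-tunnel route")
    return findings

# Constructed sample configurations, not taken from a real deployment
GOOD = TunnelServerConfig("10.55.0.0/24", ["10.10.1.53"], ["10.10.0.0/16", "192.168.50.0/24"])
BAD = TunnelServerConfig("10.55.0.0/24", ["8.8.8.8"], ["10.10.0.0/16", "10.55.0.0/25"])

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, validate_server_config(cfg) or "ok")
```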

Server Configuration

Site Configuration - Defines the public IP address or FQDN of the server as well as the server configuration it uses.

  • Public IP address or FQDN - Defines the public IP address or DNS name of the server.
  • Server Configuration - Select a previously defined server configuration.

Site Configuration

Server Configuration - This is where you download the installer script. Once the script has been run, this section lists the servers that are configured.

The file is a bash script that runs a function to configure the server.

Run the tunnel setup

Before the setup can be run, the PFX file needs to be copied to the MStunnel directory.

# Download the setup script (the aka.ms link redirects to the current release)
wget https://aka.ms/microsofttunneldownload -O mstunnel-setup
# The downloaded file is not executable, so mark it as such before running it
sudo chmod +x ./mstunnel-setup
sudo ./mstunnel-setup

Intune Client Configuration

Also on the Intune side, two configuration profiles were created to deploy the root and trusted CA certs to the mobile device.

A VPN profile was deployed as well, with the connection type set to Microsoft Tunnel.
VPN Configuration

Lastly, the per-app VPN needs to be associated at the app deployment level. In my case, the app I wanted the on-demand VPN for was configured to use my MSTunnel configuration policy.

App Configuration

The Microsoft Tunnel app also needs to be deployed to the clients. This app is used to connect to the VPN and to enforce Conditional Access rules (2FA, for example). In the next and last part of this blog, we will go over the solution end to end.