Microsoft Tunnel is a new feature which was released during Microsoft Ignite 2020. Tunnel is a VPN gateway solution for Microsoft Intune. The tunnel allows access to on-premises resources from iOS/iPadOS and Android Enterprise devices using modern authentication and Conditional Access. As shown in the picture above, the service itself consists of multiple components, including an on-premises container which handles the actual communication between Microsoft, the endpoint device and the internal services. (It should also be noted that at the time of this post Microsoft Tunnel is in public preview.)
The service also requires that you install the Microsoft Tunnel application on your device (iOS/Android), which is available in the app stores now.
Only devices that are enrolled to Intune are supported with Microsoft Tunnel. The following device platforms are supported:
- Android Enterprise (Fully managed, Corporate-Owned Work Profile, Work profile)
The following functionality is supported by all platforms:
- Azure Active Directory (Azure AD) authentication to the Tunnel using either username and password, or certificates.
- Per-app support.
- Manual full-device tunnel through a Tunnel app, where the user launches VPN and selects Connect.
- Split tunneling. However, on iOS split tunneling rules are ignored when your VPN profile uses per app VPN.
Support for a Proxy is limited to the following platforms:
- Android 10 and later
The configuration of the setup is done in 4 parts (Tenant configuration, Server Configuration, VPN Configuration and App Configuration)
1: Tenant configuration
The first thing is to configure the tenant to support Microsoft Tunnel. During the preview this is done with a PowerShell script from Microsoft that creates an application for the Tunnel, which is used to authenticate the users.
(NOTE: to run the script you need to change the execution policy with Set-ExecutionPolicy -ExecutionPolicy Unrestricted because the script itself is not signed; change it back after running the script.)
Run the script, which will prompt you to log in with your account to your Azure AD tenant.
This will create an Azure AD application within your tenant; you can look for “Application ID: 3678c9e9-9681-447a-974d-d19f668fcd88”.
If you want to block access to certain users for the VPN Tunnel you can define a Conditional Access Policy to block users from accessing the application.
1: Define a list of users which should be excluded from this (ergo those you want to provide access to)
2: Define Block Access
3: Define the application Microsoft Tunnel
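The same three choices (all users in scope, the allowed group excluded, the Tunnel application targeted, grant control set to block) expressed as a Microsoft Graph conditionalAccessPolicy body generated from a POSIX shell function. This is an added example and not part of the original post or of Microsoft's tooling; the allowed-group id is a placeholder, the application id is the one shown above, and the policy is created in report-only state so its effect can be reviewed in the sign-in logs before it is switched to enabled. The create_ca_policy function is a live call that needs an access token with the Policy.ReadWrite.ConditionalAccess permission.

```shell
#!/bin/sh
# ca_policy_json ALLOWED_GROUP_ID TUNNEL_APP_ID
# Prints a Graph conditionalAccessPolicy body that blocks every user except the
# members of ALLOWED_GROUP_ID from the Microsoft Tunnel application.
ca_policy_json() {
    allowed_group=$1
    tunnel_app=$2
    cat <<EOF
{
  "displayName": "Block Microsoft Tunnel except VPN users",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeGroups": ["$allowed_group"]
    },
    "applications": {
      "includeApplications": ["$tunnel_app"]
    },
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["block"]
  }
}
EOF
}

# create_ca_policy ACCESS_TOKEN ALLOWED_GROUP_ID TUNNEL_APP_ID
# Posts the generated body to Microsoft Graph. Live call; not exercised here.
create_ca_policy() {
    ca_policy_json "$2" "$3" | curl -sS -X POST \
        -H "Authorization: Bearer $1" \
        -H "Content-Type: application/json" \
        --data-binary @- \
        https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
}

# Usage: print the body for review. The group id below is a constructed placeholder.
if [ $# -gt 0 ]; then
    ca_policy_json "$1" 3678c9e9-9681-447a-974d-d19f668fcd88
fi
```

Run as `sh ca-policy.sh <allowed-group-object-id>` to print the body, review it, then pass a token to create_ca_policy. Keep the exclusion group small and audited: anyone added to it is outside the block, so it is the list that actually grants Tunnel access.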
After the application is created you need to do a site configuration from within the tenant portal.
1: Go into Server Configuration and set up a new configuration (which will create a site); note that a site can contain multiple servers. Define an IP address range that the clients will receive when connecting, define DNS servers and optionally define a DNS suffix and split tunneling. You also need to define which port the server should listen on (default 443).
2: Then go into Sites and Servers and choose Create a new Site. Here you just need to define the name of the site and its public IP or FQDN (here I just used the public IP of the server in Azure), and attach it to the site configuration.
Then go back in the wizard, choose Create server, and click Download script for the installer.
2: Server configuration
To set up a server, use one of the following supported operating systems.
Linux distribution – the following are supported:
- CentOS 7.4+ (CentOS 8+ isn’t supported)
- Red Hat (RHEL) 7.4+ (RHEL 8+ isn’t supported)
- Ubuntu 18.04
- Ubuntu 20.04
It should also be configured with a public IP address and two NICs, one that is public facing and another that is facing the internal network. (For my example I used a VM in Microsoft Azure running Ubuntu 18.04, which was also configured to run Docker: https://docs.docker.com/engine/install/ubuntu/)
Here is the full Docker setup script that you need to run with sudo on the Ubuntu VM.
# Docker CE install on Ubuntu (from the Docker docs linked above)
sudo apt-get update
# packages needed to add the Docker repository over HTTPS
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common
# import Docker's signing key and confirm its fingerprint before trusting the repo
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo apt-key fingerprint 0EBFCD88
sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
   $(lsb_release -cs) \
   stable"
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
After the server is setup you should run the network assessment script that Microsoft has created to ensure connectivity to Intune
1: Download the script from Microsoft on the Ubuntu VM using the CLI and make it executable
wget --output-document=mst-readiness https://aka.ms/microsofttunnelready
chmod +x ./mst-readiness
2: Run the script as root
sudo ./mst-readiness network
You can read the different CLI commands supported for the script here –> https://docs.microsoft.com/en-us/mem/intune/protect/microsoft-tunnel-reference#mst-cli-command-line-tool-for-microsoft-tunnel-gateway
3: Install Docker CE on the VM (Ubuntu Wizard is here –> https://docs.docker.com/engine/install/ubuntu/)
4: Have a TLS certificate available which will be used for the VPN connection (the TLS certificate can be in PEM or PFX format).
5: Download the Tunnel setup script (wget https://aka.ms/microsofttunneldownload -O mstunnel-setup; note the capital -O, which is wget's output file option, whereas lowercase -o only redirects the log), change the permissions using chmod +x mstunnel-setup, then run the script with ./mstunnel-setup
When you start the script, it downloads container images from Docker and creates the necessary folders and files on the server. It also displays an EULA that you need to accept. You will also need to copy the certificate into a folder under /etc/mstunnel: /etc/mstunnel/private if it is in PFX format, or /etc/mstunnel/certs if it is in PEM format. Note that the PFX needs to be called site.pfx (the expected file names depend on the format used).
Once this step is complete you will be asked to authenticate against Azure AD using device login. Then it should complete. You can view the status of the server by running the following command /usr/sbin/mst-cli server status
You can also view it in the Endpoint manager portal
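Before running mstunnel-setup it is worth checking the host against the requirements listed in this section. The script below is an added example and is not Microsoft's mst-readiness tool or anything from the original post. It assumes the supported-OS list stated above, the certificate layout /etc/mstunnel/private/site.pfx for PFX, and site.crt under /etc/mstunnel/certs with site.key under /etc/mstunnel/private for PEM (the PEM file names are an assumption, taken from the Microsoft documentation rather than this post). It also flags a world-readable private key, which is the one check here that protects the TLS identity of the gateway rather than just the install.

```shell
#!/bin/sh
# Added pre-flight check for a Microsoft Tunnel gateway host (example code, not
# Microsoft's mst-readiness script). Paths and PEM file names are assumptions.

# os_supported ID VERSION_ID -> 0 when the pair is on the supported list:
# CentOS/RHEL 7.4 or later but below 8, Ubuntu exactly 18.04 or 20.04.
os_supported() {
    id=$1
    ver=$2
    major=${ver%%.*}
    case "$ver" in
        *.*) minor=${ver#*.} ;;
        *)   minor=0 ;;
    esac
    minor=${minor%%.*}   # 7.9.2009 -> minor 9
    case "$id" in
        centos|rhel) [ "$major" -eq 7 ] && [ "$minor" -ge 4 ] ;;
        ubuntu)      [ "$ver" = "18.04" ] || [ "$ver" = "20.04" ] ;;
        *)           return 1 ;;
    esac
}

# cert_layout ROOT -> prints "pfx" or "pem" and returns 0 when a complete
# certificate set is present under ROOT (/etc/mstunnel on a real host).
cert_layout() {
    root=$1
    if [ -f "$root/private/site.pfx" ]; then
        echo pfx
    elif [ -f "$root/certs/site.crt" ] && [ -f "$root/private/site.key" ]; then
        echo pem
    else
        return 1
    fi
}

# key_not_world_readable FILE -> 0 when the "other" permission bits are ---
# (uses the POSIX ls -l mode column so it works without GNU stat).
key_not_world_readable() {
    others=$(ls -l "$1" | cut -c8-10)
    [ "$others" = "---" ]
}

# run_checks ROOT -> prints PASS/FAIL per requirement, returns 1 on any FAIL.
run_checks() {
    root=$1
    rc=0
    if [ -r /etc/os-release ] && (. /etc/os-release && os_supported "$ID" "$VERSION_ID"); then
        echo "PASS os release is on the supported list"
    else
        echo "FAIL os release is not supported"; rc=1
    fi
    if command -v docker >/dev/null 2>&1; then
        echo "PASS docker is installed"
    else
        echo "FAIL docker is missing"; rc=1
    fi
    if [ -d /sys/class/net ] && [ "$(ls /sys/class/net | grep -vc '^lo$')" -ge 2 ]; then
        echo "PASS two or more NICs present"
    else
        echo "FAIL fewer than two NICs"; rc=1
    fi
    if layout=$(cert_layout "$root"); then
        echo "PASS certificate layout: $layout"
        if [ "$layout" = pem ] && ! key_not_world_readable "$root/private/site.key"; then
            echo "FAIL $root/private/site.key is world-readable"; rc=1
        fi
    else
        echo "FAIL no site.pfx or site.crt/site.key under $root"; rc=1
    fi
    return $rc
}

# Usage: sh mst-preflight.sh /etc/mstunnel
if [ $# -gt 0 ]; then
    run_checks "$1"
fi
```

Run it as root on the gateway host with the certificate directory as the argument; a non-zero exit means at least one requirement from this section is not met. It does not check the listening port, since that is only known once the site configuration is chosen.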
3: VPN / Intune configuration
Once the server is up and running we need to define a VPN profile. Note that setting up a VPN profile using Microsoft Tunnel is only supported for devices enrolled using Android Enterprise or iOS (they need to be managed using Microsoft Intune).
Microsoft Endpoint Manager –> Devices –> Configuration Policies –> Create Profile –> VPN
It will then list the VPN sites configured on the tenant. The connection can be defined as a base VPN, an always-on VPN or a per-app VPN.
Then it needs to be assigned to either a user or device group.
4: User Configuration
Once the VPN profile is configured and assigned to your users and/or devices, the user should see the connection information in the Microsoft Tunnel application. You can also view a YouTube video showing the client connection here –> https://www.youtube.com/watch?v=iH4N9YRYOWE&feature=emb_title