077: VPN tunnel

Overview

Let's dive into Microsoft Tunnel, a VPN gateway solution for Microsoft Intune. Here's what you need to know:

1. Overview of Microsoft Tunnel:

   • Purpose: Microsoft Tunnel allows secure access to on-premises resources from iOS/iPadOS and Android Enterprise devices using modern authentication and Conditional Access.
   • Architecture: It runs in a container on a Linux server (either physical or virtual).
   • Deployment Steps:
     • Install Microsoft Tunnel Gateway on the Linux server.
     • Deploy the Microsoft Defender for Endpoint (the Tunnel client app) to devices.
     • Configure VPN profiles on iOS and Android devices to direct them to use the tunnel.
   • Authentication Methods:
     • Devices use Microsoft Entra ID or Active Directory Federation Services (AD FS) to authenticate to the tunnel.
     • Conditional Access policies evaluate device compliance before granting access.
   • Sites: You can install multiple Linux servers and group them into logical units called Sites for better management.

2. Benefits:

   • Secure Access: Provides secure access to on-premises resources.
   • Conditional Access: Integrates with Conditional Access policies for granular control.
   • Per-App VPN: Supports per-app VPN on iOS and Android devices.
   • Trusted Set of IPs: Ensures access to SaaS apps from known, trusted IPs.

3. Drawbacks:

   • Linux Dependency: Requires a Linux server for hosting the tunnel.
   • Complex Setup: Initial setup and configuration may be complex.
   • No FIPS Compliance: Doesn't use FIPS-compliant algorithms.

4. Impact to End Users:

   • Transparent: For iOS devices with Microsoft Defender configured for per-app VPNs, users don't need to manually open or sign in to the app for the tunnel to work.
   • User Experience: End users experience seamless access to corporate resources.

5. Difference from Entra App Proxy:

   • Microsoft Tunnel: Provides full VPN tunneling for on-premises resources.
   • Entra App Proxy: Focuses on secure access to SaaS apps from known IPs, without full VPN functionality.

Remember, Microsoft Tunnel is a powerful tool for secure connectivity, but it's essential to plan and configure it correctly to maximize its benefits!

Reference

• Learn about the Microsoft Tunnel VPN solution for Microsoft Intune: https://learn.microsoft.com/en-us/mem/intune/protect/microsoft-tunnel-overview
• Intune - Microsoft Tunnel VPN Gateway - Nathan McNulty: https://blog.nathanmcnulty.com/intune-microsoft-tunnel-vpn-gateway/
• Use the Microsoft Tunnel app for iOS - Microsoft Intune. https://learn.microsoft.com/en-us/mem/intune/user-help/use-microsoft-tunnel-ios