Microsoft Tunnel is a new VPN gateway solution for Intune. First announced at Ignite in September 2020, Microsoft Tunnel Gateway provides access to on-premises corporate resources from Android and iOS devices. There are plenty of VPN solutions already on the market, including those that are part of Windows Server. So, why does the world need another VPN gateway?
What differentiates Microsoft Tunnel is that it is fully integrated with Microsoft 365, meaning that it supports single sign-on features and Azure Active Directory (AD) Conditional Access policies. And along with simple deployment, there is an app that can be pushed out to devices so that users can easily connect to the VPN gateway.
Microsoft said in a recent announcement that it intends to provide a remote access solution that acts like an appliance but that doesn’t need a lot of ongoing maintenance. To achieve those aims, the gateway is enterprise-ready and it can be used with a load balancer for high availability. The VPN gateway(s) can be quickly deployed on a Linux server that supports Docker containers. The gateway server can be located on-premises, in a DMZ, or hosted in the cloud.
Server configuration is managed using Intune, while updates to the gateway server are applied automatically and logs are sent to the cloud for centralized troubleshooting. There’s also syslog support so that event logs can be sent to Azure Sentinel or other SIEM solutions.
Microsoft already has the Tunnel app in the iOS App Store and Google Play Store. The apps can be deployed seamlessly, and users onboarded from Intune. You can configure the app to provide full device tunneling to ensure that all network traffic goes through the VPN. Alternatively, split tunneling is also supported for organizations that are happy for some traffic to be routed via the public Internet. There’s also the option to configure the Tunnel app to work with specific applications on the device.
Due to limitations in iOS, only the Android version of the app can be configured to have an always-on VPN connection. If using Azure AD single sign-on, users might be able to use the VPN without needing to open the Tunnel app.
Android 10 and later, and iOS/iPadOS, support using a proxy. The Tunnel app can authorize the connection using Azure AD with a username and password, or with certificates. iOS supports split tunneling, but split tunneling rules are ignored if the configured VPN profile uses ‘per-app’ VPN.
Microsoft Tunnel is available for customers with an Intune license. To install the VPN gateway, you’ll need to use one of the following versions of Linux with two network cards:
The Linux server must be running Docker version 19.03 CE or later. You’ll also need a Transport Layer Security (TLS) certificate to secure the connection between the remote devices and the VPN gateway server.
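Before installing the gateway it is worth confirming those prerequisites on the host. The script below is an added example (not Microsoft’s installer): it checks that the Docker engine is at least 19.03, that the box has two physical network interfaces, and that the TLS certificate and private key exist, match each other, and are not about to expire. The certificate and key paths are assumptions, overridable through environment variables.

```shell
#!/bin/sh
# Added pre-flight check for a prospective Microsoft Tunnel gateway host.
# Assumed defaults (not from the article): cert/key locations below.
TUNNEL_CERT="${TUNNEL_CERT:-/etc/mstunnel/site.crt}"
TUNNEL_KEY="${TUNNEL_KEY:-/etc/mstunnel/site.key}"
MIN_DOCKER="19.03"   # minimum Docker CE version required by Tunnel

# version_ge A B: succeeds when dotted version A >= B, compared field by
# field as integers; a suffix such as "12-ce" is dropped by awk's "+0".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = (i in x) ? x[i] + 0 : 0; q = (i in y) ? y[i] + 0 : 0
            if (p > q) exit 0; if (p < q) exit 1
        }
        exit 0 }'
}

check_docker() {
    v=$(docker version --format '{{.Server.Version}}' 2>/dev/null) \
        || { echo "FAIL: Docker engine not installed or not running"; return 1; }
    version_ge "$v" "$MIN_DOCKER" && echo "OK: Docker $v" \
        || { echo "FAIL: Docker $v is older than $MIN_DOCKER"; return 1; }
}

# Count interfaces backed by a device (skips lo, docker0 and other virtual ones).
check_nics() {
    n=0
    for d in /sys/class/net/*; do [ -e "$d/device" ] && n=$((n+1)); done
    [ "$n" -ge 2 ] && echo "OK: $n physical network interfaces" \
        || { echo "FAIL: gateway needs two NICs, found $n"; return 1; }
}

check_cert() {
    [ -r "$TUNNEL_CERT" ] && [ -r "$TUNNEL_KEY" ] \
        || { echo "FAIL: certificate or key missing"; return 1; }
    # -checkend fails if the certificate expires within 30 days (2592000 s)
    openssl x509 -in "$TUNNEL_CERT" -noout -checkend 2592000 >/dev/null \
        || { echo "FAIL: certificate expires within 30 days"; return 1; }
    cm=$(openssl x509 -in "$TUNNEL_CERT" -noout -pubkey | openssl sha256)
    km=$(openssl pkey -in "$TUNNEL_KEY" -pubout 2>/dev/null | openssl sha256)
    [ "$cm" = "$km" ] && echo "OK: certificate and key match" \
        || { echo "FAIL: private key does not match certificate"; return 1; }
}

# Run all checks only when invoked as: sh preflight.sh run
[ "${1:-}" = run ] && { rc=0; check_docker || rc=1; check_nics || rc=1; check_cert || rc=1; exit $rc; }
```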
Microsoft Tunnel looks like a neat solution for mobile devices that need to securely connect to a VPN gateway. Integration with Azure AD brings additional security at a time where remote workers are increasingly targeted. Check back soon and I’ll walk you through setting up this remote access solution on Petri.