How to Create VPN Profiles in Configuration Manager

 

Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace of the Configuration Manager console, expand Compliance Settings, expand Company Resource Access, and then click VPN Profiles.

  3. On the Home tab, in the Create group, click Create VPN Profile.

  4. On the General page of the Create VPN Profile Wizard, specify the following information:

    • Name - Enter a unique name for the VPN profile (up to 256 characters).

      Important

      Do not use the characters \ / : * ? < > | or the space character in the VPN profile name, because these characters are not supported by the Windows Server VPN profile.

    • Description - Enter a description to help you find the profile in the Configuration Manager console (up to 256 characters).

    • Import an existing VPN profile item from a file – Select this option to display the Import VPN Profile page. On this page, you can import VPN profile information that has previously been exported to an XML file (Windows 8.1 and Windows RT operating systems only).

  5. On the Connection page of the wizard, specify the following information:

    • Connection type: From the drop-down list, select the connection type for the VPN connection. You can choose from the connection types in the following table showing the supported platforms.

      Important

      Before you can use VPN profiles deployed to a device, you must ensure that any third-party VPN apps that you require are installed. You can use the information in the How to Create Applications in Configuration Manager topic to help you deploy the app using Configuration Manager.

      Connection type                 iOS   Android   Windows 8.1   Windows RT   Windows RT 8.1   Windows Phone 8.1
      Cisco AnyConnect                Yes   Yes       No            No           No               No
      Juniper Pulse                   Yes   Yes       Yes           No           Yes              Yes
      F5 Edge Client                  Yes   Yes       Yes           No           Yes              Yes
      Dell SonicWALL Mobile Connect   Yes   Yes       Yes           No           Yes              Yes
      Check Point Mobile VPN          Yes   Yes       Yes           No           Yes              Yes
      Microsoft SSL (SSTP)            No    No        Yes           Yes          Yes              No
      Microsoft Automatic             No    No        Yes           Yes          Yes              No
      IKEv2                           No    No        Yes           Yes          Yes              Yes
      PPTP                            Yes   No        Yes           Yes          Yes              No
      L2TP                            Yes   No        Yes           Yes          Yes              No

      Note

      To support Windows Phone 8.1, you must install the optional Windows Phone 8.1 extension. For information on how to install the extension, see Planning to Use Extensions in Configuration Manager. Beginning with System Center 2012 Configuration Manager SP2 this extension is incorporated into Configuration Manager.

    • Server list: Click Add to add a new server to use for the VPN connection. Depending on the connection type, you can add one or more VPN servers and also specify which server is to be the default server.

      Note

      Devices that run iOS do not support using multiple VPN servers. If you configure multiple VPN servers and then deploy the VPN profile to an iOS device, only the default server is used.

    Depending on the connection type that you selected, the further options in the following table might be displayed. See your VPN server documentation for more information.

    Option: Realm
    More information: Specify the name of the authentication realm that you want to use. An authentication realm is a grouping of authentication resources that is used by the Juniper Pulse connection type.
    Connection type: Juniper Pulse

    Option: Role
    More information: Specify the name of the user role that has access to this connection.
    Connection type: Juniper Pulse

    Option: Login group or domain
    More information: Specify the name of the login group or domain that you want to connect to.
    Connection type: Dell SonicWALL Mobile Connect

    Option: Fingerprint
    More information: Specify a string, for example "Contoso Fingerprint Code", that will be used to verify that the VPN server can be trusted. A fingerprint can be:
    • Sent to the client, so that it knows to trust any server presenting that same fingerprint when connecting.
    • Shown to the user: if the device does not already have the fingerprint, it prompts the user to trust the VPN server they are connecting to while displaying the fingerprint (the user manually verifies the fingerprint and clicks trust to connect).
    Connection type: Check Point Mobile VPN

    Option: Send all network traffic through the VPN connection
    More information: If this option is not selected, you can specify additional routes for the connection (for Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP and L2TP connection types), which is known as split tunneling or VPN tunneling. Only connections to the company network are sent over the VPN tunnel; VPN tunneling is not used when you connect to resources on the Internet.
    Connection type: All

    Option: Connection specific DNS suffix
    More information: Optionally, specify the connection-specific Domain Name System (DNS) suffix for the connection.
    Connection type: Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP, L2TP

    Option: Bypass VPN when connected to company Wi-Fi network
    More information: Specifies that the VPN connection will not be used when the device is connected to the company Wi-Fi network.
    Connection type: Cisco AnyConnect, Juniper Pulse, F5 Edge Client, Dell SonicWALL Mobile Connect, Check Point Mobile VPN, Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, L2TP

    Option: Bypass VPN when connected to home Wi-Fi network
    More information: Specifies that the VPN connection will not be used when the device is connected to a home Wi-Fi network.
    Connection type: All

    Option: Per App VPN (iOS 7 and later)
    More information: Select this option if you want to associate this VPN connection with an iOS app, so that the connection is opened when the app is run. You can associate the VPN profile with an app when you deploy it.
    Connection type: Cisco AnyConnect, Juniper Pulse, F5 Edge Client, Dell SonicWALL Mobile Connect, Check Point Mobile VPN

    Option: Custom XML (optional)
    More information: Allows you to specify custom XML commands that configure the VPN connection. Examples:
    • For Juniper Pulse:

      <pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>

    • For CheckPoint Mobile VPN:

      <CheckPointVPN port="443" name="CheckPointSelfhost" sso="true" debug="3" />

    • For Dell SonicWALL Mobile Connect:

      <MobileConnect><Compression>false</Compression><debugLogging>True</debugLogging><packetCapture>False</packetCapture></MobileConnect>

    • For F5 Edge Client:

      <f5-vpn-conf><single-sign-on-credential /></f5-vpn-conf>

    Refer to each manufacturer's VPN documentation for more information about how to write custom XML commands.
    Connection type: Cisco AnyConnect, Juniper Pulse, F5 Edge Client, Dell SonicWALL Mobile Connect, Check Point Mobile VPN

  6. On the Authentication Method page of the wizard, specify the following information:

    • Authentication method: From the drop-down list, select the authentication method that the VPN connection will use. The items in the drop-down list might differ; they depend on the connection type that you previously selected. The available authentication methods and the supported connection types are listed in the following table.

      Authentication method: Certificates
      Supported connection types: Cisco AnyConnect, Juniper Pulse, F5 Edge Client, Dell SonicWALL Mobile Connect, Check Point Mobile VPN
      Tip: If the client certificate is used to authenticate to a RADIUS server, such as a Network Policy Server, the Subject Alternative Name in the certificate must be set to the User Principal Name.

      Authentication method: Username and Password
      Supported connection types: Juniper Pulse, F5 Edge Client, Dell SonicWALL Mobile Connect, Check Point Mobile VPN

      Authentication method: Microsoft EAP-TTLS
      Supported connection types: Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP, L2TP

      Authentication method: Microsoft protected EAP (PEAP)
      Supported connection types: Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP, L2TP

      Authentication method: Microsoft secured password (EAP-MSCHAP v2)
      Supported connection types: Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP, L2TP

      Authentication method: Smart Card or other certificate
      Supported connection types: Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP, L2TP

      Authentication method: MSCHAP v2
      Supported connection types: Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP, L2TP

      Authentication method: RSA SecurID (iOS only)
      Supported connection types: Microsoft SSL (SSTP), Microsoft Automatic, PPTP, L2TP

      Authentication method: Use machine certificates
      Supported connection types: IKEv2

      Depending on the options you select, you might be asked to specify further information, such as:

      • Remember the user credentials at each logon: Select this option to ensure that the user credentials are remembered so that the user does not have to enter credentials each time a connection is established.

      • Select a client certificate for client authentication - Select the client SCEP certificate that you previously created that will be used to authenticate the VPN connection. For more information about how to use certificate profiles in Configuration Manager, see Certificate Profiles in Configuration Manager.

        Note

        For iOS devices, the SCEP profile you select will be embedded in the VPN profile. For other platforms, an applicability rule is added to ensure that the VPN profile is not installed if the certificate is not present, or not compliant.

        If the SCEP certificate you specify is not compliant, or has not been deployed, then the VPN profile will not be installed on the device.

      • For some authentication methods, you can click Configure to open the Windows properties dialog box (if the version of Windows on which you are running the Configuration Manager console supports this authentication method) where you can configure the properties of the authentication method.

      Note

      Devices that run iOS support only RSA SecurID and MSCHAP v2 for the authentication method when the connection type is PPTP. To avoid reporting errors, deploy a separate PPTP VPN profile to devices that run iOS.

To configure proxy settings for the VPN profile

  1. On the Proxy Settings page of the Create VPN Profile Wizard, select the Configure proxy settings for this VPN profile check box if your VPN connection uses a proxy server.

  2. Specify details about your proxy server and its settings. For more information, see the Windows Server documentation.

On the Configure Automatic VPN connection page of the wizard, you can configure the following settings:

  • Enable VPN on-demand – Select this option if you want to configure further DNS settings on this page of the wizard for Windows Phone 8.1 devices.

  • DNS Suffix list (for Windows Phone 8.1 devices only) – Configures domains that will establish a VPN connection. For each domain you specify, add the DNS suffix, the DNS server address, and one of the following on-demand actions:

    • Never establish – Never open a VPN connection

    • Establish if needed – Only open a VPN connection if the device needs to connect to resources

    • Always establish – Always open the VPN connection

  • Merge – Copies any DNS suffixes you configured into the Trusted network list.

  • Trusted network list (for Windows Phone 8.1 devices only) - Specify one DNS suffix on each line. If the device is in a trusted network, the VPN connection will not be opened.

  • Suffix search list (for Windows Phone 8.1 devices only) - Specify one DNS suffix on each line. Each DNS suffix you specify will be searched when connecting to a website using a short name.

    For example, if you specify the DNS suffixes domain1.contoso.com and domain2.contoso.com and then visit the URL http://mywebsite, the following addresses will be searched:

    • http://mywebsite.domain1.contoso.com

    • http://mywebsite.domain2.contoso.com
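The on-demand rules above can be modelled to check a planned configuration before it is deployed. This is an added example, not Configuration Manager code; the precedence it assumes (a trusted network wins, then the longest matching DNS suffix rule, and no matching rule means the VPN is not opened) and the sample settings are assumptions, not documented behaviour.

```python
# Added example, not Configuration Manager code: models the automatic VPN
# settings above (DNS suffix list with on-demand actions, Merge, Trusted network
# list, Suffix search list). Assumed precedence: a trusted network wins, then the
# longest matching DNS suffix rule; no matching rule means the VPN is not opened.
NEVER, IF_NEEDED, ALWAYS = "Never establish", "Establish if needed", "Always establish"


def matches_suffix(host, suffix):
    host, suffix = host.lower().rstrip("."), suffix.lower().strip(".")
    return host == suffix or host.endswith("." + suffix)


def trusted_networks(settings):
    """Trusted network list, plus the DNS suffix list when Merge is selected."""
    names = list(settings["trusted_networks"])
    if settings["merge"]:
        names += list(settings["suffix_list"])
    return names


def expand_short_name(host, settings):
    """A short name (no dot) is searched with each suffix, in list order."""
    if "." in host:
        return [host]
    return [f"{host}.{s}" for s in settings["suffix_search_list"]]


def vpn_decision(host, connected_dns_suffix, settings):
    """On-demand action for a lookup of `host` from a network whose DNS suffix
    is `connected_dns_suffix`."""
    if any(matches_suffix(connected_dns_suffix, t) for t in trusted_networks(settings)):
        return NEVER                     # in a trusted network: VPN is not opened
    for candidate in expand_short_name(host, settings):
        hits = [s for s in settings["suffix_list"] if matches_suffix(candidate, s)]
        if hits:                         # most specific (longest) suffix decides
            return settings["suffix_list"][max(hits, key=len)]
    return NEVER


# Constructed sample settings (not from a real site). suffix_list maps each DNS
# suffix to its on-demand action; the per-domain DNS server address is omitted.
SAMPLE = {
    "suffix_list": {"corp.contoso.com": ALWAYS,
                    "lab.corp.contoso.com": NEVER,
                    "partner.example": IF_NEEDED},
    "trusted_networks": ["hq.contoso.com"],
    "suffix_search_list": ["domain1.contoso.com", "domain2.contoso.com"],
    "merge": False,
}
```

Running the same hostname with `merge` set to True shows the effect of Merge: once the DNS suffixes are copied into the trusted list, a device already on corp.contoso.com no longer opens the VPN.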

Note

For Windows Phone 8.1 devices only

If the Send all network traffic through the VPN connection option is selected and the VPN connection uses full tunneling, the VPN connection will automatically open for the first profile provisioned on the device. If you want a different profile to automatically open a connection, you must make it the default profile on the device.

If the Send all network traffic through the VPN connection option is not selected and the VPN connection uses split tunneling, a VPN connection can be opened automatically if you configure routes or a connection-specific DNS suffix.

Use the following procedure to specify the supported platforms for the VPN profile.

Supported platforms are the operating systems on which the VPN profile will be installed.

To specify supported platforms for the VPN Profile

  1. On the Supported Platforms page of the Create VPN Profile Wizard, select the operating systems on which the VPN profile will be installed, or click Select all to install the VPN profile on all available operating systems.

On the Summary page of the wizard, review the actions to be taken, and then complete the wizard. The new VPN profile is displayed in the VPN Profiles node in the Assets and Compliance workspace.

For information about how to deploy the VPN profile, see How to Deploy VPN Profiles in Configuration Manager.

© 2015 Microsoft