
Try it out: Windows Phone 8.1 VPN

Applies to: Windows 8, Windows 8.1

Windows Phone 8.1 introduces support for virtual private networks (VPNs), including app-specific VPN capabilities, IPsec, and SSL VPN gateways. The VPN functionality in Windows Phone 8.1 is supported by many major VPN vendors, such as Checkpoint, Dell/SonicWALL, and Juniper, making it easier to add Windows Phone 8.1 devices to corporate networks. In addition, you can configure Windows Phone 8.1 devices using your preferred mobile device management (MDM) solution so that VPN tunnels are automatically initiated by a specific app or location, enabling users to automatically reconnect when needed.

This article will walk you through the new and updated VPN functionality in Windows Phone 8.1, and show you how to configure the VPN functionality manually or using System Center 2012 R2 Configuration Manager.

VPN tunneling protocols

Windows Phone 8.1 supports two VPN tunneling protocols:

  • IKEv2 - Supported natively
  • SSL-VPN - Supported for third-party servers via a plug-in model


IKEv2 allows Windows Phone 8.1 devices to tolerate interruptions in the underlying VPN connection. If the connection is temporarily lost, or if a user moves from one network to another, IKEv2 will automatically restore the VPN connection after the network connection is reestablished. For more information on IKEv2, please see Internet Key Exchange (IKEv2) Protocol and IP Encapsulating Security Payload (ESP).


For SSL-VPN, the user connects to the network via a web browser. The traffic between the web browser and the Windows Phone 8.1 device is encrypted with the SSL protocol or its successor, the TLS protocol. For more information on SSL and TLS, please see The SSL Protocol Version 3.0 and The Transport Layer Security (TLS) Protocol.

On Windows Phone 8.1, SSL-VPN methods are only supported via “proprietary” vendor plug-ins. These plug-ins need to be installed on the phone in order to connect to third-party VPN servers using SSL-VPN. Windows Phone 8.1 currently supports the following plug-ins, all of which can be downloaded via the Windows Phone Store.

  • Juniper Networks JunOS Pulse VPN
  • SonicWall MobileConnect VPN
  • F5 Networks VPN
  • Checkpoint Mobile VPN


VPN tunneling options

Windows Phone 8.1 supports two tunneling options:

  • Split tunneling - Internet traffic is not passed through the VPN server.
  • Forced tunneling - Internet traffic is passed through the VPN server.

VPN authentication methods

Authentication methods available for VPN connections in Windows Phone 8.1 are:

  • PEAP-MSCHAPv2 (password-based)
  • EAP-TLS (certificate-based)

For more information on PEAP-MSCHAPv2, please see Protected Extensible Authentication Protocol (PEAP) and Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2). For more information on EAP-TLS, please see EAP-TLS Authentication Protocol.

VPN profile types

Multiple VPN profiles can be configured on a single phone. Profiles can be created and deployed locally on the phone by the user, or remotely via your MDM solution. Unlike locally created profiles, VPN profiles that are created by the MDM server are read-only and cannot be modified.

You can only have one active profile at a time. There are two types of VPN profiles available in Windows Phone 8.1: automatic and manual.

Automatic VPN profile

Key behaviors for automatic profiles are as follows:

  • VPN connection lifecycle is tied to corporate applications and network requests to protected/corporate resources.
    • If the app is terminated, the VPN connection is closed.
    • If an app or network request to a protected/corporate resource is received, the VPN connection will be reopened.
  • VPN connection will close if the networking stack has not seen VPN protected traffic for 30 seconds (timeout interval) or more.

Manual VPN profile

Key behaviors for manual profiles are as follows:

  • VPN connection lifecycle is tied to the user/MDM server. 
    • VPN connection will not close until the user/MDM server sends a request to do so.
    • VPN connection remains on even when the phone goes to sleep or enters a low power state. There is no timeout request for a manual profile.
  • VPN connection will follow network transitions. When waking up from sleep mode, if the phone has moved from a cellular connection to a Wi-Fi connection, the VPN connection will transition accordingly. The same applies when moving from Wi-Fi to cellular.

Set up a VPN profile

There are two different methods you can use to set up and deploy VPN profiles to Windows Phone 8.1 devices: manual setup and setup using System Center 2012 R2 Configuration Manager.

Note: If a public key infrastructure (PKI) such as Verisign is used, no further action needs to be taken as Windows Phone 8.1 contains the publicly published certificates. If a private PKI is used, a copy of the Issuing CA of the RADIUS/VPN device's certificate needs to be deployed to the phone.

Note: The subject name of the certificate is the IP address of the external interface on the remote access server, or a regular expression containing a DNS name that resolves to that IP address. If the remote access server is located behind a network address translation (NAT) device, then the IP address or DNS name must be that of the external interface of the NAT device.
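
The subject-name rule in the note above can be checked before a profile is deployed. The following Python sketch is an added example, not part of the original article or any Microsoft tooling. It takes the names already read from the server certificate and tests each against the external (or NAT) address. The function names, host names and addresses are hypothetical, and it handles only exact DNS names, not patterns.

```python
import ipaddress
import socket

# RFC 1918 ranges: one of these in the certificate usually means the internal
# interface was used instead of the external interface of the NAT device.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _as_ip(value):
    """Return an ip_address object for an IP literal, or None for a DNS name."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def system_resolve(name):
    """Default resolver: look the name up with the system resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def check_subject_names(cert_names, external_ip, resolve=system_resolve):
    """Return (ok, findings); ok is True if any name is the external IP
    or a DNS name that resolves to it."""
    target = ipaddress.ip_address(external_ip)
    findings = []
    for name in cert_names:
        ip = _as_ip(name)
        if ip is not None:
            if ip == target:
                verdict = "match"
            elif any(ip in net for net in RFC1918):
                verdict = "internal-address"   # likely the pre-NAT address
            else:
                verdict = "mismatch"
        else:
            resolved = {_as_ip(a) for a in resolve(name)} - {None}
            if not resolved:
                verdict = "unresolved"
            else:
                verdict = "match" if target in resolved else "mismatch"
        findings.append((name, verdict))
    return any(v == "match" for _, v in findings), findings

# Constructed sample data (documentation address ranges, hypothetical names).
SAMPLE_DNS = {"vpn.example.com": ["203.0.113.10"],
              "old-vpn.example.com": ["198.51.100.7"]}

def sample_resolve(name):
    return SAMPLE_DNS.get(name, [])

if __name__ == "__main__":
    for names in (["vpn.example.com"], ["10.0.0.5"], ["old-vpn.example.com"]):
        print(check_subject_names(names, "203.0.113.10", sample_resolve))
```

An "internal-address" verdict corresponds to the NAT case in the note: the certificate names the server's own interface rather than the external interface of the NAT device.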

Manual setup

To set up a VPN profile manually on a Windows Phone 8.1 device:

  1. Go to Settings. Select VPN. Turn on the VPN status. Select + to add/create a new profile.

  2. Enter the server name or IP address. Select IKEv2. To utilize SSL-VPN, select the link shown and download a third-party plugin.
  3. For a password-based VPN, select user name+password. Enter the necessary details. Toggle the desired settings. To input more details, select Advanced. Select Save.

  4. For a certificate-based VPN, select certificate. Choose the desired certificate. Toggle the desired settings. Enter the necessary details. To view the selected certificate details, select details.

  5. When setting up a certificate-based VPN, the first certificate that is selected under Connect is used for establishing the VPN connection.
  6. If the Server certificate validation option is enabled, an option will be provided to select another certificate. This certificate will be used for the VPN authentication process after the connection has been established.
  7. To input more details, select Advanced. Select Save. The automatic VPN profile has now been created. To make changes or view details on the profile, click and hold the profile. To switch to a manual profile, select Switch to Manual.

Set up VPN using System Center 2012 R2 Configuration Manager

To set up a VPN profile via System Center 2012 R2 Configuration Manager:

  1. Select Assets and Compliance. In the tab, select Compliance Settings > Company Resources Access. Select Create VPN Profile.

  2. Fill in the desired name and description. Select Next.

  3. Select the desired connection type. Select Add… to add or edit a VPN server. Select OK. Toggle the desired settings. Select Next.

  4. Select the desired authentication method. Note that EAP-TLS is coded as Smart Card or other certificate in SCCM. Select Configure… to configure additional settings. Select Next.

  5. Configure the desired proxy settings. Select Next.

  6. Configure the desired Automatic VPN connection. Select Next.

  7. Select the desired platforms that will be provisioned. Select Next.

  8. Select Next twice, then select Finish to complete the creation of the VPN profile. Select Deploy to deploy the VPN profile to the desired devices.

