Applies to: Windows 8, Windows 8.1
Windows Phone 8.1 introduces support for virtual private networks (VPNs), including app-specific VPN capabilities, IPsec, and SSL VPN gateways. The VPN functionality in Windows Phone 8.1 is supported by many major VPN vendors, such as Checkpoint, Dell/SonicWALL, and Juniper, making it easier to add Windows Phone 8.1 devices to corporate networks. In addition, you can configure Windows Phone 8.1 devices using your preferred mobile device management (MDM) solution so that VPN tunnels are automatically initiated by a specific app or location, enabling users to automatically reconnect when needed.
This article will walk you through the new and updated VPN functionality in Windows Phone 8.1, and show you how to configure the VPN functionality manually or using System Center 2012 R2 Configuration Manager.
Windows Phone 8.1 supports two VPN tunneling protocols:
IKEv2 allows Windows Phone 8.1 devices to tolerate interruptions in the underlying VPN connection. If the connection is temporarily lost, or if a user moves from one network to another, IKEv2 will automatically restore the VPN connection after the network connection is reestablished. For more information on IKEv2, please see Internet Key Exchange (IKEv2) Protocol and IP Encapsulating Security Payload (ESP).
For SSL-VPN, the user connects to the network via a web browser. The traffic between the web browser and the Windows Phone 8.1 device is encrypted with the SSL protocol or its successor, the TLS protocol. For more information on SSL and TLS, please see The SSL Protocol Version 3.0 and The Transport Layer Security (TLS) Protocol.
On Windows Phone 8.1, SSL-VPN methods are only supported via proprietary vendor plug-ins. These plug-ins need to be installed on the phone in order to connect to third-party VPN servers using SSL-VPN. Windows Phone 8.1 currently supports the following plug-ins, all of which can be downloaded via the Windows Phone Store.
Windows Phone 8.1 supports two tunneling options:
Authentication methods available for VPN connections in Windows Phone 8.1 are:
For more information on PEAP-MSCHAPv2, please see Protected Extensible Authentication Protocol (PEAP) and Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2). For more information on the EAP-TLS, please see EAP-TLS Authentication Protocol.
Multiple VPN profiles can be configured on a single phone. Profiles can be created and deployed locally on the phone by the user, or remotely via your MDM solution. Unlike locally created profiles, VPN profiles that are created by the MDM server are read-only and cannot be modified.
You can only have one active profile at a time. There are two types of VPN profiles available in Windows Phone 8.1: automatic and manual.
Key behaviors for automatic profiles are as follows:
Key behaviors for manual profiles are as follows:
There are two different methods you can use to set up and deploy VPN profiles to Windows Phone 8.1 devices: manual setup and setup using System Center 2012 R2 Configuration Manager.
Note: If a public key infrastructure (PKI) such as VeriSign is used, no further action needs to be taken, as Windows Phone 8.1 already contains the publicly published certificates. If a private PKI is used, a copy of the Issuing CA certificate for the RADIUS/VPN device's certificate needs to be deployed to the phone.
Note: The subject name of the certificate is the IP address of the external interface on the remote access server, or a regular expression containing a DNS name that resolves to that IP address. If the remote access server is located behind a network address translation (NAT) device, then the IP address or DNS name must be that of the external interface of the NAT device.
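The two notes above describe the conditions under which the phone will accept the gateway certificate: the name in the certificate must match the server address configured in the profile (the NAT device's external address when one is in the path), and the issuing CA must be trusted by the phone. The following pre-deployment check is an added example, not code from the original article or from any Microsoft tool; the GatewayCert fields, CA names and addresses are constructed for illustration, and the check assumes the profile's server address is either a literal IP or a DNS name.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class GatewayCert:
    """Constructed stand-in for the fields of the RADIUS/VPN gateway certificate."""
    subject_cn: str
    san_dns: list = field(default_factory=list)   # Subject Alternative Name DNS entries
    san_ip: list = field(default_factory=list)    # Subject Alternative Name IP entries (strings)
    issuer: str = ""                              # name of the issuing CA

def name_matches(pattern: str, hostname: str) -> bool:
    """DNS-ID match: exact, or a single '*' standing for the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def check_profile(server_address: str, cert: GatewayCert, phone_trusted_cas: set) -> list:
    """Return the problems that would make the phone reject the tunnel; empty means OK.

    server_address is the value the profile will carry: for a gateway behind NAT this
    must be the NAT device's external address, which is what the certificate must name.
    """
    problems = []
    try:
        ip = ipaddress.ip_address(server_address)
        # Address is a literal IP: the cert must carry it as an IP SAN or as the subject CN.
        if str(ip) not in list(cert.san_ip) + [cert.subject_cn]:
            problems.append(f"certificate does not name IP {ip}")
    except ValueError:
        # Address is a DNS name: match against DNS SANs, falling back to the CN.
        names = cert.san_dns or [cert.subject_cn]
        if not any(name_matches(n, server_address) for n in names):
            problems.append(f"certificate does not name host {server_address}")
    # Public PKI roots ship with the phone; a private issuing CA must be deployed explicitly.
    if cert.issuer not in phone_trusted_cas:
        problems.append(f"issuing CA '{cert.issuer}' is not deployed to the phone")
    return problems
```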
To set up a VPN profile manually on a Windows Phone 8.1 device:
To set up a VPN profile via System Center 2012 R2 Configuration Manager: