All right, moving on to the next demonstration. Let's deploy a user tunnel using Intune.

So to provision our Always On VPN device configuration profiles using Intune, we're going to open our web browser and navigate to endpoint.microsoft.com. Once we're there, we'll click on Devices in the navigation tree here. And then we'll click on Configuration profiles, and then click Create profile. For the platform, we will select Windows 10 and later. For Select profile type, we'll choose Templates, and we will choose the VPN template. And once that's done, you can click Create.

So let's provide a descriptive name here, and this is the name as it appears in Intune, not on the endpoint. We'll get to that shortly. So we can call this whatever it is that we want. You can provide a description if you like. I'm going to go ahead and choose Next. And then we need to select whether this is a User or a Device-based connection. In this case, we're going to select User. From the Connection type drop-down list, there's a handful of choices that you have to make here. Most of these here are third-party clients.
The ones that we're interested in specifically here are the Native types, and interestingly, what you'll find here is that there is no SSTP. You'll see that we have a bunch of different protocols here including Automatic, but we don't have one that says specifically SSTP. And that's fine because Automatic is de facto SSTP. It really is SSTP because Automatic prefers SSTP. So when we want to deploy an SSTP-based connection, we'll choose Automatic there.

So next, we'll expand Base VPN, and we'll give this connection a name. And this is the name as it appears in Windows, so choose your name here carefully.

So next, we'll supply the name of our VPN server, and we need to first provide a description. And then we'll enter the public FQDN, or hostname, of our VPN server and select True for the Default server. And by the way, if you have more than one server, this is not the place to actually do this. This does not work as you would expect. You can't have multiple servers here and have it just automatically fall back to that. We will certainly talk at length about that when we get to the module covering high availability. Anyway, so moving on.
We want to Register IP addresses with internal DNS, and this is optional. If this is a user tunnel and you want to be able to manage your devices remotely from the internal or the on-premises network, then you should be able to register those VPN client IP addresses internally, but there's a caveat. If you're going to do both device and user-based connections, you should only pick one, and you should pick the device-based connection. In this case, since we're going to use both user tunnels and device tunnels, I'm only going to configure internal DNS registration on the device tunnel. So I'm going to leave this set to Disable. But if you're just doing a user tunnel only, you certainly can enable this here.

Do we want to enable Always On? Of course. This is a course about Always On VPN, so we want to select Always On there. Remember credentials: since we're using certificates, we don't want to do that, so we'll select Not configured. For our Authentication method, we're going to use Derived credential, so select that from the list. And here in this EAP XML field, this is where you will paste the content from the XML file that we exported in the previous lesson.
You'll recall that we ran the PowerShell module, or the PowerShell command, Get-EapConfiguration. It produced a file. Open that file with Notepad, put it on your clipboard, and we'll just paste that right in here.

Next, we'll expand the DNS Settings. And here we want to enter our DNS suffix for our internal domain, so this is your internal or on-premises Active Directory domain name. We're not going to define the NRPT, or the Name Resolution Policy Table, just yet. We're going to talk about that in the next module. So for now, we're going to leave this empty.

So expand Split tunneling. If you are planning to do force tunneling, there's nothing to do here, but if you're following best practices and using split tunneling, then select Enable. And here we're going to define our internal routes. So we'll enter our first IPv4 address here, and we'll include our Prefix size here as well. Now, unfortunately, we are unable to use IPv6 in this particular UI. Today, as it stands, as we're recording this, there is a validation bug in the UI that prevents us from entering the IPv6 prefixes correctly. I'll show that to you just so that you can see what it looks like.
So let's enter our IPv6 prefix here, and here you'll see that the UI complains that the value must be between 1 and 32. Quite clearly, this is expecting an IPv4 address here because 32 is the longest subnet length in IPv4. The standard subnet length in IPv6 is 64, and in this case, I'm actually routing the entire /48, which is a site prefix for this particular location. I'm actually sending that over this tunnel, and so it doesn't allow me to do that. So unfortunately, this is broken. If you're doing IPv6, there's another way to do that. We'll see that in the next lesson.

Moving on to Trusted network detection. Trusted Network Detection is basically a feature of Always On VPN that prevents the VPN from connecting automatically if it's on your internal network. There's no point in establishing an Always On VPN connection if you're already on the same LAN connected to those resources, right? So in this scenario, we need to tell it what our trusted network is, and it basically works by matching the DNS suffix that's assigned by DHCP on the internal network.
So if you get a DNS suffix that matches what the administrator inputs here, then the connection will not start. And this is most commonly your Active Directory domain name, but it could be something else. And of course, if you have multiple internal DNS suffixes, you certainly can add those here. So once that's done, go ahead and click Next.

And now we're going to assign it to a group, so I'm going to click Add groups. And I'm going to find my VPN Users group, select that, and click OK. And once that's done, we'll choose Next. And if you choose to use Applicability Rules, you certainly can do that. I don't, but I'll go ahead and choose Next. And at this point, I can click Create. And now the profile has been created. If I go back to my Devices and Configuration profiles, you will see I have an Always On VPN User Tunnel here. And now this VPN profile will be pushed out to anyone who is in the Always On VPN Users group.