1
00:00:03,840 --> 00:00:05,810
So now that we have our user tunnel provisioned,

2
00:00:05,810 --> 00:00:09,340
let's move on to deploying our device tunnel.

3
00:00:09,340 --> 00:00:13,440
So here we are, once again, in the Endpoint Manager Management Console.

4
00:00:13,440 --> 00:00:19,040
We're going to navigate to Devices, Configuration profiles.

5
00:00:19,040 --> 00:00:22,890
Once again, we'll click Create profile, and just as before,

6
00:00:22,890 --> 00:00:26,230
we'll select our Windows 10 and later for the platform,

7
00:00:26,230 --> 00:00:32,240
and we'll choose our templates, and we'll also choose VPN.

8
00:00:32,240 --> 00:00:43,440
Click Create, give this a name.

9
00:00:43,440 --> 00:00:48,110
And here, we're going to select Device from the drop‑down list,

10
00:00:48,110 --> 00:00:51,480
and our connection type here has to be IKEv2.

11
00:00:51,480 --> 00:00:55,140
Remember, IKEv2 is the only supported protocol for the device tunnel.

12
00:00:55,140 --> 00:00:57,230
So if you're setting up a device‑based connection,

13
00:00:57,230 --> 00:01:00,140
then we must use the IKEv2 protocol.

14
00:01:00,140 --> 00:01:04,280
Expand Base VPN, provide a name for the connection,

15
00:01:04,280 --> 00:01:06,510
and again, this is much like the user tunnel.

16
00:01:06,510 --> 00:01:18,340
This is the name as it appears in the UI on your Windows endpoints.

17
00:01:18,340 --> 00:01:28,540
And once again, write a description, enter the public FQDN of the server again,

18
00:01:28,540 --> 00:01:31,610
select it as the default server, and in this case,

19
00:01:31,610 --> 00:01:34,620
I'm going to register my IP address with internal DNS

20
00:01:34,620 --> 00:01:36,640
because this is a device‑based connection,

21
00:01:36,640 --> 00:01:39,720
so I'm using it in combination with a user tunnel,

22
00:01:39,720 --> 00:01:43,140
so this is the tunnel that I want to register, Always On,

23
00:01:43,140 --> 00:01:45,270
of course, remember credentials.

24
00:01:45,270 --> 00:01:48,340
We don't need that because we're using certificate authentication.

25
00:01:48,340 --> 00:01:53,640
The Authentication method here now is Machine Certificates.

26
00:01:53,640 --> 00:01:57,990
Now it's going to prompt you for an authentication certificate here,

27
00:01:57,990 --> 00:02:00,230
you can actually safely ignore this.

28
00:02:00,230 --> 00:02:02,950
As long as the certificate is already deployed on the machine,

29
00:02:02,950 --> 00:02:05,240
there is no point in doing anything here.

30
00:02:05,240 --> 00:02:06,590
So you can ignore that.

31
00:02:06,590 --> 00:02:10,140
This is a device tunnel, of course, so we're going to choose Enable,

32
00:02:10,140 --> 00:02:14,140
and here, you'll notice that we have some IKE SA,

33
00:02:14,140 --> 00:02:18,540
or security association, parameters, so we need to choose these carefully.

34
00:02:18,540 --> 00:02:22,100
They need to match exactly what we defined on our server.

35
00:02:22,100 --> 00:02:23,920
So if you'll recall,

36
00:02:23,920 --> 00:02:33,510
we were using GCM‑AES‑128 and SHA‑256, and the DH group was 14,

37
00:02:33,510 --> 00:02:36,390
so those are our main mode SA parameters.

38
00:02:36,390 --> 00:02:40,890
For our child mode, or our quick mode, parameters,

39
00:02:40,890 --> 00:02:50,740
once again, using GCM‑AES‑128 and GCM‑AES‑128 again,

40
00:02:50,740 --> 00:02:57,830
and our PFS, if you recall, was ECP 256 when we defined that on the VPN tunnel,

41
00:02:57,830 --> 00:03:02,740
that is, technically speaking, DH group 19.

42
00:03:02,740 --> 00:03:06,470
So we'll go to the DNS settings, and much like we did with the user tunnel,

43
00:03:06,470 --> 00:03:14,740
supply our DNS suffix, select Split tunneling,

44
00:03:14,740 --> 00:03:19,860
and choose Enable, add our IPv4 prefix here.

45
00:03:19,860 --> 00:03:24,410
And remember, on the device tunnel, from our conversations earlier in this course,

46
00:03:24,410 --> 00:03:28,570
we don't typically use broad subnets when we're

47
00:03:28,570 --> 00:03:30,650
defining our device tunnel connections.

48
00:03:30,650 --> 00:03:33,360
On our device tunnel, we want to provide limited access.

49
00:03:33,360 --> 00:03:34,240
Remember,

50
00:03:34,240 --> 00:03:37,140
the device tunnel is really only there to provide pre‑logon

51
00:03:37,140 --> 00:03:40,790
connectivity to support things like logging on without,

52
00:03:40,790 --> 00:03:41,750
with cached credentials.

53
00:03:41,750 --> 00:03:45,260
So in this scenario, I'm not going to add,

54
00:03:45,260 --> 00:03:50,910
you know, /8 or /12 or /16 networks, I'm actually going to add /32s,

55
00:03:50,910 --> 00:03:52,070
which are host routes.

56
00:03:52,070 --> 00:03:56,630
So I want to restrict the VPN device tunnel to my domain controller,

57
00:03:56,630 --> 00:04:02,940
in this case, so I'll put in that IP address here,

58
00:04:02,940 --> 00:04:08,440
and then the prefix size is 32, meaning a host route.

59
00:04:08,440 --> 00:04:12,700
And if you have more than one domain controller, you can certainly put those in.

60
00:04:12,700 --> 00:04:17,510
If you have other servers that you want to be reachable over the device tunnel,

61
00:04:17,510 --> 00:04:19,610
you can add those as well.

62
00:04:19,610 --> 00:04:23,950
Those could be SCCM distribution point servers,

63
00:04:23,950 --> 00:04:27,840
they could be other system update or patch management servers,

64
00:04:27,840 --> 00:04:29,880
any number of servers you want,

65
00:04:29,880 --> 00:04:32,440
it could even be a management workstation and so forth.

66
00:04:32,440 --> 00:04:35,000
So you would enter those IP addresses here.

67
00:04:35,000 --> 00:04:37,450
So we'll choose Trusted network detection,

68
00:04:37,450 --> 00:04:42,860
and once again, put in our DNS suffix.

69
00:04:42,860 --> 00:04:50,540
We'll choose Next, and click Add groups,

70
00:04:50,540 --> 00:05:00,640
and let's find our VPN Devices group, click Select, Next.

71
00:05:00,640 --> 00:05:04,840
I'll skip the applicability rules, we'll choose Next,

72
00:05:04,840 --> 00:05:11,250
and then click Create, and once again, our profile has been created.

73
00:05:11,250 --> 00:05:29,000
So let's go back and review, (Working) and you'll see we now have a device‑based connection, or a device tunnel, provisioned.