1 00:00:01,540 --> 00:00:03,430 So let's move on with the next demonstration, 2 00:00:03,430 --> 00:00:08,440 and we'll enable the Name Resolution Policy Table. 3 00:00:08,440 --> 00:00:10,810 So here in the Endpoint Manager admin center, 4 00:00:10,810 --> 00:00:14,360 I'm going to click on our Always On VPN User Tunnel that we 5 00:00:14,360 --> 00:00:17,000 created previously using the VPN profile type. 6 00:00:17,000 --> 00:00:25,360 And here I'm going to scroll down to the Configuration settings and click edit, 7 00:00:25,360 --> 00:00:28,900 and you'll find the NRPT settings under the DNS section. 8 00:00:28,900 --> 00:00:31,340 So we'll expand DNS Settings, 9 00:00:31,340 --> 00:00:34,860 and here you'll see that we already have our DNS suffix defined. 10 00:00:34,860 --> 00:00:38,680 But in this case, the NRPT has not been configured. 11 00:00:38,680 --> 00:00:42,340 So I'm going to go ahead and add a rule by clicking Add, 12 00:00:42,340 --> 00:00:44,890 and here I'm going to specify a domain name. 13 00:00:44,890 --> 00:00:50,350 And you'll notice that I included a leading dot. 14 00:00:50,350 --> 00:00:54,320 So if I were just to put in lab.richardhicks.net, 15 00:00:54,320 --> 00:00:56,030 even though that's my internal namespace, 16 00:00:56,030 --> 00:00:58,440 this is technically speaking a hostname. 17 00:00:58,440 --> 00:01:01,840 If I add the leading dot, or the preceding dot, 18 00:01:01,840 --> 00:01:04,100 this now delineates this as a namespace. 19 00:01:04,100 --> 00:01:10,520 So anything in the .lab.richardhicks.net namespace would apply to this rule, 20 00:01:10,520 --> 00:01:13,530 and then I would supply my VPN servers here, 21 00:01:13,530 --> 00:01:14,480 so I'll do that now. 22 00:01:14,480 --> 00:01:19,930 And you can supply more than one DNS server, of course. 23 00:01:19,930 --> 00:01:22,290 I just have one in my lab, so I'm going to leave it at that. 
24 00:01:22,290 --> 00:01:25,490 Here is where you would define that proxy server setting. 25 00:01:25,490 --> 00:01:30,520 Again, this is only going to be used if you're using Internet Explorer. 26 00:01:30,520 --> 00:01:34,490 IE is the only browser that will recognize this setting. 27 00:01:34,490 --> 00:01:36,720 All other browsers will simply ignore it. 28 00:01:36,720 --> 00:01:39,230 So if you want, you can put a proxy server here, 29 00:01:39,230 --> 00:01:42,140 but it's probably not going to be of much help for you. 30 00:01:42,140 --> 00:01:46,120 We'll leave the Automatically Connect setting to Not configured because this is 31 00:01:46,120 --> 00:01:49,970 really only applicable for non‑Always On VPN connections. 32 00:01:49,970 --> 00:01:53,050 Our Always On VPN connection is, of course, always on. 33 00:01:53,050 --> 00:01:55,400 And there's no need to make this persistent. 34 00:01:55,400 --> 00:01:56,640 I leave this Not configured. 35 00:01:56,640 --> 00:01:58,650 If you set this to persistent, 36 00:01:58,650 --> 00:02:02,760 this policy will remain in place when the VPN is not connected, 37 00:02:02,760 --> 00:02:04,680 and that's not the behavior that we want. 38 00:02:04,680 --> 00:02:08,740 We only want this behavior to be enabled when the VPN tunnel is established. 39 00:02:08,740 --> 00:02:15,310 So we'll click Save, and then we'll review and save our configuration. 40 00:02:15,310 --> 00:02:17,000 Save it. 41 00:02:17,000 --> 00:02:21,510 And that's it. 42 00:02:21,510 --> 00:02:22,670 The profile has been saved. 43 00:02:22,670 --> 00:02:26,610 And at this point, the clients will get an updated configuration at some point, 44 00:02:26,610 --> 00:02:27,640 and you'll be able to see that. 45 00:02:27,640 --> 00:02:31,040 So let's go take a look at what that looks like on the endpoint. 
46 00:02:31,040 --> 00:02:34,010 So once the endpoint has synchronized with Intune and 47 00:02:34,010 --> 00:02:37,480 gotten the new updated policy configuration, 48 00:02:37,480 --> 00:02:39,850 let's take a quick look and see what that looks like. 49 00:02:39,850 --> 00:02:47,180 So if I run Get-NetIPConfiguration on my endpoint, the one thing 50 00:02:47,180 --> 00:02:50,750 you'll notice is that for our Always On VPN interface, 51 00:02:50,750 --> 00:02:57,170 the DNS server here is still showing as 172.16.0.200, which is the DNS 52 00:02:57,170 --> 00:03:01,170 server assigned to the internal interface of our VPN server. 53 00:03:01,170 --> 00:03:05,630 So it's important to know that the Name Resolution Policy Table does not 54 00:03:05,630 --> 00:03:10,710 overwrite this setting. The VPN adapter still has the setting or the DNS 55 00:03:10,710 --> 00:03:13,710 server that was given to it by the VPN server. 56 00:03:13,710 --> 00:03:14,780 However, 57 00:03:14,780 --> 00:03:17,690 the Name Resolution Policy Table simply overrides 58 00:03:17,690 --> 00:03:20,440 this, so let's take a look at that. 59 00:03:20,440 --> 00:03:23,640 So the PowerShell command to view the Name Resolution Policy Table 60 00:03:23,640 --> 00:03:30,370 is Get-DnsClientNrptPolicy, and you'll see it returns a bunch of 61 00:03:30,370 --> 00:03:32,840 information. If we scroll to the top, 62 00:03:32,840 --> 00:03:35,850 you'll see here is our defined namespace. This is what we 63 00:03:35,850 --> 00:03:39,870 defined in the configuration. And you'll see now that our name 64 00:03:39,870 --> 00:03:47,040 server here is listed as 172.16.0.222, which is what we did in the demonstration. 
65 00:03:47,040 --> 00:03:48,690 So in this scenario, 66 00:03:48,690 --> 00:03:55,350 even though the VPN interface has a DNS server of 172.16.0.200, any name 67 00:03:55,350 --> 00:04:01,210 queries for names in this namespace will be sent to this very specific DNS 68 00:04:01,210 --> 00:04:05,160 server. You'll also notice that Windows adds a few different entries here 69 00:04:05,160 --> 00:04:09,460 for LDAP, ISATAP, and WPAD and so forth. 70 00:04:09,460 --> 00:04:13,870 And this is added by default just to kind of make sure that if the 71 00:04:13,870 --> 00:04:19,400 administrator has defined a specific DNS server for a namespace, it's likely 72 00:04:19,400 --> 00:04:22,760 that that namespace is also going to be used for other things, 73 00:04:22,760 --> 00:04:24,640 other system services and things like that. 74 00:04:24,640 --> 00:04:26,800 So that's added for you by default. You don't have to 75 00:04:26,800 --> 00:04:29,040 go and add those things yourself. 76 00:04:29,040 --> 00:04:31,830 If you're interested in deploying these settings, 77 00:04:31,830 --> 00:04:36,030 the Name Resolution Policy Table settings, using XML, 78 00:04:36,030 --> 00:04:41,640 you'll include the code shown here in your XML. Let me 79 00:04:41,640 --> 00:04:43,420 demonstrate that for you real quick. 80 00:04:43,420 --> 00:04:47,140 So let's open our XML file here. 81 00:04:47,140 --> 00:04:50,840 And just to show you where this setting is defined here, 82 00:04:50,840 --> 00:04:54,520 it is in the DomainNameInformation element. 83 00:04:54,520 --> 00:04:55,020 Again, 84 00:04:55,020 --> 00:04:59,480 you can find this in the VPNv2 CSP reference, but here I've 85 00:04:59,480 --> 00:05:01,850 included the element DomainNameInformation, 86 00:05:01,850 --> 00:05:05,340 the DomainName, and the DnsServers. 87 00:05:05,340 --> 00:05:09,060 You can use multiple domain names, but they should 88 00:05:09,060 --> 00:05:11,640 be defined as separate elements. 
89 00:05:11,640 --> 00:05:16,740 And so what that would look like was more than one of these blocks. 90 00:05:16,740 --> 00:05:19,010 If you have another domain to add, 91 00:05:19,010 --> 00:05:22,160 it would be another DomainNameInformation, DomainName 92 00:05:22,160 --> 00:05:26,020 corp.richardhicks.net, the DnsServers /DomainName. 93 00:05:26,020 --> 00:05:28,140 So you could have multiple blocks here. 94 00:05:28,140 --> 00:05:30,970 If you need to add multiple DNS servers, you can do that. 95 00:05:30,970 --> 00:05:42,000 That's a comma‑separated list. So I would just simply add another DNS server if I needed to do so.