Overview of Microsoft Tunnel
Microsoft Tunnel Gateway installs into a container that runs on a Linux server. The Linux server can be a physical box in your on-premises environment or a virtual machine that runs on-premises or in the cloud. You'll deploy Microsoft Defender for Endpoint as the Microsoft Tunnel client app, together with Intune VPN profiles, to your iOS and Android devices to enable them to use the tunnel to connect to corporate resources. When the tunnel is hosted in the cloud, you'll need a solution like Azure ExpressRoute to extend your on-premises network to the cloud.
Through the Microsoft Endpoint Manager admin center, you’ll:
Download the Microsoft Tunnel installation script that you’ll run on the Linux servers.
Configure aspects of Microsoft Tunnel Gateway like IP addresses, DNS servers, and ports.
Deploy VPN profiles to devices to direct them to use the tunnel.
Deploy the Microsoft Tunnel client apps to your devices.
Through the Defender for Endpoint app, iOS/iPadOS and Android Enterprise devices:
Use Azure Active Directory (Azure AD) to authenticate to the tunnel.
Use Active Directory Federation Services (AD FS) to authenticate to the tunnel.
Are evaluated against your Conditional Access policies. If the device isn’t compliant, then it won’t have access to your VPN server or your on-premises network.
You can install multiple Linux servers to support Microsoft Tunnel, and combine servers into logical groups called Sites. Each server can join a single Site. When you configure a Site, you’re defining a connection point for devices to use when they access the tunnel. Sites require a Server configuration that you’ll define and assign to the Site. The Server configuration is applied to each server you add to that Site, simplifying the configuration of more servers.
To direct devices to use the tunnel, you create and deploy a VPN policy for Microsoft Tunnel. This policy is a device configuration VPN profile that uses Microsoft Tunnel for its connection type.
Features of the VPN profiles for the tunnel include:
A friendly name for the VPN connection that your end users will see.
The site that the VPN client connects to.
Per-app VPN configurations that define which apps the VPN profile is used for, and if it's always-on or not. When always-on, the VPN will automatically connect and is used only for the apps you define. If no apps are defined, the always-on connection provides tunnel access for all network traffic from the device.
Manual connections to the tunnel when a user launches the VPN and selects Connect.
On-demand VPN rules that allow use of the VPN when conditions are met for specific FQDNs or IP addresses. (iOS/iPadOS)
Proxy support (iOS/iPadOS, Android 10+)
Server configurations include:
IP address range – The IP addresses that are assigned to devices that connect to Microsoft Tunnel.
DNS servers – The DNS servers that devices should use when they connect to the server.
DNS suffix search.
Split tunneling rules – Up to 500 rules shared across include and exclude routes. For example, if you create 300 include rules, you can then have up to 200 exclude rules.
Port – The port that Microsoft Tunnel Gateway listens on.
Site configuration includes:
A public IP address or FQDN, which is the connection point for devices that use the tunnel. This address can be for an individual server or the IP or FQDN of a load-balancing server.
The Server configuration that is applied to each server in the Site.
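The Server configuration and Site configuration lists above name the settings an administrator fills in, and the overview states one concrete constraint on them: the 500-rule budget shared by split-tunnel include and exclude routes. The script below is an added example, not Microsoft's code or the Intune API; it models those settings as hypothetical Python dataclasses and checks them offline before they are entered in the admin center (valid CIDR pool, DNS server addresses, port range, the shared rule budget, prefixes listed on both sides, and a Site connection point that is an IP or FQDN). The sample Site it builds is constructed for the example and reuses the overview's own case of 300 include rules plus 200 exclude rules.

```python
"""Added example: sanity-check a Microsoft Tunnel Server configuration and Site
definition against the constraints described in the overview. The dataclasses are
hypothetical models, not the Intune API or Tunnel Gateway's own code."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

MAX_SPLIT_TUNNEL_RULES = 500   # include + exclude combined, per the overview
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")


@dataclass
class ServerConfig:
    """Hypothetical model of the Server configuration fields the overview lists."""
    name: str
    ip_address_range: str                  # CIDR pool assigned to connecting devices
    dns_servers: List[str]
    dns_suffix_search: List[str] = field(default_factory=list)
    include_routes: List[str] = field(default_factory=list)   # split-tunnel include rules
    exclude_routes: List[str] = field(default_factory=list)   # split-tunnel exclude rules
    port: int = 443                        # port Tunnel Gateway listens on


@dataclass
class Site:
    """Hypothetical model of a Site: public connection point plus its Server configuration."""
    name: str
    public_address: str                    # IP or FQDN of a server or a load balancer
    server_config: ServerConfig


def validate_server_config(cfg: ServerConfig) -> List[str]:
    """Return a list of problems; an empty list means the configuration passes."""
    errors = []
    try:
        pool = ipaddress.ip_network(cfg.ip_address_range, strict=True)
        if pool.num_addresses < 4:
            errors.append(f"ip_address_range {cfg.ip_address_range} is too small for device addresses")
    except ValueError:
        errors.append(f"ip_address_range {cfg.ip_address_range!r} is not a valid CIDR network")

    if not cfg.dns_servers:
        errors.append("at least one DNS server should be configured")
    for dns in cfg.dns_servers:
        try:
            ipaddress.ip_address(dns)
        except ValueError:
            errors.append(f"DNS server {dns!r} is not an IP address")

    if not 1 <= cfg.port <= 65535:
        errors.append(f"port {cfg.port} is outside 1-65535")

    # Split tunneling: one budget of 500 rules shared by include and exclude routes.
    total = len(cfg.include_routes) + len(cfg.exclude_routes)
    if total > MAX_SPLIT_TUNNEL_RULES:
        errors.append(f"{total} split-tunnel rules ({len(cfg.include_routes)} include + "
                      f"{len(cfg.exclude_routes)} exclude) exceed the shared limit of "
                      f"{MAX_SPLIT_TUNNEL_RULES}")
    for kind, routes in (("include", cfg.include_routes), ("exclude", cfg.exclude_routes)):
        for route in routes:
            try:
                ipaddress.ip_network(route, strict=False)
            except ValueError:
                errors.append(f"{kind} route {route!r} is not a valid prefix")
    # A prefix listed as both include and exclude is ambiguous; flag it.
    for dup in sorted(set(cfg.include_routes) & set(cfg.exclude_routes)):
        errors.append(f"route {dup} appears in both include and exclude rules")
    return errors


def validate_site(site: Site) -> List[str]:
    """Check the Site's connection point, then the Server configuration it applies."""
    errors = []
    addr = site.public_address
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        if not FQDN_RE.match(addr):
            errors.append(f"public address {addr!r} is neither an IP address nor an FQDN")
    errors.extend(f"{site.server_config.name}: {e}"
                  for e in validate_server_config(site.server_config))
    return errors


def build_sample_site(extra_exclude_rules: int = 0) -> Site:
    """Constructed sample: 300 include + 200 exclude rules (the overview's example of a
    full 500-rule budget); extra_exclude_rules > 0 pushes it over the limit."""
    include = [f"10.{i // 256}.{i % 256}.0/24" for i in range(300)]
    exclude = [f"192.168.{i}.0/24" for i in range(200 + extra_exclude_rules)]
    cfg = ServerConfig(name="corp-tunnel", ip_address_range="172.16.0.0/24",
                       dns_servers=["10.0.0.53"], dns_suffix_search=["corp.example"],
                       include_routes=include, exclude_routes=exclude, port=443)
    return Site(name="HQ", public_address="tunnel.corp.example", server_config=cfg)


if __name__ == "__main__":
    for problem in validate_site(build_sample_site(extra_exclude_rules=1)):
        print("problem:", problem)
```

Running the script reports the single problem in the over-budget sample (501 split-tunnel rules); with `extra_exclude_rules=0` the 300 + 200 rule set passes, matching the overview's statement that 300 include rules leave room for up to 200 exclude rules.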
To learn more about other Microsoft topics, such as Microsoft SIP for Teams or HIPAA-compliant email, visit O365CloudExperts.