Windows VPN Configuration

Virtual Private Networks, aka VPN, help organizations provide secure access to corporate resources that are behind a firewall. In most organizations, business-critical information, assets, and resources are often behind a firewall and not accessible over a public network. VPN software helps employees access this data from their devices irrespective of the network that they are in.

If your organization is using a VPN, then it becomes important to be able to configure a VPN on the corporate devices and/or employee/personal devices that are used to access the corporate data. Scalefusion provides the necessary mechanisms to remotely configure the VPN and publish to the Windows devices managed by Scalefusion.

The document below explains how to configure VPN settings on managed Windows devices.

Minimum Requirements for VPN

Let us first understand what are the basic requirements in order to configure VPN from the Scalefusion Dashboard,

1. Enrolled Windows device

How Does it Work?

1. Devices use a VPN connection profile to start a connection with the VPN server.  
2. VPN profiles assign VPN settings to devices in the organization so that they can easily and securely connect to the organizational network.

How to Configure VPN Service?

Here are a few reference links to understand how to configure them on the devices,

1. CSP Reference - https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp
2. EAP Configuration - https://docs.microsoft.com/en-us/windows/client-management/mdm/eap-configuration
3. Third-Party/Plugin type links
   1. Pulse Secure
   2. SonicWall Mobile Connect
   3. Check Point Capsule VPN
   4. F5 Access/F5 VPN Client

Which VPN types do we support?

We support the following VPN connection types

NativeProtocolType

1. PPTP
2. L2TP
3. IKEv2
4. Automatic

Third-Party/Plugin type

1. Pulse Secure
2. SonicWall Mobile Connect
3. Check Point Capsule VPN
4. F5 Access/F5 VPN Client

Configuration

1. Login to Scalefusion Dashboard
2. Navigate to Device Management > Device Profiles
3. Click on Create New Profile or edit an existing Windows profile
4. Navigate to Settings > VPN
   
5. Enable Configure VPN Settings

Base Settings

This section allows the admin to set the VPN profile name and VPN profile Type.

Per App Settings

This allows the admin to select a list of applications set to trigger the VPN. If any of these apps are launched, and the VPN profile is currently the active profile, then this VPN profile will be triggered to connect. Per-app VPN allows the admin to create granular, detailed control over the organization's VPN connections on an app-by-app basis.

1. Enable Trigger App: Connects to VPN whenever the app is launched.
   Enable Trigger App works in conjunction with Remember credentials under Advanced Settings.

   
   
2. Enable Allowed App: Enable Allowed App will allow those applications to work over VPN which are selected.
   Enable Allowed App works in conjunction with Force Tunnel as the Routing Policy Type.

   
   

For more information on the above, please click here

Advance Settings

Proxy Settings

You can enable post-connect proxy support for VPN by configuring proxy settings. The proxy defined for this profile is applied when this profile is active and connected.

Two options to define Proxy settings:

1. Automatic: Select this to automatically detect any proxy servers used by the VPN. You need to provide the URL to automatically retrieve proxy settings.
2. Manual: To manually configure the Proxy server, select this option and provide the proxy server address, which can be a hostname or an IP address

Route Settings

You can set route settings from this section. There are two Routing policy types to choose from:

1. Force Tunnel: When Force Tunnel is selected, all IP traffic goes through the VPN interface only.
2. Split Tunnel: When Split Tunnel is selected, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over other interfaces.
3. Disable Class Route: If split tunneling is enabled, the client will also be assigned a class-based route that is derived from the IP address assigned to it by the VPN server by default.

Provide the list of routes to be added to the routing table for the VPN interface (Address and Prefix). This is required for split tunneling cases where the VPN server site has more subnets than the default subnet based on the IP assigned to the interface. Adding a route here allows the networking stack to identify the traffic that needs to go over the VPN interface for split tunnel VPN.

After giving all settings, click Update Profile.

Once these VPN Settings get applied on a device, you can open the VPN Settings application on your enrolled Windows device. The VPN you have set up will be there, and you can connect to the same VPN.