Set up VPN profile through Autopilot

Hello guys,

I’ve been searching for a couple of days now how to set up a VPN profile that connects to an Azure Virtual Network Gateway using a Point to Site configuration for new enrolled devices.

When configuring it manually, I just have to install a .pfx certificate, a .cer certificate and the .exe with the VPN client (downloadable from the Virtual Network Gateway settings page) on the device.

But I don’t know where to start to configure this as a configuration profile on Intune for new devices.

Any help would be greatly appreciated :slight_smile:

Thank you!

EDIT: User u/jvldn posted this nice guide that works with an OpenVPN tunnel type and Azure AD Auth:

https://www.joeyverlinden.com/p2s-azure-vpn-gateway-and-azure-vpn-client/

I built this a year ago. I’ll come back to you on how we did this. Give me a few days.

Disclaimer: I have no experience with Azure Virtual Network Gateway. Is this a VPN appliance from a third party, or a native Azure service?

It looks like you need two configuration policies to install the certificates, and a Win32 package that contains the Client and VPN Profile, deployed with a script that installs the client, then adds the profile.

Wild assumptions ahead:
I’m guessing the cer is the CA public certificate? That’s easy to distribute via Intune.

Regarding the pfx. Is this to distribute a private key? I’m guessing this is for client authentication, and if so, it can’t be identical for all, and distributing the private key would be a security risk.

I would look into distributing NDES certificates via Intune instead. It gives you some benefits with certificate-based trust, and access to on-prem resources as well, depending on how you use them.

Finally, the VPN profile might be possible to distribute via Intune separately, easing the VPN Client install. This depends on the VPN client type. It might also be possible to use the built-in Windows VPN client, and just create a VPN profile for this.
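As an added example (not from this thread or the linked guide): an Intune remediation detection script in PowerShell that checks the three artifacts the package is supposed to deliver (profile, root .cer, client cert from the .pfx) before the remediation script installs the client and adds the profile. The connection name, gateway FQDN and root CA subject are assumed placeholders, and the per-user naming check assumes a CN=<username> convention.

```powershell
# Intune remediation *detection* script (added example; placeholders are assumed values).
# Deploy with "Run this script using the logged-on credentials = Yes" so that
# Cert:\CurrentUser and the per-user VPN profile belong to the signed-in user, not SYSTEM.
# Exit 0 = everything present; exit 1 = something missing, so the remediation
# script (install client, import certs, add profile) runs.

$ConnectionName = 'Azure P2S'                               # assumed profile name
$GatewayHost    = 'azuregateway-PLACEHOLDER.vpn.azure.com'  # gateway FQDN from the downloaded VpnSettings.xml
$RootCaSubject  = 'CN=P2SRootCert'                          # assumed subject of the distributed .cer

function Test-VpnProfile {
    # Per-user VPN profiles created by the installer show up in Get-VpnConnection.
    $vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
    return ($null -ne $vpn -and $vpn.ServerAddress -ieq $GatewayHost)
}

function Test-RootCert {
    # The .cer (CA public certificate) must be trusted machine-wide.
    $roots = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootCaSubject })
    return ($roots.Count -gt 0)
}

function Get-UsableClientCert {
    # The client certificate (from the .pfx) must sit in the user's Personal store
    # with its private key, be issued by the P2S root, and be inside its validity period.
    $now = Get-Date
    @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and $_.Issuer -eq $RootCaSubject -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now })
}

$missing = @()
if (-not (Test-VpnProfile)) { $missing += 'VPN profile' }
if (-not (Test-RootCert))   { $missing += 'root certificate' }
$clientCerts = @(Get-UsableClientCert)
if ($clientCerts.Count -eq 0) { $missing += 'client certificate' }

if ($missing.Count -gt 0) {
    Write-Output "Missing: $($missing -join ', ')"
    exit 1
}

# Reported for inventory only: a certificate whose subject does not name the signed-in
# user is a shared one, which is the per-user (NDES) point made in this thread.
$subject = $clientCerts[0].Subject
$perUser = $subject -like "*$env:USERNAME*"   # assumed naming convention CN=<username>
Write-Output "Detected: profile, root CA and client cert $($clientCerts[0].Thumbprint) (per-user: $perUser)"
exit 0
```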

I’ve just recently done this using this guide.

It works pretty much perfectly for what we want and is zero touch with a store app deployment of the VPN client as a required app.

The only thing I’m not loving is the hard switching of the always on. I want it to be optional for users, but also have some who want to be able to set it to automatically connect. I’ll be testing leaving that blank.

It would be very much appreciated!

Thank you very much!

It is a native Azure Service.

I’ve tried the configuration profiles way, but I didn’t find a way to install the .pfx this way.

Yes, I’ve managed to distribute the .cer, the problem comes with the .pfx

Yes, it contains a private key, so select members of a certain group can access a specific VM on the cloud. I know this isn’t the optimal way, but it’s how it was set up, and I can’t change it currently.

I’ll have a look at NDES, thank you very much!

Yeah, the VPN profile can be configured using the built-in Windows VPN client, but since the procedure is installing the .exe I would like to stick to it, although I will have a look at it and discuss it with department partners, thank you very much!

Again thank you very much for your time and suggestions, they are greatly appreciated!

Agreed, I followed this as well and it works great.

I will give it a go as soon as I can, thank you very much!

You can set it to false, which allows you to turn the VPN on and off via the Azure VPN client; but you can’t interact with it through the VPN section of Network Settings.
I’ve got to test leaving that blank to see what the behaviour is. I’m pretty sure it’ll be as it is with a manually configured profile so you can opt to set it to connect automatically.

I’ve only got a half dozen pilot users on it at the mo, but they’ve been very positive about it.