How to Create VPN Profiles in Configuration Manager


Updated: April 24, 2017

Applies To: System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Note

The information in this topic applies only to System Center 2012 R2 Configuration Manager versions.

Use the following links to learn about the steps to create VPN profiles in System Center 2012 Configuration Manager:

  • Step 1: Start the Create VPN Profile Wizard

  • Step 2: Provide General Information about the VPN Profile

  • Step 3: Provide Connection Information for the VPN Profile

  • Step 4: Configure the Authentication Method for the VPN Profile

  • Step 5: Configure Proxy Settings for the VPN Profile

  • Step 6: Configure Further DNS Settings (if required)

  • Step 7: Configure Supported Platforms for the VPN Profile

  • Step 8: Complete the Wizard

Step 1: Start the Create VPN Profile Wizard

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace of the Configuration Manager console, expand Compliance Settings, expand Company Resource Access, and then click VPN Profiles.

  3. On the Home tab, in the Create group, click Create VPN Profile.

Step 2: Provide General Information about the VPN Profile

  1. On the General page of the Create VPN Profile Wizard, specify the following information:

    - **Name** - Enter a unique name for the VPN profile (up to 256 characters).
    
      <div class="alert">
    
    
      > [!IMPORTANT]
      > <P>Do not use the characters \/:*?&lt;&gt;|, or the space character in the VPN profile name, because these characters are not supported by the Windows Server VPN profile.</P>
    
    
      </div>
    
    - **Description** - Enter a description to help you find the profile in the Configuration Manager console (up to 256 characters).
    
    - **Import an existing VPN profile item from a file** – Select this option to display the **Import VPN Profile** page. On this page, you can import VPN profile information that has previously been exported to an XML file (Windows 8.1 and Windows RT operating systems only).
    

Step 3: Provide Connection Information for the VPN Profile

  1. On the Connection page of the wizard, specify the following information:

    - **Connection type:** From the drop-down list, select the connection type for the VPN connection. You can choose from the connection types in the following table showing the supported platforms.
    
      <div class="alert">
    
    
      > [!IMPORTANT]
      > <P>Before you can use VPN profiles deployed to a device, you must ensure that any third-party VPN apps that you require are installed. You can use the information in the <A href="gg682159(v=technet.10).md">How to Create Applications in Configuration Manager</A> topic to help you deploy the app using Configuration Manager.</P>
    
    
      </div>
    
      <table>
      <colgroup>
      <col style="width: 12%" />
      <col style="width: 12%" />
      <col style="width: 12%" />
      <col style="width: 12%" />
      <col style="width: 12%" />
      <col style="width: 12%" />
      <col style="width: 12%" />
      <col style="width: 12%" />
      </colgroup>
      <thead>
      <tr class="header">
      <th><p>Connection type</p></th>
      <th><p>iOS</p></th>
      <th><p>Android</p></th>
      <th><p>Windows 8.1</p></th>
      <th><p>Windows RT</p></th>
      <th><p>Windows RT 8.1</p></th>
      <th><p>Windows Phone 8.1</p></th>
      <th><p><strong>Windows 10 Desktop and Mobile</strong></p></th>
      </tr>
      </thead>
      <tbody>
      <tr class="odd">
      <td><p><strong>Cisco AnyConnect</strong></p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>No</p></td>
      <td><p>No</p></td>
      <td><p>No</p></td>
      <td><p>No</p></td>
      <td><p>No</p></td>
      </tr>
      <tr class="even">
      <td><p><strong>Pulse Secure</strong></p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>No</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      </tr>
      <tr class="odd">
      <td><p><strong>F5 Edge Client</strong></p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>No</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      </tr>
      <tr class="even">
      <td><p><strong>Dell SonicWALL Mobile Connect</strong></p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>No</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      </tr>
      <tr class="odd">
      <td><p><strong>Check Point Mobile VPN</strong></p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>No</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      </tr>
      <tr class="even">
      <td><p><strong>Microsoft SSL (SSTP)</strong></p></td>
      <td><p>No</p></td>
      <td><p>No</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>No</p></td>
      <td><p>No</p></td>
      </tr>
      <tr class="odd">
      <td><p><strong>Microsoft Automatic</strong></p></td>
      <td><p>No</p></td>
      <td><p>No</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>No</p></td>
      <td><p>No</p></td>
      </tr>
      <tr class="even">
      <td><p><strong>IKEv2</strong></p></td>
      <td><p>No</p></td>
      <td><p>No</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      </tr>
      <tr class="odd">
      <td><p><strong>PPTP</strong></p></td>
      <td><p>Yes</p></td>
      <td><p>No</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>No</p></td>
      <td><p>No</p></td>
      </tr>
      <tr class="even">
      <td><p><strong>L2TP</strong></p></td>
      <td><p>Yes</p></td>
      <td><p>No</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>No</p></td>
      <td><p>No</p></td>
      </tr>
      </tbody>
      </table>
    
      <div class="alert">
    
    
      > [!NOTE]
      > <P>To support Windows Phone 8.1, you must install the optional Windows Phone 8.1 extension. For information on how to install the extension, see <A href="dn574730(v=technet.10).md">Planning to Use Extensions in Configuration Manager</A>. Beginning with System Center 2012 Configuration Manager SP2 this extension is incorporated into Configuration Manager.</P>
    
    
      </div>
    
    - **Server list:** Click **Add** to add a new server to use for the VPN connection. Depending on the connection type, you can add one or more VPN servers and also specify which server is to be the default server.
    
      <div class="alert">
    
    
      > [!NOTE]
      > <P>Devices that run iOS do not support using multiple VPN servers. If you configure multiple VPN servers and then deploy the VPN profile to an iOS device, only the default server is used.</P>
    
    
      </div>
    

    Further options from the following table might be displayed, depending on the connection type that you selected. See your VPN server documentation for more information.

    <table>
    <colgroup>
    <col style="width: 25%" />
    <col style="width: 50%" />
    <col style="width: 25%" />
    </colgroup>
    <thead>
    <tr class="header">
    <th><p>Option</p></th>
    <th><p>More information</p></th>
    <th><p>Connection type</p></th>
    </tr>
    </thead>
    <tbody>
    <tr class="odd">
    <td><p><strong>Realm</strong></p></td>
    <td><p>Specify the name of the authentication realm that you want to use. An authentication realm is a grouping of authentication resources that is used by the Pulse Secure connection type.</p></td>
    <td><ul>
    <li><p>Pulse Secure</p></li>
    </ul></td>
    </tr>
    <tr class="even">
    <td><p><strong>Role</strong></p></td>
    <td><p>Specify the name of the user role that has access to this connection.</p></td>
    <td><ul>
    <li><p>Pulse Secure</p></li>
    </ul></td>
    </tr>
    <tr class="odd">
    <td><p><strong>Login group or domain</strong></p></td>
    <td><p>Specify the name of the login group or domain that you want to connect to.</p></td>
    <td><ul>
    <li><p>Dell SonicWALL Mobile Connect</p></li>
    </ul></td>
    </tr>
    <tr class="even">
    <td><p><strong>Fingerprint</strong></p></td>
    <td><p>Specify a string, for example "Contoso Fingerprint Code", that will be used to verify that the VPN server can be trusted.</p>
    <p>A fingerprint can be:</p>
    <ul>
    <li><p>Sent to the client, so that it knows to trust any server that presents the same fingerprint when connecting.</p></li>
    <li><p>Verified by the user: if the device does not already have the fingerprint, it prompts the user to trust the VPN server they are connecting to and displays the fingerprint (the user manually verifies the fingerprint and clicks trust to connect).</p></li>
    </ul></td>
    <td><ul>
    <li><p>Check Point Mobile VPN</p></li>
    </ul></td>
    </tr>
    <tr class="odd">
    <td><p><strong>Send all network traffic through the VPN connection</strong></p></td>
    <td><p>If this option is not selected, you can specify additional routes for the connection (for the Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP and L2TP connection types). This is known as split tunneling.</p>
    <p>With split tunneling, only connections to the company network are sent over the VPN tunnel. The VPN tunnel is not used when you connect to resources on the Internet.</p></td>
    <td><ul>
    <li><p>All</p></li>
    </ul></td>
    </tr>
    <tr class="even">
    <td><p><strong>Connection specific DNS suffix</strong></p></td>
    <td><p>Optionally, specify the connection-specific Domain Name System (DNS) suffix for the connection.</p></td>
    <td><ul>
    <li><p>Microsoft SSL (SSTP)</p></li>
    <li><p>Microsoft Automatic</p></li>
    <li><p>IKEv2</p></li>
    <li><p>PPTP</p></li>
    <li><p>L2TP</p></li>
    </ul></td>
    </tr>
    <tr class="odd">
    <td><p><strong>Bypass VPN when connected to company Wi-Fi network</strong></p></td>
    <td><p>Specifies that the VPN connection will not be used when the device is connected to the company Wi-Fi network.</p></td>
    <td><ul>
    <li><p>Cisco AnyConnect</p></li>
    <li><p>Pulse Secure</p></li>
    <li><p>F5 Edge Client</p></li>
    <li><p>Dell SonicWALL Mobile Connect</p></li>
    <li><p>Check Point Mobile VPN</p></li>
    <li><p>Microsoft SSL (SSTP)</p></li>
    <li><p>Microsoft Automatic</p></li>
    <li><p>IKEv2</p></li>
    <li><p>L2TP</p></li>
    </ul></td>
    </tr>
    <tr class="even">
    <td><p><strong>Bypass VPN when connected to home Wi-Fi network</strong></p></td>
    <td><p>Specifies that the VPN connection will not be used when the device is connected to a home Wi-Fi network.</p></td>
    <td><ul>
    <li><p>All</p></li>
    </ul></td>
    </tr>
    <tr class="odd">
    <td><p><strong>Per App VPN (iOS 7 and later, Mac OS X 10.9 and later)</strong></p></td>
    <td><p>Select this option if you want to associate this VPN connection with an iOS app so that the connection is opened when the app is run. You can associate the VPN profile with an app when you deploy it.</p></td>
    <td><ul>
    <li><p>Cisco AnyConnect</p></li>
    <li><p>Pulse Secure</p></li>
    <li><p>F5 Edge Client</p></li>
    <li><p>Dell SonicWALL Mobile Connect</p></li>
    <li><p>Check Point Mobile VPN</p></li>
    </ul></td>
    </tr>
    <tr class="even">
    <td><p><strong>Custom XML (optional)</strong></p></td>
    <td><p>Allows you to specify custom XML commands that configure the VPN connection.</p>
    <p>Examples:</p>
    <ul>
    <li><p>For Pulse Secure:</p>
    <pre><code>&lt;pulse-schema&gt;&lt;isSingleSignOnCredential&gt;true&lt;/isSingleSignOnCredential&gt;&lt;/pulse-schema&gt;</code></pre></li>
    <li><p>For Check Point Mobile VPN:</p>
    <pre><code>&lt;CheckPointVPN port="443" name="CheckPointSelfhost" sso="true" debug="3" /&gt;</code></pre></li>
    <li><p>For Dell SonicWALL Mobile Connect:</p>
    <pre><code>&lt;MobileConnect&gt;&lt;Compression&gt;false&lt;/Compression&gt;&lt;debugLogging&gt;True&lt;/debugLogging&gt;&lt;packetCapture&gt;False&lt;/packetCapture&gt;&lt;/MobileConnect&gt;</code></pre></li>
    <li><p>For F5 Edge Client:</p>
    <pre><code>&lt;f5-vpn-conf&gt;&lt;single-sign-on-credential /&gt;&lt;/f5-vpn-conf&gt;</code></pre></li>
    </ul>
    <p>Refer to each manufacturer's VPN documentation for more information about how to write custom XML commands.</p></td>
    <td><ul>
    <li><p>Cisco AnyConnect</p></li>
    <li><p>Pulse Secure</p></li>
    <li><p>F5 Edge Client</p></li>
    <li><p>Dell SonicWALL Mobile Connect</p></li>
    <li><p>Check Point Mobile VPN</p></li>
    </ul></td>
    </tr>
    </tbody>
    </table>
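The wizard stores the **Custom XML** string as-is, so a typo only shows up on the device after deployment, and the vendor examples above carry diagnostic switches (`debug="3"`, `debugLogging`) that are reasonable in a lab but rarely belong in a production profile. The following script is an added example, not Configuration Manager or vendor code: it parses each of the four snippets from the table with Python's standard XML parser, checks that the root element matches the connection type, and flags enabled diagnostic settings. The `EXPECTED_ROOT` mapping is read off the examples above, and the `DIAGNOSTIC_ELEMENTS` list is this example's own choice of what to flag.

```python
import xml.etree.ElementTree as ET

# The four snippets from the table above, keyed by connection type.
CUSTOM_XML = {
    "Pulse Secure":
        "<pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>",
    "Check Point Mobile VPN":
        '<CheckPointVPN port="443" name="CheckPointSelfhost" sso="true" debug="3" />',
    "Dell SonicWALL Mobile Connect":
        "<MobileConnect><Compression>false</Compression><debugLogging>True</debugLogging>"
        "<packetCapture>False</packetCapture></MobileConnect>",
    "F5 Edge Client":
        "<f5-vpn-conf><single-sign-on-credential /></f5-vpn-conf>",
}

# Root element each snippet above uses; a mismatch usually means the XML was
# pasted into a profile of the wrong connection type.
EXPECTED_ROOT = {
    "Pulse Secure": "pulse-schema",
    "Check Point Mobile VPN": "CheckPointVPN",
    "Dell SonicWALL Mobile Connect": "MobileConnect",
    "F5 Edge Client": "f5-vpn-conf",
}

# Child elements whose enabled state deserves a second look before a
# production deployment (this example's own list, not a vendor list).
DIAGNOSTIC_ELEMENTS = {"debugLogging", "packetCapture"}


def _is_true(text):
    return (text or "").strip().lower() in {"true", "1", "yes"}


def review_custom_xml(connection_type, xml_text):
    """Return a list of findings; an empty list means well-formed and nothing flagged."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # The wizard would accept this string; it fails only on the device.
        return [f"not well-formed XML: {exc}"]

    findings = []
    expected = EXPECTED_ROOT.get(connection_type)
    if expected and root.tag != expected:
        findings.append(f"root element is <{root.tag}>, expected <{expected}>")

    # Check Point style: debug level as an attribute on the root element.
    debug = root.get("debug")
    if debug is not None and debug != "0":
        findings.append(f'debug="{debug}" enables client debug output')

    # SonicWALL style: diagnostic switches as child elements.
    for elem in root.iter():
        if elem.tag in DIAGNOSTIC_ELEMENTS and _is_true(elem.text):
            findings.append(f"{elem.tag} is enabled")
    return findings


def review_all(snippets=CUSTOM_XML):
    """Run the review over every snippet; returns {connection type: findings}."""
    return {ct: review_custom_xml(ct, xml) for ct, xml in snippets.items()}


if __name__ == "__main__":
    for ct, findings in review_all().items():
        print(f"{ct}: {findings or 'ok'}")
```

Run against the table's own examples, the Pulse Secure and F5 snippets come back clean, while the Check Point and SonicWALL snippets are flagged for their debug settings; a missing closing tag is reported as a parse error before the profile ever reaches a device.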

Step 4: Configure the Authentication Method for the VPN Profile

  1. On the Authentication Method page of the wizard, specify the following information:

    - **Authentication method:** From the drop-down list, select the authentication method that the VPN connection will use. The items in the drop-down list might differ; they depend on the connection type that you previously selected. The available authentication methods and the supported connection types are listed in the following table.
    
      <table>
      <colgroup>
      <col style="width: 50%" />
      <col style="width: 50%" />
      </colgroup>
      <thead>
      <tr class="header">
      <th><p>Authentication method</p></th>
      <th><p>Supported connection types</p></th>
      </tr>
      </thead>
      <tbody>
      <tr class="odd">
      <td><p><strong>Certificates</strong></p>
      <div class="alert">
    
      > [!TIP]
      > <P>If the client certificate authenticates to a RADIUS server, such as a Network Policy Server, the Subject Alternative Name in the certificate must be set to the User Principal Name.</P>
      > <P><BR></P>
      > <P>For Android deployments, select the EKU identifier and the certificate issuer thumbprint hash value. Otherwise, users must select the appropriate certificate manually.</P>
    
      </div></td>
      <td><ul>
      <li><p>Cisco AnyConnect</p></li>
      <li><p>Pulse Secure</p></li>
      <li><p>F5 Edge Client</p></li>
      <li><p>Dell SonicWALL Mobile Connect</p></li>
      <li><p>Check Point Mobile VPN</p></li>
      </ul></td>
      </tr>
      <tr class="even">
      <td><p><strong>Username and Password</strong></p></td>
      <td><ul>
      <li><p>Pulse Secure</p></li>
      <li><p>F5 Edge Client</p></li>
      <li><p>Dell SonicWALL Mobile Connect</p></li>
      <li><p>Check Point Mobile VPN</p></li>
      </ul></td>
      </tr>
      <tr class="odd">
      <td><p><strong>Microsoft EAP-TTLS</strong></p></td>
      <td><ul>
      <li><p>Microsoft SSL (SSTP)</p></li>
      <li><p>Microsoft Automatic</p></li>
      <li><p>IKEv2</p></li>
      <li><p>PPTP</p></li>
      <li><p>L2TP</p></li>
      </ul></td>
      </tr>
      <tr class="even">
      <td><p><strong>Microsoft protected EAP (PEAP)</strong></p></td>
      <td><ul>
      <li><p>Microsoft SSL (SSTP)</p></li>
      <li><p>Microsoft Automatic</p></li>
      <li><p>IKEv2</p></li>
      <li><p>PPTP</p></li>
      <li><p>L2TP</p></li>
      </ul></td>
      </tr>
      <tr class="odd">
      <td><p><strong>Microsoft secured password (EAP-MSCHAP v2)</strong></p></td>
      <td><ul>
      <li><p>Microsoft SSL (SSTP)</p></li>
      <li><p>Microsoft Automatic</p></li>
      <li><p>IKEv2</p></li>
      <li><p>PPTP</p></li>
      <li><p>L2TP</p></li>
      </ul></td>
      </tr>
      <tr class="even">
      <td><p><strong>Smart Card or other certificate</strong></p></td>
      <td><ul>
      <li><p>Microsoft SSL (SSTP)</p></li>
      <li><p>Microsoft Automatic</p></li>
      <li><p>IKEv2</p></li>
      <li><p>PPTP</p></li>
      <li><p>L2TP</p></li>
      </ul></td>
      </tr>
      <tr class="odd">
      <td><p><strong>MSCHAP v2</strong></p></td>
      <td><ul>
      <li><p>Microsoft SSL (SSTP)</p></li>
      <li><p>Microsoft Automatic</p></li>
      <li><p>IKEv2</p></li>
      <li><p>PPTP</p></li>
      <li><p>L2TP</p></li>
      </ul></td>
      </tr>
      <tr class="even">
      <td><p><strong>RSA SecurID</strong> (iOS only)</p></td>
      <td><ul>
      <li><p>Microsoft SSL (SSTP)</p></li>
      <li><p>Microsoft Automatic</p></li>
      <li><p>PPTP</p></li>
      <li><p>L2TP</p></li>
      </ul></td>
      </tr>
      <tr class="odd">
      <td><p><strong>Use machine certificates</strong></p></td>
      <td><ul>
      <li><p>IKEv2</p></li>
      </ul></td>
      </tr>
      </tbody>
      </table>
    
      Depending on the options you select, you might be asked to specify further information, such as:
    
        - **Remember the user credentials at each logon**: Select this option to ensure that the user credentials are remembered so that the user does not have to enter credentials each time a connection is established.
    
        - **Select a client certificate for client authentication** - Select the client SCEP certificate that you previously created that will be used to authenticate the VPN connection. For more information about how to use certificate profiles in Configuration Manager, see [Certificate Profiles in Configuration Manager](dn261202\(v=technet.10\).md).
    
          <div class="alert">
    
    
          > [!NOTE]
          > <P>For iOS devices, the SCEP profile you select will be embedded in the VPN profile. For other platforms, an applicability rule is added to ensure that the VPN profile is not installed if the certificate is not present, or not compliant.</P>
          > <P>If the SCEP certificate you specify is not compliant, or has not been deployed, then the VPN profile will not be installed on the device.</P>
    
    
          </div>
    
        - For some authentication methods, you can click **Configure** to open the Windows properties dialog box (if the version of Windows on which you are running the Configuration Manager console supports this authentication method) where you can configure the properties of the authentication method.
    
      <div class="alert">
    
    
      > [!NOTE]
      > <P>Devices that run iOS support only <STRONG>RSA SecurID</STRONG> and <STRONG>MSCHAP v2</STRONG> for the authentication method when the connection type is <STRONG>PPTP</STRONG>. To avoid reporting errors, deploy a separate PPTP VPN profile to devices that run iOS.</P>
    
    
      </div>
    

Step 5: Configure Proxy Settings for the VPN Profile

To configure proxy settings for the VPN profile

  1. On the Proxy Settings page of the Create VPN Profile Wizard, select the Configure proxy settings for this VPN profile check box if your VPN connection uses a proxy server.

  2. Specify details about your proxy server and its settings. For more information, see the Windows Server documentation.

Step 6: Configure Further DNS Settings (if required)

On the Configure Automatic VPN connection page of the wizard, you can configure the following settings:

  • Enable VPN on-demand – Select this option if you want to configure further DNS settings on this page of the wizard for Windows Phone 8.1 devices.

    Note

    This setting applies only to Windows Phone 8.1 devices and should be enabled only on VPN profiles that are going to be deployed to Windows Phone 8.1 devices.

  • DNS Suffix list (for Windows Phone 8.1 devices only) – Configures domains that will establish a VPN connection. For each domain you specify, add the DNS suffix, the DNS server address, and one of the following on-demand actions:

    • Never establish – Never open a VPN connection

    • Establish if needed – Only open a VPN connection if the device needs to connect to resources

    • Always establish – Always open the VPN connection

  • Merge – Copies any DNS suffixes you configured into the Trusted network list.

  • Trusted network list (for Windows Phone 8.1 devices only) - Specify one DNS suffix on each line. If the device is in a trusted network, the VPN connection will not be opened.

  • Suffix search list (for Windows Phone 8.1 devices only) - Specify one DNS suffix on each line. Each DNS suffix you specify will be searched when connecting to a website using a short name.

    For example, you specify the DNS suffixes domain1.contoso.com and domain2.contoso.com and then visit the URL http://mywebsite. The following addresses will be searched:

Note

For Windows Phone 8.1 devices only

If the Send all network traffic through the VPN connection option is selected, and the VPN connection is using full tunneling, for the first profile provisioned on the device, the VPN connection will automatically open. If you want a different profile to automatically open a connection, you must make it the default profile on the device.

If the Send all network traffic through the VPN connection option is not selected, and the VPN connection is using split-tunneling, a VPN connection can automatically be opened if you configure routes, or a connection specific DNS suffix.
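The three lists on this page interact (a suffix can appear in the DNS suffix list with an on-demand action, in the trusted network list after a Merge, and in the suffix search list), and it is easy to end up with a profile that never opens the tunnel for the names you care about. The following script is an added example, not Configuration Manager or Windows Phone code: it models the rules as the text above states them (a trusted network suppresses the connection, otherwise the first configured DNS suffix that matches the requested name decides via its on-demand action, and short names are expanded through the suffix search list). The precedence of the trusted-network check over the suffix rules, the dict layout of the profile, and the sample suffixes and server address are this example's assumptions.

```python
NEVER, IF_NEEDED, ALWAYS = "Never establish", "Establish if needed", "Always establish"

# Constructed sample in the shape of the wizard's page (not a real profile).
SAMPLE_PROFILE = {
    "dns_suffix_list": [
        {"suffix": "domain1.contoso.com", "dns_server": "10.0.0.53", "action": ALWAYS},
        {"suffix": "domain2.contoso.com", "dns_server": "10.0.0.53", "action": IF_NEEDED},
        {"suffix": "guest.contoso.com", "dns_server": "10.0.0.53", "action": NEVER},
    ],
    "trusted_network_list": ["corp.contoso.com"],
    "suffix_search_list": ["domain1.contoso.com", "domain2.contoso.com"],
}


def _under(name, suffix):
    """True if name equals suffix or is a subdomain of it (case-insensitive)."""
    name, suffix = name.lower().rstrip("."), suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def expand_short_name(name, profile):
    """Suffix search list: a short name is tried with each configured suffix, in order."""
    if "." in name:
        return [name]
    return [f"{name}.{suffix}" for suffix in profile["suffix_search_list"]]


def on_demand_decision(name, current_dns_suffix, profile):
    """What the on-demand rules do for a request to `name` from a network whose
    connection-specific DNS suffix is `current_dns_suffix` (None if unknown).
    Returns 'trusted network', one of the three on-demand actions, or 'no rule'."""
    # Trusted network: the device is already inside, so the VPN is not opened.
    # (Assumption: this check takes precedence over the suffix rules.)
    if current_dns_suffix and any(
        _under(current_dns_suffix, trusted) for trusted in profile["trusted_network_list"]
    ):
        return "trusted network"
    # Otherwise the first candidate name under a configured DNS suffix decides.
    for candidate in expand_short_name(name, profile):
        for rule in profile["dns_suffix_list"]:
            if _under(candidate, rule["suffix"]):
                return rule["action"]
    return "no rule"


def merge_into_trusted(profile):
    """The Merge option: copy the DNS suffixes into the trusted network list, without duplicates."""
    merged = list(profile["trusted_network_list"])
    for rule in profile["dns_suffix_list"]:
        if rule["suffix"] not in merged:
            merged.append(rule["suffix"])
    return merged


if __name__ == "__main__":
    print(expand_short_name("mywebsite", SAMPLE_PROFILE))
    print(on_demand_decision("mywebsite", None, SAMPLE_PROFILE))
    print(on_demand_decision("mywebsite", "lab.corp.contoso.com", SAMPLE_PROFILE))
    print(merge_into_trusted(SAMPLE_PROFILE))
```

One consequence worth checking with the model: after a Merge, every DNS suffix is also a trusted network, so a device that is already on `domain1.contoso.com` will not open the tunnel for names in that domain, which is usually the intent but should be confirmed against the profile's purpose.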

Step 7: Configure Supported Platforms for the VPN Profile

Use the following procedure to specify the supported platforms for the VPN profile.

Supported platforms are the operating systems on which the VPN profile will be installed.

To specify supported platforms for the VPN Profile

  1. On the Supported Platforms page of the Create VPN Profile Wizard, select the operating systems on which the VPN profile will be installed, or click Select all to install the VPN profile on all available operating systems.
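The wizard lets you pick platforms here that the connection type chosen in Step 3 does not support, and an authentication method in Step 4 that the connection type cannot use; the mismatch surfaces only as deployment errors. The following script is an added example, not Configuration Manager code: it encodes the Step 2 name rule, the Step 3 connection type / platform table, the Step 4 authentication method table and the iOS PPTP note, and checks a profile description against all of them before it is created. The profile dict shape (`name`, `connection_type`, `auth_method`, `platforms`) and the sample profiles are this example's assumptions, not the wizard's data model.

```python
import re

# Step 2: characters the Windows Server VPN profile does not support in a name.
FORBIDDEN_NAME_CHARS = re.compile(r"[\\/:*?<>| ]")
MAX_NAME_LENGTH = 256

IOS, ANDROID, WIN81, WINRT, WINRT81, WP81, WIN10 = (
    "iOS", "Android", "Windows 8.1", "Windows RT", "Windows RT 8.1",
    "Windows Phone 8.1", "Windows 10 Desktop and Mobile",
)
THIRD_PARTY = {"Cisco AnyConnect", "Pulse Secure", "F5 Edge Client",
               "Dell SonicWALL Mobile Connect", "Check Point Mobile VPN"}
MICROSOFT = {"Microsoft SSL (SSTP)", "Microsoft Automatic", "IKEv2", "PPTP", "L2TP"}

# Step 3 table: connection type -> platforms marked "Yes".
PLATFORMS = {
    "Cisco AnyConnect": {IOS, ANDROID},
    "Pulse Secure": {IOS, ANDROID, WIN81, WINRT81, WP81, WIN10},
    "F5 Edge Client": {IOS, ANDROID, WIN81, WINRT81, WP81, WIN10},
    "Dell SonicWALL Mobile Connect": {IOS, ANDROID, WIN81, WINRT81, WP81, WIN10},
    "Check Point Mobile VPN": {IOS, ANDROID, WIN81, WINRT81, WP81, WIN10},
    "Microsoft SSL (SSTP)": {WIN81, WINRT, WINRT81},
    "Microsoft Automatic": {WIN81, WINRT, WINRT81},
    "IKEv2": {WIN81, WINRT, WINRT81, WP81, WIN10},
    "PPTP": {IOS, WIN81, WINRT, WINRT81},
    "L2TP": {IOS, WIN81, WINRT, WINRT81},
}

# Step 4 table: authentication method -> connection types it can be used with.
AUTH_METHODS = {
    "Certificates": THIRD_PARTY,
    "Username and Password": THIRD_PARTY - {"Cisco AnyConnect"},
    "Microsoft EAP-TTLS": MICROSOFT,
    "Microsoft protected EAP (PEAP)": MICROSOFT,
    "Microsoft secured password (EAP-MSCHAP v2)": MICROSOFT,
    "Smart Card or other certificate": MICROSOFT,
    "MSCHAP v2": MICROSOFT,
    "RSA SecurID": MICROSOFT - {"IKEv2"},   # iOS only
    "Use machine certificates": {"IKEv2"},
}
IOS_PPTP_AUTH = {"RSA SecurID", "MSCHAP v2"}   # from the note under the Step 4 table


def check_name(name):
    """Apply the Step 2 name rules; returns a list of problems."""
    problems = []
    if not name or len(name) > MAX_NAME_LENGTH:
        problems.append(f"name must be 1 to {MAX_NAME_LENGTH} characters")
    bad = sorted(set(FORBIDDEN_NAME_CHARS.findall(name or "")))
    if bad:
        problems.append("name contains unsupported characters: " + " ".join(repr(c) for c in bad))
    return problems


def preflight(profile):
    """Check a profile dict (keys: name, connection_type, auth_method, platforms)
    against the name rule and both tables; returns a list of problems."""
    problems = check_name(profile["name"])
    ctype, auth = profile["connection_type"], profile["auth_method"]
    platforms = set(profile["platforms"])
    if ctype not in PLATFORMS:
        return problems + [f"unknown connection type {ctype!r}"]

    unsupported = platforms - PLATFORMS[ctype]
    if unsupported:
        problems.append(f"{ctype} is not supported on: " + ", ".join(sorted(unsupported)))

    allowed = AUTH_METHODS.get(auth)
    if allowed is None:
        problems.append(f"unknown authentication method {auth!r}")
    elif ctype not in allowed:
        problems.append(f"{auth} cannot be used with {ctype}")
    if auth == "RSA SecurID" and platforms - {IOS}:
        problems.append("RSA SecurID is available for iOS only")

    # iOS PPTP note: only two methods work, and a separate profile avoids reporting errors.
    if ctype == "PPTP" and IOS in platforms:
        if auth not in IOS_PPTP_AUTH:
            problems.append(f"iOS supports only RSA SecurID and MSCHAP v2 with PPTP, not {auth}")
        elif platforms != {IOS}:
            problems.append("deploy a separate PPTP profile to iOS devices to avoid reporting errors")
    return problems


if __name__ == "__main__":
    sample = {"name": "Corp Mobile", "connection_type": "Cisco AnyConnect",
              "auth_method": "Certificates", "platforms": [IOS, WIN81]}
    for problem in preflight(sample):
        print("-", problem)
```

The sample profile in the `__main__` block is rejected twice: its name contains a space, and Cisco AnyConnect is not offered for Windows 8.1. Both the name rule and the iOS PPTP note are the kind of thing the console accepts silently, so running this check over a set of planned profiles before clicking through the wizard is cheaper than chasing non-compliant devices afterwards.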

Step 8: Complete the Wizard

On the Summary page of the wizard, review the actions to be taken, and then complete the wizard. The new VPN profile is displayed in the VPN Profiles node in the Assets and Compliance workspace.

For information about how to deploy the VPN profile, see How to Deploy VPN Profiles in Configuration Manager.