How to Create VPN profiles in System Center Configuration Manager

Applies to: System Center Configuration Manager (Current Branch)

The connection types available for the different device platforms are described in VPN profiles in System Center Configuration Manager.

For third-party VPN connections, distribute the VPN app before deploying the VPN profile. If you don't deploy the app, users are prompted to install it when they try to connect to the VPN. To learn how to deploy apps, see Deploy applications with System Center Configuration Manager.

Create a VPN profile

  1. In the Configuration Manager console, choose Assets and Compliance > Compliance Settings > Company Resource Access > VPN Profiles.

  2. On the Home tab, in the Create group, choose Create VPN Profile.

  3. Complete the General page. Note the following:

    • Select the appropriate Platform.

      • If you select the Windows 8.1 platform, you have the option to select Import an existing VPN profile item from a file to import VPN profile information that was exported to an XML file.
    • Do not use the characters \ / : * ? < > | or the space character in the VPN profile name. These characters are not supported by the Windows Server VPN profile.

  4. On the Connection page, specify:

    • Connection type: Choose the VPN connection type. You can choose from the connection types in the following table.

    • Server list: Add a new server to use for the VPN connection. Depending on the connection type, you can add one or more VPN servers and specify the default server.

      Note

      Devices that run iOS do not support using multiple VPN servers. If you configure multiple VPN servers and then deploy the VPN profile to an iOS device, only the default server is used.

      This table lists the options for each connection type, with the connection types each option applies to. See your VPN server documentation for more information.

  Realm (connection type: Pulse Secure)
    The authentication realm that you want to use. An authentication realm is a grouping of authentication resources used by the Pulse Secure connection type.

  Role (connection type: Pulse Secure)
    The user role that has access to this connection.

  Login group or domain (connection type: Dell SonicWALL Mobile Connect)
    The name of the login group or domain that you want to connect to.

  Fingerprint (connection type: Check Point Mobile VPN)
    A string, for example "Contoso Fingerprint Code", that the client uses to verify that the VPN server can be trusted. The fingerprint can be handled in two ways:

    - It is sent to the client in the profile, so the client trusts any server that presents that same fingerprint when connecting.

    - If the device does not already have the fingerprint, the client prompts the user to trust the VPN server they are connecting to and shows the fingerprint; the user manually verifies the fingerprint and chooses to trust the server in order to connect.

  Send all network traffic through the VPN connection (connection type: All)
    If this option is not selected, you can specify additional routes for the connection (for the Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP and L2TP connection types). This is known as split tunneling: only connections to the company network are sent over the VPN tunnel, and the tunnel is not used when the device connects to resources on the Internet.

  Connection specific DNS suffix (connection types: Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP, L2TP)
    The connection-specific Domain Name System (DNS) suffix for the connection.

  Bypass VPN when connected to company Wi-Fi network (connection types: Cisco AnyConnect, Pulse Secure, F5 Edge Client, Dell SonicWALL Mobile Connect, Check Point Mobile VPN, Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, L2TP)
    The VPN connection is not used when the device is connected to the company Wi-Fi network.

  Bypass VPN when connected to home Wi-Fi network (connection type: All)
    The VPN connection is not used when the device is connected to a home Wi-Fi network.

  Per App VPN (iOS 7 and later, Mac OS X 10.9 and later) (connection types: Cisco AnyConnect, Pulse Secure, F5 Edge Client, Dell SonicWALL Mobile Connect, Check Point Mobile VPN)
    Associate this VPN connection with an iOS app so that the connection is opened when the app is run. You associate the VPN profile with an app when you deploy it.

  Custom XML (optional) (connection types: Cisco AnyConnect, Pulse Secure, F5 Edge Client, Dell SonicWALL Mobile Connect, Check Point Mobile VPN)
    Specify custom XML commands that configure the VPN connection. Examples:

    For Pulse Secure:

      <pulse-schema>
        <isSingleSignOnCredential>true</isSingleSignOnCredential>
      </pulse-schema>

    For Check Point Mobile VPN:

      <CheckPointVPN
        port="443" name="CheckPointSelfhost"
        sso="true"
        debug="3"
      />

    For Dell SonicWALL Mobile Connect:

      <MobileConnect>
          <Compression>false</Compression>
          <debugLogging>True</debugLogging>
          <packetCapture>False</packetCapture>
      </MobileConnect>

    For F5 Edge Client (the inner element must be closed for the fragment to be well-formed XML):

      <f5-vpn-conf><single-sign-on-credential/></f5-vpn-conf>

    Refer to each manufacturer's VPN documentation for more information about how to write custom XML commands.
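The wizard accepts whatever is typed into the General and Connection pages, so it is worth checking a profile definition against the constraints this page states before creating it: the characters that are not supported in a profile name, the iOS single-server limitation, which connection types expose the Custom XML field, and whether pasted vendor XML is well-formed. The script below is an added example for this page, not code from Configuration Manager or from any VPN vendor. The dict layout it uses for a profile, the sample server names and the malformed F5 fragment are constructed for the example; the other XML fragments are the ones shown above. It also flags vendor debug and packet-capture switches left on in custom XML (as the page's own samples have), so that shipping them to users is a deliberate choice rather than a leftover.

```python
"""Pre-flight checks for a Configuration Manager VPN profile definition.

Added example for this page, not Configuration Manager or vendor code. It
encodes only constraints stated on the page. The profile dict layout and the
sample values are assumptions constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

# Characters the page lists as unsupported in a VPN profile name, plus space.
FORBIDDEN_NAME_CHARS = frozenset('\\/:*?<>| ')

# Connection types for which the wizard offers the Custom XML (optional) field.
CUSTOM_XML_TYPES = frozenset({
    "Cisco AnyConnect", "Pulse Secure", "F5 Edge Client",
    "Dell SonicWALL Mobile Connect", "Check Point Mobile VPN",
})

# Custom XML fragments as shown on this page.
PULSE_XML = "<pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>"
CHECKPOINT_XML = '<CheckPointVPN port="443" name="CheckPointSelfhost" sso="true" debug="3" />'
DELL_XML = ("<MobileConnect><Compression>false</Compression>"
            "<debugLogging>True</debugLogging><packetCapture>False</packetCapture></MobileConnect>")
# Constructed malformed fragment: the inner element is never closed.
BROKEN_F5_XML = "<f5-vpn-conf><single-sign-on-credential></f5-vpn-conf>"


def check_profile_name(name):
    """Return problems with a profile name (empty list if it is acceptable)."""
    if not name:
        return ["profile name is empty"]
    bad = sorted(set(name) & FORBIDDEN_NAME_CHARS)
    if bad:
        return ["profile name contains unsupported character(s): " + repr("".join(bad))]
    return []


def check_servers(platform, servers, default_server):
    """Check the server list against the page's iOS single-server note."""
    if not servers:
        return ["at least one VPN server is required"]
    problems = []
    if default_server not in servers:
        problems.append("default server %r is not in the server list" % default_server)
    if platform == "iOS" and len(servers) > 1:
        ignored = sorted(set(servers) - {default_server})
        problems.append("iOS uses only the default server; %r will be ignored" % ignored)
    return problems


def check_custom_xml(connection_type, custom_xml):
    """Parse vendor custom XML and flag diagnostic switches left enabled."""
    if not custom_xml:
        return []
    if connection_type not in CUSTOM_XML_TYPES:
        return ["custom XML is not available for connection type %r" % connection_type]
    try:
        root = ET.fromstring(custom_xml)
    except ET.ParseError as exc:
        return ["custom XML is not well-formed: %s" % exc]
    problems = []
    # The page's samples turn on vendor debug logging / packet capture. Report
    # any attribute or element whose name suggests that and whose value is not
    # clearly off, so the setting is confirmed before the profile is deployed.
    for elem in root.iter():
        settings = list(elem.attrib.items()) + [(elem.tag, elem.text or "")]
        for key, value in settings:
            value = value.strip()
            if re.search(r"debug|capture", key, re.IGNORECASE) and value.lower() not in ("", "0", "false"):
                problems.append("diagnostic setting enabled in custom XML: %s=%r" % (key, value))
    return problems


def check_profile(profile):
    """Run every check over one profile definition and return all problems."""
    problems = check_profile_name(profile["name"])
    problems += check_servers(profile["platform"], profile["servers"], profile["default_server"])
    problems += check_custom_xml(profile["connection_type"], profile.get("custom_xml", ""))
    return problems


if __name__ == "__main__":
    # Constructed sample profiles: one that passes, one that breaks several rules.
    good = {"name": "Contoso-Pulse", "platform": "iOS", "connection_type": "Pulse Secure",
            "servers": ["vpn.contoso.com"], "default_server": "vpn.contoso.com",
            "custom_xml": PULSE_XML}
    bad = {"name": "Contoso VPN:F5", "platform": "iOS", "connection_type": "F5 Edge Client",
           "servers": ["vpn1.contoso.com", "vpn2.contoso.com"], "default_server": "vpn1.contoso.com",
           "custom_xml": BROKEN_F5_XML}
    for profile in (good, bad):
        print(profile["name"], "->", check_profile(profile) or "OK")
```

Run the script as-is to see the two constructed profiles checked, or import it and call check_profile on your own definitions before opening the wizard. The XML check uses the standard-library parser only to confirm well-formedness; it does not validate the fragment against the vendor's schema, which remains a matter for the manufacturer's documentation.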

Note

For information specific to creating VPN profiles for mobile devices, see Create VPN Profiles.

Complete the wizard. The new VPN profile is displayed in the VPN Profiles node in the Assets and Compliance workspace.

Next steps