What is Microsoft Tunnel?
Microsoft Tunnel is a VPN gateway for Microsoft Intune. It gives iOS/iPadOS and Android devices access to on-premises resources.
Microsoft Tunnel runs as a Docker container on a Linux server, physical or virtual. Once the server is installed, you deploy a VPN profile to your devices. If you host the server in Azure, you also need an ExpressRoute circuit or a site-to-site VPN between your on-premises infrastructure and the Tunnel server.
If you have many devices, you can install several Linux servers that all run Microsoft Tunnel. Servers are grouped into logical groups called Sites; a server can belong to only one Site.
Microsoft Tunnel has a few prerequisites.
Before configuring Microsoft Tunnel, you need a physical or virtual Linux server running one of these distributions:
- CentOS 7.4 (Version 8 is not supported)
- Red Hat (RHEL) 7.4 (Version 8 is not supported)
- Ubuntu 18.04 or 20.04
The size of the server depends on the number of devices.
Installation of Docker
To install Docker, you can use the following link.
You need a Transport Layer Security (TLS) certificate. This certificate secures the connection between the devices and the Tunnel Gateway server.
- The TLS certificate must include the FQDN of the Tunnel Gateway server in its Subject Alternative Name (SAN). An IP address can be used instead of the FQDN.
- The validity period of the certificate must not exceed two years; otherwise iOS/iPadOS devices reject it. (Apple's published ceiling for TLS server certificates is 825 days, so a two-year certificate stays within it.)
- If you use a certificate from a private CA, you must push the whole trust chain to the devices.
- The certificate can be in PEM or PFX format.
The inbound ports required by Microsoft Tunnel must be allowed:
- TCP 443
- TCP 80
The following outbound ports must be allowed so the server can reach Microsoft Intune; TCP 443 is also required by Docker to pull images.
- TCP 443
- TCP 80
I have installed Ubuntu on my ESXi, so we can now install Docker. Open a session with your user account and run the following commands to set up the repository.
sudo apt-get update
sudo apt-get install apt-transport-https
Then install the following packages, one command at a time:
sudo apt-get install ca-certificates
sudo apt-get install curl
sudo apt-get install gnupg-agent
sudo apt-get install software-properties-common
When all packages are installed, add Docker's official GPG key. (apt-key is deprecated on Ubuntu 22.04 and later, but it still works on the supported 18.04 and 20.04 releases.) Run the command:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
Verify the key fingerprint. It must be exactly 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88; if the output differs, do not use the key. Run the command:
sudo apt-key fingerprint 0EBFCD88
We can now set up the stable repository. Run the command:
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
Docker can now be installed. Run the following commands:
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
Create Server configuration
From the Microsoft Endpoint Manager admin center, click on Tenant administration, then on Microsoft Tunnel Gateway. Select Server configurations, then click on Create new.
Enter the desired name and click on Next.
In the IP address range field, enter the range of IP addresses leased to devices when they connect to the Tunnel Gateway server. In DNS servers, enter the IP address of your DNS server.
In DNS suffix search, enter the domain name; it is provided to clients as the default search domain. You can include or exclude IP address ranges that are, or are not, routed through the Tunnel Gateway server (split tunneling). Enter the server port you want to use; the Tunnel Gateway server listens on this port for connections (443 by default).
Click on Next, then on Create. The server configuration has been created.
Create a site configuration
From the Endpoint Manager admin center, click on Sites and servers, then on Create. Select New site.
Enter the name of the site, then the public IP address or FQDN that devices will connect to. Select the server configuration.
Run the readiness tool
Before installing the Microsoft Tunnel server, it is recommended to run mst-readiness. This script runs on the Linux server and confirms that the network configuration allows access to the Microsoft endpoints required by Microsoft Tunnel. It also validates that the Azure Active Directory account has the required roles.
From the Linux server, run the following commands.
wget --output-document=mst-readiness https://aka.ms/microsofttunnelready
chmod +x ./mst-readiness
Check network connectivity with ./mst-readiness network, and check the account roles with ./mst-readiness account. Fix any failed check before continuing.
Before installing Microsoft Tunnel, the certificate must be placed on the Linux server. If the certificate is in PFX format, copy the file to /etc/mstunnel/private/site.pfx. For the PEM format, copy the certificate file to /etc/mstunnel/certs/site.crt and the key file to /etc/mstunnel/private/site.key.
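The checks below are an added example, not part of the original post or of the Microsoft Tunnel tooling. They verify a certificate against the prerequisites listed earlier (FQDN or IP address in the SAN, validity of at most two years) before it is copied to /etc/mstunnel, and package a PEM certificate and key into the site.pfx that the installer expects. They assume openssl and GNU date are installed; the hostname tunnel.example.com, the IP 203.0.113.10 and the password are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): validate a TLS certificate
# against the Tunnel Gateway prerequisites, then package it as site.pfx.
# Assumes openssl and GNU date; names and paths below are placeholders.

MAX_VALIDITY_DAYS=730   # two-year ceiling from the prerequisites (iOS/iPadOS)

# check_tunnel_cert <cert.pem> <fqdn-or-ip>
# Returns 0 when the certificate lists the name in its SAN and its validity
# period does not exceed MAX_VALIDITY_DAYS; prints the reason and returns 1 otherwise.
check_tunnel_cert() {
  local cert="$1" name="$2" text sans start end days
  text=$(openssl x509 -in "$cert" -noout -text) || { echo "cannot read $cert"; return 1; }

  # The SAN entries ("DNS:host, IP Address:1.2.3.4") sit on the line after the header.
  sans=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n1)
  case "$sans," in
    *"DNS:$name,"* | *"IP Address:$name,"*) ;;
    *) echo "SAN does not contain $name (got:${sans:-none})"; return 1 ;;
  esac

  # Total validity period, not just remaining time: Apple rejects long-lived certs.
  start=$(date -d "$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)" +%s)
  end=$(date -d "$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)" +%s)
  days=$(( (end - start) / 86400 ))
  if [ "$days" -gt "$MAX_VALIDITY_DAYS" ]; then
    echo "validity is $days days, more than $MAX_VALIDITY_DAYS"; return 1
  fi
  echo "OK: $name is in the SAN, valid for $days days"
  return 0
}

# make_site_pfx <cert.pem> <key.pem> <password> [chain.pem] [out.pfx]
# Bundles the server certificate (plus the issuing chain, if given) with its
# private key as PKCS#12, the form expected at /etc/mstunnel/private/site.pfx.
# Passing the chain matters for a private CA: devices must see the full chain.
make_site_pfx() {
  local cert="$1" key="$2" pass="$3" chain="${4:-}" out="${5:-site.pfx}"
  if [ -n "$chain" ]; then
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
      -out "$out" -passout "pass:$pass"
  else
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" -passout "pass:$pass"
  fi
}

# install_site_pfx <site.pfx>: place the bundle where mstunnel-setup looks for it,
# readable by root only (the bundle contains the private key).
install_site_pfx() {
  sudo mkdir -p /etc/mstunnel/private
  sudo install -m 600 "$1" /etc/mstunnel/private/site.pfx
}

# Stand-alone use: ./check_tunnel_cert.sh site.crt tunnel.example.com
if [ "$#" -ge 2 ]; then
  check_tunnel_cert "$1" "$2"
fi
```

Run the check on the exported certificate before uploading it; a certificate whose only name is in the Common Name, or one issued for longer than two years, is rejected here rather than on the phone.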
I chose to use a private certificate, so I need to create a new template. From the Certification Authority console, right-click on Certificate Templates and click on Manage.
Right-click on the Web Server template and click on Duplicate Template.
Configure the compatibility settings and select the General tab. Enter the desired name and choose the validity period (two years at most for iPhone/iPad).
Open the Request Handling tab and check Allow private key to be exported.
On the Security tab, grant the Enroll right to the computer for which the certificate will be issued. I chose to use an Active Directory group. The group contains only the computers that can request the certificate. In my lab, the PKI is on the DC (to be avoided in production), so I added the computer account to the group. I will request the certificate from this server. If you want to use another server, just add that server.
Click on Apply, then on OK. Close the Certificate Templates console and right-click on Certificate Templates. Select New, then click on Certificate Template to Issue.
Select the template previously created and click on OK.
The certificate can now be issued. From the server, open an MMC console and add the Certificates snap-in (Computer account). Expand Certificates, right-click on Personal or Certificates, and select All Tasks / Request New Certificate.
Check the template previously created and click on More information is required to enroll for this certificate.
Under Subject name, select Common name and enter the FQDN or IP address of the server. Click on Add. Under Alternative name, also add a DNS entry (or IP address) with the same value, because the prerequisites require the name in the SAN and the Web Server template does not copy the Common name there. Click on OK.
Click on Enroll. The certificate can now be exported. Right-click on it and select All Tasks / Export.
Check Yes, export the private key and click on Next.
Choose a password and click on Next.
Enter the export path and file name. Click on Next.
Click on Finish; the certificate has been exported. In the MMC console, double-click on the certificate and select the Certification Path tab. Select the Root CA certificate and click on View Certificate.
The Root CA certificate appears. Select the Details tab and click on Copy to File. Export the root certificate in CER format.
Rename the PFX file to site.pfx and, with WinSCP or another tool, upload it to the Linux server (/etc/mstunnel/private).
Upload the root CA certificate to the same folder and restart the Linux server.
Install Microsoft Tunnel
From the Linux server, run the following command to download the installation script.
wget --output-document=mstunnel-setup https://aka.ms/microsofttunneldownload
To make the file executable, run the command:
chmod +x mstunnel-setup
Run the script with root privileges (sudo ./mstunnel-setup) to launch the installation.
Answer Yes to accept the license terms.
The certificate has already been placed on the Linux server, so answer Yes.
Enter the password of the certificate file. If the password is correct, you then need to authenticate to Intune. Open a web browser and go to the URL shown in the Linux server console. Enter the code and click on Next.
Enter the credentials of an admin account in Azure AD.
The connection has been established and you can close the window. The configuration of the Linux server is finished.
The iOS or Android Microsoft Tunnel application must be deployed to the devices. From Microsoft Intune, go to Apps.
My device is an iPhone, so I deploy the iOS application. Click on iOS/iPadOS, then on Add.
Select iOS store app and click on Select.
Click on Search the App Store, then select the desired country. Enter Microsoft Tunnel and click on the application.
The properties of the application appear; click on Next.
Configure the assignments and click on Next.
Click on Create. The application is now present in Intune.
Create VPN Profile
Before using Microsoft Tunnel, you need to create a VPN profile. From the Intune portal, click on Devices, then on Configuration profiles.
Click on Create profile and select the desired platform (Android or iOS). For Profile, select VPN.
Enter the name of the profile and click on Next.
Select Microsoft Tunnel as the Connection type.
Expand Base VPN and enter the name of the connection. Click on Select a site.
Select the site and click on OK.
Expand Per-app VPN and click on Enable. Click on Next.
Assign the profile and click on Next. Click on Create to create the new profile.
The profile has been applied to the device.
Upload Root CA certificate on device
The Root CA certificate must be deployed to each device that needs to connect to Microsoft Tunnel, since the server certificate comes from a private CA. From the Intune portal, click on Devices, then on Configuration profiles. Click on Create profile and select the platform. For Profile type, select Trusted certificate and click on Create.
Enter the name of the profile and click on Next.
Select the root CA certificate file and click on Next. Assign the profile to the desired devices.
To test Microsoft Tunnel, I deploy Firefox and attach the Microsoft Tunnel VPN profile to this application. From the Intune portal, click on Apps, then on iOS/iPadOS. Click on Add and select iOS store app.
Click on Search the App Store and select the desired country. Enter Firefox and select the application.
The app information appears; click on Next. In the assignment row, under VPN, click on None.
Select the VPN profile and click on OK. Configure the assignments.
When the application and the profile have been applied to the device, restart it.
The VPN profile is now present on the device.
Test MS Tunnel
From the device, open the Tunnel application.
When the application opens, click on Start.
The configuration is applied, but the VPN is not yet connected: with per-app VPN, the tunnel comes up only when an assigned application needs it.
I open Firefox and try to connect to my NAS. My device is connected over 4G, not Wi-Fi. I can connect to my NAS.
Microsoft Tunnel is now connected.