Microsoft tunnel

What is Microsoft Tunnel?

Microsoft Tunnel is a VPN gateway. It is used by Microsoft Intune and gives iOS/iPadOS and Android devices access to on-premises resources.

Microsoft Tunnel runs as a Docker container on a Linux server, which can be a virtual or a physical machine. Once Microsoft Tunnel is installed, you deploy a VPN profile to your devices. If you host the server in Azure, you need to set up an ExpressRoute or a VPN between your on-premises infrastructure and the Microsoft Tunnel server.

If you have many devices, you can install several Linux servers, each running Microsoft Tunnel. Servers are combined into logical groups called Sites. A server can belong to only one Site.


Microsoft Tunnel has a few prerequisites.

VM size

Before configuring Microsoft Tunnel, you need to install a physical or virtual Linux server. The following Linux distributions can be used:

  • CentOS 7.4 (Version 8 is not supported)
  • Red Hat (RHEL) 7.4 (Version 8 is not supported)
  • Ubuntu 18.04 or 20.04

The size of the server depends on the number of devices.

Microsoft tunnel - Size of the server

Installation of Docker

To install Docker, you can use the following link.

TLS certificate

You need a Transport Layer Security (TLS) certificate. This certificate secures the connection between your devices and the Tunnel Gateway server.

  • The TLS certificate must include the FQDN of the Tunnel Gateway server in its Subject Alternative Name (SAN). An IP address can be used instead.
  • The validity period of the certificate must not exceed two years; otherwise, iOS devices will reject the certificate.
  • If you use a private certificate, you need to push the entire trust chain to the devices.
  • The certificate format can be PEM or PFX.

Configure Firewall

You need to allow the inbound ports required by Microsoft Tunnel:

  • TCP 443
  • TCP 80

The following outbound ports must be allowed for access to Microsoft Intune. TCP 443 is also required by Docker to pull images:

  • TCP 443
  • TCP 80

Install Docker

I have installed Ubuntu on my ESXi host, so we can now install Docker. Open a session with your user account and run the following commands to set up the repository.

sudo apt-get update
sudo apt-get install apt-transport-https
Microsoft tunnel - install linux package

Repeat the same operation with the following commands:

sudo apt-get install ca-certificates
sudo apt-get install curl
sudo apt-get install gnupg-agent
sudo apt-get install software-properties-common

When all packages have been installed, add Docker’s official GPG key. Run the command:

curl -fsSL | sudo apt-key add -
Microsoft tunnel -Docker’s official GPG key

Verify the key by checking its fingerprint, which must be 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88. Run the command:

sudo apt-key fingerprint 0EBFCD88
Microsoft tunnel -Docker’s official GPG key verify repository

We can now set up the stable repository. Run the command:

sudo add-apt-repository "deb [arch=amd64] $(lsb_release -cs) stable"
Microsoft tunnel Add Repository

Docker can now be installed. Run the following commands:

sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli
install Docker

Create Server configuration

From the Microsoft Endpoint Manager admin center, click Tenant administration, then Microsoft Tunnel Gateway. Select Server configurations, then click Create new.

Create server on Microsoft Tunnel

Enter the desired name and click Next.

Enter the name of the MS Tunnel

In the IP address range field, enter the range of IP addresses leased to devices when they connect to the Tunnel Gateway server. In DNS servers, enter the IP address of your DNS server.

Enter DNS Name and Range IP

In DNS suffix search, enter the domain name; it is provided to clients as their default domain. You can include or exclude IP address ranges that will or will not be routed through the Tunnel Gateway server. Enter the server port you want to use; the Tunnel Gateway server listens on this port for connections.

Enter Server Configuration

Click Next, then Create. The server configuration has been created.

Create Server configuration

Create a site configuration

From the Endpoint Manager admin center, click Sites and servers, then Create. Select New site.

Create Site Server

Enter the name of the site, then the IP address or FQDN. Select the server configuration.

Create the new site

Run the readiness tool

Before installing the Microsoft Tunnel server, it is recommended to run the mst-readiness script. This script must be run on the Linux server; it confirms that the network configuration allows access to the Microsoft endpoints required by Microsoft Tunnel, and validates that the Azure Active Directory account has the required roles.

From the Linux server, run the following commands.

wget --output-document=mst-readiness
chmod +x ./mst-readiness
Run readiness tool
Make file executable

Verify the network with the ./mst-readiness network command and check connectivity.

Verify connectivity

Install certificate

Before installing Microsoft Tunnel, the certificate must be imported on the Linux server. If the certificate is in PFX format, copy the file to /etc/mstunnel/private/site.pfx. For PEM format, copy the .crt file to /etc/mstunnel/certs/ and the key file to /etc/mstunnel/private.
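Before copying a certificate into /etc/mstunnel, it is worth checking that it actually meets the requirements listed in the TLS certificate section (FQDN or IP in the SAN, validity of at most two years, parsable PEM). The following POSIX shell script is an added example, not part of the original post or of Microsoft Tunnel; it assumes openssl and GNU date are available and that the certificate is in PEM form (convert a PFX first with openssl pkcs12).

```shell
#!/bin/sh
# Pre-flight check for a Tunnel Gateway TLS certificate (PEM) before it is
# copied to /etc/mstunnel/certs/. Assumes openssl and GNU date.
# Usage: check_tunnel_cert <cert.pem> <gateway-fqdn-or-ip>
# Returns 0 when every check passes, 1 on the first failure.
check_tunnel_cert() {
    cert="$1"; name="$2"
    # 1. The file must parse as an X.509 certificate.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: $cert is not a PEM certificate" >&2; return 1
    fi
    # 2. The SAN must carry the gateway FQDN (DNS:) or IP (IP Address:).
    #    Patterns anchor on the entry delimiter so a longer name cannot match.
    san=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name')
    case "$san" in
        *"DNS:$name"|*"DNS:$name,"*|*"IP Address:$name"|*"IP Address:$name,"*) ;;
        *) echo "FAIL: $name is not in the subjectAltName" >&2; return 1 ;;
    esac
    # 3. Validity must not exceed two years (730 days), or iOS rejects it.
    start=$(date -d "$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)" +%s)
    end=$(date -d "$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)" +%s)
    days=$(( (end - start) / 86400 ))
    if [ "$days" -gt 730 ]; then
        echo "FAIL: validity is $days days; iOS rejects more than two years" >&2
        return 1
    fi
    echo "OK: $cert covers $name and is valid for $days days"
}

# Constructed self-signed test certificate (not a real gateway certificate).
# Usage: make_test_cert <out.pem> <san-name> <days>
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${1%.pem}.key" \
        -out "$1" -days "$3" -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}
```

Run it against the exported certificate with the same FQDN or IP you entered in the site configuration; a certificate that fails any check should be reissued before the Linux server is rebooted into the installer.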

I chose to use a private certificate, so I need to create a new template. From the Certification Authority console, right-click Certificate Templates and click Manage.

Duplicate template

Right-click the Web Server template and click Duplicate Template.

Configure the Compatibility settings and select the General tab. Enter the desired name and choose the validity period (two years maximum for iPhone/iPad).

Configure name of the template

Open the Request Handling tab and check Allow private key to be exported.

Create certificate private key

On the Security tab, grant the Enroll permission to the computer for which the certificate will be issued. I chose to use an Active Directory group that contains only the computers allowed to request the certificate. In my lab, the PKI is on the DC (to be avoided in production), so I added the computer account to the group. I will request the certificate from this server. If you want to use another server, add that server instead.

Add computer account on groups
Configure Security

Click Apply, then OK. Close the Certificate Templates console and right-click Certificate Templates. Select New, then click Certificate Template to Issue.

Import certificate for Issue

Select the template created previously and click OK.

Select MS Tunnel template

The certificate can now be issued. From the server, open an MMC console and add the Certificates snap-in (Computer account). Expand Certificates, right-click Personal or Certificates, and select All Tasks / Request New Certificate.

Request new certificate

Check the template created previously and click More information is required to enroll for this certificate.

Select certificate

Under Subject name, select Common name and enter the FQDN or IP address of the server. Click Add, then OK.

Enter FQDN of the server

Click Enroll. The certificate can now be exported: right-click it and select All Tasks / Export.

export certificate

Check Yes, export the private key and click Next.

Export private key

Choose a password and click Next.

Enter password

Enter the export path and file name. Click Next.

Enter path and File name

Click Finish; the certificate has been exported. In the MMC console, double-click the certificate and select the Certification Path tab. Select the Root CA certificate and click View Certificate.

Select Root CA certificate

The Root CA certificate appears; select the Details tab and click Copy to File. Export the root certificate in CER format.

Export Root CA

Rename the PFX file to site.pfx and, with WinSCP or another tool, upload it to the Linux server (/etc/mstunnel/private).

Certificate has been present on private

Upload the root CA certificate to the same folder and restart the Linux server.

Root Ca has been uploaded

Install Microsoft Tunnel

From the Linux server, run the following command to download the installation script.

wget --output-document=mstunnel-setup
Download script for install Microsoft Tunnel

To make the file executable, run the command.

chmod +x mstunnel-setup
Launch install script for install MS Tunnel

Enter the following command to launch the installation.

sudo ./mstunnel-setup
Install MSTunnel

Answer Yes to accept the terms of the licence.

Accept the terms of the licence

The certificate has already been imported on the Linux server, so enter Yes.

Certificate has been imported on Microsoft Tunnel

Enter the password of the certificate file. If the password is correct, you need to authenticate to Intune. Open a web browser, go to the URL shown on the Linux server console, enter the code and click Next.

Authentification on Intune
Enter code

Enter the credentials of an Azure AD admin account.

Authentification on Intune

The connection has been established. You can close the window. The configuration of the Linux server is finished.

Linux server is now configured

Deploy application

The iOS or Android application must be deployed to the devices. From Microsoft Intune, go to Apps.

access to apps on intune

My device is an iPhone, so I deploy the iOS application. Click iOS/iPadOS, then Add.

deploy Microsoft Tunnel application

Select iOS store app and click Select.

Select IOS Store

Click Search the App Store, then select the desired country. Enter Microsoft Tunnel and click the application.

select Microsoft tunnel application

The properties of the application appear; click Next.

properties of the application

Configure assignments and click Next.

assignments of the application

Click Create. The application is now present in Intune.

Application is present in Intune

Create VPN Profile

Before using Microsoft Tunnel, you need to create a VPN profile. From the Intune portal, click Devices, then Configuration profiles.

Configure VPN Profile

Click Create profile and select the desired platform (Android or iOS). For Profile, select VPN.

Create VPN Profile on Intune

Enter the name of the profile and click Next.

Enter the name of the profile

Select Microsoft Tunnel as the Connection type.

Select connection type

Expand Base VPN and enter the name of the connection. Click Select a site.

enter name and select ms tunnel site

Select the site and click OK.

Select a site

Expand Per-app VPN and click Enable. Click Next.

Enable per-app VPN

Assign the profile and click Next. Click Create to create the new profile.

Assign VPN Profile

The profile has been applied to the device.

profile is applied

Upload Root CA certificate on device

The root CA certificate must be deployed to each device that needs to connect to MS Tunnel. From the Intune portal, click Devices, then Configuration profiles. Click Create profile and select the platform. For Profile type, select Trusted certificate and click Create.

Select Trusted certificate profile

Enter the name of the profile and click Next.

Enter the name of the profile

Select the root CA certificate and click Next. Assign the profile to the desired devices.

Select the CA Root certificate

Deploy application

To test Microsoft Tunnel, I deploy Firefox and associate the MS Tunnel VPN profile with this application. From the Intune portal, click Apps, then iOS/iPadOS. Click Add and select iOS store app.

Select iOS application

Click Search the App Store and select the desired country. Enter Firefox and select the application.

Add Firefox

The app information appears; click Next. Assign the application and, under VPN, click None.

Assign VPN profile

Select the VPN profile and click OK. Configure the assignments.

Assign VPN Profile

When the application and the profile have been applied to the device, restart it.

Profile is applied on the device

The VPN profile is present on the device.

VPN profile is applied on the device

Test MS Tunnel

From the device, open the Tunnel application.

Launch Microsoft Tunnel

The application opens; click Start.

Start Tunnel application

The configuration has been applied, but the VPN is not yet connected.

Tunnel is configured

I open Firefox and try to connect to my NAS. My device is connected over 4G, not Wi-Fi. I can connect to my NAS.

Access to the NAS

MS Tunnel is now connected.

VPN is now connected