Commit 31c9542

1 parent db64c78 commit 31c9542

1 file changed

Lines changed: 17 additions & 8 deletions

memdocs/intune/configuration/vpn-settings-ios.md

@@ -278,20 +278,29 @@ These settings apply when you choose **Connection type** > **IKEv2**.
278278
- **Establish VPN**: If there's a match between the device value and your on-demand rule, then a VPN connection is created.
279279
- **Disconnect VPN**: If there's a match between the device value and your on-demand rule, then the VPN connection is disconnected.
280280
- **Evaluate each connection attempt**: If there's a match between the device value and your on-demand rule, then use the **Choose whether to connect** setting to decide what happens for *each* VPN connection attempt:
281-
- **Connect if needed**: If there isn't an existing VPN connection, then for each VPN connection attempt, decide if users should connect using a DNS domain name:
282-
- **When users try to access these domains**: Enter one or more DNS domains, like `contoso.com`. If users try to connect to a domain in this list, then the device uses DNS to resolve the domains you enter. If the domain doesn't resolve, then a VPN connection is created. If the domain does resolve, then a VPN connection isn't created.
281+
- **Connect if needed**: If the device is on an internal network, or if there's already an established VPN connection to the internal network, then the on-demand VPN won't connect. These settings aren't used.
283282

284-
Remember, domains are internal resources that aren't resolved by public DNS. A device can't access the domain from an external network. When a VPN connection is established, the internal domain can be accessed.
283+
If there isn't an existing VPN connection, then for *each* VPN connection attempt, decide if users should connect using a DNS domain name. This rule only applies to domains in the **When users try to access these domains** list. All other domains are ignored.
285284

286-
- **Use the following DNS servers to resolve these domains (optional)**: Enter one or more DNS server IP addresses, like `10.0.0.22`. The DNS servers you enter are used to resolve the domains in the **When users try to access these domains** setting.
285+
- **When users try to access these domains**: Enter one or more DNS domains, like `contoso.com`. If users try to connect to a domain in this list, then the device uses DNS to resolve the domains you enter. If the domain doesn't resolve, meaning it doesn't have access to internal resources, then a VPN connection is created on-demand. If the domain does resolve, meaning it already access to internal resources, then a VPN connection isn't created.
287286

288-
- **When this URL is unreachable, force-connect the VPN**: Optional. Enter an HTTP or HTTPS probing URL that the rule uses as a test. This URL is probed every time a user tries to access a domain in the **When users try to access these domains** setting. The user doesn't see the URL string probe site.
287+
- If the **When users try to access these domains** setting is empty, then the device uses the DNS servers configured on the network connection service (Wi-Fi/ethernet) to resolve the domain.
288+
289+
The idea is that these DNS servers are public servers and the domains in the **When users try to access these domains** list are internal resources. Internal resources aren’t on public DNS servers and can't be resolved. So, the device creates a VPN connection. Now, the domain is resolved using the VPN connection’s DNS servers and the internal resource is available.
290+
291+
If the device is on the internal network, the domain resolves, and a VPN connection isn't created because the internal domain is already available. You don't want to waste VPN resources on devices already on the internal network.
292+
293+
- If the **When users try to access these domains** setting is populated, then the DNS servers on this list are used to resolve the domains in the list.
289294

290-
For example, a URL string probe is an auditing web server URL that checks device compliance before connecting the VPN. Or, the URL tests the VPNs ability to connect to a site before the device connects to the target URL through the VPN.
295+
The idea is the opposite of the first bullet (**When users try to access these domains** setting is empty). For instance, the **When users try to access these domains** list has internal DNS servers. A device on an external network can't route to the internal DNS servers. The name resolution times out, and a VPN connection is created on-demand. Now the internal resources are available.
291296

292-
If the probe fails because the URL is unreachable or doesn't return a 200 HTTP status code, then a VPN connection is created.
297+
Remember this only applies to domains in the **When users try to access these domains** list. All other domains are resolved with public DNS servers. When the device is connected to the internal network, the DNS servers in the list are accessible, and there's no need to create a VPN connection.
298+
299+
- **Use the following DNS servers to resolve these domains (optional)**: Enter one or more DNS server IP addresses, like `10.0.0.22`. The DNS servers you enter are used to resolve the domains in the **When users try to access these domains** setting.
300+
301+
- **When this URL is unreachable, force-connect the VPN**: Optional. Enter an HTTP or HTTPS probing URL that the rule uses as a test. This URL is probed every time a user tries to access a domain in the **When users try to access these domains** setting. The user doesn't see the URL string probe site.
293302

294-
Remember, an internal URL can't be accessed because the device is connected to an external network. A VPN connection is created on demand. Once the VPN connection is established, internal resources are available.
303+
If the probe fails because the URL is unreachable or doesn't return a 200 HTTP status code, then a VPN connection is created. The idea is that the URL is only accessible on the internal network. If the URL can be accessed, then a VPN connection isn't needed. If the URL can't be accessed, then the device is on an external network, and a VPN connection is created on-dmand. Once the VPN connection is established, internal resources are available.
295304

296305
- **Never connect**: For each VPN connection attempt, when users try to access the domains you enter, then a VPN connection is never created.
297306

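Review bot: the two new sub-bullets on the empty/populated case name the wrong setting. `If the **When users try to access these domains** setting is empty, then the device uses the DNS servers configured on the network connection service` and `If the **When users try to access these domains** setting is populated, then the DNS servers on this list are used to resolve the domains in the list` both describe the optional **Use the following DNS servers to resolve these domains** setting, not the domain list: a list of domains does not contain DNS servers, and if the domain list were empty there would be no domain for the rule to match in the first place. The same mix-up recurs in the explanatory paragraph (`the **When users try to access these domains** list has internal DNS servers`) and in `the DNS servers in the list are accessible`. Suggest naming the DNS servers setting in all four places, and moving the two sub-bullets under the **Use the following DNS servers to resolve these domains** bullet that now comes after them, so the setting is introduced before its empty and populated behaviour is explained; as written, the reader meets "the DNS servers on this list" before any DNS server list exists. Two typos in the added text: `meaning it already access to internal resources` is missing `has`, and `created on-dmand` should be `on-demand`. Minor: `These settings aren't used.` in the first **Connect if needed** paragraph does not say which settings are meant; `the settings that follow aren't used` would be clearer.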