memdocs/intune/protect/microsoft-tunnel-overview.md
20 additions & 4 deletions
@@ -5,7 +5,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 12/03/2021
+ms.date: 01/28/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -121,14 +121,30 @@ The Microsoft Tunnel Gateway runs in containers that run on Linux servers.
 - **5** - Device authenticates to Azure AD. Conditional Access policies are evaluated.
 - **6** - With split tunnel:
 - **6.a** - Some traffic goes directly to the public internet.
-- **6.b** - Some traffic goes to your public facing IP address for the Tunnel. The VPN channel will use TCP, TLS, UDP, and DTLS over port 443.
-- **7** - The Tunnel routes traffic to your internal proxy (optional) and your corporate network.
+- **6.b** - Some traffic goes to your public facing IP address for the Tunnel. The VPN channel will use TCP, TLS, UDP, and DTLS over port 443. This requires inbound and outbound [Firewall ports](../protect/microsoft-tunnel-prerequisites.md#firewall) to be open
+- **7** - The Tunnel routes traffic to your internal proxy (optional) and/or your corporate network. IT Admins must ensure that traffic from the Tunnel Gateway server internal interface can successfully route to internal corporate resource (IP address ranges and ports).
 
 > [!NOTE]
 >
 > - Tunnel gateway maintains two channels with the client. A control channel is established over TCP, and TLS. This also serves as a backup data channel. It then looks to establish a UDP channel using DTLS (Datagram TLS, an implementation of TLS over UDP) that serves as the main data channel. If the UDP channel fails to establish or is temporarily unavailable, the backup channel over TCP/TLS is used. By default port 443 is used for both TCP and UDP, but this can be customized via the Intune Server Configuration - [*Server port* setting](../protect/microsoft-tunnel-configure.md#create-a-server-configuration). If changing the default port (443) ensure your inbound firewall rules are adjusted to the custom port.
 >
-> - Client traffic will have the source IP address of the Linux server host. Microsoft Tunnel Gateway uses port address translation (PAT). PAT is a type of network address translation (NAT) where the multiple private IP addresses are mapped into a single public IP (many-to-one) by using ports.
+> - The assigned client IP addresses (the*IP address range* setting in a [Server configuration](../protect/microsoft-tunnel-configure.md#to-create-a-server-configuration) for Tunnel) are not visible to other devices on the network. These addresses won't conflict with any internal/corporate network IP address on the network. Client traffic will have the source IP address of the Linux server host. Microsoft Tunnel Gateway uses port address translation (PAT). PAT is a type of network address translation (NAT) where multiple private IP addresses from the Server configuration are mapped into a single IP (many-to-one) by using ports. Client traffic will have the source IP address of the Linux server host.
+
+**Break and inspect**:
+
+Many enterprise networks enforce network security for internet traffic using technologies like proxy servers, firewalls, SSL break and inspect, deep packet inspection, and data loss prevention systems. These technologies provide important risk mitigation for generic internet requests but can dramatically reduce performance, scalability, and the quality of end user experience when applied to Microsoft Tunnel Gateway and Intune service endpoints.
+
+The following outlines where break and inspect is not supported and where it is supported with Microsoft Tunnel Gateway. References are to the architecture diagram from the preceding section.
+
+- **Break and inspect is not supported in the following areas**:
+
+- Tunnel Gateway does not support SSL break and inspect, TLS break and inspect, or deep packet inspection for client connections.
+- The Use of firewalls, proxies, load balancers, or any technology that terminates and inspects the client sessions that go into the Tunnel Gateway is not supported and will cause clients connections to fail. (Refer to **F**, **D**, and **C** in the Architecture diagram).
+- If Tunnel Gateway uses an outbound proxy for internet access, the proxy server cannot perform break and inspect. This is because Tunnel Gateway Management Agent uses TLS mutual authentication when connecting to Intune (Refer to **3** in the Architecture diagram above). If break and inspect is enabled on the proxy server, network admins that manage the proxy server must add the Tunnel Gateway server IP address and Fully Qualified Domain Name (FQDN) to an approve-list to these [Intune endpoints](../fundamentals/intune-endpoints.md#access-for-managed-devices).
+
+- **Break and inspect is supported in the following area**:
+
+The Microsoft Tunnel [client VPN profile](../protect/microsoft-tunnel-configure.md#create-a-vpn-profile) that gets delivered to mobile clients supports a proxy configuration. If using this setting, the proxy (Refer to **G** in the Architecture diagram) specified can use “Break and Inspect” on the client traffic routed out (refer to **7** in the Architecture diagram) of the Tunnel Gateway server to the corporate network.
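Review bot: the outbound-proxy bullet ("If Tunnel Gateway uses an outbound proxy for internet access ...") gives an instruction that cannot work as written: it first says the proxy cannot perform break and inspect because the Management Agent uses TLS mutual authentication, then says that if break and inspect is enabled the admin must add the server IP address and FQDN "to an approve-list to these Intune endpoints". Spell out that the approve-list entry is an inspection bypass: the proxy must pass the Tunnel Gateway host's connections to the listed Intune endpoints through without terminating TLS, because an intercepting proxy cannot present the agent's client certificate and the mutual-TLS handshake fails. In the new NOTE bullet, the sentence "Client traffic will have the source IP address of the Linux server host." appears twice; drop the second copy, and add the missing space in "the*IP address range*". Nits in the other new lines: "to be open" at the end of the new 6.b line needs a full stop, "internal corporate resource" should be plural, "The Use of" should be lowercase, and "clients connections" should read "client connections".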
memdocs/intune/protect/microsoft-tunnel-prerequisites.md
7 additions & 3 deletions
@@ -5,7 +5,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 01/04/2022
+ms.date: 01/28/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -159,7 +159,7 @@ When creating the Server configuration for the tunnel, you can specify a differe
 
 You can use a proxy server with Microsoft Tunnel. The following considerations can help you configure the Linux server and your environment for success:
 
-### Configure an internal proxy for Docker
+### Configure an outbound proxy for Docker
 
 - If you use an internal proxy, you might need to configure the Linux host to use your proxy server by using environment variables. To use the variables, edit the **/etc/environment** file on the Linux server, and add the following lines:
 
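Review bot: the heading is renamed from "internal proxy" to "outbound proxy", but the first sentence under it still says "If you use an internal proxy, you might need to configure the Linux host ...". Use the same term in the body, otherwise readers will take "internal proxy" and "outbound proxy" to be two different things; the overview page in this same commit uses "outbound proxy" for the proxy that the Tunnel Gateway host uses to reach Intune, so "outbound proxy" is the term to keep.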
@@ -182,10 +182,14 @@ You can use a proxy server with Microsoft Tunnel. The following considerations c
 > [!NOTE]
 > Microsoft Tunnel doesn’t support Azure AD App Proxy, or similar proxy solutions.
 
-### Configure an internal proxy for Podman
+### Configure an outbound proxy for Podman
 
 The following details can help you configure an internal proxy when using RHEL 8.4, and Podman:
 
+- Authenticated proxies aren't supported.
+
+- The proxy can’t perform break and inspect because the Linux server uses TLS mutual authentication when connecting to Intune.
+
 - Podman reads HTTP Proxy information stored in **/etc/profile.d/http_proxy.sh**. If this file doesn't exist on your server, create it. Edit **http_proxy.sh** to add the following two lines. In the following lines, *10.10.10.1:3128* is an example address:port entry. When you add these lines, replace *10.10.10.1:3128* with the values for your proxy IP *address:port*:
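Review bot: same terminology mismatch as the Docker section: the heading now says "outbound proxy" while the lead sentence still reads "configure an internal proxy when using RHEL 8.4, and Podman". The two new bullets (authenticated proxies aren't supported; the proxy can't perform break and inspect because the Linux server uses TLS mutual authentication to Intune) describe the Tunnel Gateway host's connection to Intune, not anything specific to Podman, so they belong in the shared proxy considerations that precede both container sections, or at least need repeating under the Docker heading, otherwise a Docker-based deployment behind an inspecting or authenticating proxy will fail without the docs saying why. Minor: drop the stray comma in "RHEL 8.4, and Podman".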