
Configure a VPN Profile (Windows Desktop)

Configure device VPN settings to access corporate infrastructure remotely and securely. You can also configure Per-app VPN connections that limit traffic through the VPN to specific applications and set the VPN to connect automatically whenever the specified application starts.

Looking to use certificate-based EAP authentication for VPN and Wi-Fi profiles? See the Knowledge Base article: https://support.air-watch.com/articles/115001664448

To enforce a VPN profile:

  1. Navigate to Devices > Profiles > List View > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.
  3. Select User Profile or Device Profile.
  4. Configure the profile General settings.

    These settings determine how the profile deploys and who receives it. For more information on General settings, see Add General Profile Settings.

  5. Select the VPN profile.
  6. Configure the Connection Info settings:
    Connection Name
      Enter the name of the VPN connection.

    Connection Type
      Select the type of VPN connection:

    Server
      Enter the VPN server hostname or IP address.

    Port
      Enter the port the VPN server uses.

    Advanced Connection Settings
      Enable to configure advanced routing rules for the device VPN connection.

    Routing Addresses
      Select Add to enter the IP Addresses and Subnet Prefix Size of the VPN server. You may add more routing addresses as needed.

    DNS Routing Rules
      Select Add to enter the Domain Name that governs when to use the VPN. Enter the DNS Servers and Web Proxy Servers to use for each specific domain.

    Routing Policy
      Choose either Force All Traffic Through VPN or Allow Direct Access to External Resources.

      • Force All Traffic Through VPN (Force Tunnel): all IP traffic must go through the VPN interface only.
      • Allow Direct Access to External Resources (Split Tunnel): only traffic destined for the VPN interface (as determined by the networking stack) goes over the VPN; Internet traffic can continue to go over the other interfaces.

    Proxy
      Select Auto Detect to detect automatically any proxy servers used by the VPN. Select Manual to configure the proxy server.

    Server
      Enter the IP Address for the proxy server. Displays when Proxy is set to Manual.

    Proxy Server Config URL
      Enter the URL for the proxy server configuration settings. Displays when Proxy is set to Manual.

    Bypass proxy for local
      Enable to bypass the proxy server when the device detects it is on the local network.
    Authentication

    Protocol
      Select the authentication protocol for the VPN:

      • EAP – Allows for various authentication methods.
      • Machine Certificate – Uses a client certificate found in the device certificate store for authentication.

    EAP Type
      Select the type of EAP authentication. Displays only if Protocol is set to EAP.

      • EAP-TLS – Smart Card or client certificate authentication
      • PEAP
      • EAP-MSCHAPv2 – User name and password
      • Custom Configuration – Allows all EAP configurations
      • EAP-TTLS

    Credential Type
      Select Use Certificate to authenticate with a client certificate, or Use Smart Card to authenticate with a smart card. Displays when EAP Type is set to EAP-TLS.

    Simple Certificate Selection
      Enable to simplify the list of certificates from which the user selects: only the most recently issued certificate for each entity is displayed. Displays when EAP Type is set to EAP-TLS.

    Use Windows Log On Credentials
      Enable to use the same credentials the user logs on to the Windows device with. Displays when EAP Type is set to EAP-MSCHAPv2.

    Identity Privacy
      Enter the identity value sent to the server before the client has authenticated the server's identity. Displays when EAP Type is set to EAP-TTLS.

    Inner Authentication Method
      Select the authentication method used for the inner identity. Displays when EAP Type is set to EAP-TTLS.

    Enable Fast Reconnect
      Enable to reduce the delay between a client's authentication request and the server's response. Displays when EAP Type is set to PEAP.

    Enable Identity Privacy
      Enable to protect the user identity until the client has authenticated with the server.
    VPN Traffic Rules

    Per-app VPN Rules
      Select Add to add traffic rules for specific Legacy and Modern applications. For more information on Per-app VPN, see Per-app VPN.

    Application ID
      First select whether the app is a Store App or a Desktop App. Then enter the application file path (Desktop apps) or the package family name (Store apps) to specify the app the traffic rules apply to.

      • File Path example: %ProgramFiles%\Internet Explorer\iexplore.exe
      • Package Family Name example: AirWatchLLC.AirWatchMDMAgent_htcwkw4rx2gx4

      The PFN Lookup lets you search for the application PFN by selecting the Search icon. A window opens in which you select the app whose traffic the Per-app VPN rules govern; the PFN is then populated automatically.

    VPN On Demand
      Enable to have the VPN connection connect automatically when the application is launched.

    Routing Policy
      Select the routing policy for the app.

      • Allow Direct Access to External Resources allows both VPN traffic and traffic through the local network connection.
      • Force All Traffic Through VPN forces all of the app's traffic through the VPN.

    DNS Routing Rules
      Enable to add DNS routing rules for the app traffic.

      Select Add to add Filter Types and Filter Values for the routing rules. Only traffic from the specified app that matches these rules can be sent through the VPN.

      • IP Address: A list of comma-separated values specifying remote IP address ranges to allow.
      • Ports: A list of comma-separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320. Ports are only valid when the protocol is set to TCP or UDP.
      • IP Protocol: Numeric value from 0-255 representing the IP protocol to allow. For example, TCP = 6 and UDP = 17.

      For more information on how these filters and policies function and the logic used, see Per-app VPN.

    Device Wide VPN Rules
      Select Add to add traffic rules for the entire device.

      Select Add to add Filter Types and Filter Values for the routing rules. Only traffic that matches these rules can be sent through the VPN.

      • IP Address: A list of comma-separated values specifying remote IP address ranges to allow.
      • Ports: A list of comma-separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320. Ports are only valid when the protocol is set to TCP or UDP.
      • IP Protocol: Numeric value from 0-255 representing the IP protocol to allow. For example, TCP = 6 and UDP = 17.
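    The IP Address, Ports and IP Protocol filter values entered for Per-app VPN rules and Device Wide VPN rules share one format. The Python below is an added example, not AirWatch code: it parses those comma-separated values, enforces the two constraints stated above (IP Protocol 0-255; Ports only with TCP or UDP), and checks whether a given flow matches a rule. Accepting IP ranges as either CIDR or dotted start-end is an assumption; the page says only that they are comma-separated ranges.

```python
import ipaddress

TCP, UDP = 6, 17  # IP protocol numbers named on the page

def parse_port_ranges(text):
    """'100-120, 200, 300-320' -> [(100, 120), (200, 200), (300, 320)]."""
    ranges = []
    for item in (p.strip() for p in text.split(",") if p.strip()):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        ranges.append((lo, hi))
    return ranges

def parse_ip_ranges(text):
    """CIDR ('10.0.0.0/8') or start-end ('10.1.0.1-10.1.0.50') -> (low, high) ints; both forms assumed."""
    ranges = []
    for item in (p.strip() for p in text.split(",") if p.strip()):
        if "/" in item:
            net = ipaddress.ip_network(item, strict=False)
            lo, hi = net[0], net[-1]
        else:
            a, _, b = item.partition("-")
            lo, hi = ipaddress.ip_address(a), ipaddress.ip_address(b or a)
        ranges.append((int(lo), int(hi)))
    return ranges

class TrafficFilter:
    """One VPN traffic rule (Per-app or Device Wide) as entered in the console."""
    def __init__(self, ip_protocol=None, remote_ips="", remote_ports=""):
        if ip_protocol is not None and not 0 <= ip_protocol <= 255:
            raise ValueError("IP Protocol must be 0-255")
        if remote_ports and ip_protocol not in (TCP, UDP):  # page: ports need TCP or UDP
            raise ValueError("Ports are only valid when IP Protocol is TCP (6) or UDP (17)")
        self.ip_protocol = ip_protocol
        self.ips = parse_ip_ranges(remote_ips)        # empty list = any address
        self.ports = parse_port_ranges(remote_ports)  # empty list = any port

    def allows(self, proto, remote_ip, remote_port=None):
        """True if a flow to remote_ip:remote_port over proto matches this rule."""
        if self.ip_protocol is not None and proto != self.ip_protocol:
            return False
        addr = int(ipaddress.ip_address(remote_ip))
        if self.ips and not any(lo <= addr <= hi for lo, hi in self.ips):
            return False
        port = -1 if remote_port is None else remote_port
        if self.ports and not any(lo <= port <= hi for lo, hi in self.ports):
            return False
        return True
```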
    Policies

    Remember Credentials
      Enable to remember the end user's login credentials.

    Always On
      Enable to force the VPN connection to be always on.

    VPN Lockdown
      Enable to force the VPN to always be on and never disconnect, to block all network access while the VPN is not connected, and to prevent other VPN profiles from connecting on the device.

      A VPN profile with VPN Lockdown enabled must be deleted before you push a new VPN profile to the device.

    Bypass for Local
      Enable to bypass the VPN connection for local intranet traffic.

    Trusted Network Detection
      Enter the trusted network addresses, separated by commas. The VPN does not connect when a connection to a trusted network is detected.

    Domain Name Resolution via VMware Tunnel Server

    Domain
      Select Add New Domain to add domains to resolve through the VMware Tunnel server.

      Any domain added resolves through the VMware Tunnel server regardless of the app originating the traffic. For example, if you add www.air-watch.com, traffic to that domain routes through the VMware Tunnel server whether it comes from the configured Chrome app or the non-configured Edge app.

  7. Select Save & Publish when you are finished to push the profile to devices.