Introducing Microsoft Tunnel for remote access to corporate resources from iOS and Android
Published Sep 22 2020 08:00 AM 64.1K Views
Microsoft

The rapid shift to work from home has left many companies scrambling to figure out the best, most cost-effective way to help users be productive on iOS and Android devices. Companies with workloads in the cloud have had a relatively smooth transition to remote work. However, many companies are still just beginning their cloud journey–and continue to run critical workloads on-premises.

 

To help meet customers where they are, Microsoft Endpoint Manager is pleased to announce a public preview of Microsoft Tunnel Gateway.

 

The Microsoft Tunnel Gateway solution allows Microsoft Intune-enrolled iOS and Android devices to access on-premises apps and resources. Tunnel is fully integrated with the Microsoft 365 cloud and takes advantage of single sign-on capabilities using Azure Active Directory (AAD) authentication from the client to Tunnel Gateway.

 

Conditional Access policies, which are integrated into the Tunnel, provide an additional layer of security for your network. By applying these policies, you can restrict network access to just users who are enrolled, compliant, and meet your defined user identity risk requirements. We consider Conditional Access integration with Tunnel to be a key part of your Zero Trust security journey.

 

Every organization’s network infrastructure is different. Tunnel Gateway installation is flexible to meet your unique network requirements. It can be installed on-premises, in your DMZ, or in the cloud.

 

Our intention is to provide a solution that acts like an appliance and doesn’t require a lot of on-going effort to maintain. Here are a few ways we’re making that goal a reality:

 

  • Tunnel Gateway is enterprise ready and can be used behind a load balancer for high availability.
  • Server configuration occurs using Microsoft Endpoint Manager console, making it easy to make changes to all servers from one central location.
  • Automatic updates are rolling, so you can maintain high uptime for your Tunnel Gateway infrastructure when new versions are installing.
  • Tunnel Gateway logs are sent to the cloud to help with centralized troubleshooting. You can also use syslog integration with Azure Sentinel or other SIEM tools to log and monitor events.

 

New Tunnel app for iOS and Android - A new Tunnel application is available for both the iOS App Store and Google Play Store. These apps can be deployed to your users and configured from Intune to make onboarding seamless.

 

The app can also be used to manage app access to the Tunnel. Support for full device tunneling ensures all traffic goes through the Tunnel Gateway. A per-app VPN option enables you to specify which apps may use the tunnel. The third option, split tunneling, ensures only certain IP ranges go through the tunnel.

 

The configuration options depend on the type of device. On Android, you can configure the connection to be always on, so users don’t have to manually connect via the app. Proxy is also supported on both iOS and Android. With AAD single sign-on, your users may not even need to launch the Tunnel app at all to connect, making it a truly seamless experience. (This is dependent on how you configure your VPN profile in Intune.)

 

 

Next steps:

A lot of you have been asking for this capability, and the work-from-home trend has made network security more important than ever. Watch Lance Crandall and Tyler Castaldo go into more details in this on-demand video. We are really excited for you to try it out and let us know what you think!

 

Be sure to bookmark the product documentation to stay up to date on What's New and What's Coming in Microsoft Intune.  

 

clipboard_image_6.pngFollow @MSIntune on Twitter

15 Comments
Copper Contributor

Good one

Bronze Contributor

Nice addition to the toolbox!

Brass Contributor

What about yourOS (Windows 10 ;). Or even macOS. 

Copper Contributor

It would have been better to have had the ability to push IKEv2 or SSTP profiles to mobile devices so they can connect to already existing RRAS servers which organisations already have set up to allow AOVPN? Or is there a plan to have this become AOVPN v2?

Copper Contributor

Hi, did I miss something or does Microsoft Tunnel really not support plain vanilla Safari Domains to connect to internal websites?

Microsoft

We hear you @Peter Meuser. Engineering teams have it in their roadmap. Stay tuned! 

Copper Contributor

Note to admins who have users in mainland China. Android phones are very common in China, but every vendor has their own app store, and Google services are not available. Intune is already quite a problem to use on Android phones here. Microsoft put in some effort and also distributed the Intune app to the major app store providers (see here: https://docs.microsoft.com/en-us/mem/intune/user-help/install-company-portal-android-china), but there are many other app stores in China and it's a pain to use. Before you roll out Intune and Tunnel, better check with some test users first.

Copper Contributor

This is a great addition.  Is there a planned date when this would become generally available?

Brass Contributor

As far as i can see the server part is based on ocserv, an Anyconnect compatible SSL VPN. I hope Microsoft brings Tunnel to Windows, there is an openconnect implementation for Windows.

 

 
Copper Contributor

Hi @Mayunk Jain ,

 

I have setup Tunnel Gateway in my On Premise Linux machine. The readiness tool shows everything is fine. From InTune Portal, the server is healthy and up.

However, in the linux server, when I run mst-cli server status, it shows "Restarting".

I have opened a ticket #23613927 to InTune support. The support Engineer is clueless about Docker and Linux. I have searched for few days and nothing can be found related to this issue in MS site.

Any hint from your end will be really helpful. My organization is keen to test out this solution. 

Steel Contributor

This would have been nice(er) if:

  • It ran on Windows
  • Configured itself
  • Didn't need a public IP
  • Was an MSI install like many other things that tie in with Azure AD/AAD Connect

I realize it's a lot to ask, but I imagine that is where this will eventually get to.  For now, requiring a Linux server to be setup, needing a public IP, public-CA certificate, yada yada - I'm not sure if it's outweighing the competition in any way.  I guess it has dedicated references in the Endpoint Manager interface so that makes it more official and enticing.  Will be interesting to see where this is at in 2 years from now.

Steel Contributor

@Jeremy Bradshaw 

I would run this from Linux with 3 public IPs if i could connect Win10 machines to it :)

Copper Contributor

@VJKumar_8002 do you still need help?

Copper Contributor

@Jeremy Bradshaw the setup is really easy and I would argue that it probably works better than most products I have worked with recently. I guess if you want a real zero-trust experience with no public IP, you should consider a solution such as Zscaler ZPA, though the connectors are also Linux appliances.

Brass Contributor

We have had it running for a while now and its been great no issues at all. Our TLS certificate is about to expire but we cant find any documentation on the process to renew this. Any ideas?

Version history
Last update:
‎Sep 22 2020 11:15 AM
Updated by: