Note: The information in this topic applies only to System Center 2012 R2 Configuration Manager.
Create VPN profiles in System Center 2012
Configuration Manager to deploy VPN settings to users in your
company. By deploying these settings, you reduce the end-user
effort that is required to connect to resources on the company
network.
Steps to Create a VPN Profile
Use the following required steps to create a VPN
profile by using the Create VPN Profile Wizard.
Supplemental Procedures to Create a New VPN Profile
Use the following information when the steps in the
preceding table require supplemental procedures.
Step 1: Start the Create VPN Profile Wizard
Use this procedure to start the Create VPN Profile Wizard.
To start the Create VPN Profile Wizard
- In the Configuration Manager console, click Assets and Compliance.
- In the Assets and Compliance workspace, expand Compliance Settings, expand Company Resource Access, and then click VPN Profiles.
- On the Home tab, in the Create group, click Create VPN Profile.
Step 2: Provide General Information about the VPN Profile
Use this procedure to provide general information about the VPN profile.
To provide general information about the VPN profile
- On the General page of the Create VPN Profile Wizard, specify the following information:
  - Name - Enter a unique name for the VPN profile. You can use a maximum of 256 characters.
    Important: Do not use the characters \/:*?<>| or the space character in the VPN profile name, because these characters are not supported by the Windows Server VPN profile.
  - Description - Enter a description that gives an overview of the VPN profile and other relevant information that helps identify it in the Configuration Manager console. You can use a maximum of 256 characters.
  - Import an existing VPN profile item from a file - Select this option to display the Import VPN Profile page. On this page, you can import VPN profile information for the Windows 8.1 and Windows RT operating systems that has previously been exported to an XML file.
Step 3: Provide Connection Information for the VPN Profile
Use this procedure to specify connection information for the VPN profile.
To provide connection information for the VPN profile
- On the Connection page of the Create VPN Profile Wizard, specify the following information:
  - Connection type: From the drop-down list, select the connection type for the VPN connection. The following table lists the connection types that you can choose from and the platforms that each connection type supports.
Connection type | iOS | Windows 8.1 | Windows RT | Windows RT 8.1 |
Cisco AnyConnect | Yes | No | No | No |
Juniper Pulse | Yes | Yes | No | Yes |
F5 Edge Client | Yes | Yes | No | Yes |
Dell SonicWALL Mobile Connect | Yes | Yes | No | Yes |
Check Point Mobile VPN | Yes | Yes | No | Yes |
Microsoft SSL (SSTP) | No | Yes | Yes | Yes |
Microsoft Automatic | No | Yes | Yes | Yes |
IKEv2 | No | Yes | Yes | Yes |
PPTP | Yes | Yes | Yes | Yes |
L2TP | Yes | Yes | Yes | Yes |
    Note: Computers that run the x86 or x64 versions of Windows 8.1 support automatic VPN connections. However, you cannot use the option Use an automatic VPN connection (if configured) in the Create Application Wizard to associate the application with a VPN profile. In this case, you can configure a VPN profile to establish an automatic connection from the Create VPN Profile Wizard or import an XML VPN profile.
  - Server list: Click Add to add a new VPN server to use for the VPN connection. Depending on the connection type, you can add one or more VPN servers and also specify which server is to be the default server.
    Note: Devices that run iOS do not support using multiple VPN servers. If you configure multiple VPN servers and then deploy the VPN profile to an iOS device, only the default server is used.
Depending on the connection type that you selected, the additional options in the following table might be displayed. See the VPN server documentation for more information about these options.
Option | More information |
Realm | Used by the Juniper Pulse connection type. Specify the name of the authentication realm that you want to use. An authentication realm is a grouping of authentication resources that is used by the Juniper Pulse connection type. |
Role | Used by the Juniper Pulse connection type. Specify the name of the user role that has access to this connection. |
Login group or domain | Used by the Dell SonicWALL Mobile Connect connection type. Specify the name of the login group or domain that you want to connect to. |
Send all network traffic through the VPN connection | Used by the Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP and L2TP connection types. If this option is not selected, you can specify additional routes for the connection, which is known as split or VPN tunneling. Only connections to the company network are sent over a VPN tunnel. VPN tunneling is not used when you connect to resources on the Internet. If this option is selected, automatic VPN connections do not function. |
Connection specific DNS suffix | Used by the Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP and L2TP connection types. Optionally, specify the connection-specific Domain Name System (DNS) suffix for the connection. |
Use certificate for authentication | Used by the Microsoft Automatic and L2TP connection types. Select this option if you use a certificate for connection authentication. |
Step 4: Configure the Authentication Method for the VPN Profile
Use this procedure to configure the authentication method for the VPN profile.
To configure the authentication method for the VPN profile
- On the Authentication Method page of the Create VPN Profile Wizard, specify the following information:
  - Authentication method: From the drop-down list, select the authentication method that the VPN connection will use. The items in the drop-down list might differ; they depend on the connection type that you previously selected. The available authentication methods and the supported connection types are listed in the following table.
Authentication method | Supported connection types |
Certificates (Tip: If the client certificate is used to authenticate to a RADIUS server, such as a Network Policy Server, the Subject Alternative Name in the certificate must be set to the User Principal Name.) | Cisco AnyConnect, Juniper Pulse, F5 Edge Client, Dell SonicWALL Mobile Connect, Check Point Mobile VPN |
User name and Password | Juniper Pulse, F5 Edge Client, Dell SonicWALL Mobile Connect, Check Point Mobile VPN |
Microsoft EAP-TTLS | Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP, L2TP |
Microsoft protected EAP (PEAP) | Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP, L2TP |
Microsoft secured password (EAP-MSCHAP v2) | Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP, L2TP |
Smart Card or other certificate | Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP, L2TP |
MSCHAP v2 | Microsoft SSL (SSTP), Microsoft Automatic, PPTP, L2TP |
RSA SecurID | Microsoft SSL (SSTP), Microsoft Automatic, PPTP, L2TP |
Use machine certificates | IKEv2 |
  - Remember the user credentials at each logon: Select this option to ensure that the user credentials are remembered so that the user does not have to enter credentials each time a connection is established.
Step 5: Configure Proxy Settings for the VPN Profile
Use this procedure to provide optional proxy settings for the VPN profile.
To configure proxy settings for the VPN profile
- On the Proxy Settings page of the Create VPN Profile Wizard, select the Configure proxy settings for this VPN profile check box if your VPN connection uses a proxy server.
- Specify details about your proxy server and its settings. For more information, see the Windows Server documentation.
Step 6: Configure an Automatic VPN Connection for the VPN Profile
Use this procedure to configure an automatic VPN connection for the VPN profile.
To configure an automatic VPN connection
- On the Automatic VPN page of the Create VPN Profile Wizard, select Enable VPN on-demand if you want users to establish an automatic VPN connection.
- Click Add to add a DNS suffix and DNS server addresses, and to specify the on-demand action that occurs when users connect to that domain.
  Note: The on-demand action Establish if needed is not applicable to devices that run Windows.
  If a DNS suffix is specified without a corresponding DNS server address, the automatic VPN connection is not established when the resource in the suffix is accessed.
  When you specify a DNS suffix, the VPN connection also opens when any resource in a subdomain of that domain is accessed.
- Specify further options for Windows devices only, such as the trusted network list and the suffix search list. Even if you do not configure a DNS suffix, the DNS server name and an action, you can still configure the trusted server list. These networks are to be used when you configure an application to automatically establish a VPN connection. For more details about configuring an application to automatically establish a VPN connection, see How to Create Applications in Configuration Manager.
Step 7: Configure Supported Platforms for the VPN Profile
Use the following procedure to specify the supported platforms for the VPN profile.
Supported platforms are the operating systems on which the VPN profile will be installed.
To specify supported platforms for the VPN Profile
- On the Supported Platforms page of the Create VPN Profile Wizard, select the operating systems on which the VPN profile will be installed, or click Select all to install the VPN profile on all available operating systems.
Step 8: Complete the Wizard
On the Summary page of the wizard, review the
actions to be taken, and then complete the wizard. The new VPN
profile is displayed in the VPN Profiles node in the
Assets and Compliance workspace.
For information about how to deploy the VPN profile,
see How to
Deploy VPN Profiles in Configuration Manager.
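The constraints stated in Steps 2 through 6 can be checked against a planned profile before the wizard is run. The following is an added example, not part of the original topic and not Configuration Manager code: the dictionary layout, field names and the lint_profile function are hypothetical, and the sample plan is constructed.

```python
import re

# Support matrices transcribed from the two tables on this page.
ALL = {"iOS", "Windows 8.1", "Windows RT", "Windows RT 8.1"}
VENDOR = {"Juniper Pulse", "F5 Edge Client",
          "Dell SonicWALL Mobile Connect", "Check Point Mobile VPN"}
NATIVE = {"Microsoft SSL (SSTP)", "Microsoft Automatic", "IKEv2", "PPTP", "L2TP"}
PLATFORMS = {"Cisco AnyConnect": {"iOS"}, "PPTP": ALL, "L2TP": ALL,
             **{c: ALL - {"Windows RT"} for c in VENDOR},
             **{c: ALL - {"iOS"} for c in NATIVE - {"PPTP", "L2TP"}}}
AUTH = {"Certificates": VENDOR | {"Cisco AnyConnect"},
        "User name and Password": VENDOR,
        "Microsoft EAP-TTLS": NATIVE,
        "Microsoft protected EAP (PEAP)": NATIVE,
        "Microsoft secured password (EAP-MSCHAP v2)": NATIVE,
        "Smart Card or other certificate": NATIVE,
        "MSCHAP v2": NATIVE - {"IKEv2"},
        "RSA SecurID": NATIVE - {"IKEv2"},
        "Use machine certificates": {"IKEv2"}}
BAD_NAME = re.compile(r'[\\/:*?<>| ]')  # characters the page forbids in Name

def lint_profile(p):
    """Return findings for a planned profile; the dict layout is hypothetical."""
    out, conn, targets = [], p["connection_type"], set(p["platforms"])
    if len(p["name"]) > 256 or BAD_NAME.search(p["name"]):
        out.append("name: over 256 characters or contains a forbidden character")
    for os_name in sorted(targets - PLATFORMS.get(conn, set())):
        out.append(f"platform: {conn} is not supported on {os_name}")
    if conn not in AUTH.get(p["auth_method"], set()):
        out.append(f"auth: {p['auth_method']} is not offered for {conn}")
    if "iOS" in targets and len(p["servers"]) > 1:
        out.append("servers: iOS uses only the default server")
    rules = p.get("on_demand", [])
    if rules and p.get("send_all_traffic"):
        out.append("automatic: does not function when all traffic uses the VPN")
    for r in rules:
        if not r.get("dns_servers"):
            out.append(f"automatic: {r['suffix']} has no DNS server, never connects")
        if r.get("action") == "Establish if needed" and targets - {"iOS"}:
            out.append("automatic: 'Establish if needed' not applicable on Windows")
    return out

# Constructed sample plan (example.com names), not taken from a real site.
SAMPLE = {"name": "Corp VPN", "connection_type": "IKEv2", "auth_method": "MSCHAP v2",
          "platforms": ["iOS", "Windows 8.1"], "send_all_traffic": True,
          "servers": ["vpn1.example.com", "vpn2.example.com"],
          "on_demand": [{"suffix": "corp.example.com", "dns_servers": [],
                         "action": "Establish if needed"}]}
print("\n".join(lint_profile(SAMPLE)))
```

The sample plan trips every rule, so the output lists one finding per constraint; an empty list means the plan is consistent with the tables and notes in this topic.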