Tip of the Day: Configuring Windows 10 VPN Features

Today’s Tip…Windows 10 Networking:

Our last very exciting tip included a quick run-down of a few of the great new features coming to the Windows 10 client VPN plug-in platform.  However, device management in the era of enterprise mobility brings new concepts, methods and standards.  So before taking a feature deep dive, let’s take a step back to explore and put some context around VPN configuration tasks on the modern Windows platform.

A Simplified UI

Complicated interfaces and cumbersome connection processes are a big source of user frustration and lost productivity.  For this reason, providing a simplified and consistent experience is an important objective of Microsoft’s device convergence efforts.

Windows 10 provides a simplified UI for configuring and reviewing the base VPN settings.


PowerShell

Though some advanced options can only be delivered via a profile pushed by a Mobile Device Management (MDM) solution such as Intune, many settings can be configured using PowerShell.

The graphic below shows the set of cmdlets available in the VpnClient module.

[Figure: the cmdlets available in the VpnClient module]
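To show what those cmdlets look like in practice, here is an added example (not code from the original tip): it creates an IKEv2 connection that authenticates with a machine certificate, replaces the default IPsec proposal with an explicit one, and then reads the profile back so the settings that matter for a security review can be confirmed. The connection name and server address are placeholders.

```powershell
# Added example, not from the original tip: provision a client VPN profile with the
# VpnClient module and verify the security-relevant settings afterwards.
$ConnectionName = 'Contoso Corp VPN'       # placeholder
$VpnServer      = 'vpn.contoso.example'    # placeholder; must match the server certificate's subject/SAN

# 1. Enumerate the cmdlets the module offers (the list the tip's graphic shows).
Get-Command -Module VpnClient | Sort-Object Name | Format-Table Name, Version -AutoSize

# 2. Create the profile. IKEv2 with machine-certificate authentication avoids password-based
#    methods; -RememberCredential and -SplitTunneling are deliberately left off, so nothing is
#    cached and all traffic is forced through the tunnel.
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -Force
}
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $VpnServer `
                  -TunnelType Ikev2 `
                  -AuthenticationMethod MachineCertificate `
                  -EncryptionLevel Required `
                  -Force

# 3. Pin an explicit IPsec policy instead of accepting the IKEv2 defaults. When a GCM suite is
#    chosen for ESP, Windows requires the cipher and authentication transforms to be the same suite.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
                                    -EncryptionMethod AES256 `
                                    -IntegrityCheckMethod SHA256 `
                                    -DHGroup Group14 `
                                    -CipherTransformConstants GCMAES256 `
                                    -AuthenticationTransformConstants GCMAES256 `
                                    -PfsGroup PFS2048 `
                                    -Force

# 4. Read the profile back and flag anything that drifted from the intended baseline.
$vpn    = Get-VpnConnection -Name $ConnectionName
$checks = [ordered]@{
    'Tunnel is IKEv2'             = ($vpn.TunnelType -eq 'Ikev2')
    'Machine certificate auth'    = ($vpn.AuthenticationMethod -contains 'MachineCertificate')
    'Encryption required'         = ($vpn.EncryptionLevel -eq 'Required')
    'Split tunneling disabled'    = (-not $vpn.SplitTunneling)
    'Credentials not cached'      = (-not $vpn.RememberCredential)
    'Custom IPsec policy applied' = ($null -ne $vpn.IPsecCustomPolicy)
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'REVIEW' })
}
```

Run the script in an elevated session; a profile created without -AllUserConnection is visible only to the user who created it, which is why the read-back step uses the same session.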

What is a Configuration Service Provider (CSP)?

A configuration service provider (CSP) performs a function similar to that of a Group Policy client-side extension (CSE): it is an interface to read, set, modify, or delete configuration settings on the device.  These settings map to registry keys or files.

VPN specific CSP functions include the following:

  • Create and Provision
    • Create a VPN Profile
    • Add Application-Triggers, Always-Connected capability etc.
    • Configure appropriate credential mechanism
  • Negotiate Network Parameters
    • Manage Route and Domain assignments
    • Traffic Filters
    • Provision Per-Application VPN
    • Restrict access to specified networks
  • Connect/Terminate
    • Connect/Disconnect a VPN Connection

The VPNv2 configuration service provider allows the mobile device management (MDM) server to configure the VPN profile of the device.

SyncML Configuration Profile

Mobile Device Management (MDM) is an industry term used to refer to device management using platform-independent standards and protocols defined by the Open Mobile Alliance (OMA).

VPN configuration profiles are created using SyncML, an XML-based markup that is the basis for most protocols defined by OMA.  SyncML documents are called messages and conform to the ‘well-formed’ XML structure; that is, configuration ‘elements’ are contained within matching open and close tags.


We will explore more about the VPN CSP and SyncML in an upcoming tip.

The WMI-to-CSP Bridge

Although Windows Phone used a CSP, Windows 8.1 PC SKUs still relied on a WMI provider for configuration and management tasks.  Windows 10 is the first release to use a CSP as the primary configuration interface for both Phone and PC, offering complete compatibility with OMA MDM standards.

To preserve backward compatibility, however, a ‘WMI-to-CSP’ bridge is provided to convert WMI configuration calls into something the platform’s CSP can understand.  This allows configuration of features, including VPN, using WMI.

The following example shows the syntax used to create a VPN Traffic Filter list using WMI.

  // WMI class surfaced by the MDM WMI bridge provider; each property maps to a node
  // under the VPNv2 CSP TrafficFilterList.
  [dynamic, provider("DMWmiBridgeProv"), AMENDMENT]
  class MDM_VPNv2TrafficFilterList02_01
  {
    string InstanceID;           // identifier of this traffic filter within the list
    string ParentID;             // CSP path of the parent TrafficFilterList node
    string Claims;
    string Protocol;             // IP protocol number (for example 6 = TCP, 17 = UDP)
    string LocalPortRanges;
    string RemotePortRanges;
    string LocalAddressRanges;
    string RemoteAddressRanges;
    string RoutingPolicyType;    // SplitTunnel or ForceTunnel
  };
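To show how that class is driven in practice, here is an added example (not code from the original tip) that uses the CIM cmdlets to create a traffic-filter instance through the WMI-to-CSP bridge and then reads the filter list back. The profile name and filter values are constructed placeholders, and the ParentID path (the CSP node the filter list hangs under) is an assumption the tip does not state. The MDM bridge provider only answers callers running as local SYSTEM, so the script checks for that first.

```powershell
# Added example, not from the original tip: create a VPN traffic filter through the
# WMI-to-CSP bridge using the class shown above, then verify what the CSP stored.
$Namespace   = 'root\cimv2\mdm\dmmap'
$ClassName   = 'MDM_VPNv2TrafficFilterList02_01'   # class name exactly as listed in the tip
$ProfileName = 'Contoso Corp VPN'                   # placeholder
# Assumed parent node URI: the TrafficFilterList node of the named VPNv2 profile.
$ParentID    = "./Vendor/MSFT/VPNv2/$([uri]::EscapeDataString($ProfileName))/TrafficFilterList"

# The MDM bridge provider rejects callers outside the local SYSTEM context, so fail early.
if (-not [Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
    throw 'Run this in the SYSTEM context (for example from a scheduled task or psexec -s).'
}

function New-VpnTrafficFilter {
    param(
        [Parameter(Mandatory)][string]$FilterId,
        [ValidateRange(0, 255)][int]$Protocol,
        [string]$RemoteAddressRanges,
        [string]$RemotePortRanges,
        [ValidateSet('SplitTunnel', 'ForceTunnel')][string]$RoutingPolicyType = 'ForceTunnel'
    )
    $instance = New-Object Microsoft.Management.Infrastructure.CimInstance $ClassName, $Namespace
    # ParentID and InstanceID are the key properties that place the node in the CSP tree;
    # the remaining properties map one-to-one onto the MOF fields above.
    $props = @(
        [Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID',            $ParentID,            'String', 'Key')
        [Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID',          $FilterId,            'String', 'Key')
        [Microsoft.Management.Infrastructure.CimProperty]::Create('Protocol',            [string]$Protocol,    'String', 'Property')
        [Microsoft.Management.Infrastructure.CimProperty]::Create('RemoteAddressRanges', $RemoteAddressRanges, 'String', 'Property')
        [Microsoft.Management.Infrastructure.CimProperty]::Create('RemotePortRanges',    $RemotePortRanges,    'String', 'Property')
        [Microsoft.Management.Infrastructure.CimProperty]::Create('RoutingPolicyType',   $RoutingPolicyType,   'String', 'Property')
    )
    foreach ($p in $props) { $instance.CimInstanceProperties.Add($p) }

    $session = New-CimSession
    try     { $session.CreateInstance($Namespace, $instance) }
    finally { Remove-CimSession $session }
}

# Constructed sample: permit only TCP 443 to the corporate web tier over the tunnel.
New-VpnTrafficFilter -FilterId '1' -Protocol 6 -RemoteAddressRanges '10.10.20.0/24' -RemotePortRanges '443'

# Read back what the CSP actually holds; any filter beyond the intended set is worth investigating.
Get-CimInstance -Namespace $Namespace -ClassName $ClassName |
    Where-Object ParentID -eq $ParentID |
    Select-Object InstanceID, Protocol, RemoteAddressRanges, RemotePortRanges, RoutingPolicyType
```

Traffic filters act as an allow-list for the VPN interface, so the tighter the address and port ranges, the less of the corporate network an unmanaged process on the client can reach; the read-back at the end is the check to keep in a baseline script.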
