Microsoft has delivered a managed VPN for mobile devices — using a Linux container.
Nine months into the pandemic, remote work remains an important tool in helping to suppress the virus. But many of the resources we need to use are on machines in our corporate data centres, so we need secure access from home PCs over the public internet. That means setting up, running, and managing VPNs.
It’s not hard to set up and run a VPN, as they’re standard with most server operating systems or even integrated into many SME routers, although running one securely can be another story. Anyone can connect to a VPN, with the right username and password. And that connection can be from any device, anywhere. Technologies like DirectAccess tried to change the VPN model, but they were complex, requiring significant networking skills and dedicated hardware.
Protecting remote work
What’s to stop someone compromising a home PC that’s logged onto your network and accessing confidential data? It doesn’t even need to be deliberate — consider an iPad that’s being used for both work and for a child’s video lessons accidentally logging on to the corporate network in the middle of a class and displaying documents to everyone in the school.
Microsoft’s Endpoint Security, in conjunction with Azure Active Directory and Intune, offers a set of conditional access tools that set policies to control network access for both corporate fleets and BYOD hardware. They’re policies that cover more than PCs, working with Android and iOS, setting standards for device security, for supported versions, and managing a wide selection of security scenarios, like “the impossible traveller”, or ramping up and down security settings by log-on location.
While the default Windows Server VPN works well with most operating systems, and is ideal for use with Windows clients using tools like conditional access and modern authentication, you don’t get that same level of control with mobile devices. With the shift to remote working, those devices are an increasingly important part of a blended work environment, allowing users to quickly access mobile versions of key applications or work with tools like Teams and the Power Platform.
Introducing Microsoft Tunnel
Microsoft is currently previewing an alternative to the Windows VPN, Microsoft Tunnel, aimed at iOS, iPadOS, and Android Enterprise devices. It’s a policy-driven VPN that allows you to lock down access to devices that comply with your security policies, reducing the risk of intrusion from bad actors and of data leakage through misconfigured devices that don’t have appropriate separation of work and personal content.
Tunnel is provided as a container running on a Linux host. That host can run on-premises or in the cloud, and once installed is managed from Microsoft Endpoint Manager using Intune device profiles to control device access. Cloud-hosted servers do need a direct connection between the cloud and your on-premises network, unless you’re working with a cloud-hosted virtual infrastructure.
Microsoft recommends using its MPLS Express Route service for site-to-cloud connections, as you’re likely to want a connection with the lowest possible latency. Although you could use a point-to-point VPN connection, the overhead associated with this approach could add significant lag to connections, as well as struggling to carry all the traffic.
Multiple servers can be linked as a Site, with server configurations that are applied when servers join a Site using prepared scripts. These can be used with a load balancer to manage access and can link users directly to specific applications, rather than providing a general-purpose VPN. Per-app VPN policies can be applied, as well as rules for working with open VPN connections.
Getting started with Microsoft Tunnel
There are some prerequisites before you can start using Tunnel. Currently only four Linux host OSs are supported, with Docker installed for the Tunnel container. They can either be standalone servers, or you can run them as virtual machines on Windows Server. Microsoft also suggests CPU and memory sizes based on the number of connections you expect to manage. You must have a TLS certificate for your servers that’s assigned to either the Tunnel endpoint IP address or its fully qualified domain name.
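An added example, not code from the article or from Microsoft's own Tunnel tooling: a small Go check that a PEM certificate's Subject Alternative Names actually cover the endpoint you intend to advertise to clients, whether that is an FQDN or an IP literal (the two cases the prerequisite above allows), since a certificate issued for one will not validate for the other. The hostname, the IP address and the self-signed certificate the block builds are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CertCoversEndpoint parses a PEM certificate and reports whether it is
// currently valid and its SANs cover endpoint. VerifyHostname matches an IP
// literal against the IP SANs and a DNS name against the DNS SANs.
func CertCoversEndpoint(certPEM []byte, endpoint string) (bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return false, fmt.Errorf("certificate not valid at current time")
	}
	return cert.VerifyHostname(endpoint) == nil, nil
}

// selfSignedCert builds a constructed self-signed certificate with the given
// DNS and IP SANs, purely to exercise the check above (hypothetical helper).
func selfSignedCert(dnsNames []string, ips []net.IP) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	pemBytes := selfSignedCert([]string{"tunnel.example.test"}, []net.IP{net.ParseIP("203.0.113.10")})
	fmt.Println(CertCoversEndpoint(pemBytes, "tunnel.example.test")) // true <nil>
}
```

For a real deployment, feed CertCoversEndpoint the certificate file you plan to install and the exact FQDN or IP that the client profile will point at; a false result before rollout saves a fleet of devices failing TLS validation after it.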
Client devices need to run the Microsoft Tunnel app, which is available from both the Apple App Store and the Google Play Store. You can use Intune to manage installs where necessary, pushing the Tunnel client to managed devices. The Microsoft Endpoint Manager dashboard provides monitoring for Tunnel, with tools for handling configuration and displaying server health.
Once installed, Microsoft Tunnel operates as a managed solution. You don’t need to manage it beyond managing policies, and all updates are managed from Microsoft 365, even if you’re using a set of Tunnel containers configured as a site. Brad Anderson, Microsoft CVP for Microsoft 365, notes: “We built it in a way where, if you’ve got multiple of these gateways to handle the load, when we go to update we do it in a rolling pattern so that you have always got devices online.”
Bringing remote work to all your devices, securely
Tools like Microsoft Tunnel open up access to applications and services beyond PCs, allowing remote workers to use Android and iOS devices with the same level of assured security. By bundling the service as a Linux container, Microsoft makes it easy to get started: drop in a container, connect it to a Microsoft 365 Endpoint Security subscription, and away you go.
Anderson describes this approach as enabling access to services like Office 365 in a way that’s enterprise-friendly: “In order to understand ‘is it really a trusted session?’, you have to have a point of view on the trust of the identity, on the trust of the device, you have to take into consideration things like physical location, their network location — all these things have to come in. That literally was the genesis of what we now know is conditional access, which is the most implemented zero-trust model on the planet.”
Having a zero-trust approach to a VPN appliance like Microsoft Tunnel is important, as it ensures that you’re thinking in the right way about modern security, with a focus on protecting data and applications, and not on hardware or clients.