Microsoft Tunnel is a VPN solution integrated with Microsoft Intune that allows mobile devices managed by Intune (iOS, Android) to securely access on-premises resources. It enables IT administrators to manage and protect network access for devices and applications while ensuring a smooth user experience.
In this article, we’ll explain all the available options for updating Microsoft Tunnel servers to the latest version.
1.0 Microsoft Tunnel Key Features
Microsoft Tunnel VPN offers key features tailored for organizations, including:
- Customizable VPN Profiles: Microsoft Tunnel provides a highly flexible solution that supports various customizations, such as Full Tunnel VPN, Per-App VPN, Split Tunneling, and configurations for Custom DNS and Proxy settings.
- Zero Trust Security: The VPN integrates seamlessly with Azure Conditional Access policies, so access is granted only to compliant devices. It also supports MFA, adding a further layer of security.
- Simplified Deployment: With just a basic Linux server and a few Docker installation commands, the service can be up and running within minutes with the help of the streamlined Tunnel setup scripts.
2.0 Microsoft Tunnel Update
Keeping Microsoft Tunnel updated to the latest version is essential to avoid potential bugs. Through the Tunnel Server Health feature, you can:
- Determine whether your Microsoft Tunnel server is up-to-date.
- Identify how many updates the server has missed compared to the latest version.
To see the Tunnel Server Health status, open the Intune Portal > Tenant Administration > Microsoft Tunnel Gateway > Health Status, then click the server showing a warning.
3.0 How to upgrade Microsoft Tunnel
In this section, we’ll explain all the available ways to run and control Microsoft Tunnel updates efficiently.
3.1 Manual Update with Maintenance Window
You can set the Microsoft Tunnel Site policy as:
- “Automatically upgrade Server”: No
- “Maintenance-Windows”: Yes. This defines the time window during which the servers upgrade once the admin has manually approved the new update.
3.2 Manual Update Immediately
This can be configured through:
- “Automatically upgrade Server”: No
- “Maintenance-Windows”: No
3.2.1 How the Manual Update Works
- To start a manual Tunnel server update, go to Microsoft Intune Portal > Tenant Administration > Microsoft Tunnel Gateway > Sites and select the site whose server(s) you need to upgrade.
- Click “Update Servers”.
- A warning message confirms that all Microsoft Tunnel servers attached to this Microsoft Tunnel site will be restarted to complete the upgrade; Tunnel services will be down during that time.
- When you click Yes, the update command is sent to all of the site’s servers.
- Microsoft Tunnel servers check in with the Intune service once every 5 minutes.
- Based on the Maintenance Window configuration, the server updates as follows:
- If Maintenance-Window is set to No, the update starts at the next check-in.
- If Maintenance-Window is set to Yes, the update starts at the configured time.
- To trace the upgrade download/install, access the server via a terminal and run “sudo journalctl -t mstunnel_monitor -f”.
- If the upgrade completes successfully, the new Tunnel server image hash can also be verified with the terminal command “cat /etc/mstunnel/images_configured”; confirm that the hash matches the one published in the Microsoft article.
- Finally, Microsoft Tunnel Health Checks confirm that Tunnel is up to date.
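The hash check in the last steps is easy to get wrong by eye, since it is a 64-character digest. The script below is an added example (not from the article or from Microsoft) that extracts every sha256 digest from the images_configured file and compares it against the expected value you copy from the Microsoft article. It assumes the file lists each image digest as a `sha256:<64 hex chars>` string; the sample file it creates is constructed and contains placeholder digests so the check can be exercised offline, and the function names are our own.

```shell
#!/bin/sh
# Added example: verify a Microsoft Tunnel server's configured image digest
# against the digest published by Microsoft. Assumption: the file
# /etc/mstunnel/images_configured contains "sha256:<64 hex>" digests.

# Print every unique sha256 digest found in an images_configured file.
# $1 = path to the file (defaults to the real path on a Tunnel server)
tunnel_configured_digests() {
    file="${1:-/etc/mstunnel/images_configured}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    grep -o 'sha256:[0-9a-f]\{64\}' "$file" | sort -u
}

# Return 0 when the expected digest is configured on the server, 1 otherwise.
# $1 = expected digest copied from the Microsoft article (e.g. sha256:...)
# $2 = path to images_configured (defaults as above)
tunnel_verify_digest() {
    expected="$1"
    file="${2:-/etc/mstunnel/images_configured}"
    if tunnel_configured_digests "$file" | grep -qx "$expected"; then
        echo "OK: $expected is configured"
        return 0
    fi
    echo "MISMATCH: $expected not found in $file" >&2
    return 1
}

# Constructed sample file with placeholder digests (NOT real image hashes),
# so the functions can be run without access to a Tunnel server.
SAMPLE_FILE="$(mktemp)"
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
# constructed sample; key names and layout are assumed
agentImageDigest=sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
serverImageDigest=sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
EOF

# Usage on a real server (after the upgrade finished):
#   tunnel_verify_digest "sha256:<digest from the Microsoft article>"
# Offline demonstration against the constructed sample:
tunnel_verify_digest "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "$SAMPLE_FILE"
```

Run it on the server after the journal shows the upgrade finished; a MISMATCH result means either the upgrade did not apply or you compared against the wrong release's digest, and the Health Status page in Intune should be checked before assuming the server is current.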
3.3 Automatic Update with Maintenance Window
For this option you set:
- “Automatic update”: On
- “Maintenance-Window”: Yes (as explained in 3.1, this is the time window defined for the servers to upgrade).
3.4 Automatic Update Once Available
The final option:
- “Automatic Update”: Yes
- “Maintenance-Window”: No, so that Microsoft Tunnel installs any update as soon as Microsoft releases it.
This is not the preferred option, because the update will certainly cause server downtime (at least 5 minutes) until the server checks in again with the Microsoft Intune service.
Conclusion
Microsoft Tunnel VPN in Microsoft Intune is a powerful solution for organizations seeking secure, scalable, and manageable VPN access. By integrating with Microsoft Endpoint Manager and leveraging zero trust principles, it offers robust security and a seamless user experience, making it an essential tool for modern IT environments.