Microsoft Tunnel Gateway Setup step-by-step – Part 1


At Ignite 2020, Microsoft announced the preview of Microsoft Tunnel Gateway. Microsoft Tunnel Gateway is a solution that allows Intune-enrolled iOS and Android devices to access on-premises apps and resources. You can find the announcement with demo here: Introducing Microsoft Tunnel for remote access to corporate resources from iOS and Android – Microsoft Tech Community

There are some blogs out there that cover the setup from Intune, but my struggle was how to configure the Linux machine in the correct way. In this blog post I will share how I did the setup. I did find the documentation from Microsoft lacking in explaining how to get your certificate onto the Linux machine. You can find the Microsoft documentation here: Use the Microsoft Tunnel VPN solution for Microsoft Intune – Azure | Microsoft Docs

Architecture

The Microsoft Tunnel Gateway runs in Docker containers that run on Linux servers.

Components:

  • A – Microsoft Intune.
  • B – Azure Active Directory (AD).
  • C – Linux server with Docker.
    • Ci – Microsoft Tunnel Gateway.
    • Cii – Management Agent.
    • Ciii – Authentication plugin – Authorization plugin, which authenticates with Azure AD.
  • D – Public facing IP or FQDN of the Microsoft Tunnel. This can represent a load balancer.
  • E – Mobile Device Management (MDM) enrolled device.
  • F – Firewall
  • G – Internal Proxy Server (optional).
  • H – Corporate Network.
  • I – Public internet.

Actions:

  • 1 – Intune administrator configures Server configurations and Sites; Server configurations are associated with Sites.
  • 2 – Intune administrator installs Microsoft Tunnel Gateway and the authentication plugin authenticates Microsoft Tunnel Gateway with Azure AD. Microsoft Tunnel Gateway server is assigned to a site.
  • 3 – Management Agent communicates to Intune to retrieve your server configuration policies, and to send telemetry logs to Intune.
  • 4 – Intune administrator creates and deploys VPN profiles and the Tunnel app to devices.
  • 5 – Device authenticates to Azure AD. Conditional Access policies are evaluated.
  • 6 – With split tunnel:
    • 6a – Some traffic goes directly to the public internet.
    • 6b – Some traffic goes to your public facing IP address for the Tunnel.
  • 7 – The Tunnel routes traffic to your internal proxy (optional) and your corporate network.

Additional details:

  • Conditional Access is done in the VPN client and based on the cloud app Microsoft Tunnel Gateway. Non-compliant devices won’t receive an access token from Azure AD and can’t access the VPN server. For more information about using Conditional Access with Microsoft Tunnel, see Use Conditional Access with the Microsoft Tunnel.
  • The Management Agent is authorized against Azure AD using Azure app ID/secret keys.
  • The Tunnel Gateway server uses NAT to provide addresses to VPN clients that are connecting to the corporate network.

Prerequisites

Before starting to configure Microsoft Tunnel Gateway, there are some prerequisites that need to be in place. First, a Linux server is needed; this can be a physical or a virtual machine. This Linux server may run in Azure or in your data center. Microsoft supports (at the moment) the following versions:

  • CentOS 7.4+ (CentOS 8+ isn’t supported)
  • Red Hat (RHEL) 7.4+ (RHEL 8+ isn’t supported)
  • Ubuntu 18.04
  • Ubuntu 20.04

Be sure to check the Microsoft documentation for updated versions and server size!

Docker needs to be installed; this needs to be version 19.03 CE or later.

A certificate is needed for a secure connection between devices and the tunnel gateway.

  • The TLS certificate used to secure the Tunnel Gateway endpoint must have the IP address or FQDN of the Tunnel Gateway server in the SAN.
  • The TLS certificate can’t have an expiration date longer than two years. If the date is longer than two years, it won’t be accepted on iOS devices.
  • Use of wildcards has limited support. For example, *.contoso.com is supported. cont*.com isn’t supported.
  • During installation of the Tunnel Gateway server, you must copy the entire trusted certificate chain to your Linux server. The installation script provides the location where you copy the certificate files and prompts you to do so.
  • If you use a TLS certificate that’s not publicly trusted, you must push the entire trust chain to devices using an Intune Trusted certificate profile.
  • The TLS certificate can be in PEM or pfx format.
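
A pre-flight check of the certificate against the requirements above, as an added example (not part of the original post or of Microsoft's installer). It assumes OpenSSL 1.1.1+ and GNU date on the Linux server, a PEM file with the server certificate first, and reads "two years" as 730 days of total validity; `vpn.contoso.com` and all function names are made up for illustration.

```bash
# Added example (not from the original post). Needs OpenSSL 1.1.1+ and GNU date.
MAX_DAYS=730   # assumption: "two years" counted as 730 days of total validity
# Constructed sample input: self-signed certificate with a given SAN list and lifetime.
make_sample_cert() {  # usage: make_sample_cert out.pem "DNS:a,DNS:b" days
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -subj "/CN=sample" -addext "subjectAltName=$2" -days "$3" 2>/dev/null
}
# Print the SAN entries of the first certificate in a PEM file, one per line.
san_entries() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed -nE 's/^ *(DNS|IP Address)://p'
}
# Succeeds if the server name (FQDN or IP) is in the SAN; "*.<domain>" covers one label.
san_covers() {  # usage: san_covers cert.pem name
  local entry entries name=$2
  entries=$(san_entries "$1")
  while IFS= read -r entry; do
    [ "$entry" = "$name" ] && return 0
    case $entry in
      '*.'*) [ "$name" != "${name#*.}" ] && [ "${name#*.}" = "${entry#\*.}" ] && return 0 ;;
    esac
  done <<EOF
$entries
EOF
  return 1
}
# Print SAN wildcards outside the supported "*.<domain>" form (for example cont*.com).
bad_wildcards() {
  san_entries "$1" | grep -F '*' | grep -Ev '^\*\.[^*]+$'
}
# Total validity (notBefore to notAfter) in whole days.
validity_days() {
  local nb na
  nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( ($(date -ud "$na" +%s) - $(date -ud "$nb" +%s)) / 86400 ))
}
# Run all three checks and report every failure, not just the first.
check_tunnel_cert() {  # usage: check_tunnel_cert fullchain.pem fqdn-or-ip
  local rc=0
  san_covers "$1" "$2" || { echo "FAIL: $2 is not in the SAN"; rc=1; }
  [ -z "$(bad_wildcards "$1")" ] || { echo "FAIL: unsupported wildcard in SAN"; rc=1; }
  [ "$(validity_days "$1")" -le "$MAX_DAYS" ] || { echo "FAIL: valid for more than $MAX_DAYS days"; rc=1; }
  return $rc
}
tmp=$(mktemp -d)
make_sample_cert "$tmp/ok.pem" "DNS:vpn.contoso.com" 365
check_tunnel_cert "$tmp/ok.pem" vpn.contoso.com && echo "certificate meets the listed requirements"
```

On the real server, point `check_tunnel_cert` at the PEM file you plan to copy for the installation script and at the public FQDN or IP of the Tunnel; the sample certificate is only there so the block runs offline.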

For networking, the recommendation is to use two NICs.

You need to open a few ports in the Firewall:

Inbound ports:

  • TCP 443 – Required by Microsoft Tunnel.
  • UDP 443 – Required by Microsoft Tunnel.
  • TCP 22 – Optional. Used for SSH/SCP to the Linux server.

Outbound ports:

  • TCP 443 – Required to access Intune services. Required by Docker to pull images.
  • TCP 80 – Required to access Intune services.

When you create a Server configuration for the tunnel, you can specify a different port than the default of 443. If you specify a different port, be sure to configure firewalls to support your configuration.

Proxy settings are possible, but you can only set an address. There is no option to use credentials.

In the next blog post(s) I will set up all components needed to complete the setup.
