Windows 10 Per-App VPN

Per-App VPN on Windows 10 is one of the most powerful tools that you can leverage to prevent unintended/unauthorized network access from your Windows 10 applications to your internal network or public endpoints. Windows 10 introduces the ability to leverage client side micro-segmentation to define which application(s) (Desktop and Universal) can access which IP Address(es), Port(s), and/or IP Protocol(s). For example, your Finance application can only access your internal IP range to your finance related datacenters, while other applications cannot gain access via the VPN gateway. You also have the ability to further lockdown the VPN from being tampered with by your end-users or attackers.

Windows 10 Per-App VPN allows for client side micro-segmentation, if you/your customer are interested in extending this security to datacenters, take a look at the VMware NSX solution, a great compliment to the Per-App VPN solution for Windows 10.

1. Create a VPN Profile

When configuring the VPN payload we have many options, we will focus on some of the newer features with Windows 10 in this workshop. You would start by configuring your Connection Information and Authentication. AirWatch supports native VPN protocols, as well as all of the official third-party SSL clients such as the AirWatch Tunnel client.

1.1. Navigate to the Devices Profile List View

Navigate to the Devices Profile List View
  1. Click Devices
  2. Click Profiles
  3. Click List View
  4. Hover your mouse over Add
  5. Click Add Profile

1.2. Add a Windows Profile

Click on the Windows icon.

1.3. Add a Windows Desktop Profile

Click on Windows Desktop

1.4. Define the General Settings

Define the General Settings
  1. Click on “General” if it is not already selected.
  2. Give the profile a name such as “Windows VPN” by entering the string the in the “Name” field.
  3. Copy the profile name into the Description field.
  4. Click in the Assigned Smart Groups field.  This will pop-up the list of created Smart Groups. Click on the "All Devices" Smart Group you created in a previous step.

NOTE: You do not need to click SAVE AND PUBLISH at this point. This interface allows you to move around to different payload configuration screens before saving.

Click to the NEXT STEP in the lab manual to continue configuration of the profile.

1.5. Select the VPN Payload

Select the VPN Payload

NOTE: When initially setting a payload, a "Configure" button will show to reduce the risk of accidentally setting a payload configuration.

  1. Click on the "VPN" payload in the "Payload" section on the left.
  2. Click the "Configure" button to continue setting the VPN payload.

1.6. Adding a VPN Payload

Adding a VPN Payload
  1. Enter the friendly name Windows VPN in the "Connection Name" field
  2. Confirm IKEv2 is selected in the "Connection Type"
  3. Enter ikev2.airwlab.com in the "Server" field
  4. Select EAP-MSCHAPv2 (Username + Password) in the "EAP type" dropdown

2. Assigning Triggering Applications

When leveraging Per-App VPN you can designate applications (Desktop and Universal) based on the application’s Package Family Name (PFN) or the file path. PFN is used when designating Universal applications, while file paths are used when designating Desktop applications. You can add as many applications to the list by clicking “Add New Per-App VPN Rule”.

2.1. Store App

Store App

Fill in the Application ID by entering either the Package Family Name (for public apps we can do a lookup for the PFN, for internal apps get the developer to send you the PFN or read the note below to find PFNs) or File Path for your application.

  1. Click Add New Per App VPN Rule
  2. Select Store App from the drop-down menu
  3. Enter AirWatch into the search field
  4. Click the magnifier icon to search

Helpful Hint: Package Family Name (PFN) is used for Store Applications, while File Path is used for executables or Desktop Apps. To find all the PFNs on the device, run the following command in PowerShell: "Get-AppxPackage" In AirWatch 8.2, we have added this step into the UI. You can simply search for the app in the store and we auto-populate the PFN.

2.2. AirWatch Browser

AirWatch Browser
  1. Find AirWatch Browser and then click Select

2.3. Routing Rules

Routing Rules

Notice that the Package Family Name for AirWatch Browser has been automatically populated.

  1. Click DNS Routing Rules to define our filter rules for this app
  2. Click + Add New Filter
  3. Select Ports from the drop-down
  4. Enter 443 as your port
  5. Click + Add New Per-App VPN Rule

You can choose either to “Force All Traffic Through VPN” or “Allow Direct Access to External Resources” for the Routing Policy. We will leave our policy set to its default.

  • Force All Traffic Through VPN (Force Tunnel): For this traffic rule all IP traffic must go through the VPN Interface only.
  • Allow Direct Access to External Resources (Split Tunnel): For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces.

2.4. Desktop App

Desktop App
  1. Select Desktop App from the drop-down menu
  2. Enter the File Path "%ProgramFiles%/Internet Explorer/iexplore.exe", this will be IE not the Edge browser.
  3. Click DNS Routing Rules
  4. Click + Add New Filter 3x- three times
  5. Select IP Address from the drop-down
  6. Select Ports from the drop-down
  7. Select IP Protocol from the drop-down
  8. Enter "128.64.0.69" for your IP Address
  9. Enter "80,100-500" for your Ports
  10. Enter "6" for your Protocol. 6 refers to using TCP. Click here for a complete list of IP Protocols and their decimal values.

You can create a combination of filter types to achieve your desired traffic shaping policy for each application.

  • IP Address: A list of comma separated values specifying remote IP address ranges to allow.
  • Ports: A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320. Ports are only valid when the protocol is set to TCP or UDP.
  • IP Protocol: Numeric value from 0-255 representing the IP protocol to allow. For example, TCP = 6 and UDP = 17.

3. Device Wide VPN Rule

If you simply want the entire device to leverage the VPN or want to add a fallback device wide rule for your other rules then you will want to add a Device Wide VPN Rule.

3.1. Device Wide VPN Rule (Information Only)

Informational Only

You can create a combination of filter types to achieve your desired traffic shaping policy for the entire device or as our fail back. Thus, if no applications match the list of per-app VPN applications, then the device wide profile will be applied.

  • IP Address: A list of comma separated values specifying remote IP address ranges to allow.
  • Ports: A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320. Ports are only valid when the protocol is set to TCP or UDP.
  • IP Protocol: Numeric value from 0-255 representing the IP protocol to allow. For example, TCP = 6 and UDP = 17.

4. Additional Policies (Informational Only)

Additional Policies (Informational Only)

Informational Only

You can add additional policies to satisfy your VPN needs and use case.

  • Remember Credentials: Credentials are cached whenever possible.
  • Always On: Always On will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects.
  • VPN Lockdown: When the Lockdown is turned on, it does the following things:
    • First, it automatically becomes an "always on" profile.
    • Second, it can never be disconnected.
    • Third, if the profile is not connected, then the user has no network.
    • Fourth, no other profiles may be connected or modified.

Note: A Lockdown profile must be deleted before you can add, remove, or connect other VPN profiles.

  • Bypass For Local: Requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN.
  • Trusted Network Detection: Comma separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.

5. Save the VPN Profile

Save the VPN Profile
  1. Click Save & Publish

5.1. Publish the VPN Profile

Publish the VPN Profile
  1. Click Publish

5.2. Verify the VPN Profile Now Exists

Verify the VPN Profile Now Exists

You should now see your VPN Profile within the List View of the Devices Profiles window.

NOTE:  If you need to edit the VPN Profile, this is where you would come back to in order to do so. To edit the profile, click the profile name then select "Add Version", make your changes and click "Save & Publish" to push the new settings to the assigned devices. Feel free to explore the options available and continue to the next step when you are prepared to end the Module.