Skip Navigation

Windows 10
: VPN profile settings

Windows
: VPN profile setting
Description
Connection type
This setting specifies the connection type that a
Windows 10
device uses for a VPN.
Possible values:
  • Microsoft
  • Junos Pulse
  • SonicWALL Mobile Connect
  • F5
  • Check Point Mobile
  • Manual connection definition
The default value is "
Microsoft
."
Server
This setting specifies the public or routable IP address or DNS name for the VPN. This setting can point to the external IP of a VPN, or a virtual IP for a server farm.
This setting is valid only if the "Connection type" is set to "
Microsoft
."
Server URL list
This setting specifies a comma-separated list of servers in URL, host name, or IP format.
This setting is valid only if the "Connection type" is not set to "
Microsoft
".
Routing policy type
This setting specifies the type of routing policy.
This setting is valid only if the "Connection type" is set to "
Microsoft
."
Possible values:
  • Split tunnel
  • Force tunnel
The default value is "Force tunnel."
Native protocol type
This setting specifies the type of routing policy used by the VPN.
This setting is valid only if the "Connection type" is set to "
Microsoft
."
Possible values:
  • L2TP
  • PPTP
  • IKEv2
  • Automatic
The default value is "Automatic."
Authentication
This setting specifies the method of authentication used for the native VPN.
The "Native protocol type" setting determines which authentication methods are supported and the default value for this setting:
  • If you select L2TP or PPTP, the possible values are MS-CHAPv2 and EAP. The default value is MS-CHAPv2
  • If you select IKEv2, the possible values are User method and Machine method. The default value is User method.
  • If you select Automatic, the only possible value is EAP.
Possible values:
  • EAP
  • MS-CHAPv2
  • User method
  • Machine method
EAP configuration
This setting specifies the XML of the EAP configuration.
For information about how to generate the EAP configuration XML, visit eap-configuration
This setting is valid only if the "Authentication " setting is set to "EAP."
User method
This setting specifies the type of user method authentication to use.
This setting is valid only if the "Authentication " setting is set to "User method."
Possible values:  EAP
achine method
This setting specifies the type of machine method authentication to use.
This setting is valid only if the "Authentication " setting is set to "Machine method."
Possible value: Certificate
Custom configuration
This setting specifies the HTML encoded XML blob for an SSL-VPN plug-in specific configuration, including authentication information, that is sent to the device to make it available for SSL-VPN plug-ins.
This setting is valid only if the "Connection type" is not set to "
Microsoft
."
Plugin package family name
This setting specifies the package family name of the custom SSL VPN.
This setting is valid only if the "Connection type" is set to "Manual connection definition."
L2TP preshared key
This setting specifies the preshared key used for an L2TP connection.
App trigger list
This setting specifies a list of apps that start the VPN connection.
App trigger list > App ID
This setting identifies an app for a per-app VPN.
Possible values:
  • Package family name. To find the package family name, install the app and run the
    Windows PowerShell
    command,
    Get-AppxPackage
    . For more information, visit hh856044.aspx
  • Installation location of the app. For example, C:\Windows\System\Notepad.exe.
Route list
This setting specifies a list of routes that the VPN can use. If the VPN uses split tunneling, a route list is required.
Subnet address
This setting specifies the IP address of the destination prefix using the IPv4 or IPv6 address format.
Subnet prefix
This setting specifies the subnet prefix of the destination prefix.
Exclusion
This setting specifies whether the route that is added must point to the VPN interface as the gateway or a physical interface. If you select the check box, traffic is directed over the physical interface. If you leave the box unchecked, traffic is directed over the VPN.
Domain name list
This setting specifies the Name Resolution Policy Table (NRPT) rules for the VPN.
Domain name
This setting specifies the FQDN or suffix of the domain.
DNS servers
This setting specifies the list of IP addresses of the DNS servers, separated by commas.
Web proxy server
This setting specifies the IP address of the web proxy server.
Trigger VPN
This setting specifies whether this domain name rule triggers the VPN.
Persistent
This setting specifies whether the domain name rule is applied when the VPN is not connected.
Traffic filter list
This setting specifies the rules that allow traffic over the VPN.
Traffic filter list > App ID
This setting identifies an app for an app-based traffic filter.
Possible values:
  • Package family name. To find the package family name, install the app and run the
    Windows PowerShell
    command,
    Get-AppxPackage
    . For more information, visit hh856044.aspx
  • Installation location of the app. For example,
    C:\Windows\System\Notepad.exe
    .
  • Type "SYSTEM" to enable Kernel Drivers to send traffic through the VPN (for example, PING or SMB).
Protocol
This setting specifies the protocol that the VPN uses.
Possible values:
  • All
  • TCP
  • UDP
The default value is "All."
Local port ranges
This setting specifies the list of allowed local port ranges separated by commas. For example, 100-120, 200, 300-320.
Remote port ranges
This setting specifies the list of allowed remote port ranges separated by commas. For example, 100-120, 200, 300-320.
Local address ranges
This setting specifies the list of allowed local IP address ranges, separated by commas.
Remote address ranges
This setting specifies the list of allowed remote IP address ranges, separated by commas.
Routing policy type
This setting specifies the routing policy that the traffic filter uses. If set to "Force tunnel," all traffic goes through the VPN. If set to "split tunnel," traffic can go through the VPN or the Internet.
Possible values:
  • Split tunnel
  • Force tunnel
The default setting is "Force tunnel."
Remember credentials
This setting specifies whether the credentials are cached whenever possible.
Always on
This setting specifies whether devices automatically connect to the VPN at sign-in and stay connected until the user manually disconnects the VPN.
Lock down
This setting specifies whether this VPN connection must be used when the device connects to a network. When this setting is enabled, the following applies:
  • The device stays connected to the VPN. It cannot be disconnected.
  • The device must be connected to this VPN to have any network connection.
  • The device cannot connect to, or modify, other VPN profiles.
DNS suffix
This setting specifies one or more DNS suffixes separated by commas. The first DNS suffix in the list is also used as the primary connection for the VPN. The list is added to the SuffixSearchList.
Trusted network detection
This setting specifies a comma-separated string to identify the trusted network. The VPN does not connect automatically when users are on their organization's wireless network.
IP Security properties
Authentication transform constants
Possible values:
  • MD596
  • SHA196
  • SHA256128
  • GCMAES128
  • GCMAE192
  • GCMAES256
The default setting is "MD596."
Cipher transform constants
Possible values:
  • DES
  • DES3
  • AES128
  • AES192
  • AES256
  • GCMAES128
  • GCMAES192
  • GCMAES256
The default setting is "DES."
Encryption method
Possible values:
  • DES
  • DES3
  • AES128
  • AES192
  • AES256
The default setting is "DES."
Integrity check method
Possible values:
  • MD5
  • SHA196
  • SHA256
  • SHA384
The default setting is "MD5."
Diffie-Hellman Group
Possible values:
  • Group1
  • Group2
  • Group14
  • ECP256
  • ECP384
  • Group24
The default setting is "Group1."
PFS Group
Possible values:
  • PFS1
  • PFS2
  • PFS2048
  • ECP256
  • ECP384
  • PFSMM
  • PFS24
The default value is "PFS1."
Proxy type
This setting specifies the type of proxy configuration for the VPN.
Possible values:
  • None
  • PAC configuration
  • Manual configuration
The default value is "None."
PAC URL
This setting specifies the URL for the web server that hosts the PAC file, including the PAC file name. For example, http://www.example.com/PACfile.pac.
This setting is valid only if the "Proxy type" setting is set to "PAC configuration."
Address
This setting specifies the FQDN or IP address for the proxy server.
This setting is valid only if the "Proxy type" setting is set to "Manual configuration."
Associated SCEP profile
This setting specifies the associated SCEP profile that a device uses to obtain a client certificate to authenticate with the VPN.