Hello,
Thank you for posting in the Q&A forum.
In the situation you described, the general order is as follows:
Firstly, the client computer will attempt to establish a connection with the local VPN server.
Once the client computer contacts the local VPN server, the VPN server will verify the client's identity. In the case you provided, the VPN server may verify the certificate used by the client to ensure it has a valid 1-hour certificate.
After verifying the client's identity, the VPN server will contact the NPS or RADIUS server to further verify the client's identity and authorization. The VPN server passes the client's identity information to the NPS server and decides whether to allow the client to establish a connection based on the NPS configured policy.
After receiving a request from the VPN server, the NPS server will verify and authorize it. It may check the validity of client certificates and decide whether to allow connections based on configured policies. If the client certificate is valid and meets the conditions, NPS will send an authorization response to the VPN server, allowing the connection to be established.
Once the VPN server receives an authorization response from NPS, it will allow the client computer to establish a connection with the VPN server. In this way, client computers can communicate with the target network through the VPN.
I hope this answer helps you.
Best regards,
Jill Zhou
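
A simplified model of the order described in the answer above, added here as an example (not part of the original post and not Microsoft's implementation). It shows which hop refuses a connection for a 1-hour certificate, which helps decide whether to look at the VPN server or at NPS when troubleshooting. `ClientCert`, `nps_decide`, `vpn_connect`, the subject name and the policy set are hypothetical names and constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class ClientCert:
    subject: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, now: datetime) -> bool:
        return self.not_before <= now <= self.not_after

def nps_decide(cert, now, allowed_subjects):
    """NPS side: re-check the certificate, then apply the configured policy."""
    if cert.valid_at(now) and cert.subject in allowed_subjects:
        return "Access-Accept"
    return "Access-Reject"

def vpn_connect(cert, now, allowed_subjects):
    """VPN side: returns (connected, trace) following the order in the answer."""
    trace = ["client -> vpn: connection attempt"]
    if not cert.valid_at(now):
        # Refused by the VPN server; in this model NPS is never contacted.
        trace.append("vpn: certificate outside validity window")
        return False, trace
    trace.append("vpn -> nps: Access-Request")
    decision = nps_decide(cert, now, allowed_subjects)
    trace.append(f"nps -> vpn: {decision}")
    return decision == "Access-Accept", trace

# Constructed sample data: a certificate issued for one hour.
ISSUED = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
CERT = ClientCert("CN=laptop01", ISSUED, ISSUED + timedelta(hours=1))
POLICY = {"CN=laptop01"}  # hypothetical stand-in for an NPS network policy

if __name__ == "__main__":
    for label, when, policy in [
        ("in window, allowed", ISSUED + timedelta(minutes=30), POLICY),
        ("expired", ISSUED + timedelta(minutes=61), POLICY),
        ("in window, not in policy", ISSUED + timedelta(minutes=30), set()),
    ]:
        ok, trace = vpn_connect(CERT, when, policy)
        print(label, "->", "connected" if ok else "refused")
        for step in trace:
            print("   ", step)
```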