You're preparing the TLS certificate for a new Microsoft Tunnel Gateway server that devices reach using the FQDN tunnel.contoso.com. What requirement must the certificate meet?
It must be a self-signed certificate generated by the mst-cli tool on the Linux host.
The Subject Alternative Name (SAN) must include the IP address or FQDN that devices use to reach the server.
The certificate must be issued exclusively by the Microsoft Intune root CA.
Your organization wants unenrolled Android personal devices to use Microsoft Tunnel for accessing on-premises resources from Microsoft Edge. Which prerequisite must be in place?
The devices must first be fully enrolled in Intune as personally owned work-profile devices.
An Intune Plan 2 license (or Intune Suite add-on) covering the users, plus app configuration and app protection policies on Edge that enable Tunnel on app launch.
Each user must install OpenSSH on their device to authenticate to the Tunnel gateway.
You're rolling out Microsoft Tunnel for MAM on iOS for a line-of-business application. What scope of VPN coverage can you provide on this platform?
Device-wide VPN that routes all iOS traffic through the Tunnel gateway.
Per-app VPN only, scoped to the LOB app (and other apps such as Edge) that integrate the Tunnel for MAM iOS SDK.
Always-on VPN that connects automatically at device boot for any signed-in user.
A Tunnel Gateway server shows as offline in the admin center's Health status view, but devices are still connecting successfully through it. Which corrective action is recommended?
Run mst-cli server restart and consider the issue resolved if devices stay connected.
Reinstall Microsoft Tunnel (sudo mst-cli uninstall followed by sudo ./mstunnel-setup) so the agent re-registers with Intune.
Delete the site in the Intune admin center and recreate it from scratch.
Your network team won't let Tunnel use any UDP traffic to the gateway because of a firewall constraint. What configuration change supports this requirement?
Disable the mstunnel-agent service on the Linux host.
In the server configuration, enable the Disable UDP connections option (supported when devices use the Microsoft Defender Tunnel client).
Add 0.0.0.0/0 to the split-tunneling exclude list to force TCP routing.