Upgrade Microsoft Tunnel for Microsoft Intune
Microsoft Tunnel, the VPN gateway solution for Microsoft Intune, periodically receives software upgrades that must be installed on the tunnel servers to keep them in support. To stay in support, a server must run the most recent release or, at most, be one version behind. This article explains:
- The upgrade process
- Upgrade controls
- Status reports you can use to understand the software version of tunnel servers
- When upgrades are available
- How to control when upgrades happen
Intune handles the upgrade of the servers assigned to each tunnel site for you. When upgrades for a site begin, all servers in the site upgrade one at a time; this is referred to as an upgrade cycle. While a server is upgrading, the Microsoft Tunnel on that server isn't available for use. Upgrading a single server at a time minimizes disruption to users when the site includes multiple servers. A site with only one server has no tunnel capacity while that server upgrades.
During an upgrade cycle:
- Intune begins by upgrading one server in the site. The upgrade can start as soon as 10 minutes after the release becomes available.
- If a server is off, its upgrade begins after the server is turned back on.
- After a successful upgrade of one server at a site, Intune waits a short time before it starts the upgrade of the next server.
Use upgrade controls
To help control when Intune begins the upgrade cycle, configure the following settings at each site. You can configure the settings when creating a new site, or by editing the properties of an existing site:
- Automatically upgrade servers at this site
- Limit server upgrades to maintenance window
Automatically upgrade servers at this site
This setting determines if an upgrade cycle for the site can begin automatically, or if an admin must explicitly approve the upgrade before the cycle can begin.
Yes (default) – When set to Yes, the site automatically upgrades servers as soon as possible after a new tunnel version becomes available. Upgrades begin without admin intervention.
If you set a maintenance window for the site, the upgrade cycle begins between the window's start and end time. When no maintenance window is set, the upgrade cycle starts as soon as possible.
No – When set to No, Intune doesn't upgrade servers until an admin explicitly chooses to begin the upgrade cycle.
After an upgrade is approved for a site that has a maintenance window, the upgrade cycle begins between the window's start and end time. If there's no maintenance window, the upgrade cycle starts as soon as possible.
Important
When you configure a site for manual upgrades, periodically review the Health check tab to learn when newer versions of Microsoft Tunnel are available to install. The report also identifies when the current tunnel version at the site is out of support.
Limit server upgrades to maintenance window
Use this setting to define a maintenance window for the site.
When configured for a site, the server upgrade cycle can begin only during the configured period. However, once begun, the cycle continues to upgrade servers one by one until all servers assigned to the site complete the upgrade.
No (default) – No maintenance window is set. Sites that are configured to upgrade automatically do so as soon as possible. Sites configured to require explicit action to start the upgrade do so as soon as possible after the upgrade is approved.
Yes – Set a maintenance window. The window limits when a server upgrade cycle can begin at the site. The maintenance window doesn’t define when individual servers assigned to the site might start to upgrade.
Sites that are configured to upgrade automatically start the upgrade cycle only during the configured period. Sites configured to require admin approval before beginning start the cycle during the next maintenance window after the upgrade is approved.
When set to Yes, configure the following options:
- Time zone – The time zone you select determines when the maintenance window starts and ends on all servers in the site. The time zone of individual servers isn't used.
- Start time – Specify the earliest time that the upgrade cycle can start, based on the time zone you selected.
- End time – Specify the latest time that the upgrade cycle can start, based on the time zone you selected. Upgrade cycles that start before this time continue to run and can complete after it.
View tunnel server status
You can view information about the status of Microsoft Tunnel servers, including whether the version of Microsoft Tunnel on a server is current, one version behind, or out of support.
For sites that aren't configured to upgrade automatically, you can also view when upgrades to a new version are available.
Sign in to Microsoft Intune admin center > Tenant administration > Microsoft Tunnel Gateway > Health status. Select a server and then open the Health check tab to view the following information about it:
Server version - The status of the Tunnel Gateway Server software, in the context of the most recent version available.
- Healthy - Up to date with the most recent software version.
- Warning - One version behind.
- Unhealthy - Two or more versions behind, and out of support.
When a server doesn't run the most recent software version, plan to install the available upgrade to keep Microsoft Tunnel in support.
Approve upgrades
Sites that have the setting Automatically upgrade servers at this site set to No don't automatically upgrade servers. Instead, an admin must approve upgrades for servers at that site before the upgrade cycle starts.
To understand when an upgrade is available for servers, use the Health check tab to review server status.
To approve an upgrade
Sign in to Microsoft Intune admin center > Tenant administration > Microsoft Tunnel Gateway > Sites.
Select the site with an Upgrade type of Manual.
On the site’s properties, select Upgrade servers.
After you choose to upgrade servers, Intune starts the process, which can't be canceled. The time that upgrades begin at the site depends on the maintenance window configuration for the site.
Microsoft Tunnel update history
Updates for Microsoft Tunnel release periodically. When a new version is available, read about the changes here.
After an update releases, it rolls out to tenants over the following days. This rollout time means new updates might not be available for your tunnel servers for a few days.
The Microsoft Tunnel version for a server isn't shown in the Intune UI at this time. Instead, run the following command on the Linux server that hosts the tunnel to identify the agentImageDigest and serverImageDigest hash values, and compare them with the values listed in the update history that follows: cat /etc/mstunnel/images_configured
Important
Container releases take place in stages. If your container images aren't the most recent, they'll be updated and delivered within the following week.
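The following script is an added example for comparing a server's image digests with the update history that follows; it isn't part of the Microsoft Tunnel documentation or product. It reads /etc/mstunnel/images_configured, pulls out the serverImageDigest value, looks it up in a table copied from the history below (newest first), and maps the result to the same Healthy / Warning / Unhealthy buckets the Health check tab uses. It assumes the file names each digest with its key followed by a separator and a sha256:<hex> value, as the history does; that format is an assumption, not something the page documents. The sample file in the comments is constructed.

```shell
#!/bin/sh
# Added example, not Microsoft's code. Classifies a Microsoft Tunnel server's
# installed release from the serverImageDigest in /etc/mstunnel/images_configured.
#
# ASSUMPTION: the file contains lines of the form
#   agentImageDigest: sha256:<64 hex>
#   serverImageDigest: sha256:<64 hex>
# (any non-hex separator between key and value is tolerated). The page doesn't
# document the file format.

# serverImageDigest values from the update history, newest first. Must be kept
# in sync with the history when a new release ships.
RELEASES='2024-10-02 sha256:0efab5013351bcd81f186973e75ed5d9f91bbe6271e3be481721500f946fc9ec
2024-09-12 sha256:6484d311d1bd6cbe55d71306595715bafa6a20a000be6fd6f9e530716cef6c16
2024-08-12 sha256:66559e142d489491ca8f090b50f4a444a3394f850a5ec09fb9f3e6f986d93c46
2024-06-20 sha256:5ba3c960be6b9da4569a019fcd57509c25a89106fc689fbf4fe38f0bdb98fbdd
2024-05-16 sha256:f6249bc16f90abc9e6fb278c74e07b1c3e295cc0614d38ae20036cee50ff5c56
2024-04-22 sha256:95106796faa4648ffe877c1ae4635037fd8bd630498bb3caea366e3c832f84cc
2024-03-14 sha256:5f3f34f3f11a4d45efdd369e86d183cae0fafdd78c9c1d0a9275f26ce64e5510
2024-02-01 sha256:6f444d251b56e467b8791201f554b22d1431a135a5f66bc45638cec453e22b47
2024-01-04 sha256:0389d8c16794cf2f982a955a528b0bbba79b7c7180fd5706f44bb691ca61734d
2023-11-14 sha256:7385c838ed95f3f5fea48a3e277223e4faa502d64205f182cf43740ad4dd9573
2023-10-04 sha256:9b477e6bc029d2ebadcafd4db3f516e87f0209b50d44fa2a5933aa7f17e9203b'

# Print the first sha256 digest that follows KEY in FILE, or nothing if absent.
extract_digest() {  # $1 = key (agentImageDigest|serverImageDigest), $2 = file
    sed -n "s/.*$1[^0-9a-f]*\(sha256:[0-9a-f]\{64\}\).*/\1/p" "$2" | head -n 1
}

# Print how many releases behind the newest entry DIGEST is (0 = newest),
# or "unknown" if the digest isn't in the table.
release_index() {  # $1 = digest
    printf '%s\n' "$RELEASES" |
        awk -v d="$1" 'BEGIN { i = 0; found = 0 }
                       $2 == d { print i; found = 1; exit }
                       { i++ }
                       END { if (!found) print "unknown" }'
}

# Map an index to the Health check buckets: 0 -> Healthy (current),
# 1 -> Warning (one version behind), 2 or more -> Unhealthy (out of support).
support_status() {  # $1 = index or "unknown"
    case "$1" in
        0)       echo Healthy ;;
        1)       echo Warning ;;
        unknown) echo Unknown ;;
        *)       echo Unhealthy ;;
    esac
}

# Print "<status> <index> <digest>" for the server image recorded in FILE.
check_server_file() {  # $1 = path to images_configured
    digest=$(extract_digest serverImageDigest "$1")
    if [ -z "$digest" ]; then
        echo "Unknown unknown -"
        return 0
    fi
    idx=$(release_index "$digest")
    echo "$(support_status "$idx") $idx $digest"
}

# Usage on a tunnel host:
#   check_server_file /etc/mstunnel/images_configured
```

A "Warning" or "Unhealthy" result from this script should be read alongside the staged-rollout note above: a digest one release behind may simply mean the newest images haven't reached your tenant yet, while two or more behind means the server is out of support and needs the upgrade cycle approved or the maintenance window checked. An "Unknown" result usually means the table hasn't been updated for a newer release.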
October 2, 2024
Image hash values:
agentImageDigest: sha256:7921c2e97217fa17de4ab69396d943e4975d323417b8b813211e2f8b639f64e1
serverImageDigest: sha256:0efab5013351bcd81f186973e75ed5d9f91bbe6271e3be481721500f946fc9ec
Changes in this release:
- Upgrade from .NET 6 to .NET 8
- Upgrade ocserv to version 1.3.0
- Fix rootless container bug in installer
September 12, 2024
Image hash values:
agentImageDigest: sha256:17158c73750ff2c7157e979c2f4ff4e175318730c16aa8d0ee6526a969c37c59
serverImageDigest: sha256:6484d311d1bd6cbe55d71306595715bafa6a20a000be6fd6f9e530716cef6c16
Changes in this release:
- Add diagnostic tools for host troubleshooting
- Upgrade Azure Linux image to 2.0.20240829
August 12, 2024
Image hash values:
agentImageDigest: sha256:4d16b1f458c69c3423626906b0b577cb42c8d22f4240205299355c6217e08a6b
serverImageDigest: sha256:66559e142d489491ca8f090b50f4a444a3394f850a5ec09fb9f3e6f986d93c46
Changes in this release:
- Support customizing container registry during installation
- Support customizing container creation options during installation
- Security updates on the base image
June 20, 2024
Image hash values:
agentImageDigest: sha256:2c700282bbb525ca42c4da0827a62bee6e8079b36572cf777db72810dac3a788
serverImageDigest: sha256:5ba3c960be6b9da4569a019fcd57509c25a89106fc689fbf4fe38f0bdb98fbdd
Changes in this release:
- AL base image - Use Azure Linux as the base image for the Tunnel containers
- Improvement on cert revocation check
May 16, 2024
Image hash values:
agentImageDigest: sha256:50b62c1d7f81e2941fc73a09856583ea752fe821e9fef448114fe7e00f90f25a
serverImageDigest: sha256:f6249bc16f90abc9e6fb278c74e07b1c3e295cc0614d38ae20036cee50ff5c56
Changes in this release:
- Hardened containers by reducing the container capabilities to minimum
- Security updates on the base image
April 22, 2024
Image hash values:
agentImageDigest: sha256:987028e043434cabf9a85a8be232a35cb10d6499ab9fa2b0ac33bd214455cdf6
serverImageDigest: sha256:95106796faa4648ffe877c1ae4635037fd8bd630498bb3caea366e3c832f84cc
Changes in this release:
- Added rootless Podman container support
- Fixed "mst-cli server capture" command
- Fixed some TLS certificate revocation check failures
March 14, 2024
Image hash values:
agentImageDigest: sha256:a0fa473b477c051445548f9e024cd58b3f87b0a87da7bafdf0d71ad6bb49a7c5
serverImageDigest: sha256:5f3f34f3f11a4d45efdd369e86d183cae0fafdd78c9c1d0a9275f26ce64e5510
Changes in this release:
- Bug fix: recreate the /tmp/mstunnel folder during upgrading if missing.
- Update OpenConnect VPN Server to version 1.2.3.
- Enhancements on the diagnostic tool.
- Security updates on the base image.
February 1, 2024
Image hash values:
agentImageDigest: sha256:845aee9cbe3e4c9bd70b1b8108cd5108e454aff38237b236f75092164c885023
serverImageDigest: sha256:6f444d251b56e467b8791201f554b22d1431a135a5f66bc45638cec453e22b47
Changes in this release:
- Bug fix: do not issue the "docker network reload" command to reset the network. The command is not supported on Docker.
- Security updates on the base image.
January 4, 2024
Image hash values:
agentImageDigest: sha256:9cd55c3f4ea4b4ff8212db46a81a0ceda29c3e9c534226ee4d0ce896bcc32596
serverImageDigest: sha256:0389d8c16794cf2f982a955a528b0bbba79b7c7180fd5706f44bb691ca61734d
Changes in this release:
- Bug fix: Rootless container fix
- MTG handling for Diagnostic and Log Upload request in HB response
November 14, 2023
Image hash values:
agentImageDigest: sha256:fd64c2f2ae3c2f411188a35da65e23385c9124c8f98b3614e0fb6500f59cf485
serverImageDigest: sha256:7385c838ed95f3f5fea48a3e277223e4faa502d64205f182cf43740ad4dd9573
Changes in this release:
- Bug fix: Resolved the issue causing the MSTunnel server container to become stuck in an improper state
- Enforce the use of TLS 1.2 in the agent and mstunnel apps
October 4, 2023
Image hash values:
agentImageDigest: sha256:6c19b0aa077692b0d70ede9928f02b135122951708f83655041d0a40e8448039
serverImageDigest: sha256:9b477e6bc029d2ebadcafd4db3f516e87f0209b50d44fa2a5933aa7f17e9203b
Changes in this release:
- Bug fix: add legacy NAT tables for the mstunnel-server container on CentOS 7 and Red Hat 7 hosts
- Bug fix: add SELinux policy to allow TCP DNS traffic for the containers on Red Hat hosts
- Increase mstunnel-server container pid limit to 10000