Secure Mobile Access 12.4 Connect Tunnel User Guide

Provisioning of Connect Tunnel using SCCM or Intune

This section provides information on how to provision Connect Tunnel using SCCM or Intune.

Creating a Default Profile

The Connect Tunnel setup executable accepts a few command-line parameters to initialize the default connection profile during setup.

Command     Description
Name        Name of the VPN profile
VpnServer   Host name or IP address of the appliance
Realm       Realm name (only user VPN realm, Device VPN realm is not recommended)

Example configuration:

MCTSetup.exe Name=Vpnname VpnServer=vpn.example.com Realm="Split Tunnel"

The above configuration process accepts additional parameters for either silent or non-interactive installation.

Parameter      Description
/s             Silent installation without any UI display
/passive       Non-interactive installation with minimal UI display
/log logfile   Installer logs can be redirected to logfile instead of default location %temp%
RemoveLegacy   Uninstalls legacy Connect Tunnel when installing the Modern Connect Tunnel. Pass a value true or yes to uninstall legacy CT.

Example:

MCTSetup.exe /passive Name=Vpnname VpnServer=vpn.example.com Realm="Split Tunnel" RemoveLegacy=yes

If the RemoveLegacy parameter is not specified and the installer is running in interactive mode, setup prompts the user to uninstall the Legacy Connect Tunnel.

Example configuration:

MCTSetup.exe /passive Name=Vpnname VpnServer=vpn.example.com Realm="Split Tunnel"

Setup does not accept an INI file for configuration; only the parameters mentioned above are supported.

When parameters are passed for the default profile, the profile is not created during installation but only on first launch. The parameters are kept in the registry and used for initialization when the application launches.

Configuration of Device VPN

The Legacy Connect Tunnel and Connect Tunnel Service (CTS) are deprecated from 12.4.1 onwards. If you still wish to use CTS in 12.4.2, SMA recommends using Device VPN, which is similar to Connect Tunnel Service.

The setup accepts additional parameters to allow configuration of Device VPN. The VpnServer parameter mentioned above is a prerequisite for this configuration.

Parameter              Description
DeviceVpn              Pass value 1 to enable Device VPN
EnableVpnOnlyNetwork   Pass value 1 to restrict network access to VPN only network. This is effective only when the parameter DeviceVpn is enabled.
DisableUserVpn         Pass value 1 to disable User VPN and run only Device VPN to get similar functionality like Connect Tunnel Service (Legacy). This is effective only when the parameter DeviceVpn is enabled. This disables the Connect button and user will not have any control to launch User VPN.

Example configuration:

MCTSetup.exe Name=Vpnname VpnServer=vpn.example.com DeviceVpn=1

MCTSetup.exe Name=Vpnname VpnServer=vpn.example.com DeviceVpn=1 DisableUserVpn=1

Support for Always-On VPN

The Connect Tunnel client supports limited features of Always-On VPN from the Legacy CT client. To achieve alternative and better functionality, use a combination of Device VPN, Auto Launch, and Network Logon modes.

The Device VPN can be restricted to block all internet traffic except for the tunnel interface with the switch EnableVpnOnlyNetwork.

Support for Auto Launch at Windows Logon

The Connect Tunnel client supports auto-launch at Windows logon, which is useful when Device VPN or Always-On VPN is not configured but users want to connect to the VPN automatically.

This setting can be enabled from Advanced Settings > General tab or by passing "AutoConnect=1" parameter to Connect Tunnel setup. By default, this setting is disabled.
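
The setup parameters on this page have dependencies that a deployment script can check before the installer runs: EnableVpnOnlyNetwork and DisableUserVpn take effect only with DeviceVpn=1, and values containing spaces must be quoted. The PowerShell wrapper below is an added example for an SCCM or Intune package, not vendor code; the function names, the log path (whose directory is assumed to exist), and the treatment of exit code 0 as success are assumptions.

```powershell
# Added example (not vendor code). Function names, the log path and the
# "exit code 0 = success" convention are assumptions, not from the guide.
function Format-MctValue([string]$Value) {
    # A double quote inside a value would end the quoted argument early.
    if ($Value -match '"') { throw "Double quote not allowed in value: $Value" }
    if ($Value -match '\s') { return "`"$Value`"" }   # e.g. Realm="Split Tunnel"
    return $Value
}

function New-MctSetupArguments {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$VpnServer,   # prerequisite for Device VPN
        [string]$Realm,                             # user VPN realm only
        [string]$LogFile,
        [switch]$DeviceVpn,
        [switch]$EnableVpnOnlyNetwork,
        [switch]$DisableUserVpn,
        [switch]$AutoConnect,
        [switch]$RemoveLegacy
    )
    # Both switches are effective only with DeviceVpn=1; stop the deployment
    # rather than install a client whose network restriction is not applied.
    if (($EnableVpnOnlyNetwork -or $DisableUserVpn) -and -not $DeviceVpn) {
        throw 'EnableVpnOnlyNetwork and DisableUserVpn require -DeviceVpn.'
    }
    $parts = @('/s')                                # silent, no UI
    if ($LogFile) { $parts += '/log', (Format-MctValue $LogFile) }
    $parts += "Name=$(Format-MctValue $Name)"
    $parts += "VpnServer=$(Format-MctValue $VpnServer)"
    if ($Realm)                { $parts += "Realm=$(Format-MctValue $Realm)" }
    if ($DeviceVpn)            { $parts += 'DeviceVpn=1' }
    if ($EnableVpnOnlyNetwork) { $parts += 'EnableVpnOnlyNetwork=1' }
    if ($DisableUserVpn)       { $parts += 'DisableUserVpn=1' }
    if ($AutoConnect)          { $parts += 'AutoConnect=1' }
    if ($RemoveLegacy)         { $parts += 'RemoveLegacy=yes' }
    return ($parts -join ' ')
}

$setupArgs = New-MctSetupArguments -Name 'Vpnname' -VpnServer 'vpn.example.com' `
    -Realm 'Split Tunnel' -DeviceVpn -EnableVpnOnlyNetwork -RemoveLegacy `
    -LogFile 'C:\ProgramData\MCTSetup\install.log'
Write-Output "MCTSetup.exe $setupArgs"

if (Test-Path '.\MCTSetup.exe') {
    $p = Start-Process -FilePath '.\MCTSetup.exe' -ArgumentList $setupArgs -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "MCTSetup.exe exited with code $($p.ExitCode)" }
}
```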
