File and command reference for Microsoft Tunnel Gateway, a VPN solution for Micr...
source link: https://docs.microsoft.com/en-us/mem/intune/protect/microsoft-tunnel-reference?WT_mc_id=EM-MVP-5001447
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Reference for Microsoft Tunnel Gateway
- 09/23/2020
- 5 minutes to read
In this article
The information in this reference for Microsoft Tunnel Gateway is provided to support installation and maintenance of the tunnel installation in your environment.
mst-cli command-line tool for Microsoft Tunnel Gateway
Mst-cli is a command-line tool for use with Microsoft Tunnel Gateway. This tool is available on the Linux server after the tunnel completes installation and is found at /usr/sbin/mst-cli. Some tasks you can use this tool to complete include:
- Get information about the tunnel server.
- Set or update the configuration of the tunnel server.
- Restart the tunnel server.
- Uninstall the tunnel server. The following are common command line uses of the tool.
Command-line interface:
mst-cli –help
- Usage: mst-cli [command]Commands:
agent
- Operate on the agent component.server
- Operate on the server component.uninstall
- Uninstall the Microsoft Tunnel.eula
- Show the EULA.import_cert
- Import the TLS certificate.
mst-cli agent –help
- Usage: mst-cli agent [command]Commands:
logs
- Show the agent logs (-h for more information).status
- Show the agent status.start
- Start the agent service.stop
- Stop the agent service.restart
- Restart the agent service.
mst-cli agent logs help
- Usage: mst-cli agent logs [flags]Flags:
-f, --follow
- Follow log output. The default is false.--since string
- Show logs since TIMESTAMP.--tail uint
- Output the specified number of LINES at the end of the logs. Defaults to zero (0), which prints all lines.-t, --timestamps
- Output the timestamps in the log.
mst-cli agent status
- The following returns are examples of results you might see:- State: running
- Health: healthy
mst-cli agent start
- Starts the agent if it's stopped.mst-cli agent stop
- Stops the agent. Must be started manually after stopped.mst-cli agent restart
- Restarts the agent.mst-cli server --help
- Usage: mst-cli server [command]Commands:
logs
- Show the server logs. Use -h for more information.status
- Show the server status.start
- Start the server service.stop
- Stop the server service.restart
- Restart the server service.show
- Show various server stats. Use -h for more information.
mst-cli server logs –help
- Usage: mst-cli server logs [flags]Flags:
-f, --follow
- Follow log output. The default is false.--since string
- Show logs since TIMESTAMP--tail uint
- Output the specified number of LINES at the end of the logs. Defaults to zero (0), which prints all lines.-t, --timestamps
- Output the timestamps in the log.
mst-cli server status
- The following returns are examples of results you might see:- State: running
- Health: healthy
mst-cli server start
- Starts the server if it's stopped.mst-cli server stop
- Stops the server. Must be started manually after stopped.mst-cli server restart
- Restarts the server.mst-cli server show
show status
- Prints the status and statistics of the server.show users
- Prints the connected users.show ip bans
- Prints the banned IP addresses.show ip ban points
- Prints all the known IP addresses that have points.show iroutes
- Prints the routes provided by users of the server.show sessions all
- Prints all the session IDs.show sessions valid
- Prints all the valid for reconnection sessions.show session [SID]
- Prints information on the specified session.show user [NAME]
- Prints information on the specified user.show id [ID]
- Prints information on the specified ID.show events
- Provides information about connecting users.show cookies all
- Alias for show sessions all.show cookies valid
- Alias for show sessions valid.
Environment variables
Following are environment variables you might want to configure when you install the Microsoft Tunnel Gateway software on the Linux server. These variables are found in the environment file /etc/mstunnel/env.sh:
- http_proxy=[address] - The HTTP address for your proxy server.
- https_proxy=[address] - The HTTPs address for your proxy server.
Data Paths
Data Paths Path/File Description Permissions /…/mstunnel The root directory for all configuration. Owner root, Group mstunnel /…/mstunnel/admin-settings.json Contains the settings for the server install. This file is managed by Intune and shouldn't be edited manually.
/…/mstunnel/certs The directory where the TLS certificate is stored. Owner root, Group mstunnel /…/mstunnel/private The directory where the Intune Agent certificate and the TLS private key are stored. Owner root, Group mstunnel
Files add during server installation
/etc/mstunnel:
admin-settings.json:
- Contains the serialized Server configuration from Intune.
- Created after the server has enrolled.
agent-info.json:
- Created when the enrollment is complete.
- AgentId, IntuneTenantId, AADTenantId, and the agent certificate RenewalDate.
- Updated on agent certificate renewal.
private/agent.p12:
- PFX certificate used for agent authentication to Intune.
- Automatically renewed.
version-info.json:
- Contains version information for the various components.
- ConfigVersion, DockerVersion, AgentImageHash, AgentCreateDate, ServerImageHash, ServerCreateDate.
ocserv.conf:
- Server configuration
Images_configured
The Docker images used to create the containers:
- agentImageDigest
- serverImageDigest
Example of admin-settings.json
{
"PolicyName": "Auto Generated Policy for rh7vm",
"DisplayName": "rh7vm Policy",
"Description": "This policy was auto generated for rh7vm",
"Network": "169.100.0.0/16",
"DNSServers": ["168.63.129.16"],
"DefaultDomainSuffix": "nmqjwlanybmubp4imht0k2b4qd.xx.internal.cloudapp.net",
"RoutesInclude": ["default"],
"RoutesExclude": [],
"ListenPort": 443
}
Docker commands
The following are common commands for Docker that can be of use if you must investigate problems on a tunnel server.
Command-line interface:
docker ps –a
– See all containers.- mstunnel-server – This container runs the ocserv server components, and uses inbound Port 443 (default), or a custom port configuration.
- mstunnel-agent - This container runs the Intune connector and uses outbound Port 443.
To restart Docker:
systemctl restart docker
To run something in a container:
docker exec –it mstunnel-server bash
docker exec –it mstunnel-agent bash
Linux commands
The following are common Linux commands you might use with a tunnel server.
sudo su
– Makes you root on the box. Use this command before running the following commands, and before you run mstunnel-setup.ls
– list contents of the directory.ls – l
– List contents of directory including timestamps.cd
– change to another directory. For example,cd /etc/test/stuff
changes you from the root directory to the etc subfolder > to the test subfolder > and then to the stuff folder.cp <source> <destination>
- Useful for copying the certs to the right location.ln –s <source> <target>
- Create a softlink.curl <URL>
– Checks access to a website. For example:curl https://microsoft.com
./<filename>
- Run a script.
Is this page helpful?
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK