The Windows VPN Policy in Swif.ai allows administrators to deploy fully-customized VPN connection profiles to Windows 10+ devices.
This policy supports nearly every configuration field exposed by Windows’ native VPN CSP, including authentication, routing, traffic filters, DNS rules, and XML-based configuration.
This policy is designed for both BYOD and company-owned devices.
Requirements
Windows 10+
What This Policy Does
This policy configures the Windows VPN profile on the device. You can:
Create a new VPN profile.
Configure authentication (username/password, EAP, certificates).
Specify connection behavior (always-on, auto-connect, trusted network rules).
Define traffic filters using Windows Firewall–style rule syntax.
Configure DNS rules, routing tables, and proxy settings.
Use a full XML configuration, if preferred.
1. Basic Profile Information
VPN Profile Name
Defines the name of the VPN profile shown in Windows Settings.
Config Type
XML – Allows full XML VPN configuration.
If XML is selected, you must paste the full XML payload into XML Content.
XML Content
Paste the complete VPN XML configuration. This overrides most UI-level fields.
2. Connection Properties
VPN Server
Set the VPN server’s hostname or IP.
Connection Name
The display name used in Windows.
Tunnel Type
Examples include:
IKEv2
L2TP
PPTP
AlwaysOn / Automatic
Remember Credentials
Toggle whether Windows stores the user’s VPN credentials.
Authentication Parameters
Fields include:
Authentication Method (EAP, MSCHAPv2, Pre-shared key)
EAP Configuration (raw XML)
Shared Secret
Use Internal Network
3. Proxy Configuration
Includes:
Automatic Configuration Script URL
Proxy Server
Bypass List
Auto Detect Settings
4. DNS Configuration
Fields include:
DNS Suffix
DNS Servers
Register DNS
Proxy DNS
Resolve DNS in VPN
5. Traffic Filter Rules
These optional fields create firewall-style traffic rules for the VPN connection.
Each filter includes:
App ID
Specifies an AppX package or desktop app path.
Claims
Security Descriptor Definition Language (SDDL) claim rules.
Protocol
0–255 protocol number (TCP = 6, UDP = 17).
Local Port Ranges
Comma-separated list (e.g., 100-120,200,300-320).
Remote Port Ranges
Local Address Ranges
Remote Address Ranges
Routing Policy Type
For example:
App
Network
Claims
Direction
Outbound (default)
Inbound
6. Route Configuration
You may add multiple route entries. Each contains:
Address
Destination prefix in IPv4 format.
Prefix Size
CIDR prefix length for the subnet (e.g., 24).
These routes will be added to the VPN interface routing table.
7. Trusted Network Rules
Options include:
Trusted Network Detection
Block Outside Connections
Always-On VPN
These settings allow the VPN to automatically establish or disconnect based on network conditions.
8. Connection Behavior Settings
Fields:
Disable State Detection
Disable IPv6
Lockdown Mode
Reconnect when Dropped
Auto-Trigger Conditions
WiFi SSIDs that trigger connection
Cellular/WiFi/Ethernet behavior
Best Practices
If using XML mode
XML overrides many UI fields—ensure that the XML includes all necessary configuration.
Validate your XML against Microsoft’s VPNv2 CSP documentation.
If using traffic filters
Start with minimal rules and add gradually.
Ensure routing rules align with split-tunneling or full-tunnel design.
If deploying to BYOD
Keep credentials external and avoid automatically storing passwords.
Troubleshooting
VPN profile not appearing on Windows
Confirm that VPN Profile Name is unique.
XML errors can silently break deployment.
Connection fails immediately
Verify tunnel type compatibility with your VPN server.
Ensure protocol, ports, and routing match server configuration.
DNS not resolving
Check DNS Servers, Proxy DNS, and split-tunnel rules.
Traffic rules blocking too much
Remove restrictive fields such as port/address ranges and retest.
Summary
The Windows VPN Policy is one of the most advanced policies in Swif.ai, enabling full lifecycle management of VPN connections on Windows. With support for XML, traffic filters, DNS, routing, proxy, authentication, and Always-On VPN features, it is suitable for even the most complex enterprise VPN deployments.