Before you set up Tunnel for Windows 10

Review the following before proceeding with setting up Tunnel for Windows 10:

Required components for deploying Tunnel for Windows 10

The following components are required for a Tunnel deployment:

Standalone Sentry with AppTunnel enabled or Access.

Unified Endpoint Management (UEM):

- Core


- Cloud

Windows 10 devices registered with a UEM.

For supported versions see the Tunnel for Windows Release Notes.

Requirements for configuring Tunnel for Windows 10

Ensure the following before configuring Tunnel for Windows 10:

If your deployment uses Standalone Sentry:
- You have installed Standalone Sentry. See the Standalone Sentry Installation Guide.
- Standalone Sentry is set up for AppTunnel using identity certificates for device authentication.

For information about setting up a Standalone Sentry for AppTunnel, see the MobileIron Sentry Guide for your Unified Endpoint Management (UEM).

If your deployment uses Access, you have set up Access.

For more information, see the Access Guide.

The appropriate ports are open.

Core: See the On-Premise Installation Guide for information on required ports and firewall rules associated with license activation, Standalone Sentry, and different content servers.

Cloud: See the Cloud Architecture and Port Requirements document for more information on ports and firewall rules.

You cannot use an existing Tunnel for Windows Phone devices (WP8.1) setup. Create separate configurations for Tunnel for Windows 10 Desktop devices.

A separate Standalone Sentry is not required for Tunnel for Windows 10 Desktop setup. However, you cannot use the Standalone Sentry that is being used for Tunnel for Windows Phone devices (WP8.1)

Recommendation for setting up Tunnel for Windows 10

Ivanti, Inc recommends that Standalone Sentry use a trusted CA certificate.

If Standalone Sentry uses a self-signed certificate, do the following additional setup in Core:

- In the Services > Sentry page, for the Standalone Sentry, click the View Certificate link. This makes the Standalone Sentry’s certificate known to Core.
- Follow the instructions in the Using a Self-signed certificate with Standalone Sentry and Tunnel knowledge base article in the Support and Knowledge Base portal at

Ivanti, Increcommends using Windows 10 TH2.

Limitations for Tunnel for Windows 10

UDP functionality and scale will vary dependent on specific applications. Performance of real-time audio and video apps has not been tested.

Windows 10 app behavior may vary. Some Windows 10 apps may not trigger Tunnel VPN.

Trusted front-end deployments are not supported.

Context headers are not supported.

Domain names and IP addresses are not supported for triggering Tunnel VPN.

Per app triggering does not work as expected with Windows 10 TH1.

Windows Explorer triggers Tunnel only after a system restart.