Customizing Microsoft Tunnel Gateway VPN server configuration

When configuring a Microsoft Tunnel Gateway (MTG) server, the typical setup involves using the site’s Configuration options for MTG in the Microsoft Intune portal. This portal offers tools for managing fundamental server settings.
However, certain organizations may require more advanced configurations, such as adjusting the MTU, modifying session timeouts, or restricting the supported TLS ciphers. These advanced settings are not exposed in the portal, but they can still be applied by deploying them via the Graph API.
This capability empowers administrators to make changes to settings reflected in the server’s configuration file (ocserv.conf) from a central location. These settings will apply to all servers associated with the same server configuration. In this post, I will guide you through the process of deploying custom configurations using Graph Explorer.

As part of this demonstration, let’s update the session-timeout value. Follow these steps:

From a browser, go to https://developer.microsoft.com/en-us/graph/graph-explorer to launch Graph Explorer.
Sign in with an admin account that has the necessary permissions to update MTG server settings.
Execute a GET command at: https://graph.microsoft.com/beta/deviceManagement/microsoftTunnelConfigurations
Copy the ID corresponding to the server configuration you want to edit. For example:

Include the ID as part of the previously used URL. In the ‘Request Body’ section, specify the name of the setting and the new value you wish to configure. Afterward, execute a PATCH operation to trigger the update. For instance, let’s say you want to update the session timeout to 5000:

Expect a 204 “No Content” response. Note that the request body section should contain the settings you wish to update. Pay attention to the format:

{
    "advancedSettings": [
        {
            "name": "session-timeout",
            "value": "5000"
        }
    ]
}

Next, run a new GET operation against the same URL to verify that the server configuration's advancedSettings now include the new value.

The new configuration should propagate to the servers within approximately 20 minutes.

Important! If a setting name or value is mistyped or misspelled, the VPN engine will silently disregard it, so verify the spelling against ocserv.conf before deploying. If the setting already exists, the old value will be replaced with the new one.

Additional Information

Note that multiple settings can be included in the same request. For example, to update the session-timeout, change the MTU, and disable MTU discovery in one operation, the request body for the PATCH operation would be:

{
    "advancedSettings": [
        {
            "name": "session-timeout",
            "value": "5000"
        },
        {
            "name": "mtu",
            "value": "1280"
        },
        {
            "name": "try-mtu-discovery",
            "value": "False"
        }
    ]
}

The format follows a simple logic: 'name' is the name of the setting you want to edit, exactly as it appears in the ocserv.conf file, and 'value' is the new value you wish to assign to that setting.
To view the available settings and their current values, run 'cat /etc/mstunnel/ocserv.conf' on one of the MTG servers.
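The following script is an added example, not code from the original post or from Microsoft, that automates the procedure above for both the single-setting and the multi-setting case. It validates the requested setting names against the names found in ocserv.conf (so a misspelled name is caught client-side instead of being silently disregarded by the VPN engine), builds the advancedSettings body, and constructs the PATCH against the microsoftTunnelConfigurations endpoint from the post. The ocserv.conf excerpt, the existing advancedSettings list and the configuration ID are constructed sample data. One assumption: the example sends the full merged advancedSettings list (existing entries plus updates) rather than only the changed entries, because the post does not state whether Graph merges or replaces the array on PATCH; sending the full list is safe under either behaviour.

```python
"""Added example: validate and build a Microsoft Graph PATCH request for a
Microsoft Tunnel Gateway server configuration. Not Microsoft's code; the
ocserv.conf excerpt, the existing settings and the config ID are constructed."""
import json
import urllib.request

# Endpoint from the post (beta Graph API).
GRAPH_BASE = "https://graph.microsoft.com/beta/deviceManagement/microsoftTunnelConfigurations"

# Constructed excerpt of /etc/mstunnel/ocserv.conf, used only to learn valid setting names.
SAMPLE_OCSERV_CONF = """\
# ocserv configuration (constructed sample, not a real server's file)
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
session-timeout = 3600
mtu = 1400
try-mtu-discovery = true
"""


def parse_ocserv_setting_names(conf_text):
    """Return the set of setting names defined in an ocserv.conf text.
    Comment lines and lines without '=' are skipped."""
    names = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        names.add(line.split("=", 1)[0].strip())
    return names


def merge_advanced_settings(existing, updates):
    """Overwrite entries whose name appears in updates, keep all others,
    and append names that were not present. Values are sent as strings,
    matching the request body shown in the post."""
    merged = [dict(entry) for entry in existing]
    by_name = {entry["name"]: entry for entry in merged}
    for name, value in updates.items():
        if name in by_name:
            by_name[name]["value"] = str(value)
        else:
            entry = {"name": name, "value": str(value)}
            merged.append(entry)
            by_name[name] = entry
    return merged


def build_patch_body(updates, existing=(), known_names=None):
    """Build the PATCH body. Raises ValueError for names absent from known_names,
    because the VPN engine silently ignores misspelled settings."""
    if known_names is not None:
        unknown = sorted(set(updates) - set(known_names))
        if unknown:
            raise ValueError(f"unknown ocserv settings: {unknown}")
    return {"advancedSettings": merge_advanced_settings(list(existing), updates)}


def config_url(config_id):
    """URL of one server configuration: the collection URL plus the copied ID."""
    return f"{GRAPH_BASE}/{config_id}"


def patch_configuration(token, config_id, body):
    """Send the PATCH (network call, not exercised offline). Returns the HTTP status;
    the post says to expect 204 No Content."""
    req = urllib.request.Request(
        config_url(config_id),
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    known = parse_ocserv_setting_names(SAMPLE_OCSERV_CONF)
    # Constructed stand-in for the advancedSettings returned by the earlier GET.
    existing = [{"name": "session-timeout", "value": "3600"}]
    body = build_patch_body(
        {"session-timeout": 5000, "mtu": 1280, "try-mtu-discovery": "False"},
        existing, known)
    print("PATCH", config_url("PLACEHOLDER-CONFIG-ID"))
    print(json.dumps(body, indent=2))
```

To use it against a real tenant, replace PLACEHOLDER-CONFIG-ID with the ID copied from the GET response, pass a bearer token obtained for an account with the permissions mentioned above, and feed the GET response's advancedSettings in as `existing`; the validation step means a typo such as "sesion-timeout" fails locally instead of being deployed and ignored.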
