Secure Mobile Access 12.4 Connect Tunnel User Guide

Provisioning of Connect Tunnel using SCCM or Intune

This section provides information on how to provision Connect Tunnel using SCCM or Intune.

Creating a Default Profile

The Connect Tunnel setup executable accepts a few command-line parameters to initialize the default connection profile during setup.

Name: Name of the VPN profile
VpnServer: Host name or IP address of the appliance
Realm: Realm name (only user VPN realm; Device VPN realm is not recommended)

Example configuration:

MCTSetup.exe Name=Vpnname Realm="Split Tunnel"

The setup also accepts additional parameters for either silent or non-interactive installation.

/s: Silent installation without any UI display
/passive: Non-interactive installation with minimal UI display
/log logfile: Installer logs can be redirected to logfile instead of the default location %temp%

RemoveLegacy: Uninstalls legacy Connect Tunnel when installing the Modern Connect Tunnel. Pass a value of true or yes to uninstall legacy CT.


MCTSetup.exe /passive Name=Vpnname Realm="Split Tunnel" RemoveLegacy=yes

If the RemoveLegacy parameter is not specified and the installer is running in interactive mode, setup prompts the user to uninstall Legacy Connect Tunnel.

Example configuration:

MCTSetup.exe /passive Name=Vpnname Realm="Split Tunnel"

The setup does not accept an INI file for configuration; only the parameters mentioned above are supported.

When parameters are passed for the default profile, the profile is not created during installation but only on first launch. The parameters are kept in the registry and used for initialization when the application is launched.

Configuration of Device VPN

The Legacy Connect Tunnel and Connect Tunnel Service (CTS) are deprecated from 12.4.1 onwards. If you still wish to use CTS in 12.4.1, SMA recommends using Device VPN, which is similar to Connect Tunnel Service.

The setup accepts additional parameters to allow configuration of Device VPN. The VpnServer parameter mentioned above is a prerequisite for this configuration.

DeviceVpn: Pass value 1 to enable Device VPN

Pass value 1 to restrict network access to VPN only network

This is effective only when the parameter DeviceVpn is enabled.


DisableUserVpn: Pass value 1 to disable User VPN and run only Device VPN, which provides functionality similar to Connect Tunnel Service (Legacy).

This is effective only when the parameter DeviceVpn is enabled.

This disables the Connect button, and the user will not have any control to launch User VPN.

Example configuration:

MCTSetup.exe Name=Vpnname DeviceVpn=1

MCTSetup.exe Name=Vpnname DeviceVpn=1 DisableUserVpn=1
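
The following PowerShell wrapper is an added example and is not part of the SonicWall documentation. It checks the parameter dependencies described above and quotes values before running a silent install; the function name, installer and log paths, and the sample host name are assumptions.

```powershell
# Added example: build and run the MCTSetup.exe command line for SCCM/Intune.
# The function name, paths and sample values are assumptions, not from the guide.
function New-MctSetupArguments {
    param(
        [Parameter(Mandatory)][string]$Name,   # every example in the guide passes Name
        [string]$VpnServer,
        [string]$Realm,
        [switch]$DeviceVpn,
        [switch]$DisableUserVpn,
        [switch]$RemoveLegacy,
        [string]$LogFile
    )
    # Dependencies stated in the guide: Device VPN needs VpnServer, and
    # DisableUserVpn is effective only when DeviceVpn is enabled.
    if ($DeviceVpn -and -not $VpnServer) {
        throw 'DeviceVpn=1 requires the VpnServer parameter.'
    }
    if ($DisableUserVpn -and -not $DeviceVpn) {
        throw 'DisableUserVpn=1 is effective only when DeviceVpn=1 is set.'
    }
    # Reject embedded double quotes so a value cannot split into extra arguments.
    foreach ($v in $Name, $VpnServer, $Realm, $LogFile) {
        if ($v -match '"') { throw "Value contains a double quote: $v" }
    }
    # Quote values that contain whitespace, as in Realm="Split Tunnel".
    $quote = { param($s) if ($s -match '\s') { '"{0}"' -f $s } else { $s } }

    $argList = @('/s')                                  # silent, no UI
    if ($LogFile)        { $argList += '/log', (& $quote $LogFile) }
    $argList += 'Name=' + (& $quote $Name)
    if ($VpnServer)      { $argList += 'VpnServer=' + (& $quote $VpnServer) }
    if ($Realm)          { $argList += 'Realm=' + (& $quote $Realm) }
    if ($DeviceVpn)      { $argList += 'DeviceVpn=1' }
    if ($DisableUserVpn) { $argList += 'DisableUserVpn=1' }
    if ($RemoveLegacy)   { $argList += 'RemoveLegacy=yes' }
    return $argList
}

# Constructed sample values; replace them with your appliance and realm.
$setupArgs = New-MctSetupArguments -Name 'Vpnname' -VpnServer 'vpn.example.com' `
    -Realm 'Split Tunnel' -DeviceVpn -RemoveLegacy -LogFile 'C:\Windows\Temp\MCTSetup.log'
Write-Output ($setupArgs -join ' ')                     # the exact command line used

if (Test-Path '.\MCTSetup.exe') {
    $p = Start-Process -FilePath '.\MCTSetup.exe' -ArgumentList ($setupArgs -join ' ') `
        -Wait -PassThru
    exit $p.ExitCode                                    # surface the result to SCCM/Intune
}
```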

Support for Legacy Always-On VPN

The Connect Tunnel client supports limited features of Legacy Always-On VPN, which is configured during the session based on the administrative configuration.

Support for Auto Launch at Windows Logon

The Connect Tunnel client supports auto-launch at Windows logon. This is useful when Device VPN or Always-On VPN is not configured but users want to connect to the VPN automatically.

This setting can be enabled from Advanced Settings > General tab. By default, this setting is disabled.
