Virtual Private Network(VPN)

A Virtual Private Network (VPN) carries traffic between a device and the corporate network through an encrypted tunnel, and the tunnel is only established after the device or user authenticates to the VPN gateway, typically with credentials, a pre-shared key or a certificate. Enterprises rely on VPN so that corporate data reaching mobile devices is protected from eavesdropping and from unauthenticated users; without it, users cannot reach the corporate network when they are away from the office. Since mobile devices are now part of everyday productivity, that data has to be reachable from anywhere. As an administrator, you can therefore create VPN profiles in MDM and associate them with the managed mobile devices.

VPN and VPN On-Demand

When a plain VPN profile is configured on a device, the user has to turn the VPN on manually each time before accessing corporate data. Because the VPN runs over Wi-Fi or cellular data, the tunnel drops whenever the device loses Internet connectivity, and the user has to turn it on again to reach corporate resources. VPN On-Demand avoids this: as the name suggests, the tunnel is established automatically when the device connects to one of the configured domains, and the user never has to enable it by hand.

You specify the domains for which the VPN should be brought up; separate multiple domains with commas. The table below lists the inputs that need to be entered on the product server to configure VPN for mobile devices.
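To make the on-demand behaviour concrete, here is an added example (not code from the page or from Mobile Device Manager Plus) that turns a comma-separated domain list like the one entered above into Apple OnDemandRules and evaluates which hostnames would bring the tunnel up on a given network. The rule layout (keep the VPN down on a corporate SSID, evaluate per connection elsewhere), the domain-matching semantics and the network details are this example's assumptions; confirm them against the Apple Configuration Profile Reference for the OS version you deploy.

```python
"""Added example: model the VPN On-Demand domain list as Apple OnDemandRules and
check which hostnames would bring the tunnel up.

Assumptions (not from the page): the MDM field accepts a comma-separated domain
list; the rule layout and the suffix/wildcard matching below mirror the Apple
Configuration Profile Reference as I read it. Verify before relying on it.
"""
import plistlib
from typing import Optional


def parse_domain_list(raw: str) -> list[str]:
    """Split the comma-separated admin input, normalise case and trailing dots,
    and drop blanks and duplicates while preserving order."""
    domains: list[str] = []
    for part in raw.split(","):
        d = part.strip().lower().rstrip(".")
        if d and d not in domains:
            domains.append(d)
    return domains


def build_on_demand_rules(domains: list[str],
                          corporate_ssids: Optional[list[str]] = None) -> list[dict]:
    """Rules are evaluated top to bottom; the first rule whose match keys fit the
    current network decides the action."""
    rules: list[dict] = []
    if corporate_ssids:
        # On the corporate Wi-Fi the resources are reachable directly: keep VPN down.
        rules.append({"Action": "Disconnect",
                      "InterfaceTypeMatch": "WiFi",
                      "SSIDMatch": list(corporate_ssids)})
    # Anywhere else, bring the tunnel up only for connections to the listed domains.
    rules.append({"Action": "EvaluateConnection",
                  "ActionParameters": [{"Domains": domains,
                                        "DomainAction": "ConnectIfNeeded"}]})
    # Catch-all: anything not covered above leaves the VPN disconnected.
    rules.append({"Action": "Disconnect"})
    return rules


def domain_matches(host: str, pattern: str) -> bool:
    """A listed domain covers itself and its subdomains; an explicit '*.' prefix
    is accepted and means the same thing (assumed semantics)."""
    host = host.lower().rstrip(".")
    suffix = pattern.lower().rstrip(".")
    if suffix.startswith("*."):
        suffix = suffix[2:]
    return host == suffix or host.endswith("." + suffix)


def evaluate(rules: list[dict], host: str, *, interface: str = "Cellular",
             ssid: Optional[str] = None) -> str:
    """Return the action taken for a connection to `host` on the given network.
    'Direct' means the EvaluateConnection rule applied to the network but no
    listed domain matched, so the connection bypasses the VPN."""
    for rule in rules:
        if rule.get("InterfaceTypeMatch") not in (None, interface):
            continue
        if "SSIDMatch" in rule and ssid not in rule["SSIDMatch"]:
            continue
        if rule["Action"] != "EvaluateConnection":
            return rule["Action"]
        for params in rule["ActionParameters"]:
            if any(domain_matches(host, d) for d in params["Domains"]):
                return params["DomainAction"]
        return "Direct"
    return "Disconnect"


def to_plist_xml(rules: list[dict]) -> bytes:
    """Serialise the rules as they sit under the OnDemandRules key of a
    com.apple.vpn.managed payload (the rules only, not the whole profile)."""
    return plistlib.dumps({"OnDemandEnabled": 1, "OnDemandRules": rules})


if __name__ == "__main__":
    # Constructed sample input: two domains, one duplicated, one corporate SSID.
    rules = build_on_demand_rules(
        parse_domain_list("intranet.example.com, *.corp.example, intranet.example.com"),
        corporate_ssids=["CorpWiFi"])
    for host, net in [("intranet.example.com", {}),
                      ("wiki.corp.example", {"interface": "WiFi", "ssid": "Cafe"}),
                      ("wiki.corp.example", {"interface": "WiFi", "ssid": "CorpWiFi"}),
                      ("www.example.org", {})]:
        print(f"{host:24} {net or 'cellular'} -> {evaluate(rules, host, **net)}")
    print(to_plist_xml(rules).decode())
```

The catch-all Disconnect rule matters: without it, a device on an unknown network with no matching domain would fall through to the OS default rather than a policy you chose. The matching deliberately compares label boundaries (a dot before the suffix), so `corp.example.evil` does not trigger the tunnel for `corp.example`.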

The following built-in VPN connection types are supported by MDM:

In addition to the built-in VPN types listed above, Mobile Device Manager Plus also supports the following plug-in VPNs. These VPN types require an additional app to be installed on the devices.

NOTE: These apps can also be configured over-the-air using the App Configurations feature.

The Juniper SSL app is not available in the App Store, so this VPN type can only be configured on devices that already have the app installed. To configure a Custom SSL VPN, the admin must enter the app details manually. All the other plug-in apps can be added through Apple Business Manager (ABM) and distributed silently to devices. Click here to learn more about App Distribution and click here to learn how to install apps silently on iOS devices.

Using certificate for authentication

In addition to configuring VPN on managed devices, MDM also lets you provision VPN with a certificate as the means of authentication. Authentication is central to establishing a VPN connection, and certificate-based authentication is generally considered stronger than a pre-shared key: a shared secret pushed in a profile is the same on every device that receives it, so one leaked copy affects the whole fleet, whereas a certificate identifies an individual device and can be revoked on its own. In large VPN deployments, managing a large number of pre-shared keys is also cumbersome, and certificates scale much better. Additionally, pre-shared keys are typically bound to a peer IP address while certificates are not, so remote users with dynamically assigned IP addresses can authenticate using the identity information contained in the certificate. You can configure certificates as explained here and distribute them at scale as explained here.

The following documents will help you configure Cisco AnyConnect on your mobile devices-

Profile Specification

Description

VPN

Connection Name

Specify the name, which needs to be displayed as VPN name on the end user's mobile device

Connection Type

Connection type to be enabled

Server Name / IP Address

Host name or IP address of the server

Local Identifier (Can be configured only if the Connection Type is configured as IKEv2)

Specify the certificate identity of the user/device

Remote Identifier (Can be configured only if the Connection Type is configured as IKEv2)

Specify the certificate identity of the server

Account

'User Authentication to access the VPN' (%username%) will get the appropriate user name, mapped to the device

Realm (Can be configured only if Connection Type is set as Juniper SSL/Pulse VPN)

Specify the authentication realm. An authentication realm defines the criteria users must meet to use the VPN service. It is a grouping of authentication resources, such as the authentication server and the authentication policy, and is usually defined by the network administrators.

Role (Can be configured only if Connection Type is set as Juniper SSL/Pulse VPN)

Specify the user role. A user role is an entity defining user session parameters (such as session settings), personalization settings (such as bookmarks) and other enabled access features. For example, a user role may define whether or not a user can perform Web browsing.

User Authentication

Specify the user authentication type as password or RSA SecurID

Machine Authentication (Can be configured only if Connection Type is set as IPSec(Cisco))

Specify how the device authenticates to the gateway: with a shared secret or with an identity certificate. The fields that follow depend on this choice.

Password (Can be configured only if User authentication is set as Password)

Specify the password to be used for user authentication

Identity Certificate (Can be configured only if Machine Authentication is set as Certificate)

Specify the identity certificate to be used for certificate-based authentication. You can also use SCEP for this.

Include User PIN (Can be configured only if Machine Authentication is set as Certificate)

Specify whether the User PIN must be included or not.

Group Name (Can be configured only if User authentication is set as Password)

Specify the group name to be used for identifying the group. The group must end with [hybrid] if Hybrid Authentication is enabled

Shared secret

Specify the pre-shared secret

Use Hybrid Authentication (Can be configured only if Machine Authentication is set as Shared Secret)

Enable hybrid authentication, in which the gateway authenticates itself with a certificate while the user authenticates with a user name and password (XAUTH), instead of relying on the shared secret alone to authenticate both ends

Prompt for password (Can be configured only if Machine Authentication is set as Shared Secret)

Enable/Disable prompting password from the user

Encryption level (Can be configured only if Connection Type is set as PPTP)

Specify the MPPE encryption level for the PPTP tunnel (none, automatic or maximum). Note that PPTP is considered insecure and Apple removed PPTP support starting with iOS 10; prefer IKEv2 or another supported type for new deployments.

Send All traffic

Routes all network traffic through VPN connection

Custom Data (Can be configured only for Connection Type that support additional configurations)

Specify the custom data to include additional configurations to the VPN connection.

Plug-in identifier (Can be configured only if Connection Type is set as Custom SSL)

Specify the plug-in identifier to identify the apps and apply VPN on the device.

App name (Can be configured only if Connection Type is set as Custom SSL)

Specify the app name.

Advanced Settings (Can be configured only if Connection Type is set as IKEv2)

Dead Peer Detection(DPD) Rate

Dead Peer Detection (DPD) is used to detect whether the VPN gateway is still reachable once the tunnel is up, so that a dead tunnel can be torn down and re-established instead of silently dropping traffic. A high rate sends the liveness check frequently (at short intervals); medium and low lengthen the interval between checks.

Enable Perfect Forward Secrecy(PFS)

Perfect Forward Secrecy (PFS) ensures that the secrecy of past sessions does not depend on the long-term keys staying secret: each session's keys come from a fresh key exchange, so an attacker who later obtains the long-term key or password cannot decrypt traffic captured earlier.

Enable Certificate Revocation Check

Enable this to have the device check whether the CA has revoked the certificate presented during IKEv2 authentication; without it, a revoked certificate is still accepted.

Disable MOBIKE

MOBIKE keeps the tunnel to the VPN gateway alive while the device moves from one IP address to another (for example, when it switches from Wi-Fi to cellular). If the host is connected to multiple networks, MOBIKE can also move traffic to a different interface when the one currently in use stops working.

Use internal IPv4 subnet

Allow or restrict use of the internal IPv4 subnet attributes distributed by the gateway.

Disable Redirect

Allow/Restrict redirection of connection from one VPN gateway to another.

IKE SA Parameters(Can be configured only if Connection Type is set as IKEv2)

The Internet Key Exchange Security Association (IKE SA) is negotiated first when the device contacts the VPN gateway; it authenticates the two ends (with a certificate, a pre-shared key or user credentials) and protects the negotiation of the Child SA that follows.

Encryption Algorithm

The encryption algorithm used to protect the IKE negotiation itself. Options such as AES, ChaCha20-Poly1305 (listed as POLY) and legacy DES are offered; DES and 3DES are considered weak and should be avoided where the gateway supports AES.

Integrity Algorithm

The integrity algorithm used to protect the IKE negotiation. Options from the SHA family and MD5 are offered; MD5 and SHA-1 are considered weak, so prefer SHA-2 where the gateway supports it.

Diffie-Hellman Group

Specify the Diffie-Hellman group used for the key exchange; larger groups (14 and above) provide stronger keys.

Lifetime(in minutes)

Specify the IKE SA lifetime in minutes: how long the negotiated keys remain valid before the device and gateway renegotiate (rekey).

Child SA Parameters(Can be configured only if Connection Type is set as IKEv2)

The Child Security Association (Child SA) protects the actual traffic between the endpoints once the VPN connection has been established under the IKE SA.

Encryption Algorithm

The encryption algorithm applied to the data sent through the tunnel. The same options as for the IKE SA are offered; avoid DES and 3DES.

Integrity Algorithm

The integrity algorithm applied to the data sent through the tunnel; prefer SHA-2 over SHA-1 or MD5.

Diffie-Hellman Group

Specify the Diffie-Hellman group used for the Child SA key exchange (with PFS enabled); larger groups (14 and above) provide stronger keys.

Lifetime(in minutes)

Specify the Child SA lifetime in minutes: how long the data-protection keys remain valid before they are rekeyed.

VPN On-Demand

Enable VPN On Demand

Enabling this switches the VPN on automatically whenever a connection to one of the specified servers or domains is required and the device is not already on the corporate network

Specify the Domains

You have to specify the list of domains for which VPN should be enabled on-demand. You can enter multiple domain names using comma separation.

Configure Proxy

Proxy settings

Configure proxy settings for VPN

Server URL (Can be configured only if Proxy is set as Automatic)

Specify the URL of the proxy auto-configuration (PAC) file.

Server (Can be configured only if Proxy is set as Manual)

Proxy server name

Port (Can be configured only if Proxy is set as Manual)

Port number to be used

User Name (Can be configured only if Proxy is set as Manual)

User name for authentication

Password (Can be configured only if Proxy is set as Manual)

Specify the password to be used.
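The IKEv2, Advanced Settings, IKE SA and Child SA rows above map onto keys of an Apple com.apple.vpn.managed payload. The following added example (not code from the page or from Mobile Device Manager Plus) assembles such a payload from those fields, serialises it as a configuration-profile plist, and lints the choices a reviewer would flag before the profile is pushed: shared-secret machine authentication, revocation checking or PFS switched off, DPD disabled, and weak ciphers, hashes or Diffie-Hellman groups in either SA. The plist key names follow the Apple Configuration Profile Reference as I recall it and should be verified; the weakness thresholds are this example's own policy, and the payload identifier, server and identities are placeholders.

```python
"""Added example: build the IKEv2 portion of a com.apple.vpn.managed payload from
the profile fields in the table and lint the cryptographic choices.

Assumptions (not from the page): plist key names per the Apple Configuration
Profile Reference as I recall it; the thresholds below are this example's policy.
"""
import plistlib
import uuid
from typing import Optional

WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"MD5", "SHA1-96", "SHA1-160"}
MIN_DH_GROUP = 14          # 2048-bit MODP; groups 1, 2 and 5 are below modern minimums
SA_KEYS = ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters")


def sa_parameters(encryption: str, integrity: str, dh_group: int,
                  lifetime_minutes: int) -> dict:
    """One SA parameter block; used for both the IKE SA and the Child SA rows."""
    return {"EncryptionAlgorithm": encryption,
            "IntegrityAlgorithm": integrity,
            "DiffieHellmanGroup": dh_group,
            "LifeTimeInMinutes": lifetime_minutes}


def build_ikev2_payload(connection_name: str, server: str, local_id: str, remote_id: str, *,
                        cert_uuid: Optional[str] = None, shared_secret: Optional[str] = None,
                        dpd_rate: str = "Medium", pfs: bool = True,
                        revocation_check: bool = True, disable_mobike: bool = False,
                        disable_redirect: bool = False, ike_sa: Optional[dict] = None,
                        child_sa: Optional[dict] = None) -> dict:
    """Machine Authentication is either Certificate or Shared Secret, never both."""
    if (cert_uuid is None) == (shared_secret is None):
        raise ValueError("machine authentication needs exactly one of cert_uuid or shared_secret")
    ikev2 = {
        "RemoteAddress": server,            # Server Name / IP Address
        "LocalIdentifier": local_id,        # identity the device presents
        "RemoteIdentifier": remote_id,      # identity expected from the gateway
        "DeadPeerDetectionRate": dpd_rate,  # None / Low / Medium / High
        "EnablePFS": int(pfs),
        "EnableCertificateRevocationCheck": int(revocation_check),
        "DisableMOBIKE": int(disable_mobike),
        "DisableRedirect": int(disable_redirect),
        "UseConfigurationAttributeInternalIPSubnet": 0,
    }
    if cert_uuid:
        ikev2["AuthenticationMethod"] = "Certificate"
        ikev2["PayloadCertificateUUID"] = cert_uuid   # identity cert from a SCEP/PKCS#12 payload
    else:
        ikev2["AuthenticationMethod"] = "SharedSecret"
        ikev2["SharedSecret"] = shared_secret
    if ike_sa:
        ikev2["IKESecurityAssociationParameters"] = ike_sa
    if child_sa:
        ikev2["ChildSecurityAssociationParameters"] = child_sa
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.vpn.{uuid.uuid4()}",   # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": connection_name,
        "UserDefinedName": connection_name,   # Connection Name shown on the device
        "VPNType": "IKEv2",
        "IKEv2": ikev2,
    }


def lint_ikev2(payload: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    ike = payload["IKEv2"]
    findings: list[str] = []
    if ike["AuthenticationMethod"] != "Certificate":
        findings.append("machine authentication uses a shared secret; prefer a certificate")
    elif not ike.get("EnableCertificateRevocationCheck"):
        findings.append("certificate revocation check is disabled")
    if not ike.get("EnablePFS"):
        findings.append("perfect forward secrecy is disabled")
    if ike.get("DeadPeerDetectionRate") == "None":
        findings.append("dead peer detection is disabled; stale tunnels will not be torn down")
    for key in SA_KEYS:
        sa = ike.get(key)
        if sa is None:
            findings.append(f"{key} not set; the device falls back to OS defaults")
            continue
        if sa["EncryptionAlgorithm"] in WEAK_ENCRYPTION:
            findings.append(f"{key}: weak encryption {sa['EncryptionAlgorithm']}")
        if sa["IntegrityAlgorithm"] in WEAK_INTEGRITY:
            findings.append(f"{key}: weak integrity {sa['IntegrityAlgorithm']}")
        if sa["DiffieHellmanGroup"] < MIN_DH_GROUP:
            findings.append(f"{key}: Diffie-Hellman group {sa['DiffieHellmanGroup']} is too small")
    return findings


def to_profile_plist(payload: dict) -> bytes:
    """XML plist bytes for the single payload (wrap in a profile before signing)."""
    return plistlib.dumps(payload)


if __name__ == "__main__":
    # Constructed sample: a weak profile beside a hardened one for the same gateway.
    weak = build_ikev2_payload("Corp VPN", "vpn.example.com", "device01", "vpn.example.com",
                               shared_secret="hunter2", pfs=False, dpd_rate="None",
                               ike_sa=sa_parameters("3DES", "SHA1-96", 2, 1440),
                               child_sa=sa_parameters("AES-128", "SHA1-96", 5, 1440))
    strong = build_ikev2_payload("Corp VPN", "vpn.example.com", "device01@example.com",
                                 "vpn.example.com", cert_uuid="11111111-2222-3333-4444-555555555555",
                                 ike_sa=sa_parameters("AES-256-GCM", "SHA2-256", 20, 1440),
                                 child_sa=sa_parameters("AES-256-GCM", "SHA2-256", 20, 480))
    print("weak:", *lint_ikev2(weak), sep="\n  ")
    print("strong:", lint_ikev2(strong) or "no findings")
    print(to_profile_plist(strong).decode())
```

Running the linter against the profile dictionary rather than against the gateway means the check happens before distribution, where a bad choice is cheapest to fix; the same function can be run over exported profiles from an existing fleet to find tunnels still negotiating 3DES or SHA-1.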


Dynamic Variables :

The below mentioned dynamic variables are retrieved from the data provided while enrolling the device.

%username% - will get the appropriate user name, mapped to the device

See Also: Associating Profiles to Groups, Associating Profiles to Devices, App Management, Distribute Apps to Devices, Distribute Apps to Groups
Copyright © 2020, ZOHO Corp. All Rights Reserved.