VPN device policy 编辑
The VPN device policy configures virtual private network (VPN) settings that enable user devices to connect securely to corporate resources. You can configure the VPN device policy for the following platforms. Each platform requires a different set of values, which are described in detail in this article.
To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.
Requirements for per-app VPNs
You configure the per-app VPN feature for the following platforms through VPN policies:
- iOS
- macOS
- Android (legacy DA)
- Samsung SAFE
- Samsung Knox
To configure VPNs for Android Enterprise devices, create a Managed configurations device policy for the Citrix SSO app. See Configure VPN profiles for Android Enterprise.
Per-app VPN options are available for certain connection types. The following table indicates when per-app VPN options are available.
Platform | Connection type | Remark |
---|---|---|
iOS | Cisco Legacy AnyConnect, Juniper SSL, F5 SSL, SonicWALL Mobile Connect, Ariba VIA, Citrix SSO, or Custom SSL. | |
macOS | Cisco AnyConnect, Juniper SSL, F5 SSL, SonicWALL Mobile Connect, Ariba VIA, or Custom SSL. | |
Android (legacy DA) | Citrix SSO | |
Samsung SAFE | IPSEC, SSL | VPN type set to Generic |
Samsung Knox | IPSEC, SSL | VPN type set to Generic |
To create a per-app VPN for iOS and Android (legacy DA) devices using the Citrix SSO app, you need to perform extra steps, in addition to the VPN policy configuration. Also, you must verify that the following prerequisites are met:
- On-premises Citrix Gateway
- The following applications are installed on the device:
- Citrix SSO
- Citrix Secure Hub
A general workflow to configure a per-app VPN for iOS and Android devices using the Citrix SSO app is as follows:
Configure a VPN device policy as described in this article.
For iOS, see Configure Citrix SSO protocol for iOS. After you configure the Citrix SSO protocol for iOS through a VPN device policy, you also need to create an App Attributes policy to associate an app to the per-app VPN policy. For more information, see Configure a per-app VPN.
- For the Authentication type for the connection field, if you select Certificate, you must first configure certificate-based authentication for Endpoint Management. See Client certificate or certificate plus domain authentication.
For Android (legacy DA), see Configure the Citrix SSO protocol for Android.
- For the Authentication type for the connection field, if you select Certificate or Password and Certificate, you must first configure certificate-based authentication for Endpoint Management. See Client certificate or certificate plus domain authentication.
Configure Citrix ADC to accept traffic from the per-app VPN. For details, see Full VPN setup on Citrix Gateway.
iOS settings
To prepare for device upgrades to iOS 12:
The Citrix VPN connection type in the VPN device policy for iOS doesn’t support iOS 12. Perform these steps to delete your existing VPN device policy and create a VPN device policy with the Citrix SSO connection type:
- Delete your VPN device policy for iOS.
- Add a VPN device policy for iOS. Important settings:
- Connection type = Citrix SSO
- Enable per-app VPN = On
- Provider type = Packet tunnel
- Add an App Attributes device policy for iOS. For Per-app VPN identifier, choose iOS_VPN.
- Connection name: Type a name for the connection.
- Connection type: In the list, select the protocol to be used for this connection. The default is L2TP.
- L2TP: Layer 2 Tunneling Protocol with pre-shared key authentication.
- PPTP: Point-to-Point Tunneling.
- IPSec: Your corporate VPN connection.
Cisco Legacy AnyConnect: This connection type requires that the Cisco Legacy AnyConnect VPN client is installed on the user device. Cisco is phasing out the Cisco Legacy AnyConnect client that was based on a now deprecated VPN framework. For more information, see the support article https://support.citrix.com/article/CTX227708.
To use the current Cisco AnyConnect client, use a Connection type of Custom SSL. For required settings, see “Configure Custom SSL protocol” in this section.
- Juniper SSL: Juniper Networks SSL VPN client.
- F5 SSL: F5 Networks SSL VPN client.
- SonicWALL Mobile Connect: Dell unified VPN client for iOS.
- Ariba VIA: Ariba Networks Virtual Internet Access client.
- IKEv2 (iOS only): Internet Key Exchange version 2 for iOS only.
- AlwaysOn IKEv2: Always-on access using IKEv2.
- AlwaysOn IKEv2 Dual Configuration: Always-on access using IKEv2 dual configuration.
- Citrix SSO: Citrix SSO client for iOS 12 and later.
- Custom SSL: Custom Secure Socket Layer. This connection type is required for the Cisco AnyConnect client that has a bundle ID of com.cisco.anyconnect. Specify a Connection name of Cisco AnyConnect. You can also deploy the VPN policy and enable a Network Access Control (NAC) filter for iOS devices. The filter blocks a VPN connection for devices that have non-compliant apps installed. The configuration requires specific settings for the iOS VPN policy as described in the following iOS section. For more information about other settings required to enable the NAC filter, see Network Access Control.
The following sections list the configuration options for each of the preceding connection types.
Configure L2TP Protocol for iOS
- Server name or IP address: Type the server name or IP address for the VPN server.
- User Account: Type an optional user account.
- Select either Password authentication or RSA SecurID authentication.
- Shared secret: Type the IPsec shared secret key.
- Send all traffic: Select whether to send all traffic over the VPN. The default is Off.
Configure PPTP Protocol for iOS
- Server name or IP address: Type the server name or IP address for the VPN server.
- User Account: Type an optional user account.
- Select either Password authentication or RSA SecurID authentication.
- Encryption level: In the list, select an encryption level. The default is None.
- None: Use no encryption.
- Automatic: Use the strongest encryption level supported by the server.
- Maximum (128-bit): Always use 128-bit encryption.
- Send all traffic: Select whether to send all traffic over the VPN. The default is Off.
Configure IPsec Protocol for iOS
- Server name or IP address: Type the server name or IP address for the VPN server.
- User Account: Type an optional user account.
- Authentication type for the connection: In the list, select either Shared Secret or Certificate for the type of authentication for this connection. The default is Shared Secret.
- If you enable Shared Secret, configure these settings:
- Group name: Type an optional group name.
- Shared secret: Type an optional shared secret key.
- Use hybrid authentication: Select whether to use hybrid authentication. With hybrid authentication, the server first authenticates itself to the client, and then the client authenticates itself to the server. The default is Off.
- Prompt for password: Select whether to prompt users for their passwords when they connect to the network. The default is Off.
- If you enable Certificate, configure these settings:
- Identity credential: In the list, select the identity credential to use. The default is None.
- Prompt for PIN when connecting: Select whether to require users to enter their PIN when connecting to the network. The default is Off.
- Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
- Enable per-app VPN: Select whether to enable per-app VPN. The default is Off.
- On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
- Safari domains: Click Add to add a Safari domain name.
Configure Cisco legacy AnyConnect Protocol for iOS
To transition from the Cisco legacy AnyConnect client to the new Cisco AnyConnect client, use the Custom SSL protocol.
- Provider bundle identifier: For the Legacy AnyConnect client, the bundle ID is com.cisco.anyconnect.gui.
- Server name or IP address: Type the server name or IP address for the VPN server.
- User Account: Type an optional user account.
- Group: Type an optional group name.
- Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
- If you enable Password, type an optional authentication password in the Auth password field.
- If you enable Certificate, configure these settings:
- Identity credential: In the list, select the identity credential to use. The default is None.
- Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
- Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
- Enable Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
- On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
- Provider type: Select whether the per-app VPN is provided as an App proxy or as a Packet tunnel. Default is App proxy.
- Safari domains: For each Safari domains that can trigger a per-app VPN connection you want to include, click Add and do the following:
- Domain: Type the domain to be added.
- Click Save to save the domain or click Cancel to not save the domain.
Configure Juniper SSL Protocol for iOS
- Provider bundle identifier: If your per-app VPN profile contains the bundle identifier of an app with multiple VPN providers of the same type, specify the provider to use here.
- Server name or IP address: Type the server name or IP address for the VPN server.
- User account: Type an optional user account.
- Realm: Type an optional realm name.
- Role: Type an optional role name.
- Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
- If you enable Password, type an optional authentication password in the Auth password field.
- If you enable Certificate, configure these settings:
- Identity credential: In the list, select the identity credential to use. The default is None.
- Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
- Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
- Enable Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
- On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
- Provider type: Select whether the per-app VPN is provided as an App proxy or as a Packet tunnel. Default is App proxy.
- Safari domains: For each Safari domains that can trigger a per-app VPN connection you want to include, click Add and do the following:
- Domain: Type the domain to be added.
- Click Save to save the domain or click Cancel to not save the domain.
Configure F5 SSL Protocol for iOS
- Provider bundle identifier: If your per-app VPN profile contains the bundle identifier of an app with multiple VPN providers of the same type, specify the provider to use here.
- Server name or IP address: Type the server name or IP address for the VPN server.
- User Account: Type an optional user account.
- Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
- If you enable Password, type an optional authentication password in the Auth password field.
- If you enable Certificate, configure these settings:
- Identity credential: In the list, select the identity credential to use. The default is None.
- Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
- Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
- Enable Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
- On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication.
- Provider type: Select whether the per-app VPN is provided as an App proxy or as a Packet tunnel. Default is App proxy.
- Safari domains: For each Safari domains that can trigger a per-app VPN connection you want to include, click Add and do the following:
- Domain: Type the domain to be added.
- Click Save to save the domain or click Cancel to not save the domain.
Configure SonicWALL Protocol for iOS
- Provider bundle identifier: If your per-app VPN profile contains the bundle identifier of an app with multiple VPN providers of the same type, specify the provider to use here.
- Server name or IP address: Type the server name or IP address for the VPN server.
- User Account: Type an optional user account.
- Logon group or domain: Type an optional logon group or domain.
- Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
- If you enable Password, type an optional authentication password in the Auth password field.
- If you enable Certificate, configure these settings:
- Identity credential: In the list, select the identity credential to use. The default is None.
- Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
- Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
- Enable Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you set this option to ON, configure these settings:
- On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication.
- Provider type: Select whether the per-app VPN is provided as an App proxy or as a Packet tunnel. Default is App proxy.
- Safari domains: For each Safari domains that can trigger a per-app VPN connection you want to include, click Add and do the following:
- Domain: Type the domain to be added.
- Click Save to save the domain or click Cancel to not save the domain.
Configure Ariba VIA protocol for iOS
- Provider bundle identifier: If your per-app VPN profile contains the bundle identifier of an app with multiple VPN providers of the same type, specify the provider to use here.
- Server name or IP address: Type the server name or IP address for the VPN server.
- User Account: Type an optional user account.
- Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
- If you enable Password, type an optional authentication password in the Auth password field.
- If you enable Certificate, configure these settings:
- Identity credential: In the list, select the identity credential to use. The default is None.
- Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
- Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
- Enable Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
- On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication.
- Safari domains: For each Safari domains that can trigger a per-app VPN connection you want to include, click Add and do the following:
- Domain: Type the domain to be added.
- Click Save to save the domain or click Cancel to not save the domain.
Configure IKEv2 protocols for iOS
This section includes settings used for the IKEv2, AlwaysOn IKEv2, and AlwaysOn IKEv2 Dual Configuration protocols. For the AlwaysOn IKEv2 Dual Configuration protocol, configure all these settings for both Cellular and Wi-Fi networks.
Allow user to disable automatic connection: For the AlwaysOn protocols. Select whether to allow users to turn off automatic connection to the network on their devices. The default is Off.
Host name or IP address for server: Type the server name or IP address for the VPN server.
Local Identifier: The FQDN or IP address for the IKEv2 client. This field is required.
Remote Identifier: The FQDN or IP address for the VPN server. This field is required.
Device Authentication: Choose Shared Secret, Certificate, or Device certificate based on device identifier for the type of authentication for this connection. The default is Shared Secret.
If you choose Shared Secret, type an optional shared secret key.
If you choose Certificate, choose an Identity credential to use. The default is None.
If you choose Device Certificate Based on Device Identifier, choose the Device identity type to use. The default is IMEI. To use this option, bulk import certificates using the REST API. See Upload certificates to iOS devices in bulk with the REST API. Only available when you select Always On IKEv2.
Extended Authentication Enabled: Select whether to enable Extended Authentication Protocol (EAP). If you choose On, type the User account and Authentication password.
Dead Peer Detection Interval: Choose how often a peer device is contacted to ensure that the peer device remains reachable. The default is None. Options are:
None: Disable dead peer detection.
Low: Contacts peer every 30 minutes.
Medium: Contacts peer every 10 minutes.
High: Contacts peer every 1 minute.
Disable Mobility and Multihoming: Choose whether to disable this feature.
Use IPv4/IPv6 internal subnet attributes: Choose whether to enable this feature.
Disable redirects: Choose whether to disable redirects.
Enable NAT keepalive while the device is asleep: For the AlwaysOn protocols. Keepalive packets maintain NAT mappings for IKEv2 connections. The chip sends these packets at regular intervals when the device is awake. If this setting is on, the chip sends keepalive packets even while the device is asleep. The default interval is 20 seconds over Wi-Fi and 110 seconds over cellular. You can change the interval by using the NAT keepalive interval parameter.
NAT keepalive Interval (seconds): Defaults to 20 seconds.
Enable Perfect Forward Secrecy: Choose whether to enable this feature.
DNS server IP addresses: Optional. A list of DNS server IP address strings. These IP addresses can include a mixture of IPv4 and IPv6 addresses. Click Add to type an address.
Domain name: Optional. The primary domain of the tunnel.
Search domains: Optional. A list of domain strings used to qualify single-label host names fully.
Append supplemental match domains to resolver’s list: Optional. Determines whether to add the supplemental match domains list to the resolver’s list of search domains. Default is On.
Supplemental match domains: Optional. A list of domain strings used to determine which DNS queries are to use the DNS resolver settings contained in the DNS server addresses. This key creates a split DNS configuration where only hosts in certain domains get resolved by using the DNS resolver of the tunnel. Hosts not in one of the domains in this list get resolved by using the default resolver of the system.
If this parameter contains an empty string, then that string is the default domain. This is how a split tunnel configuration can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel is the default route of the network, the listed DNS servers become the default resolver. In that case, the supplemental match domains list is ignored.
IKE SA Parameters and Child SA Parameters. Configure these settings for each Security Association (SA) parameters option:
Encryption Algorithm: In the list, select the IKE encryption algorithm to use. The default is 3DES.
Integrity Algorithm: In the list, select the integrity algorithm to use. The default is SHA1-96.
Diffie Hellman Group: In the list, select the Diffie Hellman group number. The default is 2.
ike LifeTime in Minutes: Type an integer between 10 and 1440 representing the SA lifetime (rekey interval). The default is 1440 minutes.
Service Exceptions: For the AlwaysOn protocols. Service exceptions are system services that are exempt from AlwaysOn VPN. Configure these service exceptions settings:
Voice Mail: In the list, select how to handle the voice mail exception. The default is Allow traffic via tunnel.
AirPrint: In the list, select how to handle the AirPrint exception. The default is Allow traffic via tunnel.
Allow traffic from captive web sheet outside the VPN tunnel: Select whether to allow users to connect to public hotspots outside the VPN tunnel. The default is Off.
Allow traffic from all captive networking apps outside the VPN tunnel: Select whether to allow all hotspot networking apps outside the VPN tunnel. The default is Off.
Captive networking app bundle identifiers: For each hotspot networking app bundle identifier that users are allowed to access, click Add and type the hotspot networking app Bundle Identifier. Click Save to save the app bundle identifier.
Per-app VPN. Configure these settings for IKEv2 connection types.
- Enable per-app VPN: Select whether to enable per-app VPN. The default is Off.
- On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
- Safari domains: Click Add to add a Safari domain name.
Proxy configuration: Choose how the VPN connection routes through a proxy server. Default is None.
Configure Citrix SSO protocol for iOS
The Citrix SSO client is available in the Apple Store at https://apps.apple.com/us/app/citrix-sso/id1333396910.
- Server name or IP address: Type the server name or IP address for the VPN server.
- User Account: Type an optional user account.
- Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
- If you enable Password, type an optional authentication password in the Auth password field.
- If you enable Certificate, configure these settings:
- Identity credential: In the list, select the identity credential to use. The default is None.
- Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is OFF.
- Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is OFF. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
- Enable Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you set this option to ON, configure the following settings:
- On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication.
- Provider type: Select whether the per-app VPN is provided as an App proxy or as a Packet tunnel. Default is App proxy.
- Provider type: Set to Packet tunnel.
- Safari domains: For each Safari domains that can trigger a per-app VPN connection you want to include, click Add and do the following:
- Domain: Type the domain to be added.
- Click Save to save the domain or click Cancel to not save the domain.
- Custom XML: For each custom XML parameter you want to add, click Add and specify the key/value pairs. Available parameters are:
- disableL3: Disables system level VPN. Allows only per app VPN. No Value is needed.
- useragent: Associates with this device policy any Citrix Gateway policies that are targeted to VPN plug-in clients. For requests initiated by the plug-in, the Value for this key is automatically added to the VPN plug-in.
Configure Custom SSL protocol for iOS
To transition from the Cisco Legacy AnyConnect client to the Cisco AnyConnect client:
- Configure the VPN device policy with the Custom SSL protocol. Deploy the policy to iOS devices.
- Upload the Cisco AnyConnect client from https://apps.apple.com/us/app/cisco-anyconnect/id1135064690, add the app to XenMobile, and then deploy the app to iOS devices.
- Remove the old VPN device policy from iOS devices.
Settings:
- Custom SSL identifier (reverse DNS format): Set to the bundle identifier. For the Cisco AnyConnect client, use com.cisco.anyconnect.
- Provider Bundle Identifier: If the app specified in Custom SSL identifier has multiple VPN providers of the same type (App proxy or Packet tunnel), then specify this bundle identifier. For the Cisco AnyConnect client, use com.cisco.anyconnect.
- Server name or IP address: Type the server name or IP address for the VPN server.
- User Account: Type an optional user account.
- Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
- If you enable Password, type an optional authentication password in the Auth password field.
- If you enable Certificate, configure these settings:
- Identity credential: In the list, select the identity credential to use. The default is None.
- Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is OFF.
- Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is OFF. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
- Enable Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you set this option to ON, configure the following settings:
- On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication.
- Provider Type: A provider type indicates whether the provider is a VPN service or proxy service. For VPN service, choose Packet tunnel. For proxy service, choose App proxy. For the Cisco AnyConnect client, choose Packet tunnel.
- Safari domains: For each Safari domains that can trigger a per-app VPN connection you want to include, click Add and do the following:
- Domain: Type the domain to be added.
- Click Save to save the domain or click Cancel to not save the domain.
- Custom XML: For each custom XML parameter you want to add, click Add and do the following:
- Parameter name: Type the name of the parameter to be added.
- Value: Type the value associated with Parameter name.
- Click Save to save the parameter or click Cancel to not save the parameter.
Configure the VPN device policy to support NAC
- The Connection type of Custom SSL is required for configuring the NAC filter.
- Specify a Connection name of VPN.
- For Custom SSL identifier, type com.citrix.NetScalerGateway.ios.app
- For Provider bundle identifier, type com.citrix.NetScalerGateway.ios.app.vpnplugin
The values in step 3 and 4 come from the required Citrix SSO installation for NAC filtering. You do not configure an authentication password. For more information on using the NAC function, see Network Access Control.
Configure enable VPN on demand options for iOS
- On Demand Domain: For each domain and associated action to take when users connect, click Add and do the following:
- Domain: Type the domain to be added.
- Action: In the list select one of the possible actions:
- Always establish: The domain always triggers a VPN connection.
- Never establish: The domain never triggers a VPN connection.
- Establish if necessary: The domain triggers a VPN connection attempt if domain name resolution fails. Failure happens when the DNS server cannot resolve the domain, redirects to a different server, or times out.
- Click Save to save the domain or click Cancel to not save the domain.
- On demand rules
- Action: In the list, select the action to be taken. The default is EvaluateConnection. Possible actions are:
- Allow: Allow VPN on demand to connect when triggered.
- Connect: Unconditionally initiate a VPN connection.
- Disconnect: Remove the VPN connection and do not reconnect on demand as long as the rule matches.
- EvaluateConnection: Evaluate the ActionParameters array for each connection.
- Ignore: Leave any existing VPN connection up, but do not reconnect on demand as long as the rule matches.
- DNSDomainMatch: For each domain against which a device’s search domain list can match that you want to add, click Add and do the following:
- DNS Domain: Type the domain name. You can use the wildcard “*” prefix for matching multiple domains. For example, *.example.com matches mydomain.example.com, yourdomain.example.com, and herdomain.example.com.
- Click Save to save the domain or click Cancel to not save the domain.
- DNSServerAddressMatch: For each IP address to which any of the network’s specified DNS servers can match that you want to add, click Add and do the following:
- DNS Server Address: Type the DNS server address you want to add. You can use the wildcard “*” suffix for matching DNS servers. For example, 17.* matches any DNS server in the class A subnet.
- Click Save to save the DNS server address or click Cancel to not save the DNS server address.
- InterfaceTypeMatch: In the list, select the type of primary network interface hardware in use. The default is Unspecified. Possible values are:
- Unspecified: Matches any network interface hardware. This option is the default.
- Ethernet: Matches only Ethernet network interface hardware.
- WiFi: Matches only Wi-Fi network interface hardware.
- Cellular: Matches only Cellular network interface hardware.
- SSIDMatch: For each SSID to match against the current network that you want to add, click Add and so the following.
- SSID: Type the SSID to add. If the network is not a Wi-Fi network, or if the SSID does not appear, the match fails. Leave this list empty to match any SSID.
- Click Save to save the SSID or click Cancel to not save the SSID.
- URLStringProbe: Type a URL to fetch. If this URL is successfully fetched without redirection, this rule matches.
- ActionParameters : Domains: For each domain that EvaluateConnection checks that you want to add, click Add and do the following:
- Domain: Type the domain to be added.
- Click Save to save the domain or click Cancel to not save the domain.
- ActionParameters : DomainAction: In the list, select the VPN behavior for the specified ActionParameters : Domains domains. The default is ConnectIfNeeded. Possible actions are:
- ConnectIfNeeded: The domain triggers a VPN connection attempt if domain name resolution fails. Failure happens when the DNS server cannot resolve the domain, redirects to a different server, or times out.
- NeverConnect: The domain never triggers a VPN connection.
- Action Parameters: RequiredDNSServers: For each DNS server IP address to be used for resolving the specified domains, click Add and do the following:
- DNS Server: Valid only when ActionParameters : DomainAction = ConnectIfNeeded. Type the DNS server to add. This server doesn’t need to be part of the device’s current network configuration. If the DNS server is not reachable, a VPN connection is established in response. This DNS server should be either an internal DNS server or a trusted external DNS server.
- Click Save to save the DNS server or click Cancel to not save the DNS server.
- ActionParameters : RequiredURLStringProbe: Optionally, type an HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL’s host name can’t be resolved, the server is unreachable, or the server doesn’t respond, a VPN connection is established. Valid only when ActionParameters : DomainAction = ConnectIfNeeded.
- OnDemandRules : XML content: Type, or copy and paste, XML configuration on demand rules.
- Click Check Dictionary to validate the XML code. You see Valid XML in green text below the XML content text box if the XML is valid. If it isn’t valid, you see an error message in orange text describing the error.
- Action: In the list, select the action to be taken. The default is EvaluateConnection. Possible actions are:
- Proxy
- Proxy configuration: In the list, select how the VPN connection routes through a proxy server. The default is None.
- If you enable Manual, configure these settings:
- Host name or IP address for the proxy server: Type the host name or IP address for the proxy server. This field is required.
- Port for the proxy server: Type the proxy server port number. This field is required.
- User name: Type an optional proxy server user name.
- Password: Type an optional proxy server password.
- If you configure Automatic, configure this setting:
- Proxy server URL: Type the URL for the proxy server. This field is required.
- If you enable Manual, configure these settings:
- Proxy configuration: In the list, select how the VPN connection routes through a proxy server. The default is None.
- Policy Settings
- Under Policy Settings, next to Remove policy, select either Select date or Duration until removal (in hours).
- If you select Select date, click the calendar to select the specific date for removal.
- In the Allow user to remove policy list, select Always, Password required, or Never.
- If you select Password required, next to Removal password, type the necessary password.
Configure a per-app VPN
Per-app VPN options for iOS are available for these connection types: Cisco Legacy AnyConnect, Juniper SSL, F5 SSL, SonicWALL Mobile Connect, Ariba VIA, Citrix VPN, Citrix SSO, and Custom SSL.
To configure a per-app VPN:
In Configure > Device Policies, create a VPN policy. For example:
In Configure > Device Policies, create an App Attributes policy to associate an app to the per-app VPN policy. For Per-app VPN identifier, choose the name of the VPN policy created in Step 1. For Managed app bundle ID, choose from the app list or type the app bundle ID. (If you deploy an iOS App Inventory policy, the app list contains apps.)
- Policy settings
- Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours)
- Select date: Click the calendar to select the specific date for removal.
- Duration until removal (in hours): Type a number, in hours, until policy removal occurs. Only available for iOS 6.0 and later.
- Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours)
macOS settings
- Connection name: Type a name for the connection.
- Connection type: In the list, select the protocol to be used for this connection. The default is L2TP.
- L2TP: Layer 2 Tunneling Protocol with pre-shared key authentication.
- PPTP: Point-to-Point Tunneling.
- IPSec: Your corporate VPN connection.
- Cisco AnyConnect: Cisco AnyConnect VPN client.
- Juniper SSL: Juniper Networks SSL VPN client.
- F5 SSL: F5 Networks SSL VPN client.
- SonicWALL Mobile Connect: Dell unified VPN client for iOS.
- Ariba VIA: Ariba Networks Virtual Internet Access client.
- Citrix VPN: Citrix VPN client.
- Custom SSL: Custom Secure Socket Layer.
The following sections list the configuration options for each of the preceding connection types.
Configure L2TP Protocol for macOS
- Server name or IP address: Type the server name or IP address for the VPN server.
- User Account: Type an optional user account.
- Select Password authentication, RSA SecurID authentication, Kerberos authentication, or CryptoCard authentication. The default is Password authentication.
- Shared secret: Type the IPsec shared secret key.
- Send all traffic: Select whether to send all traffic over the VPN. The default is Off.
Configure PPTP Protocol for macOS
- Server name or IP address: Type the server name or IP address for the VPN server.
- User Account: Type an optional user account.
- Select Password authentication, RSA SecurID authentication, Kerberos authentication, or CryptoCard authentication. The default is Password authentication.
- Encryption level: Select the desired encryption level. The default is None.
- None: Use no encryption.
- Automatic: Use the strongest encryption level supported by the server.
- Maximum (128-bit): Always use 128-bit encryption.
- Send all traffic: Select whether to send all traffic over the VPN. The default is Off.
Configure IPsec Protocol for macOS
- Server name or IP address: Type the server name or IP address for the VPN server.
- User account: Type an optional user account.
- Authentication type for the connection: In the list, select either Shared Secret or Certificate for the type of authentication for this connection. The default is Shared Secret.
- If you enable Shared Secret authentication, configure these settings:
- Group name: Type an optional group name.
- Shared secret: Type an optional shared secret key.
- Use hybrid authentication: Select whether to use hybrid authentication. With hybrid authentication, the server first authenticates itself to the client, and then the client authenticates itself to the server. The default is Off.
- Prompt for password: Select whether to prompt users for their passwords when they connect to the network. The default is Off.
- If you enable Certificate authentication, configure these settings:
- Identity credential: In the list, select the identity credential to use. The default is None.
- Prompt for PIN when connecting: Select whether to require users to enter their PIN when connecting to the network. The default is Off.
- Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand options.
- If you enable Shared Secret authentication, configure these settings:
Configure Cisco AnyConnect Protocol for macOS
- Server name or IP address: Type the server name or IP address for the VPN server.
- User account: Type an optional user account.
- Group: Type an optional group name.
- Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
- If you enable Password, type an optional authentication password in the Auth password field.
- If you enable Certificate, configure these settings:
- Identity credential: In the list, select the identity credential to use. The default is None.
- Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
- Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand options.
- Enable Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
- On-demand match app enabled: Select whether a per-app VPN connection triggers automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
- Safari domains: For each Safari domains that can trigger a per-app VPN connection you want to include, click Add and do the following:
- Domain: Type the domain to be added.
- Click Save to save the domain or click Cancel to not save the domain.
Configure Juniper SSL Protocol for macOS
- Server name or IP address: Type the server name or IP address for the VPN server.
- User account: Type an optional user account.
- Realm: Type an optional realm name.
- Role: Type an optional role name.
- Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
- If you enable Password, type an optional authentication password in the Auth password field.
- If you enable Certificate, configure these settings:
- Identity credential: In the list, select the identity credential to use. The default is None.
- Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
- Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings.
- Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure the following settings:
- On-demand match app enabled: Select whether a per-app VPN connection triggers automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
- Safari domains: For each Safari domains that can trigger a per-app VPN connection you want to include, click Add and do the following:
- Domain: Type the domain to be added.
- Click Save to save the domain or click Cancel to not save the domain.
Configure F5 SSL Protocol for macOS
- Server name or IP address: Type the server name or IP address for the VPN server.
- User account: Type an optional user account.
- Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
- If you enable Password, type an optional authentication password in the Auth password field.
- If you enable Certificate, configure these settings:
- Identity credential: In the list, select the identity credential to use. The default is None.
- Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
- Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings.
- Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
- On-demand match app enabled: Select whether per-app VPN connection triggers automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
- Safari domains: For each Safari domains that can trigger a per-app VPN connection you want to include, click Add and do the following:
- Domain: Type the domain to be added.
- Click Save to save the domain or click Cancel to not save the domain.
Configure SonicWALL Mobile Connect Protocol for macOS
- Server name or IP address: Type the server name or IP address for the VPN server.
- User account: Type an optional user account.
- Logon group or domain: Type an optional logon group or domain.
- Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
- If you enable Password, type an optional authentication password in the Auth password field.
- If you enable Certificate, configure these settings:
- Identity credential: In the list, select the identity credential to use. The default is None.
- Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
- Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings.
- Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
- On-demand match app enabled: Select whether per-app VPN connection triggers automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
- Safari domains: For each Safari domains that can trigger a per-app VPN connection you want to include, click Add and do the following:
- Domain: Type the domain to be added.
- Click Save to save the domain or click Cancel to not save the domain.
Configure Ariba VIA protocol for macOS
- Server name or IP address: Type the server name or IP address for the VPN server.
- User account: Type an optional user account.
- Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
- If you enable Password, type an optional authentication password in the Auth password field.
- If you enable Certificate, configure these settings:
- Identity credential: In the list, select the identity credential to use. The default is None.
- Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
- Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings.
- Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
- On-demand match app enabled: Select whether per-app VPN connection triggers automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
- Safari domains: For each Safari domains that can trigger a per-app VPN connection you want to include, click Add and do the following:
- Domain: Type the domain to be added.
- Click Save to save the domain or click Cancel to not save the domain.
Configure Custom SSL protocol for macOS
- Custom SSL identifier (reverse DNS format): Type the SSL identifier in reverse DNS format. This field is required.
- Server name or IP address: Type the server name or IP address for the VPN server. This field is required.
- User account: Type an optional user account.
- Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
- If you enable Password, type an optional authentication password in the Auth password field.
- If you enable Certificate, configure these settings:
- Identity credential: In the list, select the identity credential to use. The default is None.
- Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is OFF.
- Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is OFF. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings.
- Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
- On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication.
- Safari domains: For each Safari domains that can trigger a per-app VPN connection you want to include, click Add and do the following:
- Domain: Type the domain to be added.
- Click Save to save the domain or click Cancel to not save the domain.
- Custom XML: For each custom XML parameter you want to add, click Add and do the following:
- Parameter name: Type the name of the parameter to be added.
- Value: Type the value associated with Parameter name.
- Click Save to save the domain or click Cancel to not save the domain.
Configure enable VPN on demand options
- On Demand Domain: For each domain and associated action to be taken when users connect to them that you want to add, click Add to and do the following:
- Domain: Type the domain to be added.
- Action: In the list select one of the possible actions:
- Always establish: The domain always triggers a VPN connection.
- Never establish: The domain never triggers a VPN connection.
- Establish if necessary: The domain triggers a VPN connection attempt if domain name resolution fails. Failure happens when the DNS server cannot resolve the domain, redirects to a different server, or times out.
- Click Save to save the domain or click Cancel to not save the domain.
- On demand rules
- Action: In the list, select the action to be taken. The default is EvaluateConnection. Possible actions are:
- Allow: Allow VPN on demand to connect when triggered.
- Connect: Unconditionally initiate a VPN connection.
- Disconnect: Remove the VPN connection and do not reconnect on demand as long as the rule matches.
- EvaluateConnection: Evaluate the ActionParameters array for each connection.
- Ignore: Leave any existing VPN connection up, but do not reconnect on demand as long as the rule matches.
- DNSDomainMatch: For each domain against which a user device’s search domain list can match that you want to add, click Add to and do the following:
- DNS Domain: Type the domain name. You can use the wildcard “*” prefix for matching multiple domains. For example, *.example.com matches mydomain.example.com, yourdomain.example.com, and herdomain.example.com.
- Click Save to save the domain or click Cancel to not save the domain.
- DNSServerAddressMatch: For each IP address to which any of the network’s specified DNS servers can match that you want to add, click Add and do the following:
- DNS Server Address: Type the DNS server address you want to add. You can use the wildcard “*” suffix for matching DNS servers. For example, 17.* matches any DNS server in the class A subnet.
- Click Save to save the DNS server address or click Cancel to not save the DNS server address.
- InterfaceTypeMatch: In the list, click the type of primary network interface hardware in use. The default is Unspecified. Possible values are:
- Unspecified: Matches any network interface hardware. This option is the default.
- Ethernet: Matches only Ethernet network interface hardware.
- WiFi: Matches only Wi-Fi network interface hardware.
- Cellular: Matches only Cellular network interface hardware.
- SSIDMatch: For each SSID to match against the current network that you want to add, click Add and so the following.
- SSID: Type the SSID to add. If the network is not a Wi-Fi network, or if the SSID does not appear, the match fails. Leave this list empty to match any SSID.
- Click Save to save the SSID or click Cancel to not save the SSID.
- URLStringProbe: Type a URL to fetch. If this URL is successfully fetched without redirection, this rule matches.
- ActionParameters : Domains: For each domain that EvaluateConnection checks that you want to add, click Add and do the following:
- Domain: Type the domain to be added.
- Click Save to save the domain or click Cancel to not save the domain.
- ActionParameters : DomainAction: In the list, select the VPN behavior for the specified ActionParameters : Domains domains. The default is ConnectIfNeeded. Possible actions are:
- ConnectIfNeeded: The domain triggers a VPN connection attempt if domain name resolution fails. Failure happens when the DNS server cannot resolve the domain, redirects to a different server, or times out.
- NeverConnect: The domain never triggers a VPN connection.
- Action Parameters: RequiredDNSServers: For each DNS server IP address to be used for resolving the specified domains, click Add and do the following:
- DNS Server: Valid only when ActionParameters : DomainAction = ConnectIfNeeded. Type the DNS server to add. This server doesn’t need to be part of the device’s current network configuration. If the DNS server is not reachable, a VPN connection is established in response. This DNS server must be either an internal DNS server or a trusted external DNS server.
- Click Save to save the DNS server or click Cancel to not save the DNS server.
- ActionParameters : RequiredURLStringProbe: Optionally, type an HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL’s host name cannot be resolved, the server is unreachable, or the server does not respond, a VPN connection is established. Valid only when ActionParameters : DomainAction = ConnectIfNeeded.
- OnDemandRules : XML content: Type, or copy and paste, XML configure on demand rules.
- Click Check Dictionary to validate the XML code. You see Valid XML in green text below the XML content text box if the XML is valid. If it isn’t valid, you see an error message in orange text describing the error.
- Action: In the list, select the action to be taken. The default is EvaluateConnection. Possible actions are:
- Proxy
- Proxy configuration: In the list, select how the VPN connection routes through a proxy server. The default is None.
- If you enable Manual, configure these settings:
- Host name or IP address for the proxy server: Type the host name or IP address for the proxy server. This field is required.
- Port for the proxy server: Type the proxy server port number. This field is required.
- User name: Type an optional proxy server user name.
- Password: Type an optional proxy server password.
- If you configure Automatic, configure this setting:
- Proxy server URL: Type the URL for the proxy server. This field is required.
- If you enable Manual, configure these settings:
- Proxy configuration: In the list, select how the VPN connection routes through a proxy server. The default is None.
Android settings
Configure Cisco AnyConnect VPN protocol for Android
- Connection name: Type a name for the Cisco AnyConnect VPN connection. This field is required.
- Server name or IP address: Type the name or IP address of the VPN server. This field is required.
- Identity credential: In the list, select an identity credential.
- Backup VPN server: Type the backup VPN server information.
- User group: Type the user group information.
- Trusted Networks
- Automatic VPN policy: Enable or disable this option to set how the VPN reacts to trusted and untrusted networks. If enabled, configure these settings:
- Trusted network policy: In the list, select the desired policy. The default is Disconnect. Possible options are:
- Disconnect: The client terminates the VPN connection in the trusted network. This setting is the default.
- Connect: The client initiates a VPN connection in the trusted network.
- Do Nothing: The client takes no action.
- Pause: When a user establishes a VPN session outside the trusted network then enters a network configured as trusted, the VPN session gets suspended. When the user leaves the trusted network again, the session resumes. This setting eliminates the need to establish a new VPN session after leaving a trusted network.
- Untrusted network policy: In the list, select the desired policy. The default is Connect. Possible options are:
- Connect: The client initiates a VPN connection in the untrusted network.
- Do Nothing: The client starts a VPN connection in the untrusted network. This option disables always-on VPN.
- Trusted network policy: In the list, select the desired policy. The default is Disconnect. Possible options are:
- Trusted domains: For each domain suffix that the network interface has when the client is in the trusted network, click Add to do the following:
- Domain: Type the domain to be added.
- Click Save to save the domain or click Cancel to not save the domain.
- Trusted servers: For each server address that a network interface has when the client is in the trusted network, click Add and do the following:
- Servers: Type the server to be added.
- Click Save to save the server or click Cancel to not save the server.
- Automatic VPN policy: Enable or disable this option to set how the VPN reacts to trusted and untrusted networks. If enabled, configure these settings:
Configure the Citrix SSO protocol for Android
Connection name: Type a name for the VPN connection. This field is required.
Server name or IP address: Type the FQDN or IP address of the Citrix Gateway.
Authentication type for the connection: Choose an authentication type and complete any of these fields that appear for the type:
User name and Password: Type your VPN credentials for the Authentication types of Password or Password and Certificate. Optional. If you don’t provide the VPN credentials, the Citrix VPN app prompts for a user name and password.
Identity credential: Appears for the Authentication types of Certificate or Password and Certificate. In the list, select an identity credential.
Enable per-app VPN: Select whether to enable per-app VPN. If you don’t enable per-app VPN, all traffic goes through the Citrix VPN tunnel. If you enable per-app VPN, specify the following settings. The default is Off.
Whitelist or Blacklist: If Whitelist, all allowed apps tunnel through this VPN. If Blacklist, all apps except those apps on the block list tunnel through this VPN.
Note:
The XenMobile Server console includes the terms “blacklist” and “whitelist”. We are changing those terms in an upcoming release to “block list” and “allow list”.
Application List: Specify the allowed or blocked apps. Click Add and then type a comma-separated list of app package names.
Custom XML: Click Add and then type custom parameters. XenMobile supports these parameters for Citrix VPN:
- DisableUserProfiles: Optional. To enable this parameter, type Yes for the Value. If enabled, XenMobile doesn’t display user-added VPN connections and the user cannot add a connection. This setting is a global restriction and applies to all VPN profiles.
- userAgent: A string value. You can specify a custom User Agent string to send in each HTTP request. The specified user agent string gets appended to the existing Citrix VPN user agent.
Configure VPNs to support NAC
- Use the Connection type of Custom SSL to configure the NAC filter.
- Specify a Connection name of VPN.
- For Custom XML, click Add and do the following:
- Parameter name: Type XenMobileDeviceId. This field is the device ID to use for the NAC check based on device enrollment in XenMobile. If XenMobile enrolls and manages the device, the VPN connection is allowed. Otherwise, authentication is denied at the time of VPN establishment.
- Value: Type DeviceID_${device.id}, which is the value for the parameter XenMobileDeviceId.
- Click Save to save the parameter.
Configure VPNs for Android Enterprise
To configure VPNs for Android Enterprise devices, create a Managed configuration device policy for the Citrix SSO app. See Configure VPN profiles for Android Enterprise.
Samsung SAFE settings
- Connection name: Type a name for the connection.
- VPN type: In the list, select the protocol to be used for this connection. The default is L2TP with pre-shared key. Possible options are:
- L2TP with pre-shared key: Layer 2 Tunneling Protocol with pre-shared key authentication. This setting is the default.
- L2TP with certificate: Layer 2 Tunneling Protocol with certificate.
- PPTP: Point-to-Point Tunneling.
- Enterprise: Your corporate VPN connection. Applicable to SAFE versions earlier than 2.0.
- Generic: A generic VPN connection. Applicable to SAFE versions 2.0 or higher.
Configure L2TP with pre-shared key protocol for Samsung SAFE
- Host name: Type the name of the VPN host. This option is required.
- User name: Type an optional user name.
- Password: Type an optional password.
- Pre-shared key: Type the pre-shared key. This option is required.
Configure L2TP with certificate protocol for Samsung SAFE
- Host name: Type the name of the VPN host. This option is required.
- User name: Type an optional user name.
- Password: Type an optional password.
- Identity credential: In the list, select the identity credential to be used. The default is None.
Configure PPTP protocol for Samsung SAFE
- Host name: Type the name of the VPN host. This option is required.
- User name: Type an optional user name.
- Password: Type an optional password.
- Enable encryption: Select whether to enable encryption on the VPN connection.
Configure Enterprise protocol for Samsung SAFE
- Host name: Type the name of the VPN host. This option is required.
- Enable backup server: Select whether to enable a backup VPN server. If enabled, in Backup VPN server, type the FQDN or IP address of the backup VPN server.
- Enable user authentication: Select whether to require user authentication. If enabled, configure the following settings:
- User name: Type a user name.
- Password: Type the user password.
- Group name: Type an optional group name.
- Authentication method: In the list, select the authentication method to be used. Possible options are:
- Certificate: Use certificate authentication. This setting is the default. If selected, in the Identity credential list, select the credential to use. The default is None.
- Pre-shared key: Use a pre-shared key. If selected, in the Pre-shared key field, type the shared secret key.
- Hybrid RSA: Use hybrid authentication using RSA certificates.
- EAP MD5: Authenticate the EAP peer to the EAP server, but does no mutual authentication.
- EAP MSCHAPv2: Use Microsoft’s Challenge-Handshake authentication for mutual authentication.
- CA certificate: In the list, select the certificate to be used. The default is None.
- Enable default route: Select whether to enable a default route to the VPN server. The default is Off.
- Enable smartcard authentication: Select whether to allow users to authenticate by using smart cards. The default is Off.
- Enable mobile option: Select whether to enable mobile option. The default is Off.
- Diffie-Hellman group value (key strength): In the list, select the key strength to be used. The default is 0.
- Split tunnel type: In the list, select the type of split tunnel to use. The default is Auto. Possible options are:
- Auto: Split tunneling is used automatically.
- Manual: Split tunneling is used over the IP address and port specified on the VPN server.
- Disabled: Split tunneling is not used.
- SuiteB type: In the list, select the level of NSA Suite B encryption to use. The default is GCM-128. Possible options are:
- GCM-128: Use 128-bit AES-GCM encryption.
- GCM-256: Use 256-bit AES-GCM encryption.
- GMAC-128: Use 128-bit AES-GMAC encryption.
- GMAC-256: Use 256-bit AES-GMAC encryption.
- None: Use no encryption.
- Forward routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:
- Forward route: Type the IP address for the forwarding route.
- Click Save to save the route or click Cancel to not save the route.
Configure generic protocol for Samsung SAFE
- Host name: Type the name of the VPN host. This option is required.
- Enable user authentication: Select whether to require user authentication. If enabled, in Password, type the user password.
- User name: Type a user name.
- Package Name Agent VPN: The package name, or ID, of the VPN installed on the device; for example, Mocana or Pulse Secure.
- VPN Connection type: In the list, select either IPSEC or SSL for the connection type to be used. The default is IPSEC. The following sections describe the configuration settings for each connection type.
Configure IPSEC connection type settings for Samsung SAFE
- Identity: Type an optional identifier for this configuration.
- IPsec group ID type: In the list, select the IPsec group ID type to use. The default is Default. Possible options are:
- Default
- IPv4 address
- Fully qualified domain name (FQDN)
- User FQDN
- IKE key ID
- IKE version: In the list, select the Internet Key Exchange version to use. The default is IKEv1.
- Authentication method: In the list, select the authentication method to be used. The default is Certificate. Possible options are:
- Certificate: Use certificate authentication. If selected, in the Identity credential list, select the credential to use. The default is None.
- Pre-shared key: Use a pre-shared key. If selected, in the Pre-shared key field, type the shared secret key.
- Hybrid RSA: Use hybrid authentication using RSA certificates.
- EAP MD5: Authenticate the EAP peer to the EAP server, but does no mutual authentication.
- EAP MSCHAPv2: Use Microsoft’s Challenge-Handshake authentication for mutual authentication.
- CAC based Authentication: Use a Common Access Card (CAC) for authentication.
- Identity credential: In the list select the identity credential to use. The default is None.
- CA certificate: In the list, select the certificate to be used.
- Enable dead peer detection: Select whether to contact a peer to ensure that it remains alive. The default is Off.
- Enable default route: Select whether to enable a default route to the VPN server.
- Enable mobile option: Select whether to enable mobile option.
- ike LifeTime in Minutes: Type the number of minutes before the VPN connection must be reestablished. The default is 1440 minutes (24 hours).
- ipsec LifeTime in Minutes: Type the number of minutes before the VPN connection must be reestablished. The default is 1440 minutes (24 hours).
- Diffie-Hellman group value (key strength): In the list, select the key strength to be used. The default is 0.
- IKE Phase 1 key exchange mode: Select either Main or Aggressive for the IKE Phase 1 negotiation mode. The default is Main.
- Main: No information is exposed to potential attackers during negotiation, but is slower than Aggressive mode.
- Aggressive: Some information (for example, the identity of the negotiating peers) is exposed to potential attackers during negotiation, but is faster than Main mode.
- Perfect forward secrecy (PFS) value: Select whether to use PFS to require a new key exchange renegotiating a connection.
- Split tunnel type: In the list, select the type of split tunnel to use. Possible options are:
- Auto: Split tunneling is automatically used.
- Manual: Split tunneling is used over the IP address and port specified on the VPN server.
- Disabled: Split tunneling is not used.
- IPSEC Encryption algorithm: A VPN configuration that the IPsec protocol uses.
- IKE Encryption Algorithm: A VPN configuration that the IPsec protocol uses.
- IKE Integrity Algorithm: A VPN configuration that the IPsec protocol uses.
- Vendor: A personal profile for generic agents that communicate with the Knox API.
- Forward routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:
- Forward route: Type the IP address for the forwarding route.
- Click Save to save the route or click Cancel to not save the route.
- Per App VPN: For each per-app VPN you want to add, click Add and do the following:
- Per App VPN: The VPN configuration that the app uses to communicate.
- Click Save to save the per-app VPN or click Cancel to not save the per-app VPN.
Configure SSL connection type settings for Samsung SAFE
- Authentication method: In the list, select the authentication method to be used. The default is Not Applicable. Possible options are:
- Not Applicable
- Certificate: Use certificate authentication. If selected, in the Identity credential list, select the credential to use. The default is None.
- CAC based Authentication: Use a Common Access Card (CAC) for authentication.
- CA certificate: In the list, select the certificate to be used.
- Enable default route: Select whether to enable a default route to the VPN server.
- Enable mobile option: Select whether to enable mobile option.
- Split tunnel type: In the list, select the type of split tunnel to use. Possible options are:
- Auto: Split tunneling is automatically used.
- Manual: Split tunneling is used over the IP address and port specified on the VPN server.
- Disabled: Split tunneling is not used.
- SSL Algorithm: Type the SSL algorithm to use for client-server negotiation.
- Vendor: A personal profile for generic agents that communicate with the Knox API.
- Forward routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:
- Forward route: Type the IP address for the forwarding route.
- Click Save to save the route or click Cancel to not save the route.
- Per App VPN: For each per-app VPN you want to add, click Add and do the following:
- Per App VPN: The VPN configuration that the app uses to communicate.
- Click Save to save the per-app VPN or click Cancel to not save the per-app VPN.
- Policy settings
- Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours)
- Select date: Click the calendar to select the specific date for removal.
- Duration until removal (in hours): Type a number, in hours, until policy removal occurs.
- Allow user to remove policy: You can select when users can remove the policy from their device. Select Always, Passcode required, or Never from the menu. If you select Passcode required, type a passcode in the Removal passcode field.
- Profile scope: Select whether this policy applies to a User or an entire System. The default is User. This option is available only on macOS 10.7 and later.
- Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours)
Samsung Knox settings
When you configure any policy for Samsung Knox, it applies only inside the Samsung Knox container.
- VPN Type: In the list, select the type of VPN connection to configure. The connection can be either Enterprise (applicable to Knox versions earlier than 2.0) or Generic (applicable to Knox versions 2.0 or higher). The default is Enterprise.
The following sections list the configuration options for each of the preceding connection types.
Configure Enterprise protocol for Samsung Knox
- Connection name: Type a name for the connection. This field is required.
- Host name: Type the name of the VPN host. This option is required.
- Enable backup server: Select whether to enable a backup VPN server. If enabled, in Backup VPN server, type the FQDN or IP address of the backup VPN server.
- Enable user authentication: Select whether to require user authentication. If enabled, configure the following settings:
- User name: Type a user name.
- Password: Type the user password.
- Group name: Type an optional group name.
- Authentication method: In the list, select the authentication method to be used. Possible options are:
- Certificate: Use certificate authentication. For certificate authentication, also select the credential to use from the Identity credential list.
- Pre-shared key: Use a pre-shared key. If selected, in the Pre-shared key field, type the shared secret key.
- Hybrid RSA: Use hybrid authentication using RSA certificates.
- EAP MD5: Authenticate the EAP peer to the EAP server, but does no mutual authentication.
- EAP MSCHAPv2: Use Microsoft’s Challenge-Handshake authentication for mutual authentication.
- CA certificate: In the list, select the certificate to be used.
- Enable default route: Select whether to enable a default route to the VPN server.
- Enable smartcard authentication: Select whether to allow users to authenticate by using smart cards. The default is Off.
- Enable mobile option: Select whether to enable mobile option.
- Diffie-Hellman group value (key strength): In the list, select the key strength to be used. The default is 0.
- Split tunnel type: In the list, select the type of split tunnel to use. Possible options are:
- Auto: Split tunneling is automatically used.
- Manual: Split tunneling is used over the IP address and port specified on the VPN server.
- Disabled: No split tunneling is used.
- SuiteB type: In the list, select the level of NSA Suite B encryption to use. Possible options are:
- GCM-128: Use 128-bit AES-GCM encryption: This setting is the default.
- GCM-256: Use 256-bit AES-GCM encryption.
- GMAC-128: Use 128-bit AES-GMAC encryption.
- GMAC-256: Use 256-bit AES-GMAC encryption.
- None: Use no encryption.
- Forward routes: Click Add to add any optional forwarding routes if your corporate VPN server supports multiple route tables.
Configure generic protocol for Samsung Knox
- Connection name: Type a name for the connection. This field is required.
- Package Name Agent VPN: The package name, or ID, of the VPN installed on the device; for example, Mocana or Pulse Secure.
- Host name: Type the name of the VPN host. This option is required.
- Enable user authentication: Select whether to require user authentication. If enabled, configure the following settings:
- User name: Type a user name.
- Password: Type the user password.
- Identity: Type an optional identifier for this configuration. Only applies when Vpn Connection type = IPSEC.
- VPN Connection type: In the list, select either IPSEC or SSL for the connection type to be used. The default is IPSEC. The following sections describe the configuration settings for each connection type.
- Configure IPSEC connection settings
- IPsec group ID type: In the list, select the IPsec group ID type to use. The default is Default. Possible options are:
- Default
- IPv4 address
- Fully qualified domain name (FQDN)
- User FQDN
- IKE key ID
- IKE version: In the list, select the Internet Key Exchange version to use. The default is IKEv1.
- Authentication method: In the list, select the authentication method to be used. The default is Certificate. Possible options are:
- Certificate: Use certificate authentication. If selected, in the Identity credential list, select the credential to use. The default is None.
- Pre-shared key: Use a pre-shared key. If selected, in the Pre-shared key field, type the shared secret key.
- Hybrid RSA: Use hybrid authentication using RSA certificates.
- EAP MD5: Authenticate the EAP peer to the EAP server, but does no mutual authentication.
- EAP MSCHAPv2: Use Microsoft’s Challenge-Handshake authentication for mutual authentication.
- CAC based Authentication: Use a Common Access Card (CAC) for authentication.
- CA certificate: In the list, select the certificate to be used.
- Enable dead peer detection: Select whether to contact a peer to ensure that it remains alive. The default is Off.
- Enable default route: Select whether to enable a default route to the VPN server.
- Enable mobile option: Select whether to enable mobile option.
- ike LifeTime in Minutes: Type the number of minutes before the VPN connection must be reestablished. The default is 1440 minutes (24 hours).
- ipsec LifeTime in Minutes: Type the number of minutes before the VPN connection must be reestablished. The default is 1440 minutes (24 hours).
- Diffie-Hellman group value (key strength): In the list, select the key strength to be used. The default is 0.
- IKE Phase 1 key exchange mode: Select either Main or Aggressive for the IKE Phase 1 negotiation mode. The default is Main.
- Main: No information is exposed to potential attackers during negotiation, but is slower than Aggressive mode.
- Aggressive: Some information (for example, the identity of the negotiating peers) is exposed to potential attackers during negotiation, but is faster than Main mode.
- Perfect forward secrecy (PFS) value: Select whether to use PFS to require a new key exchange renegotiating a connection.
- Split tunnel type: In the list, select the type of split tunnel to use. Possible options are:
- Auto: Split tunneling is automatically used.
- Manual: Split tunneling is used over the IP address and port specified on the VPN server.
- Disabled: Split tunneling is not used.
- SuiteB Type: In the list, select the level of NSA Suite B encryption to use. The default is GCM-128. Possible options are:
- GCM-128: Use 128-bit AES-GCM encryption.
- GCM-256: Use 256-bit AES-GCM encryption.
- GMAC-128: Use 128-bit AES-GMAC encryption.
- GMAC-256: Use 256-bit AES-GMAC encryption.
- None: Use no encryption.
- IPSEC Encryption algorithm: VPN configuration that the IPsec protocol uses.
- IKE Encryption Algorithm: VPN configuration that the IPsec protocol uses.
- IKE Integrity Algorithm: VPN configuration that the IPsec protocol uses.
- Knox: Configurations for Samsung Knox only.
- Vendor: A personal profile for generic agents that communicate with the Knox API.
- Forward routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:
- Forward route: Type the IP address for the forwarding route.
- Click Save to save the route or click Cancel to not save the route.
- Per App VPN: For each per-app VPN you want to add, click Add and do the following:
- Per App VPN: The VPN configuration the app uses to communicate.
- Click Save to save the per-app VPN or click Cancel to not save the per-app VPN.
- IPsec group ID type: In the list, select the IPsec group ID type to use. The default is Default. Possible options are:
- Configure SSL connection settings
- Authentication method: In the list, click the authentication method to use. Possible options are:
- Not Applicable: No authentication method applies. This setting is the default.
- Certificate: Use certificate authentication. This setting is the default. If selected, in the Identity credential list, select the credential to use. The default is None.
- CAC based Authentication: Use a Common Access Card (CAC) for authentication.
- CA certificate: In the list, select the certificate to be used.
- Enable default route: Select whether to enable a default route to the VPN server.
- Enable mobile option: Select whether to enable mobile option.
- Split tunnel type: In the list, select the type of split tunnel to use. Possible options are:
- Auto: Split tunneling is automatically used.
- Manual: Split tunneling is used over the IP address and port specified.
- Disabled: No split tunneling is used.
- SuiteB Type: In the list, select the level of NSA Suite B encryption to use. The default is GCM-128. Possible options are:
- GCM-128: Use 128-bit AES-GCM encryption.
- GCM-256: Use 256-bit AES-GCM encryption.
- GMAC-128: Use 128-bit AES-GMAC encryption.
- GMAC-256: Use 256-bit AES-GMAC encryption.
- None: Use no encryption: Type the SSL algorithm to use for client-server negotiation.
- SSL Algorithm: Type the SSL algorithm to use for client-server negotiation.
- Knox: Configurations for Samsung Knox only.
- Vendor: A personal profile for generic agents that communicate with the Knox API.
- Forward routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:
- Forward route: Type the IP address for the forwarding route.
- Click Save to save the route or click Cancel to not save the route.
- Per App VPN: For each per-app VPN you want to add, click Add and do the following:
- Per App VPN: The VPN configuration the app uses to communicate.
- Click Save to save the per-app VPN or click Cancel to not save the per-app VPN.
- Authentication method: In the list, click the authentication method to use. Possible options are:
Windows Desktop/Tablet settings
- Connection name: Enter a name for the connection. This field is required.
- Profile type: In the list, select either Native or Plugin. The default is Native.
- Configure Native profile type: These settings apply to the VPN built into users’ Windows devices.
- Server address: Type the FQDN or IP address for the VPN server. This field is required.
- Remember credential: Select whether to cache the credential. The default is Off. When enabled, credentials are cached whenever possible.
- DNS Suffix: Type the DNS suffix.
- Tunnel type: In the list, select the type of VPN tunnel to use. The default is L2TP. Possible options are:
- L2TP: Layer 2 Tunneling Protocol with pre-shared key authentication.
- PPTP: Point-to-Point Tunneling.
- IKEv2: Internet Key Exchange version 2.
- Authentication method: In the list, select the authentication method to use. The default is EAP. Possible options are:
- EAP: Extended Authentication Protocol.
- MSChapV2: Use Microsoft’s Challenge-Handshake authentication for mutual authentication. This option is not available when you select IKEv2 for the tunnel type.
- EAP method: In the list, select the EAP method to be used. The default is TLS. This field is not available when MSChapV2 authentication is enabled. Possible options are:
- TLS: Transport Layer Security
- PEAP: Protected Extensible Authentication Protocol
- Trusted networks: Type a list of networks separated by commas that do not require a VPN connection for access. For example, when users are on your company wireless network, they can access protected resources directly.
- Require smart card certificate: Select whether to require a smart card certificate. The default is Off.
- Automatically select client certificate: Select whether to automatically choose the client certificate to use for authentication. The default is Off. This option is unavailable when you enable Require smart card certificate.
- Always on VPN: Select whether the VPN is always on. The default is Off. When enabled, the VPN connection remains on until the user manually disconnects.
- Bypass For Local: Type the address and port number to allow local resources to bypass the proxy server.
- Configure Plugin profile type: These settings apply to VPN plug-ins obtained from the Windows Store and installed on users’ devices.
- Server address: Type the FQDN or IP address for the VPN server. This field is required.
- Remember credential: Select whether to cache the credential. The default is Off. When enabled, credentials are cached whenever possible.
- DNS Suffix: Type the DNS suffix.
- Client app ID: Type the package family name for the VPN plug-in.
- Plugin Profile XML: Select the custom VPN plug-in profile to be used by clicking Browse and navigating to the file’s location. Contact the plug-in provider for format and details.
- Trusted networks: Type a list of networks separated by commas that do not require a VPN connection for access. For example, when users are on your company wireless network, they can access protected resources directly.
- Always on VPN: Select whether the VPN is always on. The default is Off. When enabled, the VPN connection remains on until the user manually disconnects.
- Bypass For Local: Type the address and port number to allow local resources to bypass the proxy server.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论