Forum Discussion
iOS 7 - Per App VPN
Does F5 support the per app VPN available now on iOS 7?
If so, can each app authenticate as different "users"?
Apple Documentation: Profile Configurations
- Alex_Zaytsev_13Nimbostratus
@Michael Koyfman, Our own MDM solution :)
- Alex_Zaytsev_13Nimbostratus
@Michael Koyfman,
I tried adding the key you've specified to the payload, it didn't seem to have any effect - I can see in the console that the App VPN rule matched, but when I don't connect to VPN manually, I get the 'Requires app layer VPN' error and if I do connect manually, I get the same pair of 'no local address specified' - 'no remote address specified' errors.
I am using the latest EDGE client from App Store.
- Corey_12957Historic F5 Account
Alex - Can you send me the .mobileconfig file you are using?
- pm_01_139138Nimbostratus
Is this thread monitored? I have the same problem. Keep on getting App-Layer VPN required. Any solutions?
- Michael_KoyfmanCirrocumulus
MDM vendors need to specify the proper configuration in their software to enable F5 EDGE client Per-App VPN functionality.
Specifically, to specify that Per-App VPN is going to be used, they should specify the PerAppVpn key PerAppVpntrue in the configuration profile's VendorConfig section of the Per-app VPN profile.
If you are having difficulties with Per-App VPN functionality, please open a case with your MDM vendor and ask them to verify that they are sending this key as part of the F5 EDGE client per-App VPN configuration.
- Dan_Kieta_11582Nimbostratus
Michael, What is the syntax for this key in the VendorConfig section? I tried adding: VendorConfig PerAppVpntrue This did not work. Can you provide the correct syntax?
- Michael_KoyfmanCirrocumulus
Oops, sorry, it should be: PerAppVpntrue
- Clive_Chan_1672Historic F5 Account
Does it mean that from the APM side, we just need to configure the normal Network Access and let the MDM vendor configure the Per-app VPN profile only?
- Michael_KoyfmanCirrocumulus
You don't need the Network Access Object on APM in order to use Per-App VPN - you just need to check "VDI & Java Support" on the Virtual server. Per-App VPN and Full Network Tunnel VPN are mutually exclusive - you currently can't have both on the same virtual server.
- Dan_Kieta_11582Nimbostratus
Michael, Do you know if there is any documentation that you can point me to that describes what needs to be configured on the Big-IP to support Per-App VPN? Are you saying that Network Access / APM is not required to make this work?
- Michael_KoyfmanCirrocumulus
Unfortunately, there is no public documentation on the topic just yet. In order for the Per-App VPN to work, you don't assign any resources to the session in the policy - no webtop, no Network Access - just end the branch in Allow state after the authentication - and you must check the "VDI and Java" checkbox on the Virtual Server properties - that is it.
- Clive_Chan_1672Historic F5 Account
Thanks Michael. For Per-App VPN, my understanding is this feature requires mobile app support. Is there a list of supported apps? If the app is not supported, is it using Mobile SDK to make it work with APM?
- Alex_Zaytsev_13Nimbostratus
Clive, from what I observed, as long as the app uses NextStep classes, it will be fine. If you are using CoreFoundation classes to make connections, you need to make the app proxy aware. Specifically, browser applications (e.g. Chrome) from App Store don't appear to be working with per-app VPN currently.
- Clive_Chan_1672Historic F5 Account
Alex, thanks. I want to set Safari for per-App VPN. Is it supported? How to configure it?
- James_124437Nimbostratus
Clive, Safari is enabled by default for Per-App VPN. In your configuration, you can specify the URLs that are whitelisted for Per-App VPN. There is a "SafariDomains" attribute of the Per-App VPN payload.
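A check for the two payload settings discussed in this thread, the `PerAppVpn` key under `VendorConfig` and the `SafariDomains` list, added here as an example and not posted by any participant or taken from F5 or Apple. The sample profile is constructed, and accepting either a boolean or the string "true" as the value is an assumption, since the thread does not show the value type.

```python
import plistlib

APP_LAYER = "com.apple.vpn.managed.applayer"  # Apple's Per-App VPN payload type

# Constructed sample profile, not a real export from any MDM.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadContent</key><array>
  <dict>
    <key>PayloadType</key><string>com.apple.vpn.managed.applayer</string>
    <key>VPNUUID</key><string>constructed-uuid-1</string>
    <key>SafariDomains</key><array><string>intranet.example.com</string></array>
    <key>VendorConfig</key><dict>
      <key>PerAppVpn</key><string>true</string>
    </dict>
  </dict>
  <dict>
    <key>PayloadType</key><string>com.apple.vpn.managed.applayer</string>
    <key>VPNUUID</key><string>constructed-uuid-2</string>
    <key>VendorConfig</key><dict/>
  </dict>
</array></dict></plist>"""


def audit_profile(raw: bytes) -> list[dict]:
    """Return one finding per Per-App VPN payload in an unsigned profile."""
    profile = plistlib.loads(raw)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != APP_LAYER:
            continue
        vendor = payload.get("VendorConfig")
        value = vendor.get("PerAppVpn") if isinstance(vendor, dict) else None
        # Assumption: accept boolean true or the string "true"; the thread
        # does not show which value type the client expects.
        enabled = value is True or (isinstance(value, str) and value.lower() == "true")
        findings.append({
            "uuid": payload.get("VPNUUID"),
            "per_app_vpn_key": enabled,
            "value_type": type(value).__name__ if value is not None else None,
            "safari_domains": list(payload.get("SafariDomains", [])),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE):
        print(finding)
```

A signed profile must have its CMS wrapper removed before `plistlib` can parse it.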
- Clive_Chan_1672Historic F5 Account
Thanks and good to know that Safari is enabled by default. I'm going to set up the Per-App VPN using MobileIron. Any experience and tips to config. both APM & MobileIron?
- James_124437Nimbostratus
I don't have any experience with MobileIron. We use AirWatch here.
- Dan_Kieta_11582Nimbostratus
James, What version of AirWatch are you using? To this point, I have been unsuccessful in getting per-app VPN to work with our AirWatch implementation. Can you provide any guidance?
- James_124437Nimbostratus
It requires settings available in AirWatch version 7 and above.