Forum Discussion
James_124437
Nimbostratus
NimbostratusiOS 7 - Per App VPN
Does F5 support the per app VPN available now on iOS 7?
If so, can each app authenticate as different "users"?
Apple Documentation: Profile Configurations
kunjanYou may want to connect the iPCU and check the console logs.. also on the apm logs.
http://support.omnigroup.com/ios-console-log
Michael_Koyfma1Cirrus
Brad,
Perhaps it is worth opening a ticket with support on this. Per-App VPN will only fire automatically when you have On-demand VPN configured and working properly, else you have to establish it manually via EDGE client and then launch the App
brad_11480We are trying to get the per-app VPN working. The application is Epic Haiku. The MDM provider is MobileIron. The application was to a point where it did fireup the VPN connection, but the application was not sending through the VPN.. actually it wasn't able to send data anywhere (we had a tcpdump on the wireless controller). AT that time everything BUT that application was working via the SSLVPN tunnel.
From above, I realized that the desktop and network profile needed to be removed and the 'VDI & Java Support' checked for the virtual server. We did that. Then we found that the application firing up didn't establish the SSLVPN connection any longer.
Not sure this is an active thread.. Thanks for any insights. Brad Hanson, HealthPartners, Bloomington, Minnesota (I apologize for cross posting this on another thread first-- this was the thread that it probably should have gone on).
James, from APM side, is it just set a Network Access? How about the logon setting?
Thanks and good to know that Safari is enabled by default. I'm going to setup the Per-App VPN using MobileIron. Any experience and tips to config. both APM & MobileIron?
- James_124437It requires settings available in AirWatch version 7 and above.
Dan_Kieta_11582James, What version of AirWatch are you using? To this point, I have been unsuccessful in getting per-app VPN to work with our Airwatch implementation. Can you provide any guidance?- James_124437I don't have any experience with MobileIron. We use AirWatch here.
Thanks Michael. For Per-App VPN, my understanding is this feature required the mobile app support. Is it a list of supported app? If the app is not supported, is it using Mobile SDK to make it work with APM?
- James_124437Clive, Safari is enabled by default for Per-App VPN. In your configuration, you can specify the URLs that are whitelisted for Per-App VPN. There is a "SafariDomains" attribute of the Per-App VPN payload.
- Alex, thanks. I want to set Safari for per-App VPN. Is it supported? How to configure it?
- Alex_Zaytsev_13Clive, from what i observed, as long as app uses NextStep classes, it will be fine. If you are using CoreFoundation classes to make connections, you need to make the app proxy aware. Specifically, browser applications (e.g. Chrome) from App Store don't appear to be working with per-app vpn currently.
Michael_KoyfmanCirrocumulus
You don't need the Network Access Object on APM in order to use Per-App VPN - you just need to check "VDI & Java Support" on the Virtual server. Per-App VPN and Full Network Tunnel VPN are mutually exclusive - you currently can't have both on the same virtual server.
- Michael_KoyfmanUnfortunately, there is no public documentation on the topic just yet. In order for the Per-App VPN to work, you don't assign any resources to the session in the policy - no webtop, no Network Access - just end the branch in Allow state after the authentication - and you must check the 'VDI and Java" checkbox on the Virtual Server properties - that is it.
- Dan_Kieta_11582Michael, Do you know if there is any documentation that you can point me to that describes what needs to be configured on the Big-IP to support Per-App VPN? Are you saying that Network Access / APM is not required to make this work?
- Michael_Koyfma1
You don't need the Network Access Object on APM in order to use Per-App VPN - you just need to check "VDI & Java Support" on the Virtual server. Per-App VPN and Full Network Tunnel VPN are mutually exclusive - you currently can't have both on the same virtual server.
- Michael_Koyfma1Unfortunately, there is no public documentation on the topic just yet. In order for the Per-App VPN to work, you don't assign any resources to the session in the policy - no webtop, no Network Access - just end the branch in Allow state after the authentication - and you must check the 'VDI and Java" checkbox on the Virtual Server properties - that is it.
- Dan_Kieta_11582Michael, Do you know if there is any documentation that you can point me to that describes what needs to be configured on the Big-IP to support Per-App VPN? Are you saying that Network Access / APM is not required to make this work?
Is it means that from APM side, we just need to configure the normal Network Access and let the MDM Vendor configure the Per-app VPN profile only?
- Michael_Koyfman
MDM vendors need to specify the proper configuration in their software to enable F5 EDGE client Per-App VPN functionality.
Specifically, to specify that Per-App VPN is going to be used, they should specify the PerAppVpn key PerAppVpntrue in the configuration profile's VendorConfig section of the Per-app VPN profile.
If you are having difficulties with Per-App VPN functionality, please open a case with your MDM vendor and ask them to verify that they are sending this key as part of the F5 EDGE client per-App VPN configuration.
- Michael_KoyfmanOops, sorry, it should be: PerAppVpntrue
- Dan_Kieta_11582Michael, What is the syntax for this key in the VendorConfig section. I tried adding: VendorConfig PerAppVpntrue This did not work. Can you provide the correct syntax?