Per-App VPN AirWatch and F5 BIGIP APM

Nowadays, with MDM, we can push VPN configurations to mobile devices.

A new kind of VPN called Per-App VPN (Android 5.0 or iOS 7.0 minimum) is available on MDMs such as AirWatch, MobileIron ... Per-App VPN is a brand new VPN tunnel concept. A Per-App VPN tunnel is started only for a specific application on the mobile terminal. All traffic from this app is routed into this tunnel. All other traffic uses the local NIC (Wi-Fi, 3G/4G, without VPN).

It is slightly different from On-Demand VPN. On-Demand VPN starts when a specific network is requested, and all traffic goes through the tunnel regardless of the application.

This video explains how to configure the AirWatch side and the APM side.

 

/////////////////////////////////////////////////////////////////////////////////////////

 

With an MDM (Mobile Device Manager), it is possible to push a so-called "Per-App VPN" configuration profile to your mobile devices (iOS 7.x and Android 5.0 minimum).

A Per-App VPN is a VPN brought up on demand by an application on the mobile device. It is similar to "On-Demand", except that only the traffic leaving the application goes into the SSL tunnel, unlike an On-Demand tunnel, where all traffic goes through the SSL tunnel.

In this article (video in English), I present the setup of a Per-App VPN solution with the AirWatch MDM and the F5 BIGIP APM SSL gateway. For this:

  • AirWatch integrates the F5 SSL VPN building blocks into its MDM to simplify the configuration of SSL VPN profiles. No XML code is needed because the EDGE client is already known to the AirWatch MDM.
  • F5 integrates APIs with MDM solutions such as AirWatch.

 

 

Published May 04, 2015
Version 1.0
  • Why in French and not in English? Annoying, isn't it, when you can't read what someone writes.
  • Hi Richard, you are on the French blog (French tag on this article) and you are right, I don't speak Dutch ;). Let me translate for you: Nowadays, with MDM, we can push VPN configurations to mobile devices. A new kind of VPN called Per-APP VPN (Android 5.0 or iOS 7.0 minimum) is available on MDM like AirWatch, MobileIron ... Per-APP is a brand new VPN tunnel concept. This Per-App VPN tunnel is started only for a specific application on the mobile terminal. All flows from this app are routed into this tunnel. All other traffic uses local NIC (WIFI, 3/4G without VPN). It's a little bit different from On-Demand VPN. On-Demand starts when a specific network is requested and all traffic goes through this tunnel whatever the application. This video explains how to set AirWatch side and APM side. Hope this helps.
  • Hello Matthieu. So it is possible to have several tunnels from the same device (several apps launched, each with Per-App VPN). Does APM count 1 CCU per device in this case or not? Thank you for your clarification. Alexandre
  • You don't mention the "device validation" part (sideband iRule). There is no reference to it on DevCentral. Could you give us some information about it?
  • Hi. Nice piece of work... But even though I see that the latest Android Edge Client supports Per App VPN, I see no way to enable it. The only function that seems available is On Demand VPN on Android. Or did I miss something?
  • Alexandre, the iRules are available through your local F5 contact. They are not public yet. Yoann, Per-App VPN settings can only be done from an MDM. There is no way to enable it in EDGE Client app.
  • Where can I find more detail regarding how the macro objects were configured ("Collect Device Info", "Enrollment" and "On-Demand Cert Auth")?
  • Hi Matthieu, does Edge Client on Android 5.0 start the VPN connection when the "per App-VPN" enabled App is started? On iOS, this works fine, but we couldn't do that on Android so far. According to my information, this should be possible with Android 5 now. I've raised a support call for that but they don't wanna help me ;( Thanks in advance.
  • Hi, thank you for the great guide. I am having a problem finding the iApp and the iRules used in the guide. Can you please provide the iRule?