Solving Secure Mobile Access with F5 and iOS 7 Per app VPN - Part 1
As an F5 engineer out in the field I’m fortunate in the fact that I get to talk with customers about their projects and security concerns. While it probably would not surprise you to learn that Mobility is a key project for many organizations what does surprise me is how many are still using a layer-3 VPN approach on mobile devices. The major problem with this design is that once the VPN is established any application on the mobile platform can now access the corporate network. As we hear more and more about malware on mobile devices it is critical to start protecting corporate infrastructure by limiting access to corporate applications only.
With iOS 7 Apple introduced a great way to accomplish this with their Per app VPN. Per app VPN allows iOS to control which applications have access to the VPN tunnel. This gives organizations the ability to designate which applications are corporate apps and treat everything else as personal. Per app VPN also works in Safari with a per-tab level of granularity. So I can have one tab open watching who the Houston Texan’s take in the first round draft (Johnny Manziel of course) and a second tab that is securely connected to my corporate SharePoint site.
To take advantage of the iOS Per app VPN functionality Apple requires an Enterprise Mobile Management (EMM) solution to configure the mobile device and an Enterprise VPN solution like F5’s Access Policy Manager. So, if you’re anything like me you’ve scrolled past this text and straight to the pictures below because you need to deploy this ASAP right? We’ll here we go…
The iOS Per app VPN uses F5’s APM SOCKS Proxy functionality so we'll need TMOS 11.4 or higher installed on the BIG-IP and Edge Client 2.0 or higher installed on the mobile device.
1. Create a new Application Policy Profile and select your default language.
2. Customize the Profile's Visual Policy Builder by adding a Client Cert Inspection object and set the successful branch to Allow
3. Create a new LTM Client SSL Profile:
- set Client Certificate to request
- set Trusted Certificate Authority to the CA that signed the certificate installed on the iOS device.
4. Create a new LTM Virtual Server:
- Add your customer Client SSL profile
- Select your Access Profile
- Select the default Connectivity Profile of create a custom connectivity profile with default settings
- Click the VDI & Java Support box to enable SOCKS proxy capabilities
So What does the end result look like? In the example below I tested the Safari per-tab capabilities by clicking the F5 shortcut icon and seamlessly had access to my test web server.