on 04-Apr-2014 11:31
As an F5 engineer out in the field I’m fortunate in that I get to talk with customers about their projects and security concerns. While it probably would not surprise you to learn that mobility is a key project for many organizations, what does surprise me is how many are still using a layer-3 VPN approach on mobile devices. The major problem with this design is that once the VPN is established, any application on the mobile platform can access the corporate network. As we hear more and more about malware on mobile devices, it is critical to start protecting corporate infrastructure by limiting access to corporate applications only.
With iOS 7 Apple introduced a great way to accomplish this with their Per app VPN. Per app VPN allows iOS to control which applications have access to the VPN tunnel. This gives organizations the ability to designate which applications are corporate apps and treat everything else as personal. Per app VPN also works in Safari with per-tab granularity. So I can have one tab open watching who the Houston Texans take in the first round of the draft (Johnny Manziel of course) and a second tab that is securely connected to my corporate SharePoint site.
To take advantage of the iOS Per app VPN functionality, Apple requires an Enterprise Mobile Management (EMM) solution to configure the mobile device and an enterprise VPN solution like F5’s Access Policy Manager. So, if you’re anything like me you’ve scrolled past this text and straight to the pictures below because you need to deploy this ASAP, right? Well, here we go…
The iOS Per app VPN uses F5’s APM SOCKS proxy functionality, so we'll need TMOS 11.4 or higher installed on the BIG-IP and Edge Client 2.0 or higher installed on the mobile device.
1. Create a new Application Policy Profile and select your default language.
2. Customize the profile's Visual Policy Builder by adding a Client Cert Inspection object and setting the successful branch to Allow.
3. Create a new LTM Client SSL Profile:
4. Create a new LTM Virtual Server:
So what does the end result look like? In the example below I tested the Safari per-tab capabilities by clicking the F5 shortcut icon and seamlessly had access to my test web server.
In Part 2 we will walk through how I configured AirWatch to perform the user experience demonstration.
I checked your examples against what I have and it seems to align fairly well. Now the service that the iOS device is connecting to using this is the web resource behind the virtual server, correct? Or can it connect to a different service (not hosted on an F5 LTM) through this per-app tunnel?
Also my certificate check is slightly different, but the check is successful, so I assume this is valid.
Outside of the APM and LTM licences, do we need other specific licencing to get the iOS 7 Per app VPN working on an F5?
If yes, is it a per-user based licence?
If I take the example of one app activating a Per-app VPN and at the same time we have Safari connected to a corporate SharePoint using another Per-app VPN connection, would both connections be active at the same time?
Thanks a lot
Only an APM license is required for the iOS Per app VPN, so if you have LTM and APM licensing you're good to go. As for your example, yes, both apps would have access as long as they're connecting to the same APM.
Can anyone help me find the best way to integrate this with an iOS WebDAV client connecting to SharePoint? Currently, we use cert-based auth to SharePoint, which redirects to STS. However, if I could combine the steps of the VPN CBA and use APM to SSO to SharePoint, it would take all of the logic off of the client app.