
Mobile Connect 4.0 iOS User Guide

Installing and Connecting

This section describes how to install Mobile Connect on your device and how to configure and initiate a VPN connection using Mobile Connect.

Installing Mobile Connect

SonicWall Mobile Connect is installed through the Apple App Store.

To download and install the Mobile Connect app:
1. On your iPhone, iPod touch, or iPad, tap the App Store icon.
2. Go to the Search tab, type in Mobile Connect, and tap Search.
3. In the search results, select Mobile Connect.
4. Tap Free and then tap Install. The application installs on your device. When the installation is complete, the SonicWall Mobile Connect icon appears on your device.

NOTE: If you encounter an error when attempting to download Mobile Connect, see iTunes Store Customer Support, where you can find troubleshooting procedures and instructions on how to report the issue using your iTunes account: http://www.apple.com/support/itunes/.

Creating and Saving Connections

The process of creating a Mobile Connect connection is slightly different depending on the type of SonicWall appliance to which you are connecting.

Creating Firewall or SMA 100 Series / SRA connections

To create and save a new connection to a SonicWall network security appliance or SMA/SRA:
1. The first time you launch Mobile Connect, you are prompted to enable VPN functionality. Tap Enable.
2. In the next screen, tap Add Connection.
3. In the Name field, type in a descriptive name for the connection.
4. In the Server field, type in the URL or IP address of the server (appliance).
5. Tap Next. Mobile Connect attempts to contact the SonicWall appliance.
   - If Mobile Connect contacts the appliance successfully, the server connection is added to the list of saved connections on the Connections screen.
   - If the attempt fails, a warning message displays, asking if you want to save the connection. Verify that the server address or URL is spelled correctly, and then tap Save.
6. If Mobile Connect successfully contacts the server, you are prompted to enter your Username and Password, unless the server does not require this information. Type your credentials into the Username and Password fields.
   NOTE: If the previous screenshot does not match what is displayed on your device, you are connecting to a SonicWall SMA 1000 Series / E-Class SRA appliance. See Creating SMA 1000 Series / E-Class SRA Connections.
7. The Domain field is auto-populated with the default domain from the server. To select a different domain, tap Domain to display a drop-down menu of the available options, and then select the correct domain.
8. Tap Save. The Connections screen where you select the server connection is displayed.


Creating SMA 1000 Series / E-Class SRA Connections

To create and save a new connection to a SonicWall SMA 1000 Series / E-Class SRA appliance:
1. The first time you launch Mobile Connect, you are prompted to enable VPN functionality. Tap Enable.
2. In the next screen, tap Add Connection.
3. In the Name field, type in a descriptive name for the connection.
4. In the Server field, type in the URL or IP address of the server (appliance).
5. Tap Next. Mobile Connect attempts to contact the SonicWall appliance.
   - If Mobile Connect contacts the appliance successfully, the server connection is added to the list of saved connections on the Connections screen.
   - If the attempt fails, a warning message displays, asking if you want to save the connection. Verify that the server address or URL is spelled correctly, and then tap Save.

Clicking Save adds the server connection to the list of saved connections on the Connections screen.


Initiating a Connection

After you save a new connection, the Connections screen displays the list of all configured connections.

Connections screen

To initiate a Mobile Connect session:
1. Tap the connection in the list that you want to initiate. The Connection page displays.
2. Tap the VPN switch to enable the VPN.
3. Type your credentials into the Username and Password fields, if prompted (depending on whether the appliance you are connecting to allows for saving usernames and passwords), and then tap Login.
4. When the connection is successfully established, the Status row changes to Connected and the VPN switch is on.
   Any bookmarks defined for the portal are displayed following the Status row. You can launch a bookmark by tapping on it.
5. Press the Home button on your iPhone, iPod touch, or iPad to display its home screen. You can now navigate to other applications to access your Intranet network. The status bar at the top of the iPhone, iPod touch or iPad displays a VPN icon to indicate that the Mobile Connect session is still connected.

If the VPN connection is interrupted, the VPN icon disappears and you are no longer able to access the Intranet network. This can happen if your device's connection transitions from wireless to cellular or to another network type.

Return to Mobile Connect to reestablish the connection. Optionally, you can configure Automatic Reconnect on the Settings tab to have Mobile Connect automatically attempt to reestablish interrupted connections.


Configuring Connect on Demand

The Connect on Demand feature provides the ability for Mobile Connect to automatically establish a VPN connection when you attempt to access a domain on the private network. This provides a seamless VPN connectivity experience without the need to manually launch Mobile Connect.

NOTE: Connect on Demand is only available for connections to SonicWall SMA 1000 Series / E-Class SRA and SonicWall SMA 100 Series / SRA appliances.

See the following:

Connect on Demand to SMA 1000 Series / E-Class SRA

The easiest way to determine if Connect on Demand is available for your SMA 1000 Series / E-Class SRA connection is to look at the Connection screen when a VPN is connected. If the information indicator appears at the right side of the Status row, Connect on Demand can be configured while connected.

Info indicator

A VPN configuration on the SonicWall SMA 1000 Series / E-Class SRA appliance must meet the following requirements to support Connect on Demand:

- The VPN tunnel must not be configured for Redirect-All mode.
- The realm must be configured to use client certificates for authentication. Chained authentication (where a second authentication server is used) does not support Connect on Demand.
- The valid client certificate for the realm must be present.
- The user must successfully connect to the appliance at least one time.

If the Mobile Connect app is not running and user interaction is required for the VPN connection attempt to succeed, VPN on Demand may fail to connect. Some scenarios where user interaction may be required include the following:

- The VPN server's SSL certificate is untrusted.
- Personal Device Authorization is enabled on the server and the device has not been authorized.
- Two-factor user authentication, such as a one-time password, is required.

To configure Connect on Demand to SonicWall SMA 1000 Series / E-Class SRA:
1. Tap the information indicator in the Status row on the Connection tab. The Connect On Demand screen displays.
2. Tap Connect on Demand.
3. Set Domain List to one of the following:
   a. Set Domain List to Connect If Needed to have Mobile Connect establish a VPN connection when accessing a resource with any of the domain suffixes listed.
   b. Set Domain List to Never Connect to disable Connect on Demand for the domain suffixes listed.
4. If more than one domain is listed, you can enable Connect on Demand for individual domains by tapping on the domain name.
   NOTE: Always Connect domains are no longer supported in iOS 7 and 8. They behave the same as Connect if Needed.


Connect on Demand to SMA 100 Series / SRA

On SonicWall SMA 100 Series / SRA appliances, client certificate authentication is available as a second factor authentication method in addition to standard user name and password authentication. If a client certificate is required during authentication, the user is automatically prompted to select a client certificate from the iOS device.

Selecting a certificate

Tapping on the information indicator that appears to the right of the client certificate displays additional details for the client certificate.

Certificate details

By default, a VPN configuration uses the client certificate setting of Choose during login.

To support Connect on Demand, a VPN configuration on the SonicWall SMA 100 Series / SRA appliance must meet the following requirements:

- The user’s effective client certificate enforcement policy, configured at the domain or user level, must be enabled to use client certificates for authentication.
- The user’s effective user name and password caching policy (configured at the global, group, or user level) must be set to Allow saving of username and password.
- The valid client certificate for the user must be present on the iOS device.
- The iOS VPN connection profile must have the user name and password configured, and the appropriate client certificate must be selected.

To configure Connect on Demand to SonicWall SMA 100 Series / SRA:
1. Tap Certificate on the Edit Connection screen.
2. Select a client certificate from the list.
   The Connect On Demand setting is displayed.
3. Tap Connect On Demand on the Edit Connection screen to enable Connect On Demand and display the Connect On Demand screen.
4. In the Connect On Demand screen, set Domain List to Connect If Needed to have Mobile Connect establish a VPN connection when accessing a resource with any of the domain suffixes listed.
   Setting Domain List to Never Connect disables Connect on Demand for the domain suffixes listed.
5. If more than one domain is listed, tap a domain name to enable Connect on Demand for an individual domain.
   NOTE: Always Connect domains are no longer supported in iOS 7 and 8. They behave the same as Connect if Needed.


Configuring Trusted Network Detection

The Apple Trusted Network Detection (TND) enhancement to the iOS Connect On Demand feature is available starting in iOS 6.

TND has the following properties:

- Can be used only with Connect on Demand.
- Extends the Connect on Demand functionality by determining whether the user is on a trusted network.
- Is configured with the iPhone Configuration Utility.
- Is used for wireless connections only. When operating over other types of network connections, Connect on Demand does not use TND to determine whether a VPN should be connected.

Connect On Demand starts a VPN connection whenever a user tries to access a destination with a hostname specified in the domains list. For example, if *.example.com is in the Always Connected list, when a user accesses internal.example.com, the client starts a VPN connection regardless of the network to which the device is currently connected. TND compares the VPN and local DNS servers and DNS suffixes to determine whether to use Mobile Connect and dial the VPN, as shown in the following table:

DNS comparison and effect on login

| DNS suffixes  | DNS servers     | Login            |
|---------------|-----------------|------------------|
| None          | None            | Refused - no VPN |
| None          | Same            | Refused - no VPN |
| Same          | Same            | Refused - no VPN |
| Same          | Same and others | Allowed          |
| Same          | Different       | Allowed          |
| Different     | Same            | Allowed          |
| Partial match | Partial match   | Allowed          |

A partial match means that if there are two DNS servers configured for TND, but only one DNS server matches the actual network environment, then the login will still be allowed.

Consult documentation from Apple Inc. for more information about Trusted Network Detection and Connect on Demand.

To determine if TND is available for your connection, tap the information indicator in the Status row on the Connection tab. This displays the Trusted Networks button used to enable/disable TND, if available.

Trusted Networks button

To configure TND:
1. Tap the information indicator in the Status row on the Connection tab.
2. Ensure that Connect On Demand is turned on.
3. Turn on Trusted Networks.

NOTE: Trusted Network Detection is available only for connections to SonicWall SMA 1000 Series / E-Class SRA appliances.


Using Apple Configurator with Mobile Connect

The Apple Configurator makes it easy for anyone to mass configure and deploy iPhone, iPad, and iPod touch in business and education. It lets administrators of enterprise environments create configuration profiles for iOS devices that provide the ability to preconfigure the device settings for enterprise policies, such as VPN configuration, security policies, wireless settings, and so on.

The Apple Configurator enables administrators to configure Mobile Connect profiles for their users’ iOS devices. Information about installing and using Apple Configurator 2.0 is available here:

https://support.apple.com/en-us/HT205285

To configure a Mobile Connect profile using the Apple Configurator 2.0:
1. Download, install and launch the Apple Configurator 2.0.
2. Click File > New Profile.
3. Select VPN, and then click Configure.
4. In the Connection Name field, enter a name for the connection.
5. In the Connection Type drop-down menu, select SonicWall Mobile Connect.
6. In the Server field, enter the hostname or IP address for the SonicWall appliance.
7. (Optional) In the Account field, enter the username for the account.
8. The Login Group or Domain value depends on the type of appliance used for the connection:
   - For profiles connecting to SonicWall Firewall or SMA 100 Series / SRA appliances, enter the value in the Domain field shown in the Edit Connection screen of the Mobile Connect application.
   - For profiles connecting to SonicWall SMA 1000 Series / E-Class SRA appliances, enter the value selected in the Log in to screen, when initiating a connection in Mobile Connect.
9. In the User Authentication drop-down menu, select Password.
10. (Optional for connections to Firewall or SMA 100 Series / SRA appliances) In the Password field, enter the password for the user account, if the SonicWall appliance you are connecting to is configured to allow for saving passwords.
    NOTE: Only SonicWall Firewall or SMA 100 Series / SRA appliances can store passwords. SonicWall SMA 1000 Series / E-Class SRA appliances cannot store passwords.
11. (Optional for connections to SonicWall SMA 1000 Series / E-Class SRA appliances) If a proxy server is used for the connection, in the Proxy drop-down menu, select either Manual or Automatic. If a proxy server is not used, leave this set to None.
    NOTE: Only SonicWall SMA 1000 Series / E-Class SRA appliances support Mobile Connect over proxy. Currently, SonicWall Firewall and SMA 100 Series / SRA appliances do not support Mobile Connect over proxy.
