Mobile Connect 4.0 Windows 10 User Guide

Configuring VPN Connections

This section describes how to configure and initiate a VPN connection using SonicWall Mobile Connect for Windows 10.


Creating a Connection

In Windows 10, VPN connections can be created in the Settings app.

To create a VPN connection:
Launch the Settings app and navigate to Network & Internet > VPN.
Under VPN, select Add a VPN connection.

In the Add a VPN connection window, select SonicWall Mobile Connect as the VPN provider.

After entering all the required information, click Save.
IMPORTANT: If a custom port is required, then the server name must be entered in URL format in the Server name field, for example https://vpn.example.com:4433.

Once the VPN connection is successfully created, the VPN connection name appears in the list of connections and in the VPN section.

Connecting to the VPN Server

To establish a Mobile Connect VPN session:
In the Action Center, select the VPN. This opens the Settings app; select Connect to start the VPN.

Enter your username and password when prompted and tap OK. Note that the Windows Sign In screen accepts the SonicWall SMA 100 Series / SRA or Firewall appliance domain or the SonicWall SMA 1000 Series / E-Class SRA Login Group value as the Microsoft domain portion of the username:

Username@Domain OR Username@LoginGroup

Domain\Username OR LoginGroup\Username

Example 1: jdoe@SRA-DEMO or SRA-DEMO\jdoe, where SRA-DEMO is the name of the domain for the SMA 100 Series / SRA appliance.

Example 2: jdoe@CORP or CORP\jdoe, where CORP is the Login Group for the SMA 1000 Series / E-Class SRA appliance.

When the connection is successfully established, the Status changes to Connected and the Disconnect button replaces the Connect button.

Once connected, you can access the remote network. The Networks screen shows the status of the VPN connection.

If the VPN connection is interrupted, the VPN icon shows as disconnected and you will no longer be able to access the remote network. Windows 10 automatically attempts to reestablish interrupted connections; if it does not, return to the Networks screen to reestablish the VPN connection manually. VPN connections in Windows 10 can also be managed using PowerShell.

Configuring Connections with PowerShell

This section includes the following topics:

Creating VPN Connections with PowerShell

To create a VPN connection, use the PowerShell command Add-VpnConnection (see http://technet.microsoft.com/en-us/library/jj554824.aspx). The PluginApplicationID for the SonicWall Mobile Connect VPN plugin is SonicWALL.MobileConnect_e5kpm93dbe93j. In the example below, a VPN connection to vpn.example.com is created with default options. This is equivalent to using the Settings app on the Windows 10 device.

The following is an example of the PowerShell commands for creating a connection:

PS C:\> $xml = "<MobileConnect/>"

PS C:\> $sourceXml=New-Object System.Xml.XmlDocument

PS C:\> $sourceXml.LoadXml($xml)

PS C:\> Add-VpnConnection -Name VPN -ServerAddress vpn.example.com -SplitTunneling $True -PluginApplicationID SonicWALL.MobileConnect_e5kpm93dbe93j -CustomConfiguration $sourceXml

To delete a VPN connection, use the PowerShell command Remove-VPNConnection, specifying the VPN connection using the -name option. For example:

PS C:\> Remove-VpnConnection -Name VPN

Configuring VPN Connection Custom XML Settings

Using PowerShell, it is possible to configure advanced settings for the Mobile Connect VPN plug-in. This section describes each individual custom XML option and provides examples of how to configure these settings using PowerShell.

Server Port—<Port>4443</Port> - server port (optional, default is 443)
Debug Logging—<DebugLogging>true</DebugLogging> - enable debug logging in plug-in (optional, default false).
NOTE: If DebugLogging is enabled, logs are written to the following file:
Packet Capture—<PacketCapture>true</PacketCapture> - enable packet capture (optional, default false)
NOTE: If Packet Capture is enabled, the packet capture is in the following files:
Connections to SMA 1000 Series / E-Class SRA appliances:

Connections to SMA 100 Series / SRA and Firewall appliances:
Windows Native Authentication UI—<WindowsAuthUI>false</WindowsAuthUI> - disable Windows native authentication UI (optional, default true).
Parse Domain from Username field—<UsernameHasDomain>false</UsernameHasDomain> - Parse out Domain field from Username field in Windows Auth dialog (optional, default true). Username should be entered in the format <Username>@<Domain> or <Domain>\<Username>. For SMA 100 Series / SRA and Firewall connections, the Domain portion is used for the Domain field.
NOTE: <UsernameHasDomain> only applies if WindowsAuthUI is enabled.
Windows Single Sign On—<SingleSignOn>false</SingleSignOn> - Do not set SSO flag to RequestCredentials() (optional, default true).
NOTE: <SingleSignOn> does not apply to the username & password custom authentication prompt (WindowsAuthUI set to false).

PowerShell Examples for Customizing VPN Connections

Enable debug logging:

PS C:\> $xml = "<MobileConnect><DebugLogging>true</DebugLogging></MobileConnect>"

PS C:\> $sourceXml=New-Object System.Xml.XmlDocument

PS C:\> $sourceXml.LoadXml($xml)

PS C:\> Add-VpnConnection -Name VPN -ServerAddress vpn.example.com -SplitTunneling $True -PluginApplicationID SonicWALL.MobileConnect_e5kpm93dbe93j -CustomConfiguration $sourceXml

Enable debug logging and packet capture:

PS C:\> $xml = "<MobileConnect><DebugLogging>true</DebugLogging><PacketCapture>true</PacketCapture></MobileConnect>"

PS C:\> $sourceXml=New-Object System.Xml.XmlDocument

PS C:\> $sourceXml.LoadXml($xml)

PS C:\> Add-VpnConnection -Name VPN -ServerAddress vpn.example.com -SplitTunneling $True -PluginApplicationID SonicWALL.MobileConnect_e5kpm93dbe93j -CustomConfiguration $sourceXml

Specify Non-standard port for VPN connection:

PS C:\> $xml = "<MobileConnect><Port>4433</Port></MobileConnect>"

PS C:\> $sourceXml=New-Object System.Xml.XmlDocument

PS C:\> $sourceXml.LoadXml($xml)

PS C:\> Add-VpnConnection -Name VPN -ServerAddress vpn.example.com -SplitTunneling $True -PluginApplicationID SonicWALL.MobileConnect_e5kpm93dbe93j -CustomConfiguration $sourceXml
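The following PowerShell is an added example and is not code from the SonicWall guide. It wraps the Add-VpnConnection sequence used in the three examples above, and in the Creating VPN Connections with PowerShell section, in a single function that builds the <MobileConnect> custom configuration with the XML DOM instead of string concatenation (so option values are escaped and the document is always well-formed), supports -WhatIf for a dry run, and reads the profile back with Get-VpnConnection to confirm it was stored. The function name, connection name and server address are placeholders; the PluginApplicationID is the value stated in this guide.

```powershell
# Added example, not from the SonicWall guide. Assumes the Mobile Connect plug-in
# is installed and uses the PluginApplicationID documented in the guide.
# 'VPN' and 'vpn.example.com' are placeholders.

function New-MobileConnectVpn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ServerAddress,
        # Custom XML options as element name -> value, e.g. @{ Port = 4433; DebugLogging = $true }
        [hashtable] $Options = @{},
        [bool] $SplitTunneling = $true
    )

    $pluginId = 'SonicWALL.MobileConnect_e5kpm93dbe93j'   # from the guide

    # Build <MobileConnect>...</MobileConnect> through the DOM so that every value
    # is XML-escaped and a typo cannot produce a document the plug-in rejects.
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('MobileConnect'))
    foreach ($key in $Options.Keys) {
        $value = $Options[$key]
        # The plug-in expects lowercase true/false, not PowerShell's True/False.
        if ($value -is [bool]) { $value = $value.ToString().ToLowerInvariant() }
        $el = $doc.CreateElement($key)
        $el.InnerText = [string]$value
        [void]$root.AppendChild($el)
    }

    if ($PSCmdlet.ShouldProcess($Name, "Add-VpnConnection with custom configuration $($doc.OuterXml)")) {
        # Colon syntax works whether the parameter is a switch or a Boolean.
        Add-VpnConnection -Name $Name -ServerAddress $ServerAddress `
            -SplitTunneling:$SplitTunneling `
            -PluginApplicationID $pluginId `
            -CustomConfiguration $doc

        # Read the profile back; a mismatch means the profile was not stored as intended.
        $vpn = Get-VpnConnection -Name $Name
        if ($vpn.ServerAddress -ne $ServerAddress) {
            throw "Profile '$Name' was created but its server address is '$($vpn.ServerAddress)'."
        }
        $vpn
    }
}

# Usage (placeholders): non-standard port plus debug logging, as in the examples above.
New-MobileConnectVpn -Name 'VPN' -ServerAddress 'vpn.example.com' `
    -Options @{ Port = 4433; DebugLogging = $true }

# Dry run: shows the XML that would be stored without creating anything.
New-MobileConnectVpn -Name 'VPN' -ServerAddress 'vpn.example.com' -Options @{ Port = 4433 } -WhatIf
```

Run the dry-run form first when rolling a profile out: the -WhatIf output shows the exact <MobileConnect> document, which is the easiest place to catch a mistyped element name before the plug-in silently ignores it.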

Configuring Advanced VPN Connection Settings

This section includes the following topics:

Configuring SMA 1000 Series / E-Class SRA Connection Settings

The following settings are applicable to VPN connections with SMA 1000 Series / E-Class SRA appliances:

Encapsulated Security Payload—<ESP>true</ESP> - Enable ESP mode (optional, default false)
Compression—<Compression>false</Compression> - Disable lz4 compression (optional, default true)
Network Conflict Resolution Mode—<NCR>Local</NCR> - Set Network Conflict Resolution (NCR) mode (optional, default 'Admin', other values 'Remote' or 'Local')
Login Group Caching—<CacheLoginGroup>true</CacheLoginGroup> - Enable Login Group selection caching (optional, default false)

Configuring SMA 100 Series / SRA and Firewall Connection Settings

The following settings are applicable to VPN connections with SMA 100 Series / SRA or Firewall appliances:

Case-sensitive Domain Matching—<DomainMatchCaseSensitive>true</DomainMatchCaseSensitive> - Perform case-sensitive match for user entered Domain field against VPN server Domain (optional, default false)
NOTE: Default behavior is that a case-insensitive match is performed. Only applies if <WindowsAuthUI> is enabled and <UsernameHasDomain> is enabled.
Max Login Retries—<MaxLoginRetries>0</MaxLoginRetries> - (optional, default 2 - total of 3 login attempts allowed)
Require Smart Card Certificate—<SmartCardRequired>true</SmartCardRequired> - require client certificate to be Smart Card (CertificateQuery->HardwareOnly flag must be set) (optional)
Client Certificate Issuer CA—<ClientCertIssuerCA>testing.testsslvpn.com</ClientCertIssuerCA> - filter set of client certificates installed on Windows 10 by the Issuer CA (optional)
NOTE: The WinRT StreamSocket API in Windows 10 does not currently provide the list of Issuer CA certificates from the SSL server, so this may be used as a workaround to filter the list.
Automatically Select Client Certificate—<ClientCertAutoSelect>true</ClientCertAutoSelect> - automatically select a single client certificate without prompting the user for verification (optional, default false)
Client Certificate Thumbprint—<ClientCertThumbprint>bea9275b806262dea611059efc8c2fa557d8ee10</ClientCertThumbprint> - automatically select the client certificate that matches the given certificate Thumbprint (optional)
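The following PowerShell is an added example and is not code from the SonicWall guide. It shows one way to populate the client-certificate settings above for an SMA 100 Series / SRA or Firewall profile: it locates a valid certificate in the current user's personal store by issuer, warns if more than one matches, and pins the chosen certificate's thumbprint together with <ClientCertIssuerCA>, <ClientCertAutoSelect> and optionally <SmartCardRequired>, so that the plug-in cannot silently pick a different certificate later. The function names, connection name, server address and issuer string are placeholders; the PluginApplicationID is the value stated in this guide.

```powershell
# Added example, not from the SonicWall guide. Assumes the client certificate is in
# Cert:\CurrentUser\My and that its Issuer field contains the string passed as -IssuerCA.
# 'VPN', 'vpn.example.com' and 'testing.testsslvpn.com' are placeholders.

function Select-MobileConnectClientCert {
    param([Parameter(Mandatory)] [string] $IssuerCA)

    $now = Get-Date
    # Only certificates issued by the expected CA, currently valid, with a usable private key.
    $certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.Issuer -like "*$IssuerCA*" -and $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now
    })
    if ($certs.Count -eq 0) {
        throw "No valid client certificate issued by '$IssuerCA' found in Cert:\CurrentUser\My."
    }
    if ($certs.Count -gt 1) {
        Write-Warning "$($certs.Count) certificates match '$IssuerCA'; pinning the one that expires last."
        $certs = @($certs | Sort-Object NotAfter -Descending)
    }
    $certs[0]
}

function New-MobileConnectCertProfile {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ServerAddress,
        [Parameter(Mandatory)] [string] $IssuerCA,
        [switch] $SmartCardRequired
    )
    $pluginId = 'SonicWALL.MobileConnect_e5kpm93dbe93j'   # from the guide

    $cert = Select-MobileConnectClientCert -IssuerCA $IssuerCA
    # The plug-in matches on the SHA-1 thumbprint: 40 hex characters, as in the guide's example.
    if ($cert.Thumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
        throw "Unexpected thumbprint format: $($cert.Thumbprint)"
    }

    # The issuer string is user-supplied text, so escape it before placing it in XML.
    $issuerXml = [System.Security.SecurityElement]::Escape($IssuerCA)
    $smartCard = if ($SmartCardRequired) { '<SmartCardRequired>true</SmartCardRequired>' } else { '' }
    $xml = '<MobileConnect>' +
           "<ClientCertIssuerCA>$issuerXml</ClientCertIssuerCA>" +
           "<ClientCertThumbprint>$($cert.Thumbprint.ToLowerInvariant())</ClientCertThumbprint>" +
           '<ClientCertAutoSelect>true</ClientCertAutoSelect>' +
           $smartCard +
           '</MobileConnect>'
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($xml)

    # Replace any existing profile of the same name so the pinned thumbprint is what the plug-in sees.
    if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
        Remove-VpnConnection -Name $Name -Force
    }
    Add-VpnConnection -Name $Name -ServerAddress $ServerAddress -SplitTunneling:$true `
        -PluginApplicationID $pluginId -CustomConfiguration $doc

    "Pinned certificate $($cert.Thumbprint) (subject: $($cert.Subject)) to VPN profile '$Name'."
}

# Usage (placeholders): require a smart-card certificate from the named issuer.
New-MobileConnectCertProfile -Name 'VPN' -ServerAddress 'vpn.example.com' `
    -IssuerCA 'testing.testsslvpn.com' -SmartCardRequired
```

Pinning the thumbprint rather than relying on the issuer filter alone matters on machines that hold several certificates from the same CA (for example an expiring and a renewed one): the issuer filter narrows the list, the thumbprint fixes the choice, and the warning above tells the administrator when that choice was made for them.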

Configuring VPN Connection Triggers in Windows 10

VPN connection triggers can be configured using PowerShell to automatically connect a VPN connection when an application is launched, or when a client attempts to access a resource within a specified DNS namespace. In addition, trusted networks can be configured to prevent a VPN connection from being initiated when client devices are already within the trusted network and the VPN is not needed. Please refer to Microsoft’s documentation on the following commands:

Add-VpnConnectionTriggerApplication (see http://technet.microsoft.com/en-us/library/dn296460%28v=wps.630%29.aspx)

The Add-VpnConnectionTriggerApplication command adds applications to a VPN connection object. The applications automatically trigger a VPN connection when launched.

Add-VpnConnectionTriggerDnsConfiguration (see http://technet.microsoft.com/en-us/library/dn262650%28v=wps.630%29.aspx)

The Add-VpnConnectionTriggerDnsConfiguration command adds a DNS suffix or name to the DNS trigger properties for a client. If you specify a DNS IP address for the suffix or name, when the client accesses a resource within the suffix, the client starts a VPN connection. If you do not specify a DNS IP address for a DNS suffix or name, accessing the suffix or name does not trigger the VPN connection.

Add-VpnConnectionTriggerTrustedNetwork (see http://technet.microsoft.com/en-us/library/dn262638%28v=wps.630%29.aspx)

The Add-VpnConnectionTriggerTrustedNetwork command adds DNS suffixes as trusted networks to the VPN profile. When a DNS suffix that you add to the VPN profile is present on the physical interface on the client, the VPN connection does not start, even if the client tries to access an application that is part of the triggering properties or tries to access a resource that is part of a DNS suffix configured for triggering.
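The following PowerShell is an added example and is not code from the SonicWall guide or from Microsoft. It applies the three trigger commands described above to an existing Mobile Connect profile in one step: application triggers, a DNS-suffix trigger with the internal DNS servers that make it effective, and trusted-network suffixes that suppress auto-connect on the corporate LAN, then returns the resulting trigger configuration with Get-VpnConnectionTrigger for review. The function name, connection name, application path, DNS suffix and DNS server addresses are placeholders.

```powershell
# Added example, not from the SonicWall guide. Assumes the profile named in
# -ConnectionName already exists (created with Add-VpnConnection as shown earlier).
# All suffixes, addresses and application paths below are placeholders.

function Set-MobileConnectTriggers {
    param(
        [Parameter(Mandatory)] [string] $ConnectionName,
        [string[]] $ApplicationIDs   = @(),   # full path of a desktop .exe, or PackageFamilyName of a Store app
        [string]   $DnsSuffix,                # resources under this suffix trigger the VPN
        [string[]] $DnsServers       = @(),   # internal DNS servers for that suffix; required for the trigger to fire
        [string[]] $TrustedSuffixes  = @()    # suffixes seen on the physical NIC when already on the corporate network
    )

    if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
        throw "VPN profile '$ConnectionName' does not exist; create it with Add-VpnConnection first."
    }

    foreach ($app in $ApplicationIDs) {
        Add-VpnConnectionTriggerApplication -ConnectionName $ConnectionName -ApplicationID $app -Force
    }

    if ($DnsSuffix) {
        $dnsArgs = @{ ConnectionName = $ConnectionName; DnsSuffix = $DnsSuffix; Force = $true }
        if ($DnsServers.Count -gt 0) {
            $dnsArgs.DnsIPAddress = $DnsServers
        } else {
            # Without a DNS IP address the suffix is recorded but does not start the VPN.
            Write-Warning "No DNS server given for '$DnsSuffix'; access to it will not trigger the VPN."
        }
        Add-VpnConnectionTriggerDnsConfiguration @dnsArgs
    }

    if ($TrustedSuffixes.Count -gt 0) {
        # When one of these suffixes is present on the physical interface, no trigger starts the VPN.
        Add-VpnConnectionTriggerTrustedNetwork -ConnectionName $ConnectionName -DnsSuffix $TrustedSuffixes -Force
    }

    # Return the stored trigger configuration so it can be checked against what was intended.
    Get-VpnConnectionTrigger -ConnectionName $ConnectionName
}

# Usage (placeholders): trigger on an internal line-of-business app and on the corp.example.com
# namespace, but never auto-connect while the device is already on corp.example.com.
Set-MobileConnectTriggers -ConnectionName 'VPN' `
    -ApplicationIDs 'C:\Program Files\Contoso\LobApp.exe' `
    -DnsSuffix 'corp.example.com' -DnsServers '10.0.0.53' `
    -TrustedSuffixes 'corp.example.com'
```

Always review the Get-VpnConnectionTrigger output after applying triggers: a DNS trigger without a DNS server address, or a trusted-network suffix that never appears on the physical interface, leaves the profile in a state that looks configured but does not behave as intended.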