Secure Mobile Access 12.0 Admin Guide

Mobile Connect

 

Using SMA with Mobile Connect

About using SMA with Mobile Connect

Mobile Connect has general design constraints and implementation issues with Application Access Control (also known as Per-App VPN) on iOS, OS X and Android. The following information provides considerations and caveats that you may need to know when configuring Mobile Connect to connect to an SMA appliance.

For more information about Mobile Connect, see the Mobile Connect User Guide for your device, available at SonicWall Support.

General Limitations

Hostname Redirection

Mobile Connect on all supported platforms can perform DNS monitoring (like Connect Tunnel for Windows/Mac OS X/Linux), but it cannot add a route. The current version logs a "Corresponding IP resource is missing" message. In addition, Mobile Connect does not support dynamic routing:

Mobile Connect does not include dynamic routing like the other clients (Windows/Mac/Linux), so every IP subnet or range corresponding to a host or domain that the user needs to access must be added as a resource in AMC and included in the Access Control rules for the users or groups that need access to that host or domain.
Because Mobile Connect cannot handle dynamic routing, Secure Mobile Access 11.x.0 and higher display warnings that resources containing wild cards will not work.

DNS Routing with Split Tunnel

In split tunnel, only DNS requests that match the VPN DNS suffix search domains will use the VPN DNS servers. Requests to domains that do not match the VPN DNS suffixes go to the local (3G/WiFi connection) DNS servers. This is true for connections to all server appliances: E-Series SMA, SMB SMA, and UTM. This is a limitation of Apple's iOS.

Example DNS suffix: example.com

Query for www.example.com uses VPN DNS Server
Query for intranet.corp.example.com uses VPN DNS Server
Query for www.google.com uses Local DNS server
Query for i2.examplecorp.com uses Local DNS server
This behavior can be overridden in Split Tunnel mode by adding a CEM entry in AMC.

DNS Routing with Redirect-All

In tunnel-all mode (also called Redirect-All), all DNS requests are prioritized to use the VPN DNS servers.
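The following is an added example, not code from this guide or from SonicWall: it models the DNS server selection described in the two sections above (Split Tunnel and Redirect-All), using the guide's example.com suffix plus one constructed look-alike name to show that matching happens on a label boundary.

```python
# Added example, not SonicWall code: models which DNS server a Mobile Connect
# query goes to. In Split Tunnel mode only names under a VPN DNS suffix search
# domain use the VPN DNS servers; everything else goes to the local (3G/Wi-Fi)
# resolver. In Redirect-All mode every query is prioritised to the VPN DNS
# servers.

def _normalise(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Www.Example.com.' still matches."""
    return name.strip().lower().rstrip(".")

def under_suffix(query: str, suffix: str) -> bool:
    """True if query is the suffix itself or a subdomain of it.

    Matching is on a label boundary ('.' + suffix), so the constructed name
    www.myexample.com is NOT under example.com even though a naive
    endswith('example.com') would say it is.
    """
    q, s = _normalise(query), _normalise(suffix)
    return q == s or q.endswith("." + s)

def dns_target(query: str, vpn_suffixes, redirect_all: bool = False) -> str:
    """Return 'vpn' or 'local' for one DNS query."""
    if redirect_all:
        return "vpn"                      # tunnel-all: VPN DNS servers first
    if any(under_suffix(query, s) for s in vpn_suffixes):
        return "vpn"
    return "local"

def route_queries(queries, vpn_suffixes, redirect_all: bool = False) -> dict:
    """Map each query name to the resolver it would use."""
    return {q: dns_target(q, vpn_suffixes, redirect_all) for q in queries}

if __name__ == "__main__":
    # The guide's four example names plus one constructed look-alike.
    names = ["www.example.com", "intranet.corp.example.com",
             "www.google.com", "i2.examplecorp.com", "www.myexample.com"]
    for name, target in route_queries(names, ["example.com"]).items():
        print(f"{name:28} -> {target} DNS server")
```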

Mobile Connect General Limitations

Mobile Connect does not currently provide messaging to the end-user when an application is attempting to access something on the corporate network that either the user or application is not allowed to access. Currently, it is silently dropped. SonicWall is aware of this limitation and is working to enhance Mobile Connect in a future release to provide more information and messaging to the user in these types of conditions.

Files

Mobile Connect 3.0 introduces secure mobile access to files through new File bookmarks. File bookmarks allow secure access to files by first checking and enforcing the server configured file policy, and then securely downloading and displaying the file within the Mobile Connect app. Server configured policies include control over whether a file may be printed, copied to the clipboard, opened in a third party app, or securely cached on the iOS device. File bookmarks can also be created to folders or file share root directories to allow directory navigation.

Application Access Control

Application Access Control works on Android and iOS/Mac OSX platforms for SonicWall Secure Mobile Access as follows:

VPN-Controlled Apps

When a Mobile Connect user removes authorization of an app, the application is no longer a VPN-controlled app, and any further access through it behaves as though the app had never been authorized. Checking or unchecking an app takes effect immediately; there is no need to disconnect and reconnect Mobile Connect.

When using Application Access Control, can a user continue to access network resources or personal web sites with an application approved for use if the user removes authorization of the application?

For example, while a user is accessing a corporate resource with Chrome (an application approved for use), the following occurs:

1. When Chrome is checked, Chrome can send traffic over the corporate network.
2. When Chrome is unchecked, the client guarantees that none of the user’s traffic is sent via the tunnel to the corporate network.
3. Whether Chrome is checked or unchecked, if the user navigates to a location not on the corporate network, that traffic flows out the user’s normal network interface. Traffic to/from a location not on the corporate network never uses the tunnel. That is, SMA always uses Split Tunnel and never redirects all when using Application Access Control.
4. Traffic to destinations inside the corporate network that the user has been granted access to is either delivered to the tunnel if the app is checked or dropped if the app is unchecked. Traffic to destinations inside the corporate network never flows out the normal interface of the user’s device.

The checkbox only controls whether the traffic is dropped on the floor or sent down the tunnel; it cannot determine where the traffic will flow. That kind of dynamic routing is not something we can support with the current client interfaces.

It is not strictly true that applications outside of Application Access Control are unaffected by the VPN. If the Mobile Connect client is running and connected to the server, all traffic bound for IP addresses on the corporate network from ANY application (even those not listed) is captured, and traffic that is not from a listed application is dropped. This matters when there are IP address collisions: the same issues occur with Application Access Control and affect all applications on the user's device, whether or not they are under control.
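The following is an added example, not SonicWall code: it models the traffic disposition rules given above for Application Access Control. The corporate ranges stand in for IP resources granted in AMC, and all addresses and app names are constructed; the overlapping home LAN range in the demo illustrates the IP address collision caveat.

```python
# Added example, not SonicWall code: disposition of a packet under
# Application Access Control while Mobile Connect is connected.
from ipaddress import ip_address, ip_network

# Constructed: IP resources granted to the user in AMC.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.10.0/24")]

def is_corporate(dst: str) -> bool:
    """True if dst falls inside a corporate resource range."""
    addr = ip_address(dst)
    return any(addr in net for net in CORPORATE_NETS)

def disposition(app: str, dst: str, checked_apps) -> str:
    """Return 'local', 'tunnel' or 'drop' for a packet from app to dst.

    - Non-corporate destinations always leave via the device's normal
      interface: Application Access Control is always Split Tunnel.
    - Corporate destinations are captured from ANY app. They go down the
      tunnel only if the app is checked and are silently dropped otherwise;
      they never leave via the normal interface.
    """
    if not is_corporate(dst):
        return "local"
    return "tunnel" if app in checked_apps else "drop"

def simulate(packets, checked_apps) -> list:
    """Evaluate (app, dst) pairs; a change to checked_apps takes effect at once."""
    return [(app, dst, disposition(app, dst, checked_apps)) for app, dst in packets]

if __name__ == "__main__":
    # Constructed traffic. The home Wi-Fi LAN is assumed to be 192.168.10.0/24,
    # colliding with a corporate range, so a local printer is unreachable from
    # an unlisted app because its address looks corporate.
    packets = [("Chrome", "10.1.2.3"), ("Chrome", "93.184.216.34"),
               ("Mail", "10.1.2.3"), ("PrintApp", "192.168.10.20")]
    print("Chrome checked:")
    for app, dst, what in simulate(packets, {"Chrome"}):
        print(f"  {app:9} -> {dst:15}: {what}")
    print("Chrome unchecked:")
    for app, dst, what in simulate(packets, set()):
        print(f"  {app:9} -> {dst:15}: {what}")
```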

iOS/Mac OS X Specific Limitations

In some cases, additional limitations are imposed on Mobile Connect by Apple. SonicWall is continuing to work with Apple on several of these limitations to further empower the BYOD story for administrators and users. Some examples of limitations are:

Mobile Connect on iOS and Mac OSX uses a proxy-based mechanism to redirect application data to the corporate network. This has specific server-side scale limitations that SonicWall is aware of. SonicWall is continuing to work with Apple on finding the right solution for BYOD administrators and users on iOS and Mac OSX devices.
Version information is not provided during Application Learning on iOS and Mac OSX. To get version information, view app details in the App Store.

Android Specific Limitations

Google does not have built-in per-app VPN support for Android like Apple does on iOS and Mac OSX. Therefore, Mobile Connect uses a proprietary mechanism to perform the per-app VPN capabilities and runtime verification on Android devices. SonicWall is continuing to work with Google to provide a more holistic approach to per-app VPN inside of Android to further empower the BYOD story for administrators and users.

Windows RT MC limitations

Windows RT MC does not support App Access Control
Limited EPC support

Supported EPC Profiles

End Point Control policy checking is performed before the VPN connection is established. Mobile Connect supports the attributes shown in Supported EPC profiles.

Supported EPC profiles

Android                  iOS                   Mac OSX
Antivirus App            Application           Antivirus Program
Personal Firewall App    Client Certificate    Antispyware Program
Application              Directory Name        Personal Firewall Program
Client Certificate       Equipment ID          Application
Directory Name           File Name             Client Certificate
Equipment ID             iOS Version           Directory Name
File Name                                      Equipment ID
Android Version                                File Name
                                               Mac OS version

IPV6 Limitations

If a device has IPv4 and IPv6 and the DNS host name resolves to an IPv6 record for the appliance, Mobile Connect uses IPv6 to communicate with the appliance. Otherwise, it falls back to IPv4.

URL Control Caveats

The contents of the following fields adversely affect Mobile Connect functions:

Setting the Server field with an http or https prefix causes a Mobile Connect failure.
Realm name limitations require that URLs be correctly formatted, without wild cards in the host name or URL.

Warnings are shown on various pages where wild cards might interfere with Mobile Connect operations.

URL Control allows other mobile applications to pass action requests using special URLs to Mobile Connect. These action requests can create VPN connection entries and connect or disconnect VPN connections. For example, another application can launch Mobile Connect, access internal resources as needed, and then disconnect by using the mobileconnect:// or sonicwallmobileconnect:// URL scheme. Some common examples of URL Control are:

Add profile: mobileconnect://addprofile[/]?name=ConnectionName&server=ServerAddress[&Parameter1=Value&Parameter2=Value...]
Connect: mobileconnect://connect[/]?[name=ConnectionName|server=ServerAddress][&Parameter1=Value&Parameter2=Value...]
Disconnect: mobileconnect://disconnect[/]

More detailed information is provided in the SonicWall Mobile Connect User Guide for your mobile device.
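The following is an added example, not SonicWall code: a parser that validates the URL Control requests shown above before they are acted on, since any other app on the device can send them. The accepted actions, parameter names and both URL schemes come from this guide, as do the two server-field caveats (no http/https prefix, no wild cards); the remaining checks and the sma.example.com address are this example's assumptions.

```python
# Added example, not SonicWall code: validate a Mobile Connect URL Control
# request. Validation rules beyond the guide's caveats are assumptions.
from urllib.parse import urlparse, parse_qs

SCHEMES = {"mobileconnect", "sonicwallmobileconnect"}
ACTIONS = {"addprofile", "connect", "disconnect"}

def parse_url_control(url: str) -> dict:
    """Return {'action': ..., 'params': {...}} for a valid request, else raise ValueError."""
    u = urlparse(url)
    if u.scheme.lower() not in SCHEMES:
        raise ValueError(f"unsupported scheme: {u.scheme!r}")
    action = u.netloc.lower()
    if action not in ACTIONS or u.path not in ("", "/"):   # "/" after the action is optional
        raise ValueError(f"unknown action: {u.netloc!r}{u.path}")
    params = {}
    for key, values in parse_qs(u.query, keep_blank_values=True).items():
        if len(values) != 1:                  # assumption: a repeated parameter is an error
            raise ValueError(f"parameter {key!r} given more than once")
        params[key] = values[0]
    if action == "addprofile" and not {"name", "server"} <= set(params):
        raise ValueError("addprofile requires both name and server")
    if action == "connect" and not {"name", "server"} & set(params):
        raise ValueError("connect requires name or server")
    if action == "disconnect" and params:
        raise ValueError("disconnect takes no parameters")
    server = params.get("server")
    if server is not None:
        # Caveats from the guide: an http/https prefix in the server value
        # breaks Mobile Connect, and wild cards are not allowed in the host name.
        if server.lower().startswith(("http://", "https://")):
            raise ValueError("server must be a host name or address, not a URL")
        if "*" in server or not server.strip():
            raise ValueError("server must be a single host name without wild cards")
    return {"action": action, "params": params}

def is_valid_url_control(url: str) -> bool:
    """Convenience check: True if parse_url_control accepts the request."""
    try:
        parse_url_control(url)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed requests; sma.example.com stands in for a real appliance.
    print(parse_url_control("mobileconnect://addprofile/?name=Corp&server=sma.example.com"))
    print(is_valid_url_control("mobileconnect://addprofile?name=Bad&server=https://sma.example.com"))
```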

Configuring Trusted Network Detection

The Apple Trusted Network Detection (TND) enhancement to the iOS Connect On Demand feature is available in iOS 6. TND has the following characteristics:

Can be used only with Connect on Demand.
Extends the Connect on Demand functionality by determining whether the user is on a trusted network.
Configured with the iPhone Configuration Utility.
Used for Wi-Fi connections only. When operating over other types of network connections, Connect on Demand does not use TND to determine whether a VPN should be connected.

Connect On Demand starts a VPN connection whenever a user tries to access a destination with a hostname specified in the domains list. For example, if *.example.com is in the Always Connected list, when a user accesses internal.example.com, the client starts a VPN connection regardless of the network to which the device is currently connected. TND compares the VPN and local DNS servers and DNS suffixes to determine whether to use Mobile Connect and dial the VPN, as shown in Trusted Network Detection according to suffixes.

Trusted Network Detection according to suffixes

DNS Suffixes    DNS Servers        Login
None            None               Refused - no VPN
None            Same               Refused - no VPN
Same            Same               Refused - no VPN
Same            Same and others    Allowed
Same            Different          Allowed
Different       Same               Allowed
Some            Some               Allowed

Consult documentation from Apple Inc. for more information about Trusted Network Detection and Connect on Demand.

To determine if TND is available for your connection, tap the info indicator in the Status row on the Connection tab. This displays the buttons used to enable/disable TND if available.

To configure TND:
1. Tap the Info icon in the Status row on the Connection tab.
2. Ensure Connect On Demand is turned on.
3. Turn on Trusted Networks.
NOTE: In Mobile Connect for iOS 3.0, File bookmarks are supported only on the SonicWall SMA appliances with SMA 7.5 or later firmware. Support for File bookmarks in SMA and Next Generation Firewall appliances is expected in a future release.