PULSE CONNECT SECURE APPCONNECT
A Micro VPN That Allows Specific Applications on Mobile Devices to Independently Leverage the Connect Secure Gateway

Product Release 8.1
Document Revision 1.0
Published: 2015-02-10

2015 by Pulse Secure, LLC. All rights reserved

Pulse Secure, LLC
2700 Zanker Road, Suite 200
San Jose, CA 95134
http://www.pulsesecure.net

Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Pulse Connect Secure AppConnect White Paper
The information in this document is current as of the date on the title page.

END USER LICENSE AGREEMENT
The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at http://www.pulsesecure.net/support/eula. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents
Executive Summary ... 4
Introduction ... 4
Prerequisites ... 4
Technical Details ... 4
Deployment Models ... 6
iOS 7 Per-App VPN ... 6
MobileIron Deployment (iOS 7 only) ... 7
AirWatch Deployment (iOS 7 only) ... 8
Samsung KNOX ... 10
AppConnect SDK ... 10
PAC License ... 10
Conclusion ... 10
About Pulse Secure ... 10

Executive Summary

Pulse Connect Secure AppConnect is a micro VPN solution that runs on mobile devices (iOS and Android) to enable encrypted communication between specific applications (via AppConnect tunnels) and a Pulse Connect Secure gateway (MAG Series Pulse Secure gateways, formerly Junos Pulse Secure Access Service or SSL VPN). It allows enterprise IT administrators to secure sensitive data transactions between remote mobile devices and the enterprise network. Unlike a standard Layer 3 VPN, AppConnect gives the administrator discretion over which applications use the AppConnect tunnel. This creates an environment where only sensitive enterprise data travels back to the enterprise network, while non-sensitive (personal) data travels over the standard data path from the device to the Internet.

Introduction

There are three core deployment models, each with specific use cases and requirements. The deployment models are:
1) iOS 7 Per-App VPN (requires a third-party MDM solution to deploy)
2) Samsung KNOX VPN
3) AppConnect SDK

While AppConnect is a software-based solution installed on mobile devices, it requires Pulse Connect Secure hardware or a virtualized Pulse Connect Secure environment to terminate AppConnect tunnels, as well as an enablement license, called a PAC license (Pulse AppConnect license), for each physical device that accepts AppConnect tunnels from mobile devices. Virtual Pulse Connect Secure deployments do not currently require the PAC license.

Depending on the deployment model, additional third-party solutions might be required. Such solutions include MobileIron, AirWatch, or any other MDM solution that allows the administrator to define and deploy iOS 7 Per-App VPN settings. Such third-party MDM solutions can also be directly integrated with newer versions of Pulse Connect Secure (version 8.x or later), allowing more control over access policies for mobile devices. This creates a robust and secure environment where mobile devices can be trusted to remotely access and leverage sensitive enterprise data located on the enterprise network.

Prerequisites

The deployment model that best suits a given enterprise can be determined by a few questions.

1) Do you deploy managed or proprietary mobile applications?
a. Yes: All three deployment models can be leveraged to secure data transactions of managed or proprietary applications.
b. No: Samsung KNOX can still be used to secure data transactions of KNOX-based applications, and iOS 7 Per-App VPN can still be used to secure the Safari browser. The AppConnect SDK cannot be leveraged.

2) Do you have an existing MDM deployment that supports iOS 7 Per-App VPN settings?
a. Yes: The iOS 7 deployment model can be leveraged.
b. No: Only the KNOX or AppConnect SDK deployment models can be leveraged.

3) Do you have existing Pulse Connect Secure gateway(s)? (SA Series or MAG Series hardware or a virtualized Pulse Connect Secure environment, software version 7.2 or later)
a. Yes: You need to add a PAC license to each physical gateway in order to accept AppConnect tunnels.
b. No: The AppConnect solution cannot be deployed in any mode. You must purchase a MAG appliance or virtual appliance to terminate AppConnect tunnels.

Technical Details

AppConnect tunnels leverage WSAM technology on the Pulse Connect Secure gateway. There are settings that must be configured on the gateway in order to leverage WSAM on mobile devices. Each AppConnect tunnel consumes one concurrent session/license. The number of concurrent licenses a single device can consume differs based on the implementation, deployment, and use case of the AppConnect tunnels. The gateway must be running software version 7.2 or later.

In situations where multiple connections are opened between a device and the Pulse Connect Secure gateway, the connection limit is 128 per device (Pulse Connect Secure version 8.0R3 and later; 64 connections per device for earlier versions of the Pulse Connect Secure gateway).
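The licensing and connection-limit rules above are easy to get wrong during capacity planning, so here is an added worked example (not code from the white paper or from Pulse Secure) that encodes them: one concurrent session/license per AppConnect tunnel, a 7.2-or-later gateway, and a per-device cap of 128 connections from 8.0R3 onward (64 before). The version-string syntax "major.minorRrelease", the `Device` type and the sample fleet are assumptions.

```python
"""Capacity check for AppConnect tunnels on a Pulse Connect Secure (PCS) gateway.

Added example; not part of the white paper. It models the paper's rules:
gateway software 7.2 or later, one concurrent session/license per tunnel,
and at most 128 connections per device on 8.0R3+ (64 on earlier releases).
"""
import re
from dataclasses import dataclass

# Assumed PCS version syntax, e.g. "7.2", "8.0R3", "8.1R1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+))?$")


def parse_pcs_version(text: str) -> tuple[int, int, int]:
    """Turn '8.0R3' into (8, 0, 3); a missing R-part counts as release 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Pulse Connect Secure version: {text!r}")
    major, minor, release = match.groups()
    return int(major), int(minor), int(release or 0)


def supports_appconnect(version: str) -> bool:
    """The paper requires gateway software 7.2 or later to terminate AppConnect tunnels."""
    return parse_pcs_version(version) >= (7, 2, 0)


def per_device_connection_limit(version: str) -> int:
    """128 connections per device from 8.0R3 onward, 64 before that."""
    return 128 if parse_pcs_version(version) >= (8, 0, 3) else 64


@dataclass(frozen=True)
class Device:
    name: str
    tunnels: int  # concurrent AppConnect tunnels: one per app (iOS) or one per container (KNOX)


def plan_capacity(version: str, devices: list[Device], concurrent_licenses: int,
                  virtual_appliance: bool = False) -> dict:
    """Check a fleet against the gateway's per-device cap and concurrent-license pool."""
    if not supports_appconnect(version):
        raise ValueError(f"PCS {version} predates AppConnect support (7.2 or later required)")
    limit = per_device_connection_limit(version)
    sessions_needed = sum(d.tunnels for d in devices)  # one session/license per tunnel
    return {
        "per_device_limit": limit,
        "over_limit_devices": [d.name for d in devices if d.tunnels > limit],
        "sessions_needed": sessions_needed,
        "license_shortfall": max(0, sessions_needed - concurrent_licenses),
        # A PAC license is needed on each physical gateway; virtual appliances enable PAC automatically.
        "pac_license_required": not virtual_appliance,
    }


# Constructed sample fleet: a per-app iOS device, a KNOX container, and an outlier.
SAMPLE_DEVICES = [
    Device("ios-sales-01", tunnels=3),
    Device("knox-field-07", tunnels=1),
    Device("ios-kiosk-99", tunnels=100),
]

if __name__ == "__main__":
    print(plan_capacity("8.0R2", SAMPLE_DEVICES, concurrent_licenses=50))
    print(plan_capacity("8.1R1", SAMPLE_DEVICES, concurrent_licenses=150, virtual_appliance=True))
```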

Pulse Connect Secure Gateway Configuration

The following steps show how to configure the Pulse Connect Secure gateway. The administrator creates a user realm and role(s), defines role mapping, creates a sign-in policy, and enables the WSAM and VPN settings. Optionally, MobileIron or AirWatch MDM servers can be linked to the SA Series to allow additional Host Checker rules. More details regarding MobileIron and AirWatch integration into the Pulse Connect Secure gateway can be found here.

1) Create a new user realm. (Optional: Device Attributes.)
2) Optional: Create a new sign-in URL to be used when connecting a mobile device via AppConnect.
3) Add the newly created user realm to the selected realms list.

4) Define role-mapping options for the realm.
5) Turn on WSAM and VPN tunneling in the role(s) used for AppConnect-enabled devices.

Deployment Models

There are three core deployment models, each with specific use cases and requirements. The deployment models are iOS 7 Per-App VPN, Samsung KNOX VPN, and AppConnect SDK. Additionally, the iOS 7 Per-App VPN deployment model requires the use of a third-party MDM provider.

iOS 7 Per-App VPN

Apple has created a set of MDM APIs, referred to as iOS 7 Per-App VPN, and opened them to MDM providers. These settings allow a device administrator to define a list of applications that leverage a VPN. This differs from previous versions of the Apple MDM VPN APIs, where an administrator could only define a device-wide (Layer 3) VPN. In iOS 7, an administrator can define a VPN connection and also define which managed applications have access to the VPN. This leaves all personal or non-sensitive applications (as defined by the administrator) to connect to the Internet directly, without the use of the VPN. As with all other Apple MDM APIs, the administrator must leverage an MDM provider to push and manage these settings on the end user's iOS device.

In the case of iOS 7, the Pulse Connect Secure application (version 5.0R4 or later) must be installed on the end user's device so that the device OS is able to open AppConnect tunnels terminating on a Pulse Connect Secure gateway. The Pulse Connect Secure application includes a system-level plug-in that is activated by the iOS 7 Per-App VPN settings. End users must open Pulse Connect Secure and accept the End User License Agreement (EULA) to enable the plug-in.

Two main limitations currently apply to applications that leverage the iOS 7 Per-App VPN. These limitations are created by Apple's current implementation of the iOS 7 Per-App VPN APIs and are subject to change in any future iOS release. The limitations are not unique to Pulse Secure's implementation of AppConnect.

1) Only managed applications are able to leverage the iOS 7 Per-App VPN.
a. A managed application is one that has been installed on an end user's device via an MDM solution.
b. In addition to managed applications, Safari can be forced over the AppConnect tunnel.

2) Only TCP is currently supported (UDP support is expected in a future release).
a. UDP packets that travel over the iOS 7 Per-App VPN are dropped from the network stack by the system.
b. Any application that sends data using the UDP protocol fails to function if added to the iOS 7 Per-App VPN.

The deployment steps to enable iOS 7 Per-App VPN differ based on the currently deployed MDM solution. The following are two step-by-step examples for the most common MDM solutions, MobileIron and AirWatch.

MobileIron Deployment (iOS 7 only)

It is presumed that the administrator has a basic understanding of the MobileIron solution. For additional details, refer to the MobileIron documentation. MobileIron requires an additional license to enable Per-App VPN settings. All details of integration are subject to change. This deployment is for MobileIron version VSP 5.9.2 Build 11.

1) Once logged in to the MobileIron server, navigate to the Policies & Configs tab. Click Add New in the drop-down menu and select VPN. MobileIron requires the use of certificate authentication. Optionally, the administrator can configure Safari Domains or VPN on Demand.
2) After a VPN profile has been set up, the administrator can apply the profile to individual managed applications. Navigate to the Apps tab, and change the Selected Platform to iOS. Selecting the edit option for a given application brings up settings for that application. Find the Per-App VPN setting and select the newly created VPN profile in the drop-down menu. Click Save. Repeat for each application that needs to send data over the VPN.

AirWatch Deployment (iOS 7 only)

It is presumed that the administrator has a basic understanding of the AirWatch solution. For additional details, refer to the AirWatch documentation. All details of integration are subject to change. This deployment is for AirWatch version 7.1.

1) Log in to the AirWatch console and navigate to Devices, Profiles, List View, and select +Add. From here, select iOS and then VPN from the iOS drop-down menu.

2) Fill out the VPN profile and choose connection and authentication settings. Click Save.
3) Navigate to the Apps & Books tab. Locate each iOS application in the managed application list that needs to send data over the VPN, and edit the application settings. In the Deployment tab of the application settings, enable the Use VPN check box.

Samsung KNOX

Samsung KNOX is an enterprise-level application container offered by Samsung on select devices and firmware versions. Samsung KNOX enables the user to have a dual-persona device. All personal applications and data reside outside the KNOX container. All sensitive enterprise applications and data reside inside the KNOX container. The KNOX container can be described as a virtual machine: all data and processes inside the container are only accessible from inside the container. Samsung has leveraged the AppConnect SDK to allow the device to pass all Internet communications that originate or terminate inside the KNOX container through a Pulse Connect Secure gateway via an AppConnect tunnel. Unlike iOS 7 Per-App VPN, the AppConnect tunnel is leveraged by the KNOX container rather than by individual applications. More details are expected to be provided when Samsung publicly releases the version of KNOX that includes AppConnect integration.

AppConnect SDK

The AppConnect SDK is a set of APIs and libraries, provided by Pulse Secure, that allows mobile application developers to directly open socket-based SSL VPN connections to a Pulse Connect Secure gateway. From the point of view of the Pulse Connect Secure gateway, these tunnels mirror all other forms of AppConnect tunnels. The integration is done at the code level: any application that integrates with the AppConnect SDK needs to be recompiled and manually deployed to the end users. The AppConnect SDK is best leveraged by container solutions or in-house applications that are deployed without the use of an MDM solution. The APIs include authentication and connection management functions. Connections can be shared across multiple applications on a single device. Contact your Pulse Secure sales representative for more details regarding the AppConnect SDK.

PAC License

The Pulse AppConnect (PAC) license is required to enable termination of mobile application-level VPN tunnels (also known as micro VPN tunnels) on SA Series and MAG Series SSL VPN gateways. AppConnect tunnels originate from applications running on Android (4.x or later) or iOS (7 or later) mobile devices, for example via the iOS 7 Per-App VPN or Samsung KNOX feature configured by the MDM console, or from a container that has fully integrated with the Pulse Connect Secure AppConnect SDK. AppConnect tunnels limit traffic to only approved applications, which differs from the standard Pulse Secure Layer 3 device-level VPN tunnel, where all traffic is sent over the VPN tunnel.

An AppConnect tunnel consumes one concurrent session/license, up to the concurrent licenses available. The number of concurrent licenses a single device can, or does, consume differs based on the implementation, deployment, and use case of the application-level VPN tunnels. The PAC feature is interoperable with 7.x and 8.x software versions. The PAC license is not required on the virtual appliance; PAC functionality is automatically enabled on the virtual appliance. The PAC license is perpetual. Subscription PAC licenses are not available. A PAC license is needed on each gateway (standalone or in an active/passive cluster).

Conclusion

The three deployment models for Pulse AppConnect give administrators the ability to ensure the most common mobile devices (iOS and Android) can open AppConnect tunnels that terminate on a Pulse Connect Secure gateway. A PAC license is required when terminating AppConnect tunnels on a physical gateway. Some environments require the use of third-party MDM software. Deploying Pulse AppConnect ensures sensitive enterprise data is protected while leaving end users' personal data to travel over the standard path, limiting traffic on the enterprise network.

About Pulse Secure

Pulse Secure is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Pulse Secure delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.pulsesecure.net.