Configuring an AppTunnel service

You create an AppTunnel service in Standalone Sentry as part of the AppTunnel setup required to tunnel traffic to content repositories. CIFS traffic must be tunneled through Standalone Sentry.

Before you begin

Ensure that you have a Standalone Sentry that is set up for AppTunnel and the necessary device authentication is also configured. See “Configuring Standalone Sentry for app tunneling” in the Ivanti Standalone Sentry Guide for EPMM.

Procedure

  1. In the Admin Portal, go to Services > Sentry.
  2. Edit the entry for the Standalone Sentry that supports AppTunnel.
  3. In the App Tunneling Configuration section, under Services, click + to add a new service.
  4. Use the following guidelines to configure a tunnel service:

    Item

    Description

    Service Name

    The Service Name is used in the Docs@Work configuration for setting up tunneling to the content repository.

    Enter one of the following:

     

    • A unique name for the service that the AppConnect app on the device accesses. One or more of your internal app servers provide the service. You list the servers in the Server List field.

    For example, some possible service names are:

    • SharePoint
    • Human Resources

    A service name cannot contain these characters: 'space' \ ; * ? < > " |. Special prefixes:

    • For app tunnels that point to CIFS-based content servers, the service name must begin with CIFS_.

     

    • <ANY>

    Select <ANY> to allow tunneling to any URL that the app requests. Typically, you select <ANY> if an AppConnect app’s app configuration specifies a URL with wildcards for tunneling, such as *.myCompany.com. The Sentry tunnels the data for any URL request that the app makes that matches the URL with wildcards.

    The Sentry tunnels the data to the app server that has the URL that the app specified. The Server List field is therefore not applicable when the Service Name is <ANY>.

    For example, consider when the app requests URL myAppServer.mycompany.com, which matches *.mycompany.com in the app configuration. The Sentry tunnels the data to myAppServer.myCompany.com.

    Docs@Work typically uses the <ANY> service, so that it can browse to any of your internal servers.

    Do not select the <ANY> option for tunneling to CIFS-based content servers, Office 365, Box, and Dropbox. For CIFS-based content servers, select <CIFS_ANY>.

     

    • <CIFS_ANY>

    Select <CIFS_ANY> to allow tunneling to any URL for a CIFS-based content server. Typically, you select <CIFS_ANY> if the URL for a CIFS-based content server contains wildcards for tunneling, such as *.myCompany.com.

    The order of the Service Name entries does not matter.

    Server Auth

    Select the authentication scheme for the Standalone Sentry to use to authenticate the user to the app server:

    • Pass Through

    The Sentry passes through the authentication credentials, such as the user ID and password (basic authentication) or NTLM, to the app server.

    • Kerberos

    The Sentry uses Kerberos constrained delegation (KCD). KCD supports Single Sign On (SSO). SSO means that the device user does not have to enter any credentials when the AppConnect app accesses the app server.

    The Kerberos option is only available if you selected Identity Certificate for Device Authentication.

    Server List

    Enter the app server’s host name or IP address (usually an internal host name or IP address). Include the port number on the app server that the Sentry can access.

    Example:

    sharepoint1.companyname.com:443

    Acceptable characters in a host name are letters, digits, and a hyphen. The name must begin with a letter or digit.

    You can enter multiple servers. The Sentry uses a round-robin distribution to load balance the servers. That is, it sets up the first tunnel with the first app server, the next with the next app server, and so on. Separate each server name with a semicolon.

    Example:

    sharepoint1.companyname.com:443;sharepoint2.companyname.com:443

    The Server List field is not applicable when the service name is <ANY> or <CIFS_ANY>.

    TLS Enabled

    Select TLS Enabled if the app servers listed in the Server List field require SSL.

    This option is not applicable when the service name is <ANY> or <CIFS_ANY>.

    Although port 443 is typically used for https and requires SSL, the app server can use other port numbers requiring SSL.

    Proxy/ATC

    Select if you want to direct the AppTunnel service traffic through the proxy server.

    You must also have configured Server-side Proxy or Advanced Traffic Control (ATC).

    Server SPN List

    Enter the Service Principal Name (SPN) for each server, separated by semicolons. For example:

    sharepoint1.company.com;sharepoint2.company.com.

    The Server SPN List applies only when the Service Name is not <ANY> and the Server Auth is Kerberos.

    If each server in the Server List has the same name as its SPN, you can leave the Server SPN List empty. However, if you include a Server SPN List, the number of SPNs listed must equal the number of servers listed in the Server List. The first server in the Server List corresponds to the first SPN in the Server SPN List, the second server in the Server List corresponds to the second server in the Server SPN List, and so on.

    When the Service Name is <ANY> and the Server Auth is Kerberos, the Standalone Sentry assumes that the SPN is the same as the server name received from the device.

  5. Click Save.

Related topics

For more information on configuring AppTunnel, advanced traffic control, and AppTunnel rules, see “Configuring an AppTunnel service” in the Ivanti AppConnect Guide for EPMMand Ivanti Tunnel for iOS Guide.

Configuring AppTunnel rules

You create AppTunnel rules in the Docs@Work configuration as part of an AppTunnel setup required to tunnel traffic to content repositories. When Docs@Work tries to connect to the URL configured in AppTunnel Rules, Standalone Sentry creates an AppTunnel to the content server.

Ivanti strongly recommends that you do not configure AppTunnel rules with '*' in the URL. Docs@Work may not be able to activate the license for the embedded editor, impacting viewing and editing functionality.

Standalone Sentry does not support tunneling traffic to Office 365, Box, and Dropbox. Therefore, if you are configuring access to Office 365, Box, or Dropbox, do not use URL patterns (example: *) to configure the AppTunnel traffic rules.

Before you begin

Ensure the following:

Procedure

  1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Configurations.
  2. Select for the Docs@Work configuration you want to add AppTunnel rules.
  3. Click on Edit.
  4. In the AppTunnel Rules section click on Add+.
  5. Use the following guidelines to create an AppTunnel rule:

    Item

    Description

    AppTunnel Rules

    Sentry

    Select the Standalone Sentry that you want to tunnel the URLs listed in this AppTunnel entry. The drop-down list contains all Standalone Sentrys that are configured to support AppTunnel.

    Service

    Select a Service Name from the drop-down list.

    This service name specifies an AppTunnel service configured in the App Tunneling Configuration section of the specified Sentry.

    URL Wildcard

    Enter one of the following:

    • A content server’s hostname

    Example: finance.yourcompany.com

    • A hostname with wildcards. The wildcard character is

    Example: *.yourcompanyname.com

    If you want finer granularity regarding what requests the Standalone Sentry tunnels, configure multiple AppTunnel rows.

    URL Wildcard

    The Sentry and Service fields that you specify in the AppTunnel row determine the target content server.

    • A hostname with wildcards works only with the service <ANY> or <CIFS_ANY>. Unlike services with specific service names, these services do not have associated app servers. The Standalone Sentry tunnels the data to the app server that has the URL that the app specified.
    • The order of these AppTunnel rows matters. If you specify more than one AppTunnel row, the first row that matches the hostname requested is chosen. That row determines the Standalone Sentry and Service to use for tunneling.
    • Do not include a URI scheme, such as http:// or https:/, in this field.
    • If you are directing Office 365, Box, or Dropbox traffic through an AppTunnel, do not use URLs with wildcards.

    Tunneling traffic through Standalone Sentry is not supported for Box and Dropbox.

    • Docs@Work data is tunneled only if the Docs@Work request matches the hostname in the URL Wildcard field and the port number specified in the Port field.

    Port

    Enter the port number that Docs@Work requests to access.

    App data is tunneled only if the app’s request matches the hostname in the URL Wildcard field and this port number.

    If a port number is not configured, for http and https traffic, the default port is used. The default port used for http is 80 and the default port used for https is 443.

    Identity Certificate

    Select the Certificate or the SCEP profile that you created for devices to present to the Standalone Sentry that supports app tunneling.