Configuring Ivanti Standalone Sentry for AppTunnel

If you configure AppTunnel on a Ivanti Standalone Sentry that was already configured for ActiveSync, and you change the device authentication options, ensure that the associated Exchange profile matches the device authentication options.

Procedure

1. In Ivanti Neurons for MDM, go to Admin > Sentry.
2. Click +Add Sentry Profile or click on an existing profile to Edit.
3. Depending on the device authentication you will configure, select one of the following:
   • ActiveSync and/or App Tunnel with certificates
   • ActiveSync and/or App Tunnel with Kerberos
4. Use the guidelines provided in the following sections to configure Ivanti Standalone Sentry for AppTunnel.
   • Ivanti Standalone Sentry connectivity global settings
   • Device Authentication
   • Default unmanaged devices behavior
   • Passive health check options
   • Scheduling options
   • Default HTTP/TCP timeouts
   • Sentry server configuration
   • Advanced Traffic Control and server-side explicit proxy
   • AppTunnel service
5. Click Save.
6. Assign the profile to a registered Ivanti Standalone Sentry.
   Only one profile can be assigned to a Ivanti Standalone Sentry.

Ivanti Standalone Sentry connectivity global settings

See Configuring Ivanti Standalone Sentry connectivity settings.

Device Authentication

Device authentication determines how users attempting to connect to the ActiveSync server or backend resource authenticate with Standalone Sentry. AppTunnel setup requires an Identity certificate or a Kerberos setup.

See Device and server authentication for information on selecting and configuring a method of device authentication.

Default unmanaged devices behavior

By default, Sentry blocks unregistered devices from accessing backend resources.

See Default unmanaged devices behavior.

Passive health check options

These settings determine when a server is marked as ‘dead’.

See Passive health check options.

Scheduling options

The options provide additional flexibility in managing multiple Sentrys.

See Scheduling options.

Default HTTP/TCP timeouts

Do not make changes to the settings unless specifically instructed in the documentation or by Professional Services.

See Default HTTP/TCP timeouts.

Sentry server configuration

Configure the Sentry port, certificate, protocols and cipher suites.

See Sentry server configuration.

Advanced Traffic Control and server-side explicit proxy

•Advanced traffic control

•Server-side explicit proxy

Advanced traffic control

Advance Traffic Control (ATC) allows you to manage access to backend resources based on which app the traffic is coming from and the destination IP address or domain name. ATC provides administrators additional control and flexibility in how traffic to backend resources are managed. You can specify whether traffic to the backend resource is through a proxy server, allowed direct access, or blocked.

Example: You may want to direct Safari traffic to go through a certain proxy server and all other traffic to go directly to backend resources. In this case, you would configure the Safari bundle ID in the Application BundleID and select the proxy server to direct Safari traffic, and set the Default Action to Allow.

If you are using a Ivanti Standalone Sentry version 8.5.0 or earlier and configure ATC rules, Ivanti Standalone Sentry will ignore the ATC rules.

Table 78.  Rule type supported by app

Rule type	App - Services
IP-based rule	Ivanti Tunnel for Android and Windows.
Domain-based rule	Ivanti Tunnel for iOS AppConnect apps for iOS and Android devices. SharePoint for Docs@Work CIFS for Docs@Work Web@Work

Server-side explicit proxy

Ivanti Standalone Sentry supports sending traffic through an HTTP proxy server to access corporate resources. The proxy server is located behind the firewall and sits between the Sentry and corporate resources. This deployment allows you to access corporate resources without having to open the ports that Sentry would otherwise require.

Consider the following:

• This configuration is only supported for AppTunnel traffic.
• Proxy is configured for each AppTunnel service. You may configure proxy for some AppTunnel services and not for other AppTunnel services on the same Sentry.
• The same proxy server may be configured on multiple Sentrys.

Ivanti Standalone Sentry filters HTTP traffic through a TCP tunnel that uses server-side explicit proxy. For HTTP traffic through a TCP tunnel, if server-side explicit proxy is configured, Standalone Sentry will treat the explicit proxy as HTTP proxy. The HTTP request URL will be modified to include the target host.

In all other cases, Ivanti Standalone Sentry treats the explicit proxy server as a TCP proxy server. Sentry will send a HTTP CONNECT request to the explicit proxy, followed by TCP data.

Table 79.  Field descriptions for Advanced Traffic Control (ATC)

Item	Description
Advanced Traffic Control	Select to enable advanced traffic control.
Server-side Proxy List Traffic is directed to the proxy servers listed here based on the backend resource and action defined in Traffic Control Rules.
Name	Enter a unique name for the proxy server. The name for the proxy server will be available for selection in the Proxy field for Traffic Control Rules.
Hostname	Enter the IP address or FQDN for the proxy server.
Port	Enter the port number for the proxy server.
+	Click to add a proxy server.
Traffic control rules Specify whether traffic from an app to the backend resource is through a proxy server, allowed direct access, or blocked. You can create multiple rule sets. Each rule set can have multiple rules. However, all rules in a rule set can only be one type, either IP based or domain based. You cannot create a mix of IP based and domain based rules in a rule set. Rules in a rule set are matched based on the order in which they are listed. This is especially important for domain names with wildcards. For example, if the Block action is selected for *.company.com, and the Proxy action is selected for *.internal.company.com, and the rule for *.company.com is listed first, then all company.com domains will be blocked. Use the up and down arrows to order the rules. If AppTunnel traffic is blocked due to traffic control rules, the AppTunnel entry is not reported in the Sentry tab in device details for a device.
Rule type	Select one of the following: IP based: The rule is matched based on the IP address of the destination host. IP based rules are supported only for IP traffic from Windows and Android devices going through Ivanti Tunnel. The destination has to be an IP address or an IP range. Example: 10.0.0.0/8, 10.5.0.0/16, 10.5.2.0/24, 10.5.5.2/32 Domain based: The rule is matched based on the domain of the destination host and the bundle ID of the app. Domain based rules are supported only for HTTP/S and TCP traffic from iOS devices going through Ivanti Tunnel. The destination has to be a domain name.
Destination Host	Enter the IP address or domain name of the backend resource: IP based rules: Enter an IP address or range. The IP address range must conform CIDR format. Example: 192.168.0.15/24 Domain based rules: Port numbers are not supported. Wildcards are supported. Only the suffix after the * wildcard is matched. Example: *.acme.com.
Application Bundle ID	Enter the app bundle ID for which you are creating the domain-based rule. The bundle ID can include "*" for wildcard matching. The bundle ID can be used in conjunction with Destination Host. If you are using the bundle ID with a destination host, then the rule will be applied only to traffic from the app directed to the destination host.
Action	Select Proxy, Allow, or Block.
Proxy	If you selected Proxy for Action, then select the proxy server for the backend resource.
Default Action	The default action is applied if traffic control rules is not defined for a backend resource.
Proxy	If you choose Proxy as the default action, select the proxy server for traffic to the backend resource.

AppTunnel service

Select one of the app services to create an AppTunnel service for that app.

•Service types and supported traffic

•Field description for AppTunnel service

•About context headers

Service types and supported traffic

The following table describes the service type available when configuring AppTunnel and the traffic type supported by the service.

Table 80.  Service type and supported AppTunnel traffic

Service type	Supports traffic type
Sharepoint for Docs@Work	iOS: HTTP, HTTPS Android: HTTP, HTTPS
CIFS for Docs@Work	iOS: CIFS Android: CIFS
Web@Work	iOS: HTTP, HTTPS Android: HTTP, HTTPS
Ivanti Tunnel	iOS: HTTPS, TCP, IP (split tunneling for UDP traffic) Windows: HTTPS, TCP, IP (including UDP). Android: HTTPS, TCP, IP (including UDP).
Help@Work	iOS: TCP (includes HTTP and HTTPS)
Custom HTTP	HTTP and HTTPS Any service other than TCP and IP
Custom TCP	TCP

Field description for AppTunnel service

The following table describes the fields available for configuring an AppTunnel service. The fields available for configuration changes depending on the type of service you are configuring.

Table 81.  Field descriptions for AppTunnel service

Item	Description
Service Name	The Service Name identifies the AppTunnel service. The service name is referenced in the AppConnect app configuration for configuring tunneling for the AppConnect app. The app is restricted to accessing the backend resources listed in the Server List field. A service name cannot contain these characters: 'space' \ ; * ? < > " |.
Service Type (only Ivanti Tunnel iOS or macOS)	IP: Select to configure packet-tunnel provider type VPN. TCP: Select to configure app-proxy VPN.
Enable DFS	Select the check box if you are configuring a DFS site in Docs@Work. Only for Docs@Work for CIFS service.
Server Authentication	Select the authentication scheme for the Standalone Sentry to use to authenticate the user to the backend resource: Pass through (Basic Authentication) The Sentry passes through the authentication credentials, such as the user ID and password (basic authentication) or NTLM, to the backend resource. For TCP and IP tunneling, select Pass Through. The Sentry passes through all TCP or IP packets to the backend resource. Kerberos The Sentry uses Kerberos Constrained Delegation (KCD). KCD supports Single Sign On (SSO). SSO means that the device user does not have to enter any credentials when the AppConnect app accesses the backend resource. The Kerberos option is only available if: You selected ActiveSync and/or App Tunnel with Kerberos. Kerberos authentication is now supported with Exchange ActiveSync, Web@Work, SharePoint for Docs@Work, and CIFS for Docs@Work services. If you select Kerberos, additional fields are displayed. See Authentication using an Identity certificate and Kerberos constrained delegation.
All destinations (forward proxy)	Select if you want all traffic from the app to go through Standalone Sentry.
Specific destinations (reverse proxy)	Select if you want to restrict traffic to only specific servers. Standalone Sentry sends through only requests to the configured servers.
Servers (reverse proxy)	Add the backend resource’s fully qualified domain name (FQDN) and port number on the backend resource that the Sentry can access. Example:sharepoint1.companyname.com:443 Acceptable characters in a host name are letters, digits, and a hyphen. The name must begin with a letter or digit. You can enter multiple resources. The Sentry uses a round-robin distribution to load balance. That is, it sets up the first tunnel with the first resource, the next with the next resource, and so on.
Enable Server TLS	Select Enable Server TLS if the servers listed in the Servers field require SSL. Although port 443 is typically used for https and requires SSL, the backend resource can use other port numbers requiring SSL.
ATC Rule Set	Select the ATC rule set if you want to manage the AppTunnel service traffic through ATC rules. You must also have configured Advanced Traffic Control (ATC) rules. Only the rule type supported by the app will be listed.
Add Context Headers	Select the check box to forward additional device context information to your corporate backend resource. This allows your corporate backend resources to further validate the device. Context headers are not supported for TCP tunneling.

About context headers

As an administrator you may require your corporate backend resources to further validate the devices accessing these resources. In these cases, Standalone Sentry forwards context information in the header. You enable context headers in a service configuration. So, you can decide to enable context headers for some services and not enable context headers for other services.

If server-side explicit proxy is configured, the request to the proxy (HTTP CONNECT) includes the context headers.

 

Table 82.  Information in context headers

Header Name	Description
X-Ivanti-DEVICE-UUID	Device UUID The Device UUID can be used in API calls to Ivanti Neurons for MDM to collect more information about the device.
X-Ivanti-USER-UPN	User Principal name
X-Ivanti-USER-DN	User DN (if available)
X-Ivanti-USER-CERT	User Identity certificate The certificate is represented in a Privacy Enhanced Mail (PEM) encoding without the header or the trailer information.