Ivanti Standalone Sentry overview

Ivanti Standalone Sentry is the part of a deployment that serves as an intelligent gatekeeper to your company's ActiveSync server, such as a Microsoft Exchange Server, or to a backend resource such as a SharePoint server; it can also be configured as a Kerberos Key Distribution Center Proxy (KKDCP) server. Sentry gets configuration and device information from a unified endpoint management (UEM) platform: Ivanti EPMM or Ivanti Neurons for MDM.

Access to enterprise content in business cloud services such as Salesforce, Box, G Suite, Dropbox, and Office 365 can be secured using Access, a cloud service. An Access deployment requires a unified endpoint management (UEM) platform, Ivanti Standalone Sentry, and Ivanti Tunnel. For information about Access and how to set up the service, see the Access Guide.

The following provide additional information about Sentry:

Sentry flavors

Sentry and UEM platform support

Integrated Sentry

ActiveSync with Ivanti Standalone Sentry

AppTunnel with Ivanti Standalone Sentry

Network traffic support with AppTunnel

Ivanti Standalone Sentry as a KKDCP server (Ivanti EPMM only)

Sentry flavors

Sentry is available in two flavors: Ivanti Standalone Sentry or Integrated Sentry.

Ivanti Standalone Sentry is a separate appliance that acts as a gateway between devices and your ActiveSync-enabled email servers or backend resource. Ivanti Standalone Sentry can be configured for ActiveSync or AppTunnel, or as a Kerberos Key Distribution Center Proxy (KKDCP) server. Ivanti Standalone Sentry can be installed on premises on a physical appliance or a virtual appliance, or in the cloud on AWS and Microsoft Azure.

Integrated Sentry is a Windows service that interacts with the Microsoft Exchange Server.

Ivanti Standalone Sentry gets input from the unified endpoint management (UEM) platform, Ivanti EPMM or Ivanti Neurons for MDM, to do the following:

Integrated Sentry or the Ivanti Standalone Sentry configured for ActiveSync protects the ActiveSync server from wrongful access from devices.

Ivanti Standalone Sentry configured for AppTunnel provides authenticated apps secure access to the backend resource.

Sentry and UEM platform support

UEM support varies depending on the type of Sentry. The following table lists the UEM platforms supported by each type of Sentry.

Table 2.   Sentry and UEM platform support

Sentry                                                         UEM platform
-------------------------------------------------------------  ----------------------------------
Integrated Sentry                                              Ivanti EPMM
Ivanti Standalone Sentry (on-premise, AWS, and Microsoft Azure) Ivanti EPMM, Ivanti Neurons for MDM

Ivanti Neurons for MDM license requirement

Some Ivanti Standalone Sentry features are available based on the license level for Ivanti Neurons for MDM. The following table describes the license required for these features:

Table 3.   Ivanti Neurons for MDM license requirement

License requirement    Feature
---------------------  ----------------------------------
Gold                   Advanced traffic control
                       Outgoing ciphers
                       CIFS service for Docs@Work
                       SharePoint service for Docs@Work
                       Help@Work service
                       Web@Work service
                       Custom HTTP service
                       Custom TCP service
Platinum               Tunnel service
                       AppTunnel

Integrated Sentry

Integrated Sentry is a policy agent for Microsoft Exchange Server email clusters, and for Microsoft Office 365. It is packaged as a software module on the Exchange Server or on a separate server with Exchange Server access.

Integrated Sentry passes information between Ivanti EPMM and Microsoft Exchange Server. For example:

Ivanti EPMM periodically syncs with Integrated Sentry to get the list of ActiveSync devices. Integrated Sentry gets the list from the Exchange Server.

Ivanti EPMM informs Integrated Sentry when an ActiveSync device is in violation of its security policy. Integrated Sentry tells the Exchange Server to block the device.

Ivanti EPMM informs Integrated Sentry when too many ActiveSync devices have the same mailbox. Integrated Sentry tells the Exchange Server to block the device.

Ivanti EPMM informs Integrated Sentry when the Ivanti EPMM administrator blocks, allows, or wipes an ActiveSync device in the Ivanti EPMM Admin Portal. Integrated Sentry tells the Exchange server to take the appropriate action.

Ivanti EPMM passes an ActiveSync policy to Integrated Sentry. You configure the policy using the Admin Portal. Integrated Sentry passes the policy to the Exchange Server, which updates its own policy, and passes the policy to the device.

Ivanti strongly recommends deploying Ivanti Standalone Sentry if you are supporting more than 5000 devices with Office 365.

ActiveSync with Ivanti Standalone Sentry

Ivanti Standalone Sentry enabled for ActiveSync serves as an intelligent gatekeeper to the ActiveSync server. It uses the ActiveSync protocol to communicate with the ActiveSync server and with ActiveSync devices. For information about these interactions, see Ivanti EPMM, Ivanti Standalone Sentry, and device interaction.

Exchange ActiveSync, also known as ActiveSync, is the protocol that the ActiveSync server uses to communicate over HTTP or HTTPS with devices. The ActiveSync server uses the ActiveSync protocol to do the following:

synchronize email, contacts, calendar, tasks and notes with a mobile device

provide for server-device interactions relating to mobile device management and policy controls

In a deployment, these devices are called ActiveSync devices. Ivanti Standalone Sentry and the UEM platform work together to protect the ActiveSync server from wrongful access by these devices.

Communication between Ivanti Standalone Sentry and ActiveSync servers is encrypted using HTTPS. Administrators can enable server TLS and configure outbound SSL. For Office 365 and Gmail, Ivanti recommends configuring the communication to use HTTPS, so that confidential information such as user name, password, and email content is never sent in clear text.

AppTunnel with Ivanti Standalone Sentry

Ivanti Standalone Sentry enabled for AppTunnel provides per-app secure tunneling and access control to protect app data as it moves between the device and corporate backend resources (data-in-motion). App-by-app session security protects the connection between each app container and the corporate network. AppTunnel is particularly useful when an organization does not want to open up VPN access to all apps on the device. AppTunnel is part of an AppConnect app or an Ivanti Tunnel deployment. However, AppTunnel is not a requirement for an AppConnect app deployment.

Ivanti Standalone Sentry and the UEM platform work together to provide secure access to the backend resource. For example:

UEM provides Ivanti Standalone Sentry with the backend resource configuration for the app.

When an app attempts to connect to a backend resource, Ivanti Standalone Sentry creates an app tunnel which is a unique combination of user, device, and app. Ivanti Standalone Sentry provides information about the app tunnel to the UEM.

UEM informs Ivanti Standalone Sentry when an app should not be allowed to access the backend resource. For example, Ivanti Standalone Sentry blocks access to the backend resource if there are security policy violations or the AppTunnel is manually blocked.
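The following Python is an added illustration, not code from Ivanti or from this page. It models the gatekeeping decisions described in the Integrated Sentry section (block a device that violates its security policy, block devices beyond a per-mailbox limit, carry out an administrator's block, allow or wipe action) and in the AppTunnel section (a tunnel is keyed on the user, device and app triple, and UEM can tell Sentry to block that one tunnel). The rule precedence, the "registration order" assumption for which devices exceed the mailbox limit, and all sample users, devices, apps and host names are constructed for the example.

```python
"""Constructed model of the gatekeeping decisions Sentry derives from UEM input.

Added illustration, not Ivanti code. Precedence between the rules
(administrator action, then compliance, then per-mailbox limit) is an
assumption of this model, not something the overview states.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ActiveSyncDevice:
    device_id: str
    mailbox: str
    compliant: bool = True               # result of the UEM security-policy check
    admin_action: Optional[str] = None   # "block", "allow" or "wipe" from the Admin Portal


def activesync_decisions(devices: Iterable[ActiveSyncDevice],
                         max_devices_per_mailbox: int) -> Dict[str, str]:
    """Return {device_id: "allow" | "block" | "wipe"} for every ActiveSync device.

    Devices are assumed to be listed in registration order, so when a mailbox
    has too many devices the most recently registered ones are blocked
    (assumption made for this model).
    """
    seen_per_mailbox: Dict[str, int] = {}
    decisions: Dict[str, str] = {}
    for d in devices:
        count = seen_per_mailbox.get(d.mailbox, 0) + 1
        seen_per_mailbox[d.mailbox] = count
        if d.admin_action == "wipe":
            decisions[d.device_id] = "wipe"
        elif d.admin_action in ("block", "allow"):
            decisions[d.device_id] = d.admin_action      # administrator decision wins
        elif not d.compliant:
            decisions[d.device_id] = "block"             # security-policy violation
        elif count > max_devices_per_mailbox:
            decisions[d.device_id] = "block"             # too many devices on one mailbox
        else:
            decisions[d.device_id] = "allow"
    return decisions


TunnelKey = Tuple[str, str, str]   # (user, device_id, app_id): one AppTunnel


class AppTunnelGate:
    """Per-app access control: UEM supplies the backend per app and blocks tunnels."""

    def __init__(self, backend_per_app: Dict[str, str]):
        self.backend_per_app = dict(backend_per_app)   # app_id -> configured backend host
        self.blocked: Set[TunnelKey] = set()
        self.active: Dict[TunnelKey, str] = {}

    def block(self, user: str, device_id: str, app_id: str) -> None:
        """UEM tells Sentry this tunnel may no longer reach the backend."""
        key = (user, device_id, app_id)
        self.blocked.add(key)
        self.active.pop(key, None)

    def unblock(self, user: str, device_id: str, app_id: str) -> None:
        self.blocked.discard((user, device_id, app_id))

    def connect(self, user: str, device_id: str, app_id: str, host: str) -> Tuple[bool, str]:
        """Decide whether the app on this device, for this user, may open a tunnel to host."""
        key = (user, device_id, app_id)
        if app_id not in self.backend_per_app:
            return False, "no backend resource configured for this app"
        if host != self.backend_per_app[app_id]:
            return False, "host is not the configured backend for this app"
        if key in self.blocked:
            return False, "tunnel blocked by UEM"
        self.active[key] = host
        return True, "allowed"


if __name__ == "__main__":
    # Constructed sample data; mailbox "alice" has four devices against a limit of three.
    devices: List[ActiveSyncDevice] = [
        ActiveSyncDevice("d1", "alice"),
        ActiveSyncDevice("d2", "alice", compliant=False),
        ActiveSyncDevice("d3", "alice"),
        ActiveSyncDevice("d4", "alice"),
        ActiveSyncDevice("d5", "bob", admin_action="wipe"),
    ]
    print(activesync_decisions(devices, max_devices_per_mailbox=3))

    gate = AppTunnelGate({"mail": "mail.internal.example", "docs": "docs.internal.example"})
    gate.block("alice", "dev1", "mail")
    print(gate.connect("alice", "dev1", "mail", "mail.internal.example"))   # blocked
    print(gate.connect("alice", "dev1", "docs", "docs.internal.example"))   # other app still allowed
    print(gate.connect("alice", "dev2", "mail", "mail.internal.example"))   # other device still allowed
```

The AppTunnelGate part is what makes the per-app granularity concrete: blocking the mail app on one device leaves the docs app on the same device, and the mail app on another device, unaffected, which is the property that distinguishes an app tunnel from a device-wide VPN.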

Network traffic support with AppTunnel

Table 4.   Supported network traffic for AppTunnel

Protocol                 Support
-----------------------  ----------------------------------------------------------------------
HTTP, HTTPS tunneling    Android and iOS AppConnect apps
TCP tunneling            Android AppConnect apps
                         iOS and macOS managed apps with Tunnel configured for app proxy VPN
                         Web@Work with Chromium stack enabled
                         TCP tunnels also support HTTP and HTTPS traffic
IP tunneling             Windows 10, iOS, and Android managed apps with Ivanti Tunnel
                         IP tunnels also support HTTP, HTTPS, TCP, and UDP traffic

Ivanti Standalone Sentry as a KKDCP server (Ivanti EPMM only)

Standalone Sentry can be configured as a Kerberos Key Distribution Center Proxy (KKDCP) server. A separate Standalone Sentry is required for Kerberos proxy. Standalone Sentry as a KKDCP server is only supported with Ivanti EPMM.
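To show what a KKDCP server actually handles, the following Python is an added example, not Ivanti code and not from this page. It encodes and decodes the DER-framed KDC-PROXY-MESSAGE defined in Microsoft's MS-KKDCP specification, in which a complete Kerberos message (prefixed with its 4-byte length, as on TCP) is wrapped together with an optional target realm and carried to the proxy over HTTPS, and it applies the check a proxy should make before relaying: the named realm must be one it serves. The placeholder message bytes, the realm names and the served-realm list are constructed for the example; nothing here describes how Ivanti Standalone Sentry itself is configured.

```python
"""Encode, decode and realm-check MS-KKDCP KDC-PROXY-MESSAGE framing.

Added illustration, not Ivanti code. The ASN.1 structure is from MS-KKDCP:

    KDC-PROXY-MESSAGE ::= SEQUENCE {
        kerb-message    [0] OCTET STRING,
        target-domain   [1] KerberosString OPTIONAL,
        dclocator-hint  [2] INTEGER OPTIONAL
    }

kerb-message holds a complete Kerberos message prefixed with its 4-byte
big-endian length, the same framing Kerberos uses over TCP (RFC 4120 7.2.2).
"""
from typing import Iterable, Optional

TAG_SEQUENCE, TAG_OCTET_STRING, TAG_INTEGER, TAG_GENERAL_STRING = 0x30, 0x04, 0x02, 0x1B
TAG_CTX0, TAG_CTX1, TAG_CTX2 = 0xA0, 0xA1, 0xA2   # [0], [1], [2] explicit (constructed) tags


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(value)) + value


def _der_integer(n: int) -> bytes:
    """Minimal two's-complement DER INTEGER for the non-negative hint value."""
    if n < 0:
        raise ValueError("dclocator-hint is a non-negative flag value")
    if n == 0:
        return b"\x00"
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos); refuse truncated input rather than read past it."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def encode_kdc_proxy_message(kerb_message: bytes, target_domain: Optional[str] = None,
                             dclocator_hint: Optional[int] = None) -> bytes:
    framed = len(kerb_message).to_bytes(4, "big") + kerb_message
    body = _tlv(TAG_CTX0, _tlv(TAG_OCTET_STRING, framed))
    if target_domain is not None:
        body += _tlv(TAG_CTX1, _tlv(TAG_GENERAL_STRING, target_domain.encode("ascii")))
    if dclocator_hint is not None:
        body += _tlv(TAG_CTX2, _tlv(TAG_INTEGER, _der_integer(dclocator_hint)))
    return _tlv(TAG_SEQUENCE, body)


def decode_kdc_proxy_message(data: bytes) -> dict:
    tag, seq, end = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE or end != len(data):
        raise ValueError("not a single KDC-PROXY-MESSAGE SEQUENCE")
    out = {"kerb_message": None, "target_domain": None, "dclocator_hint": None}
    pos = 0
    while pos < len(seq):
        ctx_tag, inner, pos = _read_tlv(seq, pos)
        inner_tag, value, inner_end = _read_tlv(inner, 0)
        if inner_end != len(inner):
            raise ValueError("trailing bytes inside explicit tag")
        if ctx_tag == TAG_CTX0 and inner_tag == TAG_OCTET_STRING:
            # The 4-byte prefix must agree with the payload actually present.
            if len(value) < 4 or int.from_bytes(value[:4], "big") != len(value) - 4:
                raise ValueError("kerb-message length prefix does not match payload")
            out["kerb_message"] = value[4:]
        elif ctx_tag == TAG_CTX1 and inner_tag == TAG_GENERAL_STRING:
            out["target_domain"] = value.decode("ascii")
        elif ctx_tag == TAG_CTX2 and inner_tag == TAG_INTEGER:
            out["dclocator_hint"] = int.from_bytes(value, "big", signed=True)
        else:
            raise ValueError(f"unexpected tag {ctx_tag:#x}/{inner_tag:#x}")
    if out["kerb_message"] is None:
        raise ValueError("kerb-message is mandatory")
    return out


def proxy_should_forward(data: bytes, served_realms: Iterable[str]) -> bool:
    """Relay only well-formed requests naming a realm this proxy serves (constructed allow-list)."""
    try:
        msg = decode_kdc_proxy_message(data)
    except ValueError:
        return False
    return msg["target_domain"] is not None and msg["target_domain"] in set(served_realms)


if __name__ == "__main__":
    fake_as_req = b"\x6a\x04\x30\x02\x05\x00"   # constructed placeholder, treated as opaque bytes
    wire = encode_kdc_proxy_message(fake_as_req, "EXAMPLE.COM", 0)
    print(wire.hex())                             # this body is what a client POSTs to the proxy over HTTPS
    print(decode_kdc_proxy_message(wire))
    print(proxy_should_forward(wire, ["EXAMPLE.COM"]), proxy_should_forward(wire, ["OTHER.NET"]))
```

The realm check matters because a KDC proxy sits on the HTTPS edge: it should relay Kerberos traffic only toward the KDCs it was deployed for, and reject requests that omit the realm or name one it does not serve, before any bytes reach a domain controller.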