Key-value pairs for custom data

You use key-value pairs to define the following:

Specify apps that will trigger Tunnel

Traffic rules

IPv4 network routes for Tunnel VPN

DNS rules

Network routes

Pinning

MTU

Idle time out

Debugging

Examples of custom data configurations

The following table provides the key-value pairs supported for Tunnel for Windows 10.

Table 4.   Key-value pairs for Tunnel for Windows 10

Each entry below lists the Key, the permitted Value, and a Description.

Specify apps that will trigger Tunnel

Key: AppTriggerList/AppTriggerId/AppId

AppTriggerId is 0 or an integer greater than zero. The AppTriggerId must start at 0. Enter a new row for each additional app and increment the AppTriggerId by 1. Do not skip a number.

Value: Package Family Name (PFN) or Full path

Description:

Package Family Name (PFN): Enter the package family name for Windows Store apps.
Example: Microsoft.MicrosoftEdge_8wekyb3d8bbwe

Full path: Enter the full path for legacy apps.
Example: %PROGRAMFILES% (x86)\Google\Chrome\Application\chrome.exe

Specify apps that will route traffic through Tunnel

Key: TrafficFilterList/trafficFilterId/AppId

trafficFilterId is 0 or an integer greater than zero. The trafficFilterId must start at 0. Enter a new row for each additional app and increment the trafficFilterId by 1. Do not skip a number.

Value: Package Family Name (PFN) or Full path

Description:

Package Family Name (PFN): Enter the package family name for Windows Store apps.
Example: Microsoft.MicrosoftEdge_8wekyb3d8bbwe

Full path: Enter the full path for legacy apps.
Example: %PROGRAMFILES% (x86)\Google\Chrome\Application\chrome.exe

Ensure that Always On is not checked.

Traffic rules

Defines which traffic is allowed through Tunnel.

You configure traffic rules in conjunction with TrafficFilterList/trafficFilterId/AppId. The trafficFilterId in the traffic rule must match the trafficFilterId of the app to which the rule applies.

Key: TrafficFilterList/trafficFilterId/Protocol
Value: A number from 0-255
Description: Only the IP protocol represented by the number is allowed.
Example: 6
TCP = 6, UDP = 17

Key: TrafficFilterList/trafficFilterId/LocalPortRanges
Value: A comma-separated list of local port ranges
Description: Only the local port ranges listed are allowed.
Example: 100-120, 200, 300-320
Ports are only valid if the protocol is set to TCP = 6 or UDP = 17.

Key: TrafficFilterList/trafficFilterId/RemotePortRanges
Value: A comma-separated list of remote port ranges
Description: Only the remote port ranges listed are allowed.
Example: 100-120, 200, 300-320
Ports are only valid if the protocol is set to TCP = 6 or UDP = 17.

Key: TrafficFilterList/trafficFilterId/LocalAddressRanges
Value: A comma-separated list of local IP address ranges
Description: Only the local IP addresses listed are allowed.

Key: TrafficFilterList/trafficFilterId/RemoteAddressRanges
Value: A comma-separated list of remote IP address ranges
Description: Only the remote IP addresses listed are allowed.

Key: TrafficFilterList/trafficFilterId/RoutingPolicyType
Value: ForceTunnel or SplitTunnel
Description: Specifies the routing policy for the app in the traffic filter list.
ForceTunnel: For this traffic rule, all IP traffic from the app can go through Tunnel.
SplitTunnel: For this traffic rule, only designated traffic from the app, as determined by the networking stack, can go through Tunnel.
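The row-id, protocol and port-range rules above are easy to get wrong when a profile is assembled by hand (a skipped trafficFilterId, port ranges on a row whose Protocol is not 6 or 17, an unknown RoutingPolicyType). The following Python validator is an added example written for this page; it is not code from the Ivanti Tunnel documentation or product. It assumes the pairs are supplied as "Key = Value" lines, which is a convention of this example only, and the sample rows are constructed to contain deliberate mistakes.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

RowTable = Dict[int, Dict[str, str]]  # row id -> {field name: value}

POLICY_TYPES = {"ForceTunnel", "SplitTunnel"}
PORT_PROTOCOLS = {6, 17}  # TCP and UDP: the only protocols for which port ranges apply

# Constructed sample pairs (not from a real deployment). The "Key = Value" line
# form is an assumption of this example; the console stores each pair separately.
SAMPLE_CONFIG = r"""
TrafficFilterList/0/AppId = %PROGRAMFILES% (x86)\Google\Chrome\Application\chrome.exe
TrafficFilterList/0/RoutingPolicyType = ForceTunnel
TrafficFilterList/0/Protocol = 6
TrafficFilterList/0/RemotePortRanges = 100-120, 200, 300-320
TrafficFilterList/0/RemoteAddressRanges = 10.0.0.0-10.255.255.255
TrafficFilterList/1/AppId = Microsoft.MicrosoftEdge_8wekyb3d8bbwe
TrafficFilterList/1/RoutingPolicyType = SplitTunnel
TrafficFilterList/1/LocalPortRanges = 443
TrafficFilterList/3/AppId = notepad.exe
TrafficFilterList/3/RoutingPolicyType = Bridge
TrafficFilterList/3/Protocol = 300
"""


def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'Key = Value' lines; blank lines are ignored."""
    pairs = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs


def rows_of(config: Dict[str, str], list_name: str) -> RowTable:
    """Group '<list>/<rowId>/<field>' keys by their numeric row id."""
    table: RowTable = {}
    for key, value in config.items():
        m = re.fullmatch(rf"{list_name}/(\d+)/(\w+)", key)
        if m:
            table.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return table


def check_contiguous(table: RowTable, list_name: str) -> List[str]:
    """Row ids must start at 0 and increase by 1 with no gaps."""
    ids = sorted(table)
    if ids != list(range(len(ids))):
        return [f"{list_name}: row ids must be 0..{len(ids) - 1} with no gaps, got {ids}"]
    return []


def parse_port_ranges(value: str) -> List[Tuple[int, int]]:
    """'100-120, 200, 300-320' -> [(100, 120), (200, 200), (300, 320)]."""
    ranges = []
    for item in value.split(","):
        lo, _, hi = item.strip().partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 0 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port range {item.strip()!r}")
        ranges.append((lo_n, hi_n))
    return ranges


def parse_address_ranges(value: str) -> List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """'10.0.0.0-10.255.255.255, 192.168.1.5' -> list of (first, last) address pairs."""
    ranges = []
    for item in value.split(","):
        lo, _, hi = item.strip().partition("-")
        first, last = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi or lo)
        if first > last:
            raise ValueError(f"bad address range {item.strip()!r}")
        ranges.append((first, last))
    return ranges


def validate_traffic_filters(config: Dict[str, str]) -> List[str]:
    """Return the problems found in the TrafficFilterList rows (empty list means valid)."""
    table = rows_of(config, "TrafficFilterList")
    errors = check_contiguous(table, "TrafficFilterList")
    for row_id, fields in sorted(table.items()):
        where = f"TrafficFilterList/{row_id}"
        if not fields.get("AppId"):
            errors.append(f"{where}/AppId is required")
        policy = fields.get("RoutingPolicyType")
        if policy not in POLICY_TYPES:
            errors.append(f"{where}/RoutingPolicyType must be ForceTunnel or SplitTunnel, got {policy!r}")
        protocol = None
        if "Protocol" in fields:
            raw = fields["Protocol"]
            protocol = int(raw) if raw.isdigit() else -1
            if not 0 <= protocol <= 255:
                errors.append(f"{where}/Protocol must be 0-255, got {raw!r}")
        # Port ranges only mean something for TCP (6) or UDP (17).
        for field in ("LocalPortRanges", "RemotePortRanges"):
            if field in fields:
                if protocol not in PORT_PROTOCOLS:
                    errors.append(f"{where}/{field} requires Protocol 6 (TCP) or 17 (UDP)")
                try:
                    parse_port_ranges(fields[field])
                except ValueError as exc:
                    errors.append(f"{where}/{field}: {exc}")
        for field in ("LocalAddressRanges", "RemoteAddressRanges"):
            if field in fields:
                try:
                    parse_address_ranges(fields[field])
                except ValueError as exc:
                    errors.append(f"{where}/{field}: {exc}")
    return errors


if __name__ == "__main__":
    for problem in validate_traffic_filters(parse_kv(SAMPLE_CONFIG)):
        print(problem)
```

Run against the sample, the validator reports the gap in row ids (0, 1, 3), the port range on row 1 that has no TCP/UDP Protocol, and the unknown policy type and out-of-range Protocol on row 3; row 0 passes. The same rows_of and check_contiguous functions apply unchanged to AppTriggerList, RouteList and DomainNameInformationList, whose ids follow the same start-at-0, no-gaps rule.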

IPv4 network routes for Tunnel VPN

Key: RouteList/routeRowId/Address/PrefixSize

routeRowId is 0 or an integer greater than zero. The routeRowId must start at 0. Enter a new row for each additional route and increment the routeRowId by 1. Do not skip a number. Address and PrefixSize are entered as two separate key-value pairs for the same routeRowId (see the examples at the end of this section).

Value: IPv4 network routes set aside for the VPN interface

Description: Specifies the IPv4 network routes for Tunnel VPN. The network routes are added to the device OS routing table.

DNS rules

Ivanti, Inc recommends configuring DNS rules. To configure DNS rules you must configure the following key-value pairs as a group:

DomainNameInformationList/dniRowId/DomainName
DomainNameInformationList/dniRowId/DnsServers
DomainNameInformationList/dniRowId/DomainNameType

Ensure that an explicit route to the DNS server is configured in the VPN profile. You can use the IPv4NetworkRoute key-value pair to configure the route to the DNS server.

Key: DomainNameInformationList/dniRowId/DomainName

dniRowId is 0 or an integer greater than zero. The dniRowId must start at 0. Enter a new row for each additional DNS server and increment the dniRowId by 1. Do not skip a number.

Value: FQDN or Domain suffix

Description:
FQDN: Fully qualified domain name.
Domain suffix: A domain suffix that is appended to a short-name query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix.
Example of domain suffix: .companyname.com

Key: DomainNameInformationList/dniRowId/DnsServers

The dniRowId must match the dniRowId for the DomainName.

Value: Comma-separated list of DNS server IP addresses
Description: Ensure that there are no spaces between the listed IP addresses.
Example: 10.10.15.6

Key: DomainNameInformationList/dniRowId/DomainNameType

The dniRowId must match the dniRowId for the DomainName.

Value: FQDN or Suffix
Example: Suffix

Network routes

Do not use these key-value pairs to configure Access routes.

Key: IPv4NetworkRoute
Value: Valid IPv4 address range
Description: Specifies the IPv4 network routes set aside for the VPN interface. Only traffic to the specified IP ranges is allowed through Tunnel VPN.
Enter an IPv4 address range. Ensure that the network routes are reachable and not overlapping.
If an IPv4 address range is not specified, Tunnel sets the default route 0.0.0.0/0.
You can enter multiple IPv4 address ranges. Each range must be separated by a semicolon.
Example: 192.168.122.0/24

Key: IPv4NetworkExcludedRoute
Value: Valid IPv4 address range
Description: These IPv4 routes are excluded from going through Tunnel VPN. In the device routing table, the excluded routes are assigned to the non-VPN interfaces.
Example: When a separate Standalone Sentry is set up for ActiveSync, access to the ActiveSync server does not need to go through Tunnel VPN, as ActiveSync traffic is secured by Standalone Sentry. In this case, you may want to exclude the specific route to the ActiveSync server. If the IP range is 192.0.0.0/24, and the IP address of the ActiveSync server is 192.0.1.1, the excluded route should be 192.0.1.1/32.
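The DNS rules and the network route rules above interact: a DNS server listed in DnsServers only works through Tunnel if an IPv4NetworkRoute covers it and no IPv4NetworkExcludedRoute removes it again, and the three DomainNameInformationList keys must be present for every row. The following Python check is an added example for this page, not code from Ivanti; it parses the semicolon-separated route lists (tolerating the trailing ";" seen in the examples), applies the 0.0.0.0/0 default, and cross-checks the DNS rows against the routes. Overlapping routes are reported as warnings rather than errors because the page's own examples place a /32 host route for the DNS server inside a broader route. The "Key = Value" input form and all sample values are assumptions of this example.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

DNS_FIELDS = ("DomainName", "DnsServers", "DomainNameType")

# Constructed sample configuration (illustrative values, not a real deployment).
# The "Key = Value" line form is an assumption of this example.
SAMPLE_CONFIG = """
IPv4NetworkRoute = 10.0.0.0/8;10.11.0.0/16;10.10.15.6/32;
IPv4NetworkExcludedRoute = 10.0.1.1/32;192.0.2.0/24
DomainNameInformationList/0/DomainName = .companyname.com
DomainNameInformationList/0/DnsServers = 10.10.15.6
DomainNameInformationList/0/DomainNameType = Suffix
DomainNameInformationList/1/DomainName = mail.companyname.com
DomainNameInformationList/1/DnsServers = 10.0.1.1, 172.16.0.53
DomainNameInformationList/1/DomainNameType = FQDN
DomainNameInformationList/2/DomainName = companyname.com
DomainNameInformationList/2/DomainNameType = Suffix
"""


def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'Key = Value' lines; blank lines are ignored."""
    pairs = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs


def parse_routes(value: str) -> List[ipaddress.IPv4Network]:
    """Split a semicolon-separated CIDR list; empty items (trailing ';') are skipped."""
    return [ipaddress.IPv4Network(item.strip()) for item in value.split(";") if item.strip()]


def included_routes(config: Dict[str, str]) -> List[ipaddress.IPv4Network]:
    """Routes sent through Tunnel; 0.0.0.0/0 when IPv4NetworkRoute is not specified."""
    return parse_routes(config.get("IPv4NetworkRoute", "")) or [ipaddress.IPv4Network("0.0.0.0/0")]


def dns_rows(config: Dict[str, str]) -> Dict[int, Dict[str, str]]:
    """Group DomainNameInformationList/<dniRowId>/<field> pairs by row id."""
    rows: Dict[int, Dict[str, str]] = {}
    for key, value in config.items():
        m = re.fullmatch(r"DomainNameInformationList/(\d+)/(\w+)", key)
        if m:
            rows.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return rows


def validate_routes_and_dns(config: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for the route and DNS key-value pairs."""
    errors: List[str] = []
    warnings: List[str] = []
    routes = included_routes(config)
    excluded = parse_routes(config.get("IPv4NetworkExcludedRoute", ""))

    # The page asks for non-overlapping routes, but its examples nest a DNS host
    # route inside a wider route, so overlaps are surfaced for review only.
    for i, a in enumerate(routes):
        for b in routes[i + 1:]:
            if a.overlaps(b):
                warnings.append(f"IPv4NetworkRoute: {a} overlaps {b}")

    # An exclusion only matters for traffic that an included route would otherwise send through Tunnel.
    for ex in excluded:
        if not any(ex.subnet_of(r) for r in routes):
            warnings.append(f"IPv4NetworkExcludedRoute: {ex} is not inside any IPv4NetworkRoute and has no effect")

    for row_id, fields in sorted(dns_rows(config).items()):
        where = f"DomainNameInformationList/{row_id}"
        missing = [f for f in DNS_FIELDS if f not in fields]
        if missing:
            errors.append(f"{where}: missing {', '.join(missing)} (the three keys must be configured as a group)")
        name_type = fields.get("DomainNameType")
        if name_type == "Suffix" and not fields.get("DomainName", "").startswith("."):
            errors.append(f"{where}/DomainName: a suffix must start with '.'")
        elif name_type not in (None, "FQDN", "Suffix"):
            errors.append(f"{where}/DomainNameType must be FQDN or Suffix, got {name_type!r}")
        servers = fields.get("DnsServers", "")
        if " " in servers:
            errors.append(f"{where}/DnsServers: no spaces are allowed between addresses")
        for server in filter(None, (s.strip() for s in servers.split(","))):
            try:
                ip = ipaddress.IPv4Address(server)
            except ValueError:
                errors.append(f"{where}/DnsServers: {server!r} is not an IPv4 address")
                continue
            hit = [ex for ex in excluded if ip in ex]
            if hit:
                errors.append(f"{where}/DnsServers: {ip} falls in excluded route {hit[0]}")
            elif not any(ip in r for r in routes):
                errors.append(f"{where}/DnsServers: {ip} is not covered by any IPv4NetworkRoute; add an explicit route such as {ip}/32")
    return errors, warnings


if __name__ == "__main__":
    found_errors, found_warnings = validate_routes_and_dns(parse_kv(SAMPLE_CONFIG))
    for line in found_errors + found_warnings:
        print(line)
```

On the sample, row 1 produces three errors (a space in the DnsServers list, a DNS server that the exclusion list removes, and a DNS server with no route at all), row 2 is missing DnsServers and has a Suffix without the leading dot, and the warnings list the nested routes and the exclusion that matches no included route.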

Pinning

Key: DisablePinning
Value: 1
Description: Disables certificate pinning. By default, certificate pinning is enabled.

MTU

Key: TunnelMTU
Value: An integer greater than 0
Description: Sets the inner Tunnel MTU. The default is 1400 bytes.
The maximum packet size that Windows 10 accepts is 1401 bytes.
The inner Tunnel maximum frame size is set to 1500.

Idle time out

Key: TcpIdleTmoMs
Value: An integer greater than 0
Description: Controls the idle session timeout for the connection between the app and the backend resource. The timeout is measured in milliseconds.
Example: For 70 seconds, enter 70000.
The default idle timeout with Standalone Sentry for app VPN is 60 seconds.

Key: DesktopIdleTmoMonitor
Value: 0, 1
Description: Only for Windows 10 desktops.
1: DesktopSentIdleTmoMs is enabled. Tunnel monitors the idle time instead of Windows. This allows a faster and better response after a timeout. Tunnel uses the idle timeouts specified in DesktopSentIdleTmoMs and DesktopRecvIdleTmoMs. The default values are used if those key-value pairs are not configured.
0: Idle timeout management by Tunnel is disabled.
The default value if the key-value pair is not configured: 1

Key: DesktopSentIdleTmoMs
Value: An integer greater than 0
Description: Only for Windows 10 desktops. The timeout is measured in milliseconds.
If a value is not configured or is configured as 0, Standalone Sentry's timeout value, which is 60 seconds, or the value configured for TcpIdleTmoMs is used.
The sent idle timeout is measured from the time of the last packet sent by Tunnel to Standalone Sentry.

Key: DesktopRecvIdleTmoMs
Value: An integer greater than 0
Description: Only for Windows 10 desktops. The timeout is measured in milliseconds.
If a value is not configured or is configured as 0, the received idle timeout is set to 30 seconds.
The received idle timeout is measured from the time of the last packet received by Tunnel from Standalone Sentry.

Key: PhoneIdleTmoMonitor
Value: 0, 1
Description: Only for Windows 10 phones.
1: PhoneSentIdleTmoMs is enabled. Tunnel monitors the idle time instead of Windows. This allows a faster and better response after a timeout. Tunnel uses the idle timeouts specified in PhoneSentIdleTmoMs and PhoneRecvIdleTmoMs. The default values are used if those key-value pairs are not configured.
0: Idle timeout management by Tunnel is disabled.
The default value if the key-value pair is not configured: 1

Key: PhoneSentIdleTmoMs
Value: An integer greater than 0
Description: Only for Windows 10 phones. The timeout is measured in milliseconds.
If a value is not configured or is configured as 0, Standalone Sentry's timeout value, which is 60 seconds, or the value configured for TcpIdleTmoMs is used.
The sent idle timeout is measured from the time of the last packet sent by Tunnel to Standalone Sentry.

Key: PhoneRecvIdleTmoMs
Value: An integer greater than 0
Description: Only for Windows 10 phones. The timeout is measured in milliseconds.
If a value is not configured or is configured as 0, the received idle timeout is set to 30 seconds.
The received idle timeout is measured from the time of the last packet received by Tunnel from Standalone Sentry.

Debugging

Key: DebugLog
Value: 1
Description: Collects debug-level logs on the app connecting to the backend resource. By default, minimal-level logs are collected. If this key-value pair is configured, the setting is grayed out in Tunnel and the user cannot change it on the device.

Key: ShowDebugUI
Value: 1
Description: Enables viewing of diagnostic information on the app connecting to the backend resource.
After the key-value pair is pushed to the device, the app must try to connect to the backend resource to get the value. If the app is already running, it picks up the new key-value pair when it is restarted.

Key: debugInfoRecipient
Value: A valid email address
Description: Auto-populates the support email address to which the logs are emailed. The log information is sent to the email address configured here.

Examples of custom data configurations

The following are examples of custom data configurations:

Trigger Tunnel VPN when the user logs in to Windows 10 desktop

Force tunneling with multiple DNS servers

Split tunneling with one route list and one DNS server

Split tunneling with two route lists and one DNS server

Trigger Tunnel VPN when the user logs in to Windows 10 desktop

Always On is checked.

Key                                          Value
IPv4NetworkRoute                             0.0.0.0/0;10.10.15.6/32;
TrafficFilterList/0/RoutingPolicyType        ForceTunnel
TrafficFilterList/0/AppId                    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
DomainNameInformationList/0/DomainName       .companyname.com
DomainNameInformationList/0/DomainNameType   Suffix
DomainNameInformationList/0/DnsServers       10.10.15.6
TrafficFilterList/0/RemoteAddressRanges      10.0.0.0-10.255.255.25

Force tunneling with multiple DNS servers

Always On is unchecked.

Key                                          Value
IPv4NetworkRoute                             10.11.0.0/16;10.0.0.0/8;10.10.15.6/32;10.11.50.31/32;
TrafficFilterList/0/AppId                    %PROGRAMFILES% (x86)\Google\Chrome\Application\chrome.exe
TrafficFilterList/0/RoutingPolicyType        ForceTunnel
TrafficFilterList/0/RemoteAddressRanges      10.0.0.0-10.255.255.255
DomainNameInformationList/0/DomainName       .companyname.com
DomainNameInformationList/0/DnsServers       10.10.15.6
DomainNameInformationList/0/DomainNameType   Suffix
DomainNameInformationList/1/DomainName       .google.com
DomainNameInformationList/1/DnsServers       10.11.50.31
DomainNameInformationList/1/DomainNameType   Suffix

Split tunneling with one route list and one DNS server

Always On is unchecked.

Key                                          Value
IPV4NetworkRoute                             0.0.0.0/0;10.10.15.6/32;
TrafficFilterList/0/AppId                    %PROGRAMFILES% (x86)\Google\Chrome\Application\chrome.exe
RouteList/0/Address                          10.0.0.0
RouteList/0/PrefixSize                       8
TrafficFilterList/0/RoutingPolicyType        SplitTunnel
DomainNameInformationList/0/DomainName       .companyname.com
DomainNameInformationList/0/DnsServers       10.10.15.6
DomainNameInformationList/0/DomainNameType   Suffix

Split tunneling with two route lists and one DNS server

Always On is unchecked.

Key                                          Value
IPV4NetworkRoute                             10.10.15.6/32;10.11.50.31/32
TrafficFilterList/0/AppId                    %PROGRAMFILES% (x86)\Google\Chrome\Application\chrome.exe
RouteList/0/Address                          10.10.0.0
RouteList/0/PrefixSize                       16
RouteList/1/Address                          10.11.0.0
RouteList/1/PrefixSize                       16
TrafficFilterList/0/RoutingPolicyType        SplitTunnel
DomainNameInformationList/0/DomainName       .companyname.com
DomainNameInformationList/0/DnsServers       10.10.15.6
DomainNameInformationList/0/DomainNameType   Suffix