Custom data key-value pairs for Ivanti Tunnel for Android native and Samsung Knox Workspace

The following table provides a description of the custom data key-value pairs.

Table 7.  Tunnel configuration key-value pairs description

Key

Value: Enter

Description

Manage Tunnel timeout

TcpIdleTmoMs

An integer

The Tunnel TCP session idle timeout, on Standalone Sentry, in milliseconds.

Tunnel sends this value to Standalone Sentry during the initial handshake in header X-App-TcpIdleTimeoutMs. If this key-value pair is not configured, the default value is 3600000 milliseconds (one hour).

Frequently, in production environments, there are firewalls and load balancers between the device and Standalone Sentry. Each network element may have its own idle timeout, often shorter than the Standalone Sentry timeout. Ivanti recommends setting TcpIdleTmoMs lower than the idle timeout of every other network element in the path, so that Standalone Sentry, rather than an intermediate device, is the one that closes an idle session.

As an alternative, consider configuring TCP keep-alive (see TcpKeepCount and TcpKeepIntervalSec below).

VPN connection

AllowBypass

(Android native only)

  • true
  • false

true: Allows all apps to bypass this VPN connection. Apps may use methods such as setProcessDefaultNetwork(Network) to send and receive directly over the underlying network or any other network for which they have permissions.

false: Default, if the key-value pair is not configured. All traffic from apps is forwarded through the VPN interface. Apps cannot bypass the VPN.

SplitDomainsList

List of domain suffixes separated by a semicolon (;)

Example: acme.com; google.com

DNS requests for domains that match a configured suffix are sent to the VPN DNS server. DNS requests for non-matching domains are sent to the device's DNS server.

Example: with company.com configured, all DNS queries for company.com and its subdomains are handled by the VPN DNS server; all other queries are handled by the device network DNS, not the VPN DNS server.

The DNS handler for the Tunnel plugin decides which DNS server each DNS request is sent to, based on the configured domains:

  • All subdomains are matched.
    Example: example.com matches example.com, staff.example.com, and jira.example.com
  • The match is anchored on the right at the top-level domain of the configured entry; a query name that continues past it does not match.
    Example: example.com does not match example.com.akamai.com
  • Only complete labels are matched; a configured domain does not match a longer name that merely ends with the same characters.
    Example: example.com does not match myexample.com
  • '*' and '?' are not valid characters in the configuration; a bare domain already covers its subdomains.

The filtering is done at the IP packet level; Tunnel does not provide DNS resolver functionality. If the key-value pair is not configured, all DNS requests are sent to the VPN DNS server.

SplitUDPPortList

List of UDP ports separated by a semicolon (;). Single ports and inclusive ranges (low-high) are accepted.

List of UDP ports to send through Ivanti Tunnel VPN. All other UDP packets are sent directly to the destination, bypassing the tunnel.

If the key-value pair is not configured, all UDP packets are sent through Ivanti Tunnel VPN.

Example: 53;161-162;200-1024
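The SplitDomainsList matching rules and the SplitUDPPortList syntax above are easiest to check against concrete inputs. The following Python is an added illustration written for this page, not Ivanti Tunnel code: it parses both values the way the table describes them, rejects the wildcard characters the table forbids, and decides for a DNS query name or a UDP destination port whether it is sent through the VPN or directly. The configuration strings and query names in the usage section are constructed examples.

```python
"""Added example (not Ivanti code): split-tunnel selection for the
SplitDomainsList and SplitUDPPortList custom data keys.
"""
from __future__ import annotations

FORBIDDEN_DOMAIN_CHARS = ("*", "?")


def parse_split_domains(value: str) -> list[str]:
    """Parse a SplitDomainsList value such as "acme.com; google.com".

    Entries are separated by ';' and surrounding whitespace is ignored.
    '*' and '?' are rejected because the table says they are not valid.
    """
    domains: list[str] = []
    for raw in value.split(";"):
        entry = raw.strip().lower().rstrip(".")
        if not entry:
            continue
        if any(ch in entry for ch in FORBIDDEN_DOMAIN_CHARS):
            raise ValueError(f"wildcards are not allowed in SplitDomainsList: {entry!r}")
        domains.append(entry)
    return domains


def domain_matches(query_name: str, configured: str) -> bool:
    """Apply the documented rules for one configured suffix.

    - all subdomains match (example.com matches staff.example.com)
    - the match is anchored on the right (example.com does not match
      example.com.akamai.com)
    - only complete labels match (example.com does not match myexample.com)
    """
    q = query_name.strip().lower().rstrip(".")
    return q == configured or q.endswith("." + configured)


def dns_goes_to_vpn(query_name: str, domains: list[str]) -> bool:
    """True if the DNS query for query_name is routed to the VPN DNS server.

    With no SplitDomainsList configured (empty list) the documented default
    applies: every DNS request goes to the VPN DNS server.
    """
    if not domains:
        return True
    return any(domain_matches(query_name, d) for d in domains)


def parse_split_udp_ports(value: str) -> set[int]:
    """Parse a SplitUDPPortList value such as "53;161-162;200-1024".

    Single ports and inclusive low-high ranges are accepted; a port outside
    1-65535 or a reversed range is rejected.
    """
    ports: set[int] = set()
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        if "-" in entry:
            lo_s, hi_s = entry.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(entry)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"invalid UDP port entry: {entry!r}")
        ports.update(range(lo, hi + 1))
    return ports


def udp_goes_through_tunnel(dst_port: int, ports: set[int] | None) -> bool:
    """True if a UDP packet to dst_port is sent through Ivanti Tunnel VPN.

    ports is None when SplitUDPPortList is not configured; the documented
    default then applies and all UDP packets go through the tunnel.
    """
    if ports is None:
        return True
    return dst_port in ports


if __name__ == "__main__":
    # Constructed sample configuration, not taken from a real deployment.
    split_domains = parse_split_domains("acme.com; example.com")
    split_ports = parse_split_udp_ports("53;161-162;200-1024")
    for name in ("jira.example.com", "example.com.akamai.com", "myexample.com", "acme.com."):
        target = "VPN DNS" if dns_goes_to_vpn(name, split_domains) else "device DNS"
        print(f"{name:28} -> {target}")
    for port in (53, 162, 500, 4500):
        path = "tunnel" if udp_goes_through_tunnel(port, split_ports) else "direct"
        print(f"udp/{port:<5} -> {path}")
```

Note that the domain check is a plain suffix comparison on label boundaries; that is why a bare entry such as example.com is enough to cover its subdomains and why a wildcard entry is rejected rather than expanded.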

MTU

An integer

Tunnel MTU.

The default value, if the key-value pair is not configured, is 1400.

quickRetryMaxAttempts

An integer

Number of quick attempts to reconnect to the VPN.

The default, if the key-value pair is not configured, is 3.

quickRetryIntervalSec

An integer

Time between the quick attempts to reconnect to the VPN, in seconds.

The default, if the key-value pair is not configured, is 1.

slowRetryIntervalSec

An integer

Time between attempts to reconnect to the VPN, in seconds, once the quick attempts (quickRetryMaxAttempts) have been used.

The default, if the key-value pair is not configured, is 60.

TcpKeepCount

An integer

The value configured specifies the number of unacknowledged probes for TCP keep-alive to send before the connection is considered as dead.

The default value, if the key-value pair is not configured, is 20.

The key is part of the Android operating system specifications.

TcpKeepIntervalSec

An integer

The value configured specifies the TCP keep-alive interval between subsequent failed keep-alive probes in seconds.

The default value, if the key-value pair is not configured, is 2 seconds.

The key is part of the Android operating system specifications.

AtpProbeIdleSec

An integer

Sets the minimum idle time, in seconds, after which probe packets are sent out with outbound Tunnel traffic. If Tunnel does not receive a response for at least one of the probes sent, the existing connection is dropped and a new connection is established with the server.

The minimum idle time is measured from the last inbound response received by Tunnel. For example, if the value is 60 seconds and Tunnel receives no inbound traffic for 60 seconds, probe packets are sent with the next outbound Tunnel traffic.

Default value if the key-value pair is not configured: 60 seconds

AtpProbeIntervalSec

An integer

Sets the interval, in seconds, between probe packets sent after the minimum idle time specified in AtpProbeIdleSec.

Default value if the key-value pair is not configured: 1 second

AtpProbeCount

An integer

Sets the total count of the probe packets sent after the minimum idle time specified in AtpProbeIdleSec.

Default value if the key-value pair is not configured: 5
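The three AtpProbe* keys together form a dead-peer detection timer, and their interaction is clearer as a timeline than as three separate rows. The following Python is an added model written for this page, not Ivanti Tunnel code. It assumes the behaviour described above: once Tunnel has seen no inbound traffic for AtpProbeIdleSec, the next outbound packet starts a burst of AtpProbeCount probes spaced AtpProbeIntervalSec apart, and any inbound traffic cancels the burst. Two details are assumptions, because the table does not state them: after the first probe the remaining probes are modelled on their own timer rather than on further outbound traffic, and "no response" is decided one interval after the last probe. The event timelines are constructed sample input.

```python
"""Added example (not Ivanti code): a timeline model of AtpProbeIdleSec,
AtpProbeIntervalSec and AtpProbeCount.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class AtpConfig:
    probe_idle_sec: float = 60.0      # AtpProbeIdleSec default from the table
    probe_interval_sec: float = 1.0   # AtpProbeIntervalSec default
    probe_count: int = 5              # AtpProbeCount default


def worst_case_detection_sec(cfg: AtpConfig) -> float:
    """Longest time a dead peer goes unnoticed after its last inbound packet,
    assuming outbound traffic is present as soon as the idle threshold is hit
    and that "no response" is decided one interval after the last probe
    (model assumption)."""
    return cfg.probe_idle_sec + cfg.probe_count * cfg.probe_interval_sec


@dataclass
class AtpProbeMonitor:
    cfg: AtpConfig = field(default_factory=AtpConfig)
    last_inbound: float = 0.0
    probes_sent: int = 0
    next_probe_at: float | None = None          # None while not probing
    log: list[tuple[float, str]] = field(default_factory=list)

    def on_inbound(self, t: float) -> None:
        """Any inbound packet refreshes the idle clock and cancels a probe burst."""
        self._advance(t)
        self.last_inbound = t
        if self.next_probe_at is not None:
            self.log.append((t, "inbound seen, probe burst cancelled"))
            self.next_probe_at = None
            self.probes_sent = 0

    def on_outbound(self, t: float) -> None:
        """Outbound traffic after the idle threshold carries the first probe."""
        self._advance(t)
        idle = t - self.last_inbound
        if self.next_probe_at is None and idle >= self.cfg.probe_idle_sec:
            self.log.append((t, f"idle {idle:.0f}s >= {self.cfg.probe_idle_sec:.0f}s, probing starts"))
            self.next_probe_at = t
            self.probes_sent = 0
            self._advance(t)

    def _advance(self, t: float) -> None:
        """Emit every probe due by time t; once the burst is exhausted, reconnect."""
        while self.next_probe_at is not None and self.next_probe_at <= t:
            due = self.next_probe_at
            if self.probes_sent < self.cfg.probe_count:
                self.probes_sent += 1
                self.log.append((due, f"probe {self.probes_sent}/{self.cfg.probe_count}"))
                self.next_probe_at = due + self.cfg.probe_interval_sec
            else:
                # Model assumption: one interval after the last probe with no
                # inbound traffic counts as "no response".
                self.log.append((due, "no probe answered, drop and reconnect"))
                self.next_probe_at = None
                self.probes_sent = 0
                self.last_inbound = due   # the new connection starts a fresh idle clock


def run(events: list[tuple[float, str]], cfg: AtpConfig | None = None) -> list[tuple[float, str]]:
    """Replay (time, 'in'|'out') events in time order and return the action log."""
    mon = AtpProbeMonitor(cfg or AtpConfig())
    for t, kind in sorted(events):
        if kind == "in":
            mon.on_inbound(t)
        elif kind == "out":
            mon.on_outbound(t)
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return mon.log


def reconnect_times(log: list[tuple[float, str]]) -> list[float]:
    return [t for t, msg in log if msg.startswith("no probe answered")]


if __name__ == "__main__":
    # Constructed timeline (seconds): the server stops responding after t=20.
    events = [(0, "in"), (20, "in"), (30, "out"), (50, "out"), (85, "out"), (95, "out")]
    for t, msg in run(events):
        print(f"t={t:>5.0f}s  {msg}")
    print("worst-case detection with defaults:", worst_case_detection_sec(AtpConfig()), "s")
```

With the defaults the model reconnects 65 seconds after the last inbound packet at the earliest; lowering AtpProbeIdleSec shortens that window at the cost of more probe traffic on links that are merely quiet.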

Certificates

DisablePinning

  • true
  • false

false: Default, if the key-value pair is not configured. Certificate pinning is enabled.

true: Certificate pinning is disabled. Disabling certificate pinning is not recommended for security reasons.

The Standalone Sentry server certificate is automatically pushed to the device.

Troubleshooting

UINotificationLevel

  • 0
  • 1
  • 2

The user sees error notifications or all Tunnel related notifications, depending on the level you configure.

Configure one of the following levels of user notifications that the Tunnel app provides:

  • 0: No notifications or errors are displayed, except when an error occurs while establishing Tunnel.
  • 1: Only error notifications are displayed. This is the default setting if the key-value pair is not configured.
  • 2: Error notifications and connect/disconnect confirmations are displayed.

There are no notifications to indicate that an app is blocked or allowed.

DebugLog

  • 0
  • 6
  • 4
  • 3
  • 2

Controls the amount of logging. The client app can override the VPN profile setting.

  • 0: Default setting if the key-value pair is not configured. A minimal level of logs is collected.
  • 6: ERROR level
  • 4: INFO level
  • 3: DEBUG level
  • 2: VERBOSE level

AllowCapture

  • false
  • true

Allows users to capture traffic in a PCAP file.

false: Device users are not allowed to trigger inner traffic capture.

true: Device users are allowed to trigger inner traffic capture and email the PCAP file.

The default, if the key-value pair is not configured, is false.

The capture is of inner traffic, that is, app traffic before Tunnel carries it, so the PCAP file may contain sensitive information such as application payloads. Enable this only for troubleshooting and set it back to false afterwards.

debugInfoRecipient

Email address

The device debug logs are sent to the configured email address.

When users tap Email Debug Info, the To field is auto filled with the value configured for debugInfoRecipient.

EnableUserControl

  • true
  • false

true: Tunnel VPN is enabled. The option to enable or disable Tunnel VPN is available to the device user.

false: Tunnel VPN is enabled. The option to enable or disable Tunnel VPN is not available to the device user.

Default value if the key-value pair is not configured: true

The key-value pair is not applicable to Tunnel deployed in the Samsung Knox workspace. By default, device users in the Samsung Knox workspace do not have the option to enable or disable Tunnel VPN.

DefaultMaxNumLogs

An integer

Sets the maximum number of log files.

The default if the key-value pair is not configured is 8.

DefaultMaxPcapSize

An integer

Sets the maximum pcap file size, in bytes.

The default, if the key-value pair is not configured, is 2097152 (2 MiB).

DefaultMaxNumPcaps

An integer

Sets the maximum number of pcap files.

The default if the key-value pair is not configured is 10.

AnalyticsEnabled

  • true
  • false

true: Enables collection of analytics data for Mixpanel.

false: Collection of analytics data is disabled.

Default value if the key-value pair is not configured: true.

SendDeviceID

  • true
  • false

true: Ivanti Tunnel provides the device ID to Access.

The device ID is reported on Access in Reports > Errors.

false: Ivanti Tunnel does not provide the device ID to Access.

The key-value pair is useful in identifying devices that encounter connection errors when authenticating through Access.

Default value if the key-value pair is not configured: false

Tethering

ExcludeTethering

  • true
  • false

true: Ivanti Tunnel VPN continues to work on the tethered host device without impacting the tethering client connection.

false: Ivanti Tunnel VPN may impact the tethering client connection.

Default value if the key-value pair is not configured: false

This key-value pair may be required for Ivanti Tunnel for Android native only.

If the key-value pair is set to true, ensure that the internal IP ranges routed through the VPN do not overlap with the IP ranges used by the tethering client. Avoid the following IP ranges:

192.168.42.0/23  (192.168.42.0 ~ 192.168.43.255)

192.168.44.0/22  (192.168.44.0 ~ 192.168.47.255)

192.168.48.0/23  (192.168.48.0 ~ 192.168.49.255)

Tethering traffic from client devices does not go through the VPN of the host device.
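The overlap check the ExcludeTethering note asks for is easy to get wrong by eye, because the three ranges to avoid are not a single aligned block. The following Python is an added example written for this page, not Ivanti code: it uses only the standard library ipaddress module, takes the internal CIDRs an administrator intends to route through Tunnel, and reports every collision with the tethering client ranges listed above. The internal subnet list in the usage section is constructed sample input.

```python
"""Added example (not Ivanti code): check internal VPN ranges against the
tethering client ranges to avoid when ExcludeTethering is true.
"""
import ipaddress

# The three ranges listed in the table above.
TETHERING_RANGES = [
    ipaddress.ip_network("192.168.42.0/23"),   # 192.168.42.0 - 192.168.43.255
    ipaddress.ip_network("192.168.44.0/22"),   # 192.168.44.0 - 192.168.47.255
    ipaddress.ip_network("192.168.48.0/23"),   # 192.168.48.0 - 192.168.49.255
]


def find_tethering_overlaps(internal_ranges):
    """Return (internal, tethering) string pairs for every overlap.

    internal_ranges are CIDR strings for the subnets reached through Tunnel.
    A host bit set in an entry (e.g. "192.168.44.1/24") is tolerated and the
    network is normalised; IPv6 entries never overlap the IPv4 ranges above.
    """
    overlaps = []
    for cidr in internal_ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        for teth in TETHERING_RANGES:
            if net.version == teth.version and net.overlaps(teth):
                overlaps.append((str(net), str(teth)))
    return overlaps


def tethering_avoid_span():
    """First and last address covered by the ranges to avoid, as strings."""
    first = min(n.network_address for n in TETHERING_RANGES)
    last = max(n.broadcast_address for n in TETHERING_RANGES)
    return str(first), str(last)


if __name__ == "__main__":
    # Constructed sample: subnets an administrator might route through Tunnel.
    internal = ["10.0.0.0/8", "172.16.0.0/12", "192.168.44.1/24", "192.168.60.0/24"]
    hits = find_tethering_overlaps(internal)
    if hits:
        for net, teth in hits:
            print(f"overlap: internal {net} collides with tethering range {teth}")
    else:
        print("no overlap with the tethering client ranges")
    print("tethering client ranges span", "-".join(tethering_avoid_span()))
```

Run it against the full list of routes pushed to devices, not just the obvious corporate subnets; a broad 192.168.0.0/16 route is the usual way the collision creeps in.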