Tunnel creation with Ivanti Tunnel for Android

The following describes how a tunnel session with Ivanti Tunnel for Android is created:

  1. Tunnel validates the configuration syntactically.
  2. Tunnel establishes a TCP connection with Standalone Sentry on port 443.
  3. Ivanti Tunnel and Standalone Sentry mutually authenticate each other over TLS 1.2 using client identity certificates.
    The Android TLS stack is used for this purpose.
  4. Standalone Sentry’s certificate presented in the TLS handshake is compared with the Standalone Sentry certificate in the Ivanti Tunnel configuration. This step occurs if certificate pinning is enabled.
  5. Tunnel initiates the AppTunnel protocol handshake:
    1. POST with device ID, user ID, and service ID are sent to Standalone Sentry.
    2. Standalone Sentry validates the parameters. For example, Standalone Sentry checks if the user or device is blocked.
    3. Standalone Sentry provides additional configuration parameters: interface IP and DNS server IP.
    4. The TCP connection is switched to the Tunnel protocol.
  6. A VPN session is created using Android API VpnService.Builder.
    1. VPN specific configuration is set in the VPN session based on the Ivanti Tunnel configuration created in UEM.
    2. Android creates a TUN interface and the VPN icon is set in the system bar. The VPN icon (which looks like a key for Android native and Android Enterprise, and like a lock for Samsung Knox) in the status bar indicates that the Tunnel session is established and available. It does not indicate whether traffic from the app currently in use is going through the tunnel. The behavior is similar to that of the Wi-Fi icon.

      Device users may also see the Tunnel notifications icon, which looks like the Ivanti Tunnel logo. The Tunnel notifications icon does not indicate that Ivanti Tunnel VPN is on. It only indicates that there are notifications from Ivanti Tunnel.

Traffic from an app is automatically tunneled through Ivanti Tunnel irrespective of when an app is installed. The app may have been installed before Ivanti Tunnel was initiated or after Tunnel was initiated.
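As an added illustration of steps 4 and 6 above (this is example code written for this page, not Ivanti's own implementation), the following Java sketch shows a certificate-pinning check against the TLS session and a VPN session built with the Android VpnService.Builder API from the parameters Sentry returns. The method names, the assumption that the pinned Sentry certificate is held as DER bytes, and the per-app allow list are assumptions for the example.

```java
import android.content.pm.PackageManager;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.SSLSession;

// Illustrative sketch only; not Ivanti Tunnel's code.
public class TunnelSessionSketch extends VpnService {

    // Step 4: compare the Standalone Sentry certificate presented in the TLS
    // handshake with the pinned certificate from the Tunnel configuration
    // (assumed to be available as DER bytes). Comparing SHA-256 digests of the
    // DER encodings requires a byte-for-byte match with the presented leaf.
    static boolean sentryCertificateMatchesPin(SSLSession session, byte[] pinnedDer)
            throws Exception {
        Certificate[] chain = session.getPeerCertificates(); // leaf certificate first
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            return false;
        }
        byte[] presented = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded());
        byte[] pinned = MessageDigest.getInstance("SHA-256").digest(pinnedDer);
        return MessageDigest.isEqual(presented, pinned); // constant-time comparison
    }

    // Step 6: create the VPN session from the interface IP and DNS server IP that
    // Sentry supplied during the AppTunnel handshake, plus the app list from the
    // UEM configuration (assumed shape). Android creates the TUN interface and
    // shows the VPN icon when establish() succeeds.
    ParcelFileDescriptor establishTunnel(String interfaceIp, String dnsServerIp,
                                         List<String> allowedPackages)
            throws PackageManager.NameNotFoundException {
        Builder builder = new Builder()
                .setSession("Ivanti Tunnel")   // label Android shows for the session
                .addAddress(interfaceIp, 32)    // interface IP returned by Sentry
                .addDnsServer(dnsServerIp)      // DNS server IP returned by Sentry
                .addRoute("0.0.0.0", 0);        // assumed: send all IPv4 traffic to the TUN
        // Only the listed apps are routed through the tunnel; apps installed later
        // are covered as soon as the session is rebuilt with the updated list.
        for (String pkg : allowedPackages) {
            builder.addAllowedApplication(pkg);
        }
        return builder.establish(); // null if the user has not consented to the VPN
    }
}
```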