Configuring AppTunnel with TCP tunneling for Android secure apps

The procedure to configure AppTunnel with TCP tunneling is mostly the same as the procedure to configure AppTunnel with HTTP/S tunneling. The difference involves the AppTunnel service that you configure on the Standalone Sentry. To see just this difference, see Configuring an AppTunnel TCP service.

Before you begin

Ensure that you have a Standalone Sentry configured to support AppTunnel. The required steps include:

Setting up the Standalone Sentry connectivity settings, which include the Sentry host name or IP address, and the port number MobileIron Core uses to access the Sentry.
Enabling the Standalone Sentry for AppTunnel.
Configuring the Standalone Sentry for device authentication, which is how the device authenticates to the Standalone Sentry. This authentication includes setting up certificates if you require them.

For details about these required tasks, as well as optional tasks, see the “Configuring Standalone Sentry for AppTunnel” in the Sentry Guide for Core.

Complete the steps in Basic configuration.
Complete the steps in Adding third-party and in-house secure apps, if applicable.
Enable AppTunnel on MobileIron Core, if you are deploying third-party or in-house apps.

See Enabling AppTunnel.
Configure an AppTunnel TCP service on Standalone Sentry.

See Configuring an AppTunnel TCP service
Configure an AppConnect app configuration.

See Configuring the AppTunnel TCP service in the AppConnect app configuration.
Control the idle session timeout for the TCP connection between the app and the enterprise server.

See Configuring per-app idle session timeout for AppTunnel with TCP tunneling.
Change the TLS protocol version to use TLSv1.2 instead of TLS1.0, if required by the Standalone Sentry.

See Configuring AppTunnel with TCP tunneling for Android secure apps.

Configuring an AppTunnel TCP service

An AppTunnel TCP service defines the backend service that an AppConnect app tunnels to using TCP tunneling.

See "Standalone Sentry for AppTunnel" in the Sentry Guide for Core for information about configuring AppTunnel and an AppTunnel service. Standalone Sentry product documentation is available on the Sentry Landing Page.

About the AppTunnel TCP service name

When you configure an AppTunnel service, you give the service a service name. The service name is used in the AppConnect app configuration. The app configuration uses the service name to restrict the app to accessing servers in the Server List field associated with the service name.

The service name is one of the following:

A unique name for the TCP service that the AppConnect app on the device accesses

One or more of your internal app servers provide the service. You list the servers in the Server List field associated with the service name.

For AppTunnel with TCP tunneling, the name must begin with TCP (case-insensitive).

Example: TCP_Finance

A service name cannot contain these characters: 'space' \ ; * ? < > " |.

<TCP_ANY>

Select <TCP_ANY> for the service name to allow AppTunnel with TCP tunneling to any URL that the app requests. Typically, you select <TCP_ANY> if an AppConnect app’s app configuration specifies a URL with wildcards for tunneling, such as *.myCompany.com. The Sentry tunnels the data for any URL request that the app makes that matches the URL with wildcards.

The Sentry tunnels the data to the app server that has the URL that the app specified. The Server List field is therefore not applicable when the Service Name is <TCP_ANY>.

For example, consider when the app requests URL myAppServer.mycompany.com, which matches *.mycompany.com in the app configuration. The Sentry tunnels the data to myAppServer.myCompany.com.

Configuring the AppTunnel TCP service in the AppConnect app configuration

The AppConnect app configuration specifies the AppTunnel TCP service that the app uses.

Procedure

In the Admin Portal, select Policies & Configs > Configurations.
Select Add New > AppConnect > App Configuration.

Alternatively, edit an existing AppConnect app configuration.
Enter a name for the AppConnect app configuration.

Enter a name for the AppConnect app configuration.
In the Application field, select the secure app from the App Catalog.
In the AppTunnel Rules section, click Add+ to add a new AppTunnel rule.

Set up the TCP tunnel information as described in the following table:

Item	Description
Sentry	Select a Standalone Sentry configured for app tunneling from the drop-down list.
Service	Select a TCP service name from the drop-down list. This service name specifies an AppTunnel service configured in the AppTunnel Configuration section of the specified Standalone Sentry. If you entered a URL with wildcards in the URL Wildcard field, you can only select <TCP_ANY> as the service. The <TCP_ANY> service must be configured in the AppTunnel Configuration section of the Standalone Sentry configured for AppTunnel.
URL Wildcard	Enter one of the following: an enterprise app server’s hostname Example: finance.yourcompany.com a hostname with wildcards. The wildcard character is . Example: .yourcompanyname.com If the app requests to access this hostname, the Sentry tunnels the app data to an app server. The Sentry and Service fields that you specify in this AppTunnel row determine the target app server. Note the following: The app data is tunneled only if the app’s request matches this hostname and the port number specified in the Port field of this AppTunnel row. The order of these AppTunnel rows matters. If you specify more than one AppTunnel row, the first row that matches the hostname and port that the app requested is chosen. That row determines the Sentry and Service to use for tunneling.
Port	Enter the port number that the app requests to access. The app data is tunneled only if the app’s request matches the hostname in the URL Wildcard field and this port number. If you do not enter a port number, the port in the app’s request is not used to determine whether data is tunneled. Entering a port number in this field is required when both of the following are true: •The hostname in the URL Wildcard field does not contain a wildcard. •The service is not <TCP_ANY>.
Identity Certificate	Select the Certificate Enrollment setting that you created for AppTunnel. This selection determines the certificate that the device presents to the Standalone Sentry for authentication. See “Device and server authentication” in the Sentry Guide for Core.

Click Save.
Select the new AppConnect app configuration.
Select More Actions > Apply To Label.
Select the labels to which you want to apply this AppConnect app configuration.
Click Apply.

Configuring per-app idle session timeout for AppTunnel with TCP tunneling

For an AppConnect app using AppTunnel with TCP tunneling, you can control the idle session timeout for the TCP connection between the app and the enterprise server. This timeout is useful if the enterprise server takes more than 60 seconds to respond to a request from the app. The default idle session timeout is 60 seconds.

To specify a idle session timeout for an AppConnect app, provide a key-value pair in the app’s AppConnect app configuration that specifies the idle session timeout.

**Table 21.** Idle session timeout key-value pair
Key	Value
MI_AC_TCP_IDLE_TIMEOUT_MS	An integer greater than 0. The value is the number of milliseconds in which the enterprise server must respond to a request when using AppTunnel with TCP tunneling. The Standalone Sentry handling the AppTunnel times out if this value is exceeded. Default value: 60000

Procedure

In the Admin Portal, select Policies & Configs > Configurations.
Select the AppConnect app configuration for the AppConnect app (The Setting Type is AppConfig).
In App-specific Configurations, select Add+ to add a key-value pair.
Enter MI_AC_TCP_IDLE_TIMEOUT_MS for the key.
Enter the idle session timeout value in milliseconds.
Click Save.