Test using AppTunnel

Using Ivanti’s AppTunnel feature, your app can securely tunnel HTTP and HTTPS network connections from the app to servers behind an organization’s firewall. Your app does not take any special actions related to tunneling; the AppConnect library, Mobile@Work, and a Standalone Sentry handle tunneling for the app.

You can test the HTTP/S tunneling capability using the provided Ivanti EPMM and Sentry. Using the Admin Portal, you configure app-specific AppTunnel settings for Ivanti EPMM and Sentry.

Before you begin: Contact your Ivanti EPMM administrator to find out the host name or IP address of the Sentry to use for the AppTunnel feature.

To test your app’s use of AppTunnel with HTTP/S tunneling, do these high-level steps:

1. Enable AppTunnel on Ivanti EPMM.
2. Use an existing certificate or generate a new one.

If you have an existing certificate, see Use an existing certificate.

Otherwise, see Generate a certificate.

3. Configure the Sentry with an AppTunnel service.
4. Configure the AppTunnel service in the AppConnect app configuration.

Enable AppTunnel on Ivanti EPMM

To enable AppTunnel on Ivanti EPMM if it isn’t already enabled:

1. In the Admin Portal, go to Settings.
2. Select Additional Products > Licensed Products.
3. Select AppConnect For Third-party And In-house Apps if it isn’t already selected.
4. Select AppTunnel For Third-party And In-house Apps if it isn’t already selected.
5. Click Save.

Use an existing certificate

Standalone Sentry only allows AppConnect apps on authenticated devices to use AppTunnel with HTTP/S tunneling. This device authentication involves:

Providing Standalone Sentry with a root certificate.

Providing the device with an identity cert to present to the Standalone Sentry. The identity cert is provisioned from the certificate authority (CA) that originated the root certificate.

To upload the certificate to Ivanti EPMM:

1. In the Admin Portal, go to Policies & Configs > Configurations.
2. Select Add New > Certificate Enrollment > Single File Identity.
3. For Name, enter any name.

For example: Tunneling Identiity Certificate

4. For Certificate 1, click Browse to select the .p12 or .pfx file of the identity certificate.
5. For Password 1, enter the password for the certificate’s private key, if applicable.
6. Click Save.

Generate a certificate

Standalone Sentry only allows AppConnect apps on authenticated devices to use AppTunnel with HTTP/S tunneling. This device authentication involves:

Providing Standalone Sentry with a root certificate.

Providing the device with an identity cert to present to the Standalone Sentry. The identity cert is provisioned from the certificate authority (CA) that originated the root certificate.

One convenient way to get these certs involves making Ivanti EPMM a local certificate authority (CA).

This process involves the following high-level steps:

1. Create a certificate authority for using an AppTunnel with HTTP/S tunneling
2. Create a local certificate enrollment setting

Create a certificate authority for using an AppTunnel with HTTP/S tunneling

To create a local certificate authority on Ivanti EPMM to be used in generating certificates:

1. In the Admin Portal, select Services > Local CA.
2. Select Add > Generate Self-Signed Cert
3. Enter a name for Local CA Name.

For example: CA for AppTunnel

4. Set Key Length to 2048.
5. Set the Issuer Name to “CN=Tunneling CA”.
6. Click Generate.

A screen titled Certificate Template displays.

7. Click Save.
8. Click View Certificate next to your new local certificate authority.

9. Copy all the text into a text file.
10. Save the text file.

You will upload this text file later as the root certificate for authenticating devices to the Standalone Sentry.

Create a local certificate enrollment setting

After you configure Ivanti EPMM as a local CA, you create a local certificate enrollment setting. This setting configures Ivanti EPMM acting as a local CA to generate identity certificates for the devices to present to Standalone Sentry.

To create a local certificate enrollment setting:

1. In the Admin Portal, select Policies & Configs > Configurations
2. Select Add New > Certificate Enrollment > Local.

A dialog appears entitled New Local Certificate Enrollment Setting.

3. Enter a descriptive name in the Name field.

For example: Tunneling certificate

4. For Local CA, select the certificate authority you created for AppTunnel.
5. For Subject, enter “cn=tunneling”.

The value can be any string.

6. For Key Length, select 2048.
7. Click Issue Test Certificate.

The issued test certificate displays.

8. Click OK to close the displayed certificate.
9. Click Save to save the local certificate enrollment setting.

Configure the Sentry with an AppTunnel service

To support AppTunnel with HTTP/S tunneling, configure the Sentry with the internal servers that your app uses.

Do the following:

1. In the Admin Portal, go to Services > Sentry.
2. Click the edit icon next to the Sentry that your Ivanti EPMM administrator has designated for your AppTunnel testing.
3. Select Enable AppTunnel if it is not already selected.
4. For Device Authentication Configuration:

If you already had a certificate, select Group Certificate.

If you created a local certificate authority, select Identity Certificate.

5. Click Upload Certificate.

If you already had a certificate, upload it.

If you created a local certificate authority, upload the certificate text file that you created in Create a certificate authority for using an AppTunnel with HTTP/S tunneling. It is the root certificate for authenticating devices to the Standalone Sentry.

6. In the AppTunnel Configuration section, click + to add a new service.
7. Enter a Service Name.

The service name is any unique identifier for the internal server or servers that your AppConnect app tunnels to. Entering <ANY> means that the app can reach any of your internal servers.

Service Name examples:

SharePoint

HumanResources

8. For Server Auth, select Pass Through.

This field selects the authentication scheme for the Standalone Sentry to use to authenticate the user to the internal server. Pass Through means that the Sentry passes through the authentication credentials, such as the user ID and password (basic authentication) or NTLM, to the internal server.

The other option is Kerberos. Kerberos means that the Sentry uses Kerberos Constrained Delegation (KCD). The corporate environment must be set up for Kerberos Constrained Delegation.

9. Enter a Server List.

Enter a semicolon-separated list of internal server host names or IP addresses and the port that the Sentry can access.

For example:

sharepoint1.companyname.com:443;sharepoint2.companyname.com:443.

When you enter multiple servers, the Sentry uses a round-robin distribution to load balance the servers. That is, it sets up the first tunnel with the first internal server, the next with the next internal server, and so on.

If you selected <ANY> for the Service Name, the Server List is not applicable.

10. Select TLS Enabled if the internal servers require SSL.

Although port 443 is typically used for https and requires SSL, the internal server can use other port numbers requiring SSL.

If you selected <ANY> for the Service Name, do not select TLS Enabled.

11. Do not fill in Server SPN List. It applies only when the Server Auth field is Kerberos.
12. Select Proxy/ATC only if your testing requires that you direct the AppTunnel service traffic through a proxy server. The proxy server is located behind the firewall and sits between the Sentry and corporate resources. This deployment allows you to access corporate resources without having to open the ports that Sentry would otherwise require.

If selected, also configure the Server-side Proxy fields: Proxy Host Name / IP and Proxy Port.

13. Click Save.
14. Click View Certificate on the row with your new Sentry.

This action copies the Sentry’s self-signed certificate that you created to Ivanti EPMM.

Configure the AppTunnel service in the AppConnect app configuration

The AppConnect app configuration specifies the AppTunnel services that your app uses. You configured these services on the Sentry.

To configure AppTunnel on an AppConnect app configuration:

1. In the Admin Portal, select Policies & Configs > Configurations.
2. Select Add New > AppConnect > App Configuration.

If you already have an AppConnect app configuration for your app, select it and click Edit in the right-hand pane.

3. Enter a name for the AppConnect app configuration if this is a new one.

For example: My App’s App Configuration

4. In the Application field, enter the bundle ID of your app if this is a new app configuration.

For example: com.MyCompany.MySecureApp

5. In the AppTunnel Rules section, click Add+ to add a new AppTunnel configuration.
6. For Sentry, select the Sentry from the drop-down list.
7. For Service, select the service name from the drop-down list.

You created this service name in Create a certificate authority for using an AppTunnel with HTTP/S tunneling.

8. For the URL Wildcard, enter the host name or URL of the app server with which the app communicates. If the Service specified for this server in Configure the Sentry with an AppTunnel service is <ANY>, the host name can use the wildcard character *.

If a URL request in your app matches the value you enter here, the request uses AppTunnel with HTTP/S tunneling.

Examples:

sharepoint1.yourcompany.com

*.yourcompanyname.com

9. For Port, enter the port number that the app connects to.
10. For Identity Certificate:

If you already had a certificate, select the certificate setting that you created in Use an existing certificate.

If you created a local certificate authority, select the local certificate enrollment setting that you created in Create a local certificate enrollment setting. This selection will result in the device receiving an identity certificate from Ivanti EPMM that it will present to the Standalone Sentry for device authentication.

11. Click Save.

If you are creating a new AppConnect app configuration:

1. Select the new AppConnect app configuration.
2. Select Actions > Apply To Label.
3. Select the label that you created in Create a label for testing your app.
4. Click Apply.
5. Click OK.

Push the change to your device immediately, by doing the following steps on the device:

1. Launch Mobile@Work.
2. Tap Settings.
3. Tap Check for Updates.
4. Tap Force Device Check-in.

If app is running, Mobile@Work launches and updates the AppConnect app configuration. If your app is not running, Mobile@Work launches and updates the configuration the next time that you run your app. When Mobile@Work has updated the configuration, your app will use AppTunnel with HTTP/S tunneling for the URLs you specified.

Verify that your app’s networking capabilities work as expected.