Configuring Ivanti Standalone Sentry for AppTunnel
If you configure AppTunnel on a Ivanti Standalone Sentry that was already configured for ActiveSync, and you change the device authentication options, ensure that the associated Exchange profile matches the device authentication options.
Procedure
- In Ivanti Neurons for MDM, go to Admin > Sentry.
- Click +Add Sentry Profile or click on an existing profile to Edit.
- Depending on the device authentication you will configure, select one of the following:
- ActiveSync and/or App Tunnel with certificates
- ActiveSync and/or App Tunnel with Kerberos
- Use the guidelines provided in the following sections to configure Ivanti Standalone Sentry for AppTunnel.
- Click Save.
- Assign the profile to a registered Ivanti Standalone Sentry.
Only one profile can be assigned to a Ivanti Standalone Sentry.
Ivanti Standalone Sentry connectivity global settings
See Configuring Ivanti Standalone Sentry connectivity settings.
Device Authentication
Device authentication determines how users attempting to connect to the ActiveSync server or backend resource authenticate with Standalone Sentry. AppTunnel setup requires an Identity certificate or a Kerberos setup.
See Device and server authentication for information on selecting and configuring a method of device authentication.
Default unmanaged devices behavior
By default, Sentry blocks unregistered devices from accessing backend resources.
See Default unmanaged devices behavior.
Passive health check options
These settings determine when a server is marked as ‘dead’.
See Passive health check options.
Scheduling options
The options provide additional flexibility in managing multiple Sentrys.
See Scheduling options.
Default HTTP/TCP timeouts
Do not make changes to the settings unless specifically instructed in the documentation or by Professional Services.
See Default HTTP/TCP timeouts.
Sentry server configuration
Configure the Sentry port, certificate, protocols and cipher suites.
See Sentry server configuration.
Advanced Traffic Control and server-side explicit proxy
Advanced traffic control
Advance Traffic Control (ATC) allows you to manage access to backend resources based on which app the traffic is coming from and the destination IP address or domain name. ATC provides administrators additional control and flexibility in how traffic to backend resources are managed. You can specify whether traffic to the backend resource is through a proxy server, allowed direct access, or blocked.
Example: You may want to direct Safari traffic to go through a certain proxy server and all other traffic to go directly to backend resources. In this case, you would configure the Safari bundle ID in the Application BundleID and select the proxy server to direct Safari traffic, and set the Default Action to Allow.
If you are using a Ivanti Standalone Sentry version 8.5.0 or earlier and configure ATC rules, Ivanti Standalone Sentry will ignore the ATC rules.
Rule type |
App - Services |
IP-based rule |
|
Domain-based rule |
|
Server-side explicit proxy
Ivanti Standalone Sentry supports sending traffic through an HTTP proxy server to access corporate resources. The proxy server is located behind the firewall and sits between the Sentry and corporate resources. This deployment allows you to access corporate resources without having to open the ports that Sentry would otherwise require.
Consider the following:
- This configuration is only supported for AppTunnel traffic.
- Proxy is configured for each AppTunnel service. You may configure proxy for some AppTunnel services and not for other AppTunnel services on the same Sentry.
- The same proxy server may be configured on multiple Sentrys.
Ivanti Standalone Sentry filters HTTP traffic through a TCP tunnel that uses server-side explicit proxy. For HTTP traffic through a TCP tunnel, if server-side explicit proxy is configured, Standalone Sentry will treat the explicit proxy as HTTP proxy. The HTTP request URL will be modified to include the target host.
In all other cases, Ivanti Standalone Sentry treats the explicit proxy server as a TCP proxy server. Sentry will send a HTTP CONNECT request to the explicit proxy, followed by TCP data.
Item |
Description |
Advanced Traffic Control |
Select to enable advanced traffic control. |
Server-side Proxy List Traffic is directed to the proxy servers listed here based on the backend resource and action defined in Traffic Control Rules. |
|
Name |
Enter a unique name for the proxy server. The name for the proxy server will be available for selection in the Proxy field for Traffic Control Rules. |
Hostname |
Enter the IP address or FQDN for the proxy server. |
Port |
Enter the port number for the proxy server. |
+ |
Click to add a proxy server. |
Traffic control rules Specify whether traffic from an app to the backend resource is through a proxy server, allowed direct access, or blocked. You can create multiple rule sets. Each rule set can have multiple rules. However, all rules in a rule set can only be one type, either IP based or domain based. You cannot create a mix of IP based and domain based rules in a rule set.
|
|
Rule type |
Select one of the following:
|
Destination Host |
Enter the IP address or domain name of the backend resource:
|
Application Bundle ID |
Enter the app bundle ID for which you are creating the domain-based rule. The bundle ID can include "*" for wildcard matching. The bundle ID can be used in conjunction with Destination Host. If you are using the bundle ID with a destination host, then the rule will be applied only to traffic from the app directed to the destination host. |
Action |
Select Proxy, Allow, or Block. |
Proxy |
If you selected Proxy for Action, then select the proxy server for the backend resource. |
Default Action |
The default action is applied if traffic control rules is not defined for a backend resource. |
Proxy |
If you choose Proxy as the default action, select the proxy server for traffic to the backend resource. |
AppTunnel service
Select one of the app services to create an AppTunnel service for that app.
•Service types and supported traffic
•Field description for AppTunnel service
Service types and supported traffic
The following table describes the service type available when configuring AppTunnel and the traffic type supported by the service.
Service type |
Supports traffic type |
Sharepoint for Docs@Work |
|
CIFS for Docs@Work |
|
Web@Work |
|
Ivanti Tunnel |
|
Help@Work |
|
Custom HTTP |
|
Custom TCP |
|
Field description for AppTunnel service
The following table describes the fields available for configuring an AppTunnel service. The fields available for configuration changes depending on the type of service you are configuring.
Item |
Description |
Service Name |
The Service Name identifies the AppTunnel service. The service name is referenced in the AppConnect app configuration for configuring tunneling for the AppConnect app. The app is restricted to accessing the backend resources listed in the Server List field. A service name cannot contain these characters: 'space' \ ; * ? < > " |. |
Service Type (only Ivanti Tunnel iOS or macOS) |
IP: Select to configure packet-tunnel provider type VPN. TCP: Select to configure app-proxy VPN. |
Enable DFS |
Select the check box if you are configuring a DFS site in Docs@Work. Only for Docs@Work for CIFS service. |
Server Authentication |
Select the authentication scheme for the Standalone Sentry to use to authenticate the user to the backend resource:
|
All destinations (forward proxy) |
Select if you want all traffic from the app to go through Standalone Sentry. |
Specific destinations (reverse proxy) |
Select if you want to restrict traffic to only specific servers. Standalone Sentry sends through only requests to the configured servers. |
Servers (reverse proxy) |
Add the backend resource’s fully qualified domain name (FQDN) and port number on the backend resource that the Sentry can access. Example:sharepoint1.companyname.com:443 Acceptable characters in a host name are letters, digits, and a hyphen. The name must begin with a letter or digit. You can enter multiple resources. The Sentry uses a round-robin distribution to load balance. That is, it sets up the first tunnel with the first resource, the next with the next resource, and so on. |
Enable Server TLS |
Select Enable Server TLS if the servers listed in the Servers field require SSL. Although port 443 is typically used for https and requires SSL, the backend resource can use other port numbers requiring SSL. |
ATC Rule Set |
Select the ATC rule set if you want to manage the AppTunnel service traffic through ATC rules. You must also have configured Advanced Traffic Control (ATC) rules. Only the rule type supported by the app will be listed. |
Add Context Headers |
Select the check box to forward additional device context information to your corporate backend resource. This allows your corporate backend resources to further validate the device. Context headers are not supported for TCP tunneling. |
About context headers
As an administrator you may require your corporate backend resources to further validate the devices accessing these resources. In these cases, Standalone Sentry forwards context information in the header. You enable context headers in a service configuration. So, you can decide to enable context headers for some services and not enable context headers for other services.
If server-side explicit proxy is configured, the request to the proxy (HTTP CONNECT) includes the context headers.
Header Name |
Description |
X-Ivanti-DEVICE-UUID |
Device UUID The Device UUID can be used in API calls to Ivanti Neurons for MDM to collect more information about the device. |
X-Ivanti-USER-UPN |
User Principal name |
X-Ivanti-USER-DN |
User DN (if available) |
X-Ivanti-USER-CERT |
User Identity certificate The certificate is represented in a Privacy Enhanced Mail (PEM) encoding without the header or the trailer information. |