Overview of device and server authentication with Ivanti Standalone Sentry
Ivanti Standalone Sentry supports device authentication using user name and password, certificate-based authentication, or Kerberos Constrained Delegation. Device authentication involves configuring:
• Device authentication (how the device authenticates to the Ivanti Standalone Sentry). See Device authentication configuration on Ivanti Standalone Sentry.
• Server authentication (how the Standalone Sentry authenticates the device to the server). See Server authentication on Ivanti Standalone Sentry.
Device authentication configuration on Ivanti Standalone Sentry
Device authentication specifies how the device authenticates to the Ivanti Standalone Sentry. The following table describes the device authentication options on Ivanti Standalone Sentry.
| Device Authentication | Description |
| --- | --- |
| Pass Through | Only available if you are using Sentry for ActiveSync only. Sentry passes through the following authentication provided by the device: user name and password or NTLM. |
| Group Certificate | Available for ActiveSync and AppTunnel. Requires the following: • A trusted group certificate for device authentication. • An authentication method like user name and password or NTLM for authenticating the device to the server. KCD is not supported with Group Certificates. |
| Identity Certificate | Available for ActiveSync and AppTunnel. Requires the following: • A certificate issued by a Trusted Root Authority for device authentication. • A user name and password or a properly configured Kerberos implementation for authenticating the device to the server. |
| Trusted Front-End | Available for ActiveSync and AppTunnel. Requires the following: • Setting up an Apache or F5 proxy to front-end the Standalone Sentry. • Additional minor changes to references to the hostname in some profiles. Ivanti supports only Apache or F5 servers as the trusted front-end server for TCP tunneling. |
Server authentication on Ivanti Standalone Sentry
Server authentication specifies how Sentry authenticates the device to the backend resource. This can be the ActiveSync server or a backend resource.
Ivanti Standalone Sentry supports pass through or Kerberos for server authentication. These are supported for both ActiveSync and AppTunnel.
The following table describes the server authentication options on Ivanti Standalone Sentry.
| Server Authentication | Description |
| --- | --- |
| Pass Through | Sentry passes through the authentication provided by the device. For example: user name and password, NTLM. This is the only authentication option you can use with Microsoft Office 365. This is also the only authentication option available for TCP and IP tunneling. |
| Kerberos | Only available if you choose Identity Certificate for device authentication. Requires a properly configured Kerberos implementation. |