Key-value pairs for custom data

You use key-value pairs to define the following:

•Specify apps that will trigger Tunnel

•Traffic rules

•IPv4 network routes for Tunnel VPN

•DNS rules

•Network routes

•Pinning

•MTU

•Idle time out

•Debugging

•Examples of custom data configurations

The following table provides the key-value pairs supported for Tunnel for Windows 10.

Table 4. Key-value pairs for Tunnel for Windows 10

Key

Value

Description

Specify apps that will trigger Tunnel

AppTriggerList/AppTriggerId/AppId

trafficFilterID is 0 or an integer greater than zero. The trafficFilterId must start at 0. Enter a new row for each additional app and increment the trafficFilterId by 1. Do not skip a number

•Package Family Name (PFN)

•Full path

Package Family Name (PFN): Enter the package family name for Windows Store apps.

Example: Microsoft.MicrosoftEdge_8wekyb3d8bbwe

Full path: Enter the full path for legacy apps.
Example: %PROGRAMFILES% (x86)\Google\Chrome\Application\chrome.exe

Specify apps that will route traffic through Tunnel

TrafficFilterList/trafficFilterId/AppId

trafficFilterID is 0 or an integer greater than zero. The trafficFilterId must start at 0. Enter a new row for each additional app and increment the trafficFilterId by 1. Do not skip a number.

•Package Family Name (PFN)

•Full path

Package Family Name (PFN): Enter the package family name for Windows Store apps.
Example: Microsoft.MicrosoftEdge_8wekyb3d8bbwe

Full path: Enter the full path for legacy apps.
Example: %PROGRAMFILES% (x86)\Google\Chrome\Application\chrome.exe

IMPORTANT:

Ensure that Always On is not checked.

Traffic rules

•Defines which traffic is allowed through Tunnel.

•You configure traffic rules in conjunction with TrafficFilterList/trafficFilterId/AppId.

•trafficFilterId in the traffic rule should match the trafficFilterId for the app to which this rule should apply.

TrafficFilterList/trafficFilterId/Protocol

A number from 0-255

Only the IP protocols represented by the number are allowed.

Example: 6.

TCP = 6, UDP = 17

TrafficFilterList/trafficFilterId/LocalPortRanges

A list of comma separated values specifying local port ranges

Only the local port ranges listed are allowed.
Example: 100-120, 200, 300-320.

Ports are only valid if the protocol is set to TCP=6 or UDP=17.

TrafficFilterList/trafficFilterId/RemotePortRanges

A list of comma separated values specifying remote port ranges

Only the remote port ranges listed are allowed.
Example: 100-120, 200, 300-320.

Ports are only valid if the protocol is set to TCP=6 or UDP=17.

TrafficFilterList/trafficFilterId/LocalAddressRanges

A list of comma separated values specifying local IP address ranges

Only the IP addresses listed are allowed.

TrafficFilterList/trafficFilterId/RemoteAddressRanges

A list of comma separated values specifying remote IP address ranges

Only the IP addresses listed are allowed.

TrafficFilterList/trafficFilterId/RoutingPolicyType

Specifies the routing policy for the app in the traffic filter list.

•ForceTunnel

•SplitTunnel

ForceTunnel: For this traffic rule all IP traffic from the app can go through Tunnel.

SplitTunnel: For this traffic rule only designated traffic from the app, as determined by the networking stack, can go through Tunnel.

IPv4 network routes for Tunnel VPN

RouteList/routeRowId/Address/PrefixSize

routeRowId is 0 or an integer greater than zero. The routeRowId must start at 0. Enter a new row for each additional route and increment the trouteRowId by 1. Do not skip a number.

IPv4 network routes set aside for the VPN interface

Specifies the IPv4 network routes for Tunnel VPN.

The network routes are added to the device OS routing table.

DNS rules

Ivanti strongly recommend configuring DNS rules. To configure DNS rules you must configure the following key-value pairs as a group:

•DomainNameInformationList/dniRowId/DomainName

•DomainNameInformationList/dniRowId/DnsServers

•DomainNameInformationList/dniRowId/DomainNameType

Ensure that an explicit route to the DNS server is configured in the VPN profile. You can use IIPv4NetworkRoute key-value pair to configure the route to the DNS server.

DomainNameInformationList/dniRowId/DomainName

dniRowId is 0 or an integer greater than zero. The dniRowId must start at 0. Enter a new row for each additional DNS server and increment the dniRowId by 1. Do not skip a number.

•FQDN

•Domain suffix

FQDN: Fully qualified domain name

Domain suffix: A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix.

Example of domain suffix:
.companyname.com

DomainNameInformationList/dniRowId/DnsServers

The dniRowId must match the dniRowId for the DomainName.

List of comma separated DNS server IP addresses

Ensure that there are no spaces between the listed IP addresses.

Example: 10.10.15.6

DomainNameInformationList/dniRowId/DomainNameType

The dniRowId must match the dniRowId for the DomainName.

•FQDN

•Suffix

Example: Suffix

Network routes

IMPORTANT:

Do not use these key-value pairs to configure Access routes.

IPv4NetworkRoute

Valid IPv4 address range

Specifies the IPv4 network routes set aside for the VPN interface. Only traffic to the specified IP range will be allowed through Tunnel VPN.

Enter an IPv4 address range. Ensure that the network routes are reachable and not overlapping.

If an IPv4 address range is not specified, Tunnel sets the default route 0.0.0.0/0.

You can enter multiple IPv4 address ranges. Each range must be separated by a semicolon.

Example: 192.168.122.0/24

IPv4NetworkExcludedRoute

Valid IPv4 address range

These IPv4 routes will be excluded from going through Tunnel VPN. In the device routing table, the excluded routes are assigned to the non-VPN interfaces.

Example:

When a separate Standalone Sentry is set up for ActiveSync, access to the ActiveSync server does not need to go through Tunnel VPN, as ActiveSync traffic is secured by Standalone Sentry. In this case, you may want to exclude the specific route to the ActiveSync server. If the IP range is 192.0.0.0/24, and the IP address of the ActiveSync server is 192.0.1.1, the excluded route should be 192.0.1.1/32.

Pinning

DisablePinning

Disables certificate pinning. By default, certificate pinning is enabled.

MTU

TunnelMTU

An integer greater than 0

Sets the Inner Tunnel MTU. The default is set for 1400 bytes.

The maximum packet size that Windows 10 accepts is 1401 bytes.

The Inner Tunnel Max Frame Size is set as 1500.

Idle time out

TcpIdleTmoMs

An integer greater than 0

Controls the idle session timeout for the connection between the app and the backend resource. The timeout is measured in milliseconds.

Example: For 70 seconds, enter 70000.

The default idle timeout with Standalone Sentry for app VPN is 60 seconds.

DesktopIdleTmoMonitor

0, 1

Only for Windows 10 desktops.

1: DesktopSentIdleTmoMs is enabled. Tunnel monitors the idle time instead of Windows. This allow for faster and better response after a timeout. Tunnel uses the idle time out specified in DesktopSentIdleTmoMs and DesktopRecvIdleTmoMs. The default values are used if the key-value pairs are not configured.

0: The idle timeout management by Tunnel is disabled.

The default value if the key-value pair is not configured: 1

DesktopSentIdleTmoMs

An integer greater than 0

Only for Windows 10 desktops.

The timeout is measured in milliseconds.

If a value is not configured or configured as 0, Standalone Sentry's timeout value, which is 60 seconds, or the value configured for TcpIdleTmoMs is used.

The sent idle timeout is measured from the time of the last packet sent by Tunnel to Standalone Sentry.

DesktopRecvIdleTmoMs

An integer greater than 0

Only for Windows 10 desktops.

The timeout is measured in milliseconds.

If a value is not configured or configured as 0, received idled timeout is set to 30 seconds.

The received idle timeout is measured from the time of the last packet received by Tunnel from Standalone Sentry.

PhoneIdleTmoMonitor

0, 1

Only for Windows 10 phones.

0: The idle timeout management by Tunnel is disabled.

The default value if the key-value pair is not configured: 1

PhoneSentIdleTmoMs

An integer greater than 0

Only for Windows 10 phones.

The timeout is measured in milliseconds.

If a value is not configured or configured as 0, Standalone Sentry's timeout value, which is 60 seconds, or the value configured for TcpIdleTmoMs is used.

The sent idle timeout is measured from the time of the last packet sent by Tunnel to Standalone Sentry.

PhoneRecvIdleTmoMs

An integer greater than 0

Only for Windows 10 phones.

The timeout is measured in milliseconds.

If a value is not configured or configured as 0, received idled timeout is set to 30 seconds.

The received idle timeout is measured from the time of the last packet received by Tunnel from Standalone Sentry.

Debugging

DebugLog

Collects debug-level logs on the app connecting to the backend resource. By default, minimal-level logs are collected. If this key-value pair is configured, then the feature is grayed out in Tunnel and the user cannot change this setting on the device.

ShowDebugUI

Enables viewing of diagnostic information on the app connecting to the backend resource.

After the key-value pair is pushed to the device, the app must try to connect to backend resource to get the value. If the app is already running, it will pick up the new key-value pair when it is restarted.

debugInfoRecipient

A valid email address

Auto populates the support email address to which the logs will be emailed.

The log information is sent to the email address configured here.

Examples of custom data configurations

The following are examples of custom data configurations:

•Trigger Tunnel VPN when the user logs in to Windows 10 desktop

•Force tunneling with multiple DNS servers

•Split tunneling with one route list and one DNS server

•Split tunneling with two route lists and one DNS server

Trigger Tunnel VPN when the user logs in to Windows 10 desktop

•Always On is checked.

Key	Value
IPv4NetworkRoute	0.0.0.0/0;10.10.15.6/32;
TrafficFilterList/0/RoutingPolicyType	ForceTunnel
TrafficFilterList/0/AppId	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
DomainNameInformationList/0/DomainName	.companyname.com
DomainNameInformationList/0/DomainNameType	Suffix
DomainNameInformationList/0/DnsServers	10.10.15.6
TrafficFilterList/0/RemoteAddressRanges	10.0.0.0-10.255.255.25

Force tunneling with multiple DNS servers

•Always On is unchecked.

Key	Value
IPv4NetworkRoute	10.11.0.0/16;10.0.0.0/8;10.10.15.6/32;10.11.50.31/32;
TrafficFilterList/0/AppId	%PROGRAMFILES% (x86)\Google\Chrome\Application\chrome.exe
TrafficFilterList/0/RoutingPolicyType	ForceTunnel
TrafficFilterList/0/RemoteAddressRanges	10.0.0.0-10.255.255.255
DomainNameInformationList/0/DomainName	.companyname.com
DomainNameInformationList/0/DnsServers	10.10.15.6
DomainNameInformationList/0/DomainNameType	Suffix
DomainNameInformationList/1/DomainName	.google.com
DomainNameInformationList/1/DnsServers	10.11.50.31
DomainNameInformationList/1/DomainNameType	Suffix

Split tunneling with one route list and one DNS server

•Always On is unchecked.

Key	Value
IPV4NetworkRoute	0.0.0.0/0;10.10.15.6/32;
TrafficFilterList/0/AppId	%PROGRAMFILES% (x86)\Google\Chrome\Application\chrome.exe
RouteList/0/Address	10.0.0.0
RouteList/0/PrefixSize	8
TrafficFilterList/0/RoutingPolicyType	SplitTunnel
DomainNameInformationList/0/DomainName	.companyname.com
DomainNameInformationList/0/DnsServers	10.10.15.6
DomainNameInformationList/0/DomainNameType	Suffix

Split tunneling with two route lists and one DNS server

•Always On is unchecked.

Key	Value
IPV4NetworkRoute	10.10.15.6/32;10.11.50.31/32
TrafficFilterList/0/AppId	%PROGRAMFILES% (x86)\Google\Chrome\Application\chrome.exe
RouteList/0/Address	10.10.0.0
RouteList/0/PrefixSize	16
RouteList/1/Address	10.11.0.0
RouteList/1/PrefixSize	16
TrafficFilterList/0/RoutingPolicyType	SplitTunnel
DomainNameInformationList/0/DomainName	.companyname.com
DomainNameInformationList/0/DnsServers	10.10.15.6
DomainNameInformationList/0/DomainNameType	Suffix