Additional configurations using key-value pairs for Ivanti Tunnel

Key-value pairs are used to customize the behavior of the Ivanti Tunnel for iOS app. These key-value pairs define behavior such as the idle timeout, the email address used for sending debug information, and the level of log detail that is collected.

The following table provides the key-value pairs for customizing Tunnel for iOS.

Table 4. Key-value pairs for Ivanti Tunnel for iOS

Key

Value

Manage Tunnel timeout

disconnectTimeoutInSeconds
(Ivanti EPMM)

Enter 0 or a number between 5 and 18000.

If the value is 0, the Tunnel VPN never disconnects itself; you must disconnect the VPN manually in the Tunnel app.

If the value is greater than 0, the Tunnel VPN disconnects after the entered number of seconds.

If this key-value pair is not configured, the default is 60 seconds.

TcpIdleTmoMs

Enter any integer between 5000 and 18000000.

The timeout is measured in milliseconds. Configuring the idle timeout lets you control the idle session timeout for the TCP connection between the app and the backend server. Configure it if the backend server takes more than 60 seconds to respond to a request.

The default idle timeout with Standalone Sentry for per-app VPN if the key-value pair is not configured: 60 seconds.

For packet tunnel, Ivanti recommends setting the idle timeout equal to or larger than the idle timeout for the enterprise server being accessed. If you do not know the idle timeout for the server, set the value to 3600000.

Troubleshooting

debugInfoRecipient
(Available as field value in Ivanti Neurons for MDM)

Enter an email address to forward the debug information.

LogLevel

Enter a log level (for example, debug).

Use one of the following log level options, listed from the least to the most verbose:

  • error: Captures error logs when the Tunnel app fails while performing an action.
  • warning: Captures warning messages logged when information is missing or incorrect and might cause an error. This log level is rarely used.
  • info: Captures informational details such as inputs, metadata, and parameter values.
  • debug: Captures debug-level information such as actions, operations, values of critical data, and other information that helps with debugging.
  • session: Captures everything that occurs during a tunnel session.
  • packet: Captures packet-level information, such as length in bytes. Used for troubleshooting DNS queries and responses to and from Tunnel.

Default if the key-value pair is not configured: info

UseSecureEMail

Enter true.

Tunnel uses Email+ to send debug logs.

If the key-value pair is not configured, Tunnel uses the native iOS email client to send debug logs.

SendDeviceID

Enter true.

Tunnel provides the device ID to Access.

The device ID is reported on Access in Reports > Errors.

The key-value pair is useful in identifying devices that encounter connection errors when authenticating through Access.

Default if the key-value pair is not configured: false.

MaxLogFolderSize

When this KVP is set, a limit on the log folder size, in MB, is enforced. If the KVP is not set, the limit defaults to 10 MB.

EnableConsoleLogging

When this KVP is set to true, the Tunnel app logs messages to the console.

DNS and network

PublicDNS

Enter a space-separated list of DNS servers that are accessible from the device.

IPv4 and IPv6 addresses are supported.

Since (managed) apps have access to the DNS servers configured on the device, this KVP is needed only in rare cases.

Example:

8.8.8.8 8.8.8.1

IPv6NetworkPrefix

IPv6 ULA network prefix to use for the internal NAT table.

DNS query for SRV record (for SSO with Kerberos)

SRV_kerberos._tcp.DnsDomainName

Where DnsDomainName is the internal domain name of the KDC server.

Example:
SRV_kerberos._tcp.example.com

Enter SRV Priority Weight Port Target

Where:

  • Priority is the priority of the server.
  • Weight is the load-balancing weight used when selecting a target.
  • Port is the port number on which the server is listening.
  • Target is the fully qualified domain name (FQDN) of the KDC server.

Example:

SRV 0 100 88 kdc.example.com

SRV record derived from the key-value pair:
_kerberos._tcp.example.com. SRV 0 100 88 kdc.example.com.

Ensure that the domain configured for DnsDomainName and for Target is also configured in Safari Domains in the Tunnel VPN configuration. Configuring the domains in Safari Domains ensures that the traffic goes through Tunnel.
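As an added example (not code from Ivanti's documentation), the following Python derives the SRV record from the key-value pair exactly as described above and reports any DnsDomainName or Target entry that the Safari Domains list does not cover; the function names and the sample Safari Domains values are assumptions.

```python
import re

# Example code, not Ivanti's: derive the Kerberos SRV record from the
# SRV_kerberos._tcp.<DnsDomainName> KVP and check Safari Domains coverage.
# Function names and the sample inputs below are assumptions for illustration.

SRV_KEY_RE = re.compile(r"^SRV_kerberos\._tcp\.(?P<domain>[A-Za-z0-9.-]+)$")
FQDN_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def derive_srv_record(key, value):
    """Return the canonical SRV record text, e.g.
    '_kerberos._tcp.example.com. SRV 0 100 88 kdc.example.com.'
    Raises ValueError when the key or value does not follow the documented format."""
    m = SRV_KEY_RE.match(key)
    if not m:
        raise ValueError(f"key must be SRV_kerberos._tcp.<DnsDomainName>: {key!r}")
    domain = m.group("domain").rstrip(".")
    fields = value.split()
    if len(fields) != 5 or fields[0] != "SRV":
        raise ValueError(f"value must be 'SRV Priority Weight Port Target': {value!r}")
    _, priority, weight, port, target = fields
    if not (priority.isdigit() and weight.isdigit() and port.isdigit()):
        raise ValueError("Priority, Weight and Port must be unsigned integers")
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"Port out of range: {port}")
    target = target.rstrip(".")
    if not (FQDN_RE.match(domain) and FQDN_RE.match(target)):
        raise ValueError("DnsDomainName and Target must be fully qualified domain names")
    return f"_kerberos._tcp.{domain}. SRV {int(priority)} {int(weight)} {int(port)} {target}."


def _covered(name, safari_domains):
    """A Safari Domains entry covers itself and any of its subdomains."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d)
               for d in (s.lower().strip().rstrip(".") for s in safari_domains))


def uncovered_domains(key, value, safari_domains):
    """Return DnsDomainName and Target names that Safari Domains does not cover.
    Traffic to any name returned would bypass Tunnel instead of going through it."""
    derive_srv_record(key, value)  # validate the KVP first
    domain = SRV_KEY_RE.match(key).group("domain").rstrip(".")
    target = value.split()[4].rstrip(".")
    return [n for n in dict.fromkeys((domain, target)) if not _covered(n, safari_domains)]


if __name__ == "__main__":
    kvp_key = "SRV_kerberos._tcp.example.com"   # constructed sample KVP from the table
    kvp_value = "SRV 0 100 88 kdc.example.com"
    print(derive_srv_record(kvp_key, kvp_value))
    print(uncovered_domains(kvp_key, kvp_value, ["example.com"]))  # []
```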

Certificates

DisablePinning

false: Default if the key-value pair is not configured. Certificate pinning is enabled.

true: Certificate pinning is disabled. Disabling certificate pinning is not recommended for security reasons.

The Standalone Sentry server certificate is automatically pushed to the device.

Packet-tunnel

IPRoutes

IP routes for the iOS or macOS device VPN. Enter a semicolon-separated list.

The default value if the key-value pair is not configured is 0.0.0.0/0.

Example:

10.0.0.0/8;172.16.0.0/16

ExcRoutes

IP routes to exclude from IPRoutes.

Example:

10.10.10.10/32

SplitUDPPortList

Enter a list of UDP ports to send through Tunnel VPN. All other UDP packets are sent directly to their destination.

If the KVP is not configured, all UDP packets are sent through Tunnel VPN.

Example:

53;161-162;200-1024

Standalone Sentry supports only limited types of UDP traffic, such as DNS traffic. Audio and video traffic through Standalone Sentry is not supported. Therefore, Ivanti recommends configuring SplitUDPPortList to manage UDP traffic.
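As an added example (not Ivanti's code), the following Python parses the IPRoutes, ExcRoutes and SplitUDPPortList formats shown above and decides, per packet, whether it goes through Tunnel VPN or directly to its destination; the function names are assumptions, and the rule that exclusions win over included routes follows from ExcRoutes being excluded from IPRoutes.

```python
import ipaddress

# Example code, not Ivanti's: model the IPRoutes, ExcRoutes and SplitUDPPortList
# KVPs and decide whether a given packet is sent through Tunnel VPN.
# Function names are assumptions; ExcRoutes always win over IPRoutes.


def parse_routes(value, default="0.0.0.0/0"):
    """Parse a semicolon-separated CIDR list; None means the KVP is absent."""
    text = default if value is None else value
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in text.split(";") if c.strip()]


def parse_udp_ports(value):
    """Parse '53;161-162;200-1024' into (low, high) tuples.
    Returns None when the KVP is absent (all UDP is tunnelled)."""
    if value is None:
        return None
    ranges = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        low, _, high = item.partition("-")
        low, high = int(low), int(high or low)
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"invalid UDP port range: {item!r}")
        ranges.append((low, high))
    return ranges


def via_tunnel(dst_ip, proto, dst_port, ip_routes, exc_routes, udp_ports):
    """True if the packet goes through Tunnel VPN, False if it is sent directly."""
    addr = ipaddress.ip_address(dst_ip)
    if any(addr in net for net in exc_routes):    # ExcRoutes carve out IPRoutes
        return False
    if not any(addr in net for net in ip_routes):
        return False
    if proto == "udp" and udp_ports is not None:  # split UDP by port list
        return any(low <= dst_port <= high for low, high in udp_ports)
    return True


if __name__ == "__main__":
    # Constructed sample KVP values, taken from the table's examples.
    routes = parse_routes("10.0.0.0/8;172.16.0.0/16")
    excluded = parse_routes("10.10.10.10/32", default="")
    udp = parse_udp_ports("53;161-162;200-1024")
    print(via_tunnel("10.1.2.3", "udp", 53, routes, excluded, udp))      # True
    print(via_tunnel("10.1.2.3", "udp", 5004, routes, excluded, udp))    # False
    print(via_tunnel("10.10.10.10", "tcp", 443, routes, excluded, udp))  # False
```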

MTU

Tunnel MTU.

The default value if the key-value pair is not configured is 1400.

TunIP

IP address of the VPN network interface. Configure only if the customer network uses the same address range.

Example:

192.168.13.10

AtpProbeIdleSec

Sets the minimum idle time, in seconds, after which probe packets are sent out with outbound Tunnel traffic. If Tunnel does not receive a response for at least one of the probes sent, the existing connection is dropped and a new connection is established with the server.

The minimum idle time is measured from the last inbound response received by Tunnel. For example, if the value is 60 and Tunnel receives no inbound traffic for 60 seconds, probe packets are sent with the next outbound Tunnel traffic.

Default value if the key-value pair is not configured: 60 seconds

AtpProbeIntervalSec

Sets the interval, in seconds, between probe packets sent after the minimum idle time specified in AtpProbeIdleSec.

Default value if the key-value pair is not configured: 1 second

AtpProbeCount

Sets the total number of probe packets sent after the minimum idle time specified in AtpProbeIdleSec.

Default value if the key-value pair is not configured: 5

App proxy

DirectLocalhost

Enter true.

Configure if you are using app proxy Tunnel. The key-value pair is required for Tunnel to handle app proxy localhost traffic from apps.

true: If an app uses localhost, ::1, or 127.0.0.1, the localhost app proxy (TCP) traffic is redirected to the device itself.

SplitUDPPortList

Enter a list of UDP ports to send through Tunnel VPN. All other UDP packets are sent directly to their destination.

If the KVP is not configured, all UDP packets are sent through Tunnel VPN.

Example:

53;161-162;200-1024

Standalone Sentry supports only limited types of UDP traffic, such as DNS traffic. Audio and video traffic through Standalone Sentry is not supported. Therefore, Ivanti recommends configuring SplitUDPPortList to manage UDP traffic.

EnableLegacyAppProxyDNSSetup

When this KVP is set to true, Tunnel uses the legacy app proxy DNS setup logic. If this KVP is absent or set to false, Tunnel does not set the system-level DNS servers.
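As an added example (not an Ivanti tool), the following Python checks a set of Tunnel KVP values against the ranges, options and recommendations in Table 4 and flags settings that weaken a deployment, such as DisablePinning set to true or a disconnect timeout of 0; the function names and the sample KVP values are assumptions.

```python
import ipaddress

# Example code, not an Ivanti tool: lint Tunnel KVP values against the ranges,
# options and recommendations in Table 4. Function names are assumptions.

LOG_LEVELS = ("error", "warning", "info", "debug", "session", "packet")


def _int_in(value, lo, hi, allow_zero=False):
    """True if value is an integer within [lo, hi] (or exactly 0 when allowed)."""
    try:
        n = int(value.strip())
    except ValueError:
        return False
    return (allow_zero and n == 0) or lo <= n <= hi


def lint_tunnel_kvps(kvps):
    """Return (severity, key, message) findings for a dict of KVP strings."""
    findings = []

    def flag(severity, key, message):
        findings.append((severity, key, message))

    v = kvps.get("disconnectTimeoutInSeconds")
    if v is not None and not _int_in(v, 5, 18000, allow_zero=True):
        flag("error", "disconnectTimeoutInSeconds", "must be 0 or 5-18000")
    elif v is not None and int(v) == 0:
        flag("warn", "disconnectTimeoutInSeconds",
             "0 disables automatic disconnect; the VPN stays up until disconnected manually")

    v = kvps.get("TcpIdleTmoMs")
    if v is not None and not _int_in(v, 5000, 18000000):
        flag("error", "TcpIdleTmoMs", "must be 5000-18000000 milliseconds")

    level = kvps.get("LogLevel", "info").strip().lower()
    if level not in LOG_LEVELS:
        flag("error", "LogLevel", f"unknown level {level!r}")
    elif LOG_LEVELS.index(level) > LOG_LEVELS.index("debug"):
        flag("warn", "LogLevel", f"{level} captures session or packet data; use only while troubleshooting")

    if kvps.get("DisablePinning", "false").strip().lower() == "true":
        flag("high", "DisablePinning", "certificate pinning disabled; not recommended for security reasons")

    for entry in kvps.get("PublicDNS", "").split():   # space-separated IPv4/IPv6 list
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            flag("error", "PublicDNS", f"not an IPv4/IPv6 address: {entry!r}")

    return findings
```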