Key-value pairs for Ivanti Tunnel for macOS

The following table provides the key-value pairs for customizing Ivanti Tunnel for macOS.

Table 2. Key-value pairs for Ivanti Tunnel for macOS

Key

Value

Manage Tunnel timeout

disconnectTimeoutInSeconds
(Ivanti EPMM)

Enter 0 or a number between 5 - 18000.

If the value is 0, the Ivanti Tunnel VPN never disconnects itself. You have to manually disconnect the VPN in Ivanti Tunnel.

If the value is greater than 0, the Ivanti Tunnel VPN is disconnected after the number of seconds entered.

Default value if the key-value pair is not configured: 60 seconds.

TcpIdleTmoMs

Enter an integer between 5000 - 1800000.

The timeout is measured in milliseconds. Configuring idle timeout allows you to control the idle session timeout for the TCP connection between the app and the backend server. You may want to configure idle timeout if the backend server takes more than 60 seconds to respond to a request.

The default idle timeout with Standalone Sentry for per app VPN if the key-value pair is not configured: 60 seconds.

Troubleshooting

debugInfoRecipient
(Available as field value in Ivanti Neurons for MDM)

Enter an email address to forward the debug information.

LogLevel

Enter debug <Log Level>

Use one of the following log level options. The options are listed from the least to the most verbose level.

error: Captures error logs if the Tunnel app errors out while performing an action.

warning: Captures warning messages logged if there is missing or incorrect information that might cause an error. This log level is rarely used.

info: Captures informational level details; for example, the log prints inputs, metadata, and parameter values.

debug: Captures debug level information such as actions, operations, values of critical data, and information that is helpful in debugging.

session: Captures everything that occurs during a tunnel session.

packet: Captures packet level information, such as length in bytes. Used for troubleshooting DNS queries and responses to and from Tunnel.

Default if the key-value pair is not configured: info

DNS and network

IPv6NetworkPrefix

IPv6 ULA network prefix to use for the internal NAT table.

Certificates

DisablePinning

false: Default, if the key-value pair is not configured. Certificate pinning is enabled.

true: Certificate pinning is disabled. Disabling certificate pinning is not recommended for security reasons.

The Standalone Sentry server certificate is automatically pushed to the device.

Packet-tunnel

IPRoutes

IP routes of the iOS or macOS device VPN. Enter a semicolon-separated list.

The default value if the key-value pair is not configured is 0.0.0.0/0

Example  

10.0.0.0/8;172.16.0.0/16

Ivanti recommends configuring IP routes for better Tunnel performance.

ExcRoutes

IP routes that will be excluded from IPRoutes.

Example  

10.10.10.10/32

SplitUDPPortList

List the destination UDP ports of the UDP packets that should be sent through the VPN. All other UDP packets are sent directly to the destination from the Tunnel client.

If the key-value pair is not configured, all UDP packets from the VPN interface go through the VPN.

Example  

53;161-162;200-1024

MTU

Tunnel MTU.

The default value if the key-value pair is not configured is 1400.

TunIP

IP address of the VPN network interface.

Configure only if the customer network is in the same range.

Example  

192.168.13.10

AtpProbeIdleSec

Sets the minimum idle time, in seconds, after which probe packets are sent out with outbound Tunnel traffic. If Tunnel does not receive a response for at least one of the probes sent, the existing connection is dropped and a new connection is established with the server.

The minimum idle time is based on the last inbound response received by Tunnel. For example, if the value is 60 seconds and Tunnel does not receive any inbound traffic for 60 seconds, probe packets are sent with the next outbound Tunnel traffic.

Default value if the key-value pair is not configured: 60 seconds

AtpProbeIntervalSec

Sets the interval, in seconds, between probe packets sent after the minimum idle time specified in AtpProbeIdleSec.

Default value if the key-value pair is not configured: 1 second

AtpProbeCount

Sets the total count of the probe packets sent after the minimum idle time specified in AtpProbeIdleSec.

Default value if the key-value pair is not configured: 5

App proxy

DirectLocalhost

Enter true.

Configure if using app proxy Tunnel. The key-value pair is required for Tunnel to handle app proxy localhost traffic from apps.

true: If an app uses localhost, ::1, or 127.0.0.1, the localhost app proxy (TCP) traffic is redirected to the device itself.
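
The following is an added example, not part of Ivanti's documentation: a Python check that audits a set of Tunnel key-value pairs against the ranges and list formats in the table above and reports disabled certificate pinning. The function names, the all-strings dictionary shape, the sample values, the 0-65535 port bound, and the strictness of the list parsing are assumptions.

```python
import ipaddress

def ports_ok(spec):
    """Check a SplitUDPPortList value such as '53;161-162;200-1024'."""
    for item in spec.split(";"):
        bounds = item.split("-")
        if len(bounds) > 2 or not all(b.isdecimal() for b in bounds):
            return False
        nums = [int(b) for b in bounds]
        # Assumption: ports are 0-65535 and a range is written low-high.
        if max(nums) > 65535 or nums != sorted(nums):
            return False
    return True

def routes_ok(spec):
    """Check a semicolon-separated CIDR list such as '10.0.0.0/8;172.16.0.0/16'."""
    try:
        for cidr in spec.split(";"):
            ipaddress.ip_network(cidr, strict=False)
        return True
    except ValueError:
        return False

def audit(cfg):
    """Return (key, message) findings for a dict of string key-value pairs."""
    findings = []
    def check(key, *ranges):
        value = cfg.get(key)  # None: not configured, the documented default applies
        valid = value is None or (value.isdecimal() and any(int(value) in r for r in ranges))
        if not valid:
            findings.append((key, f"{value!r} is outside the documented range"))
    check("disconnectTimeoutInSeconds", range(0, 1), range(5, 18001))
    check("TcpIdleTmoMs", range(5000, 1800001))
    if cfg.get("DisablePinning", "false").lower() == "true":
        findings.append(("DisablePinning", "certificate pinning is disabled"))
    for key in ("IPRoutes", "ExcRoutes"):
        if key in cfg and not routes_ok(cfg[key]):
            findings.append((key, "malformed CIDR list"))
    if "SplitUDPPortList" in cfg and not ports_ok(cfg["SplitUDPPortList"]):
        findings.append(("SplitUDPPortList", "malformed port list"))
    return findings

# Constructed sample profile, not taken from a real deployment.
SAMPLE = {"disconnectTimeoutInSeconds": "3", "TcpIdleTmoMs": "90000",
          "DisablePinning": "true", "IPRoutes": "10.0.0.0/8;172.16.0.0/16",
          "ExcRoutes": "10.10.10.10/32", "SplitUDPPortList": "53;161-162;200-1024"}
if __name__ == "__main__":
    for key, message in audit(SAMPLE):
        print(f"{key}: {message}")
```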