Juniper SSL

Use the following guidelines to configure Juniper SSL VPN and Pulse Secure SSL VPN.

Table 1. Juniper SSL settings

Item

Description

Name

Enter a short phrase that identifies this VPN setting.

Description

Provide a description that clarifies the purpose of these settings.

Connection Type

Select Juniper SSL.

Deploy inside Knox Workspace

Select this option to deploy the VPN client app inside the Knox Workspace (container). Deploying the app inside the container means that the Knox security platform protects the app and its data.

This option is available only if you select the Samsung Knox option.

 

Server

Enter the IP address, hostname, or URL for the VPN server.

Proxy

Select None, Manual, or Automatic to configure a proxy.

If you select Manual, you must specify the proxy server name and port number.

If you select Automatic, you must specify the proxy server URL.

Proxy Server URL

Automatic Proxy

Enter the URL for the proxy server.

Enter the URL of the location of the proxy auto-configuration file.

Proxy Server

Manual Proxy

Enter the name for the proxy server.

Proxy Server Port

Manual Proxy

Enter the port number for the proxy server.

Type

Manual Proxy

Select Static or Variable for the type of authentication to be used for the proxy server.

Proxy Server User Name

Manual Proxy

If the authentication type is Static, enter the username for the proxy server.

If the authentication type is Variable, the default variable selected is $USERID$.

Proxy Server Password

Manual Proxy

If the authentication type is Static, enter the password for the proxy server. Confirm the password in the field below.

If the authentication type is Variable, the default variable selected is $PASSWORD$.

Proxy Domains (iOS only)

The VPN will only proxy for the domain and domain suffixes specified here (.com and .org are examples of top-level domain suffixes). Domain suffixes can be used to match multiple domains. For example, .com would include all .com domains, and example.com would include all domains ending in example.com, such as pages.example.com and mysite.example.com. Wildcards are not supported.

Click Add+ to add a domain.

User Name

Specify the user name to use for authentication. The default value is $EMAIL$. Use this field to specify an alternate format. For example, your standard might be $USERID$.

Why: Some enterprises have a strong preference concerning which identifier is exposed. See “Supported variables.”

 

User Authentication

Select Password or Certificate.

Password

Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$. See “Supported variables.”

 

Identity Certificate

Certificate authentication.

Select the entry you created for supporting VPN, if you are implementing certificate-based authentication.

Role

Specify the Juniper user role to use as a restriction.

Realm

Specify the Juniper realm to use as a restriction.

VPN on Demand

Certificate authentication.

Select to enable the VPN on Demand section. Click Add New to specify a domain or hostname and the preferred connection option.

 

Per-app VPN

Select Yes to create a per-app VPN setting.

Per-app VPN is supported for devices running iOS 7 through the most recently released version of iOS as supported by MobileIron. You must update your VPN software to a version that supports iOS 7 features.

An additional license may be required for this feature.

You cannot delete a per-app VPN setting that is being used by an app. Remove the per-app VPN setting from the app before you delete the setting.

You can enable per-app VPN for an app when you:

add the app in the App Catalog.
edit an in-house app or an App Store app in the App Catalog.

See the MobileIron Apps@Work Guide for information about how to add or edit apps.

Provider Type

Define whether the per-app VPN service will tunnel traffic at the application layer (app-proxy) or the IP layer (packet-tunnel).

Select app-proxy (default) or packet-tunnel.

 

On Demand Rules (VPN on Demand, iOS 7 through the most recently released version of iOS as supported by MobileIron.)

VPN On Demand rules are applied when the device's primary network interface changes, for example when the device switches to a different Wi-Fi network.

Note the following:

A matching rule is not required. The Default Rule is applied if a matching rule is not defined.
If you select Evaluate Connection, a matching rule is not required.
You can create up to 10 On Demand matching rules.
For each matching rule you can create up to 50 Type and Value pairs.

 

Add New Matching Rule

Click to add a new On Demand matching rule.

Action

Select one of the following actions to apply to the matching rule:

Connect
Disconnect
Allow
Ignore
Evaluate Connection

Add New

Click to add a new Type Value pair.

-

Click to delete either an On Demand rule, or a matching rule.

Matching Rules:

For each matching rule to which the action is applied, enter the type and value pair.

Type

Select from one of the following key types:

DNS Domain
Interface Type
DNS Server Address
SSID
URL String Probe

Value

For each key selected, enter a value.

DNS Domain—Enter a list of domain names to match against the domain being accessed. A wildcard '*' prefix is supported, e.g. *.example.com would match anything.example.com.

Interface Type—Enter either Wifi or Cellular.

DNS Server Address—Enter a list of DNS servers to match against. All DNS servers have to match the device’s current DNS servers or this match will fail. Wildcard '*' is supported, e.g. 1.2.3.* would match any DNS servers with 1.2.3. prefix.

SSID—Enter a list of SSIDs to match against the current network. If the network is not a Wi-Fi network or if its SSID does not appear in the list, the match will fail.

URL String Probe—Enter a URL to a trusted HTTPS server. This is used to probe for reachability. Redirection is not supported.

Description

Enter additional information about this matching rule.

Domain Action

Only appears if the Action is Evaluate Connection.

Select one of the following Actions for the domain:

Connect if needed—The specified domains trigger a VPN connection attempt if domain name resolution fails. For example: The DNS server indicates that it cannot resolve the domain, or responds with a redirection to a different server, or fails to respond (timeout).
Never connect—The specified domains do not trigger a VPN connection attempt.

Action Parameters:

Only appears if the Action is Evaluate Connection. Define the Evaluation Type and Value pair.

Evaluation Type

Select the Evaluation type as one of the following:

Domain (Required)
Required DNS Server (only available with Connect if needed)
Required URL Probe (only available with Connect if needed)

Value

Enter the value for the evaluation type selected.

Domain—Enter a list of domains for which this evaluation applies. Wildcard prefixes are supported, for example, *.example.com.

Required DNS Server—Enter a list of IP addresses of DNS servers to use for resolving the domains. These servers do not need to be part of the device’s current network configuration. If these DNS servers are not reachable, VPN is triggered. Configure either an internal DNS server or a trusted external DNS server.

Required URL Probe—Enter an HTTP or HTTPS (preferred) URL. The device probes this URL using a GET request. The probe is successful if the DNS resolution for this server is successful. VPN is triggered if the probe fails.

Description

Enter additional information about this Evaluation Type and Value pair.

Default Rule:

The default rule (action) is applied to a connection that does not match any of the matching rules.

If none of the rules above match or if there is no rule defined, choose VPN connection to:

Select the action for the Default Rule.
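
How the matching rules and the Default Rule combine, as an added example (not MobileIron or Apple code) that can be used to check a planned rule set against expected network states before deployment. It assumes that rules are evaluated in order and that every Type and Value pair in a rule must match; the rule set, the network states and the names `evaluate`, `pair_matches` and `wildcard` are constructed for illustration.

```python
MAX_RULES, MAX_PAIRS = 10, 50  # limits stated on this page

def wildcard(pattern, value):
    """'*' as a prefix (*.example.com) or a suffix (1.2.3.*); otherwise exact."""
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern

def pair_matches(key, values, net):
    if key == "DNS Domain":
        return any(wildcard(v.lower(), net["domain"].lower()) for v in values)
    if key == "Interface Type":
        return net["interface"] in values
    if key == "DNS Server Address":
        # Every current DNS server must match a listed entry, or the match fails.
        return bool(net["dns_servers"]) and all(
            any(wildcard(v, s) for v in values) for s in net["dns_servers"])
    if key == "SSID":
        # Fails off Wi-Fi or when the SSID is not in the list.
        return net["interface"] == "Wifi" and net.get("ssid") in values
    if key == "URL String Probe":
        # Probe results are passed in by the caller so the model runs offline.
        return all(v in net.get("reachable", ()) for v in values)
    raise ValueError(f"unknown key type: {key}")

def evaluate(rules, default_action, net):
    """Assumption: the first rule whose pairs all match wins; else the Default Rule."""
    if len(rules) > MAX_RULES or any(len(p) > MAX_PAIRS for _, p in rules):
        raise ValueError("rule set exceeds the limits stated on this page")
    for action, pairs in rules:
        if all(pair_matches(k, v, net) for k, v in pairs):
            return action
    return default_action

# Constructed rule set and network states (not from the original page).
RULES = [
    ("Disconnect", [("SSID", ["CorpWiFi"]), ("DNS Server Address", ["10.0.0.*"])]),
    ("Connect", [("Interface Type", ["Cellular"])]),
    ("Connect", [("DNS Domain", ["*.example.com"])]),
]
OFFICE = {"interface": "Wifi", "ssid": "CorpWiFi", "domain": "hq.example.net", "dns_servers": ["10.0.0.2", "10.0.0.3"]}
LOOKALIKE = {"interface": "Wifi", "ssid": "CorpWiFi", "domain": "home.lan", "dns_servers": ["192.168.1.1"]}
LTE = {"interface": "Cellular", "ssid": None, "domain": "intranet.example.com", "dns_servers": ["203.0.113.53"]}

if __name__ == "__main__":
    for name, net in (("office", OFFICE), ("lookalike", LOOKALIKE), ("lte", LTE)):
        print(name, "->", evaluate(RULES, "Ignore", net))
```

The constructed Disconnect rule pairs SSID with DNS Server Address, so a network that only reuses the SSID name does not satisfy it and falls through to the later rules or the Default Rule.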

Domains

Safari Domains

Applicable to: Safari Domains (iOS 7 and later; macOS 10.11 and later)

NOTE: You must update your VPN software to a version that supports Per-app VPN.

If the server ends with one of these domain names, a VPN connection is started automatically.

  • Add+ - Click to add a domain.
  • Safari Domain - Enter a domain name. Only alphanumeric characters and periods (.) are supported.
  • Description - Enter a description for the domain.

Calendar Domains

Applicable to: Calendar Domains (iOS 13 and later; macOS 10.15 and later)

If the server ends with one of these domain names, a VPN connection is started automatically.

  • Add+ - Click to add a domain.
  • Calendar Domain - Enter a domain name. Only alphanumeric characters and periods (.) are supported.
  • Description - Enter a description for the domain.

Contact Domains

Applicable to: Contact Domains (iOS 13 and later; macOS 10.15 and later)

If the server ends with one of these domain names, a VPN connection is started automatically.

  • Add+ - Click to add a domain.
  • Contact Domain - Enter a domain name. Only alphanumeric characters and periods (.) are supported.
  • Description - Enter a description for the domain.

Mail Domains

Applicable to: Mail Domains (iOS 13 and later; macOS 10.15 and later)

If the server ends with one of these domain names, a VPN connection is started automatically.

  • Add+ - Click to add a domain.
  • Mail Domain - Enter a domain name. Only alphanumeric characters and periods (.) are supported.
  • Description - Enter a description for the domain.

Custom Data

  • Add+ - Click to add a new key / value pair.
  • Key / Value - Enter the Key / value pairs necessary to configure the VPN setting. The app creator should provide the necessary key / value pairs.