Smart Phones
In addition to allowing users to access the system from standard workstations and kiosks, the system also allows end users access from connected PDAs, handhelds and smart phones such as i-mode and Pocket PC. When a user connects from a PDA or handheld device, the system determines which pages and functionality to display based on settings in the System > Configuration > Client Types page of the admin console. By default, settings in this page specify that when accessing the system using a(n):
•i-mode device-The system displays compact HTML (cHTML) pages without tables, images, JavaScript, Java, or frames to the user. Depending on which features you enable through the admin console, the end user may browse the Web, link to Web bookmarks, single sign-on to other applications, and edit their preferences (including clearing their cache and editing their system/LDAP password). The system allows i-mode users to access supported features using access keys on their phone's keypad as well as through standard browse-and-select navigation.
•Pocket PC device-The system displays mobile HTML pages with tables, images, JavaScript and frames, but does not process Java. Depending on which features you enable through the admin console, the end user may access Mobile Notes and OWA e-mail applications, browse the Web, link to Web bookmarks, single sign-on to other applications, and edit their preferences (including clearing their cache and editing their system/LDAP password).
PDA and handheld users cannot access the admin console or most of the system's advanced options, including file browsing, VPN Tunneling, and Host Checker, since PDA and handheld devices do not generally support the ActiveX, Java, or JavaScript controls on which these features depend.
Also note that i-mode users cannot access cookie-based options, including session cookies, since most i-mode browsers do not support HTTP cookies. The system rewrites hyperlinks to include the session ID in the URL instead of using cookies. The system reads the session ID when the user accesses the URL.
In order to improve the response time, the following icons are not displayed when accessing the home page: help, sign out, open bookmark in new page, and PSAM.
Configuring Connect Secure for PDAs and Handhelds
To properly configure the system to work with PDAs and handheld devices, you must:
1.Enable access at the system level-If you want to support browsers other than the defaults provided with the system, you must enter the user agent strings of the PDA and handheld operating systems that you want to support in the System > Configuration > Client Types tab. For a complete list of supported PDA and handheld browsers, see the Supported Platforms document posted on the Support web site.
2.Evaluate your user roles and resource policies-Depending on which Ivanti Connect Secure features you have enabled, you may need to either modify your existing roles and resource policies for PDA and handheld users or create new ones. Note that:
•Mobile device users cannot access roles or policies that require Host Checker since handheld devices do not generally support the ActiveX, Java, or JavaScript controls on which these features depend. You can disable these options through the following tabs:
•Users > User Roles > Role > General > Restrictions
•Resource Policies > Web > Access > Web ACL > Policy > Detailed Rules
•Mobile device users may have trouble reading long role names on their small screens. If you require users to pick from a list of roles when they sign in, you may want to shorten role names in the Users > User Roles > Role > General > Overview tab.
•Mobile device users may have trouble reading long bookmark names on their small screens. You can edit Web bookmarks in the following tabs:
•Users > Resource Profiles > Web Application Resource Profiles > Profile > Bookmarks
•Users > User Roles > Role > Web > Bookmarks
•Resource Policies > Web > Access > Web ACL > Policy > General
•Although advanced features such as file browsing are not supported for PDAs and handhelds, you do not need to disable them in the roles and resource policies used by mobile device users. The system simply does not display these options to mobile device users.
3.Evaluate your authentication and authorization servers-The system supports all of the same authentication and authorization servers for PDA and handheld users as for standard users.
4.Evaluate your realms-Depending on which system features you have enabled, you may need to either modify your existing realms for PDA and handheld users or create new ones. Note that:
•Mobile device users cannot access the system when they try to sign into a realm that requires Host Checker since handheld devices do not generally support the ActiveX, Java, or JavaScript controls on which these features depend. You can disable these options through sub-tabs in the System > Configuration > Security page.
•Mobile device users may have trouble reading long realm names on their small screens. If you require users to pick from a list of realms when they sign in, you may want to shorten realm names in the Users > User Realms > Realm > General tab.
5.Evaluate your sign-in policy-If you want to use a different sign-in page for Pocket PC users, you can define it in the Authentication > Signing In > Sign-in Pages tab and then create a sign-in policy that references the page using options in the Authentication > Signing In > Sign-in Policies tab. Or, you can create a custom sign-in page using the Pocket PC template files that are available in sample.zip.
6.Specify allowed encryption strength-Different types of devices allow different encryption strengths. You should specify the encryption strength in Ivanti Connect Secure to match the requirement of your devices. For example, mobile phones often only accept 40-bit encryption. Review your end-users' device requirements and specify the allowed encryption strength on the System > Configuration > Security tab.
Defining Client Types
The Client Types tab allows you to specify the types of systems your users may sign in from and the type of HTML pages to display when they do. In addition, client types are used to identify the operating system shown on the Device Management page for devices that use ActiveSync to synchronize e-mail with a Microsoft Exchange server. The user agent string used to identify a device during login may be different from the one in the ActiveSync message. For example, in the list of default user agent strings, *Apple-iPhone* and *Apple-iPad* are used only in ActiveSync messages.
To manage the client types:
1.In the admin console, choose System > Configuration > Client Types.
2.In the User-agent string pattern text box, enter the user agent string for the operating system(s) that you want to support. You can specify all or part of the string. For example, you can use the default *DoCoMo* string to apply to all DoCoMo operating systems, or you can create a string such as DoCoMo/1.0/P502i/c10 to apply to a single type of DoCoMo operating system. You can use the * and ? wildcard characters in the string. Note that user agent strings on the system are case-insensitive.
If a device operating system shown on the Device Management page is Other, the ActiveSync message for the device has a user-agent string that is not defined here. To add the missing user-agent string:
3.Select System > Log/Monitoring > User Access > Log.
4.Search the User Access Log using the filter id='AUT31094' && user='username'. The AUT31094 is the ActiveSync log message ID, and you can select System > Status > Devices to get the device's username from the Device Management page. The log message looks like the following:
Device record created for user [email protected] to obtain Authorization Only access. (activesync_id=SAMSUNG1355815045478007_AM, user-agent=SAMSUNG-SAMSUNG-SGH-I997/100.202)
1. Copy the user-agent= value from the log message to the User-agent string pattern text box.
2. Select the client type (see Step 3) and click Add.
5.Select the type of HTML to display to users who sign in from the operating system specified in the previous step. Options include:
•Standard HTML-The system displays all standard HTML functions, including tables, full-size graphics, ActiveX components, JavaScript, Java, frames, and cookies. Ideal for standard browsers, such as Firefox, Mozilla, and Internet Explorer.
•Compact HTML (iMode)-The system displays small-screen HTML-compatible pages. This mode does not support cookies or the rendering of tables, graphics, ActiveX components, JavaScript, Java, VB script, or frames. (The only difference between this option and the Smart Phone HTML Basic option is the user interface.) Ideal for iMode browsers.
Form Post SSO is not supported on iMode appliances.
•Mobile HTML (Pocket PC)-The system displays small-screen HTML-compatible pages that may contain tables, small graphics, JavaScript, frames, and cookies, but this mode does not facilitate the rendering of java applets or ActiveX components. Ideal for Pocket PC browsers.
•Smart Phone HTML Advanced-The system displays small-screen HTML-compatible pages that may contain tables, small graphics, frames, cookies, and some JavaScript, but this mode does not facilitate the rendering of java applets, ActiveX components, or VB scripts. Ideal for Treo and Blazer browsers.
•Smart Phone HTML Basic-The system displays small-screen HTML-compatible pages. This mode does not support cookies or the rendering of tables, graphics, ActiveX components, JavaScript, Java, VB script, or frames. (The only difference between this option and the Compact HTML option is the user interface.) Ideal for Opera browsers on Symbian.
The system rewrites hyperlinks to include the session ID in the URL instead of using cookies.
•Mobile Safari, Android, Symbian, iPad-The Mobile Safari (iPhone/iPod Touch), Android, and Symbian selections have Basic, Advanced, and Full HTML options.
6.Specify the order in which you want the user agents evaluated. The system applies the first rule in the list that matches the user's system. For example, you may create the following user agent string/HTML type mappings in the following order:
•User Agent String: *DoCoMo* Maps to: Compact HTML
•User Agent String: DoCoMo/1.0/P502i/c10 Maps to: Mobile HTML
If a user signs in from the operating system specified in the second line, the system displays compact HTML pages to that user, not the more robust mobile HTML, because the user agent string also matches the first item in the list.
To order mappings in the list, select the check box next to an item and then use the up and down arrows to move it to the correct place in the list.
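As an added example (not the product's code or part of this documentation), the following Python models the matching rules described above: the first matching user-agent pattern wins, `*` and `?` are wildcards, comparison is case-insensitive, and the user-agent= value of an AUT31094 log message is extracted for a device that would otherwise show as Other. The pattern table, the log line and the user name in it are constructed for the example.

```python
import re

# Constructed client-type table in evaluation order (first match wins), as an
# administrator might define it on System > Configuration > Client Types.
CLIENT_TYPES = [
    ("*DoCoMo*", "Compact HTML"),
    ("DoCoMo/1.0/P502i/c10", "Mobile HTML"),   # never reached: shadowed by the rule above
    ("Apple-iPhone*", "Mobile Safari"),
]

def pattern_to_regex(pattern):
    """Translate the '*' and '?' wildcards into an anchored, case-insensitive regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def classify_user_agent(user_agent, client_types=CLIENT_TYPES):
    """Return the HTML type of the first matching pattern, or 'Other' when none matches."""
    for pattern, html_type in client_types:
        if pattern_to_regex(pattern).match(user_agent):
            return html_type
    return "Other"

# Shape of the AUT31094 message: "... (activesync_id=<id>, user-agent=<ua>)".
LOG_RE = re.compile(r"activesync_id=(?P<asid>[^,)]+),\s*user-agent=(?P<ua>[^)]+)\)")

def user_agent_from_log(line):
    """Extract the user-agent= value from an AUT31094 'Device record created' log message."""
    m = LOG_RE.search(line)
    return m.group("ua").strip() if m else None

def missing_pattern(line, client_types=CLIENT_TYPES):
    """If the device in this log line would show as 'Other', return the user-agent
    value to paste into the User-agent string pattern box; otherwise return None."""
    ua = user_agent_from_log(line)
    if ua is None or classify_user_agent(ua, client_types) != "Other":
        return None
    return ua

# Constructed sample log line in the shape shown above (the user name is made up).
SAMPLE_LOG = ("Device record created for user user1@example.com to obtain Authorization "
              "Only access. (activesync_id=SAMSUNG1355815045478007_AM, "
              "user-agent=SAMSUNG-SAMSUNG-SGH-I997/100.202)")
```

Reordering the two DoCoMo rules in CLIENT_TYPES makes the specific P502i pattern win, which is the ordering point made above.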
7.Select the Enable password masking for Compact HTML check box if you want to mask passwords entered in iMode and other devices that use compact HTML. (Devices that do not use compact HTML mask passwords regardless of whether or not you select this check box.) Note that if your iMode users' passwords contain non-numeric characters, you must disable password masking because iMode devices only allow numeric data in standard password fields. If you disable masking, passwords are still transmitted securely, but are not concealed on the user's display.
8.Click Save Changes.
Enabling ActiveSync for Handheld Devices
Using ActiveSync, you can synchronize data between a Windows-based desktop computer and handheld devices. Connect Secure can be used as a reverse proxy to allow users to synchronize their data without installing an additional client application on their handheld devices. More than 1000 concurrent connections are supported on a PSA7000.
Please note the following:
•Supports Windows Phone 5.0, 6.0 and 8.0 only.
•Supports Exchange Server 2010, 2013.
•ActiveSync does not use up concurrent user licenses, even when configured with certificate authentication.
•Both NTLM & Basic Auth on the Exchange server are supported.
•Both HTTP and HTTPS between Connect Secure and an Exchange server are supported.
•If Connect Secure is used for OWA & ActiveSync, the hostnames for OWA access and ActiveSync must be different.
•Direct Push is supported with ActiveSync, however you must set HTTPServerTimeout to 20 minutes or less. Direct Push is a feature built into Exchange Server 2010.
•ActiveSync does not work through a back-end web proxy.
•VIP sourcing settings are ignored for ActiveSync sessions. ActiveSync traffic from Connect Secure to a backend server is always sent with the Internal Port's source IP address.
To configure the system as a reverse proxy for use with ActiveSync:
1.In the admin console, choose Authentication > Signing In > Sign-in Policies.
2.To create a new authorization only access policy, click New URL and select authorization only access. Or, to edit an existing policy, click a URL in the Virtual Hostname column.
3.In the Virtual Hostname field, enter the name that maps to the system IP address. The name must be unique among all virtual hostnames used in pass-through proxy's hostname mode. The hostname is used to access the Exchange server entered in the Backend URL field. Do not include the protocol (for example, http:) in this field.
For example, if the virtual hostname is myapp.ivehostname.com and the backend URL is http://www.xyz.com:8080/, a request to https://myapp.ivehostname.com/test1 is converted by the system into a request to http://www.xyz.com:8080/test1. The response to the converted request is sent to the original requesting web browser.
4.In the Backend URL field, enter the URL for the Exchange server. You must specify the protocol, hostname and port of the server. For example, http://www.mydomain.com:8080/*.
When a request matches the hostname in the Virtual Hostname field, the request is transformed to the URL specified in the Backend URL field. The client is served from the backend URL without being aware of the rewrite.
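Added example (not the product's code): a small Python model of the virtual-hostname-to-backend-URL rewrite described in steps 3 and 4, together with a check for the configuration mistakes this page calls out (a protocol in the Virtual Hostname, a Backend URL without protocol, hostname and port, and two policies such as OWA and ActiveSync sharing one hostname). The policy table and its hostnames are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed authorization-only policies as (Virtual Hostname, Backend URL); the
# hostnames and backends are examples in the page's style, not real hosts.
POLICIES = [
    ("myapp.ivehostname.com", "http://www.xyz.com:8080/"),
    ("activesync.ivehostname.com", "http://www.mydomain.com:8080/*"),
]

def validate_policies(policies):
    """Return a list of configuration problems (empty means the table is consistent):
    a protocol or path in the Virtual Hostname, a Backend URL lacking scheme/host/port,
    or two policies sharing a hostname (OWA and ActiveSync hostnames must differ)."""
    problems, seen = [], set()
    for vhost, backend in policies:
        if "://" in vhost or "/" in vhost:
            problems.append(f"{vhost}: virtual hostname must not contain a protocol or path")
        if vhost.lower() in seen:
            problems.append(f"{vhost}: duplicate virtual hostname")
        seen.add(vhost.lower())
        be = urlsplit(backend)
        if be.scheme not in ("http", "https") or not be.hostname or be.port is None:
            problems.append(f"{backend}: backend URL needs protocol, hostname and port")
    return problems

def map_to_backend(request_url, policies):
    """Rewrite a request whose host matches a policy's Virtual Hostname into the
    corresponding backend request; return None when no policy matches (not proxied)."""
    req = urlsplit(request_url)
    for vhost, backend in policies:
        if req.hostname and req.hostname.lower() == vhost.lower():
            be = urlsplit(backend)
            # A trailing '/*' on the Backend URL means "everything under this base".
            base = be.path[:-2] if be.path.endswith("/*") else be.path.rstrip("/")
            return urlunsplit((be.scheme, be.netloc, base + (req.path or "/"), req.query, ""))
    return None
```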
5.Enter a Description for this policy (optional).
6.Select the server name or No Authorization from the Authorization Server drop-down menu. If you select a server, ensure that the front-end server provides the SMSESSION cookie; otherwise you will receive an error.
7.Select a user role from the Role Option drop-down menu.
Only the following user role options are applicable for ActiveSync.
•HTTP Connection Timeout (Users > User Roles > RoleName > Web > Options > View advanced options)
•Allow browsing untrusted SSL web sites (Users > User Roles > RoleName > Web > Options > View advanced options)
•Source IP restrictions (Users > User Roles > RoleName > General > Restrictions)
•Browser restrictions (Users > User Roles > RoleName > General > Restrictions)
Ensure the user role you select has an associated Web Access policy.
8.Select the Allow ActiveSync Traffic only option to perform a basic validation of the HTTP header to ensure the request is consistent with the ActiveSync protocol. If you select this option, only ActiveSync protocol requests can be processed. If validation fails, a message is created in the user's event log. If you do not select this option, both ActiveSync and non-ActiveSync requests are processed.
9.Click Save Changes.
The System Status Overview page displays the number of current active concurrent connections and a histogram of the active concurrent connections (Authorization Only Access Active Connections plot in the Concurrent SSL Connections graph).