Integrating AirWatch with Pulse Secure

Overview

Enterprises face the ongoing challenge of providing a secure and consistent network that is free of security breaches. The challenge grows as employees increasingly want to access sensitive corporate data from their personal devices. A Virtual Private Network (VPN) addresses this by letting employees access enterprise data from devices that are outside the enterprise network.

With v8.1, AirWatch now integrates its Mobile Device Management (MDM) solution with Pulse Secure to provide seamless authenticated access and network connectivity to users through SSL VPN. Apart from the Virtual Private Network (VPN) connection, per-app VPN is also extended to the devices, providing an extra security layer and giving administrators the ability to define VPN connections for individual apps. The Pulse Secure app on Android and iOS devices, in coordination with the SSL VPN, assures the security of the devices against mobile malware and viruses and prevents the exploitation of sensitive corporate data.

Requirements

You need to have the following in place in order to start using Pulse Secure.

  • AirWatch Admin Console 8.1

  • AirWatch Agent 5.4 for Android

  • Pulse Connect Secure Gateway (SA series appliances or MAG series gateways running Pulse Connect Secure service) that acts as a checkpoint, identifies the devices and queries the AirWatch Mobile Device Management (MDM) for the device attributes.

  • Pulse AppConnect SDK that delivers per-app SSL VPN connectivity for iOS and Android apps.

  • The Pulse Secure mobile app installed on the devices.  

Supported Devices

The devices that support Pulse Secure VPN and per-app VPN connectivity are:

  • Android 5.0 and above

  • iOS 7 devices 

Workflow

The illustration below shows how AirWatch and Pulse Secure work together to grant VPN access to a user.


  1. The device enrolls to AirWatch.

  2. Once enrolled, the device connects with the AirWatch MDM. The VPN profile is then pushed to the device.

  3. The Pulse Secure mobile client on the device connects through a Web browser to the Pulse Connect Secure Gateway. 

  4. The gateway identifies the device and queries the AirWatch MDM for device attributes. A custom message is sent to the MDM. 

  5. The AirWatch MDM then sends a message to the device informing the user if the connection is a success or a failure.

 

Configuring the Payloads on the AirWatch Admin Console

To connect a device to the VPN, a Credentials profile and then a VPN profile must be pushed from the AirWatch Admin Console to the device.

The Credentials profile must therefore be configured with the details of the digital certificate. When the Credentials profile is pushed, it deploys this certificate to the devices.

Configuring the Credentials Payload

Corporate networks and devices, though protected with strong passwords, are still susceptible to password attacks and hacking. Digital certificates from a trusted authority help assure the security of networks.

To configure a credentials profile:

  • Navigate to Devices > Profiles > List View > Add > Add Profile. Select Android/iOS from the platform list.
  • Configure General profile settings and Credentials settings:
    • Credentials Source - Select one of the options from the drop-down menu: Upload, Define Certificate Authority, or User Certificate.
      • If you choose Upload, complete the following:
        • Credential Name - Enter a name for the credential or select the + symbol to view the lookup values to find the certificate.
        • Certificate - Upload the certificate.
      • If you choose Define Certificate Authority to define a certificate authority issuing the certificate, then complete the following:
        • Certificate Authority - Select the Certificate Authority issuing the certificate.
        • Certificate Template - Select the predefined template for the Certificate Authority to use when requesting the Certificate.
      • If you choose User Certificate to upload an S/MIME certificate, then select either S/MIME Signing Certificate or S/MIME Encryption Certificate

Configuring the VPN profile

The VPN profile allows the devices outside the enterprise network to function in the same manner as when the devices are within the network.  VPNs provide a secure channel for the devices to access corporate resources.

While you are setting up your basic VPN settings, you can enable per-app VPN for your managed applications. By doing so, you can choose which of your managed applications can access the VPN. Personal or non-important apps are left to connect over the regular internet connection.

 

To configure the VPN profile for Android

The following instructions help you to configure your base VPN settings alongside Per-app VPN settings for an Android device.

1. Navigate to Devices > Profiles > List View > Add > Add Profile and select Android.
2. Configure the General settings.
3. Select the VPN payload.
4. Enter the Connection Info.

    • Connection Type - Choose Pulse Secure from the drop-down menu as the connection method for the devices.
    • Connection Name - Enter a name for the connection to be displayed on the device.
    • Server - Enter the hostname or IP address of the server for connection.
    • Per-app VPN Rules - Select the checkbox to enable Per-app VPN for your managed apps.

5. Enter the Authentication details.

    • User Authentication - Choose Password or Certificate as the method required to authenticate the VPN session.
    • Username - Provide the credentials required for end-user VPN access.
    • Realm - Define the server used to authenticate the device. 
    • Role - Defines the network resources the device can access.
    • Password - Provide the password required for end-user VPN access, if Password is chosen in the User Authentication field. 
    • Identity Certificate - Provide the certificate credentials required to authenticate the VPN connection if Certificate is chosen in the User Authentication field. 

6. Select Save & Publish

 

To configure the VPN profile for iOS

The following instructions help you to configure your base VPN settings alongside Per-app VPN settings for an iOS 7 device.

1. Navigate to Devices > Profiles > List View > Add Profile and select iOS.
2. Configure the General settings.
3. Select the VPN payload.
4. Enter the Connection information: 

    • Connection Name - Enter a name for the connection to be displayed on the device.
    • Connection Type - Choose Pulse Secure from the drop-down menu as the connection method for the device.
    • Server - Enter the hostname or IP address of the server for connection.
    • Account - Enter the name of the VPN account.
    • Disconnect on Idle - Allow the VPN to auto-disconnect after a specific amount of time. Support for this value is dependent on VPN provider.
    • Realm - Define the server used to authenticate the device.
    • Role - Defines the network resources the device can access.
    • Per-app VPN Rules - Select the checkbox to enable Per-app VPN for your managed apps.
    • Connect Automatically - Select this checkbox to allow the VPN to automatically connect to the chosen Safari domains.

5. Enter the Authentication information:

User Authentication - Choose Certificate or Password as the mode of authentication for end users. If you choose Password, then enter the password required for authentication in the Password field. If you choose Certificate, then enter the following information:

    • Identity Certificate - Provide the certificate credentials required to authenticate the VPN connection
    • Enable VPN on Demand - Enable VPN on Demand to use certificates to automatically establish VPN connections.

6. Enter the Proxy information:

Proxy - Select either Manual or Auto proxy type to configure with this VPN connection. If you choose Manual, then enter information for the following: 

    • Server - Enter the URL of the proxy server.
    • Port - Enter the port used to communicate with the proxy.
    • Username - Enter the username to connect to the proxy server.
    • Password - Enter the password for authentication.

If you choose Automatic, then enter the Proxy Server Auto Config URL from which you will get the proxy settings.

7. Enter the Vendor Configuration:

Vendor Keys - Select this to create custom keys to go into the vendor config dictionary.

    • Key - Enter the specific key provided by the vendor.
    • Value - Enter the VPN value for each key.

8. Select Save & Publish
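
A way to review the iOS VPN profile before it is published, as an added example (not AirWatch or Pulse Secure code). It assumes the profile reaches the device as a standard Apple configuration profile whose VPN payload uses the keys AuthenticationMethod, AuthPassword and PayloadCertificateUUID, with Realm and Role in VendorConfig; the sample profile is constructed and audit_vpn_profile is a hypothetical helper name.

```python
import plistlib

# Apple payload types for device-wide and per-app VPN.
VPN_TYPES = {"com.apple.vpn.managed", "com.apple.vpn.managed.applayer"}

# Constructed sample profile for illustration; not exported from a real console.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.vpn.managed</string>
    <key>UserDefinedName</key><string>Corp VPN</string>
    <key>VendorConfig</key><dict><key>Realm</key><string>Users</string></dict>
    <key>VPN</key><dict>
      <key>RemoteAddress</key><string>vpn.example.com</string>
      <key>AuthenticationMethod</key><string>Password</string>
      <key>AuthPassword</key><string>example-only</string>
    </dict>
  </dict></array>
</dict></plist>"""


def audit_vpn_profile(raw: bytes) -> list:
    """Return findings for every VPN payload in a configuration profile."""
    findings = []
    profile = plistlib.loads(raw)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") not in VPN_TYPES:
            continue
        name = payload.get("UserDefinedName", "<unnamed>")
        vpn = payload.get("VPN", {})
        vendor = payload.get("VendorConfig", {})
        # The page offers Password or Certificate; flag anything but Certificate.
        if vpn.get("AuthenticationMethod") != "Certificate":
            findings.append(f"{name}: user authentication is not Certificate")
        elif not vpn.get("PayloadCertificateUUID"):
            findings.append(f"{name}: no identity certificate referenced")
        # A stored password travels with every copy of the profile.
        if vpn.get("AuthPassword"):
            findings.append(f"{name}: password embedded in profile")
        # Realm and Role are the vendor values the VPN payload asks for.
        for key in ("Realm", "Role"):
            if not vendor.get(key):
                findings.append(f"{name}: {key} not set in VendorConfig")
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_profile(SAMPLE_PROFILE):
        print(finding)
```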

 

 

Establishing VPN using Pulse Secure Mobile Client

To start using the Pulse Secure VPN connection, your users must download and install the Pulse Secure mobile app from their device app stores onto their devices.

 


 

Since the VPN profiles are already deployed to the devices, on opening the Pulse Secure mobile app, your users will see a ready-to-use VPN connection on their devices.

 

 

Tap Connect on the home screen to connect to the VPN. The Login page appears.

Enter the Username and Password to sign in to your VPN. If you have more than one VPN connection, select your connection from the Select Connection drop-down menu.

 

 


 

Tap Connections on the home screen to view the automatically populated connection details.  
