Configuring the Secure Microtunnel policy

The Blue Cedar Accelerator for Secure Edge Connect (a separately licensed product) is configured from the UI of the Blue Cedar Accelerator for Microsoft: in an app security profile, enable the Secure Microtunnel option.

Click Policies, then click Create New App Security Profile or click on the name of an existing profile to edit it.

On the policy details page, select the Secure Microtunnel tab and enable the policy.

Select the desired options:

Gateway Type

  • Standards-based IKEv2: a third-party IPsec-based VPN server (such as Cisco ASA, Pulse Secure, and so on).
  • Blue Cedar Connect Gateway: Blue Cedar's IPsec-based virtual gateway.

Server Address

A numeric IP address or a fully qualified host name.

If users may be on IPv6 networks, Blue Cedar recommends a host name rather than an IP address for the Server Address: a host name resolves correctly on both IPv4 and IPv6 networks.

Authentication Method

Choose one of the authentication methods and supply the required key or certificate:

Pre-shared key (PSK)

If you select this method, enter the PSK into the "Pre-shared Key (PSK)" field. Blue Cedar applies the PSK to the app automatically and securely.

If you change the PSK on the VPN gateway after securing the app, then you must re-integrate the app with the new PSK and have the end user install the updated secured app on their device. Otherwise, the existing secured app fails to work with the gateway.

When using PSK, Blue Cedar recommends using an IP address instead of a host name for the VPN Server Address to protect against DNS poisoning, which is an attack that compromises a DNS name server’s database and reroutes traffic to an incorrect IP address.

Note that using specific IP addresses fails for users on IPv6-only networks.
Username/Password (EAP-MSCHAPv2)

Select this method and upload certificates if your users connect to a server that is configured for your authentication provider and supports EAP-MSCHAPv2. The app prompts the mobile device user for the username and password of the configured authentication provider.

When using EAP-MSCHAPv2, you must upload a certificate for the gateway.

Trusted Server Certificates

Click "Upload new certificate" to select the trust certificate. An integrated app can use SSL (X.509) certificates when establishing an SSL connection with the servers it needs to access.

Valid format: The certificate must be a PEM-encoded certificate file. Apps secured with DER-encoded certificates cannot communicate with the gateway.

Click Save changes.
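As an added pre-flight check, not part of the Blue Cedar product or of this page, the following Python script applies the constraints listed above to a proposed profile before it is saved: a missing PSK, a missing gateway certificate for EAP-MSCHAPv2, the host name versus IP address trade-offs for the Server Address, and certificates that are not PEM-encoded (with a helper that re-armours a DER file as PEM). The method keys "psk" and "eap-mschapv2", the finding texts and the sample certificate bytes are assumptions made for this example.

```python
import base64
import ipaddress
import re

# Matches one PEM certificate block; a DER file has no such text armour.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----")

def is_ip_literal(address: str) -> bool:
    """True for a numeric IPv4/IPv6 address, False for a host name."""
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False

def cert_encoding(data: bytes) -> str:
    """Classify uploaded certificate bytes as 'pem', 'der' or 'unknown'."""
    if PEM_RE.search(data):
        return "pem"
    # A DER certificate starts with an ASN.1 SEQUENCE tag (0x30).
    return "der" if data[:1] == b"\x30" else "unknown"

def der_to_pem(der: bytes) -> bytes:
    """Re-armour a DER certificate as PEM with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode("ascii")

def check_profile(server_address: str, auth_method: str, psk: str = "", certs=()) -> list:
    """Lint a proposed profile: 'ERROR' findings block integration, 'WARN' ones are advisory."""
    findings = []
    ip_literal = is_ip_literal(server_address)
    if ip_literal:
        findings.append("WARN: an IP-literal server address fails for clients on IPv6-only networks")
    if auth_method == "psk":
        if not psk:
            findings.append("ERROR: PSK authentication selected but no pre-shared key supplied")
        if not ip_literal:
            findings.append("WARN: a host name with PSK is exposed to DNS poisoning; prefer an IP address")
    elif auth_method == "eap-mschapv2" and not certs:
        findings.append("ERROR: EAP-MSCHAPv2 requires a gateway certificate upload")
    for index, cert in enumerate(certs):
        encoding = cert_encoding(cert)
        if encoding != "pem":
            findings.append(f"ERROR: certificate #{index} is {encoding}; only PEM certificates work with the gateway")
    return findings

# Constructed stand-in for a DER certificate (ASN.1 SEQUENCE header plus filler); not a real cert.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"\xaa" * 256
SAMPLE_PEM = der_to_pem(SAMPLE_DER)
```

Run `check_profile()` on the values you intend to enter in the profile; an empty list means none of the documented constraints is violated.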