Blue Cedar Connect sub-step for Blue Cedar Enforce
Use the Blue Cedar Connect sub-step to enable secure access to corporate data with an in-app VPN that is optimized for mobile environments. When the Blue Cedar Enforce extension is enabled, it provides the option to embed the Blue Cedar Connect in-app VPN client (formerly referred to as a Secure Microtunnel). The in-app VPN client makes it easy for a mobile app to connect to firewalled resources, even if the app is running on an unmanaged device. Blue Cedar Connect in-app VPN is ideal for device environments that are a mix of BYOD and corporate-issued devices, or solely BYOD. The secure connections are transparent to end users, because the connection parameters and destination can be pre-configured in the in-app VPN. An in-app VPN client delivers a superior user experience: the end user simply has to launch the app to connect to a protected resource.
Blue Cedar Enforce subscription
An IPSec-based VPN server: either Blue Cedar Connect Gateway or a third party standards-based IKEv2 VPN server
The Blue Cedar Connect in-app VPN has been validated to work with the Blue Cedar Connect Gateway and the Cisco ASA gateway, but it should work with any third-party IKEv2 gateway.
You can also upload to the gateway one or more trusted SSL (X.509) certificates that an integrated app can then use when establishing an SSL connection with the servers it needs to access.
Using this sub-step in a workflow
In the workflow builder for your app:
- Add the App Enhancement stage
- Add the Blue Cedar Enforce step to the workflow.
- Add the Blue Cedar Connect sub-step to the Blue Cedar Enforce step.
Blue Cedar Connect
The configuration settings for Blue Cedar Connect in-app VPN are organized in three sections, shown in the App Enhancement / Blue Cedar Enforce / Blue Cedar Connect section of the workflow builder as three tabs:
- Gateway Settings
- Proxy Settings
- TLS/SSL Certificates
Choose one of these options
A numeric IP address or a fully qualified host name.
If users may be using IPv6 networks, Blue Cedar recommends using a host name instead of an IP address for the Server Address. Using a host name allows the address to resolve itself on either IPv4 or IPv6 networks correctly.
STANDARDS-BASED IKEV2 GATEWAY ONLY
Select this method and upload certificates if your users are connecting to a server that is configured to support your authentication provider and that supports EAP-MSCHAPv2. The app prompts the mobile app user to enter username and password for the configured authentication provider.
When using EAP-MSCHAPv2, you must upload a certificate for the gateway on the TLS/SSL Certificates tab.
Pre-shared key (PSK)
If you select this method, enter the PSK into the "Pre-shared Key (PSK)" field. Blue Cedar automatically securely applies the PSK to the app.
If you change the PSK on the VPN gateway after securing the app, then you must run the workflow again with the new PSK and have the end user install the updated app on their device. Otherwise, the existing app fails to work with the gateway.
When using PSK, Blue Cedar recommends using an IP address instead of a host name for the VPN Server Address to protect against DNS poisoning, which is an attack that compromises a DNS name server’s database and reroutes traffic to an incorrect IP address.
Note that using specific IP addresses fails for users on IPv6-only networks.
BLUE CEDAR CONNECT GATEWAY ONLY
To assign a specific gateway-defined auth-group, enter the name of the group. This group must be configured on the virtual gateway. See "Configuring AAA" in the Blue Cedar Connect Gateway documentation.
Trusted Certificates Group
BLUE CEDAR CONNECT GATEWAY, MICROSOFT TUNNEL GATEWAY
If your Connect Gateway's identity certificate was issued by a certificate authority (CA) that is globally trusted, you can use this default option instead of uploading your CA certificate.
BLUE CEDAR CONNECT GATEWAY, MICROSOFT TUNNEL GATEWAY
If your Connect Gateway's identity certificate was issued by a certificate authority (CA) that is not globally trusted, upload the issuer certificate (CA certificate) of that identity certificate. This CA certificate is part of the Connect Gateway's PKI infrastructure: uploading it here includes it in the integration so that the app can verify that the server is trusted. If the trusted mobile device CA certificate store is being used, you can also upload a CA certificate as an intermediate certificate.
See "Configuring AAA Public Key Infrastructure" in the Blue Cedar Connect Gateway documentation.
Proxy settings allow you to configure how web-based apps choose their path to the requested URLs. Proxy servers can provide security benefits, especially when coupled with a VPN. These details depend on the configuration of your infrastructure.
Note: PAC files should use system-default encoding: UTF-7 characters (ASCII) are supported, but Unicode is not.
If you have an authenticating proxy and your app is not designed for proxy, enable the Authenticated Proxy option and enter a URL that requires authentication to the proxy for your configuration. Providing this URL allows the app to immediately test the connection path and thus avoid several potential issues with apps that do not support proxy. By authenticating to the proxy early, you can streamline the proxy authentication requests and verify that the proxy configuration is valid.
This list of trusted server certificates applies to CA certificates used to validate URLs requested by the app, not to the Blue Cedar Connect Gateway identity certificate (CA certificate) in the gateway settings.
Select a trust certificate. An integrated app can use SSL (X.509) certificates when establishing an SSL connection with the servers it needs to access.
Valid format: The certificate must be a PEM-encoded certificate file. Apps secured with DER-encoded certificates cannot communicate with the gateway.
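A pre-upload check for the format requirement above, as an added example that is not Blue Cedar's own tooling: it tells PEM from DER by their framing, converts a DER file to the PEM form the gateway settings expect, and rejects a PEM block whose body is not a well-formed DER SEQUENCE. The sample bytes are a constructed stand-in for a certificate, not a real X.509 certificate.

```python
import base64
import re

# Constructed stand-in for a certificate file: a minimal DER SEQUENCE
# (not a real X.509 certificate; only the outer framing is what is checked).
SAMPLE_DER = b"\x30\x03\x02\x01\x05"

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_length(buf: bytes) -> int:
    """Total length of the outer DER SEQUENCE in buf, or -1 if malformed."""
    if len(buf) < 2 or buf[0] != 0x30:  # Certificate ::= SEQUENCE (tag 0x30)
        return -1
    first = buf[1]
    if first < 0x80:  # short form: one length byte
        return 2 + first
    n = first & 0x7F  # long form: n following bytes hold the length
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def classify(data: bytes) -> str:
    """'pem' if a CERTIFICATE block is present, 'der' if the bytes are one
    self-consistent DER SEQUENCE, 'unknown' otherwise."""
    if PEM_RE.search(data):
        return "pem"
    return "der" if der_length(data) == len(data) else "unknown"


def to_pem(data: bytes) -> bytes:
    """Return a normalised PEM file for PEM or DER input (ValueError otherwise).
    DER input is wrapped; PEM input is decoded, checked and re-wrapped."""
    kind = classify(data)
    if kind == "pem":
        body = b"".join(PEM_RE.search(data).group(1).split())
        der = base64.b64decode(body, validate=True)
    elif kind == "der":
        der = data
    else:
        raise ValueError("file is neither a PEM nor a DER certificate")
    if der_length(der) != len(der):
        raise ValueError("certificate body is not a well-formed DER SEQUENCE")
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # RFC 7468 wrap
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")
```

Run `to_pem` over each file before uploading it on the TLS/SSL Certificates tab; a DER file comes back PEM-encoded and a damaged file raises instead of being silently accepted.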