Secure Connectivity
Use Blue Cedar Connect to enable secure access to corporate data with an in-app VPN that is optimized for mobile environments. When the Blue Cedar Enforce extension is enabled, it provides the option to embed the Blue Cedar Connect in-app VPN client (formerly referred to as a Secure Microtunnel). The in-app VPN client makes it easy for a mobile app to connect to firewalled resources, even if the app is running on an unmanaged device. Blue Cedar Connect in-app VPN is ideal for device environments that are a mix of BYOD and corporate-issued devices, or solely BYOD. The secure connection is transparent to end users, because the connection parameters and destination can be pre-configured in the in-app VPN. An in-app VPN client delivers a superior user experience: the end user simply launches the app to connect to a protected resource.
The configuration settings for Blue Cedar Connect are organized in three sections, shown in the App Enhancement / Blue Cedar Enforce / Protect Data / Secure Connect section of the workflow builder as three tabs:
- Gateway Settings
- Proxy Settings
- TLS/SSL Certificates
Gateway Settings
Option | Description |
---|---|
Gateway Type | Choose one of these options. |
Server Address | A numeric IP address or a fully qualified host name. If users may be on IPv6 networks, Blue Cedar recommends using a host name instead of an IP address for the Server Address, because a host name resolves correctly on both IPv4 and IPv6 networks. |
Authentication Method | Standards-based IKEv2 gateway only. Username/Password (EAP-MSCHAPv2): select this method and upload certificates if your users are connecting to a server that is configured to support your authentication provider and that supports EAP-MSCHAPv2. The app prompts the mobile app user for the username and password of the configured authentication provider. When using EAP-MSCHAPv2, you must upload a certificate for the gateway on the TLS/SSL Certificates tab. Pre-shared key (PSK): if you select this method, enter the PSK into the "Pre-shared Key (PSK)" field. Blue Cedar applies the PSK to the app automatically and securely. If you change the PSK on the VPN gateway after securing the app, you must run the workflow again with the new PSK and have end users install the updated app on their devices; otherwise the existing app fails to work with the gateway. When using PSK, Blue Cedar recommends using an IP address instead of a host name for the VPN Server Address to protect against DNS poisoning, an attack that compromises a DNS name server's database and reroutes traffic to an incorrect IP address. Note that using specific IP addresses fails for users on IPv6-only networks. |
Advanced | |
Authentication Group | Blue Cedar Connect Gateway only. To assign a specific gateway-defined auth-group, enter the name of the group. This group must be configured on the virtual gateway. See "Configuring AAA" in the Blue Cedar Connect Gateway documentation. |
Trusted Certificates Group | |
| (Blue Cedar Connect Gateway, Microsoft Tunnel Gateway) If your Connect Gateway's identity certificate was issued by a certificate authority (CA) that is globally trusted, you can use this default option instead of uploading your CA certificate. |
| (Blue Cedar Connect Gateway, Microsoft Tunnel Gateway) If your Connect Gateway's identity certificate was issued by a certificate authority (CA) that is not globally trusted, upload the issuer certificate (CA certificate) of that identity certificate. This CA certificate is part of the Connect Gateway's PKI infrastructure: uploading it here includes it in the integration so that the app can validate the server's trust. If the trusted mobile device CA certificate store is being used, you can also upload a CA as an intermediate certificate. See "Configuring AAA Public Key Infrastructure" in the Blue Cedar Connect Gateway documentation. |
Proxy Settings
Proxy settings allow you to configure how web-based apps choose their path to the requested URLs. Proxy servers can provide security benefits, especially when coupled with a VPN. These details depend on the configuration of your infrastructure.
Proxy option | Description |
---|---|
Automatic | Enter the URL of the proxy auto-config (PAC) file. A .pac file contains JavaScript functions that define how web browsers and other HTTP-based apps automatically choose the appropriate proxy server for retrieving content from a given URL. Note: PAC files should use the system-default encoding: UTF-7 characters (ASCII) are supported, but Unicode is not. |
Manual | |
Advanced | |
Authenticated Proxy | Verification URL: if you have an authenticating proxy and your app is not designed for proxies, enable the Authenticated Proxy option and enter a URL that requires authentication to the proxy in your configuration. Providing this URL lets the app test the connection path immediately and so avoid several potential issues with apps that do not support proxies. By authenticating to the proxy early, you streamline the proxy authentication requests and verify that the proxy configuration is valid. |
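The following PAC file is an added example, not one shipped by Blue Cedar or quoted from its documentation; the hostnames and proxy addresses in it are placeholders. It shows the FindProxyForURL function that every PAC file defines for the Automatic option above, together with minimal stand-ins for the helper functions (dnsDomainIs, isPlainHostName, shExpMatch) that browsers and HTTP stacks normally supply, so the routing rules can be exercised offline in Node.js. A file you actually deploy contains only FindProxyForURL and, per the note above, should be plain ASCII.

```javascript
// Added example PAC logic (not from the Blue Cedar documentation).
// Browsers and HTTP stacks that load a PAC file supply dnsDomainIs,
// isPlainHostName and shExpMatch; they are not defined in Node.js, so
// minimal equivalents are included here purely to run the example offline.
function dnsDomainIs(host, domain) {
  // True when host ends with the given domain suffix (including the dot).
  return host.length >= domain.length && host.endsWith(domain);
}
function isPlainHostName(host) {
  // True for names without a domain part, e.g. "intranet".
  return host.indexOf(".") === -1;
}
function shExpMatch(str, pattern) {
  // Shell-style glob: * matches any run of characters, ? matches one.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
  return re.test(str);
}

// Entry point every PAC file must define. Returns a proxy directive such as
// "PROXY host:port" or "DIRECT"; alternatives separated by ";" are tried in
// order if the earlier one is unreachable.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Loopback traffic never goes through a proxy.
  if (shExpMatch(host, "localhost") || shExpMatch(host, "127.*")) {
    return "DIRECT";
  }
  // Resources named without a domain suffix, or inside the corporate domain
  // (placeholder corp.example.com), go through the internal proxy that is
  // reachable over the in-app VPN, with a direct fallback.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example.com")) {
    return "PROXY proxy-internal.corp.example.com:8080; DIRECT";
  }
  // Everything else uses the outbound web proxy (placeholder address).
  return "PROXY proxy-web.example.com:3128; DIRECT";
}
```

Because the app evaluates FindProxyForURL for every request, keep the rules few and deterministic: a rule that depends on DNS lookups (isInNet, dnsResolve) adds latency on every URL and behaves differently on IPv6-only networks.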
TLS/SSL Certificates
This list of trusted server certificates applies to CA certificates used to validate URLs requested by the app, not to the Blue Cedar Connect Gateway identity certificate (CA certificate) in the gateway settings.
Option | Description |
---|---|
Upload Certificate | Select a trusted certificate to upload. An integrated app can use SSL (X.509) certificates when establishing an SSL connection with the servers it needs to access. Valid format: the certificate must be a PEM-encoded certificate file. Apps secured with DER-encoded certificates cannot communicate with the gateway. |
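Because a DER-encoded file is silently the wrong format for this tab, a pre-upload check is worth having. The Node.js snippet below is an added example, not Blue Cedar's code: it classifies a file as PEM or DER by structure (PEM armor wrapping base64; DER starting with the ASN.1 SEQUENCE tag 0x30), converts DER to PEM, and rejects anything else. It does not parse or validate the certificate itself. The SAMPLE_DER bytes are a constructed minimal ASN.1 SEQUENCE, not a real certificate, included only so the checks run offline.

```javascript
// Added example (not from Blue Cedar): structural PEM/DER check before upload.
const PEM_HEADER = "-----BEGIN CERTIFICATE-----";
const PEM_FOOTER = "-----END CERTIFICATE-----";

// Classifies file bytes as "PEM", "DER" or "UNKNOWN".
// A DER certificate begins with the SEQUENCE tag 0x30; a PEM file is ASCII
// text whose base64 body decodes to those same DER bytes.
function detectCertEncoding(bytes) {
  const text = bytes.toString("latin1");
  const start = text.indexOf(PEM_HEADER);
  const end = text.indexOf(PEM_FOOTER);
  if (start !== -1 && end > start) {
    const body = text.slice(start + PEM_HEADER.length, end).replace(/\s+/g, "");
    if (body.length > 0 && /^[A-Za-z0-9+/]*={0,2}$/.test(body)) {
      const der = Buffer.from(body, "base64");
      if (der.length > 0 && der[0] === 0x30) return "PEM";
    }
    return "UNKNOWN"; // PEM armor around something that is not DER
  }
  if (bytes.length > 1 && bytes[0] === 0x30) return "DER";
  return "UNKNOWN";
}

// Wraps DER bytes in PEM armor with the conventional 64-character lines.
function derToPem(der) {
  const lines = der.toString("base64").match(/.{1,64}/g) || [];
  return [PEM_HEADER, ...lines, PEM_FOOTER].join("\n") + "\n";
}

// Returns PEM text ready for the Upload Certificate option, converting DER
// input; throws so an unusable file is caught before the workflow runs.
function preparePemForUpload(bytes) {
  switch (detectCertEncoding(bytes)) {
    case "PEM":
      return bytes.toString("latin1");
    case "DER":
      return derToPem(bytes);
    default:
      throw new Error("file is neither a PEM nor a DER certificate");
  }
}

// Constructed sample: SEQUENCE { INTEGER 1 }. Not a certificate; it only
// exercises the encoding logic without needing a real key pair.
const SAMPLE_DER = Buffer.from([0x30, 0x03, 0x02, 0x01, 0x01]);

module.exports = { detectCertEncoding, derToPem, preparePemForUpload, SAMPLE_DER };
```

In practice you would read the chosen file with fs.readFileSync and pass the Buffer to preparePemForUpload; a real DER certificate converted this way is byte-for-byte what a PEM export from the issuing CA would contain, so the gateway trust decision is unchanged, only the container format.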