Blue Cedar Connect for Microsoft Intune

Secure Connectivity

The Microsoft Intune extension provides the option to embed an in-app IKEv2 VPN client when you add Microsoft Intune. The in-app VPN client (also referred to as Blue Cedar Connect) uses an IKEv2 gateway to connect to network-protected resources such as a backend service or application.

The in-app VPN client is embedded into the app itself, making the entire secure connectivity aspect transparent to the end user.
This IKEv2 gateway can be a third party gateway (IPSec based) or the Blue Cedar Connect Gateway.

Blue Cedar Connect has been validated to work with the Cisco ASA gateway but should work with any 3rd-party IKEv2 gateway.

You can also upload one or more trusted SSL (X.509) certificates that an integrated app can then use when establishing an SSL connection with the servers it needs to access.

Prerequisites

Microsoft Intune subscription

An IPSec-based VPN server: either Blue Cedar Connect Gateway or a third party standards-based IKEv2 VPN server

Stage

App Enhancement

Step

Microsoft Intune

Using this step in a workflow

In the workflow builder for your app:

Add the App Enhancement stage
Add the Microsoft Intune step to the workflow.
Add the Blue Cedar Connect step to the Microsoft Intune step.

Blue Cedar Connect

The configuration settings for Blue Cedar Connect are organized in three option tabs, shown in the App Enhancement / Microsoft Intune / Secure Conectivity section of the workflow builder:

Gateway
Proxy
TLS/SSL Certificates

Gateway Settings

Option	Description
Gateway Type	Choose one of these options None Blue Cedar Connect Gateway: Blue Cedar's IPSec-based virtual gateway Standards-based IKEv2: A third party IPSec-based VPN server (such as Cisco ASA, Pulse Secure, and so on)
Server Address	A numeric IP address or a fully qualified host name. If users may be using IPv6 networks, Blue Cedar recommends using a host name instead of an IP address for the Server Address. Using a host name allows the address to resolve itself on either IPv4 or IPv6 networks correctly.
Authentication Method	STANDARDS-BASED IKEV2 GATEWAY ONLY Username/Password (EAP-MSCHAPv2) Select this method and upload certificates if your users are connecting to a server that is configured to support your authentication provider and that supports EAP-MSCHAPv2. The app prompts the mobile app user to enter username and password for the configured authentication provider. When using EAP-MSCHAPv2, you must upload a certificate for the gateway on the TLS/SSL Certificates tab. Pre-shared key (PSK) If you select this method, enter the PSK into the "Pre-shared Key (PSK)" field. Blue Cedar automatically securely applies the PSK to the app. If you change the PSK on the VPN gateway after securing the app, then you must run the workflow again with the new PSK and have the end user install the updated app on their device. Otherwise, the existing app fails to work with the gateway. When using PSK, Blue Cedar recommends using an IP address instead of a host name for the VPN Server Address to protect against DNS poisoning, which is an attack that compromises a DNS name server’s database and reroutes traffic to an incorrect IP address. Note that using specific IP addresses fails for users on IPv6-only networks.
Advanced
Authentication Group	BLUE CEDAR CONNECT GATEWAY ONLY To assign a specific gateway-defined auth-group, enter the name of the group. This group must be configured on the virtual gateway. See "Configuring AAA" in the Blue Cedar Connect Gateway documentation.
Trusted Certificates Group
Trust mobile device CA certificate store	BLUE CEDAR CONNECT GATEWAY. MICROSOFT TUNNEL GATEWAY If your Connect Gateway's identity certificate was issued by a certificate authority (CA) that is not globally trusted, upload the Issuer certificate (CA certificate) of that identity certificate. This CA certificate is part of the Connect Gateway's PKI infrastructure: uploading it here includes it in the integration so that the app can validate the server's trust.
Upload self-signed CA Certificate	BLUE CEDAR CONNECT GATEWAY. MICROSOFT TUNNEL GATEWAY If your Connect Gateway's identity certificate was issued by a certificate authority (CA) that is not globally trusted, upload the Issuer certificate (CA certificate) of that identity certificate. This CA certificate is part of the Connect Gateway's PKI infrastructure: uploading it here includes it in the integration so that the app can validate the server's trust. If the trusted mobile device CA certificate store is being used, you can also upload a CA as an intermediate certificate. See "Configuring AAA Public Key Infrastructure" in the Blue Cedar Connect Gateway documentation.

Proxy Settings

Proxy settings allow you to configure how web-based apps choose their path to the requested URLs. Proxy servers can provide security benefits, especially when coupled with a VPN. These details depend on the configuration of your infrastructure.

Proxy option	Description
Automatic	Enter the URL for the proxy auto-config (PAC) file. A .pac file contains JavaScript functions that define how web browsers and other HTTP-based apps can automatically choose the appropriate proxy server for retrieving contents from a given URL. Note: PAC files should use system-default encoding: UTF-7 characters (ASCII) are supported, but Unicode is not.
Manual	Host: A fully qualified domain name (FQDN) or the IP address of the proxy server. Example: bluecoat.acme.local Port: The port number of the HTTP proxy server that the app should use. Example: 8080 Note: You must set both the host name and port number for the proxy server. Otherwise, the HTTP-based app cannot use the proxy server to access HTTP resources.
Advanced
Authenticated Proxy	Verification URL If you have an authenticating proxy and your app is not designed for proxy, enable the Authenticated Proxy option and enter a URL that requires authentication to the proxy for your configuration. Providing this URL allows the app to immediately test the connection path and thus avoid several potential issues with apps that do not support proxy. By authenticating to the proxy early, you can streamline the proxy authentication requests and verify that the proxy configuration is valid.

TLS/SSL Certificates

This list of trusted server certificates applies to CA certificates used to validate URLs requested by the app, not to the Connect Gateway identity certificate (CA certificate) in the gateway settings.

Option

Description

Upload Certificate

Select a trust certificate. An integrated app can use SSL (X.509) certificates when establishing an SSL connection with the servers it needs to access.

Valid format: The certificate must be a PEM-encoded certificate file. Apps secured with DER-encoded certificates cannot communicate with the gateway.