The Microsoft Intune extension provides the option to embed an in-app IKEv2 VPN client when you add Microsoft Intune. The in-app VPN client (also referred to as a Secure Microtunnel) uses an IKEv2 gateway to connect to network-protected resources such as a backend service or application.
- The in-app VPN client is embedded into the app itself, making the entire secure connectivity aspect transparent to the end user.
- This IKEv2 gateway can be a third-party gateway (IPsec based) or the Blue Cedar Connect Gateway.
The Secure Microtunnel has been validated to work with the Cisco ASA gateway but should work with any third-party IKEv2 gateway.
You can also upload one or more trusted SSL (X.509) certificates that an integrated app can then use when establishing an SSL connection with the servers it needs to access.
- Microsoft Intune subscription
- An IPsec-based VPN server: either Blue Cedar Connect Gateway or a third-party standards-based IKEv2 VPN server
Using this sub-step in a workflow
In the workflow builder for your app:
- Add the App Enhancement stage
- Add the Microsoft Intune step to the workflow.
- Add the Secure Microtunnel sub-step to the Microsoft Intune step.
The configuration settings for Secure Microtunnel are organized in three sections, shown in the App Enhancement / Microsoft Intune / Secure Microtunnel section of the workflow builder as three tabs:
- Gateway Settings
- Proxy Settings
- TLS/SSL Certificates
Choose one of these options
Server Address: A numeric IP address or a fully qualified host name.
If users may be on IPv6 networks, Blue Cedar recommends using a host name instead of an IP address for the Server Address. A host name can be resolved correctly on either IPv4 or IPv6 networks.
STANDARDS-BASED IKEV2 GATEWAY ONLY
Select this method and upload certificates if your users are connecting to a server that is configured to support your authentication provider and that supports EAP-MSCHAPv2. The app prompts the mobile app user to enter a username and password for the configured authentication provider.
When using EAP-MSCHAPv2, you must upload a certificate for the gateway on the TLS/SSL Certificates tab.
Pre-shared key (PSK)
If you select this method, enter the PSK into the "Pre-shared Key (PSK)" field. Blue Cedar automatically and securely applies the PSK to the app.
If you change the PSK on the VPN gateway after securing the app, then you must run the workflow again with the new PSK and have the end user install the updated app on their device. Otherwise, the existing app fails to work with the gateway.
When using PSK, Blue Cedar recommends using an IP address instead of a host name for the VPN Server Address to protect against DNS poisoning, which is an attack that compromises a DNS name server’s database and reroutes traffic to an incorrect IP address.
Note that using specific IP addresses fails for users on IPv6-only networks.
BLUE CEDAR CONNECT GATEWAY ONLY
To assign a specific gateway-defined auth-group, enter the name of the group. This group must be configured on the virtual gateway. See "Configuring AAA" in the Blue Cedar Connect Gateway documentation.
Upload self-signed CA Certificate
BLUE CEDAR CONNECT GATEWAY ONLY
If your Connect Gateway's identity certificate was issued by a certificate authority (CA) that is not globally trusted, upload the issuer certificate (CA certificate) of that identity certificate. This CA certificate is part of the Connect Gateway's PKI infrastructure: uploading it here includes it in the integration so that the app can validate the gateway's identity certificate against it.
See "Configuring AAA Public Key Infrastructure" in the Blue Cedar Connect Gateway documentation.
Proxy settings allow you to configure how web-based apps choose their path to the requested URLs. Proxy servers can provide security benefits, especially when coupled with a VPN. These details depend on the configuration of your infrastructure.
Note: PAC files should use system-default encoding: UTF-7 characters (ASCII) are supported, but Unicode is not.
If you have an authenticating proxy and your app is not proxy-aware, enable the Authenticated Proxy option and enter a URL that requires authentication to the proxy in your configuration. Providing this URL allows the app to test the connection path immediately and thus avoid several potential issues with apps that do not support proxies. By authenticating to the proxy early, you streamline the proxy authentication requests and verify that the proxy configuration is valid.
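The PAC encoding note above is easy to violate by accident (an editor that saves with a UTF-8 byte-order mark, or a smart dash in a comment). The following pre-flight check is an added example, not Blue Cedar's own code; it assumes "system-default encoding" means plain 7-bit ASCII bytes, and the two PAC files are constructed samples.

```python
import re

# Constructed sample PAC file (ASCII only) with a standard FindProxyForURL entry point.
GOOD_PAC = b"""function FindProxyForURL(url, host) {
    // Send internal hosts direct, everything else via the proxy
    if (shExpMatch(host, "*.corp.example")) return "DIRECT";
    return "PROXY proxy.corp.example:8080; DIRECT";
}
"""

# The same script saved with a UTF-8 BOM and an en dash (U+2013) in the comment.
BAD_PAC = b"\xef\xbb\xbf" + GOOD_PAC.replace(b"// Send", b"// Send \xe2\x80\x93")

UTF8_BOM = b"\xef\xbb\xbf"


def check_pac(data: bytes) -> list:
    """Return a list of problems; an empty list means the PAC file passes."""
    problems = []
    if data.startswith(UTF8_BOM):
        problems.append("file starts with a UTF-8 byte-order mark")
        data = data[len(UTF8_BOM):]  # scan the rest without re-reporting the BOM
    for lineno, line in enumerate(data.splitlines(), start=1):
        for col, byte in enumerate(line, start=1):
            if byte > 0x7F:  # anything outside 7-bit ASCII
                problems.append(
                    f"non-ASCII byte 0x{byte:02x} at line {lineno}, column {col}"
                )
                break  # one report per line is enough to locate the edit
    if not re.search(rb"function\s+FindProxyForURL\s*\(", data):
        problems.append("no FindProxyForURL(url, host) entry point found")
    return problems


def pac_is_valid(data: bytes) -> bool:
    return not check_pac(data)


if __name__ == "__main__":
    for name, pac in (("good", GOOD_PAC), ("bad", BAD_PAC)):
        print(name, check_pac(pac) or "OK")
```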
This list of trusted server certificates applies to CA certificates used to validate URLs requested by the app, not to the Connect Gateway identity certificate (CA certificate) in the gateway settings.
Select a trusted certificate. An integrated app can use SSL (X.509) certificates when establishing an SSL connection with the servers it needs to access.
Valid format: The certificate must be a PEM-encoded certificate file. Apps secured with DER-encoded certificates cannot communicate with the gateway.
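Because a DER file uploaded by mistake breaks the app's connectivity, it is worth checking the file before uploading. The following helper is an added example, not Blue Cedar's code: it tells PEM from DER, converts DER to PEM, and confirms that a PEM file holds only CERTIFICATE blocks. The DER sample is a constructed minimal ASN.1 SEQUENCE placeholder, not a real certificate.

```python
import base64
import re
import textwrap

# Constructed placeholder: a minimal ASN.1 SEQUENCE (0x30), not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def detect_encoding(data: bytes) -> str:
    """Classify an uploaded file as 'pem', 'der' or 'unknown'."""
    if b"-----BEGIN " in data:
        return "pem"
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes as a PEM CERTIFICATE block (base64 in 64-character lines)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body.encode("ascii") + b"\n-----END CERTIFICATE-----\n"


def check_cert_upload(data: bytes) -> list:
    """Return problems with a file about to be uploaded as a trusted certificate."""
    kind = detect_encoding(data)
    if kind == "der":
        return ["DER-encoded: convert to PEM before uploading"]
    if kind != "pem":
        return ["not a recognised certificate file"]
    problems = []
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        problems.append("PEM header found but no complete BEGIN/END block")
    for label, body in blocks:
        if label != b"CERTIFICATE":
            # Keys or CSRs do not belong in a trust store upload.
            problems.append(f"unexpected PEM block type {label.decode()}")
        try:
            decoded = base64.b64decode(re.sub(rb"\s+", b"", body), validate=True)
        except (ValueError, base64.binascii.Error):
            problems.append("PEM body is not valid base64")
            continue
        if decoded[:1] != b"\x30":
            problems.append("decoded PEM body is not an ASN.1 SEQUENCE")
    return problems
```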