The Microsoft Intune extension provides the option to embed an in-app IKEv2 VPN client when you add Microsoft Intune. The in-app VPN client (also referred to as a Secure Microtunnel) uses an IKEv2 gateway to connect to network-protected resources such as a backend service or application.

  • The in-app VPN client is embedded into the app itself, making the entire secure connectivity aspect transparent to the end user.
  • This IKEv2 gateway can be a third-party gateway (IPSec-based) or the Blue Cedar Connect Gateway.

The Secure Microtunnel has been validated to work with the Cisco ASA gateway but should work with any third-party IKEv2 gateway.

You can also upload one or more trusted SSL (X.509) certificates that an integrated app can then use when establishing an SSL connection with the servers it needs to access.

Prerequisites

Microsoft Intune subscription

An IPSec-based VPN server: either Blue Cedar Connect Gateway or a third-party standards-based IKEv2 VPN server

Stage: App Enhancement
Step: Microsoft Intune


Using this sub-step in a workflow

In the workflow builder for your app:

  • Add the App Enhancement stage
  • Add the Microsoft Intune step to the workflow.
  • Add the Secure Microtunnel sub-step to the Microsoft Intune step.

Secure Microtunnel

The configuration settings for Secure Microtunnel are organized in three sections, shown in the App Enhancement / Microsoft Intune / Secure Microtunnel section of the workflow builder as three tabs:

  • Gateway Settings
  • Proxy Settings
  • TLS/SSL Certificates

Gateway Settings

Option / Description
Gateway Type

Choose one of these options

  • Standards-based IKEv2: A third-party IPSec-based VPN server (such as Cisco ASA, Pulse Secure, and so on)
  • Blue Cedar Connect Gateway: Blue Cedar's IPSec-based virtual gateway
Server Address

A numeric IP address or a fully qualified host name.

If users may be connecting over IPv6 networks, Blue Cedar recommends using a host name instead of an IP address for the Server Address. A host name resolves correctly on both IPv4 and IPv6 networks.

Authentication Method

STANDARDS-BASED IKEV2 GATEWAY ONLY

Username/Password (EAP-MSCHAPv2)

Select this method and upload certificates if your users are connecting to a server that is configured to support your authentication provider and that supports EAP-MSCHAPv2. The app prompts the mobile app user to enter username and password for the configured authentication provider.

When using EAP-MSCHAPv2, you must upload a certificate for the gateway on the TLS/SSL Certificates tab.


Pre-shared key (PSK)

If you select this method, enter the PSK into the "Pre-shared Key (PSK)" field. Blue Cedar automatically and securely embeds the PSK in the app.

If you change the PSK on the VPN gateway after securing the app, then you must run the workflow again with the new PSK and have the end user install the updated app on their device. Otherwise, the existing app fails to work with the gateway.

When using PSK, Blue Cedar recommends using an IP address instead of a host name for the VPN Server Address to protect against DNS poisoning, which is an attack that compromises a DNS name server’s database and reroutes traffic to an incorrect IP address.

Note that using an IP address instead of a host name fails for users on IPv6-only networks.

Advanced
Authentication Group

BLUE CEDAR CONNECT GATEWAY ONLY

To assign a specific gateway-defined auth-group, enter the name of the group. This group must be configured on the virtual gateway. See "Configuring AAA" in the Blue Cedar Connect Gateway documentation.

Upload self-signed CA Certificate

BLUE CEDAR CONNECT GATEWAY ONLY

If your Connect Gateway's identity certificate was issued by a certificate authority (CA) that is not globally trusted, upload the issuer certificate (CA certificate) of that identity certificate. This CA certificate is part of the Connect Gateway's PKI infrastructure: uploading it here includes it in the integration so that the app can validate the gateway's identity certificate.

See "Configuring AAA Public Key Infrastructure" in the Blue Cedar Connect Gateway documentation.

Proxy Settings

Proxy settings allow you to configure how web-based apps choose their path to the requested URLs. Proxy servers can provide security benefits, especially when coupled with a VPN. These details depend on the configuration of your infrastructure.

Proxy option / Description
Automatic

Enter the URL for the proxy auto-config (PAC) file. A .pac file contains JavaScript functions that define how web browsers and other HTTP-based apps can automatically choose the appropriate proxy server for retrieving contents from a given URL.

Note: PAC files should use system-default encoding: UTF-7 characters (ASCII) are supported, but Unicode is not.

Manual
  • Host:
    A fully qualified domain name (FQDN) or the IP address of the proxy server.

    Example: bluecoat.acme.local
  • Port:

    The port number of the HTTP proxy server that the app should use.

    Example: 8080

    Note: You must set both the host name and port number for the proxy server. Otherwise, the HTTP-based app cannot use the proxy server to access HTTP resources.
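As an added example that is not part of the Blue Cedar documentation, a PAC file for the Automatic option that sends internal hosts through the proxy given in the Manual example (bluecoat.acme.local on port 8080) and keeps loopback and bare intranet names direct; the acme.local domain and 10.x address range are assumptions. The helper functions are normally supplied by the PAC runtime and are defined here only so the file also runs stand-alone under Node.

```javascript
// Added example (not Blue Cedar code): a PAC file for the Automatic proxy
// option. bluecoat.acme.local:8080 reuses the page's Manual example values;
// the acme.local suffix and 10.* range are assumptions. Keep the file
// ASCII-only, per the encoding note for PAC files.

// dnsDomainIs(), isPlainHostName() and shExpMatch() are provided by the PAC
// runtime in browsers and proxy-aware apps; minimal versions are defined here
// so the script can be exercised directly under Node.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function shExpMatch(str, pattern) {
  // Translate a shell-style glob ('*' and '?') into an anchored regex.
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function FindProxyForURL(url, host) {
  const h = host.toLowerCase();
  // Loopback and unqualified intranet names never need the proxy.
  if (isPlainHostName(h) || h === "localhost" || shExpMatch(h, "127.*")) {
    return "DIRECT";
  }
  // Internal resources reached through the microtunnel go via the corporate proxy.
  if (dnsDomainIs(h, ".acme.local") || shExpMatch(h, "10.*")) {
    return "PROXY bluecoat.acme.local:8080";
  }
  // Everything else also goes through the proxy. A "; DIRECT" fallback is
  // deliberately omitted: it would let traffic silently bypass the proxy
  // whenever the proxy is unreachable.
  return "PROXY bluecoat.acme.local:8080";
}
```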

Advanced
Authenticated Proxy

Verification URL

If you have an authenticating proxy and your app is not proxy-aware, enable the Authenticated Proxy option and enter a URL that requires authentication to the proxy in your configuration. Providing this URL lets the app test the connection path immediately and so avoid several potential issues with apps that do not support a proxy. By authenticating to the proxy early, you streamline the proxy authentication requests and verify that the proxy configuration is valid.

TLS/SSL Certificates

This list of trusted server certificates applies to CA certificates used to validate URLs requested by the app, not to the Connect Gateway identity certificate (CA certificate) in the gateway settings.

OptionDescription
Upload Certificate

Select a trusted certificate. An integrated app can use SSL (X.509) certificates when establishing an SSL connection with the servers it needs to access.

Valid format: The certificate must be a PEM-encoded certificate file. Apps secured with DER-encoded certificates cannot communicate with the gateway.
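As an added example that is not Blue Cedar code, a small pre-upload check for the PEM requirement above: it classifies a certificate file as PEM or DER and wraps DER as PEM when needed. The DER bytes in the block are a constructed stand-in, not a real certificate, so only the encoding logic is exercised.

```javascript
// Added example (not Blue Cedar code): verify a certificate is PEM-encoded
// before uploading it on the TLS/SSL Certificates tab, converting DER to PEM
// when needed. CONSTRUCTED_DER below is a made-up stand-in, not a real
// certificate; it exercises only the encoding logic.
const PEM_HEADER = "-----BEGIN CERTIFICATE-----";
const PEM_FOOTER = "-----END CERTIFICATE-----";

// Returns "PEM", "DER" or "unknown". A DER certificate is a bare ASN.1
// SEQUENCE, so its first byte is 0x30; PEM is the same bytes base64-encoded
// between BEGIN/END markers. Anything else is rejected rather than guessed.
function certificateEncoding(bytes) {
  const text = Buffer.from(bytes).toString("latin1");
  if (text.includes(PEM_HEADER) && text.includes(PEM_FOOTER)) return "PEM";
  if (bytes.length > 2 && bytes[0] === 0x30) return "DER";
  return "unknown";
}

// Wrap DER bytes as PEM: base64 body in 64-character lines, as OpenSSL writes it.
function derToPem(bytes) {
  const lines = Buffer.from(bytes).toString("base64").match(/.{1,64}/g) || [];
  return [PEM_HEADER, ...lines, PEM_FOOTER].join("\n") + "\n";
}

// Inverse, used to confirm a conversion round-trips without altering the DER.
function pemToDer(pem) {
  const body = pem.split(PEM_HEADER)[1].split(PEM_FOOTER)[0].replace(/\s+/g, "");
  return Buffer.from(body, "base64");
}

// Returns PEM text ready for upload, or throws if the file is neither PEM nor DER.
function prepareForUpload(bytes) {
  const kind = certificateEncoding(bytes);
  if (kind === "PEM") return Buffer.from(bytes).toString("latin1");
  if (kind === "DER") return derToPem(bytes);
  throw new Error("not a PEM or DER certificate; upload a PEM-encoded file");
}

// Constructed DER-like input (SEQUENCE header plus filler), not a real certificate.
const CONSTRUCTED_DER = Buffer.from([
  0x30, 0x82, 0x01, 0x0a, 0x30, 0x81, 0xf2, 0xa0, 0x03, 0x02, 0x01, 0x02,
]);
```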