VPN device policy

2024-11-13

The VPN device policy configures virtual private network (VPN) settings that enable user devices to connect securely to corporate resources. You can configure the VPN device policy for the following platforms. Each platform requires a different set of values, which are described in detail in this article.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

Note:

Citrix SSO for Android and iOS are now called Citrix Secure Access. We are updating our documentation to reflect this name change.

Requirements for per-app VPNs

You configure the per-app VPN feature for the following platforms through VPN policies:

  • iOS
  • macOS
  • Android (legacy DA)

For Android Enterprise, use the Managed configurations device policy to configure VPN profiles.

Per-app VPN options are available for certain connection types. The following table indicates when per-app VPN options are available.

Platform | Connection type | Remark
iOS | Cisco Legacy AnyConnect, Juniper SSL, F5 SSL, SonicWALL Mobile Connect, Ariba VIA, Citrix SSO, Custom SSL. |
macOS | Cisco AnyConnect, Juniper SSL, F5 SSL, SonicWALL Mobile Connect, Ariba, Custom SSL. |
Android (legacy DA) | Citrix SSO |

To create a per-app VPN for iOS and Android (legacy DA) devices using the Citrix SSO app, you need to do extra steps, in addition to the VPN policy configuration. Also, you must verify that the following prerequisites are met:

  • On-premises NetScaler Gateway
  • The following applications are installed on the device:
    • Citrix SSO
    • Citrix Secure Hub

A general workflow to configure a per-app VPN for iOS and Android devices using the Citrix SSO app is as follows:

  1. Configure the VPN device policy as described in this article.

  2. Configure Citrix ADC to accept traffic from the per-app VPN. For details, see Full VPN setup on NetScaler Gateway.

iOS settings

The Citrix VPN connection type in the VPN device policy for iOS doesn’t support iOS 12. Do these steps to delete your existing VPN device policy and create a VPN device policy with the Citrix SSO connection type:

  1. Delete your VPN device policy for iOS.
  2. Add a VPN device policy for iOS with the following settings:
    • Connection type: Citrix SSO
    • Enable per-app VPN: On
    • Provider type: Packet tunnel
  3. Add an App Attributes device policy for iOS. For Per-app VPN identifier, choose iOS_VPN.

  • Connection: Type a name for the connection.
  • Connection type: In the list, select the protocol to be used for this connection. The default is L2TP.

    • L2TP: Layer 2 Tunneling Protocol with pre-shared key authentication.
    • PPTP: Point-to-Point Tunneling.
    • IPSec: Your corporate VPN connection.
    • Cisco Legacy AnyConnect: This connection type requires that the Cisco Legacy AnyConnect VPN client is installed on the user device. Cisco is phasing out the Cisco Legacy AnyConnect client that was based on a now deprecated VPN framework.

      To use the current Cisco AnyConnect client, use a Connection type of Custom SSL. For the required settings, see the “Configure Custom SSL protocol” section.

    • Juniper SSL: Juniper Networks SSL VPN client.
    • F5 SSL: F5 Networks SSL VPN client.
    • SonicWALL Mobile Connect: Dell unified VPN client for iOS.
    • Ariba VIA: Ariba Networks Virtual Internet Access client.
    • IKEv2 (iOS only): Internet Key Exchange version 2 for iOS only.
    • AlwaysOn IKEv2: Always-on access using IKEv2.
    • AlwaysOn IKEv2 Dual Configuration: Always-on access using IKEv2 dual configuration.
    • Citrix SSO: Citrix SSO client for iOS 12 and later.
    • Custom SSL: Custom Secure Socket Layer. This connection type is required for the Cisco AnyConnect client that has a bundle ID of com.cisco.anyconnect. For Connection, specify Cisco AnyConnect. You can also deploy the VPN policy and enable a Network Access Control (NAC) filter for iOS devices. The filter blocks a VPN connection for devices that have non-compliant apps installed. The configuration requires specific settings for the iOS VPN policy as described in the following iOS section. For more information about other settings required to enable the NAC filter, see Network Access Control.

The following sections list the configuration options for each of the preceding connection types.

Configure L2TP Protocol for iOS

  • Server IP address: Type the server IP address for the VPN server.
  • User Account: Type an optional user account.
  • Select either Password authentication or RSA SecurID authentication.
  • Shared secret: Type the IPsec shared secret key.
  • Send all traffic: Select whether to send all traffic over the VPN. The default is Off.

Configure PPTP Protocol for iOS

  • Server IP address: Type the server IP address for the VPN server.
  • User Account: Type an optional user account.
  • Select either Password authentication or RSA SecurID authentication.
  • Encryption level: In the list, select an encryption level. The default is None.

    • None: Use no encryption.
    • Automatic: Use the strongest encryption level supported by the server.
    • Maximum (128-bit): Use 128-bit encryption.
  • Send all traffic: Select whether to send all traffic over the VPN. The default is Off.

Configure IPsec Protocol for iOS

  • Server IP address: Type the server IP address for the VPN server.
  • User Account: Type an optional user account.
  • Authentication type for the connection: In the list, select either Shared Secret or Certificate for the type of authentication for this connection. The default is Shared Secret.
  • If you enable Shared Secret, configure these settings:
    • Group: Type an optional group name.
    • Shared secret: Type an optional shared secret key.
    • Use hybrid authentication: Select whether to use hybrid authentication. With hybrid authentication, the server first authenticates itself to the client, and then the client authenticates itself to the server. The default is Off.
    • Prompt for password: Select whether to prompt users for their passwords when they connect to the network. The default is Off.
  • If you enable Certificate, configure these settings:
    • Identity credential: In the list, select the identity credential to use. The default is None.
    • Prompt for PIN when connecting: Select whether to require users to enter their PIN when connecting to the network. The default is Off.
    • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off.
  • On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
  • Safari domains: Click Add to add a Safari domain name.

Configure Cisco legacy AnyConnect Protocol for iOS

To transition from the Cisco Legacy AnyConnect client to the new Cisco AnyConnect client, use the Custom SSL protocol.

  • Provider bundle identifier: For the Legacy AnyConnect client, the bundle ID is com.cisco.anyconnect.gui.
  • Server IP address: Type the server IP address for the VPN server.
  • User Account: Type an optional user account.
  • Group: Type an optional group name.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.

    • If you enable Password, type an optional authentication password in the Authentication password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Include All Networks: Select whether to allow all networks to use this connection. The default is Off.
  • Exclude Local Networks: Select whether to exclude local networks from using the connection or to allow the networks. The default is Off.
  • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:

    • On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service start network communication. The default is Off.
    • Provider type: Select whether the per-app VPN is provided as an App proxy or as a Packet tunnel. The default is App proxy.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:

      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure Juniper SSL Protocol for iOS

  • Provider bundle identifier: If your per-app VPN profile has the bundle identifier of an app with multiple VPN providers of the same type, specify the provider to use here.
  • Server IP address: Type the server IP address for the VPN server.
  • User account: Type an optional user account.
  • Realm: Type an optional realm.
  • Role: Type an optional role.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.

    • If you enable Password, type an optional authentication password in the Authentication password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:

    • On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Provider type: Select whether the per-app VPN is provided as an App proxy or as a Packet tunnel. The default is App proxy.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:

      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure F5 SSL Protocol for iOS

  • Provider bundle identifier: If your per-app VPN profile has the bundle identifier of an app with multiple VPN providers of the same type, specify the provider to use here.
  • Server IP address: Type the server IP address for the VPN server.
  • User Account: Type an optional user account.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.

    • If you enable Password, type an optional authentication password in the Authentication password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:

    • On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication.
    • Provider type: Select whether the per-app VPN is provided as an App proxy or as a Packet tunnel. The default is App proxy.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:

      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure SonicWALL Protocol for iOS

  • Provider bundle identifier: If your per-app VPN profile has the bundle identifier of an app with multiple VPN providers of the same type, specify the provider to use here.
  • Server IP address: Type the server IP address for the VPN server.
  • User Account: Type an optional user account.
  • Logon group domain: Type an optional logon group domain.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.

    • If you enable Password, type an optional authentication password in the Authentication password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you set this option to On, configure these settings:

    • On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication.
    • Provider type: Select whether the per-app VPN is provided as an App proxy or as a Packet tunnel. The default is App proxy.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:

      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure Ariba VIA protocol for iOS

  • Provider bundle identifier: If your per-app VPN profile has the bundle identifier of an app with multiple VPN providers of the same type, specify the provider to use here.
  • Server IP address: Type the server IP address for the VPN server.
  • User Account: Type an optional user account.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.

    • If you enable Password, type an optional authentication password in the Authentication password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:

    • On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:

      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure IKEv2 protocols for iOS

This section includes settings used for the IKEv2, Always On IKEv2, and Always On IKEv2 Dual Configuration protocols. For the Always On IKEv2 Dual Configuration protocol, configure all these settings for both Cellular and Wi-Fi networks.

  • Allow user to disable automatic connection: For the Always On protocols. Select whether to allow users to disable automatic connection to the network on their devices. The default is Off.

  • Host name or IP address for server: Type the server IP address for the VPN server.

  • Local Identifier: The FQDN or IP address for the IKEv2 client. This field is required.

  • Remote Identifier: The FQDN or IP address for the VPN server. This field is required.

  • Device Authentication: Choose Shared Secret, Certificate, or Device Certificate Based on Device Identifier for the type of authentication for this connection. The default is Shared Secret.

    • If you choose Shared Secret, type an optional shared secret key.

    • If you choose Certificate, choose an Identity credential to use. The default is None.

    • If you choose Device Certificate Based on Device Identifier, choose the Device identity type to use. The default is IMEI. To use this option, bulk import certificates using the REST API. See Upload certificates in bulk using the REST API. Only available when you select Always On IKEv2.

  • Extended Authentication Enabled: Select whether to enable Extended Authentication Protocol (EAP). If On, type the User account and Authentication password.

  • Dead Peer Detection Interval: Choose how often a peer device is contacted to make sure that the peer device stays reachable. The default is None. Options are:

    • None: Disable dead peer detection.

    • Low: Contacts peer every 30 minutes.

    • Medium: Contacts peer every 10 minutes.

    • High: Contacts peer every 1 minute.

  • Disable Mobility and Multihoming: Choose whether to disable this feature.

  • Use IPv4/IPv6 internal subnet attributes: Choose whether to enable this feature.

  • Disable redirects: Choose whether to disable redirects.

  • Enable Fallback: If enabled, this setting allows a tunnel over cellular data to carry traffic that is eligible for Wi-Fi Assist and requires a VPN. The default is Off.

  • Enable NAT keepalive while the device is asleep: For the Always On protocols. Keepalive packets maintain NAT mappings for IKEv2 connections. The chip sends these packets at regular intervals when the device is awake. If this setting is on, the chip sends keepalive packets even while the device is asleep. The default interval is 20 seconds over Wi-Fi and 110 seconds over cellular. You can change the interval by using the NAT keepalive interval parameter.

  • NAT keepalive Interval (seconds): Defaults to 20 seconds.

  • Enable Perfect Forward Secrecy: Choose whether to enable this feature.

  • DNS server IP addresses: Optional. A list of DNS server IP address strings. These IP addresses can include a mixture of IPv4 and IPv6 addresses. Click Add to type an address.

  • Domain name: Optional. The primary domain of the tunnel.

  • Search domains: Optional. A list of domain strings used to fully qualify single-label host names.

  • Append supplemental match domains to resolver’s list: Optional. Determines whether to add the supplemental match domains list to the resolver’s list of search domains. The default is On.

  • Supplemental match domains: Optional. A list of domain strings used to determine which DNS queries are to use the DNS resolver settings that are in the DNS server addresses. This key creates a split DNS configuration where only hosts in certain domains get resolved by using the DNS resolver of the tunnel. Hosts not in one of the domains in this list get resolved by using the default resolver of the system.

    If this parameter has an empty string, then that string is the default domain. As a result, a split tunnel configuration can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel is the default route for the network, the listed DNS servers become the default resolver. In that case, the supplemental match domains list is ignored.

  • IKE SA Parameters and Child SA Parameters: Configure these settings for each Security Association (SA) parameters option:

    • Encryption Algorithm: In the list, select the IKE encryption algorithm to use. The default is 3DES.

    • Integrity Algorithm: In the list, select the integrity algorithm to use. The default is SHA-256.

    • Diffie Hellman Group: In the list, select the Diffie Hellman group number. The default is 2.

    • ike LifeTime in Minutes: Type an integer between 10 and 1440 representing the SA lifetime (rekey interval). The default is 1440 minutes.

  • Service Exceptions: For the Always On protocols. Service exceptions are system services that are exempt from Always On VPN. Configure these service exceptions settings:

    • Voice Mail: In the list, select how to handle the voice mail exception. The default is Allow traffic via tunnel.

    • AirPrint: In the list, select how to handle the AirPrint exception. The default is Allow traffic via tunnel.

    • Allow traffic from captive web sheet outside the VPN tunnel: Select whether to allow users to connect to public hotspots outside the VPN tunnel. The default is Off.

    • Allow traffic from captive networking apps outside the VPN tunnel: Select whether to allow all hotspot networking apps outside the VPN tunnel. The default is Off.

    • Captive networking app bundle identifiers: For each hotspot networking app bundle identifier that users are allowed to access, click Add and type the hotspot networking app Bundle Identifier. Click Save to save the app bundle identifier.

  • Per-app VPN: Configure these settings for IKEv2 connection types.

    • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off.
    • On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Safari domains: Click Add to add a Safari domain name.
  • Proxy configuration: Choose how the VPN connection routes through a proxy server. The default is None.
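
The IKE SA and Child SA defaults listed above (3DES, Diffie Hellman group 2) are weak by current standards, so it is worth checking the profile a policy actually produces. The following is an added example, not Citrix or Apple code: it parses a plain IKEv2 payload from an iOS configuration profile with Python's plistlib and flags weak parameters. The sample profile is constructed, the thresholds are assumptions, and a missing key is assumed to take the default this page lists.

```python
import plistlib

# Defaults this page lists for the IKE SA / Child SA settings, written with the
# value names Apple uses in configuration profiles. Treating a missing key as
# the page default is an assumption of this example.
PAGE_DEFAULTS = {
    "EncryptionAlgorithm": "3DES",
    "IntegrityAlgorithm": "SHA2-256",
    "DiffieHellmanGroup": 2,
    "LifeTimeInMinutes": 1440,
}

# Review thresholds (assumptions; align them with your own crypto baseline).
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}
MIN_DH_GROUP = 14

# Constructed sample: the IKE SA is set explicitly, while the Child SA and
# EnablePFS keys are omitted.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>UserDefinedName</key><string>Corp IKEv2</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>vpn.example.com</string>
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key><string>AES-256</string>
          <key>IntegrityAlgorithm</key><string>SHA2-256</string>
          <key>DiffieHellmanGroup</key><integer>14</integer>
        </dict>
      </dict>
    </dict>
  </array>
</dict>
</plist>"""


def audit_sa(label, params):
    """Return findings for one Security Association parameter dictionary."""
    merged = {**PAGE_DEFAULTS, **(params or {})}
    findings = []
    if merged["EncryptionAlgorithm"] in WEAK_ENCRYPTION:
        findings.append(f"{label}: weak encryption {merged['EncryptionAlgorithm']}")
    if merged["IntegrityAlgorithm"] in WEAK_INTEGRITY:
        findings.append(f"{label}: weak integrity {merged['IntegrityAlgorithm']}")
    if int(merged["DiffieHellmanGroup"]) < MIN_DH_GROUP:
        findings.append(
            f"{label}: Diffie Hellman group {merged['DiffieHellmanGroup']} "
            f"is below {MIN_DH_GROUP}"
        )
    return findings


def audit_profile(raw):
    """Audit every plain IKEv2 VPN payload in a configuration profile (bytes)."""
    profile = plistlib.loads(raw)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        if payload.get("VPNType") != "IKEv2":
            continue  # Always On payloads nest their settings differently
        name = payload.get("UserDefinedName", "<unnamed>")
        ike = payload.get("IKEv2", {})
        for key, label in (
            ("IKESecurityAssociationParameters", "IKE SA"),
            ("ChildSecurityAssociationParameters", "Child SA"),
        ):
            findings += audit_sa(f"{name} {label}", ike.get(key))
        if not ike.get("EnablePFS"):
            findings.append(f"{name}: Perfect Forward Secrecy is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```

Setting only the IKE SA values leaves the Child SA on its defaults, which is why the sample still produces findings.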

Configure Citrix SSO protocol for iOS

The Citrix SSO client is available in the Apple Store.

  • Server IP address: Type the server IP address for the VPN server.
  • User Account: Type an optional user account.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.

    • If you enable Password, type an optional authentication password in the Authentication password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you set this option to On, configure the following settings:

    • On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication.
    • Provider type: Select whether the per-app VPN is provided as an App proxy or as a Packet tunnel. The default is App proxy.
    • Provider type: Set to Packet tunnel.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:

      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.
  • Custom XML: For each custom XML parameter you want to add, click Add and specify the key/value pairs. Available parameters are:

    • disableL3: Disables system level VPN. Allows only per-app VPN. No Value is needed.
    • user agent: Associates with this device policy any NetScaler Gateway policies that are targeted to VPN plug-in clients. For requests started by the plug-in, the Value for this key is automatically added to the VPN plug-in.

Configure Custom SSL protocol for iOS

To transition from the Cisco Legacy AnyConnect client to the Cisco AnyConnect client:

  1. Configure the VPN device policy with the Custom SSL protocol. Deploy the policy to iOS devices.
  2. Upload the Cisco AnyConnect client from https://apps.apple.com/us/app/cisco-secure-client/id1135064690, add the app to Citrix Endpoint Management, and then deploy the app to iOS devices.
  3. Remove the old VPN device policy from iOS devices.

Settings:

  • Custom SSL identifier (reverse DNS format): Set the bundle identifier. For the Cisco AnyConnect client, use com.cisco.anyconnect.
  • Provider Bundle Identifier: If the app specified in Custom SSL identifier has multiple VPN providers of the same type (App proxy or Packet tunnel), then specify this bundle identifier. For the Cisco AnyConnect client, use com.cisco.anyconnect.
  • Server IP address: Type the server IP address for the VPN server.
  • User Account: Type an optional user account.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.

    • If you enable Password, type an optional authentication password in the Authentication password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Include All Networks: Select whether to allow all networks to use this connection. The default is Off.
  • Exclude Local Networks: Select whether to exclude local networks from using the connection or to allow the networks. The default is Off.
  • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you set this option to On, configure the following settings:

    • On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication.
    • Provider Type: A provider type indicates whether the provider is a VPN service or proxy service. For VPN service, choose Packet tunnel. For proxy service, choose App proxy. For the Cisco AnyConnect client, choose Packet tunnel.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:

      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.
  • Custom XML: For each custom XML parameter you want to add, click Add and do the following:

    • Parameter name: Type the name of the parameter to be added.
    • Value: Type the value associated with Parameter name.
    • Click Save to save the parameter or click Cancel to not save the parameter.

Configure the VPN device policy to support NAC

  1. The Connection type of Custom SSL is required for configuring the NAC filter.
  2. For Connection, specify VPN.
  3. For Custom SSL identifier, type com.citrix.NetScalerGateway.ios.app
  4. For Provider bundle identifier, type com.citrix.NetScalerGateway.ios.app.vpnplugin

The values in steps 3 and 4 come from the required Citrix SSO installation for NAC filtering. You do not configure an authentication password. For more information on using the NAC function, see Network Access Control.

Configure enable VPN on demand options for iOS

  • On Demand Domain: For each domain and associated action to take when users connect, click Add and do the following:

    • Domain: Type the domain to be added.
    • Action: In the list, select one of the possible actions:

      • Always establish: The domain always triggers a VPN connection.
      • Never establish: The domain never triggers a VPN connection.
      • Establish if necessary: The domain triggers a VPN connection attempt if domain name resolution fails. Failure happens when the DNS server can’t resolve the domain, redirects to a different server, or times out.
    • Click Save to save the domain or click Cancel to not save the domain.
  • On demand rules

    • Action: In the list, select the action to be taken. The default is EvaluateConnection. Possible actions are:

      • Allow: Allow VPN on demand to connect when triggered.
      • Connect: Unconditionally start a VPN connection.
      • Disconnect: Remove the VPN connection and do not reconnect on demand as long as the rule matches.
      • EvaluateConnection: Evaluate the ActionParameters array for each connection.
      • Ignore: Leave any existing VPN connection up, but do not reconnect on demand as long as the rule matches.
    • DNSDomainMatch: For each domain against which a device’s search domain list can match that you want to add, click Add and do the following:

      • DNS Domain: Type the domain name. You can use the wildcard “*” prefix for matching multiple domains. For example, *.example.com matches mydomain.example.com, yourdomain.example.com, and herdomain.example.com.
      • Click Save to save the domain or click Cancel to not save the domain.
    • DNSServerAddressMatch: For each IP address to which any of the network’s specified DNS servers can match that you want to add, click Add and do the following:

      • DNS Server Address: Type the DNS server address that you want to add. You can use the wildcard “*” suffix for matching DNS servers. For example, 17.* matches any DNS server in the class A subnet.
      • Click Save to save the DNS server address or click Cancel to not save the DNS server address.
    • InterfaceTypeMatch: In the list, select the type of primary network interface hardware in use. The default is Unspecified. Possible values are:

      • Unspecified: Matches any network interface hardware. This option is the default.
      • Ethernet: Matches only Ethernet network interface hardware.
      • WiFi: Matches only Wi-Fi network interface hardware.
      • Cellular: Matches only Cellular network interface hardware.
    • SSIDMatch: For each SSID to match against the current network that you want to add, click Add and do the following:

      • SSID: Type the SSID to add. If the network isn’t a Wi-Fi network, or if the SSID does not appear, the match fails. Leave this list empty to match any SSID.
      • Click Save to save the SSID or click Cancel to not save the SSID.
    • URLStringProbe: Type a URL to fetch. If this URL is successfully fetched without redirection, this rule matches.
    • ActionParameters: Domains: For each domain that EvaluateConnection checks that you want to add, click Add and do the following:

      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.
    • ActionParameters: DomainAction: In the list, select the VPN behavior for the specified ActionParameters: Domains domains. The default is ConnectIfNeeded. Possible actions are:

      • ConnectIfNeeded: The domain triggers a VPN connection attempt if domain name resolution fails. Failure happens when the DNS server can’t resolve the domain, redirects to a different server, or times out.
      • NeverConnect: The domain never triggers a VPN connection.
    • ActionParameters: RequiredDNSServers: For each DNS server to use for resolving the specified domains, click Add and do the following:

      • DNS Server: Valid only for ActionParameters: DomainAction = ConnectIfNeeded. Type the DNS server IP address. This server can be outside the device’s current network configuration. If the DNS server isn’t reachable, a VPN connection is established in response. Make sure that the DNS server is either an internal DNS server or a trusted external DNS server.
      • Click Save to save the DNS server or click Cancel to not save the DNS server.
    • ActionParameters: RequiredURLStringProbe: Optionally, type an HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL’s host name can’t be resolved, the server is unreachable, or the server doesn’t respond, a VPN connection is established. Valid only for ActionParameters: DomainAction = ConnectIfNeeded.
    • OnDemandRules: XML content: Type, or copy and paste, the XML configuration on-demand rules.

      • Click Check Dictionary to validate the XML code. Valid XML appears below the XML content text box if the XML is valid. If it isn’t valid, an error message describes the error.
  • Proxy

    • Proxy configuration: In the list, select how the VPN connection routes through a proxy server. The default is None.

      • If you enable Manual, configure these settings:
        • Host name or IP address for the proxy server: Type the host name or IP address for the proxy server. This field is required.
        • Port for the proxy server: Type the proxy server port number. This field is required.
        • User name: Type an optional proxy server user name.
        • Password: Type an optional proxy server password.
      • If you configure Automatic, configure this setting:
        • Proxy server URL: Type the URL for the proxy server. This field is required.
  • Policy settings

    • Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours).

      • Select date: Click the calendar to select the specific date for removal.
      • Duration until removal (in hours): Type a number, in hours, until policy removal occurs. Only available for iOS 6.0 and later.

Configure a per-app VPN

Per-app VPN options for iOS are available for these connection types: Cisco Legacy AnyConnect, Juniper SSL, F5 SSL, SonicWALL Mobile Connect, Ariba VIA, Citrix VPN, Citrix SSO, and Custom SSL.

To configure a per-app VPN:

  1. In Configure > Device Policies, create a VPN policy.

  2. In Configure > Device Policies, create an App Attributes policy to associate an app to the per-app VPN policy. For Per-app VPN identifier, choose the name of the VPN policy created in Step 1. For Managed app bundle ID, choose from the app list or type the app bundle ID. (If you deploy an iOS App Inventory policy, the app list has apps.)

macOS settings

  • Connection: Type a name for the connection.
  • Connection type: In the list, select the protocol to be used for this connection. The default is L2TP.

    • L2TP: Layer 2 Tunneling Protocol with pre-shared key authentication.
    • PPTP: Point-to-Point Tunneling.
    • IPSec: Your corporate VPN connection.
    • Cisco AnyConnect: Cisco AnyConnect VPN client.
    • Juniper SSL: Juniper Networks SSL VPN client.
    • F5 SSL: F5 Networks SSL VPN client.
    • SonicWALL Mobile Connect: Dell unified VPN client for iOS.
    • Ariba VIA: Ariba Networks Virtual Internet Access client.
    • Citrix VPN: Citrix VPN client.
    • Custom SSL: Custom Secure Socket Layer.

The following sections list the configuration options for each of the preceding connection types.

Configure L2TP Protocol for macOS

  • Server IP address: Type the server IP address for the VPN server.
  • User Account: Type an optional user account.
  • Select Password authentication, RSA SecurID authentication, Kerberos authentication, or CryptoCard authentication. The default is Password authentication.
  • Shared secret: Type the IPsec shared secret key.
  • Send all traffic: Select whether to send all traffic over the VPN. The default is Off.

Configure PPTP Protocol for macOS

  • Server IP address: Type the server IP address for the VPN server.
  • User Account: Type an optional user account.
  • Select Password authentication, RSA SecurID authentication, Kerberos authentication, or CryptoCard authentication. The default is Password authentication.
  • Encryption level: Select the desired encryption level. The default is None.

    • None: Use no encryption.
    • Automatic: Use the strongest encryption level supported by the server.
    • Maximum (128-bit): Always use 128-bit encryption.
  • Send all traffic: Select whether to send all traffic over the VPN. The default is Off.

Configure IPsec Protocol for macOS

  • Server IP address: Type the server IP address for the VPN server.
  • User account: Type an optional user account.
  • Authentication type for the connection: In the list, select either Shared Secret or Certificate for the type of authentication for this connection. The default is Shared Secret.

    • If you enable Shared Secret authentication, configure these settings:
      • Group: Type an optional group name.
      • Shared secret: Type an optional shared secret key.
      • Use hybrid authentication: Select whether to use hybrid authentication. With hybrid authentication, the server first authenticates itself to the client, and then the client authenticates itself to the server. The default is Off.
      • Prompt for password: Select whether to prompt users for their passwords when they connect to the network. The default is Off.
    • If you enable Certificate authentication, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to require users to enter their PIN when connecting to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand options.

Configure Cisco AnyConnect Protocol for macOS

  • Server IP address: Type the server IP address for the VPN server.
  • User account: Type an optional user account.
  • Group: Type an optional group name.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.

    • If you enable Password, type an optional authentication password in the Authentication password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand options.
    • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:

      • On-demand match app enabled: Select whether a per-app VPN connection triggers automatically when apps linked to the per-app VPN service start network communication. The default is Off.
      • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:

        • Domain: Type the domain to be added.
        • Click Save to save the domain or click Cancel to not save the domain.

Configure Juniper SSL Protocol for macOS

  • Server IP address: Type the server IP address for the VPN server.
  • User account: Type an optional user account.
  • Realm: Type an optional realm.
  • Role: Type an optional role.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.

    • If you enable Password, type an optional authentication password in the Authentication password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings.
  • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure the following settings:

    • On-demand match app enabled: Select whether a per-app VPN connection triggers automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:

      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure F5 SSL Protocol for macOS

  • Server IP address: Type the server IP address for the VPN server.
  • User account: Type an optional user account.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.

    • If you enable Password, type an optional authentication password in the Authentication password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings.
  • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:

    • On-demand match app enabled: Select whether a per-app VPN connection triggers automatically when apps linked to the per-app VPN service start network communication. The default is Off.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:

      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure SonicWALL Mobile Connect Protocol for macOS

  • Server IP address: Type the server IP address for the VPN server.
  • User account: Type an optional user account.
  • Logon group domain: Type an optional logon group domain.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.

    • If you enable Password, type an optional authentication password in the Authentication password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings.
  • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:

    • On-demand match app enabled: Select whether a per-app VPN connection triggers automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:

      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure Ariba VIA protocol for macOS

  • Server IP address: Type the server IP address for the VPN server.
  • User account: Type an optional user account.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.

    • If you enable Password, type an optional authentication password in the Authentication password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings.
  • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:

    • On-demand match app enabled: Select whether a per-app VPN connection triggers automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:

      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure Custom SSL protocol for macOS

  • Custom SSL identifier (reverse DNS format): Type the SSL identifier in reverse DNS format. This field is required.
  • Server IP address: Type the server IP address for the VPN server. This field is required.
  • User account: Type an optional user account.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.

    • If you enable Password, type an optional authentication password in the Authentication password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings.
  • Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:

    • On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:

      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.
  • Custom XML: For each custom XML parameter you want to add, click Add and do the following:

    • Parameter name: Type the name of the parameter to be added.
    • Value: Type the value associated with Parameter name.
    • Click Save to save the domain or click Cancel to not save the domain.

Configure Enable VPN on demand options

  • On Demand Domain: For each domain and associated action to be taken when users connect to them that you want to add, click Add and do the following:

    • Domain: Type the domain to be added.
    • Action: In the list, select one of the possible actions:

      • Always establish: The domain always triggers a VPN connection.
      • Never establish: The domain never triggers a VPN connection.
      • Establish if necessary: The domain triggers a VPN connection attempt if domain name resolution fails. Failure happens when the DNS server can’t resolve the domain, redirects to a different server, or times out.
    • Click Save to save the domain or click Cancel to not save the domain.
  • On demand rules

    • Action: In the list, select the action to be taken. The default is EvaluateConnection. Possible actions are:

      • Allow: Allow VPN on demand to connect when triggered.
      • Connect: Unconditionally initiate a VPN connection.
      • Disconnect: Remove the VPN connection and do not reconnect on demand as long as the rule matches.
      • EvaluateConnection: Evaluate the ActionParameters array for each connection.
      • Ignore: Leave any existing VPN connection up, but do not reconnect on demand as long as the rule matches.
    • DNSDomainMatch: For the domains against which a device’s search domain list can match, click Add and do the following:

      • DNS Domain: Type the domain name. You can use the wildcard “*” prefix for matching multiple domains. For example, *.example.com matches mydomain.example.com, yourdomain.example.com, and herdomain.example.com.
      • Click Save to save the domain or click Cancel to not save the domain.
    • DNSServerAddressMatch: For each IP address to which any of the network’s specified DNS servers can match that you want to add, click Add and do the following:

      • DNS Server Address: Type the DNS server address that you want to add. You can use the wildcard “*” suffix for matching DNS servers. For example, 17.* matches any DNS server in the class A subnet.
      • Click Save to save the DNS server address or click Cancel to not save the DNS server address.
    • InterfaceTypeMatch: In the list, click the type of primary network interface hardware in use. The default is Unspecified. Possible values are:

      • Unspecified: Matches any network interface hardware. This option is the default.
      • Ethernet: Matches only Ethernet network interface hardware.
      • WiFi: Matches only Wi-Fi network interface hardware.
      • Cellular: Matches only Cellular network interface hardware.
    • SSIDMatch: For each SSID to match against the current network that you want to add, click Add and do the following:

      • SSID: Type the SSID to add. If the network isn’t a Wi-Fi network, or if the SSID does not appear, the match fails. Leave this list empty to match any SSID.
      • Click Save to save the SSID or click Cancel to not save the SSID.
    • URLStringProbe: Type a URL to fetch. If this URL is successfully fetched without redirection, this rule matches.
    • ActionParameters: Domains: For each domain that EvaluateConnection checks that you want to add, click Add and do the following:

      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.
    • ActionParameters: DomainAction: In the list, select the VPN behavior for the specified ActionParameters: Domains domains. The default is ConnectIfNeeded. Possible actions are:

      • ConnectIfNeeded: The domain triggers a VPN connection attempt if domain name resolution fails. Failure happens when the DNS server can’t resolve the domain, redirects to a different server, or times out.
      • NeverConnect: The domain never triggers a VPN connection.
    • ActionParameters: RequiredDNSServers: For each DNS server to use for resolving the specified domains, click Add and do the following:

      • DNS Server: Valid only for ActionParameters: DomainAction = ConnectIfNeeded. Type the DNS server IP address to add. This server can be outside the device’s current network configuration. If the DNS server isn’t reachable, a VPN connection is established in response. This DNS server must be either an internal DNS server or a trusted external DNS server.
      • Click Save to save the DNS server or click Cancel to not save the DNS server.
    • ActionParameters: RequiredURLStringProbe: Optionally, type an HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL’s host name can’t be resolved, the server is unreachable, or the server does not respond, a VPN connection is established. Valid only for ActionParameters: DomainAction = ConnectIfNeeded.
    • OnDemandRules: XML content: Type, or copy and paste, the XML configure-on-demand rules.

      • Click Check Dictionary to validate the XML code. Valid XML appears below the XML content text box if the XML is valid. If it isn’t valid, an error message describes the error.
  • Proxy

    • Proxy configuration: In the list, select how the VPN connection routes through a proxy server. The default is None.

      • If you enable Manual, configure these settings:
        • Host name or IP address for the proxy server: Type the host name or IP address of the proxy server. This field is required.
        • Port for the proxy server: Type the proxy server port number. This field is required.
        • User name: Type an optional proxy server user name.
        • Password: Type an optional proxy server password.
      • If you configure Automatic, configure this setting:
        • Proxy server URL: Type the URL for the proxy server. This field is required.
  • Policy settings

    • Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours).

      • Select date: Click the calendar to select the specific date for removal.
      • Duration until removal (in hours): Type a number, in hours, until policy removal occurs.
    • Allow user to remove policy: You can select when users can remove the policy from their device. Select Always, Passcode required, or Never from the menu. If you select Passcode required, type a passcode in the Removal passcode field.
    • Profile scope: Select whether this policy applies to a User or an entire System. The default is User. This option is available only on macOS 10.7 and later.
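
The constraints listed above for on-demand rules (allowed Action and DomainAction values, wildcard placement, probe URLs, and the settings that are valid only with ConnectIfNeeded) can be checked before the XML is pasted into the policy. The following Python sketch is an added example, not Citrix code; it assumes the XML content is a plist-style `<array>` of rule `<dict>` elements keyed by the setting names on this page, and both sample rule sets are constructed.

```python
import plistlib
from urllib.parse import urlsplit
from xml.parsers.expat import ExpatError

# Allowed values, taken from the option lists on this page.
ACTIONS = {"Allow", "Connect", "Disconnect", "EvaluateConnection", "Ignore"}
DOMAIN_ACTIONS = {"ConnectIfNeeded", "NeverConnect"}
INTERFACES = {"Unspecified", "Ethernet", "WiFi", "Cellular"}

# Constructed sample that passes every check.
GOOD_RULES = """<array>
  <dict><key>Action</key><string>Disconnect</string>
    <key>InterfaceTypeMatch</key><string>Ethernet</string>
    <key>DNSDomainMatch</key><array><string>*.example.com</string></array></dict>
  <dict><key>Action</key><string>EvaluateConnection</string>
    <key>ActionParameters</key><array><dict>
      <key>Domains</key><array><string>intranet.example.com</string></array>
      <key>DomainAction</key><string>ConnectIfNeeded</string>
      <key>RequiredDNSServers</key><array><string>10.0.0.53</string></array>
      <key>RequiredURLStringProbe</key><string>https://probe.example.com/ok</string>
    </dict></array></dict>
</array>"""

# Constructed sample with four defects: a misplaced wildcard, a probe attached
# to NeverConnect, a plain-HTTP probe, and a misspelled Action.
BAD_RULES = """<array>
  <dict><key>Action</key><string>EvaluateConnection</string>
    <key>DNSServerAddressMatch</key><array><string>*.17</string></array>
    <key>ActionParameters</key><array><dict>
      <key>Domains</key><array><string>intranet.example.com</string></array>
      <key>DomainAction</key><string>NeverConnect</string>
      <key>RequiredURLStringProbe</key><string>http://probe.example.com/ok</string>
    </dict></array></dict>
  <dict><key>Action</key><string>Conect</string></dict>
</array>"""


def _probe(url, where):
    """Probe URLs must be HTTP or HTTPS; plain HTTP is flagged (HTTPS preferred)."""
    parts = urlsplit(str(url))
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return [f"{where}: probe must be an HTTP or HTTPS URL"]
    if parts.scheme == "http":
        return [f"{where}: probe uses plain HTTP; HTTPS is preferred"]
    return []


def _wildcards(values, where, side):
    """'*' is allowed only as a prefix (domains) or as a suffix (DNS servers)."""
    found = []
    for value in values:
        body = value[1:] if side == "prefix" and value.startswith("*") else value
        body = body[:-1] if side == "suffix" and body.endswith("*") else body
        if "*" in body:
            found.append(f"{where}: {value!r} uses '*' other than as a {side}")
    return found


def audit_on_demand_rules(xml_fragment):
    """Return a list of findings for an <array> of on-demand rule <dict> elements."""
    # Assumption: the rules are plist-style XML; wrap them so plistlib parses them.
    wrapped = b'<plist version="1.0">' + xml_fragment.encode() + b"</plist>"
    try:
        rules = plistlib.loads(wrapped, fmt=plistlib.FMT_XML)
    except (ExpatError, ValueError) as exc:
        return [f"not well-formed plist XML: {exc}"]
    if not isinstance(rules, list) or not all(isinstance(r, dict) for r in rules):
        return ["top level must be an <array> of <dict> rules"]
    findings = []
    for i, rule in enumerate(rules):
        where = f"rule {i}"
        action = rule.get("Action")
        if action not in ACTIONS:
            findings.append(f"{where}: unknown Action {action!r}")
        if rule.get("InterfaceTypeMatch", "Unspecified") not in INTERFACES:
            findings.append(f"{where}: unknown InterfaceTypeMatch value")
        findings += _wildcards(rule.get("DNSDomainMatch", []), f"{where} DNSDomainMatch", "prefix")
        findings += _wildcards(rule.get("DNSServerAddressMatch", []), f"{where} DNSServerAddressMatch", "suffix")
        if "URLStringProbe" in rule:
            findings += _probe(rule["URLStringProbe"], f"{where} URLStringProbe")
        params = rule.get("ActionParameters", [])
        if params and action != "EvaluateConnection":
            findings.append(f"{where}: ActionParameters is evaluated only for EvaluateConnection")
        for j, param in enumerate(params):
            pw = f"{where} ActionParameters[{j}]"
            domain_action = param.get("DomainAction", "ConnectIfNeeded")  # default per this page
            if domain_action not in DOMAIN_ACTIONS:
                findings.append(f"{pw}: unknown DomainAction {domain_action!r}")
            if not param.get("Domains"):
                findings.append(f"{pw}: no Domains listed")
            for key in ("RequiredDNSServers", "RequiredURLStringProbe"):
                if key in param and domain_action != "ConnectIfNeeded":
                    findings.append(f"{pw}: {key} is valid only when DomainAction = ConnectIfNeeded")
            if "RequiredURLStringProbe" in param:
                findings += _probe(param["RequiredURLStringProbe"], pw)
    return findings

if __name__ == "__main__":
    for finding in audit_on_demand_rules(BAD_RULES):
        print(finding)
```

An empty result means only that the rules are consistent with the constraints stated here; Check Dictionary in the console remains the authoritative validation.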

Android (legacy DA) settings

Configure Cisco AnyConnect VPN protocol for Android

  • Connection: Type a name for the Cisco AnyConnect VPN connection. This field is required.
  • Server IP address: Type the name or IP address of the VPN server. This field is required.
  • Identity credential: In the list, select an identity credential.
  • Backup VPN server: Type the backup VPN server information.
  • User group: Type the user group information.
  • Trusted Networks

    • Automatic VPN policy: Enable or disable this option to set how the VPN reacts to trusted and untrusted networks. If enabled, configure these settings:

      • Trusted network policy: In the list, select the desired policy. The default is Disconnect. Possible options are:

        • Disconnect: The client terminates the VPN connection in the trusted network. This setting is the default.
        • Connect: The client starts a VPN connection in the trusted network.
        • Do Nothing: The client takes no action.
        • Pause: When a user establishes a VPN session outside the trusted network and then enters a network configured as trusted, the VPN session gets suspended. When the user leaves the trusted network again, the session resumes. This setting eliminates the need to establish a new VPN session after leaving a trusted network.
      • Untrusted network policy: In the list, select the desired policy. The default is Connect. Possible options are:

        • Connect: The client starts a VPN connection in the untrusted network.
        • Do Nothing: The client starts a VPN connection in the untrusted network. This option disables the always-on VPN.
    • Trusted domains: For each domain suffix that the network interface has when the client is in the trusted network, click Add to do the following:

      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.
    • Trusted servers: For each server address that a network interface has when the client is in the trusted network, click Add and do the following:

      • Servers: Type the server to be added.
      • Click Save to save the server or click Cancel to not save the server.

Configure Citrix SSO protocol for Android

  • Connection: Type a name for the VPN connection. This field is required.

  • Server IP address: Type the FQDN or IP address of the NetScaler Gateway.

  • Authentication type for the connection: Choose an authentication type and complete any of these fields that appear for the type:

    • User name and Password: Type your VPN credentials for the Authentication types of Password or Password and Certificate. Optional. If you don’t provide the VPN credentials, the Citrix VPN app prompts for a user name and password.

    • Identity credential: Appears for the Authentication types of Certificate or Password and Certificate. In the list, select an identity credential.

  • Enable per-app VPN: Select whether to enable per-app VPN. If you don’t enable a per-app VPN, all traffic goes through the Citrix VPN tunnel. If you enable a per-app VPN, specify the following settings. The default is Off.

    • Allow list or Block list: If Allow list, all apps in the allow list tunnel through this VPN. If Block list, all apps except those apps on the block list tunnel through this VPN.
    • Application List: The apps on an allow list or block list. Click Add and then type a comma-separated list of app package names.
  • Custom XML: Click Add and then type the custom parameters. Citrix Endpoint Management supports these parameters for Citrix VPN:

    • DisableUserProfiles: Optional. To enable this parameter, type Yes for the Value. If enabled, Citrix Endpoint Management doesn’t display user-added VPN connections and the user can’t add a connection. This setting is a global restriction and applies to all VPN profiles.
    • userAgent: A string value. You can specify a custom User Agent string to send in each HTTP request. The specified user agent string gets appended to the existing Citrix VPN user agent.
    • IsAlwaysOnVpn: Optional. This property determines whether the VPN profile is an Always On VPN profile or not. Set Yes to indicate that the VPN profile is an Always On VPN profile. The default is No. Only one VPN profile can have this property set to Yes for Always On VPN to function reliably.

Configure VPNs to support NAC

  1. Use the Connection type of Custom SSL to configure the NAC filter.
  2. Specify a Connection name of VPN.
  3. For Custom XML, click Add and do the following:
    • Parameter name: Type XenMobileDeviceId. This field is the device ID to use for the NAC check based on device enrollment in Citrix Endpoint Management. If Citrix Endpoint Management enrolls and manages the device, the VPN connection is allowed. Otherwise, authentication is denied at the time of VPN establishment.
    • Value: Type DeviceID_${device.id}, which is the value for the parameter XenMobileDeviceId.
    • Click Save to save the parameter.

Configure VPNs for Android Enterprise

To configure VPNs for Android Enterprise devices, create an Android Enterprise managed configuration device policy for the Citrix SSO app. See Configure VPN profiles for Android Enterprise.

Android Enterprise settings

  • Enable always-on VPN: Select whether the VPN is always on. The default is Off. When enabled, the VPN connection stays on until the user manually disconnects.
  • VPN package: Type the package name of the VPN app that devices use.
  • Enable lockdown: If disabled, no app can access the network if a VPN connection doesn’t exist. If enabled, the apps you configure in the following settings can access the network, even if a VPN connection doesn’t exist. Available for Android 10 and later devices.
  • Applications excluded from lockdown: Click Add to type the package names of the apps that you want to bypass the lockdown setting.

Windows Desktop/Tablet settings

  • Connection: Enter a name for the connection. This field is required.
  • Profile type: In the list, select either Native or Plugin. The default is Native.
  • Configure Native profile type: These settings apply to the VPN built into users’ Windows devices.

    • Server address: Type the FQDN or IP address of the VPN server. This field is required.
    • Remember credential: Select whether to cache the credential. The default is Off. When enabled, credentials are cached whenever possible.
    • DNS Suffix: Type the DNS suffix.
    • Tunnel type: In the list, select the type of VPN tunnel to use. The default is L2TP. Possible options are:

      • L2TP: Layer 2 Tunneling Protocol with pre-shared key authentication.
      • PPTP: Point-to-Point Tunneling.
      • IKEv2: Internet Key Exchange version 2.
    • Authentication method: In the list, select the authentication method to use. The default is EAP. Possible options are:

      • EAP: Extended Authentication Protocol.
      • MSChapV2: Use the Microsoft Challenge-Handshake Authentication Protocol for mutual authentication. This option isn’t available when you select the IKEv2 tunnel type.
    • EAP method: In the list, select the EAP method to be used. The default is TLS. This field isn’t available when MSChapV2 authentication is enabled. Possible options are:

      • TLS: Transport Layer Security
      • PEAP: Protected Extensible Authentication Protocol
    • Trusted networks: Type a list of networks, separated by commas, that do not require a VPN connection for access. For example, when users are on your company wireless network, they can access protected resources directly.
    • Require smart card certificate: Select whether to require a smart card certificate. The default is Off.
    • Automatically select client certificate: Select whether to automatically choose the client certificate to use for authentication. The default is Off. This option is unavailable when you enable Require smart card certificate.
    • Always on VPN: Select whether the VPN is always on. The default is Off. When enabled, the VPN connection stays on until the user manually disconnects.
    • Bypass For Local: Type the address and port number to allow local resources to bypass the proxy server.
  • Configure Plugin profile type: These settings apply to VPN plug-ins obtained from the Windows Store and installed on users’ devices.

    • Server address: Type the FQDN or IP address of the VPN server. This field is required.
    • Remember credential: Select whether to cache the credential. The default is Off. When enabled, credentials are cached whenever possible.
    • DNS Suffix: Type the DNS suffix.
    • Client app ID: Type the package family name of the VPN plug-in.
    • Plugin Profile XML: Select the custom VPN plug-in profile to be used by clicking Browse and navigating to the file’s location. Contact the plug-in provider for format and details.
    • Trusted networks: Type a list of networks, separated by commas, that do not require a VPN connection for access. For example, when users are on your company wireless network, they can access protected resources directly.
    • Always on VPN: Select whether the VPN is always on. The default is Off. When enabled, the VPN connection stays on until the user manually disconnects.
    • Bypass For Local: Type the address and port number to allow local resources to bypass the proxy server.

Amazon settings

  • Connection: Enter a name for the connection.
  • VPN type: Select the connection type. Possible options are:

    • L2TP PSK: Layer 2 Tunneling Protocol with pre-shared key authentication. This setting is the default.
    • L2TP RSA: Layer 2 Tunneling Protocol with RSA authentication.
    • IPSEC XAUTH PSK: Internet Protocol Security with pre-shared key and extended authentication.
    • IPSEC HYBRID RSA: Internet Protocol Security with hybrid RSA authentication.
    • PPTP: Point-to-Point Tunneling.

The following sections list the configuration options for each of the preceding connection types.

Configure L2TP PSK settings for Amazon

  • Server address: Type the IP address for the VPN server.
  • User name: Type an optional user name.
  • Password: Type an optional password.
  • L2TP Secret: Type the shared secret key.
  • IPSec Identifier: Type the name for the VPN connection that users see on their devices when connecting.
  • IPSec pre-shared key: Type the secret key.
  • DNS search domains: Type the domains against which a user device’s search domain list can match.
  • DNS servers: Type the IP addresses of the DNS servers to be used for resolving the specified domains.
  • Forwarding routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:

    • Forward route: Type the IP address for the forwarding route.
    • Click Save to save the route or click Cancel to not save the route.

Configure L2TP RSA settings for Amazon

  • Server address: Type the IP address for the VPN server.
  • User name: Type an optional user name.
  • Password: Type an optional password.
  • L2TP Secret: Type the shared secret key.
  • DNS search domains: Type the domains against which a user device’s search domain list can match.
  • DNS servers: Type the IP addresses of the DNS servers to be used for resolving the specified domains.
  • Server certificate: In the list, select the server certificate to be used.
  • CA certificate: In the list, select the CA certificate to be used.
  • Identity credential: In the list, select the identity credential to be used.
  • Forwarding routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:

    • Forward route: Type the IP address for the forwarding route.
    • Click Save to save the route or click Cancel to not save the route.

Configure IPSEC XAUTH PSK settings for Amazon

  • Server address: Type the IP address of the VPN server.
  • User name: Type an optional user name.
  • Password: Type an optional password.
  • IPSec Identifier: Type the name of the VPN connection that users see on their devices when connecting.
  • IPSec pre-shared key: Type the shared secret key.
  • DNS search domains: Type the domains against which a user device’s search domain list can match.
  • DNS servers: Type the IP addresses of DNS servers to be used for resolving the specified domains.
  • Forwarding routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:

    • Forward route: Type the IP address of the forwarding route.
    • Click Save to save the route or click Cancel to not save the route.

Configure IPSEC AUTH RSA settings for Amazon

  • Server address: Type the IP address of the VPN server.
  • User name: Type an optional user name.
  • Password: Type an optional password.
  • DNS search domains: Type the domains against which a user device’s search domain list can match.
  • DNS servers: Type the IP addresses of DNS servers to be used for resolving the specified domains.
  • Server certificate: In the list, select the server certificate to be used.
  • CA certificate: In the list, select the CA certificate to be used.
  • Identity credential: In the list, select the identity credential to be used.
  • Forwarding routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:

    • Forward route: Type the IP address of the forwarding route.
    • Click Save to save the route or click Cancel to not save the route.

Configure IPSEC HYBRID RSA settings for Amazon

  • Server address: Type the IP address of the VPN server.
  • User name: Type an optional user name.
  • Password: Type an optional password.
  • DNS search domains: Type the domains against which a user device’s search domain list can match.
  • DNS servers: Type the IP addresses of DNS servers to be used for resolving the specified domains.
  • Server certificate: In the list, select the server certificate to be used.
  • CA certificate: In the list, select the CA certificate to be used.
  • Forwarding routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:

    • Forward route: Type the IP address of the forwarding route.
    • Click Save to save the route or click Cancel to not save the route.

Configure PPTP settings for Amazon

  • Server address: Type the IP address of the VPN server.
  • User name: Type an optional user name.
  • Password: Type an optional password.
  • DNS search domains: Type the domains against which a user device’s search domain list can match.
  • DNS servers: Type the IP addresses of DNS servers to be used for resolving the specified domains.
  • PPP encryption (MPPE): Select whether to enable data encryption with Microsoft Point-to-Point Encryption (MPPE). The default is Off.
  • Forwarding routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:

    • Forward route: Type the IP address of the forwarding route.
    • Click Save to save the route or click Cancel to not save the route.
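
A pre-deployment check over the Amazon connection types above, added here as an example and not taken from the product documentation: it flags profiles that omit a field their section lists, addresses that do not parse, short shared secrets, and PPTP left at the MPPE default of Off. The dict keys, the 20-character minimum and the sample profile are assumptions made for the example; the console does not export this format.

```python
import ipaddress

MIN_SECRET_LEN = 20  # assumed local policy, not a value from the page

# Fields each connection type lists without marking them optional.
# Key names are hypothetical; this is not a product export format.
REQUIRED = {
    "L2TP RSA": ("server_address", "l2tp_secret", "server_certificate",
                 "ca_certificate", "identity_credential"),
    "IPSEC XAUTH PSK": ("server_address", "ipsec_identifier", "ipsec_psk"),
    "IPSEC AUTH RSA": ("server_address", "server_certificate",
                       "ca_certificate", "identity_credential"),
    "IPSEC HYBRID RSA": ("server_address", "server_certificate", "ca_certificate"),
    "PPTP": ("server_address",),
}


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit_profile(profile):
    """Return a sorted list of findings for one VPN profile dict."""
    ctype = profile.get("connection_type")
    if ctype not in REQUIRED:
        return [f"unknown connection type: {ctype!r}"]
    findings = [f"missing {f}" for f in REQUIRED[ctype] if not profile.get(f)]
    addresses = [("server_address", profile.get("server_address"))]
    for key in ("dns_servers", "forward_routes"):
        addresses += [(key, a) for a in profile.get(key, [])]
    for key, value in addresses:
        if value and not _is_ip(value):
            findings.append(f"{key}: {value!r} is not an IP address")
    for key in ("l2tp_secret", "ipsec_psk"):
        if profile.get(key) and len(profile[key]) < MIN_SECRET_LEN:
            findings.append(f"{key} shorter than {MIN_SECRET_LEN} characters")
    # MPPE is PPTP's only encryption layer and the policy default is Off.
    if ctype == "PPTP" and not profile.get("mppe", False):
        findings.append("PPTP with MPPE off: tunnel traffic is not encrypted")
    return sorted(findings)


# Constructed sample profile: PPTP left at defaults, one bad DNS entry.
PPTP_DEFAULT = {"connection_type": "PPTP", "server_address": "203.0.113.10",
                "dns_servers": ["10.0.0.53", "dns.corp"], "mppe": False}
```

Calling `audit_profile(PPTP_DEFAULT)` reports both the unencrypted tunnel and the DNS entry that is a host name rather than an IP address.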
