Forum Discussion

David_Avera_145
Nimbostratus
Feb 27, 2014

iOS7 Per App VPN

We are trying to test per-app VPN connections with iOS 7 and have problems connecting to the F5 server when the VendorConfig key contains PerAppVpn = true in the MDM payload. The payload deploys to the device without a problem. I am starting the F5 Client manually and attempting to sign on to the F5 server using password authentication, but we never seem to actually reach the server. On the client, the Connection Details screen shows no data traffic from the server, and the server's IP address is not resolved. The tunnel type is Per-app SSL-VPN. The iOS device console reports this message:

    Feb 27 09:29:07 Afarias-iPad vpnagent[2088] : __VPNFlowOpen_block_invoke (1): Opening the DNS flow

Is there something we're doing wrong in the client configuration or server that's causing our problem? Thanks.
4 Replies

  • Alexey_384
    Historic F5 Account

    Have you enabled the 'Java & VDI' option on the virtual server? I saw similar behaviour when that option was disabled, but I don't remember the error text. Per-app VPN uses BIG-IP DNS (System ›› Configuration : Device : DNS), so if BIG-IP can resolve addresses then the problem shouldn't be in DNS. Possibly there are errors in the client's profile (a wrong UDID, for example).
  • We're still having the same problem. My server contact assures me that those options are on the virtual server and it is resolving DNS addresses. Below is the syntax for the MDM payload being used to define the per-app VPN. Is there anything wrong in there? (Again, thanks for the help.)

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>PayloadContent</key>
      <array>
        <dict>
          <key>VPN</key>
          <dict>
            <key>AuthenticationMethod</key>
            <string>Password</string>
            <key>RemoteAddress</key>
            <string>alabvpn2.xnetqa.com</string>
            <key>AuthPassword</key>
            <string>(redacted for security)</string>
            <key>AuthName</key>
            <string>(redacted for security)</string>
          </dict>
          <key>VPNSubType</key>
          <string>com.f5.F5-Edge-Client.vpnplugin</string>
          <key>IPv4</key>
          <dict>
            <key>OverridePrimary</key>
            <integer>0</integer>
          </dict>
          <key>VendorConfig</key>
          <dict>
            <key>WebLogon</key>
            <string>false</string>
            <key>PerAppVpn</key>
            <string>true</string>
          </dict>
          <key>OnDemandMatchAppEnabled</key>
          <!-- boolean value (<true/> or <false/>) was lost when the post was rendered -->
          <key>VPNUUID</key>
          <string>9C55106B-687E-4CDF-8037-1D217FDB475F</string>
          <key>SafariDomains</key>
          <array>
            <string>10.1.2.10</string>
            <string>10.1.2.11</string>
          </array>
          <key>Proxies</key>
          <dict/>
          <key>UserDefinedName</key>
          <string>F5-2 Hand Built PAV</string>
          <key>VPNType</key>
          <string>VPN</string>
          <key>PayloadDescription</key>
          <string>Configures VPN settings, including authentication.</string>
          <key>PayloadDisplayName</key>
          <string>VPN (F5-2 Hand Built PAV)</string>
          <key>PayloadIdentifier</key>
          <string>Sybase - Configure.vpn</string>
          <key>PayloadOrganization</key>
          <string>Sybase - Configure</string>
          <key>PayloadType</key>
          <string>com.apple.vpn.managed.applayer</string>
          <key>PayloadUUID</key>
          <string>5b0a2bf9-b756-46b2-87bd-eee40f3c59d8</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
        </dict>
      </array>
      <key>PayloadDescription</key>
      <string>Payload Count: 1</string>
      <key>PayloadDisplayName</key>
      <string>F5-2 Per-App {0d2c18dc-510e-4645-9593-0874dffa1c45}</string>
      <key>PayloadIdentifier</key>
      <string>{0d2c18dc-510e-4645-9593-0874dffa1c45}</string>
      <key>PayloadOrganization</key>
      <string>Sybase - iAnywhere</string>
      <key>PayloadRemovalDisallowed</key>
      <!-- boolean value (<true/> or <false/>) was lost when the post was rendered -->
      <key>PayloadType</key>
      <string>Configuration</string>
      <key>PayloadUUID</key>
      <string>afaria:{0d2c18dc-510e-4645-9593-0874dffa1c45}-392198275</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    </plist>
    • Alexey_384
      Historic F5 Account

      What status does the Edge client show? What application do you use to connect to the backend? If Safari, you should set SafariDomains to cover your backend server. Not sure if it works for IP addresses; according to the Apple help they should be domains. Also, Safari may not use the tunnel if the DNS name of the backend can be resolved directly, but that relates to on-demand tunnels, and, as I understand, you are using manual tunnels. If you use another application (Dolphin, Chrome), then that application should be deployed using MDM with the same VPNUUID that is used in the mobile profile. Also, Edge 2.0.0 had an issue where not all apps were able to use the tunnel (Chrome, for example). The issue was fixed in v2.0.1 (current). In some cases the tunnel stops working until the device is hard rebooted (manual disconnect of the on-demand tunnel). But at least it should be workable once. If you can't even establish the tunnel, you should check the configuration: username, password, certificate, access policy conformity.
  • Yes. We are attempting to use a manual tunnel. I start the F5 client and try to connect using the configuration I enclosed in an earlier comment. The client will accept the user ID and password, a little spinner in the status bar will show "Authenticating", and then it says it is Connected. However, looking at Connection Details, there is no traffic shown between the client and the server, and the server address is not resolved to an IP address. In other non-per-app VPN profiles that work, the status bar will show "Authenticating", then "Negotiating", then say it is connected. In Connection Details we see inbound and outbound traffic and the server address is resolved to an IP address. It looks to me like the per-app VPN config is rejected before it creates the tunnel; we never see any information about this in the server log. I will check with my server guy about username, password, certificate and access policy conformity. The same username and password work with other non-PAV configs. We are not using a certificate. Thanks for your help.
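Added example, not from the thread or from F5: a small Python pre-deployment check for the points raised above (VendorConfig PerAppVpn set to "true", a VPNUUID present so managed apps can be bound to the tunnel, and SafariDomains entries that are IP addresses rather than domains). The embedded profile is a constructed, trimmed sample in the same shape as the posted payload; the UUID and hostnames are placeholders.

```python
import ipaddress
import plistlib

# Constructed sample (placeholder UUID and hosts), shaped like the posted profile.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed.applayer</string>
      <key>VPNSubType</key><string>com.f5.F5-Edge-Client.vpnplugin</string>
      <key>VPNUUID</key><string>00000000-0000-0000-0000-000000000000</string>
      <key>VendorConfig</key>
      <dict><key>PerAppVpn</key><string>true</string></dict>
      <key>SafariDomains</key>
      <array><string>10.1.2.10</string><string>intranet.example.com</string></array>
    </dict>
  </array>
</dict>
</plist>"""

APPLAYER = "com.apple.vpn.managed.applayer"


def check_per_app_vpn(profile_bytes):
    """Return a list of findings for the per-app VPN payload(s); empty means clean."""
    findings = []
    root = plistlib.loads(profile_bytes)
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") != APPLAYER:
            continue  # only the app-layer VPN payload is checked
        vendor = payload.get("VendorConfig", {})
        # F5 VendorConfig values are strings, so compare case-insensitively.
        if str(vendor.get("PerAppVpn", "")).lower() != "true":
            findings.append("VendorConfig.PerAppVpn is not 'true'")
        if not payload.get("VPNUUID"):
            findings.append("VPNUUID missing: managed apps cannot be bound to this tunnel")
        for entry in payload.get("SafariDomains", []):
            try:
                ipaddress.ip_address(entry)  # raises ValueError for a hostname
            except ValueError:
                continue
            findings.append(f"SafariDomains entry {entry!r} is an IP address, not a domain")
    return findings


if __name__ == "__main__":
    for line in check_per_app_vpn(SAMPLE_PROFILE) or ["no findings"]:
        print(line)
```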