Using the Motorola SSL Mobile VPN Solution with MSP

Transcription

1 Using the Motorola SSL Mobile VPN Solution with MSP

2

3 Using the Motorola SSL Mobile VPN Solution with MSP 72E Revision C September 2010

4 2010 by Motorola, Inc. All rights reserved. No part of this publication may be reproduced or used in any form, or by any electrical or mechanical means, without permission in writing from Motorola. This includes electronic or mechanical means, such as photocopying, recording, or information storage and retrieval systems. The material in this manual is subject to change without notice. While every reasonable precaution has been taken in the preparation of this document, neither Symbol Technologies, Inc., nor Motorola, Inc., assumes responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. The software is provided strictly on an as is basis. All software, including firmware, furnished to the user is on a licensed basis. Motorola grants to the user a non-transferable and non-exclusive license to use each software or firmware program delivered hereunder (licensed program). Except as noted below, such license may not be assigned, sublicensed, or otherwise transferred by the user without prior written consent of Motorola. No right to copy a licensed program in whole or in part is granted, except as permitted under copyright law. The user shall not modify, merge, or incorporate any form or portion of a licensed program with other program material, create a derivative work from a licensed program, or use a licensed program in a network without written permission from Motorola. The user agrees to maintain Motorola s copyright notice on the licensed programs delivered hereunder, and to include the same on any authorized copies it makes, in whole or in part. The user agrees not to decompile, disassemble, decode, or reverse engineer any licensed program delivered to the user or any portion thereof. Motorola reserves the right to make changes to any software or product to improve reliability, function, or design. Motorola does not assume any product liability arising out of, or in connection with, the application or use of any product, circuit, or application described herein. No license is granted, either expressly or by implication, estoppel, or otherwise under any Motorola, Inc., intellectual property rights. An implied license only exists for equipment, circuits, and subsystems contained in Motorola products. MOTOROLA and the Stylized M Logo and Symbol and the Symbol logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. Motorola, Inc One Motorola Plaza Holtsville, New York

5 Using the Motorola SSL VPN Solution with MSP -- v Table of Contents About This Guide...1 Related Documents... 1 Service Information... 2 Chapter 1 Introduction...3 Overview... 3 Benefits of the Motorola SSL Mobile VPN Solution... 4 Acquiring the Motorola SSL Mobile VPN Solution... 4 Obtaining the Add-On Kit... 4 Add-On Kit Contents... 4 Add-On Kit Installation... 5 Licensing the Motorola SSL Mobile VPN Solution... 5 Documentation Approach... 6 Chapter 2 Key Concepts...7 Overview... 7 Persistence... 7 IP Addressing... 7 Chapter 3 Security Considerations...9 Overview... 9 Digital Certificates... 9 CA Certificates... 9 Public CA... 9 Private CA...10 Self-Signed CA...10 Server Certificates...11 Client Certificates...11 Firewalls Authentication... 11

6 vi -- Using the Motorola SSL VPN Solution with MSPUsing the Motorola SSL Mobile VPN Solution with MSP Chapter 4 Configuration...15 Overview Settings Class Configuration Settings Description...15 Server address:...15 Server port:...15 WVPN Server Group name:...16 Additional server address:...16 Additional server address:...16 Additional server port:...16 Select WVPN server randomly:...16 Authentication Information...16 WVPN user:...16 WVPN domain:...16 WVPN password:...17 Use computer certificate...17 Client certificate issuer...17 DHCP User class:...21 Autostart client:...21 Automatic connect:...21 Disable Error Messages:...21 Disable the tray Icon:...22 Disable disconnect menu:...22 Disable cancel connect:...22 Login type:...22 Show advanced settings:...22 Enable debug logging:...22 Debug log file size:...22 Debug file:...22 CA Certificate:...22 Chapter 5 How the Motorola SSL Mobile VPN Solution Works...23 Overview How the Motorola Mobile SSL VPN Solution Works Network Components...24 Public Network...24 DMZ (De-Militarized Zone)...24 Enterprise Network...24 Software Components...25 VPN Client...25 AirBeam Safe Enterprise Server...25 AirBeam Safe Gatekeeper Server...25 Other Enterprise Server(s)...26 VPN Connection...26 Server Certificate Verification (Mandatory)...26 Client Certificate Verification (Optional)...26 Secure Tunnel Establishment...26 Client Authentication...27 Session Establishment or Reconnection...27 Virtual IP Address Assignment...27 Virtual NIC...28 Chapter 6 Using the Motorola SSL Mobile VPN Solution...29 Overview Key Questions... 29

7 Table of Contents vii Do I need a Gatekeeper?...29 Do I need to use Certificates?...30 Server Certificates...30 Client Certificates...30 How to Use the Motorola SSL Mobile VPN Solution Implementation Process...31 VPN Client Installation...32 VPN Client Operation...32 Managing the VPN Client...33 Updating VPN Settings...33 Updating Certificates...33 Disabling the VPN Client...34 Uninstalling the VPN Client...34 Upgrading the VPN Client...34 Remote Control over a VPN Connection...35 Troubleshooting Common Issues...36 Certificate Range of Operational Validity...36 Try Manual Configuration and Connection...37 Lack of Suitable Device Connectivity...37 Inaccessible Server(s)...38 Incorrectly Configured Server(s)...38 Missing Device License Server(s)...38 Incorrectly Configured VPN Client...39 Troubleshooting Tools...39 From the Command Prompt on Server(s)...39 ipconfig...39 netstat...39 From the Device...39 Debug Log File...39 Plug-In Log File...40 CTNetworkinfo...40

8 viii -- Using the Motorola SSL VPN Solution with MSP

9 Using the Motorola SSL VPN Solution with MSP -- 1 About This Guide This document provides information on the Motorola SSL Mobile VPN Solution. Newer versions of this document may be available as part of an Add-On installer that is available for download at Related Documents MSP Release Notes, p/n 72E Understanding Mobility Services Platform 3.3.1, p/n 72E Using Mobility Services Platform 3.3.1, p/n 72E MSP Software Installation Guide, p/n 72E MSP Client Software Guide, p/n 72E Using the MSP Administration Program, p/n 72E Using the Motorola Remote Control Solution with MSP, p/n 72E Using the Athena Remote Control Solution With MSP, p/n 72E AirBEAM Package Builder Product Reference Guide, p/n 72E AirBEAM Package Builder Version 2.X Addendum All SSL VPN Documentation referenced below can be found at: SG_SupportGoals&BROWSE_PRODUCT.isProductTaxonomy=true&BROWSE_PRODUCT.Nod eid=sg_airbeamsafesoftware_1_2&browse_product.thispageurl=%2fproduct%2f products.do&id=m4&browse_product.taxoname=sg_supportgoals&nodetype=leaf&nod ename=airbeam+safe&document=dt_productmanuals_1_1&browse_product.nod etype=leaf&nodeid=sg_airbeamsafesoftware_1_2&appcontext=ac_productpage&par am_document=sp. AirBeam Safe Site Preparation Guide (P/N Rev. A) Getting Started Guide - AirBeam Safe Getting Started Guide (P/N Rev. A)

10 2 -- Using the Motorola SSL VPN Solution with MSP AirBeam Safe System Administrator's Guide (P/N Rev. A) Service Information If you have a problem with your software, contact Motorola Enterprise Mobility support for your region. Contact information is available at: When contacting Enterprise Mobility support, please have the following information available: Serial number of the software Model number or product name Software type and version number Software license information Motorola responds to calls by , telephone or fax within the time limits set forth in support agreements. If you purchased your Enterprise Mobility business product from a Motorola business partner, contact that business partner for support.

11 3 -- Using the Motorola SSL VPN Solution with MSP Chapter 1 Introduction Overview The Motorola SSL Mobile VPN Solution Add-On Kit allows the Motorola SSL Mobile VPN Solution to be used together with MSP as a fully certified and supported solution. The Motorola SSL Mobile VPN Solution (also known as AirBeam Safe) allows Enterprises to leverage the power of mobility without compromising security. This mobile virtual private network (VPN) allows Enterprises to provide workers who are on-the-move inside and outside the Enterprise walls with easy-to-use secure wireless access to the Internet, Enterprise intranet and applications. The Motorola SSL Mobile VPN Solution supports strong mutual authentication with one, two, or three-factor Client authentication. This helps provides worry-free mobility, especially critical in the retail and healthcare industries, where compliance with government regulations is required to protect sensitive financial and personal data. Both Client-side and Server-side authentication can be used to ensure that all devices are properly authorized on your network and connected via authorized Servers. FIPS compliance offers strong 256-bit AES encryption to protect data in transit. Integrity checks ensure that data was not altered while in transmission, preventing devices from sending or receiving information that contains a rogue packet. Network Access Control (NAC) can be used execute scripts to verify whether devices are compliant to Enterprise security policies and reject or quarantine those that are non-compliant. The Motorola SSL Mobile VPN Solution features session persistence, which provides a virtually continuous VPN session, even across periods when the device enters suspend mode, temporarily loses wireless coverage, or switches between different network adapters. Users and applications can thus enjoy virtually seamless connectivity even across such gaps in actual connectivity. Productivity is enhanced since intermittent losses of connectivity no longer require repeated login, reopening of applications, etc. Data loss due to lost connections is also reduced since information is buffered and automatically delivered once connectivity is restored. The Motorola SSL Mobile VPN Solution (developed by our partner Columbitech and also known as AirBEAM Safe) has been available in a standalone form for many Motorola devices for a number of years. Now, the Motorola SSL Mobile VPN Solution has been fully integrated with MSP to form a complete and robust Mobile VPN Solution.

12 4 -- Using the Motorola SSL VPN Solution with MSP Benefits of the Motorola SSL Mobile VPN Solution The Mobile Motorola SSL Mobile VPN Solution has the following benefits over using the stillavailable standalone version of the Motorola SSL Mobile VPN Solution or the commercial version that is available directly from Columbitech: The device software to support the Motorola SSL Mobile VPN Solution is delivered in MSP-ready Package form for easy mass deployment to mobile devices managed by MSP. o o These Packages deploy the VPN Client software to Motorola devices in a manner that Persists across a Restore Boot on devices where such Persistence is supported. These Packages include an MSP plug-in that enables the Motorola SSL Mobile VPN Solution configuration to be configured from MSP. This enables Staging of initial Motorola SSL Mobile VPN Solution configuration and Provisioning of new VPN configurations as required. The Motorola SSL Mobile VPN Solution has been formally tested and certified for use with MSP. Support for the Motorola SSL Mobile VPN Solution can be obtained from the same Motorola help desk that provides MSP support. Important: Because they lack the above advantages, the standalone Motorola SSL Mobile VPN Solution product available from Motorola and the commercial version of the VPN available directly from Columbitech are not recommended or officially supported for use with MSP. Acquiring the Motorola SSL Mobile VPN Solution Obtaining the Add-On Kit The Motorola SSL Mobile VPN Solution components are provided via Add-On Kits that are included on the MSP Installation CD and that are separately available for download from the following link: Updated versions of the Add-On Kits containing updated components may also periodically be available for download from the same link. Add-On Kit Contents Each Add-On-Kit will be a.zip File with a name of the form: Motorola_SSL_VPN_<os, if applicable>_<core version>_<zip version>_<date>.zip where:

13 Chapter 1 Introduction 5 <os> is WM5 for Windows Mobile 5.0 or higher, WM2003 for Windows Mobile 2003 only, or CE for Windows CE. <core version> This is the version of the primary component of the Add-On. <zip version> <date> This is a version number that is used to indicate that something has changed in the Add-On other than the primary component. This needs to be reset when the Core Version changes. indicates the release date of the Add-On Kit.ZIP File (represented in YYYYDDMM format). Each Add-On Kit.ZIP File contains the following contents: The PDF file containing this document. The Definition Document, Network.WVPN.Motorola.SSL.Settings.XML. One of the three Control Module Packages: Moto_SSL_VPN_WM5, which is suitable for use on supported devices running the Windows Mobile 5.0 or higher Operating System. Moto_SSL_VPN_WM2003, which is suitable for use on supported devices running the Windows Mobile 2003 Operating System. Moto_SSL_VPN_CE, which is suitable for use on supported devices running the Windows CE Operating System. Add-On Kit Installation Important: If more than one Add-On Kit for the same solution is installed, then certain common files will likely appear in all.zip Files. Since Updates to parallel Add-On Kits may be released on independent schedules, it is very important that the latest copy of these common files be used. This can be accomplished by installing Add-On Kits in oldest to newest order since the last Add- On Kit installed will determine the version of the common files that will be used. This ordering can be determined by looking at the date that is part of the Add-On Kit.ZIP File name. For Users with direct access to Windows Console on the MSP Server, an Add-On Kit.ZIP Files can be installed using the MSP Administration Program. See Add-On Kit Installation in Administering MSP Licensing the Motorola SSL Mobile VPN Solution The Motorola SSL Mobile VPN Solution is supported on the same set of Motorola devices on which the standalone SSL Mobile VPN product is supported. Using the Motorola SSL Mobile VPN Solution with MSP on those supported devices requires the standard per-device MSP Server licenses and in addition requires per-device Server licenses on the AirBeam Safe Enterprise Server.

14 6 -- Using the Motorola SSL VPN Solution with MSP The AirBeam Safe Enterprise Server requires that a sufficient number of licenses be installed to accommodate the number of devices that will be simultaneously connected via that Server. If several AirBeam Safe Enterprise Servers are used and/or if only a portion of the devices connect at once via any one Server, then a given AirBeam Safe Enterprise Server may not require as many licenses installed as there are devices using the Motorola SSL Mobile VPN Solution. All requisite licenses can be purchased from Motorola or from Motorola partners. For information on ordering licenses, please consult your Motorola sales professional or Motorola partner. Note: The purchase of a software maintenance agreement is mandatory when purchasing licenses for the Motorola SSL Mobile VPN Solution. Documentation Approach This document is not intended to be a complete guide to the use of the Motorola SSL Mobile VPN Solution. Instead, this document relies on the existing standalone AirBeam Safe documentation to describe much of the basic functionality and usage. As described above, the standalone AirBeam Safe documentation is provided as part of the Add-On Kit for the Motorola SSL Mobile VPN Solution. This document focuses on areas where the Motorola SSL Mobile VPN Solution differs from the standalone AirBeam Safe product, and where additional functionality is provided when it is used with MSP.

15 7 -- Using the Motorola SSL VPN Solution with MSP Chapter 2 Key Concepts Overview This chapter discusses the key concepts these concepts required to understand and use the Motorola SSL Mobile VPN Solution. Persistence The Packages that install the VPN Client do so Persistently. This means that the installation of the VPN Client will survive a Restore Boot, on devices where such Persistence is supported. The Settings Class Network.WVPN.Motorola.SSL is used to create Settings Objects to configure the Motorola SSL Mobile VPN Solution. Settings Objects of this Settings Class have Single Instance Persistence. Installing a new Settings Object of this Settings Class will replace any previously installed Settings Object of the same Settings Class. Further, as discussed in the Understanding MSP Understanding Reboots and Persistence, only the single Settings Package that has been most recently installed for this Settings Class will Persist across a Restore Boot, on devices where such Persistence is supported. IP Addressing A device must have a valid IP Address on a network adapter before it can successfully connect to an AirBeam Safe Enterprise or Gatekeeper Server using the VPN Client. The AirBeam Safe Enterprise Server must also be configured to acquire sufficient valid IP Addresses on behalf of the VPN Clients as they connect. When successfully connected to the AirBeam Safe Enterprise Server, a device will thus be allocated at least two valid IP Addresses: one physical address on the local network and one virtual address on the remote network. Note: The VPN Client does not support establishing a VPN connection over a Microsoft ActiveSync connection.

16 8 -- Using the Motorola SSL VPN Solution with MSP

17 9 -- Using the Motorola SSL VPN Solution with MSP Chapter 3 Security Considerations Overview This section discusses the considerations related to security that may be of interest when using the Motorola SSL Mobile VPN Solution. Digital Certificates The Motorola SSL Mobile VPN Solution relies on the use of X.509 Digital Certificates for a significant portion of its security. There are three types of Certificates of interest. CA Certificates A CA (Certificate Authority) is an entity that issues and signs Digital Certificates for use by Servers and Clients. There are three main types of CAs in common use: Public CA A Public CA is a well-known trusted commercial entity (e.g. Verisign, Thawte, etc.) that issues Digital Certificates, usually for a fee. In essence, a Public CA-Signed Certificate says Trust me because you trust this Public CA. Such organizations can charge a fee for this service because they are universally trusted and hence their Root CA Certificates are pre-installed into the Trusted Root Certificate Store of most Workstation PCs, Servers, and devices. The key advantage of the Public CA model is that all Certificates issued by a Public CA are automatically trusted without requiring the installation of any Certificates to establish that trust. Certificates need only be distributed to and installed into the systems that will own them, not to the systems that will reference them. If the number of referencing systems is very large, the savings from not having to distribute and install Certificates could be quite high. The disadvantages of the Public CA model are the requirement to pay a per-certificate fee to the Public CA and potential time-lag required for the Public CA to issue a Certificate. If many Certificates are issued and/or if the time-lag is problematic, then this model may be undesirable.

18 10 -- Using the Motorola SSL VPN Solution with MSP Private CA A Private CA is a private entity (e.g. a group or individual within an Enterprise) that is trusted to issue Digital Certificates within a given domain (e.g. to groups or users within that Enterprise). In essence, a Private CA-Signed Certificate says Trust me because you this Private CA. Because a Private CA is not publicly or universally trusted, trust of a Private CA must be explicitly established within a domain by distributing and installing the Root CA Certificate of that Private CA into the Trusted Root Certificate Stores of Workstation PCs, Servers, and devices that need to trust the Certificates it issues. Key advantages of the Private CA model are that Certificates can be freely issued by the Private CA without paying a per-certificate fee and that issuance of such Certificates depends primarily on the person or group doing the issuing. The disadvantages of the Private CA model is that a person or group must staffed to act as the Private CA an issue Certificates and trust of that Private CA must be initially established in advance with every entity that will own or reference those Certificates. If the number of referencing systems is very large, the cost to deploy and install the Private CA Root Certificate could be quite substantial, although it generally would be a one-time cost. Note: If Certificates are only being used for the use of the Motorola SSL Mobile VPN Solution, then the AirBeam Safe Certificate Manager can be used as a Private CA. If Certificates need to be issued for other reasons that the use of the Motorola SSL Mobile VPN Solution, then an independent Private CA will likely be advisable. Self-Signed CA A Self-Signed Certificate is a Certificate issued by an entity to itself. In essence, a Self-Signed Certificate says Trust me because you trust me. Every entity with a Self-Signed Certificate is thus acting as its own CA. Because such an entity is not inherently trustable, trust of an entity with a Self-Signed Certificate must be explicitly established within a domain by distributing and installing its Certificate, as if it were a Root CA Certificate, into the Trusted Root Certificate Stores of Workstation PCs, Servers, and devices that need to trust that Certificate. This may be acceptable during testing or in very small scale deployments, e.g. where only one Certificate will ever be used. The only advantage of the Self-Signed CA model is that it can reduce complexity and effort for very small scale deployments. For a single Self-Signed Certificate, the same number of Certificates would need to be distributed and installed as if a Private CA was used. But, the need to implement a Private CA could introduce more complexity than would be acceptable in a very small scale deployment. The disadvantages of Self-Signed CA model are that trust of all Self-Signed Certificates must be established in advance with every entity that will reference any Self-Signed Certificate. If the number of referencing systems is very large and/or the number of Self-Signed Certificates is large, then this model can quickly become totally impractical.

19 Chapter 3 Security Considerations 11 Server Certificates A Server Certificate is used to prove the identity of a Server and to provide access to the Public Key of that Server to Clients that will reference it. The trust of a Server Certificate is determined by the trust of the issuer of that Server Certificate. A Server Certificate generally does not need to be distributed to or installed into the Certificate Store of any Clients since the trust is established by trust of the issuing CA. Note: When a Server Certificate is Self-Signed, then it must be installed into the Certificate Store of any Clients that will reference it. But, in such cases, the Server Certificate is not being installed because it is a Server Certificate. It is being installed into the trusted Root Certificate Store of the client as the Root CA Certificate of the issuing CA. Since it is self-signed, it is also the issuer. Client Certificates A Client Certificate is used to prove the identity of a Client and to provide access to the Public Key of that Client to Servers that will by accessed by that Client. The trust of a Client Certificate by a Server is determined by the trust of the issuer of that Client Certificate. A Client Certificate generally does not need to be distributed to or installed into the Certificate Store of any Servers since the trust is established by trust of the issuing CA. Note: While in theory Self-Signed Client Certificates could be used, this is usually more trouble than it would be worth. Since the number of Clients is generally larger than the number of servers, it generally does not make good sense to have to distribute and install all Client Certificates into all Servers. Further, when Client Certificates are used, it is generally considered good practice to maintain tight control over the issuance of Client Certificates. Firewalls If a Firewall exists between a Client and the AirBeam Safe Enterprise Server or AirBeam Safe Gateway Server, then that Firewall must be configured to pass traffic on the appropriate port to allow the Client to contact the Server. The default used is TCP port 9102, but this can be changed if necessary by reconfiguring both the Client and the Server. Authentication A key security consideration when using the Motorola SSL Mobile VPN Solution is the type(s) of authentication that will be used. Authentication is the process whereby the AirBeam Safe Enterprise Server verifies the identity of the VPN Client through the use of credentials supplied by the VPN Client to ensure that it is authorized to establish a connection. As discussed later in this document in the section How the Motorola Mobile SSL VPN Solution Works, authentication always occurs over a secure tunnel. Consequently, all supported authentication types are effectively secure since authentication information is not subject to eaves-dropping while being transferred. Authentication can be combined with Client Certificates to further verify the identity of the VPN Client and offer even tighter security. Some authentication types are inherently more secure than others from other forms of attack. For example, authentication using a simple User Name and Password is subject to compromise if the credentials are discovered via social engineering (e.g. observing a User entering the credentials or tricking a User into disclosing credentials). Further, security can be enhanced by protecting against brute-force attacks through the use of strong Passwords. Strong Passwords

20 12 -- Using the Motorola SSL VPN Solution with MSP are those that are not easily guessed and are not vulnerable to dictionary-based attacks. The choice of authentication type used is often driven by the authentication infrastructure that is already in place within an Enterprise. For example, if an Enterprise already has an LDAP (Lightweight Directory Access Protocol) Directory Server or Microsoft Active Directory Domain in place, then it may be appropriate to authenticate against that existing Directory Server. If no existing authentication infrastructure is in place or if using that existing authentication infrastructure is not practical or desirable, then a simpler authentication type may be used, such as configuring a local database of User Names and Passwords. A variety of authentication types are supported and each provides different degrees of security, including: AD/Simple This indicates that authentication will be performed directly between the VPN Client and the AirBeam Safe Enterprise Server. The AirBeam Safe Enterprise Server will authenticate the credentials locally, via Windows authentication or via a configured database of User Names and Passwords. The VPN Client will acquire the requisite credentials before connecting to the AirBeam Safe Enterprise Server and then transfer them to the AirBeam Safe Enterprise Server over the secure tunnel, when requested to do so by the AirBeam Safe Enterprise Server. Notes: The use of this authentication type does not preclude the use of the RADIUS challenge/response authentication type. The use of this authentication type allows the VPN Client to authenticate directly with the AirBeam Safe Enterprise Server, if the Server is configured to support it. If the AirBeam Safe Enterprise Server is also configured to support RADIUS challenge/response authentication, then authentication may occur twice. The use of this authentication type results in one, two, or three-factor authentication, depending on how the AirBeam Safe Enterprise Server is configured. When used alone, it results in one-factor authentication. When used in conjunction with Client Certificates or the RADIUS challenge/response authentication type, it can result in two or three-factor authentication. Challenge/Response This indicates that authentication will be performed between the VPN Client and a RADIUS Server using RADIUS challenge/response, facilitated by the AirBeam Safe Enterprise Server. The VPN Client will prompt for authentication information only when a challenge is received from the RADIUS Server via the AirBeam Safe Enterprise Server. The VPN Client then collects the appropriate authentication information and sends it over the secure tunnel to the AirBeam Safe Enterprise Server which forwards it to the RADIUS Server. Via the RADIUS Server many different authentication types may be supported, including LDAP (Lightweight Directory Access Protocol), Microsoft Active Directory, and RSA SecurID. Notes: The use of this authentication type does preclude the use of AD/Simple authentication type. The use of this authentication type prevents the VPN Client from authenticating directly with the AirBeam Safe Enterprise Server, even if the Server is configured to support it.

21 Chapter 3 Security Considerations 13 The use of this authentication type results in one or two-factor authentication, depending on how the AirBeam Safe Enterprise Server is configured. When used alone, it results in one-factor authentication. When used in conjunction with Client Certificates, it results in two-factor authentication. Special Case With Client Certificates When using Client Certificates, it is possible configure the AirBeam Safe Enterprise Server such that no additional authentication is used. This means that authentication will rely solely on the Client Certificates to verify the identity of the VPN Client. The VPN Client would then never prompt for authentication information and would never need to send authentication information to the AirBeam Safe Enterprise Server. Notes: The use of this authentication type does preclude the use of both the AD/Simple authentication type and the RADIUS challenge/response authentication type. The use of this authentication type prevents the VPN Client from participating in these authentication types, even if the Server is configured to support them. The use of this authentication type results in one-factor authentication and is allowed only when Client Certificates are used since otherwise there would be no authentication at all.

22 14 -- Using the Motorola SSL VPN Solution with MSP

23 15 -- Using the Motorola SSL VPN Solution with MSP Chapter 4 Configuration Overview This chapter discusses the use of Settings Objects to configure the VPN Client as part of the Motorola SSL Mobile VPN Solution. Settings Class The Settings Class Network.WVPN.Motorola.SSL is used to create Settings Objects to configure the Motorola SSL Mobile VPN Solution. The Definition Document for this Settings Class is Network.WVPN.Motorola.SSL.Settings.XML, and must have been uploaded into MSP before Settings Objects of this Settings Class can be created. Configuration Settings The following Configuration Settings are supported within Network.WVPN.Motorola.SSL Settings Objects and can be used to configure the VPN Client. Description This Setting specifies an optional overall description which can be used to enter comments or other information about this Settings Object. Server address: This Setting allows the IP Address or network name of the primary AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server to be specified. Server port: This Setting allows the port number to be used to connect to the primary AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server to be specified.

24 16 -- Using the Motorola SSL VPN Solution with MSP WVPN Server Group name: This Setting allows a group name to be specified. This is only relevant when an AirBeam Safe Gatekeeper Server is used. The WVPN Server Group name is used to identify a group of AirBeam Safe Enterprise Servers to which connections from the VPN Client can be directed by the AirBeam Safe Gatekeeper Server. Additional server address: This Setting controls whether a secondary AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server will be specified. Selecting TRUE will allow the following additional Settings to be configured. Additional server address: This Setting allows the IP Address or network name of the secondary AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server to be specified. Additional server port: This Setting allows the port number to be used to connect to the secondary AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server to be specified. Select WVPN server randomly: This Setting controls whether connections to the AirBeam Safe Enterprise Server(s) or AirBeam Safe Gatekeeper Server(s) should be randomized. Selecting TRUE indicates that on each connection the VPN Client should randomly decide whether to connect to the primary or secondary Server. Selecting FALSE indicates that the Primary Server should be used when possible and the secondary VPN Server should be used only if primary Server cannot be used. Authentication Information This Settings in this section are used when AD/Simple Authentication is used. They allow the credentials to be pre-entered so the Device User need not be prompted to enter them. If all the required information has been specified via these Settings, then the VPN Client will not prompt the Device User to enter them. If any of these Settings are left blank, then the Device User will be prompted to enter the required information. Note: These Settings are only used for AD/Simple Authentication. If Challenge/Response Authentication is used, then these Settings will be ignored and the Device User will always be prompted based on challenge from the RADIUS Server. WVPN user: This Setting allows the User Name for AD/Simple Authentication to be specified. WVPN domain: This Setting allows the domain for AD/Simple Authentication to be specified.

25 Chapter 4 Configuration WVPN password: This Setting allows the Password for AD/Simple Authentication to be specified. The password will be encrypted and stored in the Device Registry to enable secure automatic connection without having to prompt the Device User to enter the Password. Use computer certificate This Setting controls whether a Client Certificate on the device should be used to verify the identity of the VPN Client to the AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server. Selecting TRUE will allow the following additional Settings to be configured. Note: This Setting only makes sense to set to TRUE if the AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server has been configured to use Client Certificates to authenticate VPN Clients. If this is not the case, then configuring this Setting on the VPN Client will have no effect since the AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server will never ask the VPN Client to send its Client Certificate. Client certificate issuer This Setting allows information to be specified about the issuer of the Client Certificate that will be used. For the VPN Client to use a Client Certificate, the Client Certificate must already be in the Personal/Client Certificate Store of the device. Note: A Certificate Settings Object is the most common way to install a Client Certificate into the Personal/Client Certificate Store of the device prior to referencing that Client Certificate via issuer information provided by this Setting in a Network.WVPN.Motorola.SSL Settings Object. The VPN Client locates the Client Certificate that it will use by comparing the issuer information provided in this Setting with the issuer information in the Client Certificates that are in the Personal/Client Certificate Store of the device. The issuer information specified in this Setting must be a text string in the following format: <designator1>=<value1>, <designator2>=<value2>,, <designatorn>=<valuen>

26 18 -- Using the Motorola SSL VPN Solution with MSP The following requirements must be met when constructing the text string for this Setting: Format sensitivity The format used for the string must exactly follow the format as defined above. In particular: The designator must be followed immediately by the equal sign (=) with no space between the designator and the equal sign (=). The equal sign (=) must be followed immediately by the value, with no space between the equal sign (=) and the value. A comma (,) must be used to separate the value for one designator from the next designator. There must be a space following the comma that separates the value for one designator from the next designator. There must not be a comma (,) or any spaces after the value of the last designator. Case sensitivity The text string for this Setting is case sensitive. Designators and values must match the required values exactly. Order sensitivity The designators specified in the text string must include all the designators included in the Issuer of the CA Root Certificate and must be listed in the text string for this Setting in exactly the order they appear in the Issuer of the CA Root Certificate. Designator sensitivity The designators used must be supported by the VPN Client. The designators supported by the VPN Client are shown the first column of Table 1 below. Notes: When examining a CA Certificate on a Windows PC or Windows device, Windows Designators are displayed, which may be different from the VPN Client Supported Designators. In such cases, the issuer information specified in text string for this Setting must use the VPN Client Supported Designators. The necessary mapping can be accomplished using Table 1 below. A CA Certificate could be constructed which uses additional designators in the Subject and Issuer which are not listed in Table 1 below. Such a CA Certificate cannot be used to issue Client Certificates for use with the VPN Client. This is because it would be impossible to construct a string that exactly matches the issuer information of the Client Certificate using only VPN Client Supported Designators. VPN Client Supported Designator Windows Designator Standard X.509 Designator Purpose CN CN commonname Specifies the common name used to identify the entity

27 Chapter 4 Configuration VPN Client Supported Designator Windows Standard X.509 Designator Designator Purpose SN SERIALNU MBER serialnumber Specifies an identifier assigned when the distinguished name would otherwise not be unique dnqualifier dnqualifier dnqualifier O O organizationname OU OU organizationalunitname C C countryname S S stateorprovincename localityname L localityname E E address Specifies additional disambiguating information assigned when the distinguished name would otherwise not be unique Specifies the organization name with which the entity is associated Specifies the organizational unit name which the entity is associated Specifies the country associated with the specified organization or the entity Specifies the state or province associated with the specified organization or entity Specifies the locality (city) associated with the specified organization or entity Specifies the address associated with an organization or entity Name None (will show as an OID number) Specifies a name for an entity surname SN surname givenname G givenname Specifies the family name (last name) of a person Specifies the given name (first name) of a person

28 20 -- Using the Motorola SSL VPN Solution with MSP VPN Client Supported Designator Windows Standard X.509 Designator Designator Purpose generationqualifier None (will show as an OID number) generationqualifier Specifies the generation suffix of a person (e.g. Sr., Jr., IV, etc.). Initials I Initials Title T title DC DC domaincomponent Specifies the initials of a person Specifies the function of a person within the specified organization and/or organizational unit Specifies the domain name (e.g. registered DNS name) of an entity Table 1 Certificate Distinguished Name Field Designators The following example may help to understand how to successfully create the text string to specify the issuer information for a Client Certificate. Assume that a Private CA was created that has both the Issuer and Subject set to the same collection of designators and values. When viewed on a Windows Workstation PC, the Root CA Certificate for this Private CA might appear as shown in Figure 1 below. Figure 1 Sample CA Certificate Distinguished Name

29 Chapter 4 Configuration As shown in Figure 1 above, the Subject and Issuer have the same set of designators and values and the designators used are the Windows Designators shown in column 2 of Table 1 above. All of these designators are the same as the VPN Client Supported Designators except the designator L which must be mapped to localityname. The text string required to successfully specify the issuer information for any Client Certificate issued by that Private CA would thus be: E=My. @MyOrganization.com, CN=SampleCA, OU=MyOrgUnit, O=MyOrganization, localityname=mylocale, S=MyState, C=US As shown above, the issuer information is specified in the required format, the designators and values are in the proper case, all the designators and values are listed and they are listed in the order they appear in the CA Certificate, and the VPN Client Supported Field Designator localityname was used instead of the Windows Designator L. Note: While the above text string was wrapped onto two lines in this document, because of its length, it would need to be entered as a single string into the Setting. The VPN Client will select a Client Certificate from the Personal/Client Certificate Store of the device by finding one where all the issuer information in the Client Certificate exactly matches the supplied issuer information. If the specified issuer information matches more than one Client Certificate, then the first Client Certificate that is successfully matched will be used. DHCP User class: This Setting allows a User class to be specified. The AirBeam Safe Enterprise Server can be configured to use internal IP Address pool(s) to assign IP Addresses to VPN Clients. The User class can be used to define a scope such that IP Addresses for the VPN Client are allocated from a specific pool associated with that User class. Autostart client: This Setting controls whether the VPN Client will be automatically launched when the device is subsequently rebooted. Selecting TRUE causes the VPN Client to be automatically launched on each subsequent reboot. Automatic connect: This Setting controls whether the VPN Client will automatically attempt to connect to the AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server once it has a valid configuration. Disable Error Messages: This Setting controls whether error messages are suppressed from being displayed to the Device User. Selecting TRUE will prevent error messages from being displayed to the Device User, which may be desirable in situations where the Device User is not expected to be able to take any corrective actions and should not be interrupted by messages. Note: Errors will still be written to the log file on the device based on the configured Severity level.

30 22 -- Using the Motorola SSL VPN Solution with MSP Disable the tray Icon: This Setting controls whether the tray icon for the Motorola SSL Mobile VPN Solution will be prevented from being displayed in the sys tray on the device. Selecting TRUE prevents the icon from being displayed. This can be useful it is desirable to completely hide all visibility to and access to the VPN Client from the Device User. Disable disconnect menu: This Setting controls whether the Disconnect menu option, that is normally available from the tray icon for the Motorola SSL Mobile VPN Solution will be disabled (grayed out). Selecting TRUE disables the menu option. This can be useful if the tray icon will be displayed but it is desirable to prevent the Device User from disconnecting the VPN Client. Disable cancel connect: This Setting controls whether the Cancel button on the dialog that is shown on the VPN Client connection dialog will be disabled (grayed out). Selecting TRUE disables the button. This can be useful if the dialog will be displayed but it is desirable to prevent the Device User from cancelling connection attempt. Login type: This Setting allows the type of authentication to be configured. The possible values, and their meanings, are described earlier in this document in the section Authentication. Show advanced settings: This Setting controls whether additional advanced Settings can be configured. Selecting TRUE will allow the following additional Settings to be configured. Enable debug logging: This Setting controls whether debug logging is enabled. Selecting TRUE will enable debug logging and allow the following additional Settings to be configured. Debug log file size: This Setting allows the maximum size of the Log File created, in bytes, to be specified. This can be useful to limit the amount of space in the Device File System can be consumed by the Log File. Debug file: This Setting allows the path and name of the Log File to be specified. By default, this Setting is set to a value of \DebugLog.txt which cases the Log File to be called DebugLog.txt and to be located in the root of the Device File System. This can be useful to place the Log File someplace more or less Persistent. CA Certificate: This Setting specifies the CA Certificate that will be used to verify the identity of the Server Certificate sent to the VPN Client by the AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server. The User will be asked to browse to the location of and select the appropriate Certificate.CER file.

31 23 -- Using the Motorola SSL VPN Solution with MSP Chapter 5 How the Motorola SSL Mobile VPN Solution Works Overview This chapter describes how the Motorola SSL Mobile VPN Solution actually functions. While the information in this section will help provide a more complete understanding of the Motorola SSL Mobile VPN Solution, readers may nonetheless choose to skip ahead to the next chapter, Error! Reference source not found., to get started right away. How the Motorola Mobile SSL VPN Solution Works Figure 2 below shows the high level architecture of the device software of the Motorola Mobile SSL VPN Solution. Figure 2 Motorola Mobile SSL VPN Architecture

32 24 -- Using the Motorola SSL VPN Solution with MSP As shown in Figure 2 above, the various components that make up the Motorola SSL Mobile VPN Solution are described in the following subsections. Network Components As shown in Figure 2 above, various network domains that comprise or are used in conjunction with the Motorola SSL Mobile VPN Solution are described in the following subsections. Public Network A common use of the Motorola SSL Mobile VPN Solution is to provide secure connectivity from and to entities, usually devices, on a Public Network, such as the Public Internet. A classic scenario is a WWAN-enabled device that with cellular data connectivity. Such a device often has the ability to contact Servers that are exposed onto the Public Internet, but usually cannot be contacted from the Public Internet, which is probably a good thing from a security perspective. Using the Motorola SSL Mobile VPN Solution, the device can be virtually bridged onto the Enterprise Network in a secure manner and assigned an IP Address on that network. This allows the device to securely contact Servers in the Enterprise Network and be contacted by entities, such as Servers or Workstation PCs, on the Enterprise Network, as if it were physically on the Enterprise Network. DMZ (De-Militarized Zone) A DMZ is generally a security necessity when one or more Servers located on an Enterprise Network will be in any way exposed to access from a Public Network, such as the Public Internet. A DMZ is essentially a pair of Firewalls that define a special network domain that is exposed in controlled ways by carefully controlling the configuration of the Firewalls. The Firewall between the DMZ and the Public Network is generally configured to tightly control what traffic can enter the DMZ from the Public Network and usually controls, albeit somewhat less tightly, the traffic that can exit the DMZ to the Public Network. By controlling the traffic entering the DMZ from the Public Network, many threats can be prevented before they can get started. The Servers located in the DMZ are generally designed to be gateways between Intermediate Servers in the DMZ, such as the AirBeam Safe Gatekeeper Server, and Servers in the Enterprise Network, such as the AirBeam Safe Enterprise Server. More sensitive interfaces can be used by Intermediate Servers to bridge traffic to Servers within the Enterprise Network. By operating in the DMZ, Intermediate Servers can qualify traffic in various ways and significantly reduce risk by filtering out many threats. The Firewall between the DMZ and the Enterprise Network is generally configured to tightly control what traffic can enter the Enterprise Network from the DMZ and usually controls, albeit somewhat less tightly, the traffic that can enter the DMZ from the Enterprise Network. By controlling the traffic entering the Enterprise Network from the DMZ, most threats that somehow get past the Intermediate Servers in the DMZ can be prevented. Enterprise Network The Enterprise Network is the internal Private Network of the Enterprise and is generally where all the sensitive Servers that provide Enterprise-specific services are generally located. In most cases, the AirBeam Safe Enterprise Server would be located in the Enterprise Network. Many other Servers, including the MSP Server, one or more Relay Servers, and various Application Servers will commonly also be located in the Enterprise Network.

33 Chapter 5 How the Motorola SSL Mobile VPN Solution Works In some cases, an Enterprise may have more than one level of DMZ. In such cases, there may be a DMZ just for some of the more sensitive Servers that would otherwise be located in the Enterprise Network. This might be done if there are security reasons for wanting to partially isolate such Servers from the general Enterprise Network. Software Components As shown in Figure 2 above, the various software components that comprise or are used in conjunction with the Motorola SSL Mobile VPN Solution are described in the following subsections. VPN Client The VPN Client is a software component that resides on a device and handles the device-side establishment and communications associated with the secure tunnel connection. When using the Motorola SSL Mobile VPN Solution, the VPN Client is installed as an MSP Package and configured by applying Settings Objects of the Settings Class Network.WVPN.Motorola.SSL. The VPN Client can be configured to connect to one or two Server components, depending on the requirements and overall system design. AirBeam Safe Enterprise Server The AirBeam Safe Enterprise Server is a software component that resides on a Server, usually safely within an Enterprise Network. The AirBeam Safe Enterprise Server handles the Serverside encryption, authentication, compression and session management. The AirBeam Safe Enterprise Server also acts as the termination point for secure tunnel connections from VPN Clients. Note: The AirBeam Safe Enterprise Server can act alone, without an AirBeam Safe Gatekeeper Server, but this would require that the AirBeam Safe Enterprise Server be directly exposed to the contacting devices. This would generally mean that the AirBeam Safe Enterprise Server would need to reside in the DMZ. While this can be done, it is generally considered a less secure solution than would result if an AirBeam Safe Gatekeeper Server were also used. AirBeam Safe Gatekeeper Server The AirBeam Safe Gatekeeper Server is an optional software component that must reside on a Server that is separate from the AirBeam Safe Enterprise Server. The AirBeam Safe Gatekeeper Server helps increase security by reducing the attack surface of the overall solution. The Gatekeeper is not a mandatory component, but can help to achieve a more stringent level of security. When used, the AirBeam Safe Gatekeeper Server acts as the termination point for secure tunnel connections from VPN Clients and hence would generally need to be located in the DMZ. This allows the AirBeam Safe Enterprise Server to be more safely located within the Enterprise Network instead of in the DMZ. By separating the tunnel termination from the authentication, the risk is reduced since the more sensitive authentication is more tightly protected. Use of the AirBeam Safe Gatekeeper Server can also simplify Firewall configuration and can be used to enable load balancing, by directing traffic to one of several AirBeam Safe Enterprise Servers.

34 26 -- Using the Motorola SSL VPN Solution with MSP Other Enterprise Server(s) While they are not a part of the Motorola SSL Mobile VPN Solution, there will often be other Enterprise Servers within the Enterprise Network where the AirBeam Safe Enterprise Server is located. The MSP Server and one or more Relay Servers might be amongst these. Also, various other Application Servers that might be utilized by the same devices could be amongst these. A key thing to understand is that the Motorola SSL Mobile VPN Solution can potentially server as a common pathway to all these Servers. VPN Connection To establish a secure connection, the VPN Client must be configured to contact one or more AirBeam Safe Enterprise Servers or AirBeam Safe Gatekeeper Servers. If AirBeam Safe Gatekeeper Server(s) are used, then the VPN Client will be configured to contact the IP Address(es) or network name(s) of one or two AirBeam Safe Gatekeeper Server(s). If AirBeam Safe Gatekeeper Server(s) are not used, then the VPN Client will be configured to contact the IP Address(es) or network name(s) of one or two AirBeam Safe Enterprise Server(s). Server Certificate Verification (Mandatory) When the VPN Client contacts the AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server, the Server sends its Server Certificate to the Client to prove its identity. The Client verifies the identity of the Server using the following process: 1. Verify that the issuer of the Server Certificate is trusted by the Client. 2. Verify that the Server Certificate is not expired and is suitable for the intended purpose. 3. Verify that the common name of the subject of the Server Certificate matches the IP Address or network name at which the Client contacted that Server. Note: Server verification by the VPN Client is optional but highly recommended. If all the above checks pass, then the VPN Client has successfully verified the identity of the Server and the connection can proceed. Client Certificate Verification (Optional) Optionally, the AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server can be configured to require that the VPN Client prove its identity to the Server through the use of a Client Certificate. If this option has been configured, then the Server will request the VPN Client to send its Client Certificate and the Server will verify it using the following process: 1. Verify that the issuer of the Client Certificate is trusted by the Server. 2. Verify that the Client Certificate is not expired and is suitable for the intended purpose. 3. Verify that the Client Certificate is not currently being used by any other Client that is connected to the same AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server. Secure Tunnel Establishment Once the VPN Client has verified the Server and the Server has optionally verified the VPN Client, a Secure Tunnel can be established. This proceeds according to the standard rules for TLS (Transport Layer Security) which in brief follows the following process:

35 Chapter 5 How the Motorola SSL Mobile VPN Solution Works The VPN Client creates a random Session Key, encrypts it using the Public Key associated with the Server Certificate, and sends the encrypted Session Key to the Server. 2. The Server decrypts the encrypted Session Key using its Private Key. 3. The VPN Client and the Server now have the same Session Key which is used to encrypt and decrypt all further data traffic, thus permitting a secure tunnel to be established. If the VPN Client connects to an AirBeam Safe Gatekeeper Server, then a second secure tunnel is opened between the VPN Client and the AirBeam Safe Enterprise Server over the connection that is maintained from the AirBeam Safe Enterprise Server to the AirBeam Safe Gatekeeper Server. The establishment of this second tunnel follows a process similar to the above. Once the second secure tunnel is established, the first secure tunnel is dropped. Client Authentication Once a secure tunnel has been established from the VPN Client to the AirBeam Safe Enterprise Server, the Server determines what mode of authentication has been configured and requests the VPN Client to authenticate accordingly. The VPN Client responds over the secure tunnel with the required authentication credentials and the AirBeam Safe Enterprise Server proceeds to validate those credentials. If authentication succeeds, the connection can proceed. If authentication fails, then the connection is rejected. Depending on the type(s) of authentication requested, Session Establishment or Reconnection Once the VPN Client has successfully been authenticated by the AirBeam Safe Enterprise Server, the Server determines if that VPN Client was in the middle of a session. If the VPN Client was in the middle of a session, then the Server re-connects that session and data transfer for that session continues where it left off. If the VPN Client was not in the middle of a session, then the Server establishes a new session with that VPN Client. Virtual IP Address Assignment As part of the establishment of any new session, the AirBeam Safe Enterprise Server acquires a suitable IP Address for the new session based on the IP Address assignment configured in the Server. This could be done by the Server issuing a request to an existing DHCP Server on behalf of the VPN Client or by the Server allocating an IP Address from a Client IP Address pool(s) configured for the Server. Note: When IP Addresses are allocated from IP Address pool, it may take some time after a VPN Client disconnects before the AirBeam Safe Enterprise Server can re-use that IP Address. If an IP Address pool has just enough IP Addresses, and if VPN Clients frequently disconnect, then some re-connections may be delayed due to a temporary unavailability of IP Addresses.

36 28 -- Using the Motorola SSL VPN Solution with MSP Virtual NIC The VPN Client software sets up a Virtual NIC (Network Interface Card) within the device that captures all outgoing traffic, compresses and encrypts it, and sends it the AirBeam Safe Enterprise Server over the physical network adapter that is currently in use. The Virtual NIC will be assigned the Virtual IP Address assigned to session with the VPN Client by the Server. If the physical network connection is temporarily lost (e.g. device suspend, signal loss, adapter switch etc.), the Virtual NIC will remain enabled and operative, although data will be buffered and network operations may block when the available buffers become full. This approach minimizes the effect on network applications, allowing their logical network sessions to be kept active and hence providing an always-on user experience,

37 Chapter 6 Using the Motorola SSL Mobile VPN Solution Overview This chapter explains how to use the Motorola SSL Mobile VPN Solution. Key Questions Do I need a Gatekeeper? The AirBeam Safe Gatekeeper Server is an optional Server component that you normally install in the Enterprise DMZ (DeMilitarized Zone). Refer to MSP Release Notes to understand the functionality of AirBeam Safe Gatekeeper Server and to decide if you need or want to have one or more Gatekeepers. At a high level, a Gatekeeper offers the following advantages: Allows external connections entering from a Public network (such as the Public Internet) to be forced to pass through the AirBeam Safe Gatekeeper Server in the DMZ before being routed to the AirBeam Safe Enterprise Server for authentication and the onto the Private Enterprise Network. Avoids the need to open any incoming ports in the Firewall between the DMZ and the AirBeam Safe Enterprise Server. Note: This is possible because each AirBeam Safe Enterprise Server creates and maintains a connection to its assigned AirBeam Safe Gatekeeper Server in the DMZ. This means that only outgoing, not incoming ports need to be opened in the Firewall.

38 30 -- Using the Motorola SSL VPN Solution with MSP Enables load balancing and failover amongst multiple AirBeam Safe Enterprise Servers. Notes: Full support for load balancing and failover can be achieved only if you have at least one AirBeam Safe Gatekeeper Server and at least two AirBeam Safe Enterprise Servers. It may advantageous to have more than one AirBeam Safe Gatekeeper Server to avoid having a single point of failure. Limited support for load balancing and failover can be achieved by configuring the VPN Client to use primary and secondary Servers. Do I need to use Certificates? The section discusses when and how Certificates may be needed to implement and use the Motorola SSL Mobile VPN Solution. For more information on the need for and use of Certificates with the Motorola SSL Mobile VPN Solution, refer to Administering MSP Server Certificates To use the Motorola SSL Mobile VPN Solution, you must use Server Certificates. Each AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server requires a Server Certificate. That Server Certificate must be issued by a CA that is trusted by that Server. The Server Certificate is required to allow VPN Clients to establish a secure tunnel to that Server. Depending on the CA model used, this may require the installation of the CA Root Certificate into the Trusted Root Certificate Store of the Server. Each VPN Client must trust the CA that issued the Server Certificate of each Server to which it will establish a secure tunnel. Depending on the CA model used, this may require the installation of the CA Root Certificate into the Trusted Root Certificate Store of the device. Client Certificates To use the Motorola SSL Mobile VPN Solution, you can choose whether or not to use Client Certificates. If an AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server is configured to use Client Certificates, then that Server will require that all VPN Clients that connect to it have mutually-unique Client Certificates. Each VPN Client must trust the CA that issued its Client Certificate. Depending on the CA model used, this may require the installation of the CA Root Certificate into the Trusted Root Certificate Store of the device. The Client Certificate must be installed into the Personal Certificate Store of the device. Each AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server must trust the CA that issued each Client Certificate. Depending on the CA model used, this may require the installation of the CA Root Certificate into the Trusted Root Certificate Store of the Server.

39 Chapter 6 Using the Motorola SSL Mobile VPN Solution 31 How to Use the Motorola SSL Mobile VPN Solution Implementation Process The following steps should be followed to implement the Motorola SSL Mobile VPN Solution: 1. Identify the number and types of Servers you will need. a. Will AirBeam Safe Gatekeeper Servers be used? i. How many? ii. Where will they be located? iii. At which IP Address and/or network names will be they be contacted? b. Identify AirBeam Safe Enterprise Servers i. How many? 2. Determine CA Model ii. Where will they be located? iii. At which IP Address and/or network names will be they be contacted? a. Public CA - Select Public CA b. Private CA - Setup or identity Private CA c. Self-Signed Certificates 3. Install the required Server software on appropriate Server hardware 4. Deploy Server Certificates a. Issue Server Certificates for all required Servers b. Install Server Certificates onto all required Servers 5. Install the Motorola SSL Mobile VPN Solution Add-On Kit. For detailed instructions, see Administering MSP Create one or more appropriate Network.WVPN.Motorola.SSL Settings Objects. 7. Deploy the appropriate Package(s) containing the appropriate version(s) of the VPN Client to the appropriate device(s). 8. Deploy the appropriate Network.WVPN.Motorola.SSL Settings Objects to the appropriate devices to configure the VPN Client as required. Assuming that the right configuration has been applied to the VPN Client on a device using the appropriate Settings Objects, the VPN Client on the device should automatically launch and connect to the AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server. It is then possible to begin using the VPN to communicate with the entities on the Enterprise Network.

40 32 -- Using the Motorola SSL VPN Solution with MSP VPN Client Installation When a Package to deploy the Motorola SSL Mobile VPN device software is installed on a device, the device will reboot. This is necessary to finish the installation of the device software. But the VPN Client will not launch or attempt to connect until it has been configured by applying an appropriate Network.WVPN.Motorola.SSL Settings Object. When the VPN Client is running on a device, it will display a tray icon in the sys tray on the device unless it has been specifically configured not to do. The tray icon indicates the status VPN Client and connections as shown in Table 2 below. Icon State Description The VPN Client is running and is connected. The number of blue bars indicates the current data rate of the connection. The VPN Client is running and is trying to connect or re-connect. The VPN Client is running but is not connected and is not trying to connect. VPN Client Operation Table 2 VPN Client Tray Icon States As shown in Table 2 above, the VPN Client tray icon, if it is shown, can be used to identify the current state of the VPN Client. When the VPN Client tray icon is green, an IP Address on the Enterprise Network has successfully been assigned to the device and the device can communicate with entities on the Enterprise Network. When using MSP and the GetAdapters Control Module, the IP Address assigned to the VPN Client Virtual NIC will be reported to MSP. For more information on the GetAdapters Control Module, refer to Understanding MSP Understanding Control Modules. If the physical connection is lost, the VPN Client tray icon will change to yellow to indicate that a re-connection of the sessions is required and will be automatically attempted periodically in the background when physical connectivity becomes available. The VPN Session will be maintained and applications with open connections will not see them terminate. Any data transfers that were initiated before the loss of connectivity will remain buffered and new attempts to initiate data transfer can be accepted and will be buffered. New data transfer requests may block or indicate not ready when the maximum available buffer capacity has been reached and connectivity remains unavailable.

41 Chapter 6 Using the Motorola SSL Mobile VPN Solution 33 If the VPN Session is disconnected using the Disconnect menu option that can be invoked from VPN Client tray icon, then the VPN Client tray icon will change to red to indicate that no session is active. Any applications with open connections will see them terminate when the VPN session is explicitly disconnected. If the VPN Client is terminated using the Exit menu option that can be invoked from VPN Client tray icon, then the VPN Client tray icon will be removed from the sys tray to indicate that the VPN Client is no longer running. When the VPN Client terminates, any VPN session that is connected will be disconnected. Managing the VPN Client Updating VPN Settings Once the VPN Client has been configured and connected, as a result of applying an appropriate Network.WVPN.Motorola.SSL Settings Object, it may become necessary to reconfigure the VPN Client to keep pace with changes in the rest of the Enterprise. A suitable new or modified Network.WVPN.Motorola.SSL Settings Object can be sent at any time to reconfigure the VPN Client. Settings Objects are Single Instance and consequently, Installing a new or updated Network.WVPN.Motorola.SSL Settings Object will replace any previously installed Settings Object of the same Settings Class. The uninstallation of the old Settings Object will disconnect the VPN Client and the installation the new Settings Object will re-connect the VPN Client, if so requested. This allows the VPN Client configuration to be changed using the existing VPN connection and ending up connected again. Important: While changing allows the VPN Client configuration over an existing VPN connection is possible, it should be performed only after careful testing under a variety of conditions. If the new VPN Client configuration results in an inability to connect, and if the VPN connection is the only one over which manageability is possible, then a loss of manageability may result. To recover from such a situation, the device would need to have some other form of connectivity established or would need to be Staged to re-establish VPN connectivity. Updating Certificates Certificates are always issued with a defined Range of Operational Validity, which is a period of time that is established by a pair of dates and times that define when the Certificate is Valid From and when the Certificate is Valid To. CA Certificates are often issued with Valid To dates that are well into the future. This can help avoid the need to frequently (or potentially ever) re-issue them. Server Certificates and Client Certificates are often issued with Valid To dates that are much closer. In most cases (except when using Self-Signed Certificates), when a new Server Certificate or Client Certificate is issued, it need only be distributed to the owner of that Certificate (i.e. to the Server or Client to which the Certificate was issued). When re-issuing a Server Certificate or Client Certificate, it is often advisable to define the Ranges of Operational Validity of the old and new Certificates such that they overlap. In other words, the Valid From date of the new Certificate is before the Valid To date of the old Certificate. This allows the new Certificate to be installed before the old Certificate has expired and ensures that the new Certificate will be valid when it is installed.

42 34 -- Using the Motorola SSL VPN Solution with MSP If the above approach is followed, then so long as the CA Certificate remains valid, installing a new Server Certificate or Client Certificate should have little impact on a running system. Of course, the new Certificate should be installed before the old Certificate expires to avoid an inability to connect. Note: A Certificate Settings Object is the most common way to install an updated Client Certificate into the Personal/Client Certificate Store of a device. If the issuer information of the Client Certificate has remained identical, then the Network.WVPN.Motorola.SSL Settings Object would not need to be updated or re-applied. Disabling the VPN Client Uninstalling the Network.WVPN.Motorola.SSL Settings Object that configured and launched the VPN Client can be used to remotely terminate the VPN Client, causing it to exit. This will leave the VPN Client installed and available to be reconfigured at a later time. Important: While remotely terminating the VPN Client is possible, it should be undertaken with caution. If the VPN connection is the only one over which manageability is possible, then a loss of manageability, will result. To recover from such a situation, the device would need to have some other form of connectivity established or would need to be Staged to re-establish VPN connectivity. Uninstalling the VPN Client Uninstalling the Package that deployed the VPN Client can be used to remotely terminate the VPN Client, causing it to exit, and then completely removing it from the device. Note: Any Network.WVPN.Motorola.SSL Settings Object that has previously been used to configure and launch the VPN Client should be uninstalled before the VPN Client is uninstalled. Uninstalling the Package that deployed the VPN Client means that the VPN Client will no longer available to be configured and will need to be re-installed before the VPN Client can again be used. Important: Uninstalling the VPN Client is possible should be undertaken with caution. If the VPN connection is the only one over which manageability is possible, then a loss of manageability, will result. To recover from such a situation, the device would need to have some other form of connectivity established or would need to be Staged to re-establish VPN connectivity. Upgrading the VPN Client From time to time, new versions of the VPN Client will become available through new versions of the Motorola SSL Mobile VPN Add-On Kit. To upgrade the VPN Client, deploy the new Package which will replace the existing Package of the same name (but with a different version). Note that a Package replacement performs an uninstall of the old Package before installing the new Package.

43 Chapter 6 Using the Motorola SSL Mobile VPN Solution 35 Notes: Since upgrading the VPN Client involves uninstalling the VPN Client, any Network.WVPN.Motorola.SSL Settings Object that has previously been used to configure and launch the VPN Client should be uninstalled before the VPN Client is upgraded. Once the new VPN Client has been installed, an appropriate Network.WVPN.Motorola.SSL Settings Object will need to be applied to configure the VPN Client and connect it if desired. The same or a different Network.WVPN.Motorola.SSL Settings Object might be used, depending on the circumstances. Once the VPN Client has been suitably upgraded, configured, and connected, VPN connectivity should resume. In most cases the upgrading of the VPN Client when it is configured and connection should consist of three Deployment Steps, which can generally be placed into the same Bundle. The first Deployment Step should uninstall the current Network.WVPN.Motorola.SSL Settings Object. The second Deployment Step should install the new Package, which will replace the old Package. The third Deployment Step will install the Network.WVPN.Motorola.SSL Settings Object. Important: If the upgrading of the VPN Client is being performed over the VPN connection, a potential problem can occur. The VPN connection will be lost after the first Deployment Step and will not re-established until the third Deployment Step. As a result, the Bundle will not be able to finish since connectivity will not be available to pull the Packages for the second and third Deployment Steps. If it is necessary to upgrade the VPN Client over the VPN connection, a Detached Job must be used. A Detached Job uses Cached Execution whereby all the Content is downloaded in advance, while connectivity is available, before the Deployment Steps are executed. For more information on Detached Jobs, see Understanding MSP Understanding Objects. Remote Control over a VPN Connection A discussed earlier, one key reason to use the Motorola SSL Mobile VPN Solution is to deal with devices that would otherwise be uncontactable or which otherwise could be a security risk. Remote Control over a WWAN cellular data connection often has both issues and hence is a key reason why the Motorola SSL Mobile VPN Solution might be used. As mentioned earlier, once a VPN connection is established, if the MSP GetAdapters Control Module is being used, it will automatically and periodically report the IP Address of the VPN session to the MSP Server. This will allow the MSP Console UI to be used to initiate a Remote Control session to the device via the VPN connection. As long as the Workstation PC from which the MSP Console UI is being run is on the same Enterprise Network as the AirBeam Safe Enterpriser Server, a successfully connection can likely be made.

44 36 -- Using the Motorola SSL VPN Solution with MSP Notes: There are a variety of potential reasons why a Workstation PC might not be able to successfully establish a Remote Control session to a device over a VPN connection. It is beyond the scope of this document to cover all the possible reasons, but an example may help to understand the concepts involved. Consider the situation where the Workstation PC is on a different subnet of the Enterprise Network from the AirBeam Safe Enterpriser Server. If the routing between these two subnets does not forward traffic on the ports required for a Remote Control connection, then the Workstation PC would not be able to successfully establish a Remote Control session to a device. For more information on configuring the ports required to support Remote Control, see Understanding MSP Understanding MSP Security. Troubleshooting Common Issues Certificate Range of Operational Validity Certificates are designed to be time sensitive, having a range of operational validity. If a device is not set to the correct date and time, then a Certificate could be erroneous determined to be invalid. The Certificate could be considered to be not yet valid or no longer valid based on the date and time set on the device. The installation of a Certificate could fail or, in the case of a previously installed Certificate, the Certificate could fail to perform its purpose. Some common failure cases include: A CA Certificate cannot be successfully installed on a device because the date and time set on that device is outside the range of operational validity for that CA Certificate. A Server Certificate cannot be successfully trusted on a device because the date and time set on that device is outside the range of operational validity for the previously-installed CA Certificate of the issuer of that Server Certificate. A Server Certificate cannot be successfully validated on a device because the date and time set on that device is outside the range of operational validity for that Server Certificate. A Client Certificate cannot be successfully trusted on a device because the date and time set on that device is outside the range of operational validity for the previously-installed CA Certificate of the issuer of that Client Certificate. A Client Certificate cannot be successfully installed on a device because the date and time set on that device is outside the range of operational validity for that Client Certificate. Most of the above failure cases can be corrected by simply settings the date and time of the device correctly. The MSP DateAndTime Control Module can be used to set the date and time of a device to the date and time of a selected Web Server. For more information on the DateAndTime Control Module, see Understanding MSP Understanding Control Modules. When Staging a device to establish VPN connectivity, it may be necessary to install Certificates before network connectivity is available. The MSP DateAndTime Control Module can only be used to set the date and time of a device if that device has connectivity to a specified Web Server. A fresh-out-of-the-box device could therefore present a problem since its date and time are likely set wrong and it likely has no connectivity. When Staging such a device to establish VPN connectivity, and when the installation of Certificates is required, this presents a potential problem.

45 Chapter 6 Using the Motorola SSL Mobile VPN Solution 37 One solution would to manually set the date and time on the device before Staging. While this would work, it is a tedious and error-prone solution. A better solution would likely be to use a Certificates Settings Object to deploy the Certificates (which is likely already being done) and to set the Device date and time Setting of that Certificates Settings Object to Set to certificate NotBefore time, if necessary. This will check the date and time of the device against the Range of Operational Validity for the Certificate and change the date and time of the device to the beginning of the Range of Operational Validity if necessary to make sure that the Certificate can be successfully installed. Important: If the above approach is used, then the device will almost certainly end up set to an incorrect date and time, albeit one that makes connectivity possible. Once the device has connectivity, then the MSP DateAndTime Control Module can be successfully used to set the date and time of the device from a specified Web Server. And even if the date and time is left incorrect, it is probably no worse than the fresh-out-of-the-box time that would otherwise have been set on the device. You can find out if Certificate Range of Operational Validity will likely be an issue by checking the date and time on a device and comparing it to the information displayed for a Certificate when the Certificate file is opened on a Workstation PC. You can also find out if it is an issue on a device by attempting to install the Certificate on the device manually and seeing what happens. Try Manual Configuration and Connection When first installing the Motorola SSL Mobile VPN Solution, it may be advisable to try connecting a few devices manually before attempting to configure any device using MSP. After installing and configuring the required Server(s), use MSP to deploy the Package containing the VPN Client to a small number of devices. This will generally require establishing some form of connectivity other than a VPN connection (e.g. ActiveSync or a WLAN connection. Once the VPN Client software Package is installed, the VPN Client can be manually launched on the device and then manually configured using its in-device configuration UI. Once one device or a few devices can successfully establish a VPN connection, you know you have the Server(s) configured and that you know the right information needed to configure the VPN Client. It then makes sense to work on accomplishing the same thing via MSP. Lack of Suitable Device Connectivity If it is not possible to establish a VPN connection successfully, the problem may that the device may lack suitable connectivity. The following should be checked: Check the signal strength icon (if available) on the device to see if data connectivity is available. Use the appropriate in-device UI to check the configuration and connectivity available. Determine the device IP Address and see if it is as expected. Try to ping the device IP Address from the device. Try to ping the default gateway IP Address from the device. Try to ping some known Server IP Address from the device. Try using Internet Explorer on the device to reach some known Web Server.

46 38 -- Using the Motorola SSL VPN Solution with MSP Inaccessible Server(s) If it is not possible to establish a VPN connection successfully, an obvious but sometimes overlooked thing to check is that the AirBeam Safe Enterprise Server(s) and/or AirBeam Safe Gatekeeper Server(s) are properly accessible. The Server(s) could be down, could have incorrectly configured network connectivity, or could have no network connectivity at all. The following should be checked for each relevant Server: Log into the Windows Console of the Server and verify that all required services are running. Check the network adapter on the Server and see if it is connected and if its IP Address seems correct. Try to ping the Server from a Workstation PC using its IP Address. Try to establish a telnet session to the Server from a Workstation PC using its IP Address and the Server port number. (e.g. Telnet :9102). Try to ping the Server from a device using its IP Address. If possible, place a Workstation PC onto the same subnet as devices and try to ping the Server from a Workstation PC using its IP Address. If possible, place a Workstation PC onto the same subnet as devices and to establish a telnet session to the Server from a Workstation PC using its IP Address and the Server port number. (e.g. Telnet :9102). Incorrectly Configured Server(s) If it is not possible to establish a VPN connection successfully, the problem may that the AirBeam Safe Enterprise Server(s) and/or AirBeam Safe Gatekeeper Server(s) are not correctly configured. The following should be checked: Run the AirBeam Safe Server Configuration Program and check to see that each AirBeam Safe Enterprise Server is configured as expected. Run the AirBeam Safe Gatekeeper Configuration Program and check to see that each AirBeam Safe Gatekeeper Server is configured as expected. Check the Application Event log on the Server(s) to see if any AirBeam Safe related errors are reported. Turn on debug logging on the Server(s) and check the debug log(s) to see if any relevant problems are reported. Missing Device License Server(s) If it is not possible to establish a VPN connection successfully, the problem may that the AirBeam Safe Enterprise Server does not have sufficient device licenses installed for the number of devices to be connected. The following should be checked: In the AirBeam Safe Server Configuration program, check the amount of licenses available on the About tab. Compare that with the amount of connected users, visible in the AirBeam Safe Administrative Tool.

47 Chapter 6 Using the Motorola SSL Mobile VPN Solution 39 Incorrectly Configured VPN Client If it is not possible to establish a VPN connection successfully, the problem may that the VPN Client is not correctly configured. The following should be checked: Check the VPN Settings Object and compare the Settings against the configuration that can be manually used to successfully establish a VPN connection from a comparable device under comparable conditions. Check the VPN Settings Object and compare the Settings against the configuration of the relevant AirBeam Safe Enterprise Server and/or AirBeam Safe Gatekeeper Server to see that they are consistent. Check that the correct VPN Settings Object is installed on the device by looking at the Package inventory for the device on the MSP Console UI or in the Package list in the MSP Agent or RD Client UI. Check that the VPN Client configuration applied by the VPN Settings Object matches what was expected by using the VPN Client in-device configuration UI. Troubleshooting Tools From the Command Prompt on Server(s) The commands described below can be executed from the command prompt of a Server and can often be used to help debug common problems. The command prompt can be invoked on a Server via: Start->Programs->Accessories->Command Prompt. ipconfig This command can be used to query information about the configuration and status of network adapters on a Server. ipconfig all The above command shows all your IP addresses as well as other facts regarding every, adapter. netstat This command can be used to verify that the AirBeam Safe Enterprise Server and the AirBeam Safe Gatekeeper Server are listening on the right ports and that a TCP connection is established between them. netstat na Ensure that the AirBeam Safe Gatekeeper Server is listening for AirBeam Safe Enterprise Servers on port 9101 (default). From the Device Debug Log File When configured as described earlier in section Enable debug logging:, the VPN Client creates a Log File that records events and debugging information reflecting its operation.

48 40 -- Using the Motorola SSL VPN Solution with MSP Plug-In Log File When Network.WVPN.Motorola.SSL Settings Objects are applied to configure the VPN Client, information is appended to the file \Application\log.txt. This information can sometimes be useful when debugging configuration problems. CTNetworkinfo This utility can be used to query information about the configuration and status of networking on the device. This information can sometimes be helpful in tracking down complex networking issues. The following information is available: The list of active network adapters and information about each active network adapter, Information from the device network routing table. Information from the device network ARP table. Netstat information similar to that displayed by the netstat utility on a Server. Information from the device network interface table.

49

50 Motorola, Inc. One Motorola Plaza Holtsville, New York 11742, USA MOTOROLA and the Stylized M Logo and Symbol and the Symbol logo are registered in the U.S. Patent and Trademark Office. All other product or service names are the property of their registered owners. MOTOROLA, Inc E