This article describes how to implement VPN on Demand for the iPhone/iPad.
Prerequisites for configuring VPN on Demand on an iPhone/iPad:
- From the App Store, download Apple Configurator on a Mac OS X device.
- Certificate authentication MUST be configured on the Pulse Secure gateway. Client certificates need to be issued for each user and installed on their device (refer to step 7 for installation instructions).
- The device certificate MUST be trusted by the iOS device. If the device certificate is signed by a private CA, the root certificate should be pushed via the profile.
Configure VPN on Demand on an iPhone/iPad
Note: Apple does not support the Always option for VPN On Demand in iOS7 and above. For more information, refer to: http://support.apple.com/kb/TS4550.
1. After installation, open Apple Configurator using Spotlight or Finder.
2. From the top menu, click Prepare.
3. From the Prepare window, click Install Profiles.
4. Follow the given prompts. It will ask to attach the mobile device to the Mac via USB cable.
5. After attaching the device, click Next.
6. Click New.
7. From the left pane, click Certificates.
8. Click Configure.
9. From the Finder window, select the client certificate issued for the end user’s device. This should be a P12 or PFX file.
10. In the Certificate Name field, enter a friendly name for the client certificate.
11. In the Password field, enter the password associated with the client certificate (set during its creation or export).
Note: If the device certificate installed on the Pulse Secure gateway is issued by a private CA, click the (+) icon and browse to the root certificate. The root certificate must be installed with the profile for VPN On Demand to work properly. If the device certificate is issued by a public CA, the root certificate does not need to be installed with the profile.
12. From the left pane, click VPN.
13. For Connection Name, enter a friendly name for the connection.
14. For Connection Type, select Custom SSL. Note: For Pulse 5.0 and below, select Juniper SSL.
15. Under Identifier, enter net.pulsesecure.PulseSecure.vpnplugin.
16. In the Server field, enter the fully qualified domain name or IP address of the Pulse Secure gateway.
Note: Ensure the Server name matches the common name of the device certificate installed on the Pulse Secure gateway.
17. In the Account field, enter the username for the end user.
18. In the Realm field, enter the realm name for authenticating the connection.
19. In the Role field, enter the role name for authenticating the connection.
20. For the User Authentication field, select Certificate.
21. For the Credential field, select the friendly name associated with the client certificate imported in step 9.
22. Select the Enable VPN On Demand checkbox.
23. Click the (+) icon.
24. Under Match Domain or Host, enter the hostname that triggers VPN On Demand.
25. Under On Demand Action, select the action to take when VPN On Demand is triggered.
26. Click Save.
27. Click Next.
28. Follow the prompts on the iOS device to install the profile.
29. Once the installation is complete, test that VPN On Demand is working via Safari.
The available VPN on Demand setting options for “iOS6 and below” and “iOS7 and above” are listed below.
VPN on Demand setting options for iOS6 and below:
Always: Start a VPN connection each time the specific domain matches.
Never: Do not start a VPN connection each time the specific domain matches.
Establish if needed: Start a VPN connection ONLY after a DNS failure occurs.
Note: See the Apple Developer Guide for all possible VPN On Demand parameters.
VPN on Demand setting options for iOS7 and above:
Note: In iOS7, Always is automatically converted to Establish if needed.
To configure VPN On Demand to trigger the VPN for an internal URL that is also externally resolvable, the mobile configuration must be manually modified (as shown in A, B, and C below) to add the OnDemandRules parameters. (Currently, these parameters are not supported by the existing iPhone configuration utility and must be added by hand.)
A. Obtain a copy of the mobile configuration.
B. Open the mobile configuration file via Notepad.
C. Under VPN > OnDemandEnabled key, add the following lines:
<key>OnDemandRules</key>
<array>
    <dict>
        <key>Action</key>
        <string>EvaluateConnection</string>
        <key>ActionParameters</key>
        <array>
            <dict>
                <key>Domains</key>
                <array>
                    <!-- Enter the domain names that trigger VPN On Demand. If multiple domain names exist, add a new string value for each domain name, as in the second line. -->
                    <string>*.pulsesecure.net</string>
                    <string>*.pulsesecure1.net</string>
                </array>
                <key>DomainAction</key>
                <string>ConnectIfNeeded</string>
                <key>RequiredDNSServers</key>
                <array>
                    <!-- Enter your internal DNS server IP address. -->
                    <string>XXX.XX.XX.XXXX</string>
                </array>
            </dict>
        </array>
    </dict>
</array>
RequiredDNSServers causes a VPN connection to be established when the listed DNS server is not reachable. For external users this behaves like the Always option (except when the device can reach the internal DNS server on the internal LAN).
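The same OnDemandRules block can be written into a profile with Python's standard plistlib instead of hand-editing the XML, which rules out the unclosed tags and stray comments that make a profile fail to install. This is an added example, not code from the article or from Pulse Secure; it assumes an unsigned XML .mobileconfig whose VPN payload has PayloadType com.apple.vpn.managed, and the sample profile, vpn.example.com and 10.0.0.53 are constructed placeholders.

```python
import plistlib

# Constructed minimal profile: one VPN payload, OnDemandEnabled set, no rules yet.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "UserDefinedName": "Pulse Secure VPN",
        "VPN": {"RemoteAddress": "vpn.example.com",  # placeholder gateway FQDN
                "OnDemandEnabled": 1},
    }],
})

def build_rules(domains, dns_servers):
    """The OnDemandRules array from the article: EvaluateConnection / ConnectIfNeeded."""
    return [{
        "Action": "EvaluateConnection",
        "ActionParameters": [{
            "Domains": list(domains),
            "DomainAction": "ConnectIfNeeded",
            "RequiredDNSServers": list(dns_servers),
        }],
    }]

def add_on_demand_rules(profile_bytes, domains, dns_servers):
    """Write the rules into every VPN payload and return the new plist bytes."""
    profile = plistlib.loads(profile_bytes)
    patched = 0
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        vpn = payload.setdefault("VPN", {})
        vpn["OnDemandEnabled"] = 1  # iOS ignores OnDemandRules unless this is set
        vpn["OnDemandRules"] = build_rules(domains, dns_servers)
        patched += 1
    if patched == 0:
        raise ValueError("profile contains no VPN payload")
    return plistlib.dumps(profile)  # plistlib emits well-formed, escaped XML

def read_rules(profile_bytes):
    """Parse a profile back and return (action, domain_action, domains, dns_servers)."""
    profile = plistlib.loads(profile_bytes)
    vpn = next(p for p in profile["PayloadContent"]
               if p.get("PayloadType") == "com.apple.vpn.managed")["VPN"]
    rule = vpn["OnDemandRules"][0]
    params = rule["ActionParameters"][0]
    return rule["Action"], params["DomainAction"], params["Domains"], params["RequiredDNSServers"]
```

Run add_on_demand_rules on the exported profile bytes, write the result back to the .mobileconfig, and re-install it as in steps 27 and 28.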
For further information about what values can be configured for VPN on demand, refer to the VPN payload section in the Apple developer’s guide.
If further assistance is needed, please provide the Junos Pulse logs and the iOS device console log.
- For Pulse Secure mobile logs, open the Pulse Secure mobile app. Click Status > Send Logs.