Virtual private networking
June 25, 2014
A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. A VPN enables users to send data between devices and a server across a shared or public network in a manner that emulates the properties of a point-to-point private link.
The Windows Phone 8.1 VPN client operates on a wide range of enterprise routers, network and security appliances, cloud data centers and mobile networks and leverages technology built on a converged platform between Windows and Windows Phone providing a consistent developer experience across device form factors running Windows and enabling a shared management interface through a converged configuration profile. After their device is provisioned, Windows Phone 8.1 users will experience an auto-triggered VPN connection while Trusted Network Detection is utilized to ensure users are only connected through VPN when required.
VPN on Windows Phone 8.1 supports two VPN tunneling protocols:
IPSec (IKEv2) gateway:
IKEv2 allows the phone to tolerate interruptions in the underlying VPN connection. If the connection is temporarily lost, or if a user moves from one network to another, IKEv2 will automatically restore the VPN connection after the network connection is reestablished. For more information on IKEv2, please refer to:
Secure Sockets Layer (SSL)-VPN gateway:
On Windows Phone 8.1, SSL-VPN methods are only supported using proprietary vendor plug-ins. These would need to be installed on the phone in order to connect to third-party VPN servers using SSL-VPN. For SSL-VPN, the user connects to the device using a web browser. The traffic between the web browser and the device is encrypted with the SSL protocol or its successor, the Transport Layer Security (TLS) protocol. For more information on SSL and TLS, see:
Multiple VPN profiles can be configured and they can be manually created locally on the phone or pushed by mobile device management (MDM). While a user can create their own profiles, those that are created by MDM are read-only and can’t be modified. Windows Phone 8.1 VPN utilizes IKEv2 for Internet Protocol security (IPSec) connections. IKEv2 can be used for connectivity to Windows Server for VPN as well as an interoperability protocol to connect to other VPN infrastructures.
Windows Phone 8.1 VPN capabilities include:
Always on (forced tunnel)
Manual connection (user taps on the profile to toggle the connection On/Off)
Automatic connection (the VPN connection is turned on automatically based on certain conditions)
Single sign-on (SSO) (if a connection uses a provisioned certificate or cached domain credentials it can allow the connection to immediately authenticate on activation)
Auto-reconnect (if connectivity is intermittent, this capability is useful because the connection can be reconnected without any user interaction)
VPN connections will timeout when idle after 30 seconds
Split Tunnel capabilities
With a split tunnel connection, normal traffic flows over available cellular or Wi-Fi connectivity, while enterprise traffic can be routed through a VPN. Windows Phone 8.1 provides two split tunnel options for VPN connections:
With a network-based connection, a VPN profile can include target IP ranges and DNS (namespace) lists. For each there are allowed and excluded lists so a wide range of blacklisting and whitelisting of network destinations for VPN access can be configured. Some examples of this type of profile include:
Opening a URL that is an intranet web site and automatically builds a VPN connection, authenticates the user, and brings up the web page.
Binding a network address like an Exchange Server mailbox server address (such as mail.mobile.contoso.com) to a VPN connection so Exchange ActiveSync connectivity can be based on a VPN-only connection. This enables Exchange access to be entirely intranet based for Windows Phones and would eliminate to the need to externally publish Exchange ActiveSync over port 443.
With an application-based connection, a VPN connection can be bound to a specific application. So a line-of-business (LOB) app or a Windows Phone Store app can start a VPN IPsec connection anytime it’s launched. This is done by leveraging an application’s Product ID, which is a GUID/unique identifier. Some examples of this type of profile include:
Binding a connection to the Lync application, and routing its Voice over Internet Protocol (VOIP) connectivity over VPN.
Binding the Outlook (in-box) app to a VPN that would route any email profile through that VPN connection.
For a list of Product IDs of in-box applications (Outlook, Internet Explorer, Messaging, and so on), see: http://msdn.microsoft.com/en-us/library/dn602089.aspx
Binding to Internet Explorer so any of its traffic would go through a VPN connection.
Follow the steps in the Configure IKEv2-based Remote Access article to configure IKEv2-based remote access for Windows Phone 8.1