SSL VPN and iPhone OS 4.0

L4 Transporter


I was looking at the new specs for the 4.0 code of the iPhone OS, and saw that they were opening up the SSL VPN function to Juniper and Cisco.

Any chance Palo Alto is working on a NetConnect app for the iPhone?

http://www.apple.com/iphone/business/preview-iphone-os/

L5 Sessionator

This is being investigated for the future.

Not applicable

Any more news on some sort of iPhone version of NetConnect for OS 4.0?

We have a number of mobile users who used to take out laptops on the road - and now want to take out iPads - and from what I have read - there is no way to connect an iPad / iPhone to a PA Firewall due to the fact that there is no PPTP support, and that the iOS only supports Cisco IPSEC.

So an iPhone app would really help me get iPad users / boss off my case!

I guess if there was PPTP - that would solve everything, and would also enable us to allow other mobile devices such as Android devices....

Cheers,


Jeff

L3 Networker

Hi Jeff,

iPhone OS 4.0 support is not planned in the near term (meaning not in the next 6 months).  It is something that we'll be looking at and will eventually do, but timing of future functionality is generally not disclosed publicly.  Until then, I think your only solution if you have to support this is to deploy a stand-alone box for terminating iPad/iPhone connections (a low capacity platform can be less than $1000).  Sorry we can't solve this for you today...

Thanks,

Lee

Not applicable

Thanks for the reply Lee.

I think the real disappointment for us is that the top management here know that there is a large price premium for Palo Alto Networks products, and with that price premium, of course they expect 'the works'. Management talk to other management - and the 'Oh you can't VPN with your mobile device - why not?' comes up - only for yours truly to then get a memo the next day, enquiring why our premium PA based solution can't do what a free open source product can.

Of course I am quick to come back with a big list of stuff the PA solution does so much better than anything else - but if people can't work remotely - it sort of doesn't really matter does it?

With more remote workers, more mobile workers using mobile OS as mobile OS's are becoming more and more functional - I think that PA have dropped the ball on this one quite frankly.

I now have to set up a PPTP VPN concentrator - one for each department / security zone, when we were hoping with our PA solution we would be removing Firewall / VPN hardware from our rack - not adding it!

Not moaning - just sort of confused as to why PA don't think Mobile VPN is important in an increasingly mobile age..

Completely baffled!


Jeff

L1 Bithead

You are not alone.  Most Companies are waiting for a secured way of accessing the Corp Net.  Apple decided to stay old school by using PPTP and only Cisco IPSEC.

F5 Firepass - Nope

Juniper SA  - Beta Testing

Fortinet Fortigate - via PPTP, the App only supports web portal

Cisco ASA - via IPSEC and soon SSL VPN

Citrix SSL VPN - App supports Citrix XenApp.

Microsoft - via PPTP

Checkpoint - R71 (Mobile Blade) / Early Release

OpenVPN - JailBreak version only

Nortel Contivity - PPTP

NetMotion - Nope

Not applicable

Hmm... I promise I'm not being pedantic - but after a quick look....

F5 Firepass

http://www.f5.com/products/firepass/

"FirePass provides robust, secure SSL VPN remote access to business applications from a wide range of client devices, including Apple iPhone and Windows Mobile devices."

Juniper SA

http://www.itp.net/581782-juniper-makes-vpns-a-snap-on-the-iphone

"Juniper Networks has announced the release of its Junos Pulse app, which provides secure remote mobile access to corporate resources on an iPhone or iPod Touch. The app is now available to download via the Apple iTunes App Store."

Fortinet Fortigate

As you say - has PPTP at least (that's something eh?)

Someone on the Apple forums claims to have IPSEC working...

http://discussions.apple.com/thread.jspa?threadID=1637208&tstart=-1

At least the other people in your list have either beta or some sort of solution (PPTP) - beta product out etc.

I'm telling you this is a big deal - more and more users are now ditching their laptops for iPads!!

Jeff

Not applicable

Why isn't L2TP an option? I understand PPTP is deprecated, but it'd be nice to be able to use the built-in VPN client in Windows and iOS devices without having to install a client.

Not applicable

We have a lot of iPhone and iPad devices in my company too and need to secure access SSL-VPN with PA.

I was wondering, if developing a client is so difficult, what about a portal like Check Point already does with Mobile Connect?

L4 Transporter

If your remote users really just need email, calendar, and address book access, this can be securely provided to iPhone users by allowing ActiveSync to the OWA server through the Palo Alto Networks firewall.  Full L3 VPN functionality is not needed for this.  This method actually provides a better user experience since it is native to the iPhone OS and uses less processing and battery resources.  It is effectively "always on" and works great.

There are some unique ways in which the Palo Alto Networks firewall can secure ActiveSync traffic.

  • App-ID to make sure only legitimate SSL traffic is hitting the ActiveSync port
  • SSL decryption to identify the application within the SSL traffic
  • App-ID again to make sure only ActiveSync traffic is hitting the server within the SSL session
  • Content-ID to identify and block vulnerabilities to the ActiveSync server

Remote users should only require a full L3 VPN tunnel if they need to access Intranet sites, telnet/ssh/ftp to internal resources, etc.

Cheers,

Kelly
