SSL VPN and iPhone OS 4.0


L4 Transporter

I was looking at the new specs for the 4.0 code of the iPhone OS, and saw that they were opening up the SSL VPN function to Juniper and Cisco.

Any chance Palo Alto is working on a NetConnect app for the iPhone?

http://www.apple.com/iphone/business/preview-iphone-os/


L5 Sessionator

This is being investigated for the future.

Any more news on some sort of iphone version of netconnect for OS 4.0?

We have a number of mobile users who used to take out Laptops on the road - and now want to take out ipads - and from what I have read - there is no way to connect an ipad / iphone to a PA Firewall due to the fact that there is no PPTP support, and that the iOS only supports Cisco IPSEC.

So either an iphone app would really help me get ipad users / boss off my case!

I guess if there was PPTP - that would solve everything, and would also enable us to allow other mobile devices such as Android devices....

Cheers,


Jeff

Hi Jeff,

iPhone OS 4.0 support is not planned in the near term (meaning not in the next 6 months).  It is something that we'll be looking at and will eventually do, but timing of future functionality is generally not disclosed publicly.  Until then, I think your only solution if you have to support this is to deploy a stand-alone box for terminating iPad/iPhone connections (a low capacity platform can be less than $1000).  Sorry we can't solve this for you today...

Thanks,

Lee

Thanks for the reply Lee.

I think the real disappointment for us is that the top management here know that there is a large price premium for Palo Alto Networks products, and with that price premium, of course they expect 'the works'. Management talk to other management - and the 'Oh you can't VPN with your mobile device - why not?' comes up - only for yours truly to then get a memo the next day, enquiring why our premium PA based solution can't do what a free open source product can.

Of course I am quick to come back with a big list of stuff the PA solution does so much better than anything else - but if people can't work remotely - it sort of doesn't really matter does it?

With more remote workers, more mobile workers using mobile OS as mobile OS's are becoming more and more functional - I think that PA have dropped the ball on this one quite frankly.

I now have to set up a PPTP VPN concentrator - one for each department / security zone, when we were hoping with our PA solution we would be removing Firewall / VPN hardware from our rack - not adding it!

Not moaning - just sort of confused as to why PA don't think Mobile VPN is important in an increasingly mobile age..

Completely baffled!


Jeff

You are not alone.  Most Companies are waiting for a secured way of accessing the Corp Net.  Apple decided to stay old school by using PPTP and only Cisco IPSEC.

F5 Firepass - Nope

Juniper SA  - Beta Testing

Fortinet Fortigate - via PPTP, the App only supports web portal

Cisco ASA - via IPSEC and soon SSL VPN

Citrix SSL VPN - App supports Citrix XenApp.

Microsoft - via PPTP

Checkpoint - R71 (Mobile Blade) / Early Release

OpenVPN - JailBreak version only

Nortel Contivity - PPTP

NetMotion - Nope

Hmm... I promise I'm not being pedantic - but after a quick look....

F5 Firepass

http://www.f5.com/products/firepass/

"FirePass provides robust, secure SSL VPN remote access to business applications from a wide range of client devices, including Apple iPhone and Windows Mobile devices."

Juniper SA

http://www.itp.net/581782-juniper-makes-vpns-a-snap-on-the-iphone

"Juniper Networks has announced the release of its Junos Pulse app, which provides secure remote mobile access to corporate resources on an iPhone or iPod Touch. The app is now available to download via the Apple iTunes App Store."

Fortinet Fortigate

As you say - has PPTP at least (that's something eh?)

Someone on the apple forums claims to have IPSEC working...

http://discussions.apple.com/thread.jspa?threadID=1637208&tstart=-1

At least the other people in your list have either beta or some sort of solution (PPTP) - beta product out etc.

I'm telling you this is a big deal - more and more users are now ditching their laptops for ipads!!

Jeff

Why isn't L2TP an option? I understand PPTP is deprecated, but it'd be nice to be able to use the built-in VPN client in Windows and iOS devices without having to install a client.

Not applicable

We have a lot of iphone and ipad devices in my company too and need to secure access SSL-VPN with PA.

I was wondering, if developing a client is so difficult, what about a portal like Check Point already does with mobile connect?

If your remote users really just need email, calendar, and address book access, this can be securely provided to iPhone users by allowing ActiveSync to the OWA server through the Palo Alto Networks firewall.  Full L3 VPN functionality is not needed for this.  This method actually provides a better user experience since it is native to the iPhone OS and uses less processing and battery resources.  It is effectively "always on" and works great.

There are some unique ways in which the Palo Alto Networks firewall can secure ActiveSync traffic.

  • App-ID to make sure only legitimate SSL traffic is hitting the ActiveSync port
  • SSL decryption to identify the application within the SSL traffic
  • App-ID again to make sure only ActiveSync traffic is hitting the server within the SSL session
  • Content-ID to identify and block vulnerabilities to the ActiveSync server

Remote users should only require a full L3 VPN tunnel if they need to access Intranet sites, telnet/ssh/ftp to internal resources, etc.

Cheers,

Kelly

Yep, I know that; we have already enabled ActiveSync for mail.

But as a big company we have a lot of needs such as CRM, telnet, SQL support from remote users, and lastly telnet and SSH. Most of them by the IT department, of course. And I can’t imagine configuring a switch from an iPhone, but from my iPad I'd love to.

Just an update....

The following enterprise firewall vendors now have SSL VPN Solutions on the app store:

Checkpoint Mobile - Checkpoint

FortiMobile - Fortinet

Junos Pulse - Juniper

In addition - Cisco have 'Cisco Anyconnect' which I don't think is SSL VPN - but it's an application which makes VPN'ing from iphones easier than the standard iphone IPSEC support.

All the above apps are provided FREE - these four guys are the main competitors to PA we come up against again and again.

We are trying to sell PA firewalls, we do very well showing geeks the GUI - and what they can manage when at work. This always goes down extremely well. However, the inability of being able to manage any network infrastructure via iphone / ipad is a massive turn off - invariably when they need to get to the unit, they are not at work as it's an emergency etc.

Not much point having a great GUI - if you can't get to it when you are out and about.

It's very hard selling something to a CIO when his geeks are negative about it...

I really, really hope PA get this addressed soon as it's become a major barrier to sales now - the 'no plans' message is the real killer, because it offers the potential customer no hope at all.....

Jeff

The need for SSL VPN support for Android, Windows 7 and Apple iOS 4 is exploding.  6 months ago we began to transition away from Nortel Contivity to NetConnect.  Now there is a push to move from laptops to Pads or Tablet devices and vendors like Citrix are supporting any device with Virtual Applications and Desktops, but they still need a way into the corporate network.  Knowing when or if support for these devices is in the development plan would be helpful.  Saying "not possible yet" has been my standard answer, but soon we may need to start evaluating other remote access solutions.

Hi George,

Current status is that we are investigating a solution for this.  Earliest possible availability is 2nd half of this year, but there are still some open questions on the timing.  If you can hold off for another 4-6 weeks, we should have a better status update for you then.

Thanks,

Lee

I am very interested in this as well.  We just got two 2050's in and are starting the process of migrating from Check Point.  Discussions with Palo Alto while we were investigating the product led us to believe that these platforms were supported.  Obviously that's not the case.  Anyway, a solution for the iOS and Android platforms would be greatly appreciated...
