iPhone VPN

Posted on 2009-04-26
Medium Priority
Last Modified: 2012-05-06
My company runs SBS 2008 and we have an "all in one" Cisco 871W (router, VPN...). We use the Cisco device for our VPN needs.
A few of my employees are starting to get iPhones and of course are wanting to set up their iPhone to get their email via ActiveSync or IMAP. I'm a bit concerned about them logging onto our server in an airport or hotel via wifi.
I've seen that you can set up a VPN connection on the iPhone... Is this a practical solution to ensure a secure connection to our email server? Can the VPN connection be "always on" ...At least for wifi use? It would be great if I could set this up on the iPhone so it automatically connected to the VPN without any user input. (I'm the only young guy in the office, the rest of the guys are pushing 75 so the simpler, the better.)
We use self-signed certs and I noticed that the iPhone was able to connect to our Exchange server without installing the cert...That kind of surprised and scared me...
Question by: flyinace2
LVL 12

Expert Comment

ID: 24239161
You can set up the VPN easily enough, and it will work fine with email. There is no option at present to allow the VPN to automatically connect, so they would need to manually connect to the VPN.

However, if the only concern is about email when connecting via a wifi link, then there is the option to set up the email to connect using SSL. This will encrypt the traffic over the wifi link, which should provide sufficient security against snooping. The advantage of this is that you can set it up, and it will always be configured, without your users having to remember to connect to the VPN prior to accessing their email.



Author Comment

ID: 24243425
So SSL is secure even if I did not install the self-signed cert? We do not have third party certificate verification...
I'm confused how SSL can secure the iPhone considering I did not have to do anything to make it secure. I just entered in the server address, username, password and everything worked! Unlike my Windows Mobile phone, which required the cert be installed first.
LVL 12

Accepted Solution

dalesit earned 1600 total points
ID: 24246700
There are two different issues here. One is encryption, which deals with the security of the connection against eavesdropping. The second is verification, which concerns whether the server you have connected to is the one you think you have connected to.

If you are using a self-signed certificate, you need to authorise the certificate to confirm that the server you have connected to is the one you mean to connect to. This can either be by already having a copy of the certificate, or by accepting the certificate that you are given the first time you connect.

However, in either of these two situations, you will have an encrypted connection to the server. What I suspect happened is that when the users first connected to the mail server, an alert popped up stating that the certificate was not signed by a certificate authority, and did the user wish to continue. They clicked yes, and the iPhone then used that certificate for the encryption of the data.

In either case, assuming you have SSL turned on, the data will be secure as far as anyone eavesdropping is concerned.
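
The encryption-versus-verification split described in the accepted answer, as an added example that is not part of the original thread or of any product named in it. It implements "accept on first connect" (trust-on-first-use pinning) for a self-signed mail server: the first certificate seen for a host is recorded by its SHA-256 fingerprint, later connections must present the same certificate, and a different one is refused even though the TLS session would still be encrypted. The certificate bytes in the demo are constructed placeholders; in real use they come from `ssl.SSLSocket.getpeercert(binary_form=True)`. The `client_context` helper shows the other route the answer mentions, installing the self-signed certificate so it is trusted directly; the file path it takes is assumed, not from the page.

```python
"""Trust-on-first-use pinning for a self-signed mail server certificate.

Added illustration, not code from the original thread. Assumes the client can
obtain the server's DER-encoded certificate (what getpeercert(binary_form=True)
returns). The certificate bytes used in the demo are constructed placeholders.
"""
import hashlib
import ssl
from typing import Dict, Optional


class PinMismatch(Exception):
    """The server presented a certificate that differs from the pinned one."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated hex as OpenSSL prints it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(store: Dict[str, str], host: str, der_cert: bytes,
              first_use_ok: bool = True) -> str:
    """Verify the certificate presented for `host` against the pin store.

    No entry yet: with first_use_ok, record the fingerprint (the "click yes the
    first time" behaviour the answer describes); otherwise refuse.
    Entry present and equal: return 'pinned'.
    Entry present and different: raise PinMismatch. The link would still be
    encrypted, but the peer is unverified, so it must not be used.
    """
    fp = fingerprint(der_cert)
    pinned = store.get(host)
    if pinned is None:
        if not first_use_ok:
            raise PinMismatch(f"{host}: no pin on record and first-use trust is disabled")
        store[host] = fp
        return "first-use"
    if pinned != fp:
        raise PinMismatch(f"{host}: expected {pinned}, got {fp}")
    return "pinned"


def client_context(self_signed_pem: Optional[str] = None) -> ssl.SSLContext:
    """Build a client TLS context that always verifies the peer.

    Given a path to the server's own self-signed certificate (PEM, assumed
    path), trust only that certificate, the equivalent of installing it on
    the phone. Without one, use the system trust store. Hostname checking and
    CERT_REQUIRED stay on in both cases; no "continue anyway" option exists.
    """
    ctx = ssl.create_default_context()
    if self_signed_pem is not None:
        ctx.load_verify_locations(cafile=self_signed_pem)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    store: Dict[str, str] = {}
    host = "mail.example.internal"  # constructed hostname
    # Constructed placeholder bytes standing in for DER certificates.
    first_cert = b"-- constructed DER certificate for mail.example.internal --"
    other_cert = b"-- constructed DER certificate from some other server --"
    print(check_pin(store, host, first_cert))  # first-use: recorded
    print(check_pin(store, host, first_cert))  # pinned: same certificate again
    try:
        check_pin(store, host, other_cert)
    except PinMismatch as exc:
        print("refused:", exc)
```

The point the answer makes is visible in `check_pin`: the first-use path provides no assurance about who the server is, only that later connections reach the same peer, and a mismatch must be a hard failure rather than a prompt the user can click through. Distributing the certificate to the phones up front and using `client_context` with it removes the first-use gap entirely.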


LVL 17

Assisted Solution

JohnGerhardt earned 400 total points
ID: 24262426
If you don't really need the VPN features, i.e. access to your internal network, then I would recommend you just stick with the normal ActiveSync using SSL. This works very well and is totally secure. It has the benefit of also being easy to set up.
Depending on the number of phones that you are going to have connected to it, I would consider a front end mail server and / or an ISA server where the iPhone users connect to. This can help make the connection a little more robust.
