iPhone VPN

Posted on 2009-04-26
Last Modified: 2012-05-06
My company runs SBS 2008 and we have an "all in one" Cisco 871W (router, VPN...). We use the Cisco device for our VPN needs.
A few of my employees are starting to get iPhones and of course are wanting to set up their iPhone to get their email via ActiveSync or IMAP. I'm a bit concerned about them logging onto our server in an airport or hotel via wifi.
I've seen that you can set up a VPN connection on the iPhone... Is this a practical solution to ensure a secure connection to our email server? Can the VPN connection be "always on"... at least for wifi use? It would be great if I could set this up on the iPhone so it automatically connected to the VPN without any user input. (I'm the only young guy in the office, the rest of the guys are pushing 75, so the simpler, the better.)
We use self-signed certs and I noticed that the iPhone was able to connect to our Exchange server without installing the cert... That kind of surprised and scared me...
Question by: flyinace2
    Expert Comment

    You can set up the VPN easily enough, and it will work fine with email. There is no option at present to allow the VPN to automatically connect, so they would need to manually connect to the VPN.

    However, if the only concern is about email when connecting via a wifi link, then there is the option to set up the email to connect using SSL. This will encrypt the traffic over the wifi link, which should provide sufficient security against snooping. The advantage of this is that you can set it up, and it will always be configured, without your users having to remember to connect to the VPN prior to accessing their email.



    Author Comment

    So SSL is secure even if I did not install the self-signed cert? We do not have third party certificate verification...
    I'm confused how SSL can secure the iPhone considering I did not have to do anything to make it secure. I just entered in the server address, username, password and everything worked! Unlike my Windows Mobile phone, which required the cert be installed first.

    Accepted Solution

    There are two different issues here. One is encryption, which deals with the security of the connection against eavesdropping. The second is verification, which concerns whether the server you have connected to is the one you think you have connected to.

    If you are using a self-signed certificate, you need to authorise the certificate to confirm that the server you have connected to is the one you mean to connect to. This can either be by already having a copy of the certificate, or by accepting the certificate that you are given the first time you connect.

    However, in either of these two situations, you will have an encrypted connection to the server. What I suspect happened is that when the users first connected to the mail server, an alert popped up stating that the certificate was not signed by a certificate authority, and did the user wish to continue. They clicked yes, and the iPhone then used that certificate for the encryption of the data.

    In either case, assuming you have SSL turned on, the data will be secure as far as anyone eavesdropping is concerned.


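A worked illustration of the two issues the accepted solution separates (encryption versus verification), added here as an example and not part of the thread. It stands up a throwaway in-process HTTPS server with a self-signed certificate (Go's httptest generates one; it stands in for the poster's Exchange server, not a real one) and builds client configurations for each case the answer describes: no verification at all (still encrypted), trusting an already-held copy of the certificate, and pinning the fingerprint accepted on first use. The function names are assumptions for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newSelfSignedServer starts an in-process HTTPS server using the self-signed
// certificate httptest generates (constructed stand-in for the mail server).
func newSelfSignedServer() *httptest.Server {
	h := func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }
	return httptest.NewTLSServer(http.HandlerFunc(h))
}

// dial connects with the given client config and returns the negotiated cipher
// suite; a non-nil error means the handshake or the certificate check failed.
func dial(addr string, cfg *tls.Config) (string, error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return tls.CipherSuiteName(conn.ConnectionState().CipherSuite), nil
}

// trustCopy trusts only a copy of the server's own certificate: the
// "already having a copy of the certificate" case from the answer.
func trustCopy(cert *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &tls.Config{RootCAs: pool}
}

// pinFingerprint replaces the CA check with a SHA-256 fingerprint recorded on
// first use: "accepting the certificate the first time you connect".
func pinFingerprint(fp [32]byte) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // CA validation is replaced by the pin below
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if got := sha256.Sum256(raw[0]); got != fp {
				return fmt.Errorf("certificate changed since first use")
			}
			return nil
		},
	}
}
```

Dialling with a plain `&tls.Config{}` fails because the system trust store does not know the self-signed certificate, while `&tls.Config{InsecureSkipVerify: true}` still negotiates a cipher suite (encrypted but unverified); `trustCopy` and `pinFingerprint` give an encrypted connection that is also verified, and the pin rejects any certificate other than the one first accepted.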
    Assisted Solution

    If you don't really need the VPN features, i.e. access to your internal network, then I would recommend you just stick with the normal ActiveSync using SSL. This works very well and is totally secure. It has the benefit of also being easy to set up.
    Depending on the number of phones that you are going to have connected to it, I would consider a front end mail server and / or an ISA server where the iPhone users connect to. This can help make the connection a little more robust.
