iPhone VPN

My company runs SBS 2008 and we have an "all in one" Cisco 871W (router, VPN...). We use the Cisco device for our VPN needs.
A few of my employees are starting to get iPhones and of course are wanting to set up their iPhone to get their email via ActiveSync or IMAP. I'm a bit concerned about them logging onto our server in an airport or hotel via wifi.
I've seen that you can set up a VPN connection on the iPhone... Is this a practical solution to ensure a secure connection to our email server? Can the VPN connection be "always on" ...At least for wifi use? It would be great if I could set this up on the iPhone so it automatically connected to the VPN without any user input. (I'm the only young guy in the office, the rest of the guys are pushing 75 so the simpler, the better.)
We use self-signed certs and I noticed that the iPhone was able to connect to our Exchange server without installing the cert...That kind of surprised and scared me...
There are two different issues here. One is encryption, which deals with the security of the connection against eavesdropping. The second is verification, which concerns whether the server you have connected to is the one you think you have connected to.

If you are using a self-signed certificate, you need to authorise the certificate to confirm that the server you have connected to is the one you mean to connect to. This can either be by already having a copy of the certificate, or by accepting the certificate that you are given the first time you connect.

However, in either of these two situations, you will have an encrypted connection to the server. What I suspect happened is that when the users first connected to the mail server, an alert popped up stating that the certificate was not signed by a certificate authority, and did the user wish to continue. They clicked yes, and the iPhone then used that certificate for the encryption of the data.

In either case, assuming you have SSL turned on, the data will be secure as far as anyone eavesdropping is concerned.


You can set up the VPN easily enough, and it will work fine with email. There is no option at present to allow the VPN to automatically connect, so they would need to manually connect to the VPN.

However, if the only concern is about email when connecting via a wifi link, then there is the option to set up the email to connect using SSL. This will encrypt the traffic over the wifi link which should provide sufficient security against snooping. The advantage of this is that you can set it up, and it will always be configured, without your users having to remember to connect to the VPN prior to accessing their email.
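The difference between encryption and verification described in the answer above can be shown with a trust-on-first-use fingerprint check. This is an added example, not part of the original answers; the host name `mail.example.test`, the function names and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fetch_der_cert(host, port=443, timeout=5.0):
    """Return the server's leaf certificate (DER) without validating it.

    The TLS session is still encrypted; what is skipped is verification.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(pins, host, der_cert):
    """Trust-on-first-use check against a dict of host -> SHA-256 pin.

    Returns "first-use" when the host is new (pin recorded, nothing verified),
    "match" when the certificate equals the pinned one, "MISMATCH" otherwise.
    """
    seen = fingerprint(der_cert)
    pinned = pins.get(host)
    if pinned is None:
        pins[host] = seen               # equivalent to tapping "continue"
        return "first-use"
    return "match" if hmac.compare_digest(pinned, seen) else "MISMATCH"


# Constructed stand-ins for DER certificates (not real certificates).
GENUINE = b"constructed-der-bytes-for-mail-server"
IMPOSTOR = b"constructed-der-bytes-for-other-server"

if __name__ == "__main__":
    pins = {}
    for cert in (GENUINE, GENUINE, IMPOSTOR):
        print(check_pin(pins, "mail.example.test", cert))
```

Pre-loading `pins` with the fingerprint of the real certificate corresponds to installing the certificate on the device beforehand, so that even the first connection is verified rather than accepted on trust.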


flyinace2 (Author) Commented:
So SSL is secure even if I did not install the self-signed cert? We do not have third party certificate verification...
I'm confused how SSL can secure the iPhone considering I did not have to do anything to make it secure. I just entered in the server address, username, password and everything worked! Unlike my Windows Mobile phone which required the cert be installed first.
If you don't really need the VPN features, i.e. access to your internal network, then I would recommend you just stick with the normal ActiveSync using SSL. This works very well and is totally secure. It has the benefit of also being easy to set up.
Depending on the number of phones that you are going to have connected to it, I would consider a front end mail server and / or an ISA server where the iPhone users connect to. This can help make the connection a little more robust.
Question has a verified solution.
