Using a virtual private network

The first diagram in this topic shows a network topology that uses a Virtual Private Network (VPN) server as the secure access point from mobile devices to a standalone IBM Traveler server on the company intranet.


The second diagram shows the same network topology with a high availability (HA) pool of IBM Traveler servers. In this case, the function of spraying or load balancing the device requests across the pool is provided by a separate server in the trusted domain.


This solution allows for the most flexibility in terms of which applications can be connected from mobile devices and which protocols they are allowed to use. When you use a secure VPN tunnel between the mobile device and the company intranet, any application that is running on the device can connect to any company server just as if the device were inside the company network. For example, you can use the device browser to open pages on an internal website, or use instant messaging on the device that connects to internal messaging servers.

You might want to consider running the mobile device client connection with the HTTP protocol rather than the HTTPS protocol when you are using a VPN. The VPN typically provides a secure data channel, so there is some performance gain in using HTTP rather than HTTPS, because the mobile device and the IBM Traveler server do not need to encrypt data that the tunnel already encrypts. However, the VPN tunnel ends at the VPN connection point, so this leaves the connection unencrypted between the VPN connection point and the IBM Traveler server.

The type of VPN server that must be installed depends on the mobile device. Most mobile devices support some form of the IPSec or PPTP protocol, so a network VPN appliance can serve them. IBM® Mobile Connect provides mobile clients that support Android devices. It also offers a secure HTTP access solution for devices such as the Apple iPhone. For more information about the capabilities of IBM® Mobile Connect, see the IBM® Mobile Connect page, which includes a link to the IBM® Mobile Connect documentation.

For Apple iOS devices, a VPN connection must be manually started by the device user. This connection may disconnect after it is started and will not restart automatically. Therefore, using a VPN connection as the primary method for connecting Mail, Calendar and Contacts applications on iOS devices to the IBM Traveler server is not recommended. You should consider an SSL connection directly to the IBM® Traveler server or an intermediate proxy.
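The trade-off described above (HTTP inside a VPN leaves the gateway-to-server segment in cleartext, and a user-started iOS VPN can drop) can be turned into a simple review check over device connection profiles. The following is an added example, not code from the IBM Traveler product or its documentation; the `Profile` fields, the `HOPS` segments and the sample profiles are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    """Constructed device profile (not a Traveler artifact): how the client reaches the server."""
    name: str
    scheme: str  # 'http' or 'https' in the Traveler client's server URL
    vpn: str     # 'none', 'always-on' (appliance or Mobile Connect client) or 'manual' (iOS user-started)

# The two segments a request crosses in the VPN topology; only the first is inside the tunnel.
HOPS = ("device -> vpn gateway", "vpn gateway -> traveler server")

def unprotected_hops(profile, vpn_connected=True):
    """Return the hops on which Traveler traffic travels in cleartext."""
    if profile.scheme not in ("http", "https") or profile.vpn not in ("none", "always-on", "manual"):
        raise ValueError(f"bad profile: {profile}")
    if profile.scheme == "https":
        return []  # TLS between client and Traveler covers every hop, tunnel or not
    tunnelled = profile.vpn != "none" and vpn_connected
    return [h for h in HOPS if not (tunnelled and h == HOPS[0])]

def findings(profile):
    """Review a profile against the guidance in this topic; an empty list means no concern."""
    out = []
    for hop in unprotected_hops(profile):
        out.append(f"cleartext on '{hop}' while the VPN is up")
    if profile.vpn == "manual":
        # A user-started iOS VPN may drop and does not restart on its own.
        for hop in unprotected_hops(profile, vpn_connected=False):
            if hop == HOPS[0]:
                out.append(f"cleartext on '{hop}' after the manual VPN drops")
        out.append("push may not flow over a user-started VPN; prefer direct TLS or a proxy")
    return out

# Constructed sample profiles covering the three deployment shapes discussed in this topic.
PROFILES = [
    Profile("android-mobile-connect", "http", "always-on"),
    Profile("ios-manual-vpn", "http", "manual"),
    Profile("ios-direct-tls", "https", "none"),
]

if __name__ == "__main__":
    for p in PROFILES:
        print(p.name, findings(p) or ["ok"])
```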

In addition, pushed messages may not flow over an Apple VPN connection. As a result, it is suggested that you not use a VPN solution if you intend to push messages.