Understanding and using Knox VPNs
This article answers some of the basic questions you may have when trying to use VPNs with Knox.
What VPN encryption does Knox use?
Knox provides a comprehensive IPSec-based VPN solution for the most demanding enterprise requirements. It supports Triple DES (56/168-bit) and AES (128/256-bit) encryption with MD5 or SHA.
Can I configure VPN without a VPN client?
No. If you have a Knox Workspace license, download the Knox VPN Client before attempting to configure VPN.
Does the Knox VPN Framework call my service on device restart?
1. Does the Knox VPN framework call our VPN service on every device restart?
A: Yes
2. Can we expect a startConnection call from the Knox VPN framework on device restart even though we did not call the activate profile API?
A: Yes
3. When is the stopConnection called from the Knox VPN framework?
A: Some of the scenarios include:
- When admin calls deactivate profile
- When admin removes all the packages from the VPN profile
Should the VPN client be installed inside or outside the Knox container?
The VPN client can be installed inside and/or outside of the Knox container. If you have two containers created on your device, you can install the VPN client outside the Knox container so that it is available to both containers. On the other hand, if the VPN client is installed inside one container, the VPN client is not available to the other container.
How do I enable Dead Peer Detection (DPD) for VPN?
The Dead Peer Detection (DPD) feature is supported by the VPN gateway. The VPN connection is terminated automatically by DPD ACK from the gateway when no data is communicated through the VPN.
If the Mocana KeyVPN Client is being used, DPD can be set by going to Advanced Settings > Enable > Dead Peer Detection.
How do I troubleshoot VPN configuration issues?
- After pushing the Knox VPN client via Samsung SDS IAM & EMM, verify that it appears in both the personal space and the Knox container on users' devices.
- Verify that your VPN credentials are correct by manually setting up VPN in the personal space.
- Verify that you can connect to the Knox VPN gateway.
- If you can't connect to the Knox VPN gateway and:
  - you are connected to a firewall, change your access point and try again.
  - you aren't connected to a firewall, try to connect to any website using the device browser. If you can't access any of the websites, contact Samsung Knox Support.
- If the issue persists, capture log files and contact Samsung Knox Support.
Is it possible to manually configure any VPN client to chain VPNs without using VPN APIs?
On Samsung devices that support the Knox framework, it is not possible to manually configure any other third-party VPN client for Knox VPN chaining. VPN chaining on these devices requires the Knox VPN framework and the Knox VPN profile configuration APIs. These APIs require both the inner and outer VPN profiles to be set up in specific ways for dual tunneling to work.