VPN
Samsung Knox supports select Virtual Private Network (VPN) solutions. This section describes how to implement the Knox VPN client on a device.
VPN on Knox
See the Knox White Paper for a comprehensive overview of VPN integration on Knox.
The supported VPN types and features are described below.
- Per-app VPN: The admin can set a policy to make sure that the traffic from a single app, or a set of apps, is routed through VPN.
- User-wide VPN: The admin can set a policy to make sure that the traffic from the entire user is routed through VPN.
- Device-wide VPN: The admin can set a policy to make sure that the traffic from the entire device is routed through VPN. To set this policy, the admin must be the owner of all non-main users (Knox users), and the VPN client must be installed in either user 0 or the main user.
- On-demand connections: The admin can set a policy to start/stop the VPN connection only when the apps added to the VPN profile are launched/closed. The policy is applicable to only per-app use-cases.
- Chaining VPN servers: The admin can set a policy to doubly encrypt the data traffic from apps added to the VPN profile. The admin needs two different VPN clients that support the Knox VPN framework. The policy is applicable to per-app, per-user, or device-wide use cases. Both VPN clients must be installed in the same user space. Note – Chaining is currently not supported by Android VPN management for Knox.
The traffic flow is structured as follows: apps generate traffic, which is handled by VPN client 1, then by VPN client 2, then by the device's physical network interface (Wi-Fi/Mobile), then by VPN server 2, then by VPN server 1 before reaching the traffic destination.
- Embedded UID/PIDs: The admin can set a policy to embed the end-point details, such as UID and PID, in IPv4 data packets. Cisco AnyConnect is the only VPN client that currently supports this feature. The policy is applicable to per-app, per-user, or device-wide use cases.
- Static HTTP proxy: This policy is applicable to per-app, per-user, or device-wide use cases. Three authentication modes are supported:
  - No authentication proxy: The admin can set a policy to route HTTP/HTTPS traffic through a proxy server located behind the VPN server before it reaches the actual destination. The proxy server configured by the admin during profile creation has no authentication.
  - Basic authentication proxy, credentials provided by admin: The admin can set a policy to route HTTP/HTTPS traffic through a proxy server located behind the VPN server before it reaches the actual destination. The proxy server configured by the admin during profile creation uses basic authentication, and the admin supplies the credentials during profile configuration.
  - Basic authentication proxy, credentials provided by end-user: The admin can set a policy to route HTTP/HTTPS traffic through a proxy server located behind the VPN server before it reaches the actual destination. The proxy server configured by the admin during profile creation uses basic authentication, and the end-user supplies the credentials when the system shows a pop-up.
- PAC HTTP proxy support: This policy is applicable to per-app, per-user, or device-wide use cases. Three authentication modes are supported:
  - No authentication: The admin can set a policy to route HTTP/HTTPS traffic through a proxy server located behind the VPN server before it reaches the actual destination. The proxy server is selected based on the original destination of the traffic, as specified by the script at the PAC URL. The selected proxy server has no authentication.
  - Basic/NTLM authentication, credentials provided by admin: The admin can set a policy to route HTTP/HTTPS traffic through a proxy server located behind the VPN server before it reaches the actual destination. The proxy server is selected based on the original destination of the traffic, as specified by the script at the PAC URL. The framework supports proxy servers that authenticate through basic or NTLM authentication, and the admin supplies the credentials during profile configuration.
  - Basic/NTLM authentication, credentials provided by end-user: The admin can set a policy to route HTTP/HTTPS traffic through a proxy server located behind the VPN server before it reaches the actual destination. The proxy server is selected based on the original destination of the traffic, as specified by the script at the PAC URL. The framework supports proxy servers that authenticate through basic or NTLM authentication, and the end-user supplies the credentials when the system shows a pop-up.
- Traffic blocking: When the VPN is down, the Knox VPN framework blocks both DNS and data traffic originating from the apps added to the VPN profile. When the VPN is up and the VPN interface supports only IPv4, IPv6 data traffic originating from those apps is blocked, and vice versa.
- Android Settings-based VPN configuration: Basic VPN configuration through the Settings menu can support Knox VPN features such as on-demand, per-app, device-wide, user-wide, static and PAC Proxy connections.
- IPv4 and IPv6 formats: The Knox VPN framework supports both IPv4 and IPv6 tunnels.
  - A static proxy server can be specified as an IPv6 address, or as a domain name that resolves to an IPv6 address, as long as the VPN interface supports the IPv6 address format.
  - A PAC URL can be specified with an IPv6 address, or with a domain name that resolves to an IPv6 address, as long as the VPN interface supports the IPv6 address format.
  - A proxy server named in the PAC script can be specified as an IPv6 address, or as a domain name that resolves to an IPv6 address, as long as the VPN interface supports the IPv6 address format.
- Multiple VPN tunnels: Multiple VPN clients can be active at the same time in the same user space. The Knox VPN framework supports VPN clients which support multiple VPN tunnels.
VPN profile with an MDM
Typically you will create VPN profiles in your MDM and mass-deploy them to your devices. In the example below, we set up an L2TP/IPsec PSK tunnel in our Knox Manage MDM console. Once you have pushed a profile to a device, it appears under Settings > Connections > More Connections > VPN.
You can also enable many useful features, such as routing only a single app through the VPN, as shown below. Here we have turned on the VPN for the S browser only.
For added security, we have also turned on Always-on VPN and required authentication before the VPN can be used.
VPN profile on device
You can also create a VPN configuration on the device itself through the Settings menu. This method may not be suitable for mass deployment.
Such a tunnel is set up through the normal VPN user interface by selecting the options appropriate for the type of connection. The example below shows how to set up a standard VPN tunnel.
- On the device, go to Settings > Connections > More Connections > VPN > Add VPN.
- Enter a name for this VPN connection.
- Select the VPN type. The available types depend on the Android VPN client preloaded onto the device.
- Enter the IP address of the VPN server.
- Configure the VPN settings so that they match or are compatible with the VPN server settings.
Workspace VPN (container wide)
See the Knox Workspace VPN topic for more details on setting up a container wide VPN.