IBM Security MaaS360

  • 1.  Certificate templates + VPN authentication

    Posted Sun July 16, 2023 09:00 PM

    I have a perimeter with built-in VPN capabilities which I would like to use instead of the MaaS360 VPN.

    One of the requirements, however, is that I want to utilise the iOS on-demand VPN where, when someone attempts specific DNS entries on their iOS device, iOS automatically connects to the VPN in the background (no user involvement required). This works flawlessly with the MaaS360 VPN. However, it does not work with the perimeter VPN iOS client because the VPN client is configured to require a username/password to authenticate.

    The perimeter VPN client supports certificate-based authentication. And I wanted to touch base with the MaaS360 community to see if anyone has had any luck using the Certificate Integration with their Cloud Extender, using those certificates to authenticate to their perimeter VPN. If so, could you provide any feedback or a step-by-step guide I could follow?

    Also, I see from the MaaS360 Certificate Integration module documentation that it supports CAs like Microsoft CA, Symantec Managed PKI, Entrust Identity Guard and Admin Services, and Verizon MCS PKI. Is there an option to implement this without purchasing another service from a third party? I am trying to avoid configuring a Microsoft CA and also don't want to purchase a PKI service.

    Thanks in advance.



    ------------------------------
    Timothy
    ------------------------------
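    The on-demand behaviour Timothy describes (a DNS lookup for specific domains silently bringing up the tunnel) is decided by the OnDemandRules in the iOS VPN payload. The following is an added Python model of that rule walk, not code from this thread or from MaaS360; the payload dictionary is constructed for the example in the shape of Apple's profile keys, and the check that flags non-certificate authentication mirrors the observation in the post that a password-prompting client cannot connect in the background.

```python
from typing import Optional

# Constructed sample in the shape of Apple's IKEv2 VPN payload keys.
# Assumption for this example: values are illustrative, not a real export.
SAMPLE_VPN_PAYLOAD = {
    "VPNType": "IKEv2",
    "IKEv2": {"AuthenticationMethod": "Certificate",
              "PayloadCertificateUUID": "EXAMPLE-DEVICE-CERT-UUID"},
    "OnDemandEnabled": 1,
    "OnDemandRules": [
        # Rule 1: on the office Wi-Fi the resources are reachable directly.
        {"Action": "Disconnect", "SSIDMatch": ["corp-office"]},
        # Rule 2: elsewhere, only lookups for these domains raise the tunnel.
        {"Action": "EvaluateConnection",
         "ActionParameters": [
             {"Domains": ["intranet.example.com", "git.example.com"],
              "DomainAction": "ConnectIfNeeded"},
             {"Domains": ["example.com"], "DomainAction": "NeverConnect"},
         ]},
    ],
}

def _domain_matches(host: str, pattern: str) -> bool:
    """True if host equals pattern or is a subdomain of it (suffix match)."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)

def on_demand_action(payload: dict, host: str, ssid: Optional[str] = None) -> str:
    """Walk OnDemandRules in order; the first rule whose match keys hold decides.
    Returns the DomainAction for a lookup of `host`, or the rule's own Action
    when it is not EvaluateConnection. "Ignore" leaves tunnel state unchanged."""
    if not payload.get("OnDemandEnabled"):
        return "Ignore"
    for rule in payload.get("OnDemandRules", []):
        if "SSIDMatch" in rule and ssid not in rule["SSIDMatch"]:
            continue  # match criterion not satisfied; try the next rule
        if rule["Action"] != "EvaluateConnection":
            return rule["Action"]
        for params in rule.get("ActionParameters", []):
            if any(_domain_matches(host, d) for d in params["Domains"]):
                return params["DomainAction"]
        return "Ignore"  # EvaluateConnection matched but no domain list hit
    return "Ignore"

def on_demand_problems(payload: dict) -> list:
    """Flag settings that defeat silent (no user interaction) connects."""
    problems, ike = [], payload.get("IKEv2", {})
    if payload.get("OnDemandEnabled"):
        if ike.get("AuthenticationMethod") != "Certificate":
            problems.append("OnDemand without certificate auth: expect prompts")
        if not ike.get("PayloadCertificateUUID"):
            problems.append("no PayloadCertificateUUID for the client identity")
    return problems
```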


  • 2.  RE: Certificate templates + VPN authentication

    Posted Mon July 17, 2023 08:12 AM

    Hi Timothy

    The use of certificates can complement the use of usernames and passwords for additional security. In the IBM network we use MaaS360 enrolled devices to download a certificate which authorises the device to access the internal network so for example when in office you don't need to make a VPN connection. 

    The certificates have to come from a Certificate Authority, which is the software responsible for creating them. If you have Microsoft Active Directory on premise, then NDES and PKI are a part of the product.

    Configuration of authentication settings such as username and password and/or certificate can be set in the device policy. 

    When you are using certificates you can use a generic certificate, meaning it is not specific to the device or user. In this case you retrieve a standard / generic certificate from the PKI CA and use this to authenticate all devices. However, if you perform Cloud Extender integration for PKI, you can retrieve custom certificates which are either user-based or device-based and thus are specific and can be revoked for specific users or devices.

    Hope this helps. 



    ------------------------------
    Eamonn O'Mahony
    Technical Client Success Manager
    IBM Security
    Dublin, Ireland
    ------------------------------



  • 3.  RE: Certificate templates + VPN authentication

    Posted Tue July 18, 2023 09:23 AM

    Hi Eamonn,

    Excellent. Thank you.

    Configuring the Cloud Extender Certificate Integration using CAs like Microsoft, Verizon, Symantec (etc.) seems well documented in the IBM Support documents. However, I have not been able to find any documentation for the "Generic" option.

    Is there a downside to using the "Generic" option? And is it possible to use a Let's Encrypt certificate as the CA for the Generic option? My goal is to use Let's Encrypt as the CA, and to have the MaaS360 Certificate Integration issue certificates to mobile devices that uniquely identify users so that the perimeter VPN knows who's connecting/authenticating.

    My apologies if the "Generic" option means I cannot issue this sort of certificate. Admittedly certificate-based authentication is new to me, and I'm struggling to understand how to use the "Generic" option since the documentation for the MaaS360 Cloud Extender Certificate Integration seems to be heavily pointing users towards using CAs like Microsoft or Entrust.



    ------------------------------
    Timothy
    ------------------------------



  • 4.  RE: Certificate templates + VPN authentication

    Posted Tue July 18, 2023 10:52 AM

    Hi Timothy

    The problem we have is that when you refer to 'generic' integrations and then use a specific product to perform your requirements, the code tends to be proprietary and can force us to need an integration which requires development and testing from our Development / Engineering team.

    The set of products currently supported are described on this page: https://www.ibm.com/docs/en/maas360?topic=module-cloud-extender-certificate-integration-configuration

    If you want to propose for us to take on another product and support that, you can request a new feature on our Ideas page: https://ideas.ibm.com

    Best



    ------------------------------
    Eamonn O'Mahony
    Technical Client Success Manager
    IBM Security
    Dublin, Ireland
    ------------------------------



  • 5.  RE: Certificate templates + VPN authentication

    Posted Wed July 19, 2023 10:51 PM

    Hi Eamonn,

    Forgive me, but I am referring to the "Generic" option in the Certificate Integration wizard on the MaaS360 Cloud Extender:

    I'm not seeing any documentation that discusses how to use this option. Can you shed some light on what functionality this is meant to offer?



    ------------------------------
    Timothy
    ------------------------------



  • 6.  RE: Certificate templates + VPN authentication

    Posted Thu July 20, 2023 04:34 AM

    Hi Tim 

    Apologies I hadn't understood this. 

    There are 2 possibilities based on the product you are using: 

    a) If the product you are using uses generic-only commands and no custom code, it is more probable that the integration will work successfully.

    b) If the product uses custom code developed by the software company, there is a higher probability of the integration not working.

    You will only know this by testing. If it does not work, and given that the product will be a non-generic response to a generic solution, it is most appropriate that you raise a new feature request to support this product through https://Ideas.IBM.com

    Best



    ------------------------------
    Eamonn O'Mahony
    Technical Client Success Manager
    IBM Security
    Dublin, Ireland
    ------------------------------



  • 7.  RE: Certificate templates + VPN authentication

    Posted Thu July 20, 2023 08:08 PM

    Yikes. I do not understand this response at all. Anyone else with comments?



    ------------------------------
    Timothy
    ------------------------------



  • 8.  RE: Certificate templates + VPN authentication

    Posted Fri July 21, 2023 04:29 AM

    Hi Timothy

    To clarify: even if you use the Generic option, it may not work. 

    It depends on whether the company providing the PKI option has used custom commands, which means they have used their own software code on top of the generic commands, which our Cloud Extender may or may not be able to interpret.

    Please attempt configuration using the Generic option and, if it does not work, please contact our Support team.

    Best



    ------------------------------
    Eamonn O'Mahony
    Technical Client Success Manager
    IBM Security
    Dublin, Ireland
    ------------------------------