KB40360 - VPN On Demand for iOS with Pulse WorkSpace and Pulse Connect Secure

This articles provides information about the VPN On Demand (VOD) feature with iOS and configuration steps with Pulse WorkSpace and Pulse Connect Secure.

Prerequisites:

• Pulse WorkSpace with VPN Certificate Auth and VPN Safari Domains configured
• Pulse Connect Secure with certificate auth configured
• Device certificate from the PCS device must be trusted by iOS device.  If a private CA or self-signed certificate is being utilized, the root certificate / self-signed certificate must be installed on all endpoints.

The following article will highlights the important steps needed to configure VPN On Demand with Pulse WorkSpace and Pulse Connect Secure.  For detailed step-by-step instructions how to configure a L4 (Per-App VPN) or L3 tunnel, please refer to the following knowledge base articles:

• KB40328 - How to configure Per-App VPN for Pulse Mobile for iOS with Pulse Workspace and Pulse Connect Secure (PCS) device

Pulse WorkSpace Configuration:

For VOD to work properly, a client certificate must be issued to each WorkSpace endpoint and VPN Safari Domains must be configured via the policy.  These options can be found in the WorkSpace Policy under Properties > VPN.

1. Under the VPN section, locate VPN Certificate Auth and click Edit icon on the right side.  Click the radio button for True. 
    

2. Locate VPN Safari Domains and click the Edit icon on the right side. Enter the list of domain names to trigger VPN On Demand.  

3. In the upper right hand corner, click the gear icon and select VPN cert.

 

4. Under VPN Certificate, click the download cert link.

This certificate will need to be installed on the PCS device with the steps below.

Pulse Connect Secure configuration:

1. Login to PCS admin console
2. Navigate to Configuration > Certificates > Trusted Client CAs
3. Click Import CA Certificate

4. Click Browse
5. Navigate to the VPN certificate exported from Pulse WorkSpace (above)
6. Click Import Certificate
7. From the top menu bar, navigate to Authentication > Auth. Servers.

8. From the New drop-down menu, select Certificate Server.

9. Click New Server.

10. In the Name field, enter a friendly name for the auth server.
    • Default value for User name template is recommended, but may be change if common name (CN) does not met your need.

10. Click Save Changes.
11. From the top menu bar, navigate to Users > User Realms > User Realms.
12. From the list of User Realms, select the corresponding User Realm used for L3 or L4 connections.
13. Under Servers, select the certificate auth server from the authentication drop-down menu.