How to Set Up VPN Redirection?


In this guide, we are going to learn how to configure VPN Redirection. 

MDM integration has 2 types of behaviors:

  • Conditional Registration - Limiting registration only to managed devices by the MDM vendor.
  • Conditional Access -  Consistent validation that the device is managed and did not become out of compliance.

Regarding Conditional Access SphereShield can function according to the following approaches:

  • WiFi - Registration can only be done from a WiFi network that requires a certificate in order to connect. The certificate is managed by the MDM.
  • SkypeShield Application - Registration can be performed only by using a specific SkypeShield (SkS) app that is available only from the corporate store/catalog to managed devices.
  • VPN Redirection - Registration can only be done from a device that is configured to work with Split Tunnel VPN managed by the MDM.

VPN redirection is a feature that validates the user's access to the VPN before letting them sign in. 

You can set it up in the following ways:

  1. Once per device, when registering it.
  2. Every time a user wants to sign in.

How does VPN redirection work?

After the device performs Skype autodiscovery, it is redirected to a unique hostname that should trigger the split tunnel VPN.
That host sends the traffic to the DMZ Bastion server via an internal IP address. That way the LAC filter can tell whether the traffic came through the VPN.


How to set up VPN redirection?

IP Filtering Page

1. Navigate to the 'IP Filtering' page in the Access Portal

2. Set traffic to 'SfB Mobile'

You can set up 'Access Level'  in the following 2 ways:

  1. All - the IP range is allowed for all types of connections
  2. First Sign In - the IP range is allowed only for first-time login/registration

Enter the beginning and the end of the IP range.

3. Click save
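To make the 'Access Level' semantics concrete, here is an added example (written for this page, not SphereShield's own code) that models the decision the IP filter has to make: the VPN-facing hostname lands traffic on the Bastion from an internal address, and that address is matched against configured ranges, each tagged 'All' or 'First Sign In'. The range values and the two rules are constructed for illustration; the real product stores them in the Access Portal.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable

ACCESS_ALL = "All"
ACCESS_FIRST_SIGN_IN = "First Sign In"


@dataclass(frozen=True)
class IpRule:
    """One row of the IP Filtering page: an inclusive range plus its access level."""
    start: str
    end: str
    access_level: str

    def __post_init__(self) -> None:
        lo = ipaddress.ip_address(self.start)
        hi = ipaddress.ip_address(self.end)
        if lo.version != hi.version:
            raise ValueError("range start and end must be the same IP version")
        if int(lo) > int(hi):
            raise ValueError("range start must not be greater than range end")
        if self.access_level not in (ACCESS_ALL, ACCESS_FIRST_SIGN_IN):
            raise ValueError(f"unknown access level: {self.access_level!r}")

    def contains(self, source_ip: str) -> bool:
        """True if source_ip falls inside [start, end], comparing as integers."""
        addr = ipaddress.ip_address(source_ip)
        lo = ipaddress.ip_address(self.start)
        if addr.version != lo.version:
            return False
        return int(lo) <= int(addr) <= int(ipaddress.ip_address(self.end))


def is_allowed(rules: Iterable[IpRule], source_ip: str, first_sign_in: bool) -> bool:
    """Decide whether a request from source_ip may proceed.

    'All' ranges admit every connection; 'First Sign In' ranges admit only the
    initial registration. Anything outside every configured range is denied.
    """
    for rule in rules:
        if not rule.contains(source_ip):
            continue
        if rule.access_level == ACCESS_ALL:
            return True
        if rule.access_level == ACCESS_FIRST_SIGN_IN and first_sign_in:
            return True
    return False


# Constructed sample configuration (hypothetical addresses):
#  - the internal address range the split tunnel VPN presents to the Bastion,
#    accepted only for registration
#  - an office range that is accepted for every sign-in
SAMPLE_RULES = (
    IpRule("10.50.0.1", "10.50.0.254", ACCESS_FIRST_SIGN_IN),
    IpRule("192.168.10.1", "192.168.10.254", ACCESS_ALL),
)


def demo() -> dict:
    """Run the sample decisions; returns them so they can be checked programmatically."""
    return {
        "vpn_registration": is_allowed(SAMPLE_RULES, "10.50.0.20", first_sign_in=True),
        "vpn_later_signin": is_allowed(SAMPLE_RULES, "10.50.0.20", first_sign_in=False),
        "office_any": is_allowed(SAMPLE_RULES, "192.168.10.5", first_sign_in=False),
        "internet_registration": is_allowed(SAMPLE_RULES, "203.0.113.7", first_sign_in=True),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'allowed' if decision else 'denied'}")
```

The important property to check after configuring the product is the second and fourth cases: a 'First Sign In' range must not admit ordinary sign-ins, and an address that reached the Bastion without passing through the VPN hostname must be denied even at registration time.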

Registration Page

1. Navigate to the 'Registration' page in the Access Portal

2. Set 'Require registration via VPN' to YES.

3. Add the appropriate values to the following attributes:
  • Front End pool FQDN - your Skype for Business Front End pool.
  • VPN Host name for Bastion - the hostname that the user is directed to after autodiscovery. This hostname should be configured for the Split Tunnel VPN. It should also appear in the Bastion.xml configuration file.


4. Restart the Bastion service