Operation Manual

ManualsBrandsApple ManualsOtheriOS Implementierung

Chapter 4 Infrastructure and integration 39

VPN On Demand is congured using the OnDemandRules key in a VPN payload of a

conguration prole. Rules are applied in two stages:

•

Network Detection Stage: Denes VPN requirements that are applied when the device’s

primary network connection changes.

•

Connection Evaluation Stage: Denes VPN requirements for connection requests to domain

names on an as-needed basis.

For example, rules can be used to:

•

Recognize when an Apple device is connected to an internal network and VPN isn’t necessary

•

Recognize when an unknown Wi-Fi network is being used and require VPN for all network

activity

•

Require VPN when a DNS request for a specied domain name fails

Stages

VPN On Demand connects to your network in two stages.

Network detection stage

VPN On Demand rules are evaluated when the device’s primary network interface changes—

such as when an Apple device changes to a dierent Wi-Fi network, or switches to cellular on

iOS or Ethernet on OS X from Wi-Fi. If the primary interface is a virtual interface, such as a VPN

interface, VPN On Demand rules are ignored.

The matching rules in each set (dictionary) must all match in order for their associated action to

be taken If any one of the rules doesn’t match, evaluation falls through to the next dictionary in

the array, until the OnDemandRules array is exhausted.

The last dictionary should dene a “default” conguration—that is, it should have no matching

rules, only an action. This will catch all connections that haven’t matched the preceding rules.

Connection evaluation stage

VPN can be triggered as needed, based on connection requests to certain domains, rather than

unilaterally disconnecting or connecting VPN based on the network interface.

Rules and actions

Rules help dene the type of networks associated with VPN On Demand. Actions help dene

what happens when matching rules are found to be true.

On Demand matching rules

Specify one or more of the following matching rules for Cisco IPSec clients:

•

InterfaceTypeMatch: Optional. A string value of “cellular (for iOS) or Ethernet (for OS X)” or “Wi-

Fi.” If specied, this rule matches when the primary interface hardware is of the type specied.

•

SSIDMatch: Optional. An array of SSIDs to match against the current network. If the network

isn’t a Wi-Fi network or if its SSID does not appear in the list, the match fails. Omit this key and

its array to ignore SSID.

•

DNSDomainMatch: Optional. An array of search domains as strings. If the congured DNS

search domain of the current primary network is included in the array, this property matches.

Wildcard prex (*) is supported; e.g., *.example.com would match anything.example.com.

•

DNSServerAddressMatch: Optional. An array of DNS servers addresses as strings. If all of the

DNS server addresses currently congured for the primary interface are in the array, this

property will match. The wildcard character (*) is supported; for example, 1.2.3.* would match

any DNS servers with a 1.2.3. prex.

100% resize factor