Creating and configuring VPN profiles
Wi-Fi® enabled BlackBerry® devices have built-in VPN clients that support several types of VPN concentrators.
To create a VPN profile, you configure the VPN configuration settings (for example, the IP address of the VPN concentrator, user names and passwords, and cryptographic methods that the BlackBerry® Enterprise Server uses) on a BlackBerry device or using a VPN profile or IT policy. If a user account has a VPN profile, you can associate the VPN profile with the Wi-Fi profile for the user account.
Depending on your organization's security policy, you can save a user name and password to a BlackBerry device to prevent the BlackBerry device from prompting the user for the login information the first time (or each time) the BlackBerry device connects to the enterprise Wi-Fi network.
Prerequisites: Creating Wi-Fi profiles and VPN profiles
- Verify that the access points comply with the IEEE® 802.11a™ standard, IEEE® 802.11b™ standard, or IEEE® 802.11g™ standard.
- Verify the number of connections for each access point to make sure that the access points can manage additional traffic.
- Verify that users can roam between access points.
- Refer to the documentation for the access points to complete a site survey and assign channels.
- If your organization does not use a switched enterprise Wi-Fi network and your organization has multiple subnets, configure the subnets to cover the same physical area. The configuration can affect how users send or receive calls.
- Assign an SSID to each access point or each group of access points that share an SSID.
- If users can roam between the access points, configure all of the relevant SSID profiles on each access point.
- If your organization uses NAT traversal, verify that the access points support NAT traversal.
- Configure authentication using a supported authentication method. For example, if your organization uses layer 2 access security, verify that your organization uses one of the supported layer 2 security methods.
- Configure encryption using a supported encryption method.
- If your organization’s environment requires a VPN concentrator, configure a VPN concentrator for VPN access security using IPsec VPN. See the administrator for your organization’s firewall or VPN concentrator to determine the appropriate configuration settings.
- If your organization uses a proxy firewall, configure the proxy server so that it is transparent to users.
- Verify that the IP addresses for the BlackBerry® Domain that are relevant to your organization’s environment are permitted addresses.
- Verify that the Wi-Fi network can connect to the BlackBerry Router.
- Verify that you add the IP address of the BlackBerry Router to the DNS server.
- Configure the ports for the Wi-Fi network.
- If necessary, configure your organization’s enterprise Wi-Fi network to access the DHCP server.
- If you do not use static IP addresses, use the DNS lookup tool on a Wi-Fi enabled BlackBerry device to verify that the BlackBerry device can access the DHCP server.
- Use the DNS lookup tool on a Wi-Fi enabled BlackBerry device to verify that the BlackBerry device can access one or more DNS servers.
- Configure the AAA server to support the Wi-Fi authentication method that your organization uses.
- Permit all access points to use the AAA server.
- If you configure service-specific access security, create a captive portal login.
- Create authentication credentials for the user accounts.
- If your organization uses EAP-TLS, EAP-TTLS, or PEAP authentication methods, permit the BlackBerry® Enterprise Server to access the PKI infrastructure and certificates.
- Add the MAC addresses of every BlackBerry device that you permit to access a specific enterprise Wi-Fi network (an allowed list) or prevent from accessing a specific enterprise Wi-Fi network (a restricted list) to the controller for each access point.
Create a VPN profile
- In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy > Wi-Fi configuration.
- Click Create VPN profile.
- In the Name field, type a name for the VPN profile.
- Click Save.
Create a VPN profile based on an existing VPN profile
- In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy > Wi-Fi configuration.
- Click Manage VPN profiles.
- Click the name of the VPN profile that you want to copy.
- Click Copy profile.
- Type a name for the new VPN profile.
- Click Save.
Configure a VPN profile
- In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy > Wi-Fi configuration.
- Click Manage VPN profiles.
- Click the name of the VPN profile.
- Click Edit profile.
- On the VPN profile settings tab, change the values for the configuration settings.
- Click Save All.
- For information about VPN configuration settings, see the BlackBerry Enterprise Server Policy Reference Guide.
- To update BlackBerry device information immediately, resend the IT policy to the BlackBerry device.
Associate a VPN profile with a Wi-Fi profile
To permit a BlackBerry® device to connect to a Wi-Fi® network using a VPN session, you must associate a VPN profile with a Wi-Fi profile that you assigned to the user account.
- In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Policy > Wi-Fi configuration.
- Click Manage Wi-Fi profiles.
- Click the name of the Wi-Fi profile.
- Click Edit profile.
- On the Wi-Fi profile settings tab, in the Wi-Fi associations section, in the Associated VPN Profile drop-down list, click the VPN profile that you want to associate with the Wi-Fi profile.
- Click Save All.
Assign a VPN profile to a user account
- In the BlackBerry® Administration Service, expand User.
- Click Manage users.
- Search for a user account.
- Click the display name for the user account.
- Click Edit user.
- On the VPN profiles tab, in the VPN profile name section, in the drop-down list, click the appropriate VPN profile.
- If required, in the VPN user specific settings section, specify the login information that you want to associate with the VPN profile.
- Click the Add icon.
- Click Save All.
When you assign a VPN profile to a user account, the BlackBerry Administration Service creates a job to deliver the resulting object to the BlackBerry device.
Assign a VPN profile to a group
- In the BlackBerry® Administration Service, on the BlackBerry solution management menu, expand Group.
- Click Manage groups.
- In the Manage groups section, click the group that you want to assign a VPN profile to.
- On the VPN profiles tab, click Edit group.
- In the Available VPN profiles list, click the profile that you want to assign to the group and click Add. Repeat for any additional profiles that you want to assign to the group.
- Click Save.
When you assign a VPN profile to a group that has at least one user account assigned to it, the BlackBerry Administration Service creates jobs to deliver the resulting objects to BlackBerry devices.