SolutionBase: Using a Microsoft SmartPhone to Connect to a Corporate VPN

Mobile users present a special challenge to network administrators. When users are on the go, they still want access to resources on your network. Here's how you can configure a SmartPhone to VPN into your network to make everyone happy.

If you're a Microsoft SmartPhone owner or are looking into purchasing a SmartPhone, you probably know that you can use a SmartPhone to access the Internet. What you might not realize though is that once you have established an Internet connection, you can also connect to your company's VPN. In this article, I will show you how to configure your SmartPhone for VPN connectivity.

VPN Connectivity For The Original SmartPhone

Before I show you how to connect the original Microsoft SmartPhone to a VPN, I want to talk about a couple of issues that you may run into. First of all, I have heard a lot of people complain that SmartPhone VPN access is extremely slow. VPN access is slow because of the overhead involved in VPN communications.

Remember that when you communicate over a VPN, packets are encrypted so that they can be securely transmitted over the Internet. The encryption and encapsulation processes all involve a lot of overhead. This overhead means that VPN-based communications are naturally slower than other types of Internet communications. Because SmartPhones have slow Internet connections to begin with, the effects of VPN-related overhead are more obvious than they would normally be.
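To put a number on that overhead, the following added example (not part of the original article) computes the on-the-wire size of one inner IP packet carried over L2TP/IPSec with ESP in transport mode, and the time it occupies a slow link. The header sizes, the cipher choices, the 96-bit integrity value and the 40 kbit/s link rate are assumptions chosen for illustration, not values measured on a SmartPhone.

```python
# Added example: per-packet byte cost of L2TP/IPSec encapsulation.
# All sizes are in bytes and are assumptions for a typical configuration.
IPV4_HDR = 20     # outer IPv4 header, no options
UDP_HDR = 8       # L2TP travels in UDP
L2TP_HDR = 6      # assumption: minimal data header (flags, tunnel ID, session ID)
PPP_HDR = 4       # assumption: address, control, 2-byte protocol, no compression
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header
ESP_ICV = 12      # assumption: HMAC truncated to 96 bits

# cipher name -> (block size, IV size); both are CBC-mode assumptions
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}


def l2tp_ipsec_wire_size(inner_len, cipher="3des-cbc"):
    """Bytes sent on the link for one inner IP packet of inner_len bytes."""
    block, iv = CIPHERS[cipher]
    # Everything after the IV is encrypted and must fill whole cipher blocks.
    plaintext = UDP_HDR + L2TP_HDR + PPP_HDR + inner_len + ESP_TRAILER
    pad = -plaintext % block
    return IPV4_HDR + ESP_HDR + iv + plaintext + pad + ESP_ICV


def overhead(inner_len, cipher="3des-cbc"):
    """Return (extra bytes, extra bytes as a percentage of the wire size)."""
    wire = l2tp_ipsec_wire_size(inner_len, cipher)
    extra = wire - inner_len
    return extra, round(100 * extra / wire, 1)


def airtime_ms(nbytes, kbps=40):
    """Milliseconds needed to send nbytes at kbps (constructed link rate)."""
    return round(nbytes * 8 / kbps, 1)


if __name__ == "__main__":
    # Constructed inner packet sizes: a bare TCP ACK, a mid-size packet, a large one.
    for size in (40, 576, 1400):
        wire = l2tp_ipsec_wire_size(size)
        extra, pct = overhead(size)
        print(f"inner={size:5d}  wire={wire:5d}  extra={extra}  "
              f"({pct}% of wire)  {airtime_ms(size)} ms -> {airtime_ms(wire)} ms")
```

The fixed cost per packet is what hurts on a slow link: under these assumptions a 40-byte acknowledgement nearly triples in size, while a 1400-byte packet grows by about 5 percent.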

The other issue that you need to know about is that some people have reported incompatibilities between the SmartPhone and the IPSec protocol. Of course, if IPSec doesn't work, the SmartPhone will be unable to use the L2TP protocol for VPN tunneling. This particular compatibility issue seems to be mostly occurring in Europe. If you do happen to encounter this issue though, you can always use the PPTP protocol for VPN communications.

Since L2TP is the tunneling protocol of choice, let's configure our VPN connection using L2TP. To do so, click the Start button and press [8] for Settings. Next, press [9] for More, and press [2] for Data Connections. You will now see the Data Connections screen shown in Figure A.

Figure A

You can use the Data Connections screen to create a VPN connection.

At this point, click the Menu button and a pop-up menu will appear. Press [1] to Edit Connections, and then press [2] for VPN connections. Since no VPN connections actually exist, the VPN Connections screen will be almost completely blank, as shown in Figure B.

Figure B

It's normal to see a blank screen at this point in the configuration process.

Click the Menu button, and then press the [1] button to add a VPN connection. When you do, you will see the Add VPN screen, shown in Figure C.

Figure C

Use the Add VPN screen to configure the VPN connection options.

Now, you can begin configuring your VPN client. Some of the configuration options will require you to enter text or numbers. To do so, you will have to use the buttons on the phone. For example, to type the letter B, you would have to press the [2] button twice. You can use the [*] button to toggle between capital and lower case letters. The [#] button can be used to insert a space.

If you look at the scroll bar on the right-hand side of Figure C, you will notice that the VPN configuration options extend beyond the limits of the screen. You can use the cursor keys surrounding the blue button in the middle of the phone to move between configuration options and to scroll the screen as needed. If you look at Figure C, you will notice that some configuration options, such as VPN Type and Connects From, have a left and right arrow. When you see something like this, it means that you can press the left and right cursor keys to select an option.

With that said, it's time to start the configuration process. Start by entering a description of the connection that you are creating. This might be something like Office VPN. Next, you will have to select the VPN type. For the purposes of this article, we will use IPSec / L2TP. Now, enter the IP address for your VPN server. You must then set your Connects From option.

I want to take a moment and talk a little more in depth about the Connects From option, because there is a very similar option called Connects To that you will also have to set. The Connects From option allows you to specify what medium you want to use for outbound communications, while the Connects To option allows you to specify what you are connecting to.

Both of these options contain a list of items that you may choose from. The primary options are WAP, Secure WAP, Internet, and Work. Normally, in IT, WAP stands for Wireless Access Point. That isn't the case when you are talking about SmartPhones though. In the cell phone world, WAP stands for Wireless Application Protocol or Web Application Protocol (I've seen both used interchangeably). WAP is the protocol that makes it possible to interact with a Web site from a cell phone. Generally speaking, a Web site must have pages that are coded in WML format specifically for cell phones before they are WAP accessible. It is, however, possible to use a WAP proxy to translate a standard page into WML format.

I wanted to give you a quick explanation of WAP because WAP is a very important concept in cellular data communications. In most cases though, you won't use WAP for VPN access. Instead, you will usually set the Connects From option to Internet. Assuming that your company has a standard VPN configuration, you would then set the Connects To option to Work. For some reason, you use the Work option to tell the SmartPhone that you are connecting to a corporate VPN. After you have filled in the first few options, your screen should look something like what you see in Figure D.

Figure D

This screen shows the first four steps in configuring a VPN connection.

After you configure the Connects From and Connects To options, it's time to enter some user authentication credentials. Scroll down a little further and you will see prompts for a username, password, and domain. These are the authentication credentials for your Windows domain. Fill them in as shown in Figure E.

Figure E

Enter your authentication credentials for the Windows network.

The last two options that you will have to fill in are the IPSec authentication type and the pre-shared key, as shown in Figure F. When you select the IPSec authentication type, you will have two choices: a certificate or a shared key. If you choose to use a certificate, then you can leave the pre-shared key field blank, but you will have to make sure that your phone has a copy of the certificate that you are using. If you want to use a pre-shared key, then just enter it into the IPSec Pre-shared Key field. Press the Done button when you're finished.

Figure F

You must select the IPSec authentication method.

Creating A VPN Connection on a Pocket PC Phone

The procedure for creating a VPN connection is a little bit different on a Pocket PC phone than it is on a traditional SmartPhone. Begin the process by pressing the Start button and then selecting the Settings option from the Start menu. When the Settings screen appears, select the Connections tab and then click on the Connections icon.

At this point, you must click on the Add A New VPN Server Connection option. When you do, you will be taken to the initial VPN configuration screen. To begin the configuration process, enter a description for the VPN connection. Again, this might be something like "Corporate VPN". Next, enter either the IP address or the fully qualified domain name of your company's VPN server. I personally recommend using the IP address because doing so eliminates a DNS query, allowing you to establish a connection more quickly. While you are on this screen, you must also select either an IPSec / L2TP or a PPTP VPN type. If at all possible, I recommend going with the IPSec / L2TP option, as shown in Figure G.

Figure G

Enter a connection name, IP address, and VPN type.

Click Next, and you will be asked whether you would like to use a certificate that has already been uploaded to your phone, or a pre-shared key, as shown in Figure H. You can choose whichever option is appropriate for your organization, but if you select the pre-shared key option, you will have to enter the pre-shared key into the space provided.

Figure H

You must decide whether you want to use an existing certificate or a pre-shared key for VPN encryption.

The final VPN configuration screen, shown in Figure I, prompts you for your authentication credentials. This is where you would enter your username, password, and the domain that you are logging into. If you look at Figure I, you might also notice that there is an Advanced button.

Figure I

Enter your authentication credentials and click Finish.

Normally, you won't have to touch the Advanced button. This button allows you to manually enter an IP address for use with the VPN connection, along with manually assigned DNS, WINS, and gateway addresses. However, almost all VPNs use a DHCP server to assign these addresses automatically, so you shouldn't have to worry about the advanced options. Click Finish to complete the configuration process.

How Useful is the VPN Connection?

One last issue that I want to address is the usefulness of the VPN connections that I've shown you how to create. In other words, now that you have created the VPN connection, what can you do with it?

My honest opinion is that if you've got a traditional Microsoft SmartPhone, then creating a VPN connection is usually not worth the effort. Yes, you can create a VPN connection, and yes, you can use that connection to access your company's Exchange Server. However, given the phone's limited capabilities, accessing an Exchange Server is pretty much the only thing that you can use your phone's VPN connection for.

I say that setting up a VPN connection on a traditional SmartPhone is usually not worth the effort because VPN connections are inherently slow on SmartPhones. Performance-wise, you are usually much better off accessing your E-mail through Outlook Mobile Access rather than passing through a VPN connection.

On the other hand, if you have the Pocket PC phone, then having a VPN connection could prove to be very useful. Yes, there are alternate methods for accessing your company's Exchange Server, but the Pocket PC phones can use a VPN connection for more than just E-mail access. For starters, the Pocket PC phones come with a terminal services client. If your company uses terminal services, you could do just about anything from your phone that you could do from a laptop. Of course, performance will still be an issue, but it is physically possible to conduct a remote session through a Pocket PC Phone.

The Pocket PC phone also comes with a File Explorer, and a Pocket version of Microsoft Word and Excel. Although I haven't actually tried it out, I suspect that you can probably use these features to remotely view and edit files that exist on your company's file servers.

