Configuring gateway settings for Cloud Extender
Configure gateway authentication, WebDAV, and intranet proxy settings for Cloud Extender®.
Procedure
- Open the Enterprise Gateway section in the Cloud Extender
Configuration Tool, click
Edit, and go to Step 3.
- In the Configure Session Details section, enter the amount and choose either minutes, hours, or days from the drop-down menu. The gateway interval is configured to reauthenticate users that connect to the gateway. The values are 5 minutes to 90 days. For example, enter an authentication frequency of 1440 minutes and then configure the setting in the IBM® MaaS360® Portal to cache user credentials in the MaaS360 app.
- If certain intranet websites that use Basic or Digest access authentication are integrated with corporate credentials for authentication, select Re-use user's credentials for intranet resources that require Basic or Digest authentication on Step 5. Enable this option under the following circumstances.
  - If an internal site challenges for Basic or Digest access authentication, the gateway shares the user credentials that are received during gateway authentication with the site, and seamlessly logs the user on to the site.
  - If authentication fails, the challenge for credentials is sent back to the user on the MaaS360 app. When the user provides credentials, a new authentication is attempted. However, a failed authentication attempt occurs for the user before the user can authenticate.

  If you disable this option, all Basic or Digest access authentication challenges are propagated back to the user to enter manually.
- From the Untrusted Certificate Handling list, choose one of the following options.

  | Option | Description |
  | --- | --- |
  | Reject All | Configures the gateway to reject all untrusted certificates. The user cannot access a website with an untrusted certificate. |
  | Accept All | Configures the gateway to accept all untrusted certificates. The user cannot prevent access to a website with an untrusted certificate. |
  | Prompt User | The user decides whether to access a website with an untrusted certificate. If you select the Prompt User option and the user accesses a website from the MaaS360 Mobile Browser through Mobile Enterprise Gateway (MEG) that uses an invalid SSL certificate, the user receives a prompt on how the browser handles the exception. The user can either accept the exception and continue to the website or the user can reject the exception and cancel navigation to the website. |

  Notes:
  - Self-signed, expired, and valid certificates from an unknown or non-verified CA, or an invalid hostname can cause untrusted certificate exceptions.
  - If the user accepts the prompt for an untrusted certificate exception, the MaaS360 Mobile Browser remembers the selection for that website. The next time that the user accesses that website, the site does not display the untrusted certificate exception prompt again. The user must clear their browser cache to display the untrusted certificate prompt again.
  - If a user accepts the untrusted certificate exception, the untrusted root certificates are not automatically installed or remediated on the Mobile Enterprise Gateway (MEG) server. The administrator must manually add the server SSL certificates to the Trusted Root CA store on the Mobile Enterprise Gateway (MEG) server.

  The new Cloud Extender Configuration Tool utility to test the validity of SSL certificates in the Mobile Enterprise Gateway (MEG) truststore can be found at Testing the validity of SSL certificates in the Mobile Enterprise Gateway (MEG) trust store.
- On Step 1, check Windows File Shares and CMIS sources area to enable access to network file shares. Use the Cloud Extender Configuration Tool utility to check whether the Mobile Enterprise Gateway (MEG) can connect to a WebDAV file share or folder on the network.
- To configure proxy settings, select Advanced on Step 6. Under the Internal Proxy Settings area, configure proxy settings for the proxy server that you use to access the internet. The Cloud Extender uses these settings to contact IBM MaaS360 backend services for overall configuration and management.
  - Choose a routing method. If your intranet sites are not directly accessible from the gateway without going through a proxy, or if you must proxy all traffic through a corporate content filtering platform, then select Route all resource requests through a Proxy server. This proxy setting is used for intranet resources only.
  - Select one of the following proxy settings for your environment.
    - Manual Proxy: Enter the hostname (IP) and port of the proxy server.
    - Proxy PAC URL: The URL to the PAC file hosted in your environment.
    - Auto Proxy: The PAC file is typically hosted in your DHCP or DNS server as a Web Proxy Auto-Discovery Protocol (WPAD) file.
  - If your proxy requires authentication, select the Use Proxy Authentication checkbox. The credentials of the user who is accessing the resource are used to authenticate against the proxy server. All users can authenticate against this proxy server.

  This proxy setting is used for outbound connections from the cloud only. You can configure Mobile Enterprise Gateway (MEG) to use the connection method that is sent by the browser to connect to the proxy. To configure the Mobile Enterprise Gateway (MEG) to use these different connection options, add and then edit the following settings in the MobileGateway.properties file that is located in the C:\ProgramData\MaaS360\Cloud Extender\logs\ folder:

  | Setting | Description |
  | --- | --- |
  | meg.in.proxy.use_head_for_non_ssl=true | If this property is set to true, Mobile Enterprise Gateway (MEG) uses the HTTP HEAD method, instead of the HTTP CONNECT method, to connect to the proxy for non-SSL sites. |
  | meg.in.proxy.alt_connect_method_for_non_ssl=HEAD | Mobile Enterprise Gateway (MEG) uses the HTTP HEAD command to connect to the proxy for non-SSL sites. |
  | meg.in.proxy.alt_connect_method_for_non_ssl=GET | Mobile Enterprise Gateway (MEG) uses the HTTP GET command to connect to the proxy for non-SSL sites. |
  | meg.in.proxy.disable_non_ssl_tunnel=true | This property overrides all properties and does not send a probing request to open a tunnel. The same connection method that arrives at the gateway from the device is used to connect to the proxy. |

  Note: Add these properties to the MobileGateway.properties file. These properties are not currently included in that file. Restart the Mobile Enterprise Gateway (MEG) service for changes to the properties file to take effect.
- Click Test to validate your settings. After confirmation, click OK and save your changes. The gateway makes API calls against the IBM MaaS360 backend and gateway provisioning service, and then completes the gateway registration process.
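
Because the meg.in.proxy.* properties described in the proxy step are typed into MobileGateway.properties by hand, a misspelled key or a conflicting pair is easy to miss before the service restart. The following linter is an added example, not IBM code. It assumes plain key=value lines, treats `false` as a valid boolean value, and reports a conflict instead of picking a winner when `use_head_for_non_ssl=true` is combined with `alt_connect_method_for_non_ssl=GET`, because the page does not state which takes precedence.

```python
PREFIX = "meg.in.proxy."
KNOWN = {  # names and values from the page; "false" is an assumed value
    PREFIX + "use_head_for_non_ssl": {"true", "false"},
    PREFIX + "alt_connect_method_for_non_ssl": {"HEAD", "GET"},
    PREFIX + "disable_non_ssl_tunnel": {"true", "false"},
}

# Constructed sample, not a real file; the last key is misspelled on purpose.
SAMPLE = """\
meg.in.proxy.use_head_for_non_ssl=true
meg.in.proxy.alt_connect_method_for_non_ssl=GET
meg.in.proxy.disable_non_ssl_tunel=true
"""


def parse_properties(text):
    """Parse key=value lines; '#' and '!' start comments, the last duplicate wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def lint_proxy_settings(text):
    """Return (effective connect behaviour for non-SSL sites, findings)."""
    props, findings = parse_properties(text), []
    for key, value in props.items():
        if key.startswith(PREFIX) and key not in KNOWN:
            findings.append(f"unknown property (typo?): {key}")
        elif key in KNOWN and value not in KNOWN[key]:
            findings.append(f"unexpected value for {key}: {value!r}")
    use_head = props.get(PREFIX + "use_head_for_non_ssl") == "true"
    alt = props.get(PREFIX + "alt_connect_method_for_non_ssl")
    if props.get(PREFIX + "disable_non_ssl_tunnel") == "true":
        if use_head or alt:
            findings.append("disable_non_ssl_tunnel=true overrides the other properties")
        return "DEVICE_METHOD", findings  # no probing request is sent
    if use_head and alt == "GET":
        findings.append("use_head_for_non_ssl=true conflicts with alt method GET")
        return "AMBIGUOUS", findings  # the page does not say which one wins
    if alt in ("HEAD", "GET"):
        return alt, findings
    return ("HEAD" if use_head else "CONNECT"), findings  # CONNECT is the default


if __name__ == "__main__":
    print(lint_proxy_settings(SAMPLE))
```

In the constructed sample the misspelled `disable_non_ssl_tunel` key is reported as unknown and therefore does not override the two conflicting properties above it.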