Configuring access to the Secure Browser
Configure access in the IBM® MaaS360® Portal to the IBM MaaS360 Secure Browser, where your users access intranet sites through the Mobile Enterprise Gateway (MEG).
About this task
Configure WorkPlace Persona policies in the IBM MaaS360 Portal to set up Secure Browser access to intranet sites.
Procedure
- From the IBM MaaS360 Portal, open the WorkPlace Persona policy.
- Select MaaS360 Gateway Settings, and configure the following policy settings.

| Option | Description |
| --- | --- |
| Allow caching of Corporate Credentials in the App | Enable this setting to save the user credentials of the Secure Browser app in the encrypted database, under the overall security protection of the container. The browser reauthenticates against the gateway with these credentials and does not prompt the user to reenter credentials each time. Users are prompted for credentials only when their password changes and the browser fails to authenticate against the gateway. |
| Identity Certificate | Select the Identity Certificate Template (from your Cloud Extender® Certificate Integration setup). This identity certificate is used by the gateway to authenticate against upstream intranet sites that challenge for identity certificate credentials for authentication. |
| Enable Corporate Network Detection to skip use of Enterprise Gateway | Enable this setting to allow browser traffic for intranet sites to skip the gateway route when the specified corporate network server is resolved by the browser. |
| Configure Corporate Network Detection | Enabling this setting stops sites that use identity certificate-based authentication from working. Site authentication fails because the gateway is what presents the identity certificate to intranet sites that challenge for it, and on the corporate network the gateway route is bypassed. |
- Select Browser, and then select MaaS360 Enterprise Gateway to configure the following settings.

| Option | Description |
| --- | --- |
| Default Enterprise Gateway | Select one of the gateways or gateway clusters that you set up. The name of the gateway is displayed automatically in the list. If you do not configure regional gateways, all devices that are associated with this policy communicate with the default gateway. |
| Configure Regional Gateways | Enable this setting to route devices to regional gateways or gateway clusters based on the location of the device. Specifies the country and the regional gateway that the devices in that country communicate with. The location (country) of the device is determined by the time zone setting on the device and the GPS location of the device. Use this setting to manage one Persona policy for all devices, but still maintain awareness of the location of all devices around the globe. |
| Access List for Intranet Resources | Specifies the domains or IP addresses for intranet sites that are allowed by devices that connect to the gateway. This setting allows wildcards for domains such as *.companydomain.com (regular expressions). Restrict this access list to intranet sites and domains only; do not use it to proxy traffic to public sites. |
| Exceptions | Use an exception list if you set your access list to *.companydomain.com but do not want to proxy traffic such as email messages or OWA through the gateway. Add the domain name of the mail server (email.companydomain.com) to the exception list so that traffic connects directly to your server on the internet and does not use the gateway. |
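
The following added example (not IBM code and not part of the MaaS360 product) models the Access List and Exceptions settings offline, so that a proposed list can be checked before it is entered in the policy. It assumes glob-style matching, case-insensitive comparison, and that exceptions take precedence over the access list; the function names and the IP address are constructed for illustration.

```python
# Added illustration: models the Access List / Exceptions settings offline.
# Assumptions (not confirmed MaaS360 behaviour): entries are glob-style
# patterns, matching is case-insensitive, and exceptions take precedence.
from fnmatch import fnmatchcase
from ipaddress import ip_address

# Constructed sample values, based on the placeholder domains on this page.
ACCESS_LIST = ["*.companydomain.com", "10.20.30.40"]
EXCEPTIONS = ["email.companydomain.com"]


def _matches(host, patterns):
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, p.lower()) for p in patterns)


def route(host, access_list=ACCESS_LIST, exceptions=EXCEPTIONS):
    """Return 'direct' for exceptions, 'gateway' for access-list hits,
    and 'not-proxied' for hosts that are on neither list."""
    if _matches(host, exceptions):
        return "direct"
    if _matches(host, access_list):
        return "gateway"
    return "not-proxied"


def lint(access_list):
    """Flag entries too broad to stay limited to intranet sites."""
    findings = []
    for entry in access_list:
        try:
            ip_address(entry)  # literal IP address: nothing to flag
            continue
        except ValueError:
            pass
        labels = entry.split(".")
        fixed = [label for label in labels if label and "*" not in label]
        if any("*" in label and label != "*" for label in labels):
            findings.append(f"{entry}: wildcard inside a label also matches look-alike domains")
        elif "*" in entry and len(fixed) < 2:
            findings.append(f"{entry}: wildcard covers a whole TLD or every host")
    return findings


if __name__ == "__main__":
    for name in ("wiki.companydomain.com", "email.companydomain.com", "www.example.org"):
        print(name, "->", route(name))
    print(lint(["*", "*.com", "*companydomain.com"]))
```
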