Instant APN Technical White Paper
Introduction
AccessMyLan Instant APN is a hosted service that provides access to a company
network via an Access Point Name (APN) on the AT&T mobile network. Any device on
the AT&T mobile network may be configured to connect using Instant APN including
Laptop Connect modems, Smartphones, mobile routers and M2M devices.
The service does not require any specialist CPE (Customer Premise Equipment) as the
Instant APN 'footprint' on the customer network consists of a software agent installed
on any Windows system on the LAN. The software, known as a VPN Agent, makes an
outbound SSL connection to the AccessMyLan service cloud which is hosted in
multiple data centres around the globe. Typically, no firewall changes are required
at the customer’s network perimeter and deployment in DMZ-style scenarios is fully
supported.
With no open inbound ports, no externally published DNS and no inbound routes,
there is no inbound attack surface at the customer's network edge, and the
dependency on fixed external IPs or on a specific ISP is removed. The host running
the VPN Agent and its outbound SSL session become the customer-side trust boundary
instead, so that host should be hardened and monitored as a gateway.
Asavie Technologies Ltd.
24 Herbert Lane
Dublin 2
Ireland
w: www.accesssmylan.com
e: sales@accessmylan.com
t: +353 1 6763585 (Int)
+1 866 576 9266 (USA)
+44 158 263 5013 (UK)
Service Architecture
Figure 1 - Service Architecture (diagram: a mobile device on the AT&T wireless
network connects to the AT&T Instant APN; the service reaches the VPN Agent on the
customer LAN across the Internet)
▪ The VPN Agent installed on the LAN establishes and maintains an SSL tunnel
to the service via the Internet.
▪ The APN settings on the mobile device are configured to connect to the
Instant APN on the AT&T wireless network.
▪ The service authenticates the mobile connection and brokers communication
between the mobile client and devices on the LAN.
VPN Agents
Connectivity between the customer network and the service cloud is maintained by
VPN Agents. VPN Agents run as a service on any Windows platform (Windows 2000 or
later) and establish a permanent SSL connection to the service. In the event of an
Internet connection failure, the VPN Agent will automatically attempt to re-establish
connectivity to the service over any available Internet route.
Multiple VPN Agents can be deployed to provide resilience in the event of hardware
or network failure. In the default configuration, the first VPN Agent to connect
provides the route for remote traffic. If that VPN Agent loses connectivity due to
hardware or network problems, another connected VPN Agent immediately takes over
the route for remote traffic. VPN Agents may be deployed across multiple sites to
enable transparent failover of remote access in a disaster recovery scenario, or to
provide concurrent connectivity to several sites. VPN Agents also provide
policy-based routing, which can be used to split remote traffic between VPN Agents
based on the service type and/or destination host.
Connecting Mobile Devices
No additional software is required on the mobile device as connectivity is established
by configuring Instant APN as a connection profile on the mobile device.
Figure 2 - Configuring AT&T Communication Manager for access
The profile created can then be used to establish connectivity to the service.
Figure 3 - Connecting to the service
Once connected, mobile devices are assigned an IP address, DNS server and default
gateway by the service. The assigned DNS server relays DNS requests to the VPN
Agent for resolution, simplifying integration with the corporate namespace.
The IP address assigned is a private address and by default is not contactable from
other mobile devices. The Machine to Machine (M2M) section of this paper explains
how the service supports applications that require static addressing and
communications between devices.
The system administrator creates users, each with a username and password, and
binds mobile devices to a user by specifying the mobile number (MSISDN) of each
device that user will use to access the service. When a device connects, it must
present the user's username and password to authenticate, and the service also
verifies the MSISDN of the connecting device before authorizing access. Because
the MSISDN comes from the mobile network rather than from the user, this check
ties authorization to the SIM in the device: a leaked username and password alone
are not sufficient to gain access.
Network Architecture
The VPN Agent behaves like a NAT proxy, so all remote user traffic on the LAN has
the source address of the system hosting the VPN Agent. This simplifies deployment,
but it also means that LAN-side logs attribute every remote session to the agent
host; per-user attribution has to come from the service's own logs and access
rules. On startup, the VPN Agent automatically discovers routable subnets and DNS
services, which are configured on remote devices at connect time.
When a mobile device authenticates successfully, the service assigns an IP address
to the remote device from an AccessMyLan address pool and configures DNS and
routing. DNS is configured to use a company-specific DNS proxy on the service,
which forwards requests to the VPN Agent for resolution. Routes are pushed to the
client so that all traffic for RFC 1918 addresses goes via the APN; that traffic is
then proxied by the VPN Agent, which is why it appears on the LAN with the source
IP address of the VPN Agent host.
The following tracert example shows the routing in the network.
C:\> tracert srv1.example.com
Tracing route to srv1.example.com [192.168.1.21] over a maximum of 30 hops
  1    32 ms    31 ms    32 ms  10.128.0.1    Client Access Server
  2    34 ms    34 ms    35 ms  10.192.0.3    Virtualised Customer Router/Firewall
  3    66 ms    67 ms    66 ms  192.168.1.20  VPN Agent IP address on LAN
  4    69 ms    67 ms    69 ms  192.168.1.21  Server address on LAN
Figure 4 - Network Routing
Each customer is assigned a virtualised VPN router/firewall in AccessMyLan which is
responsible for enforcing customer configured Access Controls and routing user
traffic via connected VPN Agents.
The virtualised VPN router also provides a DNS relay by forwarding any DNS UDP
datagrams addressed to the VPN router address to VPN Agents that have a DNS route
declared.
Access Controls
Access Rules
Network access rules are applied to all remote traffic and control access based on
the application protocol and the destination host. The administrator can define
custom services in addition to the standard service definitions.
Figure 5 - Network Access Rule Configuration
User access rules are applied on a per-user basis and are defined in the same manner
as network access rules.
User Authentication
By default, users are authenticated against the integrated AAA service. The service
implements a lockout policy which defines how many login failures a user may have
before being locked out. The policy also defines the lockout period before the user
may attempt to login again. User passwords are subject to an administrator
configurable password policy which defines the minimum length and character set
mix.
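The checks described in this section and in the MSISDN discussion under Connecting Mobile Devices (username and password plus MSISDN binding, lockout after a configured number of failures for a configured period, and a password policy on minimum length and character mix), as an added Python example. It is not the integrated AAA service's code: the AAA class, the PBKDF2 password hashing, the policy defaults, the injectable clock and the sample user and numbers are assumptions constructed for illustration.

```python
"""Authorization decision for a connecting device: username/password plus
MSISDN binding, with lockout and password-policy enforcement.

Added illustration of the checks described in the text; not Asavie code.
The data model, the policy values, PBKDF2 hashing and the injectable clock
are assumptions made for this example."""
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class LockoutPolicy:
    max_failures: int = 5        # consecutive failures allowed before lockout
    lockout_seconds: int = 900   # how long the account stays locked


@dataclass
class PasswordPolicy:
    min_length: int = 8
    classes_required: int = 3    # out of: lower, upper, digit, symbol

    def check(self, pw: str) -> bool:
        classes = sum(bool(re.search(p, pw))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
        return len(pw) >= self.min_length and classes >= self.classes_required


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    msisdns: Set[str] = field(default_factory=set)  # devices bound to this user
    failures: int = 0
    locked_until: float = 0.0


_DUMMY_SALT = b"\x00" * 16


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class AAA:
    def __init__(self, lockout: Optional[LockoutPolicy] = None,
                 pwpolicy: Optional[PasswordPolicy] = None, clock=time.time):
        self.users: Dict[str, User] = {}
        self.lockout = lockout or LockoutPolicy()
        self.pwpolicy = pwpolicy or PasswordPolicy()
        self.clock = clock  # injectable so lockout expiry can be tested

    def add_user(self, username: str, password: str, msisdns) -> None:
        if not self.pwpolicy.check(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self.users[username] = User(username, salt, _hash(password, salt), set(msisdns))

    def authorize(self, username: str, password: str, msisdn: str) -> str:
        """Return 'allow', 'locked' or 'deny'. Every denial looks the same to
        the caller, so a wrong MSISDN does not confirm that the password was
        right, and unknown users still cost one hash so timing is uniform."""
        u = self.users.get(username)
        if u is None:
            _hash(password, _DUMMY_SALT)
            return "deny"
        now = self.clock()
        if now < u.locked_until:
            return "locked"
        ok = hmac.compare_digest(_hash(password, u.salt), u.pw_hash) and msisdn in u.msisdns
        if ok:
            u.failures = 0
            return "allow"
        u.failures += 1
        if u.failures >= self.lockout.max_failures:
            u.failures = 0
            u.locked_until = now + self.lockout.lockout_seconds
        return "deny"
```

Note that a request from an unbound MSISDN counts as a failure against the user whose credentials it carried; that is deliberate, since it is the signal that a valid password is being tried from a device the administrator never enrolled.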
The service can also be configured to authenticate users against any RADIUS-capable
authentication server on the LAN, such as Active Directory (through a RADIUS front
end such as Microsoft NPS/IAS) or RSA SecurID. Authentication requests are proxied
via the VPN Agent to the internal RADIUS server defined by the administrator, so no
inbound path to the RADIUS server is needed.
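What a proxied request of this kind looks like on the wire, as an added Python example of a RADIUS Access-Request (RFC 2865) with the User-Password attribute hidden the way the protocol requires, plus the server-side reversal. This is not the VPN Agent's code; the shared secret, user, password and NAS-Identifier are constructed for illustration, and only the three attributes needed to show the mechanism are included.

```python
"""Build and parse a RADIUS Access-Request (RFC 2865) with PAP password hiding.

Added example of the request shape a proxy produces toward an internal RADIUS
server; not Asavie's VPN Agent code. Secret, user, password and NAS-Identifier
are constructed values."""
import hashlib
import os
import struct
from typing import Dict, Optional, Tuple

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password length out of range")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, 2 + len(value)) + value


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_id: str, authenticator: Optional[bytes] = None) -> bytes:
    authenticator = authenticator or os.urandom(16)   # Request Authenticator, 16 random bytes
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad length")
    authenticator = pkt[4:20]
    attrs, pos = {}, 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute")
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, authenticator, attrs


def server_check(pkt: bytes, secret: bytes, expected_user: str, expected_pw: str) -> bool:
    """What the internal RADIUS server does: recover the password with the
    shared secret and the authenticator carried in the packet, then compare."""
    code, _, auth, attrs = parse_packet(pkt)
    if code != CODE_ACCESS_REQUEST:
        return False
    pw = reveal_password(attrs[ATTR_USER_PASSWORD], secret, auth)
    return attrs[ATTR_USER_NAME] == expected_user.encode() and pw == expected_pw.encode()
```

The hiding is obfuscation keyed on the shared secret, not encryption with any modern security margin; the reason the proxying arrangement is acceptable is that the Access-Request travels from the VPN Agent host to the RADIUS server on the LAN rather than over the Internet, which is also why the secret between them should be long and unique to that pair.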
Instant APN Applications
Internet Access Policy Compliance
While providing staff with mobility is a powerful business enabler, it can also pose
challenges as users have direct access from their mobile device to the Internet. This
may result in users wasting time, visiting inappropriate sites and downloading
dangerous material to company devices.
By configuring the mobile device so that it can only connect to Instant APN, mobile
users no longer have direct access to the internet. This restriction is applied by
disabling access to the Internet APN on the AT&T network which means that the user
cannot re-enable access through a local configuration.
Access to the Internet can be provided by configuring the mobile device browser to
use a proxy server located in the office. This approach subjects the mobile user to
the same access restrictions and monitoring as desk based users and provides the
controls to ensure that mobile users are in compliance with usage policies.
Machine to Machine
Instant APN provides an easy and secure way to integrate remote machines using the
AT&T wireless network. By using Instant APN, the devices are not exposed to the
Internet and there is no requirement for complex client-side software.
In an M2M environment, it may not be practical to configure each device with a
unique username and password. In these cases, a shared set of credentials may be
used with authorization of access being based on the MSISDN/Mobile number of the
mobile device.
Machine to Machine (M2M) applications will generally need static IP addresses on the
mobile devices and bi-directional communication between mobile devices and LAN
applications. The service supports two approaches for M2M projects.
Peer-to-Peer
In a Peer-to-Peer M2M environment, the service will assign static private IP addresses
to the mobile device from a service or customer defined pool of addresses. The
address pool can be in the following ranges:
▪ 192.168.0.0 to 192.168.255.255
▪ 172.16.0.0 to 172.31.255.255
▪ 10.1.0.0 to 10.126.255.255
All mobile devices are assigned a static address from the pool and can communicate
with each other. The AccessMyLan VPN Client is also supported by this Peer-to-Peer
network allowing connectivity to M2M devices on the mobile network from Windows
systems.
M2M Routed Mode
Where transparent routed connectivity between the M2M devices and servers on the
LAN is required, a route must be provided from the LAN to the mobile devices. This
is achieved by establishing a GRE tunnel between a router on the LAN and a VPN
Agent installed on the LAN. With this approach, any LAN host may communicate with
a mobile M2M device using the mobile device private static IP address.