Product Documentation

Application Tunnels

Jan 31, 2011

Device Manager Application Tunnels (App Tunnels) are designed to increase service continuity and data transfer reliability for your mobile apps. App Tunnels are used to define proxy parameters between the client component of any mobile device app and the application server component.

Device Manager tunneling acts as a stream buffer to overcome inherent network issues, such as irregular latency or network hopping. Tunneling also provides checkpoint restart capabilities, which is critical when bouncing between cellular data points. Furthermore, Device Manager automatically applies on-the-fly data compression and AES encryption to all data traffic transiting within each tunnel.

You can assign a tunnel channel dedicated to each mobile app and monitor the apps. For each App Tunnel you define, Device Manager transmits and monitors the data streams in a separate tunnel.

App Tunnels provide the following benefits:

  • Security through encryption of data traffic.
  • Efficiency through compression of data traffic (can help reduce strain on your device data plan, as well as battery usage).
  • Reliability through buffering of data traffic. For example, if a device loses connectivity or switches from WiFi to 3G, App Tunnels make sure data traffic is buffered until the connection is reestablished.
Note: Each application requires its own tunnel.

This section includes procedures for creating App Tunnels in Device Manager and for creating a remote support App Tunnel specifically for the Remote Support help desk application.

To add an Application Tunnel

  1. In the Device Manager web console, click the Policies tab and then under MDM Policies, click the device type for which you want to add an Application Tunnel (App Tunnel).
  2. Click Tunnels and then click New tunnel.
  3. In the Create a tunnel dialog box, in Name, enter the tunnel name. Citrix recommends the format Application_Name.
  4. Select the Remote Support check box if the tunnel will be used for the Remote Support application. If you select this option, some of the options in the dialog box become unavailable. To complete the remote support tunnel configuration, see "To create a remote support App Tunnel."
  5. Under Connection configuration, in Connection initiated by, click Device if the connection is client-initiated or click Server if the connection is server-initiated. With the exception of Remote Support, App Tunnels are typically client-initiated.
  6. In Protocol, click Generic TCP or Active FTP as the tunnel protocol.
  7. In Max. connections per device, set the maximum connections, per device, per tunnel. (1 is recommended.)
  8. Optionally, set the connection timeout, in seconds. This option allows for App Tunnels to be closed cleanly, even if the app fails.
  9. Optionally, choose to use SSL encryption connection between the server running Device Manager and the desktop running the Remote Support application.
  10. Optionally, in Secure Connection, select the Use SSL connection check box to block the traffic through that tunnel when the devices are in a roaming situation.
  11. Under Application device parameters, click one of the following options to define the mobile application traffic redirection:
    • Through application settings. If you choose this option, you must set 127.0.0.1 in the application server field on the mobile device.
    • Using a local alias. The application on the mobile device will connect to the alias you enter; the alias will be resolved to localhost and intercepted by Device Manager Client Agent. An alias can be any name; for example: my_crm application, exchange server, and so on.
    • An IP address range. Specify a range of IP address targets for which the mobile application will try to connect to in order to make Device Manager tunnel the connection. For example:
      • From: 0.0.0.0 to 255.255.255.255. In that case, all the traffic from the mobile device is redirected through Device Manager.
      • From: 88.10.10.10 to 88.10.10.10. In that case, only the traffic toward 88.10.10.10 is redirected through Device Manager.
  12. In Client port, enter the port used by the application on the mobile device. This option is required.
  13. In Application server parameters, enter the application IP address or server name, and the server port number. These options are required. In most cases, this is the same value as for Client port.
  14. Click Create.
    Note: To properly use an App Tunnel, you need to configure the device-based apps to connect to the Device Manager server rather than to their own server. Usually, 127.0.0.1 (localhost) is specified as the server address. However, some apps may not allow this type of configuration, or it may be preferable not to change the configuration of applications already deployed. In such cases, select the Specify a local alias check box and enter the servers name. This name will be redirected automatically to 127.0.0.1 on the mobile devices.

To update or delete an App Tunnel

You can change the configuration settings of an existing tunnel in Device Manager, but you cannot change the name of the tunnel.
  1. In the Device Manager web console, click the Policies tab and then under MDM Policies, click the device type for which you want to update or delete the app tunnel.
  2. In the list of tunnels in the center pane, select the check box for the tunnel you want to edit or delete.
  3. Click Edit to change the settings or click Delete to remove the App Tunnel.
  4. In the Edit a tunnel dialog box, change the settings and then click Update.

To create a remote support App Tunnel

You need to create a remote support Application Tunnel (App Tunnel) to support the Remote Support help desk application, which allows for the remote control of mobile devices over-the-air through Device Manager.
  1. In the Device Manager web console, click the Policies tab and then under MDM Policies, click to expand the device type for which you want to configure a remote support App Tunnel.
  2. Click Tunnels and then click New tunnel.
  3. In the Create a tunnel dialog box, in Name, enter a name for the remote support App Tunnel.
  4. Select the Remote Support check box.
  5. Optionally, under Connection configuration, in Connection time-out, select the Define check box and then enter a value in seconds to indicate the interval in which the connection to the Remote Support application should time out.
  6. In Secure Connection, select the Use SSL connection check box if you want to configure a secure connection between the Device Manager server and the Remote Support application.
  7. In While roaming, select the Block cellular connections passing by check box if you want to block the tunnel while roaming.
    Note: WiFi and USB connections are not blocked.
  8. Click Create.