Recommendations for Using Mobile VPN
4/8/2010
When active, the Mobile virtual private network (VPN) can have several important impacts on device function.
Important
Mobile VPN is inactive by default and affects the device only after System Center Mobile Device Manager (MDM) enrollment.
Mobile VPN Best Practices
To help guarantee a seamless integration with Mobile VPN, make sure to consider the following guidelines:
- When you write an application that requires network connectivity, the application must request data connectivity through Connection Manager, and listen to notifications that are sent from Connection Manager. For more information, see Connection Manager.
- If the application is able to support a proxy server, make sure to include that support when you write the application. To include proxy server support, use Connection Manager to obtain the access type and proxy information, and then pass this data to the WININET InternetOpen function. For more information, see Connection Manager Application Development and HTTP Sessions.
- When the Mobile VPN is enabled, any data that is sent over a cellular or Wi-Fi connection and not over the Mobile VPN connection will be blocked.
- The Mobile VPN connection provides access only to the Internet, Work, and Sync metanetworks. No other metanetworks are supported. If your application requires another specific metanetwork, it will not work while the Mobile VPN is enabled.
Mobile VPN NDIS Intermediate Driver Installation
During Mobile VPN bootstrap, the Mobile VPN component installs a Network Driver Interface Specification (NDIS) intermediate driver that binds the Mobile VPN to each wide area network (WAN) and each wireless local area network (WLAN) network adapter that is present on the device. After binding, the name of each bound network adapter changes to include the intermediate driver prefix.
For example, if the device has a wireless LAN adapter named <WiFiAdapterName1>, after the NDIS intermediate driver is installed the adapter is displayed as <NDISPrefix>\<WiFiAdapterName1>, where the <NDISPrefix> tag is defined by the NDIS intermediate driver.
To help ensure a seamless binding process, you need to adhere to the following guidelines:
- An application or driver should not hard-code WAN or WLAN network adapter names in registry paths or in code.
- An application should verify that the device functions the same way whether or not an intermediate driver is installed. Otherwise, the Wi-Fi user interface on the device might not work correctly. The device might take a long time to discover Wi-Fi access points, or it might not retain its Wi-Fi state after being restarted.
- The Mobile VPN intermediate driver is designed to bind dynamically to all existing protocol drivers and WAN/WLAN network adapters that are present on the device. For seamless integration with the Mobile VPN intermediate drivers and with any third-party intermediate driver, the protocol drivers and network adapters should not hard-code the bindings that are created between the different layers.
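The following added example (not code from the original page or from Microsoft) shows one way to match a previously saved adapter name against the names enumerated at run time, so that saved per-adapter state still resolves after an intermediate driver prefix appears. The prefix IMPREFIX, the adapter CellularAdapter1, the helper names, and the case-insensitive comparison are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* Text after the last backslash, so "<NDISPrefix>\Name" and "Name" both
   yield "Name". Assumption: each intermediate driver prepends "prefix\". */
const wchar_t *adapter_base_name(const wchar_t *name)
{
    const wchar_t *slash = wcsrchr(name, L'\\');
    return slash ? slash + 1 : name;
}

/* Non-zero when two names refer to the same adapter, ignoring any prefix.
   Case-insensitive matching is an assumption of this example. */
int same_adapter(const wchar_t *a, const wchar_t *b)
{
    a = adapter_base_name(a);
    b = adapter_base_name(b);
    while (*a && towlower((wint_t)*a) == towlower((wint_t)*b)) {
        a++;
        b++;
    }
    return *a == L'\0' && *b == L'\0';
}

/* Index of the enumerated adapter that corresponds to a name saved earlier
   (for example, persisted Wi-Fi state), or -1 if it is not present. */
int find_adapter(const wchar_t *const *enumerated, size_t count,
                 const wchar_t *saved)
{
    for (size_t i = 0; i < count; i++)
        if (same_adapter(enumerated[i], saved))
            return (int)i;
    return -1;
}

/* Constructed sample: names as they might enumerate after binding.
   "IMPREFIX" stands in for <NDISPrefix>; both names are placeholders. */
static const wchar_t *const sample_after_bind[] = {
    L"IMPREFIX\\CellularAdapter1",
    L"IMPREFIX\\WiFiAdapterName1",
};

int main(void)
{
    /* Name saved before the intermediate driver was installed. */
    printf("%d\n", find_adapter(sample_after_bind, 2, L"WiFiAdapterName1"));
    return 0;
}
```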
Current limitations of the Mobile VPN intermediate driver
The Mobile VPN intermediate driver has the following limitations:
- The Mobile VPN intermediate driver only supports Ethernet II frame types. It does not support the Ethernet 802.3 frame types.
- Windows Mobile does not support the use of other intermediate drivers in conjunction with the Mobile VPN intermediate driver. MDM administrators should not install any application that installs an intermediate driver. If an application must use an intermediate driver, ensure the following conditions are met:
  - The intermediate driver of your application supports dynamic bindings.
  - The Mobile VPN intermediate driver binds directly to the network adapters. The intermediate driver of your application needs to be installed between the protocol adapters and the Mobile VPN intermediate driver.
Mobile VPN Starts Automatically After Activation
After Mobile VPN is activated for the device, Mobile VPN runs automatically whenever Windows Mobile loads. This might cause the device to take a few seconds longer to load, depending on what device platform is installed. Every device on which Mobile VPN runs must verify that the drivers or applications that run when Windows Mobile is loaded behave consistently, are not time-sensitive, and do not affect the startup time.