This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Mobile VPN

A new menu option, Connect, was added to the VPN Client UI to allow a user to force a Mobile VPN to reconnect if it is disconnected. Menu options also allow a user to disable the Mobile VPN when it is disconnected but still enabled.

The following modifications have been made to improve the reliability of Mobile VPN on cellular networks when bad network conditions produce packet loss or when a network connection performs a time-out during a period of inactivity:

  • The Mobile VPN now sends the Network Address Translation (NAT) keep-alive in-band, encapsulated in an Encapsulating Security Protocol (ESP) packet, instead of IKE packets. This helps to recover from packet-loss and avoids having to reconnect after a connection has performed a time-out.

  • You can now configure the lifetime of a Mobile VPN Security Association (SA). This allows the SA re-key tuning, if necessary.

The Mobile VPN feature is not active by default in Windows Mobile devices. This feature is activated only after the device’s domain enrollment to a System Center Mobile Device Manager (MDM) system. When the device is not enrolled in an MDM system, the Mobile VPN feature is not activated and does not in any way affect the behavior of the device.

Other enhancements to Mobile VPN include:

  • Mobile VPN data now synchronizes with AirSync.

  • You can block access points for Mobile VPN. You can configure a registry list of access point names (APNs) that cannot be used by the VPN client. This list can be set during the initial provisioning at the time of a cold boot, or the mobile operator can update it later by using continuous provisioning.

  • You can now configure the cellular connection profile that is to be used by the Mobile VPN client.

  • The Mobile VPN now supports the MOBIKE protocol to update VPN security associations when a connection must be re-established after it was lost. Using the MOBIKE protocol allows the Mobile VPN to reconnect without having to perform a full Internet Key Exchange (IKE) v2 renegotiation. The benefits of this approach are faster reconnection time, improvement in device performance during reconnection, and less bandwidth usage.

User Scenario

The following scenario describes the user experience with the new Mobile VPN features.

From a lounge in the airport, Marco accesses his corporate network through an always-on VPN tunnel, which exists concurrently with a VPN tunnel to his mobile-operator network. His SMS messages all flow unimpeded, he has access to mobile-operator services just as he did prior to having the corporate VPN—and at the same time he can access SharePoint sites and internal applications within his corporate network. His Windows ®phone also receives and respects all policy settings, just as his previous Windows phone did.


Other improvements include:

  • Wireless networks are made more secure by preventing automatic configuration of unplanned networks unless the user selects the Only Computer-to-Computer option on the Configuration menu.

  • The enrollment client to MDM now supports autodiscovery of the instance in which the device needs to be enrolled when a company has an MDM deployment with multiple instances.

Mobile Operator Services Traffic (MOST)

The Mobile VPN provides an encrypted, authenticated channel from the Windows phone to a company’s perimeter network. The perimeter network is also known as a screened subnet. The IT department can control the traffic allowed through the perimeter network to the company network.

Until now, to provide the enterprise full control of the traffic, Windows phones did not allow traffic outside the VPN tunnel while the VPN was enabled. Because multihoming was not supported, traffic originating on the phone was sent over the VPN to the company perimeter network for screening, and was then forwarded or dropped. Traffic that tried to bypass the VPN was dropped.

For operator-subsidized phones, MOST allows selected mobile operator service traffic to access mobile operator servers directly instead of being blocked by the VPN. For operator non-subsidized devices, MOST is enabled by default.

For security reasons, all functionality related to enabling MOST with VPN is allowed only over a cellular connection.

See Also


What's New in Windows Mobile 6.5

Other Resources