A new menu option, Connect, was added to the VPN Client UI to allow a user to force a Mobile VPN to reconnect if it is disconnected. Menu options also allow a user to disable the Mobile VPN when it is disconnected but still enabled.

The following modifications have been made to improve the reliability of Mobile VPN on cellular networks when bad network conditions produce packet loss or when a network connection performs a time-out during a period of inactivity:

• The Mobile VPN now sends the Network Address Translation (NAT) keep-alive in-band, encapsulated in an Encapsulating Security Protocol (ESP) packet, instead of IKE packets. This helps to recover from packet-loss and avoids having to reconnect after a connection has performed a time-out.
  
  
• You can now configure the lifetime of a Mobile VPN Security Association (SA). This allows the SA re-key tuning, if necessary.
  
  

The Mobile VPN feature is not active by default in Windows Mobile devices. This feature is activated only after the device’s domain enrollment to a System Center Mobile Device Manager (MDM) system. When the device is not enrolled in an MDM system, the Mobile VPN feature is not activated and does not in any way affect the behavior of the device.

Other enhancements to Mobile VPN include:

• Mobile VPN data now synchronizes with AirSync.
  
  
• You can block access points for Mobile VPN. You can configure a registry list of access point names (APNs) that cannot be used by the VPN client. This list can be set during the initial provisioning at the time of a cold boot, or the mobile operator can update it later by using continuous provisioning.
  
  
• You can now configure the cellular connection profile that is to be used by the Mobile VPN client.
  
  
• The Mobile VPN now supports the MOBIKE protocol to update VPN security associations when a connection must be re-established after it was lost. Using the MOBIKE protocol allows the Mobile VPN to reconnect without having to perform a full Internet Key Exchange (IKE) v2 renegotiation. The benefits of this approach are faster reconnection time, improvement in device performance during reconnection, and less bandwidth usage.
  
  

The Mobile VPN provides an encrypted, authenticated channel from the Windows phone to a company’s perimeter network. The perimeter network is also known as a screened subnet. The IT department can control the traffic allowed through the perimeter network to the company network.

Until now, to provide the enterprise full control of the traffic, Windows phones did not allow traffic outside the VPN tunnel while the VPN was enabled. Because multihoming was not supported, traffic originating on the phone was sent over the VPN to the company perimeter network for screening, and was then forwarded or dropped. Traffic that tried to bypass the VPN was dropped.

For operator-subsidized phones, MOST allows selected mobile operator service traffic to access mobile operator servers directly instead of being blocked by the VPN. For operator non-subsidized devices, MOST is enabled by default.

For security reasons, all functionality related to enabling MOST with VPN is allowed only over a cellular connection.