Introduction
Mobile communications and the Internet industry have become two of the fastest growing, most attractive businesses in the world because of their market potential. In many industries, especially IT companies, the wireless office/communication trend has become a crucial part of doing business.
The rapid spread of mobile smart devices has enabled anyone to exchange information at any time, anywhere. In contrast to personal and entertainment emails, business email and document transmission require a more secure strategy and tools. To achieve the implementation of enterprise-class mobile security and timely communication, IBM® Mobile Connect Client is a wise choice.
This article outlines a process for implementing IBM Mobile Connect (formerly known as IBM WebSphere® Everyplace™ Connection Manager) whereby you can create secure, mobile virtual private networks (VPNs) with the Connection Manager host client on different wireless mobile platforms, such as Android, Symbian, and Microsoft® Windows® Mobile, as well as on computer OS's using wireless networks such as Windows, Linux®, and Macintosh.
The Mobile Connect Client product supports ten languages including English, Spanish, German, French, Italian, Brazilian Portuguese, Japanese, Simplified Chinese, Traditional Chinese, and Korean.
We will share some best practices for Mobile Connect Client users or enterprise-class VPN administrators to safely extend existing instant messaging and enterprise applications to their mobile devices, to increase work efficiency.
Overview of Mobile Connect Client
Here are some of the main features of the Mobile Connect Client:
- Guarantees secure information exchange, incorporating SSL connectivity, Wireless Transport Layer Security (WTLS), and Point-to-Point Protocol (PPP) remote-access standards from PPP clients. It uses a symmetric encryption key to encode or decode data with varying key lengths, the strongest of which is the 256-bit key length used in the Advanced Encryption Standard (AES).
- The export/import feature of the client configuration files enables the deployment of client configuration changes over the air.
- Smart wizards that help you get up and running quicker, set up VPN connections, and configure new accounts.
- Full integration with IBM Lotus Notes®, IBM Lotus Notes Traveler, IBM Sametime®, and IBM Lotus iNotes®.
Also, the Connect Manager administrator has the ability to set or change client configuration properties and then quickly apply the new configuration to the client.
Implementing the Connect Client on smart mobile platforms
In this section we discuss the best practices for implementing the Mobile Connect Client on several smart mobile platforms.
There are three main mobile platforms supported by the Mobile Connect Client: Android, Symbian, and Windows Mobile. The setup and configuration procedures are similar among the different platforms, so we introduce the full implementation process on the Android platform, and then highlight the differences between the processes on the Symbian and Windows Mobile platforms, with some useful preparation steps and best practices.
Complete implementation process on the Android platform
A stable wireless connection to the Internet or to your corporate intranet is an important prerequisite to ensure a smooth setup and configuration process for the Mobile Connect client; otherwise, a bad network connection may cause unknown issues or data loss.
A best practice is to use your company-level authentication tool to connect to the wireless network of your intranet since it is much more stable than public wireless networks.
Installing the Mobile Connect Client is made easy by the smart wizard that guides you in setting it up quickly, with limited background knowledge of networks or VPNs (see figure 1).
Figure 1. Mobile Connect Client Install Wizard for Android
Figure 2 shows the initial window that displays when you launch the Mobile Connect Client on Android after a successful install. Obviously we must check the “I trust this application” checkbox to proceed, to grant permission for the Mobile Connect Client to create a VPN.
Figure 2. Initial window after successful install
Connecting to the Connect Manager server is crucial in setting up a secure VPN. To do this, click the Add Connection button, and then input the required Connection Name, Connection Manager Server Address, the UDP/HTTP/HTTPS Port preferences, and your user log-in mode preference, as shown in figure 3.
Figure 3. Add Connection window
User Datagram Protocol (UDP) will always be the first default protocol used when the Mobility Client attempts to connect to the Connection Manager. The UDP port field indicates the port number that the Mobility Client uses to send data to the Connection Manager. The default value for this port is 8889. Figure 4 shows an example of a UDP connection created. The default value for the HTTP port is 80, and for the HTTPS port it is 443.
Figure 4. UDP authentication
HTTPS and Certificate authentication are much more secure. Generally we use the IBM Key Management tool to create a self-signed certificate (see figure 5) and then transfer the certificate to the Mobility Client end, after which the user can install and use the key to pass the authentication.
Figure 5. Create Self-Signed Certificate window
Note that the key generation operation can be executed only by the Connection Manager administrator. Figure 6 shows the connect success status and details.
Figure 6. Connect success status and details
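Because a self-signed certificate has no issuing CA to vouch for it, the copy that reaches the device is worth checking against a fingerprint the administrator publishes through a separate channel before it is installed. The following is an added example, not part of the original article or of IBM's tooling; the function names and the sample bytes are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def make_pem(der):
    """Wrap DER bytes in PEM armor (what the administrator exports)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN CERTIFICATE-----\n" + body +
            "\n-----END CERTIFICATE-----\n")

def pem_to_der(pem_text):
    """Return the DER bytes; reject files with zero or several certificates."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError("expected exactly one certificate, found %d"
                         % len(blocks))
    return base64.b64decode("".join(blocks[0].split()), validate=True)

def admin_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, as published by the administrator."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))

def normalize(fingerprint):
    """Accept 'AB:CD:...', spaced or plain hex; return lowercase hex."""
    cleaned = re.sub(r"[:\s]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned

def matches_published(pem_text, published_fingerprint):
    """True only if the received certificate hashes to the published value."""
    received = hashlib.sha256(pem_to_der(pem_text)).hexdigest()
    return hmac.compare_digest(received, normalize(published_fingerprint))

# Constructed sample: placeholder bytes standing in for a certificate's DER
# encoding. Only the hash comparison is demonstrated; nothing is parsed as X.509.
SAMPLE_DER = bytes(range(256)) * 2
SAMPLE_PEM = make_pem(SAMPLE_DER)

if __name__ == "__main__":
    published = admin_fingerprint(SAMPLE_DER)
    altered = make_pem(SAMPLE_DER[:-1] + b"\x00")  # one byte changed in transit
    print("received copy matches:", matches_published(SAMPLE_PEM, published))
    print("altered copy matches: ", matches_published(altered, published))
```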
The Mobility Client configuration files' export/import feature enables the deployment of client configuration changes over the air. The Mobility Client user can also choose to export the configuration file as a single-platform supported file or multi-platform supported file.
In addition, the Mobility Client enables the Diagnostic Logging function, whereby any traffic details can be recorded and exported to the SD Card or to email, so it is quite convenient for determining the data exchange details of a set period (see figure 7).
Figure 7. Diagnostic Logging window
When all valid Mobility Client users connect to the Connection Manager within the same VPN, they can securely communicate among one another or communicate with the Connection Manager administrator.
As the Mobility Client has full integration with Lotus Notes, Lotus Notes Traveler, IBM Sametime, and Lotus iNotes, implementing secure enterprise-class wireless communication becomes easier. For instance, in the same secure VPN range, mobile device users can have a Sametime chat with others to ask quick questions, send email through Lotus Notes or iNotes, or check new email using Notes Traveler, etc.
The Connection Manager administrator can broadcast an enterprise-class message to all users or a specific group of users (see figure 8), or the administrator can take timely action to Lock, Log Off, Reset Password, Reset failed login count, or Delete the account, if any insecure or unstable factor is identified from a user’s communication log (see figure 9).
Figure 8. Broadcast a message
Figure 9. Connection Manager Administration
Now that we've discussed the main features and best practices for setting up / configuring the Mobility Client on the Android platform, the next subsections will mention the differences between implementing on the Symbian platform or Windows Mobile, highlighting pre-steps and best practices and touching less on the details of the main features, since they are similar among the different mobile platforms.
Differences and best practices implementing on Symbian
Unlike with other smart mobile platforms, the best practice process to implement the Mobility Client on the Symbian platform relies on two main preparatory steps; one is the valid software certificate verification, and the other is pre-installing the correct version of the Nokia mobile VPN plug-in.
For large-scale deployments on Symbian smart devices, we create a global certificate with a defined valid period and embed it into the install package, saving time and effort. For short-period pilot testing or other temporary purposes, we could provide a list of the smart devices' International Mobile Equipment Identity (IMEI) codes, and then ask the software producer to integrate the information into the install package.
Both methods are good enough to perform the initial installation of the software. Before configuring VPN successfully between the Mobility Client and the Connect Manager server, we also must download and install the Nokia mobile VPN plug-in. This plug-in can be downloaded from Nokia's official Web site. Using the correct version of the plug-in that matches the Symbian platform is also a key factor for future VPN setups.
Unlike with the Android platform software, the Mobility Client for Symbian is not locale sensitive. The available user interface languages are listed in one step of the install wizard (see figure 10), meaning that even if the platform language is set as English, we can select Italian as the user interface of the software at this step.
Figure 10. Select the User Interface language
Another best practice is customizing system settings to enable connection between the Mobility Client and Connection Manager on Symbian platform version 9.3 or later. On other platforms or on Symbian versions 9.2 and earlier, users can easily locate the feature to add a connection from the software user interface, and the wizard for the VPN connection setup is ready to be used.
For Symbian platform 9.3 or later, however, you must perform the following steps:
- Navigate to Menu > Settings > Connectivity > Destinations > Access point. Follow the wizard to select and then configure a wireless network Access point.
- Go back to the Destinations section but now select Internet, and select the Access point you just created.
- Start up Options > Edit > WLAN Security mode, select WPA/WPA2 > EAP plug-in settings > EAP-LEAP, and set the username and password for the wireless network authentication.
- Select Options > Exit.
After the connection is configured, set up an Account with the information as shown in figure 11, which is sufficient to connect to the VPN server.
Figure 11. Account settings on Symbian platform
Differences and best practice implementing on Windows Mobile
The Mobile Connect client installer for the Windows Mobile platform consists of two parts, the English software and the additional language packages. It is quite easy following the install wizard to install the English software; the difference is that it requires restarting the OS to complete the install.
The VPN connection setup wizard guides users to set up and configure, and other functions are similar to the Android platform (see figure 12).
Figure 12. Mobility Client wizard for creating a connection on Windows CE
Implementing Mobile Connect client on OS's using wireless networks
Besides smart mobile devices, we can also deploy the Mobile Connect client on several OS's using wireless networks. For instance, we can implement it on the Linux operating system, mainly on Red Hat and SuSE; implement it on the Windows OS, such as Windows XP and Windows 7; or implement it on the Macintosh version 10.6 OS.
The implementation process is similar among these operating systems, and the Mobile Connect user interface on these OS's is also similar to that on Windows Mobile.
The installers for Linux, Windows, and Mac OS's are all locale sensitive, meaning that if you set your preferred locale, the installer will identify and display the corresponding user interface language. Figure 13 shows the main window for SuSE Desktop Enterprise 11.
Figure 13. Main SuSE Desktop Enterprise window
The Linux, Windows, and Mac OS's are the most common for office employees using wireless networks, and the IBM Mobility Connect Client can help create a VPN between these OS's and the Connection Manager server, ensuring the security of data transfer and communication.
Conclusion
With the fast development of wireless data networks, many companies are struggling to manage costs and security for their mobile workforce. IBM Mobile Connect equips enterprises with secure connectivity across different networks, extending enterprise-class applications to their mobile workforce, no matter which operating system is used – Android, Symbian, Windows Mobile, Linux, Windows or Macintosh.
You should now be familiar with the best practices for Mobile Connect Client users or enterprise-class VPN administrators to safely extend existing instant messaging and enterprise applications to the mobile devices and increase work efficiency.
About the authors
Li Bo Zhang has more than seven years of globalization and localization experience in software testing and project management. Based at IBM's Beijing, China, Lab, her recent focus has been on the multi-language, multi-platform Mobile Connect Client globalization verification test project. You can reach her at zhlibo@cn.ibm.com.
Zhen Rong Wang is an IBM Advisory Software Engineer with extensive experience in Globalization Verification Testing (GVT), translation, and Translation Verification Testing (TVT). You can reach her at wangzr@cn.ibm.com.