Connection Manager Security

Connection Manager supports Dual Homing. Dual Homing enables a device to have multiple connections available and active at the same time, and provides optimal behavior in these scenarios.

There are many scenarios in which a device would attempt to establish multiple types of connections using the Dual Homing feature. Here are a few examples:

  • A device has an active GPRS connection, and the user walks into an area with WiFi coverage
  • A device has an active GPRS connection, and the user docks (cradles) the device and establishes a Desktop Passthrough (DTPT) connection

Dual Homing introduces various security threats, such as the potential for bridging between two networks.

To help prevent the bridging between two networks and possible leaking between two interfaces, Connection Manager supports secure connections. OMA Client Provisioning (formerly WAP) and OMA DM configuration service providers for Connection Manager include the Secure parameter, which enables you to provision a connection as secure on a per-connection basis. You can determine if a connection is secure by performing an XML query or by using the ConnMgrQueryDetailedStatus function. The dwSecure flag indicates whether or not a connection is secure.

Note   Setting the value of Secure to 0 is not supported for Desktop Passthrough (DTPT) connections. DTPT was designed to work as a secure connection.

When a Virtual Private Network (VPN) connection is active, Connection Manager generally restricts any new connection to a network other than the one being used by the VPN connection. All traffic is handled by the VPN connection, regardless of the number of active connections, until the VPN connection is disconnected or a specific request to route network traffic to a connection other than the VPN connection occurs. You can call ConnMgrMapConRef to specifically request the routing of network traffic to a connection other than the VPN connection, and the Connection Manager will route traffic accordingly.

The only exception to this behavior is if the newly requested connection has the same security level as or a higher security level than the existing VPN connection. In this case, Connection Manager disables the existing connection and makes the newly requested connection to the network used by the original connection.

Best Practices

Provision a connection as secure

You can provision almost any connection as secure.

VPN and proxy connections cannot be provisioned as secure. When a VPN is connected over an interface, the routing table for that interface is modified in such a way that packets that are not destined for the interface's direct subnet are sent to the VPN network. This mechanism decreases the risk of security attacks.

DTPT connections are configured as secure by default.
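
The following added example (not part of the original topic or of Microsoft's code) audits a provisioning XML document before deployment and reports connection entries that are not explicitly provisioned with Secure set to 1. The provider names CM_GPRSEntries, CM_PPPEntries, CM_NetEntries, CM_VPNEntries and CM_ProxyEntries, the wap-provisioningdoc layout, and the sample entries are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed provider names whose entries can carry Secure (not listed on this page).
SECURABLE = {"CM_GPRSEntries", "CM_PPPEntries", "CM_NetEntries"}
# The page states that VPN and proxy connections cannot be provisioned as secure.
NOT_SECURABLE = {"CM_VPNEntries", "CM_ProxyEntries"}

# Constructed sample document; entry names are made up for illustration.
SAMPLE = """<wap-provisioningdoc>
  <characteristic type="CM_GPRSEntries">
    <characteristic type="Corp GPRS"><parm name="Secure" value="1"/></characteristic>
    <characteristic type="Guest GPRS"><parm name="Secure" value="0"/></characteristic>
  </characteristic>
  <characteristic type="CM_NetEntries">
    <characteristic type="Office WiFi"/>
  </characteristic>
  <characteristic type="CM_VPNEntries">
    <characteristic type="Corp VPN"><parm name="Secure" value="1"/></characteristic>
  </characteristic>
</wap-provisioningdoc>"""

def secure_value(entry):
    """Return the entry's Secure value as a string, or None if it is absent."""
    for parm in entry.findall("parm"):
        if (parm.get("name") or "").lower() == "secure":
            return (parm.get("value") or "").strip()
    return None

def audit(xml_text):
    """Return (provider, entry, finding) tuples in document order."""
    findings = []
    for provider in ET.fromstring(xml_text).findall("characteristic"):
        ptype = provider.get("type")
        if ptype not in SECURABLE | NOT_SECURABLE:
            continue
        for entry in provider.findall("characteristic"):
            name, secure = entry.get("type"), secure_value(entry)
            if ptype in NOT_SECURABLE:
                if secure is not None:
                    findings.append((ptype, name, "Secure set on VPN/proxy entry"))
            elif secure is None:
                findings.append((ptype, name, "Secure not specified"))
            elif secure != "1":
                findings.append((ptype, name, "not provisioned as secure"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

An entry reported as "Secure not specified" is flagged for review only; the script makes no claim about the value Connection Manager applies when the parameter is omitted.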

See Also

Configuring a Windows Mobile-based Device Using XML | Security Levels of Connection Types

© 2006 Microsoft Corporation. All rights reserved.