IPSecVPN MOST Configuration Service Provider

4/8/2010

By default, when there is a Mobile VPN connection, the Connection Manager blocks all traffic except Internet Key Exchange version 2 (RFC 3406) on the real interfaces on the device (for example, Wi-Fi and GPRS). Mobile operator service traffic (MOST) lets users access services offered by mobile operators outside of the Mobile VPN connection while VPN is being used.

The IPSecVPN MOST Configuration Service Provider lets you configure the MOST IP addresses and hostnames. Typically the OEM includes the mobile operator's MOST rules (hostnames and IP addresses) on a commercialized device. The mobile operator can then use this configuration service provider to update the rules through provisioning.

Note

This Configuration Service Provider can be managed over both OMA Client Provisioning (formerly WAP Client Provisioning) and the OMA DM protocol.

Note

Access to this Configuration Service Provider is determined by Security roles. Because OEMs and Mobile Operators can selectively disallow access, ask them about the availability of this Configuration Service Provider. For more information about roles, see Security Roles and Default Roles for Configuration Service Providers.

The following table shows the default security settings for the IPSecVPN Configuration Service Provider. The default security role maps to each subnode unless specific permission is granted to the subnode.

  Permissions    Roles allowed to query and update setting
  Read/write     Manager

To help protect devices, make sure to read the Security Considerations below.

[Image: the Configuration Service Provider in tree format as used by OMA Client Provisioning (not reproduced in this text version)]

[Image: the Configuration Service Provider in tree format as used by OMA DM Provisioning (not reproduced in this text version)]

Parameters

  • IPSecVPN
    The root node of the IPSecVPN object. The default security role maps to each subnode unless specific permission is granted to the subnode.

    Data type: Node
    Roles allowed to query setting: Manager
    Access Type: Get
    Occurs: One
    Scope: Permanent

  • IPSecVPN/MOST
    The MOST subnode of the IPSecVPN root node. This characteristic holds the MOST rules. Using the metabase and the mobile operator certificate on the device, Windows Mobile ensures that only the mobile operator can gain access to the MOST node.

    Data type: Node
    Roles allowed to query setting: Operator
    Access Type: Get
    Occurs: One
    Scope: Permanent

  • IPSecVPN/MOST/Service<#>
    A service to be allowed under MOST.

    Data type: Node
    Roles allowed to query setting: Operator
    Access Type: Get/Add/Replace/Delete
    Occurs: Zero or more
    Scope: Dynamic

  • IPSecVPN/MOST/Service<#>/URL<#>
    The hostname or IP address associated with the corresponding mobile operator service.

    Data type: chr
    Roles allowed to query setting: Operator
    Access Type: Get/Add/Replace/Delete
    Occurs: Zero or more
    Scope: Dynamic

Remarks

Mobile operator services are identified by the servers that provide them, and each server is identified either by its hostname or its IP address. The VPN architecture ensures transparent passage of traffic to and from these hostnames and IP addresses.

In the IPSecVPN MOST Configuration Service Provider, the MOST characteristic is used for the MOST rules.

A service is identified by using the SERVICE<#> characteristic. For example, SERVICE1. For each service, URL<#> tags specify the IP addresses and hostnames associated with the service.

The corresponding value attribute will be a hostname or IP address. The maximum number of URLs for all services together is 100.
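The following is an added example, not Microsoft's code or anything from the SDK: it builds a MOST rule set as an OMA Client Provisioning document and checks it against the constraints described above before emitting it. The characteristic/parm layout (IPSecVPN > MOST > SERVICE<#> > URL<#>, with the hostname or IP address in the value attribute) is inferred from this page; the hostname syntax check and the sample hostnames and addresses are constructed for illustration.

```python
"""Build and validate an IPSecVPN MOST rule set as OMA Client Provisioning XML.

Added example, not Microsoft's code. The characteristic/parm layout
(IPSecVPN > MOST > SERVICE<#> > URL<#> with a value attribute) follows the
structure described on this page; sample values are constructed.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

MAX_URLS_TOTAL = 100  # limit stated on the page for all services together

# RFC 1123 style hostname: labels of letters, digits and hyphens,
# no leading or trailing hyphen, at most 63 characters per label.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def is_ip_address(value: str) -> bool:
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_hostname(value: str) -> bool:
    """True for a syntactically valid hostname (assumed RFC 1123 rules)."""
    return len(value) <= 253 and _HOSTNAME_RE.match(value) is not None


def validate_most_rules(services: dict) -> int:
    """Check a {SERVICE<#>: [url, ...]} mapping against the page's constraints.

    Returns the total number of URLs; raises ValueError on any violation.
    """
    total = sum(len(urls) for urls in services.values())
    if total > MAX_URLS_TOTAL:
        raise ValueError(f"{total} URLs exceed the limit of {MAX_URLS_TOTAL}")
    for name, urls in services.items():
        if not re.fullmatch(r"SERVICE\d+", name):
            raise ValueError(f"service characteristic must be SERVICE<#>, got {name!r}")
        for url in urls:
            if not (is_ip_address(url) or is_hostname(url)):
                raise ValueError(f"{url!r} is neither a hostname nor an IP address")
    return total


def build_most_provisioning_xml(services: dict) -> str:
    """Emit the wap-provisioningdoc for the given MOST rules after validating them."""
    validate_most_rules(services)
    doc = ET.Element("wap-provisioningdoc")
    ipsec = ET.SubElement(doc, "characteristic", type="IPSecVPN")
    most = ET.SubElement(ipsec, "characteristic", type="MOST")
    for name, urls in services.items():
        svc = ET.SubElement(most, "characteristic", type=name)
        # URL<#> tags are numbered per service, starting at 1.
        for i, url in enumerate(urls, start=1):
            ET.SubElement(svc, "parm", name=f"URL{i}", value=url)
    return ET.tostring(doc, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample rule set: two operator services, three endpoints.
    sample = {
        "SERVICE1": ["mms.example.net", "10.0.0.5"],
        "SERVICE2": ["portal.example.net"],
    }
    print(build_most_provisioning_xml(sample))
```

The validator rejects a rule set before anything is provisioned, so a malformed or oversized update is caught at the management server rather than on the device; the XML it emits is what would be carried in the OMA Client Provisioning message to the IPSecVPN MOST Configuration Service Provider.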

Security Considerations

To allow only the OEM and mobile operator to configure MOST settings, you should do the following:

  • If you will manage the MOST settings over OMA Client Provisioning, make sure that you preconfigure the OMA Client Provisioning Server on the device. For information about how to do this, see Bootstrapping To Use an OMA Client Provisioning Server.
  • If you will manage MOST settings over OMA DM, make sure that you preconfigure the ROLE parameter in the OMA DM account bootstrap message that is handled by the DMS Configuration Service Provider. Configure the ROLE parameter to a value of 152 (SECROLE_TPS + SECROLE_MANAGER + SECROLE_USER_AUTH).
  • If you will manage the MOST settings over both OMA Client Provisioning and OMA DM, then both of the preceding points apply.

See Also

Tasks

IPSecVPN MOST Configuration Service Provider Examples for OMA Client Provisioning
IPSecVPN MOST Configuration Service Provider Example for OMA DM

Concepts

Creating a Metanetwork
IPSecVPN MOST DDF File
Configuration Service Provider Reference for Windows Mobile Devices