Using a VPN with a Wi-Fi enabled BlackBerry device

If your organization’s environment includes VPNs, such as IPSec VPNs, you can configure a Wi-Fi® enabled BlackBerry® device to authenticate with the VPN so that it can access an enterprise Wi-Fi network. A VPN provides an encrypted tunnel between a BlackBerry device and your organization’s network. A VPN is the only layer 3 security method that the BlackBerry device supports.

A VPN solution consists of a VPN client on the BlackBerry device and a VPN concentrator. The BlackBerry device can use the VPN client to authenticate with a VPN concentrator, which acts as the gateway to the enterprise Wi-Fi network. Each BlackBerry device includes a built-in VPN client that supports several VPN concentrators. The VPN client on the BlackBerry device is designed to use strong encryption to authenticate itself with the VPN concentrator. It creates an encrypted tunnel between the BlackBerry device and VPN concentrator that the BlackBerry device and enterprise Wi-Fi network can use to communicate.

After you configure a VPN, the BlackBerry device can use a layer 2 security method to connect to the enterprise Wi-Fi network, and use the VPN to provide authentication with the enterprise Wi-Fi network. In this scenario, you can configure the enterprise Wi-Fi network as an untrusted network, and specify that only a VPN concentrator can connect to the enterprise Wi-Fi network.

Unlike other supported security methods for enterprise Wi-Fi networks, a VPN does not use the wireless access point during data encryption.

For a list of supported VPN concentrators, visit www.blackberry.com/support to read article KB13354.

Permitting a Wi-Fi enabled BlackBerry device to log in to a VPN concentrator

To permit a Wi-Fi® enabled BlackBerry® device to log in to a VPN concentrator automatically after it connects to an enterprise Wi-Fi network, you or a user can configure a VPN profile that includes a user name and password for authentication with the VPN concentrator. Depending on your organization’s security policy, you or the user can save the user name and password for authentication with the VPN concentrator on the BlackBerry device. When you or the user saves the user name and password, the BlackBerry device does not prompt the user for the user name and password the first time or each time that the BlackBerry device connects to the enterprise Wi-Fi network.

The BlackBerry device is also compatible with VPN environments that use two-factor authentication using hardware tokens or software tokens for credentials. When the BlackBerry device tries to log in to the VPN, the BlackBerry device uses credentials that the token generates or that the user provides.

For more information about configuring VPN profiles, see the BlackBerry Enterprise Server Administration Guide.

Using a segmented network to reduce the spread of malware on an enterprise Wi-Fi network that uses a VPN

When a Wi-Fi® enabled BlackBerry® device connects to an enterprise Wi-Fi network that uses a VPN, the BlackBerry device might permit the VPN concentrator to send data directly to a BlackBerry® Enterprise Server over your organization's network. The VPN concentrator sends data over port 4101. In this scenario, only the VPN concentrator connects to the enterprise Wi-Fi network.

To configure your organization’s VPN concentrator to prevent it from opening unnecessary connections to your organization’s network, you can configure a segmented network. In a segmented network, you can divide components of your organization’s network using firewalls to reduce the spread of malware.

For more information about reducing the spread of malware, see Protecting the BlackBerry device platform against malware.
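One way to check that a segmented network holds is to audit firewall flow records for connections that the VPN concentrator opens to anything other than the BlackBerry Enterprise Server on port 4101. The following is an added example, not BlackBerry code; the addresses (documentation ranges), the four-field record format, and the function names are assumptions made for illustration.

```python
import ipaddress

# Placeholder addresses from documentation ranges (assumptions, not from the page).
VPN_CONCENTRATOR = ipaddress.ip_address("192.0.2.10")
BES_HOSTS = {ipaddress.ip_address("198.51.100.20")}
BES_PORT = 4101  # port the concentrator uses to reach the BlackBerry Enterprise Server

# Constructed sample flow records in an assumed format: "src dst dport action".
SAMPLE_FLOWS = """\
192.0.2.10 198.51.100.20 4101 ALLOW
192.0.2.10 198.51.100.20 445 ALLOW
192.0.2.10 198.51.100.77 4101 ALLOW
192.0.2.10 198.51.100.30 3389 DENY
203.0.113.5 198.51.100.20 4101 ALLOW
bad line
"""

def parse_flow(line):
    """Return (src, dst, dport, action), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        src = ipaddress.ip_address(parts[0])
        dst = ipaddress.ip_address(parts[1])
        dport = int(parts[2])
    except ValueError:
        return None
    return src, dst, dport, parts[3].upper()

def audit(flow_text):
    """List (line_number, reason) for records that break the segmentation policy."""
    findings = []
    for n, line in enumerate(flow_text.splitlines(), 1):
        flow = parse_flow(line)
        if flow is None:
            # Surface unparsed records instead of silently dropping them.
            findings.append((n, "unparsed record"))
            continue
        src, dst, dport, action = flow
        # Only permitted flows that originate at the concentrator are in scope.
        if src != VPN_CONCENTRATOR or action != "ALLOW":
            continue
        if dst not in BES_HOSTS or dport != BES_PORT:
            findings.append((n, f"concentrator allowed to reach {dst}:{dport}"))
    return findings

if __name__ == "__main__":
    for line_no, reason in audit(SAMPLE_FLOWS):
        print(f"line {line_no}: {reason}")
```

Each finding corresponds to a firewall rule between segments that is wider than the single concentrator-to-server path described above.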
