Mobile VPN FAQ

2. What types of bearer networks does Columbitech Mobile VPN™ support?

Columbitech Mobile VPNTM should in principle work over any IP-network. The following types of connections have been explicitly tested: WiFi, GPRS, 3G, 4G (LTE), CDPD, PHS, Ethernet and modem Dial-Up.

3. What protocols are supported by Columbitech Mobile VPN™?

All protocols running on top of TCP, UDP and ICMP.

4. Does Columbitech Mobile VPN™ support multicast?

Yes. IGMP based multicast is supported.

6. Can Columbitech Mobile VPN™ servers run in a virtualization environment?

Absolutely, the servers have been tested on Hyper-V, VMware, and Xen.

7. Can I host other applications on the VPN Server computer?

No, we do not recommend running any other applications on the VPN Server computer (or Virtual Machine instance).

8. How is the Columbitech Mobile VPN licensed?

The license fee is based on the total number of users and the total number of Mobile VPN Servers. After installing the Mobile VPN Server, you have 30 days to receive your license as described here. During these 30 days the Mobile VPN Server is running with a fully functional 10 user evaluation license. To receive your license, you need to give the serial number of your Mobile VPN Server to your reseller, which in turn will give you your license. The license is unique for your installation.

9. What client authentication mechanisms are supported by Columbitech Mobile VPN™?

Columbitech Mobile VPN offers a complete range of authentication methods that satisfy the most security sensitive enterprise customers. We support Windows Domain username/password, client certificates (WTLS and X.509), RADIUS and RSA SecurID.

1. What client platforms are supported by Columbitech Mobile VPN™?

All client versions of Windows from Windows XP to Windows 10 (32- and 64-bit), all versions of Windows Mobile, Windows Phone 8, Embedded Systems, iOS and Android.

10. What server authentication mechanisms are supported by Columbitech Mobile VPN™?

WTLS and X.509 certificates.

11. Can you use a third party Certificate Authority to manage certificates?

Yes. Columbitech Mobile VPN support X.509 and WTLS certificates. When using certificates from other Certificate Authorities, like Microsoft Certificate Services or Verisign, make sure the private keys are saved in the PKCS#12 format (.p12 or .pfx).

12. What encryption does Columbitech Mobile VPN™ use?

Columbitech Mobile VPN uses AES (up to 256 bits) for symmetric encryption and RSA (up to 15000 bits) for key exchange.

13. What key exchange mechanism is used in Columbitech Mobile VPN™?

The RSA algorithm is used for key exchange.

14. How many users can Columbitech Mobile VPN™ handle simultaneously?

This depends mainly on the required bandwidth for connecting clients. In moderns servers with modern CPUs, you should basically be able to see the same throughput for a client with a VPN connection as without. If there are many clients connecting to the same server, those will be sharing the total output of the server, just like they would in a non-VPN setup.

15. How many users can log on to Columbitech Mobile VPN™ simultaneously?

A single Mobile VPN Server can handle between 10 to 30 certificate authentications per second. When not using client certificates this number is much higher.

16. How does seamless roaming work?

The roaming feature of Columbitech Mobile VPN solution is based on the session resume functionality in WTLS. Using WTLS session resume means that the communication bearer, for example the WiFi connection, can fail for different reasons without this having any serious effect on the actual user situation. At the beginning of a wireless work session, the VPN Client establishes a connection to Columbitech Mobile VPN Server, using the best possible connection available. As soon as a connection is established, the user can use any application in a normal way. The applications cannot detect the existence of the Columbitech Mobile VPN, they only see one usable connection; the Columbitech virtual network interface card (NIC). When a bearer fails (for instance the user might have moved out of WiFi coverage), the Columbitech Mobile VPN client automatically switches over to another available bearer, without interrupting the session. Behind the scenes, the Columbitech virtual network card (NIC) simulates having a connection while the client finds a new network, establishes a new TCP connection, makes a session resume and finally something we call transaction recovery. This last step is basically synchronization of the data flow, enabling for example a file transfer to continue. This is why the applications continue to work. During the switch to another bearer, there will be a short delay. The application however, will just think of that delay as a period of lower-than-usual data rate, and will therefore not complain.

17. How does Columbitech Mobile VPN™ handle bandwidth changes when roaming?

Through the use of split TCP connections. Each client application has a TCP connection to the VPN client and each corresponding server application has a TCP connection to the Mobile VPN Server. These connections are then multiplexed over a single TCP connection between the Mobile VPN Server and the Mobile VPN client, which is
transparent to the servers and to the client applications. Every time the client loses and regains network coverage or roams to another network, the single intermediate connection is dropped and a new one established, without breaking the application-to-application session.

18. How does Columbitech Mobile VPN™ manage flow control?

Columbitech Mobile VPNTM uses the TCP receive buffer for flow control. When the buffer is full, the flow of data from applications will cease, without any unnecessary retransmissions or control messages. This also allows the flow of data to be explicitly restarted after network suspension (failure or roaming), without relying on retransmission timers.

19. The mVPN client session resumes when network coverage is restored. What is exchanged to allow the resume? What risk is implicit if client device is lost/stolen?

Both the server and client do have a shared session secret, which is exchanged in the short handshake resuming the session. The risk, when a device is stolen without anyone’s notice, is that you do have an open session that has not timed out, and the thief can continue using the tunnel. This risk is always there with any VPN, since this is not a session resume functionality. The difference as compared to session resume is that the
session is open even if you don’t have network coverage, i.e. someone steals your device which is physically not connected but virtually (in session resume mode). However, normally you would disconnect if you leave your device, or let it hibernate or something else requiring you to enter a password. It is decided by the system administrator how long the session time out will be. 180 minutes is the default.

20. Why does Columbitech Mobile VPN™ use WTLS instead of TLS for security?

WTLS is a version of TLS that has been optimized for the wireless environment. There are some concrete advantages of using WTLS:

  • WTLS has optimized the handshake procedure compared to TLS.
  • WTLS uses shorter shared secrets that are changed more often compared to TLS. The shorter secrets give computational advantages on thin clients and security is maintained by changing them more often.
  • WTLS supports datagrams, TLS does not. The use of datagrams gives advantages when communicating over a packet switching network.
  • WTLS leaves the fragmentation of data to the transport layer.
  • WTLS has an additional error message type that is relevant when the connection is wireless.
21. Does Columbitech Mobile VPN™ have any problems with NAT (Network Address Translation)?

By using layer 5 (session layer) security mechanisms instead of layer 3 (network layer), it is possible to avoid the problem altogether. IP and TCP headers are unaffected by Columbitech Mobile VPN™.

22. Does Columbitech Mobile VPN™ support packet authentication?

IP and TCP/UDP headers are unaffected. The payload is WTLS-encrypted, with HMAC included.

5. What server platforms are supported by Columbitech Mobile VPN™?

All server versions of Windows from Windows Server 2003 to 2016 and basically all Linux distributions.