Use a VPN proxy and certificate configuration in Apple devices

Proxy setup

• Configure a single proxy for all connections: Use the manual setting and provide the address, port, and authentication if necessary.

• Provide the device with an auto proxy configuration file using either the PAC file format or the Web Proxy Auto-Discovery (WPAD) Protocol method: Use the auto setting. For PAC over HTTPS, specify the URL of the PAC over HTTPS or JavaScript file. For WPAD, iOS, iPadOS, and macOS, ask DHCP and DNS for the appropriate settings.

The VPN proxy configuration is used when the VPN is providing the following:

• The default resolver and the default route: The VPN proxy is used for all web requests on the system.

• A split tunnel: Only connections to hosts that match the VPN’s DNS search domains use the VPN proxy.

Certificate setup

When you set up and install certificates:

• The server identity certificate must contain the server’s DNS name or IP address in the SubjectAltName field. The device uses this information to verify that the certificate belongs to the server. For more flexibility, you can specify the SubjectAltName using wildcard characters for per-segment matching, such as vpn.*.mycompany.com. If no SubjectAltName is specified, you can put the DNS name in the CommonName field.

• The certificate of the certification authority (CA) that signed the server’s certificate needs to be installed on the device. If it isn’t a root certificate, install the rest of the trust chain so that the certificate is trusted. If you use client certificates, make sure the trusted CA certificate that signed the client’s certificate is installed on the VPN server. When using certificate-based authentication, make sure the server is set up to identify the user’s group, based on fields in the client certificate.

  Important: The certificates and CAs must be valid (for example, trusted, and not expired). Sending the entire certificate trust chain by the server isn’t supported.