After many hours of dorking around on various Web sites, bulletin boards and newsgroups, I finally got my head around the methodologies of Windows Mobile-based VPN. Actually, it turns out to be a fairly well-designed if somewhat esoteric system. I thought I might elaborate on the steps I took to reach my objective, in the hopes of perhaps being of aid to some other befuddled schmuck trawling the Googleverse for answers someday.
To recap: I needed to be able to connect to my home VPN server in order to effectively work with email on my new WM-based smartphone. This is one area where the Blackberry seems to be superior to Windows Mobile-based phones: RIM uses a push system that seamlessly interfaces with a number of mail systems, even (shudder) AOL, an ISP whose efforts to restrict their customers’ outside access to their own email is legendary. Getting a Windows Mobile phone to integrate with even an Exchange server can be a bit of a bugaboo if you’re trying to do it from outside the server’s network cluster.
Both my ISP and my work mail servers are POP3 (no IMAP), and both are really sticky about allowing outgoing email messages to be relayed through themselves from outside their home area….a good and cautious policy, to be sure, and one I wholeheartedly support. Mail servers that will accept outgoing mail traffic from any source are a huge problem, as they can serve as an open mail relay for those who are interested in moving massive amounts of email with relative anonymity, namely spammers and distributors of trojans and other malware.
On the other hand, this situation meant that, while I could receive my email via my phone, I could not send mail from it, because the POP3 servers would see my outgoing mail being relayed from the Verizon Wireless data network and promptly spank my connection, saying “Uh uh, not yours.” My sent mail would be bounced back to me with a “550” error.
On the other hand, my home network, which uses a fixed IP address, is on the whitelist for both my work mail server and–naturally–my ISP’s mail server. And since I already have a VPN server configured so I can occasionally check in to see how things are going on the LAN from abroad–and to provide a secure tunnel for my network activities when acessing public WiFi hotspots–I could use said VPN as a conduit through which to send my email. That way, when I send out an email from my phone, the message would first pass through my home network. The mail servers would see the outgoing mail as having come from my home, and allow the messages to pass through unmolested. Ingenious!
Only problem was, I could not for the life of me figure out how to get the dogmad muckerfuthing VPN configured on my phone in the first place. Adding and configuring the basic information–VPN type, IP address, authentication method, etc.–was fairly straightforward. All that stuff takes place in Settings\Connections, and there’s a mini-wizard (tiny guy in a robe with a pointy wide-brimmed hat and a long–for him–beard) to take you through the steps. No problem. You can then connect to the VPN server via Verizon’s broadband network or via other connections (my phone has WiFi as well as CDMA/EVDO, for instance). Verizon is nice enough to allow all forms of VPN traffic over their network; IPSec, PPTP, SSL (provided that the software is available for Windows Mobile; ActiveX- or Java-based tunnel adapters need not apply), unlike some carriers. At least, that is the scuttlebutt I kept reading in the various forums I trawled whilst searching for help.
But after successfully configuring and establishing the VPN connection, any attempt to actually use the damn thing netted me a big old steaming platter of bupkis. Either the VPN connection would be broken immediately upon attempting to check my mail (leaving me back at square one), or else the connection would maintain but I would lose the ability to get anywhere on the Net, including my mail servers (leaving me at square negative one). One or another of these scenarios happened again and again, irrespective of the settings I changed, the network I used or the number of albino two-headed goats I bled out over the phone’s touch screen (got that tip from the built-in Help system).
Through a combination of persistence, Web crawling and slamming my forehead into the laminate of my desk (felt like it helped, anyway), I finally figured it out.
Windows Mobile breaks your network connections into two major sections: “My ISP” and “My Work Network”. Everything under the “My ISP” heading is presumed to be a method by which your device will connect directly to the Internet; in my case, via Verizon’s data network, though you could add other forms of connection here as well; say, a Bluetooth modem or something. Everything under the “My Work Network” heading is designed to connect you to some other network (“Work”, presumably). VPN connections are configured and maintained under this section. The complication lies in the fact that Windows Mobile wants to keep these different connection schemes separate from each other, unless you intentionally and with forethought cross the streams.
First, you need to add your mail servers to the “Exceptions” list, found under the Advanced tab of Settings\Connections\Connections (yes, there’s a “Connections” item under the Connections tab of the Settings panel; don’t ask me why they couldn’t call it something else). Exceptions are URLs or IP addresses (or IP address ranges, such as 192.168.1.*) that Windows Mobile should not use your main Internet access connection to connect to. In my case, I added my entire home LAN address range, my work LAN address range, and the URLs of my two mail servers to the Exceptions list. If you don’t do this, then every time you try to access any of these sites or address ranges, Windows Mobile will break any other connections you may have established (say, for instance, your frigging VPN connection) in order to connect to those locations via your standard Internet connection. The exact opposite of what would actually work.
Then, you need to make some changes to the basic Accounts setup of Messaging, Windows Mobile’s built-in email/SMS program. By default, one would expect to set up one’s mail accounts to access “The Internet”, which is one of two connection types listed in the “Options” section of the Server Settings page of page 4 of Email Setup for each mail account you create. However, if you change the connection from “The Internet” to “Work”, then every time Messaging signs on to send of receive mail, it will “dial” the VPN connection you configured in Settings\Connections\Connections.
The upshot of all this is that my phone now connects to my home VPN server automatically every time I send or receive mail, and automatically breaks the VPN connection whenever I attempt to access any network resource not added to my Exceptions list. Receiving my mail via my VPN connection is considerably slower than doing it over Verizon’s network alone, but I have my phone set to check my mail every fifteen minutes automatically, so I’m not likely to notice the lag under most circumstances. And slow or not, sending mail is a hell of a lot faster over VPN than it is when every outgoing message is rejected by the server.
I sure hope that this humble missive turns out to be of help to someone else out there in Internetland, because I probably just bored three or four of my regular readers to death. Sorry ’bout that; I’ll send flowers. 😉