SureAccess
SureAccess is a secure VPN solution that ensures seamless and controlled connectivity to internal resources for Windows, macOS/iOS, and Android devices. By enforcing organization-defined access policies, SureAccess provides a robust mechanism to secure network traffic while allowing flexibility for IT administrators to configure access based on device type and enterprise needs.
Deployment Options: Choosing Between FE-only and FE + BE Configurations
SureAccess provides flexible VPN deployment options to suit varying enterprise network requirements. Depending on your infrastructure and access control needs, you can choose between:
- FE-only configuration
- FE + BE configuration
The Front-End (FE) server is a required component in all SureAccess deployments. The Back-End (BE) server is optional and should be used only when internal/private resource access is needed.
FE-only Configuration
In an FE-only setup, device traffic is routed through the SureAccess cloud-based Front-End (FE) server. This option requires no additional server setup by the customer.
Recommended for:
- Organizations without internal or on-premise resources.
- Quick deployments with minimal infrastructure overhead.
- Secure access to internet-facing or cloud-based services.
FE + BE Configuration
In this model, the FE server continues to act as the initial access point. However, traffic destined for internal enterprise resources is further routed to a customer-hosted Back-End (BE) server.
Recommended for:
- Enterprises that require access to internal systems, such as file servers, intranet apps, or databases.
- Organizations with specific compliance, auditing, or data residency requirements.
- IT teams that need greater control over traffic flow and routing.
Follow the steps below for detailed instructions on setting up and configuring SureAccess to enable VPN functionality within your organization:
“SureAccess” requires an add-on license subscription and is available for Premium and Enterprise tiers. Contact our sales team at sales@42gears.com for licensing inquiries or trial licenses.
- For FE-only Configuration, skip Step 2 and a few specified points in Step 1.
- For FE + BE Configuration, all the steps apply.
Step 1: Enable and Configure SureAccess Settings
Navigate to Settings > Account Settings > Enterprise Integrations > SureAccess.
Under the SureAccess Configuration tab, check Enable SureAccess to activate the VPN functionality.
Enter the following Configuration Details:
Internal DNS Server: Enter the address of the internal DNS server. Multiple values can be entered. [ For FE + BE configuration only ]
Tunnelled FQDN List: Enter the Fully Qualified Domain Names (FQDNs) allowed to access the VPN.
Tunnelled CIDR List: Specify the Classless Inter-Domain Routing (CIDR) ranges allowed to access the VPN.
Under Advanced Settings, configure the following optional settings to specify the Fully Qualified Domain Names (FQDNs) and the DNS server that should resolve them locally, without relying on the FE or the internet.
Local FQDN List: Specify the Fully Qualified Domain Names (FQDNs) that should be resolved using the local DNS server.
Local DNS Server: Enter the IP address of the DNS server to be used for resolving FQDNs listed in the Local FQDN List.
Under SureAccess Authentication, select the authentication type for SureAccess on the device.
Note: 'Enable Authentication' from Profile Configuration should be enabled to enforce authentication.
SureAccess Authentication Type: Select from the following authentication types:
No Authentication: When selected, SureAccess will not be authenticated.
Require Password: Select this option to require users to enter a password to authenticate SureAccess.
- Enter Password: Specify the password to be entered on the device to authenticate.
OAuth Authentication: Select this option for Active Directory authentication for enterprises with an Active Directory domain account.
Auth Endpoint & Token Endpoint: Enter the Auth Endpoint and Token Endpoint.
Client ID: Click Generate to get the Client ID.
Note: Client ID has to be generated only for the ADFS server. For Azure AD, G Suite, and others, there are pre-generated Client IDs.
Client Secret (EMM Only): Copy the Client Secret from the server machine.
SureIdP: Select this option for SureAccess to be authenticated by SureIdP. If SureIdP is not configured, configure it by following these instructions.
- Click Save to apply these settings. After a few minutes, the Status column in the Node Details tab will update to Running, indicating that the Front-End (FE) nodes have started successfully.
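A pre-flight review of the Step 1 list values before they are typed into the console, as an added example (not 42Gears code; it does not contact the SureMDM console or any SureMDM API). The function name, the severity labels, and the choice to flag a name that appears in both FQDN lists are assumptions, and the sample values are constructed.

```python
import ipaddress
import re

# Hostname labels per RFC 1123: at least two labels and an alphabetic TLD.
FQDN_RE = re.compile(r"^(?=.{1,253}$)((?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$")

def review_lists(tunnelled_cidrs, tunnelled_fqdns, local_fqdns, local_dns):
    """Return (severity, message) findings for values planned for Step 1."""
    findings, nets = [], []
    for raw in tunnelled_cidrs:
        try:
            net = ipaddress.ip_network(raw.strip())  # strict: host bits must be zero
        except ValueError as exc:
            findings.append(("error", f"Tunnelled CIDR {raw!r}: {exc}"))
            continue
        if net.prefixlen == 0:
            findings.append(("warn", f"Tunnelled CIDR {net} covers every address"))
            continue
        for seen in nets:
            if seen.version == net.version and seen.overlaps(net):
                findings.append(("warn", f"Tunnelled CIDR {net} overlaps {seen}"))
        nets.append(net)

    def norm(name):
        return name.strip().rstrip(".").lower()

    for label, names in (("Tunnelled", tunnelled_fqdns), ("Local", local_fqdns)):
        for name in names:
            if not FQDN_RE.match(norm(name)):
                findings.append(("error", f"{label} FQDN {name!r} is not a valid FQDN"))
    both = {norm(n) for n in tunnelled_fqdns} & {norm(n) for n in local_fqdns}
    for name in sorted(both):
        findings.append(("warn", f"{name} is in both the Tunnelled and Local FQDN lists"))

    dns = local_dns.strip()
    if local_fqdns and not dns:
        findings.append(("error", "Local FQDN List is set but Local DNS Server is empty"))
    elif dns:
        try:
            ipaddress.ip_address(dns)
        except ValueError:
            findings.append(("error", f"Local DNS Server {dns!r} is not an IP address"))
    return findings

# Constructed sample values, not taken from any real deployment.
SAMPLE = review_lists(
    ["10.20.0.0/16", "10.20.30.0/24", "192.168.1.10/24", "0.0.0.0/0"],
    ["intranet.corp.example", "files.corp.example", "bad_host"],
    ["Files.corp.example.", "printer.branch.example"], "dns.local")
```

Running the sample reports three errors (host bits set in a CIDR, an invalid FQDN, a non-IP Local DNS Server) and three warnings (an overlapping range, a catch-all range, and a name present in both FQDN lists).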
Step 2: Configure the SureAccess Gateway
Many organizations host critical resources, applications, or databases within their on-premises infrastructure. By utilizing a back-end server in a VPN setup, users can establish a secure connection to access these resources through a VPN tunnel.
- Access Node Details:
- Go to the Node Details tab to proceed with the gateway setup.
- Download and Install the SureAccess Gateway:
- Click SureAccess Gateway Setup, and in the pop-up that appears, click Download to download the SureAccess Gateway Setup Package.
- Install the downloaded file on the BE server (a Linux server machine) using the Enrollment PSK generated from the SureAccess Gateway Setup download pop-up.
- Set up for the BE Node
- Log in to your Linux machine as an administrator
- Run the SureAccess Gateway installer from the path where the file installer.tar.gz is placed.
Follow the on-screen instructions to complete the installation process:
- Enter your SureMDM URL, and press Enter.
- Enter your SureMDM Account ID, and press Enter.
- Copy the secret key of Enrollment PSK from the SureAccess tab, paste it on the Linux machine, and then press Enter.
- Enter a BE Node ID to register against an existing node. If you prefer not to specify a node ID at this point, leave it blank. The system will automatically select the one in the Not Started state.
- In the Enter the Type of Server prompt, enter BE.
- Enter the Replica Count as 1 or a number of your choice.
- A BE Node will be created.
- Enter the Network Mask and press Enter.
- Go back to the SureMDM Console’s Node Details tab and click on Refresh.
- You should see the BE Node in the Running state.
Your SureAccess Setup is now complete.
Node Details tab
- Use the table under the Node Details section to see information about the Node, like Node ID, Type, Status of the node, Node Description, Last Connected, Public IP, NAT IP, Network Mask, Data Sent & Received and Active Endpoints.
- Use the ‘Add’ button to add nodes. A total of 5 BE Gateways can be added.
- Use ‘Delete’, ‘Refresh’ and ‘Sync Devices’ to delete, refresh or sync devices to FE.
- Use Start/Stop the Gateway Node to start or stop the SureAccess gateway.
Step 3: Configure and Apply SureAccess Profile to Devices
This feature is supported on Android devices with SureMDM Agent version >= 27.35.35 and Windows devices with SureMDM Agent version >= 5.26.0.
Configuration Steps
- Navigate to the Profiles tab in the SureMDM Console.
- Select the required device platform.
| Platform | Navigation Path and Documentation Link |
|---|---|
| Android | Click New Profile > Google Play EMM API/AMAPI > Primary Profile. Configure the VPN settings in the VPN Policy. Android SureAccess Policy |
| Windows | Click New Profile. Configure the VPN settings in the SureAccess VPN Policy. Windows SureAccess Policy |
| macOS | Click New Profile > Device Enrollment. Configure the VPN settings in the SureAccess VPN Policy. macOS SureAccess Policy |
| iOS | Click New Profile. Configure the VPN settings in the SureAccess VPN Policy. iOS SureAccess Policy |
Viewing SureAccess Device Status
- The 'Device List' tab within the SureAccess section of the SureMDM console provides a real-time overview of all enrolled devices utilizing the SureAccess VPN policy.
- Accessing the Device List: Once the SureAccess Policy has been successfully configured and applied on the SureMDM Console and received by the enrolled devices, the Device List tab will populate with detailed device data.
- Device List Table Information: The table in the Device List tab offers comprehensive information regarding the status and usage of the SureAccess VPN across your fleet.
Technical Prerequisites for Windows
Before deploying SureAccess to Windows endpoints, ensure the following hardware requirements are met to guarantee the SureAccess Agent UI loads and functions correctly.
Graphics Driver Requirement: SureAccess utilizes high-performance UI rendering that requires a dedicated manufacturer display driver.
Required: Official drivers from Intel, NVIDIA, or AMD.
Not Supported: The Microsoft Basic Display Adapter is not compatible. If this generic driver is in use, the SureAccess Agent may fail to launch.
How to verify and fix:
Open Device Manager > Display adapters.
If "Microsoft Basic Display Adapter" is listed, you must update the driver.
For Intel devices, download the Intel® Driver & Support Assistant (Intel® DSA) to automatically install the correct drivers.
For other manufacturers, visit the respective support sites directly.