The following illustration shows the critical elements and traffic flow from MDM Enrollment Server, through MDM client connectivity and LoB (Line of Business) application access. It is provided for your convenience, and is not as complete as the information presented in the remainder of the Firewalls section of this Integration Guide.

Purpose	Traffic Source	Destination	Default
Device Enrollment	Unmanaged device (native IP address)	Reverse Proxy which is publishing the MDM Enrollment Server. Host fulfilling this role should pass traffic onwards to the MDM Enrollment Server once it has been validated.	TCP 443

Traffic Source	Destination	Default
Device (native IP address)	External Interface of MDM Gateway Server	User Datagram Protocol (UDP) 500 (bi-directional) IKE
Device (native IP address)	External Interface of MDM Gateway Server	UDP 4500 (bi-directional) Tunnel
Device (native IP address)	External Interface of MDM Gateway Server	Protocol 50 IPsec (bi-directional)

Purpose	Traffic Source	Destination	Default
VPN services (NAT timeout detection)	Managed device (native IP address)	External Interface of MDM Gateway Server	UDP 8901 (bi-directional)

Purpose	Traffic Source	Destination	Default
External Web site access	Managed device (issued IP address)	Network Address Translation (NAT) or proxy server in the perimeter network	TCP 443, TCP 80

Purpose	Traffic Source	Destination	Default
Block traffic to Alerter service port for increased security	Internet	External Interface of MDM Gateway Server	UDP 5359

Traffic Source	Destination	Default
MDM Device Management Server	Internal Interface of MDM Gateway Server	TLS 443 configurable

Purpose	Traffic Source	Destination	Default
Line of business (LOB) applications that use SSL	Managed device (VPN pool address)	LOB application server	TCP 443
LOB applications (other)	Managed device (VPN pool address)	LOB application server	Defined by type of application
DNS	Managed device (VPN pool address)	Internal DNS	UDP 53
WINS	Managed device (VPN pool address)	Internal WINS, if applicable	UDP 137
WSUS – Unencrypted	MDM Device Management Server	Managed device (VPN pool address)	TCP 8530
WSUS – SSL	MDM Device Management Server	Managed device (VPN pool address)	TCP 8531
RDP (Optional)	Managed device (VPN pool address)	Target hosts on case-by-case basis	TCP 3389
Communicator Mobile Clients	Managed device (VPN pool address)	Office Communications Server 2007 Director, Enterprise pool or Standard Edition Server	TCP 5061 or TCP 443
File Shares	Managed device (VPN pool address)	Target File Servers on a case-by-case basis	TCP 445

Purpose	Traffic source	Destination	Default
Block traffic to Alerter service port for increased security	Internal Network	Device (VPN pool address)	UDP 5359

The following illustration shows how you can use ISA Server 2006 to publish the MDM Enrollment Server.

The detailed steps on how to configure ISA Server 2006 as a reverse proxy for the enrollment process are included in the “Guidance for Publishing MDM Enrollment Server on ISA Server 2006” section of this guide.

This section is not intended to repeat information which has been extensively documented in the ISA Server 2006 library. For more information on planning, deploying and managing ISA Server 2006 please refer to the documents referenced in the planning resources section at the end of this guide, with particular attention to the sections on defining and implementing ISA Server 2006 as a proxy.

Pre-requisites

The ISA Server 2006 must meet the following criteria:

• It must be installed and configured for outbound Internet access
  
• It must be dual homed
  
• Each interface must be located on a different IP subnet from within the perimeter network
  

Some customers may want to use ISA Server 2006 as the outbound proxy for MDM VPN clients. The following illustration shows an example of this scenario:

If the Managed devices are configured to use this proxy (see later in this section), or Source-based Routing is configured to use it as the default gateway for the VPN pool of IP addresses, then the following is true:

• If the route to the target host is known by using the local routing tables in MDM Gateway Server, then all non-HTTP or HTTPS traffic is routed through the internal firewall.
  
• If the proxy is defined, all HTTP and HTTPS traffic (including management traffic for enrolled devices) passes by way of the proxy. If it meets the policies as configured, it is granted authority to leave the company network and continue to its destination on the Internet. Any traffic that does not conform to policy is dropped, or access is denied. The user is notified of the reason for denial.
  
• Because the MDM management traffic uses TCP 8443 by default, a value that the administrator can configure, you must modify most proxies to permit the traffic to pass correctly. The following steps show how you can modify the proxy:
  
  • Make sure that the proxy can resolve the DNS name for MDM Device Management Server, and that this server can be accessed from the proxy.
    
  • Configure the proxy server to tunnel HTTPS packets on port 8443. To allow tunneling of port 8443 with ISA Server 2006 as the proxy, use the AddTPRange.vbs script as described in “Managing Tunnel Port Ranges” at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=113972
    

You do not need to include the ISA Server 2006 firewall client when planning this since all MDM devices function in clientless mode very satisfactorily.

For clients to be directed to use this outbound proxy in MDM, one of the first group policies to create and send to a newly enrolled device should contain this information. To do this, you would create a new GPO that contains the name of the outgoing proxy for the MDM client to use.

The following steps show how to do perform this process:

1. Start GPMC and select the OU against which the group policy is to be applied. The settings for the Internet proxy are located under Computer Configuration / Administrative Templates / Windows Mobile Settings / Mobile VPN Settings
   
2. Double-click Corporate Proxy for Internet Access as follows.
   
   
3. Enter the address and port of the Proxy Gateway as follows:
   
   
   Select Enabled then enter the address of the out-bound proxy. If the FQDN is used instead of the IP address then the format is the same: host:port. For example, proxy.contoso.com:8080.
   
4. Apply the GP before exiting. This new policy is automatically applied against all devices at the next scheduled connection.
   

To add the Mobile VPN IP subnet range to ISA server

1. In the ISA Server management console, expand the array name, and then click the Configuration node.
   
2. In the Networks node, double click the Internal network object in the Task Pane.
   
3. In the Addresses tab, click Add Range and then type the IP subnet for managed devices (such as 172.30.25.0).
   
4. Click OK twice.
   
5. Click Apply to save changes and update the configuration.
   

In this procedure, you will validate the Internet Explorer Mobile settings for Windows Mobile Standard edition so that mobile Web browsing will work correctly.

1. On an MDM managed Windows Mobile device, click Start, point to Internet Explorer, and then choose Menu.
   
2. Select Tools, then Options, and then Connections.
   
3. Check Automatically detect settings.
   

For Windows Mobile 6.1 Professional edition, there is no option to force a specific connection for Internet Explorer Mobile. The behavior is to always automatically detect the connection to use.

If you have not already done so, you must create an ISA Server access rule that permits Web traffic for clients from the internal to external network. For more information on ISA Server 2006 access rules, see “Publishing Concepts in ISA Server 2006” at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=105968.

1. From Internet Explorer Mobile, navigate to mobile.live.com
   The following screen will appear.
   
   

By default, a VPN client uses the same default gateway as the MDM Gateway Server unless directed otherwise. This may be impractical for some environments and consequently Source-based Routing has been implemented.

Source-based routing permits the MDM Gateway Server to make a routing decision based on the source address of the traffic. As an example, it handles traffic from itself in one fashion and directs VPN pool addresses differently. This gives the enterprise considerable flexibility and control.

The previous section showed how to use ISA Server 2006 as the out-going proxy for enforcing Corporate Policy on Web site access. To show how this is implemented in the context of MDM, this scenario uses the information from the Gateway Configuration screen which is managed from the Mobile Device Manager (MDM) Console.

For the purposes of this section, we will presume that the following has been defined on the MDM Gateway Server:

• The VPN pool has an IP Address range of 10.10.0.0. with a subnet mask of 255.255.0.0.
  
• VPN clients use a default gateway other than the one defined on the MDM Gateway Server. It uses ISA Server 2006 outbound proxy (192.168.99.3).
  

  Note:
  This is given as an example of implementing ISA Server 2006 as the outbound proxy. If your organization will use an existing proxy for this task, you should direct MDM clients to this proxy instead.

The following screen shows the IP address range to be assigned to VPN clients:

There are two options for Routing Configuration:

• Selecting the first option causes VPN clients to use the default gateway of the MDM Gateway Server. In this instance this is not desirable behavior.
  
• Selecting the second option separates VPN pool traffic from that of the MDM Gateway Server.
  

In this scenario, we selected the second option and entered the target IP address of the ISA Proxy, 192.168.99.3. Therefore, all traffic destined for known networks will be directed according to the routing tables possessed locally by the MDM Gateway Server, but will use the VPN pool range as the source address rather than internal or external IP addresses of the MDM Gateway Server. All other traffic will be directed to the ISA Proxy.

You can add a layer of defense by Implementing ISA Server 2006 as an Internal Firewall. Some enterprises may not have a perimeter network in which to place the MDM Gateway Server, and may instead have the MDM Gateway located in the same physical subnet as domain-joined servers. In this scenario, because the MDM Gateway Server is exposed to the Internet, it could be the target of attack. Although compromising this host would be difficult, you should not presume that it is impossible. We strongly recommend that you use a product such as ISA Server 2006 in this situation to add a layer of defense and provide additional protection to both the MDM Gateway Server and also all other internal resources.

The following illustration shows the MDM environment with an external firewall only.

Although the scenario of only an external firewall is supported, it is not recommended. A VPN client that terminates its session at the MDM Gateway Server could communicate in some fashion with every host on the internal network, not just the ones intended to be accessible as LoB hosts. This creates risk which may be unacceptable to some organizations. It also defeats the guiding principle as stated at the outset of this guide as most restrictive always being preferable and more secure.

To better protect your infrastructure, you may want to add an ISA Server to create a perimeter network to hold the dual-homed MDM Gateway Server. In this scenario, ISA Server 2006 acts as the internal firewall. The following illustration shows this scenario.

All guidance noted earlier in this document with regard to the Internal Firewall is applicable in this scenario.

Although it is easy to use ISA Server 2006 to configure a network-to-network relationship between the VPN pool of IP addresses and the internal subnet, this would go against the principle guidance of most restrictive being the preferred choice. Therefore, we highly recommend that you use filters to permit traffic between the VPN pool and the target LoB hosts and certification authority only on a case-by-case basis.

In previous examples, ISA Server 2006 has been shown functioning in the role of the reverse proxy that more securely publishes the MDM Enrollment Server, as an outbound proxy, and as an internal firewall.

We do not recommend, however, that one you implement one ISA server in more than one role at any one time. This is undesirable because it creates a single point of failure and a single point of attack.

Follow these steps to request, create, and install a certificate for ISA Server Enrollment Web Listener. You perform these procedures on the following:

• A computer that runs ISA Server on which the MDM Enrollment Server is published (steps 1 through 4, and steps 8 and 9)
  
• Any domain-joined server that has access to the certification authority (step 5)
  

To create a certificate request, create the certificate, and then install it

1. On the ISA Server, start Notepad. Type the following information:
   [NewRequest]
   Subject = “CN=EnrollmentServerFQDN”
   MachineKeySet = True
   KeySpec = 1
   In the Subject field, type the external FQDN for the MDM Enrollment Server the devices will access through the Internet. For example, mobileenroll.contoso.com.
   
2. On the File menu, choose Save As, in the File name box, type IsaEnCertReq.inf, and then save the file to the desktop.
   
3. Open a Command Prompt window, locate to the directory that has IsaEnCertReq.inf, and then type the following command:
   
   certreq –new IsaEnCertReq.inf IsaEnCertReq.txt

   This command creates the request file IsaEnCertReq.txt. It is created and stored in the same directory as IsaEnCertReq.inf.
   
4. Press ENTER.
   
5. On a domain-joined server that has access to the certification authority, do the following:
   
   1. Copy the IsaEnCertReq.txt file that you just created to a protected directory on the domain-joined server.
      
   2. Open a Command Prompt window, navigate to the directory where IsaEnCertReq.txt is located, and then type the following command:
      
      certreq –submit –attrib “CertificateTemplate:WebServer” IsaEnCertReq.txt IsaEnCert.cer

   3. Press ENTER.
      
   4. If a dialog box instructs you to choose a certification authority, choose your designated certification authority, and then choose OK. This creates the certificate for the ISA Server Enrollment Web Listener. Next, you must put the newly created .cer file on the computer that is running the ISA Server.
      
6. On the computer that is running the ISA Server, open a Command Prompt window, locate to the directory that has IsaEnCert.cer, and then type the following command:
   
   certreq –accept IsaEnCert.cer

   This command imports the new ISA Server Enrollment Web Listener certificate into the Personal Certificate Store.
   
7. Press ENTER and then close the Command Prompt window.
   

After you obtain the valid certificate for the ISA Server Web Listener, you must export the root certification authority certificate and any subordinate certification authority certificates.

These procedures assume that your root certification authority is offline and inaccessible from the company network. Perform the following procedures from a subordinate certification authority by using the Certification Authority snap-in, or from a desktop or server that has access to the Certification Authority console. During these procedures, make sure that do the following:

• Name each exported root or subordinate certificate appropriately so that you can easily find them later.
  
• Transfer certificates, including the gateway certificate, in a protected manner to MDM Gateway Server.
  
• Make sure that you can transfer text files and certificates on and off the MDM Gateway Server.
  

To export root certification authority certificate

1. Open the Certification Authority console from any domain-joined computer or server.
   
2. Right-click the name of the certification authority, and then choose Properties.
   
3. In the certification authority Certificates dialog box, choose the General tab, and then choose the certificate for the certification authority you want to access.
   
4. Choose View Certificate.
   
5. In the Certificate dialog box, choose the Certification Authority tab. Choose the name of the root certification authority and then choose View Certificate.
   
6. In the Certificate dialog box, choose the Details tab and then choose Copy to File.
   
7. The Certificate Export Wizard appears. Choose Next.
   
8. On the Export File Format page, choose DER encoded binary X.509(.CER), and then choose Next.
   
9. For File to Export, choose the path and name for the certificate, and then choose Next.
   
10. Choose Finish. The .cer file is created in the location that you specified in the previous step.
    
11. A dialog box appears to inform you that the export was successful. Choose OK.
    

To export subordinate certification authority certificates

1. Open the Certification Authority console from any domain-joined computer or server.
   
2. Right-click the name of the certification authority, and then choose Properties.
   
3. In the certification authority certificates dialog box, choose the General tab, and then choose the certificate for the certification authority you want to access.
   
4. Choose View Certificate.
   
5. In the Certificate dialog box, choose the Certification Authority tab. Choose the name of the subordinate certification authority and then choose View Certificate.
   

   Note:
   You must export the subordinate certification authority certificates. In the Certificate dialog box, if the View Certificate option for your subordinate certification authority is disabled, choose the Details tab and then go to the next step.

6. In the Certificate dialog box, choose the Details tab, and then choose Copy to File.
   
7. The Certificate Export Wizard appears. Choose Next.
   
8. On the Export File Format page, choose DER encoded binary X.509(.CER),.and then choose Next.
   
9. On the File to Export page, choose the path and name of the certificate, and then choose Next.
   
10. Choose Finish. The .cer file is created in the location that you specified in the previous step.
    
11. A dialog box appears to inform you that the export was successful. Choose OK to finish.
    
12. Repeat these steps for each subordinate certification authority that is listed on the Certification Authority tab (step 5).
    

On the server that is running the ISA Server, make sure that you import the root certification authority, and all intermediate certification authority certificates, to a protected location. From the protected location, you then import the certificates into the correct certificate stores.

The following shows an overview of this process:

1. You put the root certification authority certificate into the Trusted Root Authorities store on the computer that is running the ISA Server.
   
2. You put the intermediate certification authority certificates into the Intermediate Certification Authorities store.
   

You must follow these steps for each intermediate or subordinate certification authority certificate.

To import the root certification authority certificate

1. On the computer that is running ISA Server, open Microsoft Management Console (MMC) with the Certificates snap-in added.
   

   Note:
   When you create the snap-in for Certificates, make sure that you choose the Computer Account option and not the Service or User options.

2. Expand Trusted Root Certification Authorities, right-click Certificates, choose All Tasks, and then choose Import.
   
3. On the Welcome to the Certificate Import Wizard, choose Next.
   
4. On the File to Import page, choose Browse and locate the certification authority certificate that you recently imported, and then choose Next.
   
5. On the Certificate Store page, make sure that you select Place all certificates in the following store and that Trusted Root Certification Authorities is visible in the Certificate Store section. Choose Next.
   
6. Choose Finish to close the program.
   

To import the intermediate certification authority certificates

1. On the computer that is running ISA Server, open MMC with the Certificates snap-in added.
   

   Note:
   When you create the snap-in for Certificates, make sure that you choose the Computer Account option and not the Service or User options.

2. Expand Intermediate Certification Authorities, right-click Certificates, choose All Tasks, and then choose Import.
   
3. On the Welcome to the Certificate Import Wizard, choose Next.
   
4. On the File to Import page, choose Browse and locate the intermediate certification authority certificate that you recently imported, and then choose Next.
   
5. On the Certificate Store page, make sure that you select Place all certificates in the following store and that Intermediate Certification Authorities is visible in the Certificate Store section. Choose Next.
   
6. Choose Finish to close the program.
   

To create ISA server Web publishing rules

1. On your ISA Server computer, launch the ISA Server Management Console. To do this, choose Start, Programs, and then choose Microsoft ISA Server.
   
2. Expand the local computer name, right click the Firewall Policy Node, and then choose New, Web Site Publishing Rule.
   
3. The New Web Publishing Rule Wizard Appears. Type MDM Enrollment Web Publishing Rule in the Web Publishing Rule Name field and click Next.
   
4. In the Select Rule Action page verify that Allow is selected under Action to take when rule conditions are met. Click Next.
   
5. On the Publishing Type Page, choose the default of Publish a single Web site or load balancer and click Next.
   
6. On the Server Connection Security page verify that the default of Use SSL to connect to the published Web server or server farm is selected and click Next.
   
7. On the Internal Publishing Details page, do the following:
   
   1. In the Internal site name field, type mobileenroll.yourdoamin.com, where mobileenroll.yourdomain.com is your external enrollment server FQDN .
      
   2. Select Use a computer name or IP address to connect to the published server
      
   3. Specify the IP address of the Enrollment server in the Computer name or IP Address field.
      
   4. Click Next.
      
8. On the next Internal Publishing Details page, leave the Path(optional) field blank and then click Next.
   
9. On the Public Name Details page, do the following:
   
   1. In the Public Name field, type mobileenroll.yourdoamin.com, where mobileenroll.yourdomain.com is your external enrollment server FQDN .
      
   2. Leave the Path(Optional) field blank and click Next.
      
10. On the Select Web Listener Page, click New to launch the New Web Listener Wizard.
    
11. Type MDM Enrollment HTTPS Web Listener in the Web Listener Name field and click Next.
    
12. On the Client Connection Security page, accept the default value of Require SSL secured connections with clients and click Next.
    
13. On the Web Listener IP Addresses page, do the following:
    
    1. In the Listen for incoming Web requests on this networks field, Select External..
       
    2. Leave the check box selected for ISA Server will compress content field, and click Next.
       
14. On the Listener SSL Certificates page, do the following:
    
    1. Choose Select Certificate to display the list of available certificates. The mobileenroll certificate should be listed and installed correctly. If so, highlight the mobileenroll SSL certificate and click Select.
       
    2. Click Next on the Listener SSL Certificates page to continue the New Web Listener Definition Wizard.
       
15. On the Authentication Settings Page, select No Authentication in the Select how clients will provide credentials to ISA Server drop down. Click Next.
    
16. On the Single Sign On Settings page, click Next.
    
17. Click Finish on the Completing the New Web Listener Wizard page.
    
18. The Select Web Listener page should now display the Web listener that you created. Click Next.
    
19. On the Authentication Delegation page, select the No delegation, but client may authenticate directly from the drop down and click Next.
    
20. On the User Sets page accept the default of All Users and click Next.
    
21. Click Finish on the Completing the New Web Publishing Rule Wizard.
    
22. To save changes and updated the ISA Server 2006 configuration click Apply in the main Firewall Policy screen.
    

Next, you will validate that the Enrollment Web Service functions properly. You can use any computer with the device for testing purposes.

To Validate Enrollment Web Service Functionality

1. On your test mobile device, open Internet Explorer Mobile and launch https://mobileenroll.contoso.com/enrollmentserver/service.asmx, where mobileenroll.contoso.com is your external enrollment server FQDN.
   The enrollment Web service page should display after a certificate warning appears.