MDM Gateway Server Deployment Guidelines

2/9/2009

Review the following deployment guidelines and security considerations as you plan your Mobile Device Manager Gateway Server deployment.

MDM Gateway Server Placement

MDM Gateway Server is installed on a stand-alone server, or on several stand-alone servers if you implement a Domain Name System (DNS) scheme for load balancing. The servers should be located in the perimeter network.

MDM Gateway Server includes support for geo-distributed servers. You can install multiple computers that run MDM Gateway Server in different countries, or on different continents.

Note

For a distributed scenario, you must use a global load-balancing solution to redirect managed device sessions to the appropriate MDM Gateway Server.

Managed Device Addresses

Managed devices connect to MDM by using the public address for MDM Gateway Server; for example, mobilegateway.contoso.com.

To service incoming managed device sessions, MDM Gateway Server must provide the following:

  1. An internal IP address to be issued to the managed device from a range of addresses explicitly assigned to each server running MDM Gateway Server
  2. Access to the DNS against which managed devices are to resolve host names
  3. Two separate network adapters and two IP subnets: one network adapter and IP subnet for communicating with external client devices, and one network adapter and IP subnet for communicating with internal users and servers

Managed Device Address Range

The managed device address range assigned to MDM Gateway Server should be taken from the RFC1918 private ranges. The range must be able to pass through the internal firewall and must be routable on the company network. To give these addresses the required access and routability, configure the internal firewall to allow managed device traffic on the IP ports listed in the tables in MDM Firewall Settings Worksheet.

In addition, you must make the managed device range routable wherever it is needed within the company network, so that a managed device session can be established with the target line-of-business (LOB) hosts.

When a managed device connects to MDM, the device is issued an internal IP address by MDM Gateway Server from the range of addresses assigned to the server. The internal IP address pool is not publicly routable, so you must use network address translation (NAT) for the address pool so that managed devices can access the Internet. In addition, the range of addresses in MDM Gateway Server must be large enough to support as many managed devices at the same time as are enrolled in MDM.

DNS for MDM Gateway Servers

Active Directory Domain Services–integrated Domain Name System (DNS) is the recommended DNS. The DNS that devices use for resolution must be able to forward queries and lookups, because it has to resolve hosts external to the enterprise, such as Web sites on the Internet, in addition to the addresses of internal hosts.

Each MDM Gateway Server must have two sets of DNS names: one is the Internet-facing name and the other faces the intranet. The Internet name is published in your publicly-facing DNS servers. All servers running MDM Gateway Server within the same MDM instance should share a single public DNS name, to enable load balancing based on that DNS name.

The intranet-facing DNS name is published in the internal DNS server that the Device Management server accesses. Every MDM Gateway Server must have a unique internal DNS name and that name must match the subject name of its machine certificate.

As a best practice, direct managed devices at a secure internal DNS that cannot ordinarily be reached from outside the enterprise. An untrusted external client should never be able to directly resolve resources that are located within the company enterprise.

In order for users to enroll their devices over the air (OTA), you must provide public DNS A records. Providing public DNS records enables enrollment to work correctly through publishing points for the Web proxy server for Windows Mobile devices.

MDM role                DNS record to publish                                        Record type   X.509 certificate
MDM Enrollment Server   Mobileenroll.<domain name>                                   DNS <A>       Subject name must match the published DNS <A> record
MDM Gateway Server      FQDNs of the computers that are running MDM Gateway Server   DNS <A>

In the table, <domain name> is replaced with your company domain name.
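As an added example, not part of this documentation or of MDM itself, the following Python check validates a planned set of names against the rules in this section: the shared public name must carry one A record per gateway external address, the Mobileenroll record must be published, and each gateway's internal FQDN must be unique, present in the intranet DNS, and identical to its machine-certificate subject name. All zone data, host names and addresses below are constructed.

```python
"""Check planned MDM DNS names and machine-certificate subjects against the
naming rules above (added example; not Microsoft documentation or tooling)."""

# Constructed sample data: zone contents, names and addresses are hypothetical.
PUBLIC_NAME = "mobilegateway.contoso.com"   # shared Internet-facing gateway name
ENROLL_NAME = "mobileenroll.contoso.com"    # public record required for OTA enrollment
PUBLIC_ZONE = {  # name -> A records published on the Internet-facing DNS
    "mobilegateway.contoso.com": {"203.0.113.10"},  # wrong: mdmgw02's address is missing
    "mobileenroll.contoso.com": {"203.0.113.20"},
}
INTERNAL_ZONE = {  # name -> A record in the intranet DNS used by Device Management Server
    "mdmgw01.corp.contoso.com": "10.0.1.10",
    "mdmgw02.corp.contoso.com": "10.0.1.11",
}
GATEWAYS = [  # (external address, internal FQDN, machine-certificate subject name)
    ("203.0.113.10", "mdmgw01.corp.contoso.com", "mdmgw01.corp.contoso.com"),
    ("203.0.113.11", "mdmgw02.corp.contoso.com", "mdmgw2.corp.contoso.com"),  # wrong: subject typo
]


def check_names(gateways, public_zone, internal_zone, public_name, enroll_name):
    """Return the list of naming problems; an empty list means the plan is consistent."""
    problems = []
    if enroll_name not in public_zone:
        problems.append(f"no public A record for {enroll_name}; OTA enrollment will fail")
    shared = public_zone.get(public_name, set())
    external = {ext for ext, _, _ in gateways}
    for ip in sorted(external - shared):
        problems.append(f"{public_name} has no A record for gateway address {ip}")
    for ip in sorted(shared - external):
        problems.append(f"{public_name} resolves to {ip}, which is not a gateway")
    internal_names = {name.lower() for name in internal_zone}
    seen = set()
    for _, fqdn, subject in gateways:
        key = fqdn.lower()  # DNS names compare case-insensitively
        if key in seen:
            problems.append(f"internal name {fqdn} is used by more than one gateway")
        seen.add(key)
        if key not in internal_names:
            problems.append(f"internal DNS has no A record for {fqdn}")
        if key != subject.lower():
            problems.append(f"{fqdn}: certificate subject {subject} does not match the internal name")
    return problems


if __name__ == "__main__":
    for problem in check_names(GATEWAYS, PUBLIC_ZONE, INTERNAL_ZONE, PUBLIC_NAME, ENROLL_NAME):
        print("FAIL:", problem)
```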

Blocking Device Access

MDM maintains a list of Windows Mobile devices that are not allowed to access MDM. When a device attempts to access MDM, MDM Gateway Server checks the list of blocked devices and denies access to any device on that list.

MDM adds managed devices to the blocked devices list when a device wipe completes successfully on the device. You can also manually add devices to the blocked devices list by running a cmdlet in MDM Console. To block a managed device from accessing MDM, see Blocking a Managed Device in MDM Operations at this Microsoft Web page: https://go.microsoft.com/fwlink/?LinkId=112415.

Communication Between MDM Gateway Server and MDM Device Management Server

Because MDM Gateway Server management is designed to be remote, MDM Gateway Server accepts incoming IP sessions from MDM Device Management Server for configuration and reporting. By design, at no point should MDM Gateway Server start inward-bound sessions. Only authenticated client devices can start sessions.

MDM Gateway Network Configuration

Review the network configuration options and requirements in this section before you configure MDM Gateway Server.

Note

For improved performance on Windows Server 2003 SP2, you should use network adapters that support receive-side scaling (RSS).

Network Configuration Requirements

You must follow these network configuration requirements for MDM Gateway Server:

  • Every computer that is running MDM Gateway Server must have its external interface configured with a public IP address, not a private IP address.
  • Every computer that is running MDM Gateway Server must have a discrete, non-overlapping IP address pool.
  • The IP address pool subnet cannot intersect with the internal subnet on MDM Gateway Server. Otherwise, network traffic from the company network to MDM Gateway Server will not be routable.
  • The IP address pool subnet cannot intersect with the internal subnet on your internal company network. Otherwise, network traffic from the internal network to the managed devices will not be routable.
  • Do not use teamed network adapters on computers that are running MDM Gateway Server.
  • Do not deploy MDM Gateway Server behind a Network Address Translation (NAT) server. Placing computers running MDM Gateway Server behind a NAT device masks the identity of MDM Gateway Server, which prevents MDM from working properly, and is not a supported configuration for the following reasons:
    • Devices will ignore Wipe Now requests. Devices will continue to be managed but will only be wiped when they synchronize with MDM Device Management Server at their normal connection interval—for example, the default interval of every eight hours. The device compares the IP address of the computer running MDM Gateway Server to which the device connects with the IP address of the computer running MDM Gateway Server that sent the packet. If the two IP addresses do not match, as is the case when MDM Gateway Server is behind a NAT device, the packet is ignored and the device does not connect to MDM Device Management Server until its regularly scheduled interval.
    • Load balancing multiple computers that are running MDM Gateway Server will not be possible. You must configure the MDM Gateway Server Domain Name System (DNS) name with multiple <A> records to load balance Internet Protocol security (IPsec) traffic. For more information about MDM Gateway Server load balancing, see MDM Scaled-Out Distributed Configuration Topology.
    • NAT timeout detection will not work.
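The following Python script is an added example, not part of this documentation or of MDM's own tooling. It checks a planned layout against the address-range rules in the Managed Device Address Range section and the requirements listed above: a public (non-RFC1918) external address, an RFC1918 device pool that does not intersect the gateway's own internal subnet, the company network, or another gateway's pool, and enough pool capacity for all enrolled devices at once. The gateway names, addresses and device count are constructed.

```python
"""Check a planned MDM Gateway Server address layout against the
requirements above (added example, not Microsoft documentation or tooling)."""
from ipaddress import ip_interface, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample plan: gateway names, addresses and device count are hypothetical.
COMPANY_SUBNET = ip_network("10.0.0.0/16")
PLAN = {
    "mdmgw01.corp.contoso.com": {
        "external": "203.0.113.10/24",   # Internet-facing interface
        "internal": "10.0.1.10/24",      # interface toward the company network
        "device_pool": "10.200.0.0/24",  # addresses issued to managed devices
    },
    "mdmgw02.corp.contoso.com": {
        "external": "192.168.5.10/24",   # wrong: private address on the external side
        "internal": "10.0.1.11/24",
        "device_pool": "10.200.0.0/25",  # wrong: overlaps mdmgw01's pool
    },
}
ENROLLED_DEVICES = 400  # the pools must hold this many devices at the same time


def check_plan(plan, company_subnet, enrolled):
    """Return the list of violated requirements; an empty list means the plan passes."""
    problems, pools, capacity = [], [], 0
    for name, gw in plan.items():
        ext, internal = ip_interface(gw["external"]), ip_interface(gw["internal"])
        pool = ip_network(gw["device_pool"])
        if any(ext.ip in r for r in RFC1918):
            problems.append(f"{name}: external address {ext.ip} is private, not public")
        if not any(pool.subnet_of(r) for r in RFC1918):
            problems.append(f"{name}: device pool {pool} is outside the RFC1918 ranges")
        for label, net in (("own internal subnet", internal.network),
                           ("company network", company_subnet)):
            if pool.overlaps(net):
                problems.append(f"{name}: device pool {pool} intersects {label} {net}")
        for other_name, other in pools:
            if pool.overlaps(other):
                problems.append(f"{name}: device pool {pool} overlaps {other_name} pool {other}")
        pools.append((name, pool))
        capacity += pool.num_addresses - 2  # network and broadcast addresses are unusable
    if capacity < enrolled:
        problems.append(f"pools hold {capacity} devices but {enrolled} are enrolled")
    return problems


if __name__ == "__main__":
    for problem in check_plan(PLAN, COMPANY_SUBNET, ENROLLED_DEVICES):
        print("FAIL:", problem)
```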

When you issue a device management command, such as a wipe request, MDM Device Management Server instructs MDM Gateway Server to send a specially formatted data packet to the managed device, instructing the device to request a Group Policy refresh immediately.

MDM Gateway Server Source-Based Routing

By using source-based routing, MDM Gateway Server can direct Internet Protocol security (IPsec) tunneled traffic from managed devices to a different, non-MDM gateway server.

The following shows the benefits of source-based routing:

  • You can configure MDM Gateway Server with an Internet public IP address on the external segment and maintain the ability to redirect tunneled traffic that is destined for the Internet through a content filter firewall.
  • You can deploy MDM Gateway Server in the perimeter network without changing the perimeter network topology.
  • MDM can support managed device Internet access for all kinds of network traffic and protocols.
  • You can support Internet access for legacy applications that do not use connection manager proxy settings.
  • You do not have to configure the proxy server separately.

To configure source-based routing for MDM Gateway Server, use the Add MDM Gateway Wizard from MDM Console. To edit the settings for source-based routing, from the MDM Console, choose the Properties menu. For instructions about how to enable this feature, see Step 5h: Running the Add MDM Gateway Wizard in the MDM Deployment Guide.

Security Considerations for MDM Gateway Server

Follow the suggestions in this section to help make MDM Gateway Server more secure.

MDM Gateway Server Ports

After you install MDM Gateway Server, computers that are running MDM Gateway Server listen externally on the ports that are listed in MDM Firewall Settings Worksheet. Unless otherwise hardened as described later in this section, the internal interface allows network traffic on all standard TCP/IP ports.

If you enable the Windows Firewall client on computers that are running MDM Gateway Server, you must configure ports as described in MDM Firewall Settings Worksheet for successful operation of the MDM system.

MDM Gateway Server Security Configurations

You must use the following security configurations:

  • Do not join MDM Gateway Server to the domain. A domain-joined MDM Gateway Server defeats the purpose of separation of duties and is an unsupported implementation.
  • The MDM Gateway Server Web service must always be running. Set this service to start automatically at system boot.

We recommend the following best practices for security:

  • You should make sure that MDM Gateway Server is part of the enterprise infrastructure and include it in all update-management processes to keep it up to date with security-related and operating system updates.
  • You should deny the IP address of MDM Gateway Server permission to start sessions through the internal firewall. However, you should enable it to respond to sessions that MDM Console and MDM Device Management Server start. You should also configure the IP address of MDM Gateway Server to respond to sessions initiated by the software update, antivirus, and other management mechanisms in the enterprise. This additional precautionary step can hinder malicious attacks if the system is compromised.

Harden the server before you install it in a potentially hazardous environment, such as the perimeter network. You can harden the server by using the Security Configuration Wizard included with Windows Server 2003 SP1 and in later versions.

Network Interfaces Configurations

MDM Gateway Server checks network packets to make sure that packets that come in on one network interface will route back through the same network interface. For security reasons, MDM Gateway Server will drop the packets if the two interfaces do not match.

To make sure that packets route correctly, follow these steps when you configure MDM Gateway Server:

  • Do not have more than one network interface that faces the same subnet
  • Do not have two default gateways of last resort that point to different network interfaces

Default MDM Gateway Server Routing

To enable MDM to successfully establish an incoming IPsec session with a managed device, MDM Gateway Server must respond to every initiating request from a managed device along the same path on which it received the request. That is, Internet, intranet, and virtual private network (VPN) traffic must all be configured in the routing tables so that the network adapter used for incoming traffic is also used for the traffic going back to the device.

We recommend that you configure MDM Gateway Server so that it cannot initiate outbound sessions from its external or internal interfaces in any direction. This helps decrease the potential attack surface by limiting the access options of MDM Gateway Server.

We recommend that you use source-based routing, as described earlier in this topic. If instead you choose to define a Web proxy for MDM Gateway Server, you should configure your network security settings to deny attempts to initiate a session externally from the external and internal interfaces.