The managed device address range assigned to MDM Gateway Server should be a range of addresses from the RFC1918 ranges. The address range must be able to pass through the internal firewall and must be routable on the company network. To enable addresses to have the desired access and to be suitably routable, you must configure the internal firewall to allow for managed device traffic to carry over the IP ports as described in the tables of ports listed in MDM Firewall Settings Worksheet.

In addition, you must enable the managed device range to route as needed within a company network to make sure that the managed device session can establish with the target line-of-business (LOB) hosts.

When a managed device connects to MDM, the device is issued an internal IP address by MDM Gateway Server from the range of addresses assigned to the server. The internal IP address pool is not publicly routable, so you must use network address translation (NAT) for the address pool so that managed devices can access the Internet. In addition, the range of addresses in MDM Gateway Server must be large enough to support as many managed devices at the same time as are enrolled in MDM.

Active Directory Domain Services–integrated Domain Name System (DNS) is the recommended DNS. The DNS to which devices resolve must be able to forward queries and lookups. This requirement is because hosts external to the enterprise, such as Web sites on the Internet, have to be resolved in addition to the DNS that resolves addresses of internal hosts.

Each MDM Gateway Server must have two sets of DNS names: one is the Internet-facing name and the other faces the intranet. The Internet name is published in your publicly-facing DNS servers. All servers running MDM Gateway Server within the same MDM instance should share a single public DNS name, to enable load balancing based on that DNS name.

The intranet-facing DNS name is published in the internal DNS server that the Device Management server accesses. Every MDM Gateway Server must have a unique internal DNS name and that name must match the subject name of its machine certificate.

As a best practice, you should direct managed devices at a secure internal DNS that you cannot ordinarily access from outside the enterprise. You should never directly resolve to resources that are located within the company enterprise by an untrusted external client.

In order for users to enroll their devices over the air (OTA), you must provide public DNS A records. Providing public DNS records enables enrollment to work correctly through publishing points for the Web proxy server for Windows Mobile devices.

You must follow these network configuration requirements for MDM Gateway Server:

• Every computer that is running MDM Gateway Server must have its external interface configured with a public IP address, not a private IP address.
  
• Every computer that is running MDM Gateway Server must have a discrete, non-overlapping IP address pool.
  
• The IP address pool subnet cannot intersect with the internal subnet on MDM Gateway Server. Otherwise, network traffic from the company network to MDM Gateway Server will not be routable.
  
• The IP address pool subnet cannot intersect with the internal subnet on your internal company network. Otherwise, network traffic from the internal network to the managed devices will not be routable.
  
• Do not use teamed network adapters on computers that are running MDM Gateway Server.
  
• Do not deploy MDM Gateway Server behind a Network Address Translation (NAT) server. Placing MDM Gateway Server behind an NAT is not a supported scenario for MDM; doing so essentially masks the identity of MDM Gateway Server, which prevents MDM from working properly. Placing computers running MDM Gateway Server behind a NAT device is not a supported configuration for the following reasons:
  
  • Devices will ignore Wipe Now requests. Devices will continue to be managed but will only be wiped when they synchronize with MDM Device Management Server at their normal connection interval—for example, the default interval of every eight hours. The device compares the IP address of the computer running MDM Gateway Server to which the device connects with the IP address of the computer running MDM Gateway Server that sent the packet. If the two IP addresses do not match, as is the case when MDM Gateway Server is behind a NAT device, the packet is ignored and the device does not connect to MDM Device Management Server until its regularly scheduled interval.
    
  • Load balancing multiple computers that are running MDM Gateway Server will not be possible. You must configure the MDM Gateway Server Domain Name System (DNS) name with multiple <A> records to load balance Internet Protocol security (IPsec) traffic. For more information about MDM Gateway Server load balancing, see MDM Scaled-Out Distributed Configuration Topology.
    
  • NAT timeout detection will not work.
    

When you issue a device management command, such as a wipe request, MDM Device Management Server instructs MDM Gateway Server to send a specially formatted data packet to the managed device, instructing the device to request a Group Policy refresh immediately.

By using source-based routing, MDM Gateway Server can direct Internet Protocol security (IPsec) tunneled traffic from managed devices to a different, non-MDM gateway server.

The following shows the benefits of source-based routing:

• You can configure MDM Gateway Server with an Internet public IP address on the external segment and maintain the ability to redirect tunneled traffic that is destined for the Internet through a content filter firewall.
  
• You can deploy MDM Gateway Server in the perimeter network without changing the perimeter network topology.
  
• MDM can support managed device Internet access for all kinds of network traffic and protocols.
  
• You can support Internet access for legacy applications that do not use connection manager proxy settings.
  
• You do not have to configure the proxy server separately.
  

To configure source-based routing for MDM Gateway Server, use the Add MDM Gateway Wizard from MDM Console. To edit the settings for source-based routing, from the MDM Console, choose the Properties menu. For instructions about how to enable this feature, see Step 5h: Running the Add MDM Gateway Wizard in the MDM Deployment Guide.

After you install MDM Gateway Server, computers that are running MDM Gateway Server listen externally on the ports that are listed in MDM Firewall Settings Worksheet. Unless otherwise hardened as described later in this section, the internal interface allows network traffic on all standard TCP/IP ports.

If you enable the Windows Firewall client on computers that are running MDM Gateway Server, you must configure ports as described in MDM Firewall Settings Worksheet for successful operation of the MDM system.

You must use the following security configurations:

• A domain-joined MDM Gateway Server defeats the purpose of separation of duties and is an unsupported implementation.
  
• The MDM Gateway Server Web service must be always running. This service should be set to start automatically at system boot.
  

We recommend the following best practices for security:

• You should make sure that MDM Gateway Server is part of the enterprise infrastructure and include it in all update-management processes to keep it up to date with security-related and operating system updates.
  
• You should deny the IP address of MDM Gateway Server permission to start sessions through the internal firewall. However, you should enable it to respond to sessions that MDM Console and MDM Device Management Server start. You should also configure the IP address of MDM Gateway Server to respond to sessions initiated by the software update, antivirus, and other management mechanisms in the enterprise. This additional precautionary step can hinder malicious attacks if the system is compromised.
  

Harden the server before you install it in a potentially hazardous environment, such as the perimeter network. You can harden the server by using the Security Configuration Wizard included with Windows Server 2003 SP1 and in later versions.

MDM Gateway Server checks network packets to make sure that packets that come in on one network interface will route back through the same network interface. For security reasons, MDM Gateway Server will drop the packets if the two interfaces do not match.

To make sure that packets route correctly, follow these steps when you configure MDM Gateway Server:

• Do not have more than one network interface that faces the same subnet
  
• Do not have two default gateways of last resort that point to different network interfaces
  

To enable MDM to successfully establish an incoming IPsec session with a managed device, MDM Gateway Server must respond to all initiating requests from a managed device along the same path in which MDM Gateway Server received the request. That is, Internet, intranet, and virtual private network (VPN) traffic must all be configured in the routing tables so that the same network adapter that is used for incoming traffic is also used for traffic going back along to the device.

We recommend that you configure MDM Gateway Server so that it cannot initiate out-bound sessions from its external or internal interfaces in any direction. This helps decrease the potential attack surface by limiting access options for MDM Gateway Server.

We recommend that you use source-based routing, as described earlier in this topic. If instead you choose to define a Web proxy for MDM Gateway Server, you should configure your network security settings to deny attempts to initiate a session externally from the external and internal interfaces.