MDM Scaled-Out Distributed Configuration Topology

2/9/2009

The scaled-out, distributed configuration topology for System Center Mobile Device Manager is the recommended configuration for a production enterprise environment. This configuration allows for the greatest security, availability, and scalability.

[Illustration: MDM scaled-out, distributed configuration topology, with components numbered 1 to 3]

The following are highlighted by number in the illustration:

  • 1: Multiple computers that are running MDM Gateway Server. You must configure your MDM Gateway Server Domain Name System (DNS) name with multiple (A) resource records to load balance Internet Protocol security (IPsec) traffic; do not use hardware or software load balancers with MDM Gateway Server. Managed device traffic destined for the company network is routed through the internal firewall to the computers running MDM Device Management Server that are registered in DNS.
  • 2: You can use hardware or software load balancing. IP affinity must be enabled for managed device traffic that is destined for the load balancer in front of MDM Device Management Server. We recommend that you monitor the application pool for MDM servers if the load balancer supports this. For more information, consult the load balancer documentation.
    MDM Enrollment Server is usually assigned two fully qualified domain names (FQDNs) during MDM Setup. The first FQDN is for the external Windows Mobile device enrollment Web site. The second FQDN is for the administration Web site accessed by MDM Administrator Tools. These FQDNs are for the virtual IP (VIP) addresses for the load balancer.
  • 3: MDM Administrator Tools access MDM Enrollment Server and MDM Device Management Server Web services over ports as specified in the initial server setup. The tools obtain the load balancer FQDN information from the Active Directory Domain Services Service Connection Points (SCP).
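
As an added example (not code from the MDM documentation), the following Python script parses a constructed DNS zone fragment and checks it against the rules above: the MDM Gateway Server FQDN must carry multiple A records so that DNS round-robin balances the IPsec traffic, while the enrollment, administration and Device Management Server FQDNs should each resolve to a single load-balancer VIP. All host names and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed zone fragment; host names and addresses are assumptions,
# not MDM defaults.
ZONE = """
$ORIGIN example.com.
; MDM Gateway Server: one A record per gateway computer (DNS round-robin)
mdmgateway   IN A 203.0.113.10
mdmgateway   IN A 203.0.113.11
mdmgateway   IN A 203.0.113.12
; MDM Enrollment Server FQDNs point at the load-balancer VIPs
enroll       IN A 192.0.2.20
mdmadmin     IN A 192.0.2.21
; MDM Device Management Server FQDN points at the load-balancer VIP
mdmdms       IN A 192.0.2.22
"""

A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\S+)$")

def parse_a_records(zone_text):
    """Return {fqdn: [ip, ...]} for the A records in a simple zone fragment."""
    origin = ""
    records = defaultdict(list)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = A_RECORD.match(line)
        if not m:
            continue  # ignore record types this check does not need
        name, ip = m.groups()
        fqdn = name if name.endswith(".") else f"{name}.{origin}"
        records[fqdn].append(ip)
    return dict(records)

def check_topology(records, gateway_fqdn, balanced_fqdns):
    """Apply the topology's DNS rules; return a list of findings (empty = OK)."""
    findings = []
    gw = records.get(gateway_fqdn, [])
    if len(gw) < 2:  # gateway relies on DNS round-robin, not a load balancer
        findings.append(f"{gateway_fqdn}: expected multiple A records, found {len(gw)}")
    for fqdn in balanced_fqdns:
        ips = records.get(fqdn, [])
        if len(ips) != 1:  # each of these names is one load-balancer VIP
            findings.append(f"{fqdn}: expected a single VIP A record, found {len(ips)}")
    return findings
```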

The scaled-out, distributed topology diagram does not show other required components of the MDM system, such as a domain controller, a certification authority, and a Microsoft SQL Server database. These components are still required when you configure MDM by using this topology.

In addition, you should configure a secure Web publishing proxy to use from the perimeter network to publish the external enrollment Web site.

Note

For each MDM topology, the Active Directory Domain Services, certification authority server, the computer that is running Microsoft SQL Server, MDM Device Management Server, and MDM Enrollment Server must be in the same site. However, servers that are running MDM Gateway Server do not have to be in the same geographical site. Active Directory, the certification authority server, the computer that is running SQL Server, MDM Device Management Server, and MDM Enrollment Server must be in the same domain.