Configuring External and Internal Firewalls in MDM 2008 SP1

2/9/2009

This guide is for Information Technology (IT), Networking and Security professionals responsible for deploying Microsoft System Center Mobile Device Manager (MDM) 2008 Service Pack 1 components in the enterprise. It describes how to configure external and internal firewalls to help MDM to function as designed and to meet its goal of permitting more secure access to Line-of-Business (LOB) applications. It also describes how correctly configuring the internal firewall for permitting access by MDM virtual private network (VPN) clients makes access to critical LOB applications possible.

By using this information, you can gain the advantages of implementing Windows Mobile 6.1 and MDM in your enterprise infrastructure without knowingly compromising the integrity of the environment.

Other than referencing Microsoft products such as MDM and ISA Server 2006, this document is intended to be product and manufacturer agnostic. It is entirely normal in the enterprise environment to have equipment from various manufacturers carrying out the firewall and proxy roles.

This guide contains the following sections:

  • Assumptions
  • Expected Environment
  • External Firewall
  • Internal Firewall
  • ISA Server 2006 with MDM
  • Planning Resources
  • Guidance for Publishing MDM Enrollment Server on ISA Server 2006

The first part of this guide describes areas of commonality such as traffic types, protocols, and traffic flows. The guide assumes that IT professionals responsible for making the necessary configuration changes and modifications on any third-party product can do so based on the information contained in this document.

The second part of the guide details three specific areas where ISA Server 2006 may be a good fit:

  • Reverse proxy, publishing MDM Enrollment Server
  • Outbound proxy
  • Internal firewall, for customers who do not have the external/internal firewall combination, and therefore lack the perimeter network that the bulk of this guide addresses. Using ISA Server 2006 in this fashion introduces an additional layer of defense and should be given serious consideration.

Helping to secure and protect the enterprise are the primary considerations. MDM was designed with security being of paramount importance. By applying accepted practices around firewall configurations, you can implement MDM in a more secure fashion. The guiding principle of recommending a more secure configuration is applied throughout this document.

Assumptions

This guide is written for Security professionals responsible for applying their expertise in helping to ensure that all reasonable steps are taken to protect the enterprise from intrusion. It was also written for the Networking/Firewall specialist responsible for modifying the external and internal firewalls and routers to implement MDM.

This guide assumes an understanding of MDM architecture, including the device management, enrollment, and MDM Gateway Server roles.

Expected Environment

The following illustration shows the expected environment for most MDM implementations and is the focus of this guide:

[Illustration: expected MDM environment, with numbered traffic flows 1 to 3]

The following numbers correspond to the numbers in the illustration:

  1. Unmanaged devices use TCP 443 (SSL) to connect to MDM Enrollment Server. A reverse proxy protects the IIS instance on MDM Enrollment Server.
  2. Managed devices connect to MDM Gateway Server by using IPsec. Communication with MDM Device Management Server is initiated from an address in the MDM VPN IP address pool, using SSL.
  3. Normal managed device communication with a published LOB host. This session uses LOB-specific protocols inside the IPsec tunnel, which terminates at the MDM Gateway Server external interface; the traffic then travels from the MDM Gateway Server internal interface to the LOB host.

Traffic Flow

The following illustration shows the critical elements and traffic flow from MDM Enrollment Server, through MDM client connectivity and LOB application access. It is provided for your convenience, and is not as complete as the information presented in the following External Firewall and Internal Firewall sections of this guide.

[Illustration: traffic flow from MDM Enrollment Server, through MDM client connectivity, to LOB application access]

External Firewall

This section discusses only ports and traffic types directed to the MDM Gateway Server internal and external interfaces. It provides additional details to the information covered in the MDM Planning Guide at this Microsoft Web page: https://go.microsoft.com/fwlink/?LinkID=130854.

Note

Never permit traffic that originates from the MDM Gateway Server external or internal interface to pass through the external firewall. Both IP addresses should be subject to explicit deny rules that apply to all traffic and all protocols. Because the permit rules in the tables that follow accept traffic from any Internet source, these two deny rules must be placed ahead of every permit rule on a first-match firewall; otherwise a packet sourced from one of the gateway's own addresses can still match a permit rule. For example, the external and internal firewalls should have rules in place as follows:

  • Rule 1: Source = Internal interface IP address; Destination = ANY; Action = DENY
  • Rule 2: Source = External interface IP address; Destination = ANY; Action = DENY

The following illustration shows the traffic flow to and from the external firewall.

[Illustration: traffic flow to and from the external firewall]

The following tables describe the ports that are used for enrollment and for Windows Mobile device access to MDM Gateway Server. You can also configure optional ports to increase security.

Enrollment Port

  Purpose           | Traffic source                       | Destination                                                                                                                        | Default
  ------------------|--------------------------------------|------------------------------------------------------------------------------------------------------------------------------------|--------
  Device enrollment | Unmanaged device (native IP address) | Reverse proxy that publishes MDM Enrollment Server; once it has validated the traffic, the host in this role passes it on to MDM Enrollment Server | TCP 443

IPsec Traffic

  Traffic source             | Destination                              | Default
  ---------------------------|------------------------------------------|-------------------------------------------------------
  Device (native IP address) | External interface of MDM Gateway Server | UDP 500 (bi-directional), IKE
  Device (native IP address) | External interface of MDM Gateway Server | UDP 4500 (bi-directional), IPsec NAT traversal tunnel
  Device (native IP address) | External interface of MDM Gateway Server | IP protocol 50 (IPsec ESP), bi-directional

IP protocol 50 is a protocol, not a port, and the firewall must be able to pass it as such. When a device is behind a NAT device, the ESP traffic is encapsulated in UDP 4500 instead, so all three entries are required.

Other MDM Ports

  Purpose                              | Traffic source                     | Destination                              | Default
  -------------------------------------|------------------------------------|------------------------------------------|--------------------------
  VPN services (NAT timeout detection) | Managed device (native IP address) | External interface of MDM Gateway Server | UDP 8901 (bi-directional)

VPN Address Pool Traffic

  Purpose                  | Traffic source                     | Destination                                                                | Default
  -------------------------|------------------------------------|----------------------------------------------------------------------------|----------------
  External Web site access | Managed device (issued IP address) | Network Address Translation (NAT) or proxy server in the perimeter network | TCP 443, TCP 80

Optional Ports for Increased Security

  Purpose                                                          | Traffic source | Destination                              | Default
  -----------------------------------------------------------------|----------------|------------------------------------------|---------
  Block traffic to the Alerter service port for increased security | Internet       | External interface of MDM Gateway Server | UDP 5359

Internal Firewall

As with the external firewall, the information in this section is similar to, but more detailed than, that in the MDM Planning Guide at this Microsoft Web page: https://go.microsoft.com/fwlink/?LinkID=130854.

Note

We strongly recommend that you not allow the MDM Gateway Server external or internal interfaces to initiate traffic inbound toward the internal network. Both IP addresses should be subject to an explicit deny rule for all traffic and all protocols, placed ahead of any permit rule.

The following illustration shows the traffic flow to and from the internal firewall.

[Illustration: traffic flow to and from the internal firewall]

The following tables describe the ports that are used for access through the internal firewall. You can also configure optional ports to increase security.

Ports Used by the MDM Server

  Traffic source               | Destination                              | Default
  -----------------------------|------------------------------------------|------------------------
  MDM Device Management Server | Internal interface of MDM Gateway Server | TLS 443 (configurable)

Internal Ports

  Purpose                       | Traffic source                    | Destination                                                                            | Default
  ------------------------------|-----------------------------------|----------------------------------------------------------------------------------------|-----------------------------------
  LOB applications that use SSL | Managed device (VPN pool address) | LOB application server                                                                 | TCP 443
  LOB applications (other)      | Managed device (VPN pool address) | LOB application server                                                                 | Defined by the type of application
  DNS                           | Managed device (VPN pool address) | Internal DNS                                                                           | UDP 53
  WINS                          | Managed device (VPN pool address) | Internal WINS, if applicable                                                           | UDP 137
  WSUS, unencrypted             | MDM Device Management Server      | Managed device (VPN pool address)                                                      | TCP 8530
  WSUS, SSL                     | MDM Device Management Server      | Managed device (VPN pool address)                                                      | TCP 8531
  RDP (optional)                | Managed device (VPN pool address) | Target hosts on a case-by-case basis                                                   | TCP 3389
  Communicator Mobile clients   | Managed device (VPN pool address) | Office Communications Server 2007 Director, Enterprise pool or Standard Edition Server | TCP 5061 or TCP 443
  File shares                   | Managed device (VPN pool address) | Target file servers on a case-by-case basis                                            | TCP 445

Optional Ports for Increased Security

  Purpose                                                          | Traffic source   | Destination               | Default
  -----------------------------------------------------------------|------------------|---------------------------|---------
  Block traffic to the Alerter service port for increased security | Internal network | Device (VPN pool address) | UDP 5359
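The external and internal firewall tables in this guide describe policy in vendor-neutral terms. The following Python script is an added example, not part of this guide or of the MDM product: it models both policies as ordered, first-match rule lists and checks the property that both Notes insist on, that nothing sourced from either MDM Gateway Server interface is ever permitted. All IP addresses in it are constructed for the example; the ports are the guide's defaults, and the WINS, WSUS, RDP, Communicator and file-share rows are left out for brevity. It also goes one step beyond the tables by showing what happens when the two deny rules are placed after the permit rules.

```python
"""Added example (not part of the MDM guide): a product-agnostic, first-match
model of the external and internal firewall policies described in this guide.
All IP addresses are constructed for the example; ports are the guide's defaults."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
# Constructed example addressing (assumptions, not values from the guide)
GW_EXTERNAL = ip_network("203.0.113.10/32")      # MDM Gateway Server, external interface
GW_INTERNAL = ip_network("192.168.99.10/32")     # MDM Gateway Server, internal interface
REVERSE_PROXY = ip_network("203.0.113.20/32")    # publishes MDM Enrollment Server
PERIMETER_PROXY = ip_network("192.168.99.3/32")  # outbound NAT/proxy in the perimeter network
VPN_POOL = ip_network("10.10.0.0/16")            # addresses issued to managed devices
DM_SERVER = ip_network("10.1.0.5/32")            # MDM Device Management Server
LOB_SERVER = ip_network("10.1.0.20/32")          # published LOB host
INTERNAL_DNS = ip_network("10.1.0.2/32")
INTERNAL_NET = ip_network("10.1.0.0/16")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "esp" (IP protocol 50)
    dport: Optional[int] = None  # None for port-less protocols such as ESP


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]         # None matches any protocol
    dport: Optional[int]         # None matches any port
    action: str                  # "allow" or "deny"
    note: str

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; a packet that no rule matches is dropped.
    Reply traffic of an allowed session is left to the firewall's state table."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return "deny", "default deny"


# External firewall: the guide's Rule 1 and Rule 2 first, then the permitted ports.
EXTERNAL_RULES = [
    Rule(GW_INTERNAL, ANY, None, None, "deny", "gateway internal interface never originates"),
    Rule(GW_EXTERNAL, ANY, None, None, "deny", "gateway external interface never originates"),
    Rule(ANY, GW_EXTERNAL, "udp", 5359, "deny", "Alerter service port, explicit block"),
    Rule(ANY, REVERSE_PROXY, "tcp", 443, "allow", "device enrollment via reverse proxy"),
    Rule(ANY, GW_EXTERNAL, "udp", 500, "allow", "IKE"),
    Rule(ANY, GW_EXTERNAL, "udp", 4500, "allow", "IPsec NAT traversal"),
    Rule(ANY, GW_EXTERNAL, "esp", None, "allow", "IPsec ESP, IP protocol 50"),
    Rule(ANY, GW_EXTERNAL, "udp", 8901, "allow", "VPN NAT timeout detection"),
    Rule(VPN_POOL, PERIMETER_PROXY, "tcp", 443, "allow", "device Web access via perimeter proxy"),
    Rule(VPN_POOL, PERIMETER_PROXY, "tcp", 80, "allow", "device Web access via perimeter proxy"),
]

# Internal firewall: the same two denies first, then a representative subset of the LOB rows.
INTERNAL_RULES = [
    Rule(GW_INTERNAL, ANY, None, None, "deny", "gateway internal interface never originates"),
    Rule(GW_EXTERNAL, ANY, None, None, "deny", "gateway external interface never originates"),
    Rule(INTERNAL_NET, VPN_POOL, "udp", 5359, "deny", "Alerter service port, explicit block"),
    Rule(DM_SERVER, GW_INTERNAL, "tcp", 443, "allow", "Device Management Server to gateway (TLS)"),
    Rule(VPN_POOL, LOB_SERVER, "tcp", 443, "allow", "LOB application over SSL"),
    Rule(VPN_POOL, INTERNAL_DNS, "udp", 53, "allow", "DNS"),
]


def gateway_never_originates(rules: List[Rule]) -> bool:
    """Probe the policy: a packet sourced from either gateway interface must be denied
    whatever its destination, protocol or port (the guide's Rule 1 and Rule 2)."""
    targets = ["198.51.100.7"] + [str(n.network_address) for n in
                                  (REVERSE_PROXY, PERIMETER_PROXY, LOB_SERVER, INTERNAL_DNS)]
    probes = [("tcp", 443), ("tcp", 80), ("udp", 53), ("esp", None)]
    for iface in (GW_EXTERNAL, GW_INTERNAL):
        for dst in targets:
            for proto, port in probes:
                verdict, _ = evaluate(rules, Packet(str(iface.network_address), dst, proto, port))
                if verdict != "deny":
                    return False
    return True


# The same external rules with the two denies moved to the end. On a first-match firewall
# the "any source" permits then also match packets sourced from the gateway's own address.
MISORDERED_EXTERNAL = EXTERNAL_RULES[2:] + EXTERNAL_RULES[:2]

if __name__ == "__main__":
    for label, rules in (("external", EXTERNAL_RULES), ("internal", INTERNAL_RULES),
                         ("misordered external", MISORDERED_EXTERNAL)):
        print(f"{label}: gateway never originates = {gateway_never_originates(rules)}")
    print(evaluate(EXTERNAL_RULES, Packet("198.51.100.7", "203.0.113.10", "udp", 500)))
    print(evaluate(INTERNAL_RULES, Packet("10.10.3.4", "10.1.0.20", "tcp", 3389)))
```

Run as a script to print the checks. gateway_never_originates is the check worth repeating against any rule set you export from a vendor console, and MISORDERED_EXTERNAL shows why the two deny rules must come first: moved to the end, the enrollment permit with an "any" source matches a TCP 443 packet sourced from the gateway's own external address.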

ISA Server 2006 with MDM

You can use ISA Server 2006 with MDM as follows:

  • To publish MDM Enrollment Server
  • As a proxy for clients that are enrolled in MDM
  • As the target for source-based routing
  • As an internal firewall
  • As a multifunction device, that is, one that performs multiple roles simultaneously (not recommended; see the end of this section)

Publishing MDM Enrollment Server on ISA Server 2006

The following illustration shows how you can use ISA Server 2006 to publish the MDM Enrollment Server.

[Illustration: ISA Server 2006 publishing MDM Enrollment Server]

The detailed steps on how to configure ISA Server 2006 as a reverse proxy for the enrollment process are included in the “Guidance for Publishing MDM Enrollment Server on ISA Server 2006” section of this guide.

Using ISA Server as a Proxy for MDM Clients

This section is not intended to repeat information which has been extensively documented in the ISA Server 2006 library. For more information on planning, deploying and managing ISA Server 2006 please refer to the documents referenced in the planning resources section at the end of this guide, with particular attention to the sections on defining and implementing ISA Server 2006 as a proxy.

Pre-requisites

The ISA Server 2006 must meet the following criteria:

  • It must be installed and configured for outbound Internet access.
  • It must be dual-homed.
  • Each interface must be on a different IP subnet within the perimeter network.

Some customers may want to use ISA Server 2006 as the outbound proxy for MDM VPN clients. The following illustration shows an example of this scenario:

[Illustration: ISA Server 2006 as the outbound proxy for MDM VPN clients]

If the managed devices are configured to use this proxy (as described later in this section), or source-based routing is configured to use the proxy as the default gateway for the VPN pool of IP addresses, then the following is true:

  • If the route to the target host is known from the local routing tables on MDM Gateway Server, all traffic other than HTTP and HTTPS is routed through the internal firewall.
  • If the proxy is defined, all HTTP and HTTPS traffic (including management traffic for enrolled devices) passes by way of the proxy. If the request meets the configured policies, it is allowed to leave the company network and continue to its destination on the Internet. Traffic that does not conform to policy is dropped or access is denied, and the user is notified of the reason for the denial.
  • MDM management traffic uses TCP 8443 by default (a value that the administrator can configure), and most proxies tunnel HTTPS (CONNECT) only to TCP 443 by default, so you must modify most proxies for the traffic to pass correctly:
    • Make sure that the proxy can resolve the DNS name of MDM Device Management Server and that the server can be reached from the proxy.
    • Configure the proxy server to tunnel HTTPS on port 8443. To allow tunneling of port 8443 with ISA Server 2006 as the proxy, use the AddTPRange.vbs script as described in "Managing Tunnel Port Ranges" at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=113972.

MDM devices operate in clientless (Web proxy) mode, so you do not need to plan for the ISA Server 2006 Firewall Client.

For clients to be directed to use this outbound proxy in MDM, one of the first group policies to create and send to a newly enrolled device should contain this information. To do this, you would create a new GPO that contains the name of the outgoing proxy for the MDM client to use.

The following steps show how to perform this process:

  1. Start GPMC and select the OU to which the group policy is to be applied. The settings for the Internet proxy are located under Computer Configuration / Administrative Templates / Windows Mobile Settings / Mobile VPN Settings.
  2. Double-click Corporate Proxy for Internet Access.
    [Screen shot: Mobile VPN Settings, Corporate Proxy for Internet Access]
  3. Select Enabled, and then type the address and port of the outbound proxy in the form host:port. An FQDN can be used instead of the IP address; the format is the same. For example, proxy.contoso.com:8080.
    [Screen shot: Corporate Proxy for Internet Access set to Enabled, with the proxy address]
  4. Apply the Group Policy before you exit. The new policy is applied to all devices in scope at their next scheduled connection.

Adding the Mobile VPN Subnet to the Routing Table

To add the Mobile VPN IP subnet range to ISA server

  1. In the ISA Server management console, expand the array name, and then choose the Configuration node.
  2. In the Networks node, double-click the Internal network object in the Task Pane.
  3. In the Addresses tab, choose Add Range and then type the start and end addresses of the IP range that MDM Gateway Server assigns to managed devices (the VPN pool). For example, a range that starts at 172.30.25.0.
  4. Choose OK twice.
  5. Choose Apply to save changes and update the configuration.

This step is required because ISA Server treats a packet whose source address does not belong to the network defined for the adapter on which it arrived as spoofed and drops it. Until the VPN pool is part of the Internal network definition, no access rule will apply to traffic from managed devices.

Validate Internet Explorer Mobile Settings

In this procedure, you will validate the Internet Explorer Mobile settings for Windows Mobile Standard edition so that mobile Web browsing will work correctly.

  1. On an MDM managed Windows Mobile device, click Start, point to Internet Explorer, and then choose Menu.
  2. Select Tools, then Options, and then Connections.
  3. Check Automatically detect settings.

For Windows Mobile 6.1 Professional edition, there is no option to force a specific connection for Internet Explorer Mobile. The behavior is to always automatically detect the connection to use.

Create an ISA Server Access Rule for the Internet

If you have not already done so, you must create an ISA Server access rule that permits Web traffic for clients from the internal to external network. For more information on ISA Server 2006 access rules, see “Publishing Concepts in ISA Server 2006” at this Microsoft Web page: https://go.microsoft.com/fwlink/?LinkID=105968.

Test the Mobile Device Proxy

  • From Internet Explorer Mobile, navigate to mobile.live.com. If the proxy is working, the following screen appears.

[Screen shot: mobile.live.com displayed in Internet Explorer Mobile]

Using ISA as a Target for Source-based Routing

By default, a VPN client uses the same default gateway as MDM Gateway Server unless directed otherwise. This may be impractical for some environments, so MDM Gateway Server implements source-based routing.

Source-based routing permits MDM Gateway Server to make a routing decision based on the source address of the traffic. For example, it handles traffic from itself in one fashion and directs VPN pool addresses differently. This gives the enterprise considerable flexibility and control.

The previous section showed how to use ISA Server 2006 as the out-going proxy for enforcing Corporate Policy on Web site access. To show how this is implemented in the context of MDM 2008 SP1, this scenario uses the information from the Gateway Configuration screen which is managed from the Mobile Device Manager Console.

For the purposes of this section, we will presume that the following has been defined on MDM Gateway Server:

  • The VPN pool has an IP address range of 10.10.0.0 with a subnet mask of 255.255.0.0.

  • VPN clients use a default gateway other than the one defined on MDM Gateway Server: the ISA Server 2006 outbound proxy (192.168.99.3).

    Note

    This is given as an example of implementing ISA Server 2006 as the outbound proxy. If your organization will use an existing proxy for this task, you should direct MDM clients to this proxy instead.

The following screen shows the IP address range to be assigned to VPN clients:

[Screen shot: Gateway Configuration, IP address range assigned to VPN clients]

There are two options for Routing Configuration:

  • Selecting the first option causes VPN clients to use the default gateway of MDM Gateway Server. In this scenario, that is not the desired behavior.
  • Selecting the second option separates VPN pool traffic from that of MDM Gateway Server.

In this scenario, we selected the second option and entered the target IP address of the ISA proxy, 192.168.99.3. As a result, all traffic destined for known networks is directed according to the local routing tables of MDM Gateway Server, with the VPN pool address (rather than the internal or external IP address of MDM Gateway Server) as the source address. All other traffic is directed to the ISA proxy.
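The routing decision just described, as an added example in Python that is not part of this guide or of the MDM product. The VPN pool (10.10.0.0/16) and the ISA proxy (192.168.99.3) are the values from this scenario; the gateway's routing table entries and its own default gateway (203.0.113.1) are constructed for the example, and the longest-prefix lookup stands in for whatever the real gateway's routing table does.

```python
"""Added example (not part of the MDM guide): the routing decision that the second
Routing Configuration option makes for traffic from the VPN pool. The pool
(10.10.0.0/16) and the ISA proxy (192.168.99.3) are the guide's values; the
routing table and the gateway's own default gateway are constructed."""
from ipaddress import ip_address, ip_network
from typing import Optional

VPN_POOL = ip_network("10.10.0.0/16")   # VPN pool from the guide's scenario
ISA_PROXY = "192.168.99.3"              # ISA Server 2006 outbound proxy from the guide's scenario
GATEWAY_DEFAULT_GW = "203.0.113.1"      # assumption: MDM Gateway Server's own default gateway

# Constructed routing table of MDM Gateway Server: (prefix, next hop); None = directly connected
ROUTES = [
    (ip_network("10.1.0.0/16"), "192.168.99.1"),  # internal LOB networks via the internal firewall
    (ip_network("192.168.99.0/24"), None),        # perimeter subnet on the internal interface
    (ip_network("203.0.113.0/24"), None),         # subnet on the external interface
]


def lookup(dst: str) -> Optional[str]:
    """Longest-prefix match over the local routing table. Returns the next hop,
    "direct" for a connected network, or None when the destination is unknown."""
    d = ip_address(dst)
    best = None
    for prefix, hop in ROUTES:
        if d in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    if best is None:
        return None
    return best[1] or "direct"


def next_hop(src: str, dst: str, separate_vpn_traffic: bool = True) -> str:
    """Where MDM Gateway Server forwards a packet after IPsec decapsulation.

    separate_vpn_traffic=False is the first Routing Configuration option: every
    client shares the gateway's own default gateway. True is the second option:
    known networks still follow the routing table, and anything else sourced
    from the VPN pool is sent to the ISA proxy instead. No address translation
    happens in either case, so the next hop sees the VPN pool address."""
    known = lookup(dst)
    if known is not None:
        return known
    if separate_vpn_traffic and ip_address(src) in VPN_POOL:
        return ISA_PROXY
    return GATEWAY_DEFAULT_GW


def proxy_reachable() -> bool:
    """Sanity check before enabling the second option: the proxy named as the VPN
    pool's gateway must itself be on a network the routing table already knows."""
    return lookup(ISA_PROXY) is not None


if __name__ == "__main__":
    print(next_hop("10.10.3.4", "10.1.0.20"))         # LOB host: via the internal firewall
    print(next_hop("10.10.3.4", "93.184.216.34"))     # Internet: via the ISA proxy
    print(next_hop("203.0.113.10", "93.184.216.34"))  # gateway's own traffic: default gateway
    print(proxy_reachable())
```

proxy_reachable is the check to run before switching to the second option: if the proxy address is not on a network the gateway already knows how to reach, VPN clients lose Internet access rather than gaining a filtered path.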

Implementing ISA Server 2006 as an Internal Firewall

You can add a layer of defense by implementing ISA Server 2006 as an internal firewall. Some enterprises may not have a perimeter network in which to place MDM Gateway Server, and may instead have the MDM Gateway Server located in the same physical subnet as domain-joined servers. In this scenario, because MDM Gateway Server is exposed to the Internet, it could be the target of attack. Although compromising this host would be difficult, you should not presume that it is impossible. We strongly recommend that you use a product such as ISA Server 2006 in this situation to add a layer of defense and provide additional protection to both MDM Gateway Server and all other internal resources.

The following illustration shows the MDM environment with an external firewall only.

[Illustration: MDM environment with an external firewall only]

Although the scenario of an external firewall only is supported, it is not recommended. A VPN client that terminates its session at MDM Gateway Server could communicate in some fashion with every host on the internal network, not just the ones intended to be accessible as LOB hosts. This creates a risk that may be unacceptable to some organizations. It also runs counter to the guiding principle stated at the outset of this guide: the most restrictive configuration is always preferable and more secure.

To better protect your infrastructure, you may want to add an ISA Server to create a perimeter network to hold the dual-homed MDM Gateway Server. In this scenario, ISA Server 2006 acts as the internal firewall. The following illustration shows this scenario.

[Illustration: ISA Server 2006 as the internal firewall, creating a perimeter network for the dual-homed MDM Gateway Server]

All guidance noted earlier in this document with regard to the Internal Firewall is applicable in this scenario.

Although it is easy to use ISA Server 2006 to configure a network-to-network relationship between the VPN pool of IP addresses and the internal subnet, this would go against the guiding principle that the most restrictive configuration is the preferred choice. Therefore, we highly recommend that you use access rules that permit traffic between the VPN pool and the target LOB hosts and certification authority only on a case-by-case basis.

Using ISA Server 2006 as a Multifunction Device

In previous examples, ISA Server 2006 has been shown functioning in the role of the reverse proxy that more securely publishes the MDM Enrollment Server, as an outbound proxy, and as an internal firewall.

We do not recommend, however, that you deploy a single ISA Server computer in more than one of these roles at the same time. Doing so creates a single point of failure and a single point of attack.

Planning Resources

The following Microsoft Web sites and technical articles provide background information that may be useful for planning and deploying MDM 2008 SP1.

  • MDM Planning Guide: https://go.microsoft.com/fwlink/?LinkID=130854
  • MDM Architecture Guide: https://go.microsoft.com/fwlink/?LinkID=116397
  • MDM Security and Protection: https://go.microsoft.com/fwlink/?LinkID=130987
  • Microsoft ISA Server 2006 - Planning and Architecture: https://go.microsoft.com/fwlink/?LinkId=116498
  • Microsoft ISA Server 2006 - Deployment: https://go.microsoft.com/fwlink/?LinkId=116499

Guidance for Publishing MDM Enrollment Server on ISA Server 2006

When publishing MDM Enrollment Server on ISA Server 2006, you must have the SSL certificate for the Enrollment Web site exported to a file. This file must contain both the private and the public key of the certificate. If you try to export the certificate directly from the Enrollment Web site on MDM Enrollment Server, the option to save the private key is not available and is grayed out. This is by design: the certificate template that MDM uses for this Web site does not allow export of the private key, for security reasons.

You can modify the template on the certification authority to allow export of private keys, but that is not supported. Instead, we recommend that you create a new certificate with the same common name that was used for the Enrollment Web site on MDM Enrollment Server, generated on the ISA Server computer so that its private key never has to leave that host, and then use this certificate to publish. The new certificate must meet the following conditions:

  • It must be issued by the same certification authority that is used by MDM in your environment
  • It must have the same common name as the original Enrollment Web site certificate

The following shows an overview of this process:

  1. Request, create, and install the certificate.
  2. Export the certification authority certificates.
  3. Import the certification authority certificates from a protected location.
  4. Create the ISA Server Web publishing rule.
  5. Validate the Internet Enrollment Web Service by using ISA Server.

Requesting the Certificate

Follow these steps to request, create, and install a certificate for ISA Server Enrollment Web Listener. You perform these procedures on the following:

  • A computer that runs ISA Server on which the MDM Enrollment Server is published (steps 1 through 4, and steps 6 and 7)
  • Any domain-joined server that has access to the certification authority (step 5)

To create a certificate request, create the certificate, and then install it

  1. On the ISA Server, start Notepad. Type the following information, using straight quotation marks (certreq does not accept typographic quotes):
    [NewRequest]
    Subject = "CN=EnrollmentServerFQDN"
    MachineKeySet = True
    KeySpec = 1
    In the Subject field, type the external FQDN for the MDM Enrollment Server that devices will access through the Internet, for example, mobileenroll.contoso.com. MachineKeySet = True places the private key in the computer's key store rather than the user's, which is where the ISA Server Web listener looks for it.

  2. On the File menu, choose Save As. In the File name box, type IsaEnCertReq.inf. Then save the file to the desktop.

  3. Open a Command Prompt window, locate to the directory that has IsaEnCertReq.inf, and then type the following command:

    certreq -new IsaEnCertReq.inf IsaEnCertReq.txt
    

    This command creates the request file IsaEnCertReq.txt. It is created and stored in the same directory as IsaEnCertReq.inf.

  4. Press ENTER.

  5. On a domain-joined server that has access to the certification authority, do the following:

    1. Copy the IsaEnCertReq.txt file that you just created to a protected directory on the domain-joined server.

    2. Open a Command Prompt window, navigate to the directory where IsaEnCertReq.txt is located, and then type the following command:

      certreq -submit -attrib "CertificateTemplate:WebServer" IsaEnCertReq.txt IsaEnCert.cer
      
    3. Press ENTER.

    4. If a dialog box instructs you to choose a certification authority, choose your designated certification authority, and then choose OK. This creates the certificate for the ISA Server Enrollment Web Listener. Next, you must put the newly created .cer file on the computer that is running the ISA Server.

  6. On the computer that is running the ISA Server, open a Command Prompt window, locate to the directory that has IsaEnCert.cer, and then type the following command:

    certreq -accept IsaEnCert.cer
    

    This command imports the new ISA Server Enrollment Web Listener certificate into the Personal Certificate Store.

  7. Press ENTER and then close the Command Prompt window.

Exporting the Certification Authority Certificates

After you obtain the valid certificate for the ISA Server Web Listener, you must export the root certification authority certificate and any subordinate certification authority certificates.

Note

If your root and subordinate certification authorities are already among the trusted certification authorities on your ISA server, you do not need to perform this step.

These procedures assume that your root certification authority is offline and inaccessible from the company network. Perform the following procedures from a subordinate certification authority by using the Certification Authority snap-in, or from a desktop or server that has access to the Certification Authority console. During these procedures, make sure that you do the following:

  • Name each exported root or subordinate certificate appropriately so that you can easily find it later.
  • Transfer the certificates in a protected manner to the computer that is running ISA Server.
  • Make sure that you can transfer text files and certificates on and off the computer that is running ISA Server.

To export root certification authority certificate

  1. Open the Certification Authority console from any domain-joined computer or server.
  2. Right-click the name of the certification authority, and then choose Properties.
  3. In the certification authority Certificates dialog box, choose the General tab, and then choose the certificate for the certification authority you want to access.
  4. Choose View Certificate.
  5. In the Certificate dialog box, choose the Certification Authority tab. Choose the name of the root certification authority and then choose View Certificate.
  6. In the Certificate dialog box, choose the Details tab and then choose Copy to File.
  7. The Certificate Export Wizard appears. Choose Next.
  8. On the Export File Format page, choose DER encoded binary X.509(.CER), and then choose Next.
  9. For File to Export, choose the path and name for the certificate, and then choose Next.
  10. Choose Finish. The .cer file is created in the location that you specified in the previous step.
  11. A dialog box appears to inform you that the export was successful. Choose OK.

To export subordinate certification authority certificates

  1. Open the Certification Authority console from any domain-joined computer or server.

  2. Right-click the name of the certification authority, and then choose Properties.

  3. In the certification authority certificates dialog box, choose the General tab, and then choose the certificate for the certification authority you want to access.

  4. Choose View Certificate.

  5. In the Certificate dialog box, choose the Certification Authority tab. Choose the name of the subordinate certification authority and then choose View Certificate.

    Note

    You must export the subordinate certification authority certificates. In the Certificate dialog box, if the View Certificate option for your subordinate certification authority is disabled, choose the Details tab and then go to the next step.

  6. In the Certificate dialog box, choose the Details tab, and then choose Copy to File.

  7. The Certificate Export Wizard appears. Choose Next.

  8. On the Export File Format page, choose DER encoded binary X.509 (.CER), and then choose Next.

  9. On the File to Export page, choose the path and name of the certificate, and then choose Next.

  10. Choose Finish. The .cer file is created in the location that you specified in the previous step.

  11. A dialog box appears to inform you that the export was successful. Choose OK to finish.

  12. Repeat these steps for each subordinate certification authority that is listed on the Certification Authority tab (step 5).

Importing Certification Authority Certificates onto the ISA Server

On the server that is running the ISA Server, make sure that you import the root certification authority, and all intermediate certification authority certificates, to a protected location. From the protected location, you then import the certificates into the correct certificate stores.

Note

If your root and subordinate certification authorities are already among the trusted certification authorities on your ISA server, you do not need to perform this step.

The following shows an overview of this process:

  1. You put the root certification authority certificate into the Trusted Root Authorities store on the computer that is running the ISA Server.
  2. You put the intermediate certification authority certificates into the Intermediate Certification Authorities store.

You must follow these steps for each intermediate or subordinate certification authority certificate.

To import the root certification authority certificate

  1. On the computer that is running ISA Server, open Microsoft Management Console (MMC) with the Certificates snap-in added.

    Note

    When you create the snap-in for Certificates, make sure that you choose the Computer Account option and not the Service or User options.

  2. Expand Trusted Root Certification Authorities, right-click Certificates, choose All Tasks, and then choose Import.

  3. On the Welcome to the Certificate Import Wizard, choose Next.

  4. On the File to Import page, choose Browse and locate the root certification authority certificate that you exported earlier, and then choose Next.

  5. On the Certificate Store page, make sure that you select Place all certificates in the following store and that Trusted Root Certification Authorities is visible in the Certificate Store section. Choose Next.

  6. Choose Finish to close the wizard.

To import the intermediate certification authority certificates

  1. On the computer that is running ISA Server, open MMC with the Certificates snap-in added.

    Note

    When you create the snap-in for Certificates, make sure that you choose the Computer Account option and not the Service or User options.

  2. Expand Intermediate Certification Authorities, right-click Certificates, choose All Tasks, and then choose Import.

  3. On the Welcome to the Certificate Import Wizard, choose Next.

  4. On the File to Import page, choose Browse and locate the intermediate certification authority certificate that you exported earlier, and then choose Next.

  5. On the Certificate Store page, make sure that you select Place all certificates in the following store and that Intermediate Certification Authorities is visible in the Certificate Store section. Choose Next.

  6. Choose Finish to close the wizard.

Creating ISA Server Web Publishing Rules

To create ISA server Web publishing rules

  1. On your ISA Server computer, launch the ISA Server Management Console. To do this, choose Start, Programs, and then choose Microsoft ISA Server.
  2. Expand the local computer name, right-click the Firewall Policy node, and then choose New, Web Site Publishing Rule.
  3. The New Web Publishing Rule Wizard appears. Type MDM Enrollment Web Publishing Rule in the Web Publishing Rule Name field and click Next.
  4. In the Select Rule Action page verify that Allow is selected under Action to take when rule conditions are met. Click Next.
  5. On the Publishing Type Page, choose the default of Publish a single Web site or load balancer and click Next.
  6. On the Server Connection Security page verify that the default of Use SSL to connect to the published Web server or server farm is selected and click Next.
  7. On the Internal Publishing Details page, do the following:
    1. In the Internal site name field, type mobileenroll.yourdomain.com, where mobileenroll.yourdomain.com is your external enrollment server FQDN.
    2. Select Use a computer name or IP address to connect to the published server
    3. Specify the IP address of the Enrollment server in the Computer name or IP Address field.
    4. Click Next.
  8. On the next Internal Publishing Details page, leave the Path(optional) field blank and then click Next.
  9. On the Public Name Details page, do the following:
    1. In the Public Name field, type mobileenroll.yourdomain.com, where mobileenroll.yourdomain.com is your external enrollment server FQDN.
    2. Leave the Path(Optional) field blank and click Next.
  10. On the Select Web Listener Page, click New to launch the New Web Listener Wizard.
  11. Type MDM Enrollment HTTPS Web Listener in the Web Listener Name field and click Next.
  12. On the Client Connection Security page, accept the default value of Require SSL secured connections with clients and click Next.
  13. On the Web Listener IP Addresses page, do the following:
    1. In the Listen for incoming Web requests on these networks field, select External.
    2. Leave the check box selected for ISA Server will compress content field, and click Next.
  14. On the Listener SSL Certificates page, do the following:
    1. Choose Select Certificate to display the list of available certificates. The mobileenroll certificate should be listed and installed correctly. If so, highlight the mobileenroll SSL certificate and click Select.
    2. Click Next on the Listener SSL Certificates page to continue the New Web Listener Definition Wizard.
  15. On the Authentication Settings Page, select No Authentication in the Select how clients will provide credentials to ISA Server drop down. Click Next.
  16. On the Single Sign On Settings page, click Next.
  17. Click Finish on the Completing the New Web Listener Wizard page.
  18. The Select Web Listener page should now display the Web listener that you created. Click Next.
  19. On the Authentication Delegation page, select the No delegation, but client may authenticate directly from the drop down and click Next.
  20. On the User Sets page accept the default of All Users and click Next.
  21. Click Finish on the Completing the New Web Publishing Rule Wizard.
  22. To save changes and update the ISA Server 2006 configuration, click Apply in the main Firewall Policy screen.

Validating Internet Enrollment Web Service by using ISA Server

Next, you will validate that the Enrollment Web Service functions properly through ISA Server. You can use any Windows Mobile device for testing purposes.

Note

Make sure that you can browse Web pages from Internet Explorer Mobile before performing these steps.

To Validate Enrollment Web Service Functionality