Mobile Device Manager Gateway Server Architecture


Mobile Device Manager Gateway Server is the pivotal access point for managed devices. Typically, this server is installed in your perimeter network where a defense-in-depth approach helps protect the network security of your company. MDM Gateway Server is a stand-alone gateway that faces the Internet from inside the perimeter network. Typically, it is not domain-joined and shares no accounts or passwords with your company domain. It does not directly use Active Directory Domain Service, NTLM, or Kerberos access to authenticate devices because these would require Mobile Device Manager Gateway Server to be domain-joined or to store domain credentials.

MDM Gateway Server authenticates incoming connection requests by using an offline certificate evaluation process that queries the device machine certificate. It allows an end-to-end SSL session to be maintained between the client application and MDM application servers.

The following illustration shows the detailed architecture of MDM Gateway Server:


MDM Gateway Server has the following components:

  • Certificate store: MDM uses machine certificates to authenticate Windows Mobile devices and MDM Gateway Server and MDM Device Management Server. These certificates are stored in the Windows Certificate Store.
  • MDM VPN agent: The virtual private network (VPN) agent handles communications between MDM Device Management Server and MDM Gateway Server. For MDM Gateway Server, the MDM Gateway Server cannot start communication with servers in the company network. For improved security, the MDM VPN agent does not start connections to MDM Device Management Server.
    As a best practice, we recommend that you implement firewall rules so that MDM Device Management Server is the only internal host with which MDM Gateway Server communicates, and that the direction of the traffic is outgoing (MDM Device Management Server to MDM Gateway Server) only.
  • Mobile VPN policy engine: This component establishes and manages the IPsec tunnel to and from the device. It works with the Mobile VPN driver in the networking stack to enable the Mobile VPN client to establish authenticated and encrypted communications over the mobile operator network or through a Wi-Fi network.
  • MDM Alerter agent: The Alerter agent notifies the device that pending Open Mobile Alliance Device Management (OMA DM) commands are waiting, such as a device wipe. The Alerter agent then notifies the device to start an OMA session. The managed device communicates with MDM Device Management Server through the usual mechanisms and then retrieves the command.
  • Mobile VPN driver: The Mobile VPN driver manages network communications with the device. It checks that data coming from the device is valid and that the device has a valid IPsec Security Association (SA). If the connection is valid, the data is forwarded. If the connection is not valid, the data is discarded or is moved up the network stack to the Mobile VPN policy engine to negotiate a new connection.

After the managed device establishes a valid IPsec tunnel with MDM Gateway Server, it can access IT services for which the administrator provides access on your company network. The connection will fail if the user is denied access to a company IT service.

The internal and external facing interfaces from the MDM Gateway Server must be on separate subnets.