11/11/2008

This section lists common issues encountered with Mobile Device Manager (MDM) Gateway Server. The MDMsetup.log file does not record the installation of MDM Gateway Server or other MSI-based installations, such as prerequisite applications. However, if MDM Gateway Server installation is launched from the MDM Setup menu, it creates a VpnGateway.log file in the Temp directory on the MDM Gateway Server. Otherwise, you can create a log by using the /L or /L*v parameters at the command line.

MDM Gateway Server installation consists of the following steps:

  1. Configure the VPN Gateway certificates (manual process).

  2. Install the VPN Gateway Server.

  3. Set the Gateway Server URI. This step is not needed for the Gateway installation itself, but devices need it to connect after enrollment.

  4. Configure the Gateway in the Add New Gateway Wizard.

General MDM Gateway Server Troubleshooting

Look for errors, warnings, and informational events in MDM Gateway Server and MDM Device Management Server system event logs. All MDM gateway events are logged in the MDM Mobile VPN Connections event log and MDM Mobile VPN Policy Engine event log.

By using MDM Console, you can view the following MDM Gateway Server properties:

  • The name of the computer that is running Mobile Device Manager (MDM) Gateway Central Management (GCM)

  • The state of the MDM GCM service (Running or Stopped)

  • The state of synchronization (Unreachable, Error, Initializing, or Up to date)

  • The list of blocked devices

The key to isolating an issue is to determine whether the issue is specific to the client or to the virtual private network (VPN) gateway. VPN gateway issues frequently appear as symptoms on the client, such as an error message when the device tries to connect to the VPN gateway server. It is useful to obtain logging information from the device because it may point to an issue with the VPN server.

Client-Side Connectivity

Check the following items to troubleshoot issues with client-side connectivity to MDM Gateway Server:

  • Some Access Point Networks (APNs) filter the VPN ports used by Internet Key Exchange (IKE) and Internet Protocol Security Encapsulating Security Payload (IPsec ESP). If your device uses a filtered APN, the VPN will fail.

  • Before you start to enroll a device, make sure that you configure the device to use one of the supported APNs.

  • Before you test the connection, make sure that you delete all unnecessary General Packet Radio Service (GPRS) profiles.

MDM VPN Diagnostics Tool

MDM VPN Diagnostics Tool is an MDM utility that helps troubleshoot and determine potential VPN connection issues with managed Windows Mobile devices. Use this tool for testing only. For more information about how to use the tool, view the guide for the MDM VPN Diagnostics Tool.

VPNDiag.exe provides Status, Diagnosis, and Configuration screens, and lets you save and send VPN status reports. It lets you view the MDM VPN Diagnostics Tool log file (Ipsecvpnpm.txt) in the Program Files directory.

MDM Connect Now Tool, provided in MDM Client Tools, synchronizes a device with MDM Device Management Server through the VPN gateway. By default, the initial synchronization sessions are 5 to 15 minutes apart, and subsequent sessions are 8 hours apart. You can modify this setting to suit your particular requirements and environment. MDM Connect Now Tool forces an immediate synchronization.

To download MDM Connect Now Tool and MDM VPN Diagnostics Tool, see MDM Resource Kit Tools at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=108953 .

Enable Mobile VPN Logging on a Device

To enable and disable Mobile VPN logging on your Windows Mobile device, follow these steps:

  1. On the Start page, select Menu.

  2. Select Logging.

  3. Select Enable or Disable.

The MDM VPN Diagnostics Tool includes a Log Browser for viewing the VPN Service log file located at \Application Data\Logs\ipsecvpnpm.txt.

Using the Windows Mobile Network Analyzer PowerToy with MDM

To capture the network traffic (NetMon) log for analysis, run the start analyzer script in the Program directory. Run the stop analyzer script to stop the network logging. The log is stored in the NetworkLogs directory, or in the Storage Card\NetworkLogs directory if you use a storage card. For more information, view the readme file that accompanies the Windows Mobile Network Analyzer PowerToy.

To troubleshoot VPN issues on a Windows Mobile device:

  1. Install the Windows Mobile Network Analyzer PowerToy from this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=115657 .

  2. Install the MDM VPN Diagnostics Tool from this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=108953 .

  3. Start the MDM VPN Diagnostics Tool, select Menu, and then disable VPN.

  4. Make sure that you can browse the Internet using Internet Explorer Mobile, and that the data connection is working.

  5. Start the Windows Mobile Network Analyzer PowerToy to capture network traffic on the device.

  6. Enable VPN using the MDM VPN Diagnostics Tool.

  7. When the VPN connection fails, stop capturing network traffic, and save the trace file.

  8. View the VPNDiag report and the ipsecvpnpm.txt file from the device. For more instructions, see the readme file that accompanies the MDM VPN Diagnostics Tool.

Invalid Certificates Installed on Enrolled Device

MDM installs a device certificate when a device enrolls with MDM. You cannot see this certificate in the Certificates CPL UI. But you can see it using the MDM VPN Diagnostics Tool in diagnosis mode. Select Certificates, and then select Validate certificate chain.

You can also query all of the certificates installed on the device using the CertificateStore configuration service provider (CSP). For information about this CSP, please visit http://go.microsoft.com/fwlink/?LinkId=115659 . For an example on how to query the Certificate Store CSP, please visit http://go.microsoft.com/fwlink/?LinkId=115660 .

Certification Authority does not meet SCMDM Requirements

The server on which you install Certificate Services must meet MDM requirements. For information about the System Requirements for MDM Servers and Managed Devices, please visit http://go.microsoft.com/fwlink/?LinkId=108945 .

MDM does not support installing the certification authority on Windows Server 2008; doing so may cause VPN connection issues with devices.

MDM Gateway Server Certificates

The fully qualified domain name (FQDN) for MDM Gateway Server must exactly match the FQDN of the certificate in Internet Information Services (IIS). Make sure there is a private key associated with the certificate. Also make sure that the certificate chains appropriately. The Intermediate and Root Certification Authority certificates must be installed appropriately.

Validating the Gateway Server IP Address

During MDM Gateway Server installation, MDM does not validate if the specified IP and port combination corresponds to a valid socket on the computer. MDM Gateway Server installation might succeed, but the Web sites are not configured appropriately.

Gateway Installation Rolls Back with Certificate Error

This issue occurs if MDM Gateway Server Setup cannot find a certification authority (CA). It can also occur for the following reasons:

  • Setup provided an intermediate CA. A root CA must also be stored on the server.

  • More than one CA is used. MDM only supports one CA. All certificates issued must chain to the same root CA. The root CA can be offline, and does not have to be a Microsoft CA. However, the issuing CA must be online and a Microsoft CA.

To resolve this issue, follow these steps:

  • Make sure all certificates issued for MDM components chain to the same root CA.

  • Put the appropriate CA certificates in the correct certificate stores on MDM Gateway Server. This includes the root CA certificate in the Trusted Root Certification Authorities store, and the intermediate CA certificates in the Intermediate Certification Authorities store. For more information, see Creating Manual Certificates in the MDM Deployment Guide.

Setting the Gateway Server URI

This MDM Shell cmdlet enters the DNS name that maps to the IP Address for MDM Gateway Server into the database. If you use DNS load balancing for multiple computers that are running MDM Gateway Server, you should map all external IP addresses for all computers that are running MDM Gateway Server to the DNS name. Mobile devices enrolled with the incorrect MDM Gateway Server URI will try to contact that URI, but will be unmanageable until you correct the URI or re-enroll the device.

To set the enrollment configuration for the MDM Gateway Server URI, run the following cmdlet in MDM Shell:

Set-EnrollmentConfig -GatewayURI [External Gateway DNS

Gateway Sync Status Shows Error or None

This error indicates that either MDM Device Management Server is unable to contact MDM Gateway Server, or that MDM Gateway Server received the configuration settings but cannot process them. To resolve this issue, follow these steps:

  • Check the MDM event log on MDM Device Management Server, and the MDM Mobile VPN Policy engine or MDM Mobile VPN Connection settings on MDM Gateway Server.

  • If the event log on MDM Gateway Server contains no data, MDM Device Management Server could not access MDM Gateway Server. Check the MDM event log on MDM Device Management Server for errors.

  • If the event log on MDM Gateway Server contains data that is time-stamped to match the MDM Gateway Server configuration, MDM Device Management Server can access MDM Gateway Server. However, this means that the MDM Gateway Server properties have configuration problems. Check the MDM Mobile VPN Policy engine event log on MDM Gateway Server for errors. Common errors include entering invalid device IP address pools, or entering an FQDN or IP address for the MDM Gateway Server interface that is incorrect or cannot be resolved.

If MDM Device Management Server cannot reach the VPN internal interface, try the following:

  • Check the firewall log for traffic from MDM Device Management Server to MDM Gateway Server.

  • From MDM Device Management Server, ping the MDM Gateway Server IP address and FQDN.

  • From MDM Device Management Server, test the URL for MDM Gateway Server: https://<VPNServerName>.<domain>.com:443/Vpn/ApplyConfig.ashx. You should receive a certificate warning if the connection succeeds. Close the warning.

If the VPN external interface has errors, test the access to the interface from MDM Gateway Server and resolve any networking issues.
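The following PowerShell script is an added example, not part of the MDM documentation; it runs the DNS, ping, TCP and HTTPS checks listed above from MDM Device Management Server against the gateway's internal interface. It assumes PowerShell 2.0 or later, and the gateway FQDN and IP address in the parameters are placeholders that you replace with your own values.

```powershell
# Added example (not from the MDM documentation). Runs the DNS, ping, TCP and HTTPS
# checks from MDM Device Management Server against the gateway's internal interface.
# Requires PowerShell 2.0 or later. The FQDN and IP address below are placeholders.
param(
    [string]$GatewayFqdn = "VPNServerName.corp.example.com",  # placeholder
    [string]$GatewayIp   = "192.0.2.10",                      # placeholder
    [int]$Port           = 443
)

# 1. DNS: the FQDN must resolve, and it must resolve to the internal address you expect
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($GatewayFqdn) | ForEach-Object { $_.IPAddressToString }
    Write-Host ("DNS   {0} -> {1}" -f $GatewayFqdn, ($resolved -join ", "))
    if ($resolved -notcontains $GatewayIp) { Write-Warning "FQDN does not resolve to $GatewayIp; fix DNS first" }
} catch {
    Write-Warning ("DNS   {0} failed: {1}" -f $GatewayFqdn, $_.Exception.Message)
}

# 2. Ping the IP address and the FQDN. The back-end firewall may filter ICMP, so a
#    failure here is a hint, not proof.
foreach ($target in @($GatewayIp, $GatewayFqdn)) {
    try {
        $reply = (New-Object System.Net.NetworkInformation.Ping).Send($target, 2000)
        Write-Host ("ping  {0}: {1}" -f $target, $reply.Status)
    } catch {
        Write-Warning ("ping  {0} failed: {1}" -f $target, $_.Exception.Message)
    }
}

# 3. TCP 443. A socket that cannot open points at the firewall, not at certificates.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($GatewayIp, $Port)
    Write-Host ("TCP   {0}:{1} open" -f $GatewayIp, $Port)
} catch {
    Write-Warning ("TCP   {0}:{1} blocked or closed: {2}" -f $GatewayIp, $Port, $_.Exception.Message)
} finally {
    $tcp.Close()
}

# 4. HTTPS request to ApplyConfig.ashx. A trust failure is the "certificate warning" the
#    guide expects and still proves the gateway was reached; a timeout means it was not.
$url = "https://{0}:{1}/Vpn/ApplyConfig.ashx" -f $GatewayFqdn, $Port
$req = [System.Net.WebRequest]::Create($url)
$req.Timeout = 10000
try {
    $resp = $req.GetResponse()
    Write-Host ("HTTPS {0}: HTTP {1}" -f $url, [int]$resp.StatusCode)
    $resp.Close()
} catch {
    # PowerShell may wrap a .NET exception in a MethodInvocationException; unwrap it
    $we = $_.Exception
    if ($we -isnot [System.Net.WebException]) { $we = $we.InnerException }
    if ($we -is [System.Net.WebException] -and $we.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
        Write-Host "HTTPS reached the gateway, but its certificate is not trusted here (the expected warning); check the chain and FQDN"
    } elseif ($we -is [System.Net.WebException] -and $we.Response -ne $null) {
        Write-Host ("HTTPS reached the gateway; it answered HTTP {0}" -f [int]$we.Response.StatusCode)
    } else {
        Write-Warning ("HTTPS did not reach the gateway: {0}" -f $we.Message)
    }
}
```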

Enrolled Device Cannot Connect to Gateway

After you try to enroll a device, the device connection status shows that the device is enrolled. However, the device remains in the Pending Enrollments node in MDM Console.

After the device finishes its session with MDM Enrollment Server, it tries to attach to MDM Gateway Server. However, in MDM Console, the device remains in the Pending Enrollments list because it is not yet managed.

This issue indicates a problem with the device connection to MDM Device Management Server. Until the device can contact MDM Device Management Server and become managed, it remains in Pending Enrollments.

To resolve issues contacting MDM Device Management Server:

  • Check that the date and time are set correctly. The device validates its certificate date against its system clock, which can reset incorrectly if you remove and then reinsert the device battery.

  • Ping the IP address and URL to check MDM Gateway Server DNS name resolution.

  • Check that the necessary ports are not blocked. For example, a firewall might be blocking TCP port 8443 to MDM Device Management Server.

  • Check network connectivity because a persistent route is needed from MDM Gateway Server to the company network through the back-end firewall. You must have an additional route from the firewall server to the MDM client network through MDM Gateway Server. For example:

    • Route #1 (on the gateway): To add a route to the company network through the back-end firewall, run the following command at a command prompt.

      route -p add <corporate subnet> mask <subnet mask> <Firewall IP>
      
    • Route #2 (on the firewall): To add a route to the MDM client network through MDM Gateway Server, run the following command at a command prompt.

      route -p add <Client pool subnet> mask <subnet mask> <Gateway IP>
      
  • Check that VPN ports 500 and 4500 are open. IP Protocol ID 50 must be enabled on the firewall for both inbound and outbound filters, with Encapsulating Security Payload (ESP) forwarding allowed. In this situation, zero errors are recorded and the VPNDiag log looks correct, yet the device cannot access internal or external Web sites. The Ipsecvpnpm.txt file on the device shows that the client can send and receive IKE_INIT messages over UDP port 500, but times out when it sends IKE_AUTH messages over UDP port 4500. For more information about protocol 50 and enabling IPsec traffic through a firewall, see the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=111867 .

    To resolve this issue, open ports 500 and 4500 on MDM Gateway Server, and enable IP Protocol ID 50 on the Windows Firewall and any external firewalls or proxies. All these ports and protocols should be bi-directional. For more information about the necessary ports and protocols to enable, see Deployment Worksheets in the MDM Planning Guide.

  • Check that modified service connection points (SCPs) still match the information provisioned on the device. If you have manually updated the Active Directory SCP information for the Device Management SCP (DefaultDeviceManagement), it must match the information provisioned on the device.

    During enrollment, the device receives a provisioning .xml file that contains information about the location of the device management and VPN server. At a command prompt, run the following cmdlet to retrieve this information.

    Get-EnrollmentServiceLog | out-file C:\enrollmentservice.txt
    
    Compare the values, such as FQDN and port number, to the values in the keywords attribute in the DefaultDeviceManagement SCP, and then make any necessary corrections to the SCP values.

    For example, the provisioning .xml file from the Enrollment service log has the following information for TEE and VPN:

    TEE: "ADDR" value="SCMDMServer.test.Mydomain.com:8443/SCMDM2008/TEE/bin"
    VPN: "VPNServerName" value="192.168.0.98"
    
    However, the SCP keyword value changed at some point to the following:

    SCMDMServer.test.Mydomain.com:8909/SCMDM2008/TEE/bin
    
    To resolve this issue, change the port number back to 8443 in the SCP. For information about how to locate and modify MDM SCPs, see How to Modify the Active Directory Service Connection Points in the MDM Deployment Guide.
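The following PowerShell script is an added example, not part of the MDM documentation; it automates the comparison described above by reading the TEE address from the saved enrollment log and checking it against the keywords of the DefaultDeviceManagement SCP. It assumes PowerShell 2.0 or later, that the log saved with Get-EnrollmentServiceLog contains the ADDR parameter in the form shown in the excerpt above (`ADDR" value="host:port/path"`), and that the SCP keyword holds that same host:port/path string.

```powershell
# Added example (not from the MDM documentation). Compares the TEE address that the
# enrollment log shows was provisioned to the device with the keywords of the
# DefaultDeviceManagement SCP in Active Directory.
# Assumptions: the log contains ...ADDR" value="host:port/path" as in the guide's
# excerpt, and the SCP keyword holds the same host:port/path string.
param([string]$LogPath = "C:\enrollmentservice.txt")   # file written by Get-EnrollmentServiceLog

# Provisioned value: the last ADDR parameter in the log (the most recent enrollment)
$log   = Get-Content $LogPath | Out-String
$found = [regex]::Matches($log, 'ADDR"\s+value="([^"]+)"')
if ($found.Count -eq 0) { Write-Warning "No ADDR value found in $LogPath"; return }
$provisioned = $found[$found.Count - 1].Groups[1].Value

# SCP value: search the domain's default naming context for the DefaultDeviceManagement SCP
$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$searcher.Filter = "(&(objectClass=serviceConnectionPoint)(cn=DefaultDeviceManagement))"
[void]$searcher.PropertiesToLoad.Add("keywords")
$scp = $searcher.FindOne()
if ($scp -eq $null) { Write-Warning "DefaultDeviceManagement SCP not found"; return }
$keywords = @($scp.Properties["keywords"] | ForEach-Object { [string]$_ })

Write-Host "Provisioned on device : $provisioned"
Write-Host "SCP keywords          : $($keywords -join '; ')"
if ($keywords -contains $provisioned) {
    Write-Host "MATCH: the SCP still agrees with what the device was provisioned with."
} else {
    # The usual case from the guide: same host and path, but the port was changed (8443 -> 8909)
    $hostName = ($provisioned -split ':', 2)[0]
    $nearest  = @($keywords | Where-Object { $_ -like "${hostName}:*" })
    Write-Warning "MISMATCH: set the SCP keyword back to $provisioned (current SCP value: $($nearest -join '; '))"
}
```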

Performance Counters do not Update on MDM Gateway Server

When MDM Gateway Server is simply forwarding network traffic that is not related to MDM, where MDM Device Management Server is neither the source nor the destination of this network traffic, the network interface performance counters will not be updated. This is because the IM Driver IPSecVPN.sys that MDM Gateway Server installs is located below the TCP/IP stack.

Unreachable Gateway Server

In the MDM Administrator Console, you might add an MDM Gateway Server and its status is Unreachable. You might also see events 5257 and 5258 in your event logs. For more information about these events, see the MDM Error and Event Messages topic in the MDM Operations Guide.

If MDM Device Management Server can establish an SSL connection to MDM Gateway Server and can resolve the gateway server name through DNS, then this issue might be caused by the GCM certificate that is installed in the local computer certificate store.

The MDM Certificate Tool helps you to request certificates for Global Certification Manager (GCM), MDM Device Management Server, MDM Enrollment Server, and MDM Self Service Portal. You can also set Access Control Lists (ACLs) on certificates, place requested certificates in the correct store, and invalidate GCM certificates. To download the MDM Certificate Tool, see MDM Resource Kit Tools at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=108953 .

If you use the MDM Certificate tool, or install the GCM certificate manually and restart the GCM service, and the errors still appear, then this might indicate a problem with your Certification Authorities or PKI infrastructure.

If you installed the enrollment service, you might also see event 2002.

To diagnose that this is an issue with the CRLs or CRL revocation, do the following:

  1. Go to the MDM Device Management Server.

  2. Open the local computer personal certificates store.

  3. Sort the certificates by intended purpose.

  4. Find the GCM certificates, which have an intended purpose of 1.3.6.1.4.1.311.65.1.1, Client Authentication.

  5. Double-click one of these certificates.

  6. On the Details tab, select Copy to File.

    The Certificate Export Wizard appears.

  7. On the Welcome to the Certificate Export Wizard page, choose Next.

  8. On the Export File Format page, make sure that DER encoded binary X.509 (.CER) is selected, and then choose Next.

  9. On the File to Export page, type a file name such as gcmCert, and then choose Next.

  10. On the Completing the Certificate Export Wizard page, choose Finish.

  11. In the Certificate Export Wizard dialog box informing you that the export was successful, choose OK.

  12. Make sure that the proxy settings are correct in the computer context (for example, by using proxycfg.exe).

  13. Open a command prompt window.

  14. Run the following command:

    certutil -f -urlfetch -verify c:\gcmcert.cer
    
  15. Write the output to a file by using the > redirection operator.

  16. In the output, look for the line Leaf certificate revocation check passed.

  17. Also look for the following statements:

    • Expired "Delta CRL (1633)" Time: 0

    • [0.0.1] <crl location>
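The following PowerShell script is an added example, not part of the MDM documentation; it automates steps 2 to 11 and 13 to 17 above for every GCM certificate in the local computer personal store and flags the lines you are told to look for. It assumes PowerShell 2.0 or later and certutil.exe on the path; the output folder is a placeholder, and step 12 (proxy settings) is not covered.

```powershell
# Added example (not from the MDM documentation). Automates steps 2 to 11 and 13 to 17
# above for every GCM certificate in the local computer personal store. Requires
# PowerShell 2.0 or later and certutil.exe; step 12 (proxy settings) is not covered.
param([string]$OutDir = "C:\gcmcheck")   # placeholder output folder
$GcmEku = "1.3.6.1.4.1.311.65.1.1"       # intended purpose the guide uses to identify GCM certificates
$Der    = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert   # DER encoded binary X.509 (.CER)
if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

# Steps 2-4: certificates in LocalMachine\My whose Enhanced Key Usage contains the GCM OID
$gcmCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ekus = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    @($ekus | ForEach-Object { $_.EnhancedKeyUsages } | Where-Object { $_.Value -eq $GcmEku }).Count -gt 0
}
if (-not $gcmCerts) { Write-Warning "No certificate with EKU $GcmEku in LocalMachine\My"; return }

foreach ($c in $gcmCerts) {
    # Steps 5-11: export to a .cer file named by thumbprint, so several GCM certificates do not collide
    $cerPath = Join-Path $OutDir ("gcmCert-{0}.cer" -f $c.Thumbprint)
    [System.IO.File]::WriteAllBytes($cerPath, $c.Export($Der))

    # Steps 13-15: run certutil and keep its full output beside the certificate
    $logPath = [System.IO.Path]::ChangeExtension($cerPath, ".txt")
    $output  = (& certutil -f -urlfetch -verify $cerPath 2>&1) | Out-String
    Set-Content -Path $logPath -Value $output

    # Steps 16-17: the lines the guide tells you to look for
    $lines   = $output -split "`r?`n"
    $leafOk  = $output -match "Leaf certificate revocation check passed"
    $expired = @($lines | Where-Object { $_ -match 'Expired\s+"Delta CRL' })
    $crlRefs = @($lines | Where-Object { $_ -match '^\s*\[\d+\.\d+\.\d+\]\s*\S' })

    Write-Host ("{0} (valid until {1})" -f $c.Subject, $c.NotAfter)
    Write-Host ("  leaf revocation check passed : {0}" -f $leafOk)
    Write-Host ("  CRL/AIA references           : {0}" -f $crlRefs.Count)
    if ($expired.Count -gt 0) {
        Write-Warning "  expired delta CRL reported; re-publish the delta CRL on the CA:"
        $expired | ForEach-Object { Write-Warning ("    " + $_.Trim()) }
    }
    Write-Host ("  full certutil output         : {0}" -f $logPath)
}
```

If the script reports an expired delta CRL, follow the Publish steps for the certification authority that the guide gives next.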

To resolve this issue, use the following steps to re-publish the delta CRL so that this check succeeds.

  1. From the Start menu, point to All Programs, point to Administrative Tools, and then choose Certification Authority.

  2. In Certification Authority, expand the certification authority server name, right-click Revoked Certificates, point to All Tasks, and then choose Publish.

  3. In the Publish CRL dialog box, choose Delta CRL only, and then choose OK.

Alternatively, you can place the CRLs in the appropriate folder in the CRL publishing location.

ISA Server Denies Device Connection with Spoofing Packet Dropped Error

If the address range assigned to MDM Gateway Server is not routable in the intranet, then ISA Server does not allow these addresses to be forwarded. Instead, ISA Server returns the error Denied Connection - FWX_E_FWE_SPOOFING_PACKET_DROPPED .

To resolve this issue, add the address range to the internal-facing network adapter so that one address in the address range (which is on the same subnet) is added to one of the network adapters on the ISA Server. Thereafter, ISA Server checks for the address, finds it on the network adapter of the server, and allows the traffic through without the error.

Cannot Disable IP Address Assigned by Gateway Server

You cannot disable the IP address assignment functionality of the MDM Gateway Server while maintaining the functionality of the Mobile VPN tunnel. For example, you cannot use a different DHCP server to assign IP addresses.

You can disable the Mobile VPN connection portion only for the device, but MDM Device Management Server must be reachable from the device connection point (for example, Wi-Fi access point or other access point network). This configuration is particularly useful for devices connected to a Wi-Fi corporate network. However, you should not disable the Mobile VPN connections for Internet-connected devices because the Mobile VPN connections help to increase the security of your deployment.

Routing Mobile VPN-Connected Clients to Internal Servers

You must configure a router for the network traffic from MDM Gateway Server to the servers in the internal network. The IP address pool for the Mobile VPN connections must be on a unique subnet, where the IP address range does not overlap with existing subnets in your network.

To validate that network traffic is able to pass between MDM Gateway Server and MDM Device Management Server, download and run the MDM Best Practices Analyzer tool from this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=115900 .

For information on configuring the IP address pool for MDM, see the MDM Operations Guide at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=115901 .