This section lists common issues encountered with Mobile Device Manager (MDM) Gateway Server. The MDMsetup.log file does not record the installation of MDM Gateway Server or other MSI-based installations, such as prerequisite applications. However, MDM Gateway Server installation creates a VpnGateway.log file in the Temp directory on the MDM Gateway Server if launched from the MDM Setup menu. Or you can create it using the /L or /L*v parameters at the command line.
MDM Gateway Server installation consists of the following steps:
- Configure the VPN Gateway certificates (manual process).
- Install the VPN Gateway Server.
- Set the Gateway Server URI; this is not needed for Gateway installation, but for devices to connect after enrollment.
- Configure the Gateway in the Add New Gateway Wizard.
General MDM Gateway Server Troubleshooting
Look for errors, warnings, and informational events in MDM Gateway Server and MDM Device Management Server system event logs. All MDM gateway events are logged in the MDM Mobile VPN Connections event log and MDM Mobile VPN Policy Engine event log.
By using MDM Console, you can view the following MDM Gateway Server properties:
- The name of the computer that is running Mobile Device Manager (MDM) Gateway Central Management (GCM)
- The state of the MDM GCM service (Running or Stopped)
- The state of synchronization (Unreachable, Error, Initializing, or Up to date)
- The list of blocked devices
The key to isolating an issue is to determine whether the issue is specific to the client or to the virtual private network (VPN) gateway. VPN gateway issues frequently appear as symptoms on the client, such as an error message when the device tries to connect to the VPN gateway server. It is useful to obtain logging information from the device because it may point to an issue with the VPN server.
Client-Side Connectivity
Check the following items to troubleshoot issues with client-side connectivity to MDM Gateway Server:
- Some Access Point Networks (APNs) filter the VPN ports, Internet Key Exchange (IKE) and Internet Protocol Security Encapsulating Security Payload (IPsec ESP). If your device uses a filtered APN, the VPN will fail.
- Before you start to enroll a device, make sure that you configure the device to use one of the supported APNs.
- Before you test the connection, make sure that you delete all unnecessary General Packet Radio Service (GPRS) profiles.
MDM VPN Diagnostics Tool
MDM VPN Diagnostics Tool is an MDM utility that helps troubleshoot and determine potential VPN connection issues with managed Windows Mobile devices. Use this tool for testing only. For more information about how to use the tool, view the guide for the MDM VPN Diagnostics Tool.
VPNDiag.exe provides Status, Diagnosis, and Configuration screens, and lets you save and send VPN status reports. It lets you view the MDM VPN Diagnostics Tool log file (Ipsecvpnpm.txt) in the Program Files directory.
MDM Connect Now Tool, provided in MDM Client Tools, synchronizes a device with MDM Device Management Server through the VPN gateway. By default, the first synchronization sessions are 5 to 15 minutes apart, and subsequent sessions are 8 hours apart. You can modify this setting to suit your particular requirements and environment. MDM Connect Now Tool forces an immediate synchronization.
To download MDM Connect Now Tool and MDM VPN Diagnostics Tool, see MDM Resource Kit Tools at this Microsoft Web site:
Enable Mobile VPN Logging on a Device
To enable and disable Mobile VPN logging on your Windows Mobile device, follow these steps:
- On the Start page, select Menu.
- Select Logging.
- Select Enable or Disable.
The MDM VPN Diagnostics Tool includes a Log Browser for viewing the VPN Service log file located at \Application Data\Logs\ipsecvpnpm.txt.
Using the Windows Mobile Network Analyzer PowerToy with MDM
To capture the network traffic (NetMon) log for analysis, run the start analyzer script in the Program directory. Run the stop analyzer script to stop the network logging. The log is stored in the NetworkLogs directory, or in the Storage Card\NetworkLogs directory if you are using a storage card. For more information, view the readme file that accompanies the Windows Mobile Network Analyzer PowerToy.
To troubleshoot VPN issues on a Windows Mobile device:
- Install the Windows Mobile Network Analyzer PowerToy from this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=115657
- Install the MDM VPN Diagnostics Tool from this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=108953
- Start the MDM VPN Diagnostics Tool, select Menu, and then disable VPN.
- Make sure that you can browse the Internet using Internet Explorer Mobile, and that the data connection is working.
- Start the Windows Mobile Network Analyzer PowerToy to capture network traffic on the device.
- Enable VPN using the MDM VPN Diagnostics Tool.
- When the VPN connection fails, stop capturing network traffic, and save the trace file.
- View the VPNDiag report and the ipsecvpnpm.txt file from the device. For more instructions, see the readme file that accompanies the MDM VPN Diagnostics Tool.
Invalid Certificates Installed on Enrolled Device
MDM installs a device certificate when a device enrolls with MDM. You cannot see this certificate in the Certificates CPL UI. But you can see it using the MDM VPN Diagnostics Tool in diagnosis mode. Select Certificates, and then select Validate certificate chain.
You can also query all of the certificates installed on the device using the CertificateStore configuration service provider (CSP). For information about this CSP, please visit
Certification Authority does not meet SCMDM Requirements
The server on which you install Certificate Services must meet MDM requirements. For information about the System Requirements for MDM Servers and Managed Devices, please visit
MDM does not support installing the certification authority on Windows Server 2008; doing so may cause VPN connection issues with devices.
MDM Gateway Server Certificates
The fully qualified domain name (FQDN) for MDM Gateway Server must exactly match the FQDN of the certificate in Internet Information Services (IIS). Make sure there is a private key associated with the certificate. Also make sure that the certificate chains appropriately. The Intermediate and Root Certification Authority certificates must be installed appropriately.
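The three conditions above (exact FQDN match, private key present, chain builds through the installed intermediate and root CA certificates) can be checked from the local computer's Personal store. This is an added example, not a script from the MDM documentation; $GatewayFqdn is a placeholder and it assumes Windows PowerShell with the .NET X509 classes available.

```powershell
# Added example (not MDM documentation code). Checks the MDM Gateway Server
# certificate in LocalMachine\My against the FQDN devices connect to.
$GatewayFqdn = 'gateway.example.com'   # placeholder: the gateway FQDN as used in IIS

function Test-GatewayCertificate([string]$Fqdn) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        # GetNameInfo(DnsName) returns the SAN DNS name or the subject CN.
        # The match must be exact, as the page requires.
        $certs = @($store.Certificates | Where-Object { $_.GetNameInfo('DnsName', $false) -eq $Fqdn })
    } finally { $store.Close() }

    if ($certs.Count -eq 0) {
        Write-Warning "No certificate in LocalMachine\My carries the DNS name $Fqdn"
        return
    }
    foreach ($cert in $certs) {
        # Build the chain with online revocation checking; a failure here usually
        # means the intermediate or root CA certificate is missing from its store.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chainOk = $chain.Build($cert)
        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey          # IIS cannot serve TLS without it
            ChainBuilds   = $chainOk
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            ChainPath     = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        }
    }
}

Test-GatewayCertificate $GatewayFqdn | Format-List
```

Run it on MDM Gateway Server; ChainStatus names the exact reason (for example UntrustedRoot or PartialChain) when ChainBuilds is False.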
Validating the Gateway Server IP Address
During MDM Gateway Server installation, MDM does not validate if the specified IP and port combination corresponds to a valid socket on the computer. MDM Gateway Server installation might succeed, but the Web sites are not configured appropriately.
Gateway Installation Rolls Back with Certificate Error
This issue occurs if MDM Gateway Server Setup cannot find a certification authority (CA). It can also occur for the following reasons:
- Setup provided an intermediate CA. A root CA must also be stored on the server.
- More than one CA is used. MDM only supports one CA. All certificates issued must chain to the same root CA. The root CA can be offline, and does not have to be a Microsoft CA. However, the issuing CA must be online and a Microsoft CA.
To resolve this issue, follow these steps:
- Make sure all certificates issued for MDM components chain to the same root CA.
- Put the appropriate CA certificates in the correct certificate stores on MDM Gateway Server. This includes the CA certificate in the Trusted Root Certification Authorities store, and the intermediate CA certificates in the Intermediate Certification Authorities store. For more information, see Creating Manual Certificates in the MDM Deployment Guide.
Setting the Gateway Server URI
This MDM Shell cmdlet enters the DNS name that maps to the IP Address for MDM Gateway Server into the database. If you use DNS load balancing for multiple computers that are running MDM Gateway Server, you should map all external IP addresses for all computers that are running MDM Gateway Server to the DNS name. Mobile devices enrolled with the incorrect MDM Gateway Server URI will try to contact that URI, but will be unmanageable until you correct the URI or re-enroll the device.
To set the enrollment configuration for the MDM Gateway Server URI, run the following cmdlet in MDM Shell:
Set-EnrollmentConfig -GatewayURI [External Gateway DNS
Gateway Sync Status Shows Error or None
This error indicates that either MDM Device Management Server is unable to contact MDM Gateway Server, or that MDM Gateway Server received the configuration settings but cannot process them. To resolve this issue, follow these steps:
- Check the MDM event log on MDM Device Management Server, and the MDM Mobile VPN Policy Engine or MDM Mobile VPN Connections event log on MDM Gateway Server.
- If the event log on MDM Gateway Server contains no data, MDM Device Management Server could not access MDM Gateway Server. Check the MDM event log on MDM Device Management Server for errors.
- If the event log on MDM Gateway Server contains data that is time-stamped to match the MDM Gateway Server configuration, MDM Device Management Server can access MDM Gateway Server. However, this means that the MDM Gateway Server properties have configuration problems. Check the MDM Mobile VPN Policy Engine event log on MDM Gateway Server for errors. Common errors include entering invalid device IP address pools, or an incorrect FQDN or IP address for the MDM Gateway Server interface, or one that cannot be resolved.
If MDM Device Management Server cannot reach the VPN internal interface, try the following:
- Check the firewall log for traffic from MDM Device Management Server to MDM Gateway Server.
- From MDM Device Management Server, ping the MDM Gateway Server IP address and FQDN.
- From MDM Device Management Server, test the URL for MDM Gateway Server: https://<VPNServerName>.<domain>.com:443/Vpn/ApplyConfig.ashx . You should receive a certificate warning if the connection succeeds. Close the warning.
If the VPN external interface has errors, test the access to the interface from MDM Gateway Server and resolve any networking issues.
Enrolled Device Cannot Connect to Gateway
After you try to enroll a device, the device connection status shows that the device is enrolled. However, the device remains in the Pending Enrollments node in MDM Console.
After the device finishes its session with MDM Enrollment Server, it tries to attach to MDM Gateway Server. However, in MDM Console, the device remains in the Pending Enrollments list because it is not yet managed.
This issue indicates a problem with the device connection to MDM Device Management Server. Until the device can contact MDM Device Management Server and become managed, it remains in Pending Enrollments.
To resolve issues contacting MDM Device Management Server:
- Check that the date and time are set correctly. The device validates its certificate date against its system clock, which can reset incorrectly if you remove and then reinsert the device battery.
- Ping the IP address and URL to check MDM Gateway Server DNS name resolution.
- Check that the necessary ports are not blocked. For example, a firewall might be blocking TCP port 8443 to MDM Device Management Server.
- Check network connectivity, because a persistent route is needed from MDM Gateway Server to the company network through the back-end firewall. You must have an additional route from the firewall server to the MDM client network through MDM Gateway Server. For example:
  - Route #1 (on the gateway): To add a route to the company network through the back-end firewall, run the following command at a command prompt:
    route -p add <corporate subnet> mask <subnet mask> <Firewall IP>
  - Route #2 (on the firewall): To add a route to the MDM client network through MDM Gateway Server, run the following command at a command prompt:
    route -p add <Client pool subnet> mask <subnet mask> <Gateway IP>
- Check that VPN ports 500 and 4500 are open. IP Protocol ID 50 must be enabled on the firewall for both inbound and outbound filters, with Encapsulating Security Payload (ESP) forwarding allowed. When it is not, zero errors are recorded and the VPNDiag log looks correct, but the device cannot access internal or external Web sites. The Ipsecvpnpm.txt file on the device indicates that the client can send and receive IKE_INIT messages over UDP port 500, but it times out when it sends IKE_AUTH messages over UDP port 4500. For more information about protocol 50 and enabling IPsec traffic through a firewall, see the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=111867
  To resolve this issue, open ports 500 and 4500 on MDM Gateway Server, and enable IP Protocol ID 50 on the Windows Firewall and any external firewalls or proxies. All these ports and protocols should be bi-directional. For more information about the necessary ports and protocols to enable, see Deployment Worksheets in the MDM Planning Guide.
- Check that modified service connection points (SCPs) still match the information provisioned on the device. If you have manually updated the Active Directory SCP information for the Device Management SCP (DefaultDeviceManagement), it must match the information provisioned on the device.
During enrollment, the device receives a provisioning .xml file that contains information about the location of the device management and VPN server. At a command prompt, run the following cmdlet to retrieve this information.
Get-EnrollmentServiceLog | out-file C:\enrollmentservice.txt
For example, the provisioning .xml file from the Enrollment service log has the following information for TEE and VPN:
TEE: "ADDR" value="SCMDMServer.test.Mydomain.com:8443/SCMDM2008/TEE/bin"
VPN: "VPNServerName" value="192.168.0.98"
SCMDMServer.test.Mydomain.com:8909/SCMDM2008/TEE/bin
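The checklist above (DNS resolution, TCP port 8443 to MDM Device Management Server, and provisioned values that still match what the device was given) can be driven from the exported enrollment service log. This is an added example and not part of the MDM documentation; the log text is a constructed sample in the shape the page shows, and the script assumes Windows PowerShell 2.0 or later with the .NET networking classes.

```powershell
# Added example (not MDM documentation code). Pulls the TEE and VPN endpoints out
# of an exported enrollment service log and tests name resolution and TCP reachability.
# Constructed sample; in practice use: $logText = Get-Content C:\enrollmentservice.txt | Out-String
$logText = @'
... TEE: "ADDR" value="SCMDMServer.test.Mydomain.com:8443/SCMDM2008/TEE/bin" ...
... VPN: "VPNServerName" value="192.168.0.98" ...
'@

function Get-ProvisionedEndpoints([string]$Log) {
    $tee = [regex]::Match($Log, '"ADDR"\s+value="([^"]+)"')
    $vpn = [regex]::Match($Log, '"VPNServerName"\s+value="([^"]+)"')
    if (-not $tee.Success -or -not $vpn.Success) { throw 'TEE ADDR or VPNServerName not found in the log' }
    $hostPort, $path = $tee.Groups[1].Value -split '/', 2   # "host:port" and the TEE path
    $teeHost, $teePort = $hostPort -split ':'
    New-Object PSObject -Property @{
        TeeHost = $teeHost; TeePort = [int]$teePort; TeePath = "/$path"; VpnServer = $vpn.Groups[1].Value
    }
}

function Test-Endpoint([string]$Name, [int]$Port, [int]$TimeoutMs = 3000) {
    # Resolves the name (an IP literal resolves to itself) and opens a TCP connection.
    # UDP 500/4500 cannot be probed this way; check those with the firewall rules instead.
    $r = New-Object PSObject -Property @{ Name = $Name; Port = $Port; Resolves = $false; Address = $null; TcpOpen = $false }
    try {
        $addr = [System.Net.Dns]::GetHostAddresses($Name) | Select-Object -First 1
        $r.Resolves = $true; $r.Address = $addr.IPAddressToString
    } catch { return $r }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($addr, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { $client.EndConnect($async); $r.TcpOpen = $true }
    } catch { } finally { $client.Close() }
    return $r
}

$p = Get-ProvisionedEndpoints $logText
# Compare against the value you set manually in the DefaultDeviceManagement SCP
# (placeholder: paste the SCP value here before running).
$expectedTee = 'SCMDMServer.test.Mydomain.com:8443/SCMDM2008/TEE/bin'
if (("{0}:{1}{2}" -f $p.TeeHost, $p.TeePort, $p.TeePath) -ne $expectedTee) {
    Write-Warning 'Provisioned TEE address differs from the SCP; the device must be re-enrolled or the SCP corrected'
}
Test-Endpoint $p.TeeHost $p.TeePort | Format-List    # MDM Device Management Server, TCP 8443
Test-Endpoint $p.VpnServer 443      | Format-List    # MDM Gateway Server, TCP 443
```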
Performance Counters do not Update on MDM Gateway Server
When MDM Gateway Server is simply forwarding network traffic that is not related to MDM, where MDM Device Management Server is neither the source nor the destination of this network traffic, the network interface performance counters will not be updated. This is because the IM Driver IPSecVPN.sys that MDM Gateway Server installs is located below the TCP/IP stack.
Unreachable Gateway Server
In the MDM Administrator Console, you might add an MDM Gateway Server and its status is Unreachable. You might also see events 5257 and 5258 in your event logs. For more information about these events, see the MDM Error and Event Messages topic in the MDM Operations Guide.
If the MDM Device Management Server is able to establish an SSL connection to the MDM Gateway Server, and is able to resolve the server name through DNS from the MDM Device Management Server, then this issue might be the GCM certificate that is installed in the local computer certificate store.
The MDM Certificate Tool helps you to request certificates for Global Certification Manager (GCM), MDM Device Management Server, MDM Enrollment Server, and MDM Self Service Portal. You can also set Access Control Lists (ACLs) on certificates, place requested certificates in the correct store, and invalidate GCM certificates. To download the MDM Certificate Tool, see MDM Resource Kit Tools at this Microsoft Web site:
If you use the MDM Certificate tool, or install the GCM certificate manually and restart the GCM service, and the errors still appear, then this might indicate a problem with your Certification Authorities or PKI infrastructure.
If you installed the enrollment service, you might also see event 2002.
To diagnose that this is an issue with the CRLs or CRL revocation, do the following:
- Go to the MDM Device Management Server.
- Open the local computer personal certificates store.
- Sort the certificates by intended purpose.
- Find the GCM certificates, which have an intended purpose of 1.3.6.1.4.1.311.65.1.1, Client Authentication.
- Double-click one of these certificates.
- On the Details tab, select Copy to File. The Certificate Export Wizard appears.
- On the Welcome to the Certificate Export Wizard page, choose Next.
- On the Export File Format page, make sure that DER encoded binary X.509 (.CER) is selected, and then choose Next.
- On the File to Export page, type a file name such as gcmCert, and then choose Next.
- On the Completing the Certificate Export Wizard page, choose Finish.
- In the Certificate Export Wizard dialog box informing you that the export was successful, choose OK.
- Make sure that the proxy settings are correct in the computer context (as shown by proxycfg.exe).
- Open a command prompt window.
- Run the following command:
  certutil -f -urlfetch -verify c:\gcmcert.cer
- Write the output to a file using the ">" redirection operator.
- In the output, look for the line Leaf certificate revocation check passed.
- Also look for the following statements:
  - Expired "Delta CRL (1633)" Time: 0
  - [0.0.1] <crl location>
  - Expired "Delta CRL (1633)" Time: 0
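The export and certutil steps above can be run for every GCM certificate at once, so the revocation check is repeatable rather than a one-off wizard session. This is an added example, not a script from the MDM documentation; it assumes Windows PowerShell on MDM Device Management Server with certutil.exe on the path, and writes the exported .cer files to the temp directory.

```powershell
# Added example (not MDM documentation code). Finds the GCM certificates by their
# intended purpose, exports each as DER, and parses the certutil -urlfetch -verify output.
$GcmEkuOid = '1.3.6.1.4.1.311.65.1.1'   # GCM intended purpose, as given on the page

function Get-GcmCertificates {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $store.Certificates | Where-Object {
            # 2.5.29.37 is the Enhanced Key Usage extension
            $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            $eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $GcmEkuOid)
        }
    } finally { $store.Close() }
}

function Test-GcmCertificateRevocation($Cert, [string]$ExportPath) {
    # Same as the wizard's "DER encoded binary X.509 (.CER)" export
    [IO.File]::WriteAllBytes($ExportPath, $Cert.Export('Cert'))
    $output = & certutil.exe -f -urlfetch -verify $ExportPath 2>&1 | Out-String
    New-Object PSObject -Property @{
        Thumbprint      = $Cert.Thumbprint
        NotAfter        = $Cert.NotAfter
        LeafCheckPassed = [bool]($output -match 'Leaf certificate revocation check passed')
        ExpiredDeltaCrl = [bool]($output -match 'Expired "Delta CRL')
        # CRL/AIA locations certutil tried, printed as "[0.0.1] <url>"
        Urls            = [regex]::Matches($output, '\[\d+\.\d+\.\d+\]\s+(\S+)') | ForEach-Object { $_.Groups[1].Value }
    }
}

$results = Get-GcmCertificates | ForEach-Object {
    Test-GcmCertificateRevocation $_ (Join-Path $env:TEMP ("gcmCert-{0}.cer" -f $_.Thumbprint))
}
$results | Format-Table Thumbprint, NotAfter, LeafCheckPassed, ExpiredDeltaCrl -AutoSize
$results | Where-Object { -not $_.LeafCheckPassed -or $_.ExpiredDeltaCrl } | ForEach-Object {
    Write-Warning ("Revocation check problem for {0}; locations tried: {1}" -f $_.Thumbprint, ($_.Urls -join ', '))
}
```

An ExpiredDeltaCrl of True with LeafCheckPassed False is the condition the re-publish steps that follow are meant to clear.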
To resolve this issue, use the following steps to re-publish the delta CRL so that this check succeeds.
- From the Start menu, point to All Programs, point to Administrative Tools, and then choose Certification Authority.
- In Certification Authority, expand the certification authority server name, right-click Revoked Certificates, point to All Tasks, and then choose Publish.
- In the Publish CRL dialog box, choose Delta CRL only, and then choose OK.
Alternatively, you can place the CRLs in the appropriate folder in the crl publishing location.
ISA Server Denies Device Connection with Spoofing Packet Dropped Error
If the address range assigned to MDM Gateway Server is not routable in the intranet, then ISA Server does not allow these addresses to be forwarded. Instead, ISA Server returns the error Denied Connection - FWX_E_FWE_SPOOFING_PACKET_DROPPED.
To resolve this issue, add the address range to the internal-facing network adapter so that one address in the address range (which is on the same subnet) is added to one of the network adapters on the ISA Server. Thereafter, ISA Server checks for the address, finds it on the network adapter of the server, and allows the traffic through without the error.
Cannot Disable IP Address Assigned by Gateway Server
You cannot disable the IP address assignment functionality of the MDM Gateway Server while maintaining the functionality of the Mobile VPN tunnel. For example, you cannot use a different DHCP server to assign IP addresses.
You can disable the Mobile VPN connection portion only for the device, but MDM Device Management Server must be reachable from the device connection point (for example, Wi-Fi access point or other access point network). This configuration is particularly useful for devices connected to a Wi-Fi corporate network. However, you should not disable the Mobile VPN connections for Internet-connected devices because the Mobile VPN connections help to increase the security of your deployment.
Routing Mobile VPN-Connected Clients to Internal Servers
You must configure a router for the network traffic from MDM Gateway Server to the servers in the internal network. The IP address pool for the Mobile VPN connections must be on a unique subnet, where the IP address range does not overlap with existing subnets in your network.
To validate that network traffic is able to pass between MDM Gateway Server and MDM Device Management Server, download and run the MDM Best Practices Analyzer tool from this Microsoft Web site:
For information on configuring the IP address pool for MDM, see the MDM Operations Guide at this Microsoft Web site: