11/11/2008

After a device successfully finishes the enrollment process, it uses its Mobile virtual private network (VPN) client to connect to Mobile Device Manager (MDM) Gateway Server. The Mobile VPN client uses IPsec to authenticate and encrypt the data passed between the device and MDM Gateway Server. After authentication, you can manage the device over Mobile VPN, and the device can access your company network resources in a controlled manner.

Note:
MDM manages network traffic from wireless wide area network (WWAN) and Wi-Fi connections only. It does not manage remote network driver interface specification (RNDIS) connections, or personal area network (PAN) connections, such as Bluetooth or Infrared Data Association (IrDA).

The following illustration shows how a Windows Mobile device creates a connection to MDM Gateway Server:

The Windows Mobile device must create an IPsec tunnel to MDM Gateway Server to access the internal resources of your organization. The following steps show how the VPN tunnel is created:

  1. The device begins an Internet Key Exchange version 2 (IKEv2) connection request by using the Mobile VPN client software that is included in Windows Mobile 6.1.

  2. MDM Gateway Server receives the connection request and starts an IKEv2 or IKEv2 Mobility and Multihoming (MOBIKE) negotiation with the device.

  3. During this negotiation:

    • To authenticate the device, MDM Gateway Server verifies with the certification authority that the machine certificate of the device is valid.

    • The device verifies that the machine certificate for MDM Gateway Server is valid and trusted.

    • The device and MDM Gateway Server negotiate the Mobile VPN connection parameters.

    If all of these checks complete successfully, the device and server have mutually authenticated each other.

  4. The device then requests or renews a virtual IP address from MDM Gateway Server. The server first checks that this is the only connection it has with the device (only one connection per device is allowed), and then issues an IP address from the Mobile VPN address pool that was configured during MDM Gateway Server Setup. If the device has previously connected to MDM Gateway Server, it can request the same virtual IP address it was assigned before, and MDM Gateway Server assigns that address if it is still available.

  5. The device uses the IP address received from the server as the virtual IP address for the IPsec connection. After the IP address is assigned and the connection parameters negotiation is complete, an IPsec-encrypted tunnel can be set up between the device and server.

  6. From this point on, all network traffic to and from the device is forwarded through the IPsec tunnel.
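The virtual IP address assignment in step 4 has two rules worth seeing in working code: a device may hold only one Mobile VPN connection at a time, and a reconnecting device may ask for the address it held before and gets it only if that address is still free. The following is an added example written for this page, not code from MDM Gateway Server; the class name `VirtualIpPool`, the device identifiers and the `10.99.0.0/29` pool are assumptions chosen for the illustration.

```python
"""Model of the Mobile VPN virtual IP address assignment described in
step 4 (added illustration, not Microsoft's MDM Gateway Server code)."""
import ipaddress
from typing import Dict, Optional


class VirtualIpPool:
    """Tracks which virtual IP addresses in the configured pool are leased
    to which device and enforces one active connection per device."""

    def __init__(self, cidr: str) -> None:
        net = ipaddress.ip_network(cidr)
        # Usable host addresses of the pool configured at Setup (assumed CIDR).
        self._free = [str(ip) for ip in net.hosts()]
        self._leases: Dict[str, str] = {}  # device_id -> virtual IP

    def request(self, device_id: str, preferred: Optional[str] = None) -> str:
        """Issue a virtual IP to a device that has completed IKEv2 authentication."""
        # Step 4: the server refuses a second concurrent connection from a device.
        if device_id in self._leases:
            raise ConnectionRefusedError(
                f"{device_id} already has an active Mobile VPN connection")
        if not self._free:
            raise RuntimeError("Mobile VPN address pool exhausted")
        # Honour the previously assigned address if it is still available;
        # otherwise hand out the next free address from the pool.
        if preferred is not None and preferred in self._free:
            ip = preferred
            self._free.remove(ip)
        else:
            ip = self._free.pop(0)
        self._leases[device_id] = ip
        return ip

    def release(self, device_id: str) -> None:
        """Tunnel tear-down returns the address to the pool."""
        ip = self._leases.pop(device_id)
        self._free.append(ip)

    def lease_of(self, device_id: str) -> Optional[str]:
        return self._leases.get(device_id)


def demo() -> dict:
    """Walk through the scenarios step 4 describes and return the outcomes."""
    pool = VirtualIpPool("10.99.0.0/29")                 # constructed pool, 6 hosts
    first = pool.request("device-A")                      # fresh device gets first address
    try:
        pool.request("device-A")                          # second concurrent connection
        duplicate_refused = False
    except ConnectionRefusedError:
        duplicate_refused = True
    pool.release("device-A")                              # device-A disconnects
    other = pool.request("device-B", preferred=first)     # B asks for, and gets, A's old IP
    reconnect = pool.request("device-A", preferred=first) # A's old IP is taken: new one issued
    return {"first": first, "duplicate_refused": duplicate_refused,
            "other": other, "reconnect": reconnect}


if __name__ == "__main__":
    print(demo())
```

The preferred-address path is the interesting one: the server never trusts the client's requested address as a claim of ownership, it only treats it as a hint and falls back to the pool when the address is already leased to another device.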

MDM Gateway Server now manages all network traffic from the device and provides the endpoint for the Mobile VPN tunnel. MDM Gateway Server can then route traffic from the device to your company network. MDM Gateway Server can also be configured to forward Internet-bound traffic to a network proxy service (as shown in the diagram); the proxy then forwards that traffic to the Internet or to the corporate network, as appropriate. Typically, device network traffic leaving MDM Gateway Server passes through a firewall before it reaches your company network, but this depends on your infrastructure design and on where MDM Gateway Server is placed.