This guide is for Information Technology (IT), Networking and Security professionals responsible for deploying System Center Mobile Device Manager (MDM) components in the enterprise. It describes how to configure external and internal firewalls to permit MDM to function as designed and to meet its goal of permitting more secure access to Line of Business (LoB) applications. It also describes how correctly configuring the internal firewall for permitting access by MDM VPN clients makes access to critical LoB applications possible.
Using this information you can gain the advantages of implementing Windows Mobile 6.1 and MDM in your enterprise infrastructure while at no point knowingly compromising the integrity of the environment.
Other than referencing Microsoft products such as MDM and ISA Server 2006, this document is intended to be product and manufacturer agnostic. It is entirely normal in the enterprise environment to have equipment from various manufacturers carrying out the firewall and proxy roles.
This guide contains the following sections:
- Assumptions
- Expected Environment
- External Firewall
- Internal Firewall
- ISA Server 2006 with MDM
- Planning Resources
- Guidance for Publishing MDM Enrollment Server on ISA Server 2006
The first part of this guide speaks to the areas of commonality such as traffic types, protocols and traffic flows. It presumes that IT professionals tasked with carrying out the necessary configuration changes and modifications on any third-party product can do so based on the information contained in this document.
The second part of the guide details three specific areas where ISA Server 2006 may be a good fit:
- Reverse proxy, publishing the Mobile Device Manager (MDM) Enrollment Server
- Outbound proxy
- Internal firewall, for customers who may not have the external/internal firewall combination and thus the perimeter network which is addressed by the bulk of this guide. Using ISA Server 2006 in this fashion will introduce an additional layer of defense and so should be given serious consideration.
Helping to secure and protect the enterprise are the primary considerations. MDM was designed with security being of paramount importance. By applying accepted practices around firewall configurations, you can implement MDM in a highly secure fashion. The guiding principle of recommending a more secure configuration is applied throughout this document.
Assumptions
This guide is written for the Security professional tasked with applying their expertise in ensuring all reasonable steps are taken to protect the enterprise from intrusion. It was also written for the Networking/Firewall specialist tasked with modifying the external and internal firewalls and routers to implement MDM. This guide also assumes an understanding of MDM architecture, including the device management, enrollment, and MDM Gateway server roles.
Expected Environment
The following illustration shows the expected environment for most MDM implementations and is the focus of this guide:
The following numbers correspond with the numbers in the illustration:
1. Unmanaged devices use TCP 443 (SSL) to connect to the MDM Enrollment Server. A reverse proxy protects the IIS instance on the MDM Enrollment Server.
2. Managed devices access the Mobile Device Manager (MDM) Gateway Server by using IPsec. Inbound communication with Mobile Device Manager (MDM) Device Management Server is initiated from the MDM IP address pool using SSL.
3. Normal managed device communication with a published LoB host. This session uses LoB-specific protocols in the IPsec tunnel that terminates at the MDM Gateway Server external interface, and from the MDM Gateway Server internal interface to the LoB host.
Traffic Flow
The following illustration shows the critical elements and traffic flow from MDM Enrollment Server, through MDM client connectivity and LoB (Line of Business) application access. It is provided for your convenience, and is not as complete as the information presented in the remainder of the Firewalls section of this Integration Guide.
External Firewall
This section discusses only ports and traffic types directed to the MDM Gateway Server internal and external interfaces. It provides additional details to the information covered in the
Note: Never permit traffic to originate from MDM Gateway Server external or internal interfaces to the external firewall. Both IP addresses should be subject to explicit deny rules applied to all traffic and protocols. For example, external and internal firewalls should have rules in place as follows:
- Rule 1: Source = Internal interface IP address; Destination = ANY; Action = DENY
- Rule 2: Source = External interface IP address; Destination = ANY; Action = DENY
The following illustration shows the traffic flow to and from the external firewall.
The following section describes the ports that are used for enrollment and Windows Mobile device access to the MDM Gateway Server. You can also configure optional ports to increase security.
Enrollment Port
Purpose | Traffic Source | Destination | Default |
---|---|---|---|
Device Enrollment | Unmanaged device (native IP address) | Reverse Proxy which is publishing the MDM Enrollment Server. The host fulfilling this role should pass traffic onwards to the MDM Enrollment Server once it has been validated. | TCP 443 |
IPsec Traffic
Traffic Source | Destination | Default |
---|---|---|
Device (native IP address) | External Interface of MDM Gateway Server | User Datagram Protocol (UDP) 500 (bi-directional) IKE |
Device (native IP address) | External Interface of MDM Gateway Server | UDP 4500 (bi-directional) Tunnel |
Device (native IP address) | External Interface of MDM Gateway Server | Protocol 50 IPsec (bi-directional) |
Other MDM Ports
Purpose | Traffic Source | Destination | Default |
---|---|---|---|
VPN services (NAT timeout detection) | Managed device (native IP address) | External Interface of MDM Gateway Server | UDP 8901 (bi-directional) |
VPN Address Pool Traffic
Purpose | Traffic Source | Destination | Default |
---|---|---|---|
External Web site access | Managed device (issued IP address) | Network Address Translation (NAT) or proxy server in the perimeter network | TCP 443, TCP 80 |
Optional Ports for Increased Security
Purpose | Traffic Source | Destination | Default |
---|---|---|---|
Block traffic to Alerter service port for increased security | Internet | External Interface of MDM Gateway Server | UDP 5359 |
Internal Firewall
As with the External Firewall section, the information in this section is similar to, but more detailed than, that available in the MDM Planning Guide.
Note: We strongly recommend that you not allow the MDM Gateway Server external or internal interfaces to initiate traffic in-bound towards the internal network. We recommend that both IP addresses be subject to an explicit deny for all traffic and all protocols.
The following illustration shows the traffic flow to and from the internal firewall.
The following sections describe the ports that are used for access through the internal firewall. You can also configure optional ports to increase security.
Ports Used by the MDM Server
Traffic Source | Destination | Default |
---|---|---|
MDM Device Management Server | Internal Interface of MDM Gateway Server | TLS 443 (configurable) |
Internal Ports
Purpose | Traffic Source | Destination | Default |
---|---|---|---|
Line of business (LOB) applications that use SSL | Managed device (VPN pool address) | LOB application server | TCP 443 |
LOB applications (other) | Managed device (VPN pool address) | LOB application server | Defined by type of application |
DNS | Managed device (VPN pool address) | Internal DNS | UDP 53 |
WINS | Managed device (VPN pool address) | Internal WINS, if applicable | UDP 137 |
WSUS – Unencrypted | MDM Device Management Server | Managed device (VPN pool address) | TCP 8530 |
WSUS – SSL | MDM Device Management Server | Managed device (VPN pool address) | TCP 8531 |
RDP (Optional) | Managed device (VPN pool address) | Target hosts on a case-by-case basis | TCP 3389 |
Communicator Mobile Clients | Managed device (VPN pool address) | Office Communications Server 2007 Director, Enterprise pool or Standard Edition Server | TCP 5061 or TCP 443 |
File Shares | Managed device (VPN pool address) | Target file servers on a case-by-case basis | TCP 445 |
Optional Ports for Increased Security
Purpose | Traffic Source | Destination | Default |
---|---|---|---|
Block traffic to Alerter service port for increased security | Internal Network | Device (VPN pool address) | UDP 5359 |
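As an added example (not part of this guide), the Python model below encodes the external and internal firewall tables above as ordered, first-match rulesets with a default deny, using constructed gateway interface and internal host addresses. It also includes an audit that probes every allow rule with each gateway interface IP as the source, which shows why the explicit deny rules for the gateway interfaces must sit ahead of any broad allow.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses for this example (not taken from the guide): gateway
# interface IPs, a LoB host, the internal DNS server and one internal host that
# is not a published LoB target. The VPN pool 10.10.0.0/16 is the guide's own value.
GW_EXTERNAL = "203.0.113.10"
GW_INTERNAL = "192.168.99.10"
VPN_POOL = ip_network("10.10.0.0/16")
LOB_HOST = "192.168.50.20"
INTERNAL_DNS = "192.168.50.5"
OTHER_HOST = "192.168.50.99"


def host(ip: str):
    return ip_network(ip + "/32")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "esp" (IP protocol 50 carries no port)
    dport: int = 0  # 0 for ESP


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src: Optional[object] = None     # ip_network, None = ANY
    dst: Optional[object] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return ((self.src is None or ip_address(f.src) in self.src)
                and (self.dst is None or ip_address(f.dst) in self.dst)
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


# The guide's explicit denies for both gateway interfaces come first on both firewalls.
GATEWAY_DENIES = [
    Rule("Rule 1: gateway internal interface -> ANY", "deny", src=host(GW_INTERNAL)),
    Rule("Rule 2: gateway external interface -> ANY", "deny", src=host(GW_EXTERNAL)),
]

# External firewall: the IPsec Traffic, Other MDM Ports and Optional Ports tables
# (enrollment is omitted because it terminates at the reverse proxy, not the gateway).
EXTERNAL_FW = GATEWAY_DENIES + [
    Rule("IKE", "allow", dst=host(GW_EXTERNAL), proto="udp", dport=500),
    Rule("IKE NAT-T tunnel", "allow", dst=host(GW_EXTERNAL), proto="udp", dport=4500),
    Rule("IPsec (protocol 50)", "allow", dst=host(GW_EXTERNAL), proto="esp"),
    Rule("NAT timeout detection", "allow", dst=host(GW_EXTERNAL), proto="udp", dport=8901),
    Rule("Block Alerter port", "deny", dst=host(GW_EXTERNAL), proto="udp", dport=5359),
]

# Internal firewall: the Internal Ports table, scoped per target host (case by case).
INTERNAL_FW = GATEWAY_DENIES + [
    Rule("LoB over SSL", "allow", src=VPN_POOL, dst=host(LOB_HOST), proto="tcp", dport=443),
    Rule("DNS", "allow", src=VPN_POOL, dst=host(INTERNAL_DNS), proto="udp", dport=53),
]

# A careless ruleset: a source-ANY allow placed ahead of the gateway denies.
SLOPPY_INTERNAL_FW = [
    Rule("LoB any source", "allow", dst=host(LOB_HOST), proto="tcp", dport=443),
] + INTERNAL_FW


def evaluate(rules, flow: Flow):
    """First-match evaluation; an unmatched flow is denied (default deny)."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.name
    return "deny", "implicit deny"


def gateway_isolation_violations(rules):
    """Audit: probe every allow rule with each gateway interface IP as the source
    and report any probe the ruleset permits. A correctly ordered set returns []."""
    bad = set()
    for r in rules:
        if r.action != "allow":
            continue
        target = str(r.dst.network_address) if r.dst is not None else LOB_HOST
        for gw in (GW_EXTERNAL, GW_INTERNAL):
            action, name = evaluate(rules, Flow(gw, target, r.proto or "tcp", r.dport or 0))
            if action == "allow":
                bad.add((gw, name))
    return sorted(bad)


if __name__ == "__main__":
    print(evaluate(EXTERNAL_FW, Flow("198.51.100.7", GW_EXTERNAL, "esp")))
    print(evaluate(INTERNAL_FW, Flow("10.10.3.4", OTHER_HOST, "tcp", 445)))
    print(gateway_isolation_violations(SLOPPY_INTERNAL_FW))
```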
ISA Server 2006 with MDM
You can use ISA Server 2006 with MDM as follows:
- To publish the MDM Enrollment Server
- As a proxy for clients that are enrolled in MDM.
- As the target for source-based routing
- As an internal firewall
- As a multifunction device, that is, one that performs multiple roles simultaneously
Publishing MDM Enrollment Server on ISA Server 2006
The following illustration shows how you can use ISA Server 2006 to publish the MDM Enrollment Server.
The detailed steps on how to configure ISA Server 2006 as a reverse proxy for the enrollment process are included in the “Guidance for Publishing MDM Enrollment Server on ISA Server 2006” section of this guide.
Using ISA Server as a Proxy for MDM Clients
This section is not intended to repeat information which has been extensively documented in the ISA Server 2006 library. For more information on planning, deploying and managing ISA Server 2006 please refer to the documents referenced in the planning resources section at the end of this guide, with particular attention to the sections on defining and implementing ISA Server 2006 as a proxy.
Pre-requisites
The ISA Server 2006 must meet the following criteria:
- It must be installed and configured for outbound Internet
access
- It must be dual homed
- Each interface must be located on a different IP subnet from
within the perimeter network
Some customers may want to use ISA Server 2006 as the outbound proxy for MDM VPN clients. The following illustration shows an example of this scenario:
If the managed devices are configured to use this proxy (see later in this section), or Source-based Routing is configured to use it as the default gateway for the VPN pool of IP addresses, then the following is true:
- If the route to the target host is known by using the local routing tables in MDM Gateway Server, then all non-HTTP or HTTPS traffic is routed through the internal firewall.
- If the proxy is defined, all HTTP and HTTPS traffic (including management traffic for enrolled devices) passes by way of the proxy. If it meets the policies as configured, it is granted authority to leave the company network and continue to its destination on the Internet. Any traffic that does not conform to policy is dropped, or access is denied. The user is notified of the reason for denial.
- Because the MDM management traffic uses TCP 8443 by default, a value that the administrator can configure, you must modify most proxies to permit the traffic to pass correctly. The following steps show how you can modify the proxy:
  - Make sure that the proxy can resolve the DNS name for MDM Device Management Server, and that this server can be accessed from the proxy.
  - Configure the proxy server to tunnel HTTPS packets on port 8443. To allow tunneling of port 8443 with ISA Server 2006 as the proxy, use the AddTPRange.vbs script as described in “Managing Tunnel Port Ranges” at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=113972
You do not need to include the ISA Server 2006 firewall client when planning this since all MDM devices function in clientless mode very satisfactorily.
For clients to be directed to use this outbound proxy in MDM, one of the first group policies to create and send to a newly enrolled device should contain this information. To do this, you create a new GPO that contains the name of the outgoing proxy for the MDM client to use.
The following steps show how to perform this process:
- Start GPMC and select the OU against which the group policy is to be applied. The settings for the Internet proxy are located under Computer Configuration / Administrative Templates / Windows Mobile Settings / Mobile VPN Settings.
- Double-click Corporate Proxy for Internet Access.
- Enter the address and port of the Proxy Gateway.
- Apply the GP before exiting. This new policy is automatically applied against all devices at the next scheduled connection.
Adding the Mobile VPN Subnet to the Routing Table
To add the Mobile VPN IP subnet range to ISA Server
- In the ISA Server management console, expand the array name, and then click the Configuration node.
- In the Networks node, double-click the Internal network object in the Task Pane.
- In the Addresses tab, click Add Range and then type the IP subnet for managed devices (such as 172.30.25.0).
- Click OK twice.
- Click Apply to save changes and update the configuration.
Validate Internet Explorer Mobile Settings
In this procedure, you will validate the Internet Explorer Mobile settings for Windows Mobile Standard edition so that mobile Web browsing will work correctly.
- On an MDM managed Windows Mobile device, click Start, point to Internet Explorer, and then choose Menu.
- Select Tools, then Options, and then Connections.
- Check Automatically detect settings.
For Windows Mobile 6.1 Professional edition, there is no option to force a specific connection for Internet Explorer Mobile. The behavior is to always automatically detect the connection to use.
Create an ISA Server Access Rule for the Internet
If you have not already done so, you must create an ISA Server access rule that permits Web traffic for clients from the internal to external network. For more information on ISA Server 2006 access rules, see “Publishing Concepts in ISA Server 2006” at this Microsoft Web site:
Test the Mobile Device Proxy
- From Internet Explorer Mobile, navigate to mobile.live.com
The following screen will appear.
Using ISA as a Target for Source-based Routing
By default, a VPN client uses the same default gateway as the MDM Gateway Server unless directed otherwise. This may be impractical for some environments and consequently Source-based Routing has been implemented.
Source-based routing permits the MDM Gateway Server to make a routing decision based on the source address of the traffic. As an example, it handles traffic from itself in one fashion and directs VPN pool addresses differently. This gives the enterprise considerable flexibility and control.
The previous section showed how to use ISA Server 2006 as the out-going proxy for enforcing Corporate Policy on Web site access. To show how this is implemented in the context of MDM, this scenario uses the information from the Gateway Configuration screen which is managed from the Mobile Device Manager (MDM) Console.
For the purposes of this section, we will presume that the following has been defined on the MDM Gateway Server:
- The VPN pool has an IP address range of 10.10.0.0 with a subnet mask of 255.255.0.0.
- VPN clients use a default gateway other than the one defined on the MDM Gateway Server. They use the ISA Server 2006 outbound proxy (192.168.99.3).
Note: This is given as an example of implementing ISA Server 2006 as the outbound proxy. If your organization will use an existing proxy for this task, you should direct MDM clients to this proxy instead.
The following screen shows the IP address range to be assigned to VPN clients:
There are two options for Routing Configuration:
- Selecting the first option causes VPN clients to use the default gateway of the MDM Gateway Server. In this instance this is not desirable behavior.
- Selecting the second option separates VPN pool traffic from that of the MDM Gateway Server.
In this scenario, we selected the second option and entered the target IP address of the ISA Proxy, 192.168.99.3. Therefore, all traffic destined for known networks will be directed according to the routing tables possessed locally by the MDM Gateway Server, but will use the VPN pool range as the source address rather than internal or external IP addresses of the MDM Gateway Server. All other traffic will be directed to the ISA Proxy.
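The forwarding decision described in this scenario, as an added example that is not part of this guide: it uses the guide's VPN pool (10.10.0.0/16) and ISA proxy address (192.168.99.3), while the gateway interface addresses, next hops and routing table are constructed. The model also covers the first Routing Configuration option for comparison, and it treats the default route as not "known" for VPN pool traffic, an assumption noted in the code.

```python
from ipaddress import ip_address, ip_network

# Values from the guide's scenario: VPN pool 10.10.0.0/16 and the ISA Server 2006
# outbound proxy at 192.168.99.3. Interface addresses, next hops and the gateway's
# routing table below are constructed for this example.
VPN_POOL = ip_network("10.10.0.0/16")
ISA_PROXY = "192.168.99.3"
GW_EXTERNAL_IF = "203.0.113.10"
GW_INTERNAL_IF = "192.168.99.10"
GW_DEFAULT_GATEWAY = "203.0.113.1"

# Constructed MDM Gateway Server routing table:
# (prefix, next hop or None if directly connected, egress interface)
ROUTES = [
    (ip_network("0.0.0.0/0"), GW_DEFAULT_GATEWAY, GW_EXTERNAL_IF),
    (ip_network("192.168.50.0/24"), "192.168.99.1", GW_INTERNAL_IF),  # LoB subnet via internal firewall
    (ip_network("192.168.99.0/24"), None, GW_INTERNAL_IF),            # perimeter subnet, directly connected
]


def lookup(dst: str):
    """Longest-prefix match over ROUTES; returns (prefix, next_hop, interface)."""
    best = None
    for prefix, next_hop, iface in ROUTES:
        if ip_address(dst) in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop, iface)
    return best


def forward(src: str, dst: str, separate_vpn_traffic: bool = True):
    """Decide how the MDM Gateway Server forwards one packet.
    Returns (next_hop, egress_interface, basis). With the first Routing Configuration
    option (separate_vpn_traffic=False) VPN clients follow the gateway's own routing
    table and default gateway. With the second option, VPN-pool traffic to a network
    known from the local routing table is forwarded per that table (the pool address
    stays the source) and everything else goes to the ISA proxy. Modelling assumption:
    the default route does not count as a known network for pool traffic, otherwise
    the proxy would never be selected."""
    prefix, next_hop, iface = lookup(dst)
    deliver_to = next_hop or dst   # directly connected: hand the packet to dst itself
    if ip_address(src) not in VPN_POOL or not separate_vpn_traffic:
        return deliver_to, iface, "gateway routing table"
    if prefix.prefixlen == 0:
        _, proxy_hop, proxy_iface = lookup(ISA_PROXY)
        return proxy_hop or ISA_PROXY, proxy_iface, "source-based routing: ISA proxy"
    return deliver_to, iface, "gateway routing table (VPN pool source kept)"


if __name__ == "__main__":
    for src, dst in [("10.10.4.5", "192.168.50.20"), ("10.10.4.5", "198.51.100.80"),
                     (GW_EXTERNAL_IF, "198.51.100.80")]:
        print(src, "->", dst, forward(src, dst))
```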
Implementing ISA Server 2006 as an Internal Firewall
You can add a layer of defense by implementing ISA Server 2006 as an internal firewall. Some enterprises may not have a perimeter network in which to place the MDM Gateway Server, and may instead have the MDM Gateway Server located in the same physical subnet as domain-joined servers. In this scenario, because the MDM Gateway Server is exposed to the Internet, it could be the target of attack. Although compromising this host would be difficult, you should not presume that it is impossible. We strongly recommend that you use a product such as ISA Server 2006 in this situation to add a layer of defense and provide additional protection to both the MDM Gateway Server and all other internal resources.
The following illustration shows the MDM environment with an external firewall only.
Although the scenario of only an external firewall is supported, it is not recommended. A VPN client that terminates its session at the MDM Gateway Server could communicate in some fashion with every host on the internal network, not just the ones intended to be accessible as LoB hosts. This creates risk which may be unacceptable to some organizations. It also defeats the guiding principle as stated at the outset of this guide as most restrictive always being preferable and more secure.
To better protect your infrastructure, you may want to add an ISA Server to create a perimeter network to hold the dual-homed MDM Gateway Server. In this scenario, ISA Server 2006 acts as the internal firewall. The following illustration shows this scenario.
All guidance noted earlier in this document with regard to the Internal Firewall is applicable in this scenario.
Although it is easy to use ISA Server 2006 to configure a network-to-network relationship between the VPN pool of IP addresses and the internal subnet, this would go against the principle guidance of most restrictive being the preferred choice. Therefore, we highly recommend that you use filters to permit traffic between the VPN pool and the target LoB hosts and certification authority only on a case-by-case basis.
Using ISA Server 2006 as a Multifunction Device
In previous examples, ISA Server 2006 has been shown functioning in the role of the reverse proxy that more securely publishes the MDM Enrollment Server, as an outbound proxy, and as an internal firewall.
We do not recommend, however, that you implement one ISA Server in more than one role at any one time. This is undesirable because it creates a single point of failure and a single point of attack.
Planning Resources
The following Microsoft Web sites and technical articles provide background information that may prove useful for planning and deploying MDM 2008.
Reference Articles | Link |
---|---|
MDM Planning Guide | |
MDM Architecture Guide | |
MDM Security and Protection | |
Microsoft ISA Server 2006 – Planning and Architecture | |
Microsoft ISA Server 2006 – Deployment | |
Guidance for Publishing MDM Enrollment Server on ISA Server 2006
When publishing the MDM Enrollment Server on ISA Server 2006, you must have the SSL certificate for the Enrollment Web site exported in a file. This file must contain both the private and the public key of the certificate. If you try to export the certificate directly from the Enrollment Web site on the MDM Enrollment Server the option to save the private key is not available and is grayed out. This is by design because the certificate template used by MDM for this Web site does not allow export of the private key for security reasons.
You can modify the template on the certification authority to allow export of private keys; however, this operation is not supported. Instead, we recommend that you create a new certificate with the same common name that was used for the Enrollment Web site on the MDM Enrollment Server, and then use this certificate to publish. This new certificate must meet the following conditions:
- It must be issued by the same certification authority that is used by MDM in your environment.
- It must have the same common name as the original Enrollment Web site certificate.
The following shows an overview of this process:
- Request, create, and install the certificates.
- Export the certificates.
- Import the certificates to a protected location.
- Create ISA Server Web publishing rules.
- Validate the Internet Enrollment Web Service by using ISA Server.
Requesting the Certificate
Follow these steps to request, create, and install a certificate for the ISA Server Enrollment Web Listener. You perform these procedures on the following:
- A computer that runs ISA Server on which the MDM Enrollment Server is published (steps 1 through 4, and steps 8 and 9)
- Any domain-joined server that has access to the certification authority (step 5)
To create a certificate request, create the certificate, and then install it
- On the ISA Server, start Notepad. Type the following information:
[NewRequest]
Subject = "CN=EnrollmentServerFQDN"
MachineKeySet = True
KeySpec = 1
In the Subject field, type the external FQDN for the MDM Enrollment Server that the devices will access through the Internet, for example mobileenroll.contoso.com.
- On the File menu, choose Save As, in the File name box type IsaEnCertReq.inf, and then save the file to the desktop.
- Open a Command Prompt window, change to the directory that has IsaEnCertReq.inf, and then type the following command:
certreq -new IsaEnCertReq.inf IsaEnCertReq.txt
- Press ENTER.
- On a domain-joined server that has access to the certification authority, do the following:
  - Copy the IsaEnCertReq.txt file that you just created to a protected directory on the domain-joined server.
  - Open a Command Prompt window, navigate to the directory where IsaEnCertReq.txt is located, and then type the following command:
certreq -submit -attrib "CertificateTemplate:WebServer" IsaEnCertReq.txt IsaEnCert.cer
  - Press ENTER.
  - If a dialog box instructs you to choose a certification authority, choose your designated certification authority, and then choose OK. This creates the certificate for the ISA Server Enrollment Web Listener. Next, you must put the newly created .cer file on the computer that is running the ISA Server.
- On the computer that is running the ISA Server, open a Command Prompt window, change to the directory that has IsaEnCert.cer, and then type the following command:
certreq -accept IsaEnCert.cer
- Press ENTER and then close the Command Prompt window.
Exporting the Certification Authority Certificates
After you obtain the valid certificate for the ISA Server Web Listener, you must export the root certification authority certificate and any subordinate certification authority certificates.
Note: If your root and subordinate certification authorities are already among the trusted certification authorities on your ISA Server, you do not need to perform this step.
These procedures assume that your root certification authority is offline and inaccessible from the company network. Perform the following procedures from a subordinate certification authority by using the Certification Authority snap-in, or from a desktop or server that has access to the Certification Authority console. During these procedures, make sure that you do the following:
- Name each exported root or subordinate certificate appropriately so that you can easily find them later.
- Transfer certificates, including the gateway certificate, in a protected manner to MDM Gateway Server.
- Make sure that you can transfer text files and certificates on and off the MDM Gateway Server.
To export the root certification authority certificate
- Open the Certification Authority console from any domain-joined computer or server.
- Right-click the name of the certification authority, and then choose Properties.
- In the certification authority Certificates dialog box, choose the General tab, and then choose the certificate for the certification authority you want to access.
- Choose View Certificate.
- In the Certificate dialog box, choose the Certification Authority tab. Choose the name of the root certification authority and then choose View Certificate.
- In the Certificate dialog box, choose the Details tab and then choose Copy to File.
- The Certificate Export Wizard appears. Choose Next.
- On the Export File Format page, choose DER encoded binary X.509 (.CER), and then choose Next.
- For File to Export, choose the path and name for the certificate, and then choose Next.
- Choose Finish. The .cer file is created in the location that you specified in the previous step.
- A dialog box appears to inform you that the export was successful. Choose OK.
To export subordinate certification authority certificates
- Open the Certification Authority console from any domain-joined computer or server.
- Right-click the name of the certification authority, and then choose Properties.
- In the certification authority Certificates dialog box, choose the General tab, and then choose the certificate for the certification authority you want to access.
- Choose View Certificate.
- In the Certificate dialog box, choose the Certification Authority tab. Choose the name of the subordinate certification authority and then choose View Certificate.
Note: You must export the subordinate certification authority certificates. In the Certificate dialog box, if the View Certificate option for your subordinate certification authority is disabled, choose the Details tab and then go to the next step.
- In the Certificate dialog box, choose the Details tab, and then choose Copy to File.
- The Certificate Export Wizard appears. Choose Next.
- On the Export File Format page, choose DER encoded binary X.509 (.CER), and then choose Next.
- On the File to Export page, choose the path and name of the certificate, and then choose Next.
- Choose Finish. The .cer file is created in the location that you specified in the previous step.
- A dialog box appears to inform you that the export was successful. Choose OK to finish.
- Repeat these steps for each subordinate certification authority that is listed on the Certification Authority tab (step 5).
Importing Certification Authority Certificates onto the ISA Server
On the server that is running the ISA Server, make sure that you import the root certification authority, and all intermediate certification authority certificates, to a protected location. From the protected location, you then import the certificates into the correct certificate stores.
Note: If your root and subordinate certification authorities are already among the trusted certification authorities on your ISA Server, you do not need to perform this step.
The following shows an overview of this process:
- You put the root certification authority certificate into the Trusted Root Certification Authorities store on the computer that is running the ISA Server.
- You put the intermediate certification authority certificates into the Intermediate Certification Authorities store.
You must follow these steps for each intermediate or subordinate certification authority certificate.
To import the root certification authority certificate
- On the computer that is running ISA Server, open Microsoft Management Console (MMC) with the Certificates snap-in added.
Note: When you create the snap-in for Certificates, make sure that you choose the Computer Account option and not the Service or User options.
- Expand Trusted Root Certification Authorities, right-click Certificates, choose All Tasks, and then choose Import.
- On the Welcome to the Certificate Import Wizard page, choose Next.
- On the File to Import page, choose Browse and locate the certification authority certificate that you recently imported, and then choose Next.
- On the Certificate Store page, make sure that you select Place all certificates in the following store and that Trusted Root Certification Authorities is visible in the Certificate Store section. Choose Next.
- Choose Finish to close the program.
To import the intermediate certification authority certificates
- On the computer that is running ISA Server, open MMC with the Certificates snap-in added.
Note: When you create the snap-in for Certificates, make sure that you choose the Computer Account option and not the Service or User options.
- Expand Intermediate Certification Authorities, right-click Certificates, choose All Tasks, and then choose Import.
- On the Welcome to the Certificate Import Wizard page, choose Next.
- On the File to Import page, choose Browse and locate the intermediate certification authority certificate that you recently imported, and then choose Next.
- On the Certificate Store page, make sure that you select Place all certificates in the following store and that Intermediate Certification Authorities is visible in the Certificate Store section. Choose Next.
- Choose Finish to close the program.
Creating ISA Server Web Publishing Rules
To create ISA Server Web publishing rules
- On your ISA Server computer, launch the ISA Server Management Console. To do this, choose Start, Programs, and then choose Microsoft ISA Server.
- Expand the local computer name, right-click the Firewall Policy node, and then choose New, Web Site Publishing Rule.
- The New Web Publishing Rule Wizard appears. Type MDM Enrollment Web Publishing Rule in the Web Publishing Rule Name field and click Next.
- On the Select Rule Action page, verify that Allow is selected under Action to take when rule conditions are met. Click Next.
- On the Publishing Type page, choose the default of Publish a single Web site or load balancer and click Next.
- On the Server Connection Security page, verify that the default of Use SSL to connect to the published Web server or server farm is selected and click Next.
- On the Internal Publishing Details page, do the following:
  - In the Internal site name field, type mobileenroll.yourdomain.com, where mobileenroll.yourdomain.com is your external enrollment server FQDN.
  - Select Use a computer name or IP address to connect to the published server.
  - Specify the IP address of the Enrollment Server in the Computer name or IP Address field.
  - Click Next.
- On the next Internal Publishing Details page, leave the Path (optional) field blank and then click Next.
- On the Public Name Details page, do the following:
  - In the Public Name field, type mobileenroll.yourdomain.com, where mobileenroll.yourdomain.com is your external enrollment server FQDN.
  - Leave the Path (optional) field blank and click Next.
- On the Select Web Listener page, click New to launch the New Web Listener Wizard.
- Type MDM Enrollment HTTPS Web Listener in the Web Listener Name field and click Next.
- On the Client Connection Security page, accept the default value of Require SSL secured connections with clients and click Next.
- On the Web Listener IP Addresses page, do the following:
  - In the Listen for incoming Web requests on these networks field, select External.
  - Leave the check box selected for the ISA Server will compress content field, and click Next.
- On the Listener SSL Certificates page, do the following:
  - Choose Select Certificate to display the list of available certificates. The mobileenroll certificate should be listed and installed correctly. If so, highlight the mobileenroll SSL certificate and click Select.
  - Click Next on the Listener SSL Certificates page to continue the New Web Listener Definition Wizard.
- On the Authentication Settings page, select No Authentication in the Select how clients will provide credentials to ISA Server drop-down. Click Next.
- On the Single Sign On Settings page, click Next.
- Click Finish on the Completing the New Web Listener Wizard page.
- The Select Web Listener page should now display the Web listener that you created. Click Next.
- On the Authentication Delegation page, select No delegation, but client may authenticate directly from the drop-down and click Next.
- On the User Sets page, accept the default of All Users and click Next.
- Click Finish on the Completing the New Web Publishing Rule Wizard page.
- To save changes and update the ISA Server 2006 configuration, click Apply in the main Firewall Policy screen.
Validating Internet Enrollment Web Service by using ISA Server
Next, you will validate that the Enrollment Web Service functions properly. You can use any computer with the device for testing purposes.
Note: Make sure that you can browse Web pages from Internet Explorer Mobile before performing these steps.
To validate Enrollment Web Service functionality
- On your test mobile device, open Internet Explorer Mobile and launch https://mobileenroll.contoso.com/enrollmentserver/service.asmx, where mobileenroll.contoso.com is your external enrollment server FQDN.
The enrollment Web service page should display after a certificate warning appears.