MDM Scaled-Out Distributed Configuration Topology

11/11/2008

The scaled-out, distributed configuration topology for System Center Mobile Device Manager (MDM) is the recommended configuration for a production enterprise environment. This configuration allows for the greatest security, availability, and scalability.

The following are highlighted by number in the diagram:

1: Multiple computers that are running MDM Gateway Server. You must configure your MDM Gateway Server Domain Name System (DNS) name with multiple <A> records to load balance IPsec traffic. Managed device traffic destined for the company network is routed through the internal firewall to the computers running MDM Device Management Server registered in DNS.
2: You can use hardware or software load balancing. IP affinity must be enabled for managed device traffic destined for the load balancer in front of MDM Device Management Server. MDM Enrollment Server is usually assigned two fully qualified domain names (FQDNs) during MDM Setup.

The first FQDN is for the external Windows Mobile device enrollment Web site. The second FQDN is for the administration Web site accessed by MDM Administrator Tools. These FQDNs are for the virtual IP (VIP) addresses for the load balancer.
3: MDM Administrator Tools access MDM Enrollment Server and MDM Device Management Server Web services over ports as specified in the initial server setup. The tools obtain the load balancer FQDN information from the Active Directory® Domain Services Service Connection Points (SCP).

The scaled-out, distributed topology diagram does not include other required components of the MDM system such as a domain controller, certification authority, and a Microsoft® SQL Server® database. However, the additional components are required when you configure MDM by using this topology.

In addition, you should configure a secure Web publishing proxy to use from the perimeter network to publish the external Enrollment Web site.

Note:
For each MDM topology, the Active Directory Domain Services, certification authority server, the computer that is running Microsoft SQL Server, MDM Device Management Server, and MDM Enrollment Server must be in the same site. However, servers that are running MDM Gateway Server do not have to be in the same geographical site. Active Directory, the certification authority server, the computer that is running SQL Server, MDM Device Management Server, and MDM Enrollment Server must be in the same domain.

Note:

For each MDM topology, the Active Directory Domain Services, certification authority server, the computer that is running Microsoft SQL Server, MDM Device Management Server, and MDM Enrollment Server must be in the same site. However, servers that are running MDM Gateway Server do not have to be in the same geographical site. Active Directory, the certification authority server, the computer that is running SQL Server, MDM Device Management Server, and MDM Enrollment Server must be in the same domain.