This section provides recommendations to configure Windows Mobile device access within System Center Mobile Device Manager (MDM).
As an overall guideline, we recommend that you implement every firewall rule on a point-to-point basis between specific source and destination hosts. Do not create an absolute rule that enables all traffic of one type to pass through regardless of the source and destination.
The following diagram shows MDM network traffic and the associated ports and protocols.
|We have made every effort to make sure that we have identified all known traffic and ports. However, the internal line of business (LOB) applications might use dedicated IP ports. In these cases, you must configure the firewall separately. The guidance provided here as to the direction of traffic flow and which firewall (internal or external) to modify remains accurate.|
|Although the diagram above shows network traffic in both directions between MDM Device Management Server and MDM Gateway Server on TCP 443, sessions are never initiated from MDM Gateway Server to MDM Device Management Server. The firewall rule for this traffic therefore only needs to permit connections initiated by MDM Device Management Server.|
Configure Device Access to the Enrollment Service
For device enrollment to succeed, you must publish the IIS instance on MDM Enrollment Server externally, and it should have a Domain Name System (DNS) A record named mobileenroll.domain.com, where domain is replaced with the domain name for your company.
The Enrollment service uses an auto-detect capability: MDM Enrollment Server prompts the enrolling user for their Simple Mail Transfer Protocol (SMTP) e-mail address, and the auto-detect software uses the host part of that address (the part after the @) to query DNS for MDM Enrollment Server. By default, the host name it looks for is MobileEnroll.
If the DNS A record is not found automatically during enrollment, MDM client on the device prompts the user to enter the MDM Enrollment Server name. Give your users a friendly server name that they can resolve, so that they can still enroll. Another option for enrolling from an internal connection is split-horizon DNS: make sure that mobileenroll.domain.com resolves internally to the internal IP address of MDM Enrollment Server, rather than to the external one.
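The auto-detect sequence described above, written out as an added example (this is not MDM code or part of the original guide): it derives mobileenroll.<domain> from the host part of an SMTP address, resolves that name, reports whether the answer is an internal (RFC 1918) address, and falls back to a user-supplied server name when no record exists. The contoso.com names, the addresses and the DNS tables are constructed sample data; the stub resolver stands in for the device's real DNS lookup.

```python
"""Enrollment auto-detect, modelled on the steps described above.

Added illustration, not MDM code. The DNS tables are constructed sample
data: contoso.com is a placeholder domain, 10.0.1.30 the internal address
of the Enrollment Server and 203.0.113.30 its published external address.
"""
import ipaddress
from typing import Callable, Dict, Optional

ENROLL_LABEL = "mobileenroll"   # default host name that MDM auto-detect looks for

# RFC 1918 private ranges, used to tell an internal answer from an external one.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed split-horizon views of the same zone (assumption, not real data).
INTERNAL_DNS = {"mobileenroll.contoso.com": "10.0.1.30"}       # seen from inside the network
EXTERNAL_DNS = {"mobileenroll.contoso.com": "203.0.113.30"}    # seen from the Internet
FRIENDLY_ONLY_DNS = {"mdmenroll.contoso.com": "203.0.113.30"}  # well-known name not published

Resolver = Callable[[str], Optional[str]]


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Stand-in for a DNS A lookup: returns the address, or None for NXDOMAIN."""
    return lambda name: table.get(name.lower())


def enrollment_host_from_email(email: str) -> str:
    """Build mobileenroll.<domain> from the host part of an SMTP address."""
    local, at, domain = email.strip().rpartition("@")
    if not at or not local or "." not in domain:
        raise ValueError("not a usable SMTP address: %r" % email)
    return "%s.%s" % (ENROLL_LABEL, domain.lower())


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in network for network in RFC1918)


def locate_enrollment_server(email: str, resolve: Resolver,
                             manual_name: Optional[str] = None) -> dict:
    """Run the auto-detect sequence and report what the client would connect to.

    method is 'auto-detect' when the well-known name resolved, 'manual' when the
    record was missing and the name the user typed resolved instead, and
    'failed' when neither did.
    """
    name = enrollment_host_from_email(email)
    ip = resolve(name)
    if ip is not None:
        return {"server": name, "ip": ip, "internal": is_rfc1918(ip), "method": "auto-detect"}
    # No A record found: the MDM client prompts the user for a server name instead.
    if manual_name:
        ip = resolve(manual_name)
        if ip is not None:
            return {"server": manual_name, "ip": ip, "internal": is_rfc1918(ip), "method": "manual"}
    return {"server": name, "ip": None, "internal": None, "method": "failed"}


if __name__ == "__main__":
    for label, table in (("internal view", INTERNAL_DNS), ("external view", EXTERNAL_DNS),
                         ("well-known record missing", FRIENDLY_ONLY_DNS)):
        print(label, locate_enrollment_server("alice@contoso.com", table_resolver(table),
                                              manual_name="mdmenroll.contoso.com"))
```

Running it shows the three cases the text describes: the internal view answers with a private address, the external view with the published one, and the third table only enrolls because the user typed the friendly name. To check a real deployment, point the resolver at the actual DNS server from both inside and outside the network and compare the answers.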
We recommend that you use the following best practices to publish a server that is running IIS to the Internet:
- Use a publishing product, such as ISA Server 2006, to make the
IIS instance available to external clients in a more secure
manner than exposing the server directly.
- Make the computer that is running MDM Enrollment Server more
secure by running the Security Configuration Wizard that is
available in Windows® Server® 2003 SP1, and then follow the
Web Server template. This is also known as hardening a server.
|MDM VPN Diagnostics Tool displays VPN configuration and status
to help you to diagnose managed device issues that are due to
incorrect VPN configuration. You can also generate managed device
report log files to send to a diagnostics team for further
analysis. To download MDM VPN Diagnostics Tool, see MDM Client
Tools at this Microsoft Web page:|
Configure Device Access for LOB Applications
Consider the following best practices and recommendations when you configure managed device access to LOB applications.
- You must address LOB applications on a case-by-case basis to
determine which ports are used. The administrator who designs and
implements MDM should make sure that they know whether internal LOB
applications use IP ports other than TCP 443. After you determine
which ports are used, decide how you should configure firewall
rules to enable access for specific LOB applications while you
minimize the unnecessary security exposure of configuring access
that is more general.
- Although most mobile-enabled applications are carried
end-to-end over TCP 443 (SSL) inside the MDM IPsec session, MDM
does not limit the ports that a customer application can use. MDM,
and MDM Gateway Server in particular, provide the mechanism for
reaching those applications more securely; the ports each
application needs will vary. For example, you may decide to change
firewall rules to enable LOB applications to transport over TCP 443 for specific
servers instead of to configure firewalls to enable all TCP 443
- Examples of infrastructure applications that you must enable to
traverse the internal firewall are DNS (UDP 53) and Remote Desktop
Protocol (RDP) (TCP 3389).
Configure Device Access to External (Internet) Resources
Consider the following best practices and recommendations when you configure managed device access to network resources outside the company network.
- In MDM, the device-to-gateway connection is in an always-up
state and all traffic routes through MDM Gateway Server.
- By default, IPsec split-tunneling is turned off in MDM as a
best practice. With split-tunneling off, all device traffic,
including Internet traffic, passes through MDM Gateway Server, so
you can enforce company policy on permitted Web sites and content
for managed device users.
- When a managed device successfully connects to MDM, MDM Gateway
Server issues the device an internal IP address. If the IP address
is a public (routable) IP address, you do not have to take
additional action except to make sure that the correct ports are
- If the address range used for issuing client addresses is part
of the RFC 1918 private range, the outgoing client session must be
subject to Network Address Translation (NAT) or proxying. Without
NAT or proxying, the managed device user cannot access the Internet.
- Regardless of whether the outgoing client session is subject to
proxying, MDM Gateway Server must route the addresses issued from
the managed device pool correctly in order to enable egress. Rules
must also exist on the external firewall to allow managed device
traffic out as HTTP (TCP 80) and SSL (TCP 443).
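The recommendations in this section (point-to-point rules only, no absolute "allow all TCP 443" rule, the Device Management Server to Gateway Server direction, the DNS and RDP flows through the internal firewall, and NAT for an RFC 1918 device pool) can be checked mechanically against a proposed rule set. The following is an added worked example, not MDM code or part of the original guide: the hosts, addresses, device pool and rule sets are constructed sample data, and the Rule and Flow types are this example's own simplification of a firewall policy.

```python
"""Firewall rule review for an MDM perimeter, as an added worked example.

Not MDM code: it turns the recommendations above into checks. All hosts,
addresses and rules are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str    # CIDR of hosts allowed to initiate; "0.0.0.0/0" means any
    dst: str    # CIDR of hosts they may reach
    proto: str  # "TCP" or "UDP"
    port: int


@dataclass(frozen=True)
class Flow:
    """A session the deployment needs; src is always the initiating side."""
    description: str
    src: str
    dst: str
    proto: str
    port: int


def rule_covers(rule: Rule, flow: Flow) -> bool:
    """True when the rule permits every source/destination pair in the flow."""
    return (rule.proto == flow.proto and rule.port == flow.port
            and net(flow.src).subnet_of(net(rule.src))
            and net(flow.dst).subnet_of(net(rule.dst)))


def overly_broad(rule: Rule) -> bool:
    """The 'absolute' rule the guidance warns against: any source or any destination."""
    return net(rule.src) == ANY or net(rule.dst) == ANY


def review(rules: List[Rule], flows: List[Flow]) -> Tuple[List[Flow], List[Rule]]:
    """Return the flows no rule permits and the rules that are not point-to-point."""
    uncovered = [f for f in flows if not any(rule_covers(r, f) for r in rules)]
    broad = [r for r in rules if overly_broad(r)]
    return uncovered, broad


def pool_needs_nat(pool_cidr: str) -> bool:
    """An RFC 1918 device pool must be NATed or proxied before it can reach the Internet."""
    return any(net(pool_cidr).subnet_of(n) for n in RFC1918)


# Constructed sample deployment (assumed addresses).
GATEWAY = "192.0.2.10/32"      # MDM Gateway Server in the perimeter network
DMS = "10.0.1.20/32"           # MDM Device Management Server
DNS_SERVER = "10.0.1.5/32"
RDP_HOST = "10.0.1.50/32"
LOB_SERVER = "10.0.1.60/32"
DEVICE_POOL = "10.200.0.0/16"  # addresses MDM Gateway Server issues to devices

FLOWS = [
    Flow("Device Management Server to Gateway Server", DMS, GATEWAY, "TCP", 443),
    Flow("managed devices to internal DNS", DEVICE_POOL, DNS_SERVER, "UDP", 53),
    Flow("managed devices to RDP host", DEVICE_POOL, RDP_HOST, "TCP", 3389),
    Flow("managed devices to LOB application", DEVICE_POOL, LOB_SERVER, "TCP", 443),
]

# The kind of rule set the guidance argues against: one absolute TCP 443 rule.
BROAD_RULES = [Rule("allow all SSL", "0.0.0.0/0", "0.0.0.0/0", "TCP", 443)]

# Point-to-point rules, one per required flow, in the permitted direction only.
POINT_TO_POINT_RULES = [
    Rule("DMS -> Gateway 443", DMS, GATEWAY, "TCP", 443),
    Rule("devices -> DNS", DEVICE_POOL, DNS_SERVER, "UDP", 53),
    Rule("devices -> RDP", DEVICE_POOL, RDP_HOST, "TCP", 3389),
    Rule("devices -> LOB 443", DEVICE_POOL, LOB_SERVER, "TCP", 443),
]

if __name__ == "__main__":
    for label, rules in (("broad", BROAD_RULES), ("point-to-point", POINT_TO_POINT_RULES)):
        uncovered, broad = review(rules, FLOWS)
        print(label, "uncovered:", [f.description for f in uncovered],
              "broad:", [r.name for r in broad])
    print("device pool needs NAT/proxy:", pool_needs_nat(DEVICE_POOL))
```

The broad rule set is flagged twice over: it is not point-to-point, and it still leaves the DNS and RDP flows unpermitted because it only covers TCP 443. The point-to-point set covers every required flow and, because the Device Management Server to Gateway Server rule is written in one direction, a session initiated from the Gateway Server would not match it, which is the behaviour the note at the top of this section describes.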
To see a list of default port configurations for MDM Gateway Server operation, and to track port configuration changes that you make for MDM deployment, see MDM Deployment Worksheets.