Mobile Device Manager (MDM) Gateway Server is the pivotal access point for managed devices. Typically, this server is installed in your perimeter network where a defense-in-depth approach helps protect the network security of your company. MDM Gateway Server is a stand-alone gateway that faces the Internet from inside the perimeter network. Typically, it is not domain-joined and shares no accounts or passwords with your company domain. It does not directly use Active Directory Domain Service, NTLM, or Kerberos access to authenticate devices because these would require Mobile Device Manager (MDM) Gateway Server to be domain-joined or to store domain credentials.
MDM Gateway Server authenticates incoming connection requests by using an offline certificate evaluation process that queries the device machine certificate. It allows an end-to-end SSL session to be maintained between the client application and MDM application servers.
The following illustration shows the detailed architecture of MDM Gateway Server:
MDM Gateway Server has the following components:
-
Certificate store: MDM uses machine certificates to
authenticate Windows Mobile devices and MDM Gateway Server and MDM
Device Management Server. These certificates are stored in the
Windows Certificate Store.
-
MDM VPN agent: The virtual private network (VPN) agent
handles communications between MDM Device Management Server and MDM
Gateway Server. For MDM Gateway Server, the MDM Gateway Server
cannot start communication with servers in the company network. For
improved security, the MDM VPN agent does not start connections to
MDM Device Management Server.
As a best practice, we recommend that you implement firewall rules so that MDM Device Management Server is the only internal host with which MDM Gateway Server communicates, and that the direction of the traffic is outgoing (MDM Device Management Server to MDM Gateway Server) only. -
Mobile VPN policy engine: This component establishes and
manages the IPsec tunnel to and from the device. It works with the
Mobile VPN driver in the networking stack to enable the Mobile VPN
client to establish authenticated and encrypted communications over
the mobile operator network or through a Wi-Fi network.
-
MDM Alerter agent: The Alerter agent notifies the device
that pending Open Mobile Alliance Device Management (OMA DM)
commands are waiting, such as a device wipe. The Alerter agent then
notifies the device to start an OMA session. The managed device
communicates with MDM Device Management Server through the usual
mechanisms and then retrieves the command.
-
Mobile VPN driver: The Mobile VPN driver manages network
communications with the device. It checks that data coming from the
device is valid and that the device has a valid IPsec Security
Association (SA). If the connection is valid, the data is
forwarded. If the connection is not valid, the data is discarded or
is moved up the network stack to the Mobile VPN policy engine to
negotiate a new connection.
After the managed device establishes a valid IPsec tunnel with MDM Gateway Server, it can access IT services for which the administrator provides access on your company network. The connection will fail if the user is denied access to a company IT service.
Note: |
---|
The internal and external facing interfaces from the MDM Gateway Server must be on separate subnets. |