Mobile Device Manager Gateway Server provides a network access point for managed Windows Mobile devices. MDM Gateway Server provides a security-enhanced IPsec tunnel between a managed device and the gateway. It enables Secure Sockets Layer (SSL) and TCP/UDP sessions to be maintained between the client application on the Windows Mobile device and internal application servers. MDM Gateway Server is not a member of the company domain, nor does it share network accounts or passwords.
MDM Gateway Server has the following characteristics:
- It stands alone, facing the Internet from inside the perimeter
network and outside the company network firewall.
- It can only receive connections from inside the company
network. Specifically, MDM Gateway Server can only receive
connections from the MDM GCM service on MDM Device Management
Server. For improved security, MDM Gateway Server does not
start any connections to the company network.
- It authenticates incoming connection requests by checking the
device certificate validity against the trusted certification
- It blocks incoming connections if the device name is in the
blocked-device list configured by the administrator, or if the
device certificate is in the certificate revocation list.
The following describes the key MDM Gateway Server components:
Certificate store: The certificate store contains machine
certificates that MDM Gateway Server uses to authenticate
Mobile VPN agent: The Mobile virtual private network (VPN)
agent handles communications between the Administrative service on
MDM Device Management Server and MDM Gateway Server. MDM
Gateway Server can only receive connections from inside the
company network. For improved security, MDM Gateway
Server does not start connections to the company network. MDM
Gateway Server only routes network traffic from VPN clients to
the company network based on internal firewall policies.
Note: You should lock resources on MDM Gateway Server by using access control lists (ACLs) to prevent VPN client access to local resources on MDM Gateway Server.
Mobile VPN policy engine: The mobile VPN policy engine
establishes and manages the IPsec tunnel with a managed device. The
policy engine works with the Mobile VPN network driver interface
specification (NDIS) IPsec Intermediate (IM) drivers to establish
authenticated and encrypted communications over the Mobile Operator
network or a public Wi-Fi network.
Alerter service: The Alerter service receives alerts from
MDM Device Management Server for urgent commands, such as a
managed device wipe. The Alerter service verifies that the managed
device is connected to the network. If the managed device is
connected to the network, the Alerter agent contacts the managed
device immediately to issue the required commands. If the device is
not connected, the Alerter agent caches the alert requests and
contacts the device immediately after it connects.
Mobile VPN NDIS IPsec IM Driver: The NDIS IM driver manages
network communications with the managed device. It checks that data
coming from the managed device is valid, encrypted and
authenticated, and that the device has a valid IPsec Security
Association. The NDIS IM driver performs data transformation,
filters packets, and forwards packets.
Note MDM does not report start and stop
events for its services in the system log. For more information,
see the knowledge base article
To work around this issue perform the following steps:
- On the
Run, and then in the
- From the menu bar, choose
Advanced, and then select
AT Service Account.
- In the
AT Service Account Configurationdialog box, choose
System Accountand then choose
- On the
Run, in the
cmdand then choose
- At the command prompt, type the following command:
AT 12:00/i mofcomp %windir%\system32\wbem\scm.mof
- Close the command prompt window and then re-start the computer.
Network Address Translation
Do not use network address translation (NAT) for the public IP address of MDM Gateway Server because doing so essentially masks the identity of MDM Gateway Server, thereby disrupting MDM functionality.
When you issue a device management command, such as a Wipe request, MDM Device Management Server instructs MDM Gateway Server to send a specially-formatted data packet to the device, instructing the device to request a policy refresh immediately.
The MDM Alerter agent running on the device compares the IP address of the MDM Gateway Server that it connects to, with the IP address of the MDM Gateway Server that sent the data packet. If these addresses do not match, then the device ignores the packet and does not connect to MDM Device Management Server until the regularly-scheduled refresh interval.