The following discusses the supported virtual private network (VPN) topology and configuration for System Center Mobile Device Manager (MDM). This information explains how to position MDM Gateway Server in the perimeter network and how to configure MDM Gateway Server and the managed device to meet MDM requirements.

The following shows the topology elements you configure and deploy for MDM:

Perimeter Network Topology

The following illustration shows the preferred enterprise perimeter network topology for MDM deployments.

The following are highlighted by number in the diagram:

  • 1: MDM Gateway Server allocates private IP addresses to managed devices from the VPN address pool for the server. You must use network address translation (NAT) for the address pool so that managed devices can access the Internet.

  • 2: All managed device HTTP and HTTPS traffic is routed to a Web proxy from MDM Gateway Server. The Web Proxy then routes the traffic to the Internet or company internal network.

    If you configure source-based routing, MDM Gateway Server directs IPsec tunneled traffic from managed devices to a different default gateway server. You do not have to configure the proxy server separately, as shown in the diagram. For more information, see MDM Gateway Server Source-Based Routing in Gateway Server Deployment Guidelines.
  • 3: Managed device traffic destined for the company network is routed from MDM Gateway Server through the internal firewall to the company intranet, where MDM Device Management Server is located.

MDM manages network traffic from wireless wide area network (WWAN) and Wi-Fi connections only. It does not manage remote network driver interface specification (RNDIS) connections, or personal area network (PAN) connections, such as Bluetooth or Infrared Data Association (IrDA).

The perimeter network topology diagram does not include a secure Web publishing proxy for the external enrollment Web site. The Web proxy shown in the illustration shows managed device access to the Internet. We strongly recommend that you use a Web publishing proxy for the external enrollment Web site URL.

Perimeter Network Deployment Requirements

The following outlines the servers, networking hardware, and subnet prerequisites to deploy the MDM perimeter network.

Required Servers and Network Hardware

The following servers and network hardware are required to configure the perimeter network for MDM:

  • A perimeter network that has external and internal firewalls

    A typical perimeter network topology is isolated within two firewalls: one that faces the Internet (external) and one that faces the company network (internal).
  • A Web proxy to route traffic back to the Internet

  • Each computer that will be running MDM Gateway Server must have two network adapters

  • Each network adapter on a computer running MDM Gateway Server must have only one IP Address assigned to it. MDM Gateway Server does not support multiple IP addresses on a single network adapter.

Perimeter Network Subnets

The perimeter network should consist of the following subnets:

  • Perimeter network public subnet. This is a routable public subnet with Internet IP addresses.

  • Perimeter network private subnet.

  • MDM client address pool (private). MDM Gateway Server will use this address pool to assign private IP addresses to the client Windows Mobile devices.

  • Company network (intranet).

Preparing MDM Gateway Server and the Firewalls

The following section shows you how to prepare servers and other network hardware to deploy MDM, together with a perimeter network. After you complete these steps, you can install MDM Gateway Server and remotely configure it to enable VPN remote access.

Preparing MDM Gateway Server

The following describes how to configure the network and routing for MDM Gateway Server:

  • The external interface on each computer running MDM Gateway Server should have a public IP address that belongs to the perimeter network public subnet

  • Route all traffic that is destined for the company network, the internal firewall, and the proxy through the internal interface

Configure MDM clients to use a Web proxy. The following are the requirements for the Web proxy server:

  • The Web proxy server can route managed device traffic back to the Internet

  • The Web proxy server can route managed device traffic back to internal line of business (LOB) servers and to computers that are running MDM Device Management Server, unless the managed device is routed directly from a proxy exception list

  • MDM Gateway Server can access the Web proxy server

Specifying an Alternative Redirection IP Address

You can use MDM Console to specify an alternative Redirection Gateway IP address for tunneled traffic that originates from Windows Mobile devices. After you set this parameter, MDM Gateway Server redirects tunneled network traffic from managed devices to this IP address and not to the default address for MDM Gateway Server configured locally on MDM Gateway Server.

If you configure a Redirection Default Gateway, MDM Gateway Server will still prioritize any local static routes configured to particular destinations. If there is no static route for the destination, then the packet will be forwarded to the Redirection Default Gateway.

Preparing the Internal Firewall

The following shows you how to configure the internal firewall to assign the external interface with two IP addresses:

  • The first IP address belongs to the perimeter network private subnet and enables MDM Gateway Server to route traffic that is destined for the company network through the internal interface

  • The second IP address is an Internet IP address that is required to publish MDM Enrollment Server to the Internet

    You can use a separate firewall to publish MDM Enrollment Server to the Internet. In this case, the internal firewall would not require the second Internet IP address.

The internal firewall should include the port configuration specified in the MDM Firewall Settings Worksheet.

Preparing the External Firewall

Configure the external firewall to enable direct access for all IPsec traffic from the Internet to the MDM Gateway Server public IP address, without changing the traffic source IP address.

The external firewall should include the port configuration specified in the MDM Deployment Worksheets.