This section provides recommendations to configure Windows Mobile device access within System Center Mobile Device Manager (MDM).

As an overall guideline, we recommend that you implement every firewall rule on a point-to-point basis between specific source and destination hosts. Do not create an absolute rule that enables all traffic of one type to pass through regardless of the source and destination.

The following diagram shows MDM network traffic and the associated ports and protocols.

We have made every effort to make sure that we have identified all known traffic and ports. However, the internal line of business (LOB) applications might use dedicated IP ports. In these cases, you must configure the firewall separately. The guidance provided here as to the direction of traffic flow and which firewall (internal or external) to modify remains accurate.
Although the diagram above shows network traffic in both directions between MDM Device Management Server and MDM Gateway Server on port 443, sessions are never directly initiated from the MDM Gateway Server to the MDM Device Management Server server.

Configure Device Access to the Enrollment Service

For device enrollment to succeed, you must publish the IIS instance located on MDM Enrollment Server externally, and it should have a Domain Name System (DNS) <A> record that points to mobileenroll. domain.com, where domainis replaced with the domain name for your company.

The Enrollment service uses an auto-detect capability in which MDM Enrollment Server prompts the enrolling user for the Simple Mail Transfer Protocol (SMTP) e-mail address. The auto-detect software uses the host part of the e-mail address to interrogate DNS to locate MDM Enrollment Server. By default, the host name is MobileEnroll.

If during the enrollment process, the DNS <A> record is not located automatically, MDM client on the device prompts the user to enter the MDM Enrollment Server name. You should provide your users with a friendly server name so they can resolve the DNS record and successfully enroll. Another option for enrolling from an internal connection is to ensure that mobileenroll.domain.com resolves internally to the internal IP address, rather than the external one.

We recommend that you use the following best practices to publish a server that is running IIS to the Internet:

  • Use a product, such as ISA Server 2006, to use its capabilities to make the IIS instance available to an external client in a more secure manner.

  • Make the computer that is running MDM Enrollment Server more secure by running the Security Configuration Wizard that is available in Windows® Server® 2003 SP1, and then follow the Web Server template. This is also known as hardening a server.

MDM VPN Diagnostics Tool displays VPN configuration and status to help you to diagnose managed device issues that are due to incorrect VPN configuration. You can also generate managed device report log files to send to a diagnostics team for further analysis. To download MDM VPN Diagnostics Tool, see MDM Client Tools at this Microsoft Web page: http://go.microsoft.com/fwlink/?LinkID=108953 .

Configure Device Access for LOB Applications

Consider the following best practices and recommendations when you configure managed device access to LOB applications.

  • You must address LOB applications on a case-by-case basis to determine which ports are used. The administrator who designs and implements MDM should make sure that they know whether internal LOB applications use IP ports other than TCP 443. After you determine which ports are used, decide how you should configure firewall rules to enable access for specific LOB applications while you minimize the unnecessary security exposure of configuring access that is more general.

  • Although most mobile-enabled applications are transported end-to-end over TCP 443 (SSL) within the MDM IPsec session, MDM does not limit the ports that a customer application can use. MDM and MDM Gateway Server, in particular, are the mechanisms by which to achieve connectivity more securely. Customer application needs will vary. For example, you may decide to change firewall rules to enable LOB applications to transport over TCP 443 for specific servers instead of to configure firewalls to enable all TCP 443 traffic.

  • Examples of infrastructure applications that you must enable to traverse the internal firewall are DNS (UDP 53) and Remote Desktop Protocol (RDP) (TCP 3389).

Configure Device Access to External (Internet) Resources

Consider the following best practices and recommendations when you configure managed device access to network resources outside the company network.

  • In MDM, the device-to-gateway connection is in an always-up state and all traffic routes through MDM Gateway Server.

  • By default, IPsec split-tunneling is turned off in MDM as a best practice. By turning off split-tunneling, you can make sure that you enforce company policy on permitted Web sites and content for managed device users.

  • When a managed device successfully connects to MDM, MDM Gateway Server issues the device an internal IP address. If the IP address is a public (routable) IP address, you do not have to take additional action except to make sure that the correct ports are open.

  • If the address range used for issuing client addresses is part of the RFC1918 range, the outgoing client session must be subject to Network Address Translation (NAT) or proxying. Without proxying, the managed device user cannot access the Internet.

  • Regardless of whether the outgoing client session is subject to proxying, MDM Gateway Server must route the addresses issued to the managed device pool correctly in order to enable egress. The rules must exist on the external firewalls to enable managed device traffic to pass through HTTP and SSL.

To see a list of default port configurations for MDM Gateway Server operation, and to track port configuration changes that you make for MDM deployment, see MDM Deployment Worksheets.