Mobile Device Manager (MDM) Gateway Server is the pivotal access point for managed devices. Typically, this server is installed in your perimeter network, where a defense-in-depth approach helps protect your company network. MDM Gateway Server is a stand-alone gateway that faces the Internet from inside the perimeter network. Typically, it is not domain-joined and shares no accounts or passwords with your company domain. It does not use Active Directory Domain Services, NTLM, or Kerberos to authenticate devices, because each of these would require MDM Gateway Server to be domain-joined or to store domain credentials, and a compromise of the Internet-facing gateway would then expose those credentials to the attacker.

MDM Gateway Server authenticates incoming connection requests by an offline certificate evaluation: it validates the device's machine certificate against the trusted issuing certification authority without contacting a domain controller or any other server on the internal network. This allows an end-to-end SSL session to be maintained between the client application and the MDM application servers.
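The following Go program is an added example of the offline certificate evaluation described above; it is not MDM code and does not reproduce the MDM enrollment PKI. It assumes a constructed device-enrollment CA ("Contoso Device CA"), constructed device IDs, and a second, untrusted CA ("Rogue CA"), and shows the gateway-side check that a stand-alone, non-domain-joined server can perform with nothing more than the trusted CA's public certificate: chain validation, client-authentication extended key usage, and validity period. It also shows the two failure modes a practitioner should confirm are rejected, a certificate from an unknown issuer and an expired certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// randomSerial returns a fresh 64-bit certificate serial number.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
}

// newCA builds a self-signed issuing CA. It stands in for the company's device
// enrollment CA (a constructed example). The gateway only ever needs this CA's
// public certificate, never its private key or any domain credential.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert issues a client-authentication machine certificate for a
// device, signed by the given CA. The device ID is a constructed value.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    notAfter.Add(-2 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// authenticateDevice is the gateway-side check: the presented certificate must
// chain to a trusted device CA, carry the client-authentication EKU and be
// inside its validity period at connection time. Nothing here consults a
// directory or uses NTLM/Kerberos, so a non-domain-joined gateway can run it.
// On success it returns the device identity that access decisions are made on.
func authenticateDevice(trusted *x509.CertPool, cert *x509.Certificate, now time.Time) (string, error) {
	opts := x509.VerifyOptions{
		Roots:       trusted,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("device certificate rejected: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey, _ := newCA("Contoso Device CA")
	rogue, rogueKey, _ := newCA("Rogue CA")
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // the only trust material the gateway holds
	now := time.Now()
	good, _ := issueDeviceCert(ca, caKey, "device-0001", now.Add(time.Hour))
	forged, _ := issueDeviceCert(rogue, rogueKey, "device-0002", now.Add(time.Hour))
	expired, _ := issueDeviceCert(ca, caKey, "device-0003", now.Add(-time.Minute))
	for _, c := range []*x509.Certificate{good, forged, expired} {
		if id, err := authenticateDevice(trusted, c, now); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", id)
		}
	}
}
```

The trust pool deliberately contains only the device CA, not the system root store, so a certificate from any public CA is rejected exactly like the "Rogue CA" certificate; a gateway that trusted the whole system store would accept any client certificate an attacker could buy. Revocation is the one check this offline evaluation cannot do without some out-of-band feed (a pushed CRL, for example), and it is worth verifying how the deployed gateway handles that.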

The following illustration shows the detailed architecture of MDM Gateway Server:

MDM Gateway Server has the following components:

After a managed device establishes a valid IPsec tunnel with MDM Gateway Server, it can access those IT services on your company network to which the administrator has granted it access. A connection to a company IT service to which the user is denied access will fail.

The internal-facing and external-facing interfaces of MDM Gateway Server must be on separate subnets.