After the VPN tunnel is established, the managed Windows Mobile device sends a request to Mobile Device Manager (MDM) Device Management Server through MDM Gateway Server. Based on the local routing settings, MDM Gateway Server routes the message directly to MDM Device Management Server through the internal firewall. MDM Device Management Server pushes a Group Policy setting to the managed device. These settings include the client VPN proxy and an exception proxy. The client proxy becomes active. Unless listed in the proxy exception list, all traffic that uses the connection manager on the managed device, including Open Mobile Alliance Device Management (OMA DM) traffic, now routes through this proxy.

The following illustration shows how this is a direct process between MDM Device Management Server and the managed device. MDM Gateway Server only forwards network traffic to and from the managed device.

The first time that the managed device successfully connects your company network by using MDM Gateway Server, it communicates with MDM Device Management Server to report its configuration and to check for updates. The following steps detail this process:

  1. After the device connects to MDM Gateway Server, it begins an OMA DM connection to MDM Device Management Server.

  2. MDM Device Management Server authenticates the managed device by using IIS Active Directory Certificate Mapping, which uses the machine certificate for that device, the SSL authentication process, and Active Directory® Domain Service machine account mapping. There is a one-to-one mapping between the machine certificate and the domain machine account.

  3. MDM Device Management Server configures the managed device with an initial connection schedule and then queries the device for information about its current configuration. When the query returns, the device disconnects.

  4. MDM Device Management Server calculates the Group Policy and the initial managed applications that are required for the device. These settings are calculated and cached as OMA DM commands in the MDM database to use when the client connects again.

  5. The device reconnects to MDM Device Management Server by using the schedule it received during the first connection. At this point, MDM Device Management Server pushes the OMA DM commands to the device to configure it.

  6. After the initial schedule and changes are complete, the device is set to a default reconnection schedule of eight hours. The administrator can change this setting.

  7. If the device has to receive Group Policy or software packages, MDM Device Management Server pushes these settings through MDM Gateway Server, down the IPsec tunnel, and to the device.

Internet Access

Before it is provisioned with proxy settings, the client might be unable to access the Internet. After it is provisioned with proxy settings, the managed device sends an HTTP request to an Internet Web site. The managed device checks the URL within the request, and then sends the request to the provisioned proxy through the VPN tunnel. When the request from the managed device arrives, the MDM Gateway Server queries the local routing table to see how to route this traffic to the Web proxy. The proxy receives the message, applies the proxy policy, changes its source IP address to a routable Internet IP address, and then sends the IP address back to the Internet.