
Symantec MDM Server in the DMZ or Internal

Created: 27 Jul 2012 | 16 comments

Will my MDM Server be parked in the DMZ/Internet zone or internally? We prefer it internally because today our BES is internal.

I was reading the guide, where Android users have to fill in a web link to connect to the MDM Server, so I was wondering whether it has to be on the internet?



WildPacket:

I am using an Android (Samsung Galaxy Note) for testing and using Mobile MGMT - Enroll, and it's asking for the address of an enrollment server or an email address.

I am entering the following, but it cannot access it since the server is not on the internet:

https://serverame/MobileEnrollment/SYMC-androidenroll.aspx and I even tried my email, but the enrollment fails.

Thank you .....

Mina Gerges:


If you don't want to publish your MDM server on the internet, then you have to use internal Wi-Fi for the devices; also keep in mind this means that devices will ONLY be able to communicate with the MDM when they use that corporate internal Wi-Fi.

This might be your approach, but the purpose of MDM is to control the devices whenever they have internet access anywhere.

If you have security considerations, it is recommended to use a reverse proxy.

WildPacket:

Thank you for your response.

I guess the best solution is to park it in the DMZ. And I also guess there must be a users/admin guide on how to set up the MDM in the DMZ, which ports to open, etc!!! Where can I find that information???


HighTower:

Our MDM services are in our internal network but we're using our Citrix Netscaler as a reverse proxy and have an alias published on the Internet.

We've also found that the product does not support wildcard certificates and that Symantec has little to no documentation for how to configure a reverse proxy for MMS using anything other than IIS.

WildPacket:

Thanks HT.

I am quite frustrated at this point with the unavailability of the documentation, or I am not able to find it.

We would prefer to have our Symantec MMS on the internal LAN so it can talk to SQL, Exchange and AD.

HighTower:

That's what I've done.  What do you need help with?

WildPacket:

Much appreciated HT. 

I have downloaded a 30-day trial and am fiddling around. I have figured a few things out with people like yourself assisting me here. Currently I am trying to register/enroll a test Android I have, but no luck so far ... still trying to find the documentation.

It appears I have to create a group in AD, add a user to that group and assign this Android to that user.

Plus, I am not sure at this point how my Android will talk to my Symantec Mobile Server. We also have our own Root CA. But we want the users to be able to register using their email address no matter where they are. It appears I will need a proxy server set up in my DMZ pointing back to our SymMobile Server in the LAN.

HighTower:

I haven't gotten to the point of working with Android devices yet but I'll tell you what we did to get iOS devices working.  I suspect that there are similarities.

1.  Configured a Microsoft NDES server.

2.  Configured a reverse proxy.  You need to register an external DNS name for your mobile server and sign that address with an externally-generated cert (from GoDaddy or Verisign or wherever).

3.  Configured an external TXT record to translate the enrolling email address to the desired URL for device enrollment.

Included in this link is a copy of the Best Practice Guide for 7.1.  Since full Android support didn't appear until 7.2 there will be some holes here, but the underlying infrastructure is still the same.

There are many moving parts to this and admittedly I was over my head for much of it.  That said, the most difficult part was getting our reverse proxy working because we'd not constructed the type of rules in our Netscaler that we needed to use before.  It was "difficult"... it was a learning experience for our network team.

If all else fails contact Symantec or a partner to help you do your Proof of Concept. 
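A worked version of the publishing checks behind steps 2 and 3 above, as an added example (not Symantec's code or HighTower's setup): it translates an enrolling e-mail address into an enrollment URL through a domain TXT record, then flags URLs that would leak an internal name or bypass TLS, and rejects wildcard certificate names since the product does not support them. The `mdm-enroll=` record layout, the host names and the sample records are constructed placeholders; the thread does not state the product's real record format.

```python
"""Enrollment discovery and publish-name checks for an MDM server that sits
on the LAN behind a reverse proxy.  Added example, not the product's code."""
from urllib.parse import urlsplit

# Constructed sample: TXT records an external resolver would return per domain.
# "mdm-enroll=" is a hypothetical key, not the product's documented format.
SAMPLE_TXT = {
    "example.com": [
        "v=spf1 -all",
        "mdm-enroll=https://mdm.example.com/MobileEnrollment/SYMC-androidenroll.aspx",
    ],
    # Misconfigured domain: plain http and an internal single-label host name.
    "corp.example": [
        "mdm-enroll=http://mmsserver01/MobileEnrollment/SYMC-androidenroll.aspx",
    ],
}


def enrollment_url_for(email, txt_records=SAMPLE_TXT):
    """Map the e-mail domain to its enrollment URL via the TXT record lookup."""
    domain = email.rsplit("@", 1)[-1].lower()
    for rec in txt_records.get(domain, []):
        if rec.startswith("mdm-enroll="):
            return rec.split("=", 1)[1]
    return None  # no discovery record published for this domain


def publish_problems(url, published_name):
    """Return the reasons a discovered URL should not be handed to devices."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("not https")
    host = parts.hostname or ""
    if "." not in host:
        problems.append("single-label (internal) hostname")
    if host != published_name.lower():
        problems.append("host differs from published external name")
    return problems


def cert_name_acceptable(cert_names, published_name):
    """Accept only an exact, non-wildcard match against the external name,
    because the reverse-proxied product rejects wildcard certificates."""
    names = [n.lower() for n in cert_names]
    if any(n.startswith("*") for n in names):
        return False
    return published_name.lower() in names
```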

WildPacket:

Thanks HT.

Thanks for the detailed response.

Why do we need Microsoft NDES? I was thinking we receive certificates from Symantec and push those to the Androids?

I am reading the other links you provided.

HighTower:

SCEP/NDES is a product requirement.  It's in the release notes on page 6:

The Simple Certificate Enrollment Protocol/Network Device Enrollment Service allows you to easily assign an authorization certificate to a device that's registered by a user.  It's a key feature that allows your non-domain mobile device assets to use some domain services.  Actually, we'll be configuring our Exchange ActiveSync system to require the issued SCEP cert in order to access ActiveSync.  No cert, no mobile mail...

The certificates that you get from Google or Apple are used to route commands through their Notification Systems.  MDM doesn't issue commands directly to the phone.  Apple's Push Notification System is the same thing that puts the little red numbers on applications... like an email has arrived, or whatever.  The way Apple and Google have designed their infrastructure is that you route your commands through them instead of you talking directly to a device like what you're familiar with on computer management.

HighTower:

We're also using a 2003 CA.  However, you need to use 2008R2 for your NDES and you'll need to update your AD schema to 2008R2 (you don't need to upgrade AD itself).

WildPacket:

Thanks HT.

I understood that we configure NDES/SCEP on the server where the Root CA is running?

And in our case it's on Windows 2003, so we need SCEP??? Advise please...

HighTower:

The 2003 version of NDES is not supported for this product.

It's best practice to set up a separate 2008R2 server for your NDES. And the Windows 2008R2 AD schema is required. You do not need to upgrade your Active Directory itself.

FYI, these requirements are the same for all of the major MDM products that are on the market. They all basically work the same way, so you won't avoid these issues if you choose to use a different vendor's product.

WildPacket:

HT - Thanks!

Let me check that out ...

We have our AD schema prepped already since we have so many DCs running 2008R2.

WildPacket:

HT - I know this is a question for the Windows forum, but I'm going to throw out my question ....

When I create the first certificate template using my Windows 2003 Root CA, I duplicate the "Exchange Enrollment Agent (Offline request)" template. When I am done and click Apply, I see the new template I called "NDES Exchange enrollment (offline request)", and under minimum supported CAs it shows Windows Server 2003, Enterprise Edition.

I am following it here (under Duplicate Certificates > point 4).

It should show Windows 2008 Enterprise here?