Although we planned the previous scenario without a Gateway Server, and got it working, it was inevitable that we would have to install a gateway as our next exercise.
We will be building on top of our existing “infrastructure”, reconfiguring some settings rather than doing it all from scratch, so you may want to review the first guide:
http://mobilitydojo.net/2008/09/22/system-center-mobile-device-manager-2008-install-guide-no-gateway-part-1/
This server is also a virtual box, running Windows Server 2003 R2 x64, 2 GB RAM, etc.
To start off, make sure you set the FQDN of the server even though it is not domain-joined. (This is done manually through the “Change” button under the computer name, by setting the primary DNS suffix.)
Just like the other servers there are some prerequisites on this box as well:
- Install IIS
- Install PowerShell
- Install MBCA
- Install SCMDM BPA
With the Gateway Server you should also run the BPA first, but this one is a little different. If you run the Pre-Deployment Scan on the Gateway itself you will very likely get a big red error with no explanation. What we actually want to know about the Gateway is whether it is reachable from the DM server. So click “Enable Port Listener” in the BPA on the Gateway Server, then run the BPA from the DM Server, testing the Gateway role and pointing it at the GW Server. You will either get green lights or warnings telling you what to fix.
Installing Certificates
Before installing the Gateway Server you have to install certificates – the Root CA, and a Gateway certificate.
There are two methods for getting this in place; either creating files and submitting directly to the CA, or a web-based GUI. TechNet Library documents the non-graphical way, but for this scenario I’m choosing the web. This is possible in our scenario since there are no firewalls, and the internal interface of the Gateway is directly connected to the LAN.
Open http://md-dc-ca.mobilitydojo.net/Certsrv in your browser. (Add the site to “Trusted sites” for the scripts to work correctly.) Click “Download a CA certificate, certificate chain, or CRL”.
If you choose the “Install” option the certificate lands in the current user's store, not the local computer's, so choose “Download CA certificate” instead.
Start a new MMC: File -> Add/Remove Snap-in -> Certificates (Local Computer). Right-click “Trusted Root Certification Authorities”, choose “Import”, and follow the wizard.
Then comes the more “tricky” part of generating and installing the certificate for the Gateway server itself. If you’ve still got your web browser open click “Home”, and then click “Request a certificate”.
Choose “advanced certificate request”, then “Create and submit a request to this CA”.
Type in the FQDN of the server in the name field.
Scrolling down the page fill in the “Friendly name:”-field. (You can put anything you like here.)
And this is important: Check “Store certificate in the local computer certificate store” or the certificate will be installed in the user certificate store (which will not work).
Click “Submit”, and “Yes” in the warning popup.
Click “Install this certificate” and acknowledge the same warning.
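As an added check (example code written for this guide, not part of the original post or of SCMDM), the following PowerShell script verifies on the Gateway Server that both certificates ended up where the installer expects them: the CA certificate in Local Computer\Trusted Root Certification Authorities, and the gateway certificate in Local Computer\Personal with its private key and a chain that builds up to the root. The gateway FQDN and the CA name substring are assumptions taken from this lab. It uses only the .NET X509Store classes, so it runs under PowerShell 1.0 on Windows Server 2003.

```powershell
# Added example for this guide (not code from the original post or from SCMDM).
# Run on the Gateway Server. Assumed lab values; change them for your environment:
$gatewayFqdn = "md-gw.mobilitydojo.net"   # the name you typed into the request form
$rootCaMatch = "md-dc-ca"                 # a substring of the lab CA's subject name

function Get-StoreCerts([string]$storeName, [string]$location) {
    # Opens e.g. "My"/"LocalMachine" read-only and returns its certificates as an array.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, $location)
    $store.Open("ReadOnly")
    $certs = @($store.Certificates)
    $store.Close()
    return $certs
}

# 1. The CA certificate must be in Local Computer\Trusted Root Certification Authorities.
#    The "Install" link on certsrv puts it in the *user's* root store, which the gateway ignores.
$rootCerts = @(Get-StoreCerts "Root" "LocalMachine" | Where-Object { $_.Subject -like "*$rootCaMatch*" })
if ($rootCerts.Count -eq 0) {
    Write-Host "FAIL: CA certificate not found in Local Computer\Trusted Root Certification Authorities"
} else {
    Write-Host ("OK:   root CA present: " + $rootCerts[0].Subject)
}

# 2. The gateway certificate must be in Local Computer\Personal and carry its private key.
$gwCerts = @(Get-StoreCerts "My" "LocalMachine" | Where-Object { $_.Subject -like "CN=$gatewayFqdn*" })
if ($gwCerts.Count -eq 0) {
    # Usual cause: "Store certificate in the local computer certificate store" was left unchecked,
    # so the web enrollment page put the certificate in the current user's store instead.
    $userCerts = @(Get-StoreCerts "My" "CurrentUser" | Where-Object { $_.Subject -like "CN=$gatewayFqdn*" })
    if ($userCerts.Count -gt 0) {
        Write-Host "FAIL: gateway certificate is in Current User\Personal, not Local Computer\Personal; request it again with the local computer box checked"
    } else {
        Write-Host "FAIL: no certificate with CN=$gatewayFqdn found"
    }
} else {
    $gw = $gwCerts[0]
    if ($gw.HasPrivateKey) { Write-Host "OK:   gateway certificate has its private key" }
    else { Write-Host "FAIL: gateway certificate has no private key (was it exported and re-imported without it?)" }

    # 3. The chain must build to the root imported in step 1. A RevocationStatusUnknown
    #    status means the CA's CRL distribution point is not reachable from this box.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if ($chain.Build($gw)) {
        Write-Host ("OK:   chain builds; certificate valid until " + $gw.NotAfter)
    } else {
        Write-Host "FAIL: chain does not build for the gateway certificate:"
        foreach ($s in $chain.ChainStatus) { Write-Host ("      " + $s.Status + " - " + $s.StatusInformation) }
    }
}
```

The script only reads the stores and reports; if it prints a FAIL for the gateway certificate, redo the web request with the local computer box checked rather than trying to move the certificate between stores, since the private key stays behind in the user's profile.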
Installing Gateway Server
You are now finally ready to install the Gateway Server.
The IP address you enter here must be the one assigned to the internal interface of the Gateway Server. When your Device Management Server resolves the Gateway address through DNS it must resolve to this IP.
Browse and choose the certificates you installed in the previous step.
And “Finish”. (Checking “Open the New Gateway Wizard Help” will just bring up a help file so we don’t need to check that.)
Configuring the gateway
Now it's on to configuring the Gateway. I spent a long time troubleshooting a connection problem here, so to make sure you don't run into the same thing later on, verify the following:
The Gateway Management Web site (in IIS) must be configured to accept requests for the internal IP (the same you specified during the install process.) If not the Gateway will not accept connections from your DM Server (and you’ll get an “Unreachable” error).
You should also check your loopback settings (I disabled this on my server):
http://support.microsoft.com/kb/896861
Since we previously did not use a Gateway we need to change the enrollment configuration to reflect this. This is done with two cmdlets:
Set-EnrollmentConfig -GatewayURI md-gw.mobilitydojo.net
Set-EnrollmentConfig -ActivateVPNbyDefault:$true
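To make the IIS binding and loopback checks above repeatable, here is an added PowerShell example (written for this guide; not from the original post or from SCMDM) to run on the Gateway Server. It reads the IIS 6 site bindings through the IIS WMI provider and the loopback-check value that KB 896861 describes. The internal IP is the lab value from this post; matching the site by the text “Gateway Management” in its IIS description is an assumption. The two Set-EnrollmentConfig cmdlets are SCMDM's own and are not repeated here.

```powershell
# Added example for this guide (not code from the original post or from SCMDM).
# Run on the Gateway Server (Windows Server 2003 / IIS 6). Assumed values:
$internalIp = "192.168.10.40"      # internal interface, as entered in the Gateway installer
$siteMatch  = "Gateway Management" # assumed: text found in the IIS web site's description

# 1. The Gateway Management web site must accept requests for the internal IP.
#    IIS 6 keeps HTTP bindings in ServerBindings and HTTPS bindings in SecureBindings;
#    an empty IP means "All Unassigned", which covers the internal IP as well.
$sites = @(Get-WmiObject -Namespace "root\MicrosoftIISv2" -Class IIsWebServerSetting |
           Where-Object { $_.ServerComment -like "*$siteMatch*" })
if ($sites.Count -eq 0) { Write-Host "FAIL: no IIS web site whose description contains '$siteMatch'" }

foreach ($site in $sites) {
    $listens  = $false
    $bindings = @()
    if ($site.ServerBindings) { $bindings += $site.ServerBindings }
    if ($site.SecureBindings) { $bindings += $site.SecureBindings }
    foreach ($b in $bindings) {
        $shownIp = $b.IP
        if ($shownIp -eq "") { $shownIp = "All Unassigned" }
        Write-Host ("      " + $site.ServerComment + " listens on " + $shownIp + ":" + $b.Port)
        if ($b.IP -eq $internalIp -or $b.IP -eq "") { $listens = $true }
    }
    if ($listens) {
        Write-Host "OK:   $($site.ServerComment) accepts requests for $internalIp"
    } else {
        Write-Host "FAIL: $($site.ServerComment) is not bound to $internalIp; the DM server will report it as Unreachable"
    }
}

# 2. Loopback check (KB 896861). The registry value below is the method the KB describes
#    (DisableLoopbackCheck = 1 under the Lsa key); this guide disables the check.
$lsa = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
if ($lsa.DisableLoopbackCheck -eq 1) {
    Write-Host "OK:   DisableLoopbackCheck = 1 (loopback check off)"
} else {
    Write-Host "WARN: loopback check is on; if the gateway rejects requests to its own name, see KB 896861"
}
```

The script changes nothing; it only reports. Add the internal IP in the web site's properties (and the loopback value, if you choose to) by hand and run it again until both lines say OK.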
Adding the Gateway Server
Now we're getting there. The last step I perform before adding the Gateway is logging on to the Domain Controller and creating a DNS (A) record for md-gw.mobilitydojo.net resolving to 192.168.10.40, the internal interface.
Open up your MDM Console, find “Gateway Management” on the left, followed by “Add MDM Gateway Wizard” on the right.
The name can be anything you like.
The external IP address is the one assigned to your external interface. In my scenario the external interface is connected to another private IP range, but in a real deployment it would be a “proper” external IP address. NAT will not work! The gateway is meant to be directly connected to the Internet. (A firewall in front is OK, as are other mechanisms that don't introduce address translation.)
The “Name”-field should match up with the DNS record we created.
Add an IP address pool for the devices. Devices are assigned addresses in this range dynamically. The range must not be an existing subnet; it is “virtual” in the sense that no servers or other computers should have addresses in it. You can only specify complete subnet ranges; reserving only 192.168.20.10 – 192.168.20.50 would not work. Whether outbound traffic is routed through the Gateway's default gateway or through another gateway you specify is up to you.
We don't have a lot of servers here, so I'll only specify the Domain Controller, which by its nature is also a DNS server.
The console needs a moment or two to connect and exchange some data before the new Gateway shows up in the list.
If its “Sync State” is not up to date, this is where you start troubleshooting…
Enrolling a device
Before you try to enroll a device we need to fix one more thing. I have created a separate subnet for the devices, but I have not configured any routes to it, so my servers will not be able to communicate with the devices (and the devices will not be able to communicate with any servers). So run the following command on both your Gateway Server and your DM Server:
route -p add 192.168.20.0 mask 255.255.255.0 192.168.10.40
A minor detail at this point: I do not have a router in my infrastructure, so the route above is something of a workaround. You might remember that my virtual servers have their own private subnet with no default gateway defined. Between the servers this is fine because no routing is involved. The Gateway has an external interface that does have a default gateway; in my lab this is not a proper external interface facing the Internet but a different private IP range, and I don't want to interfere with any routing tables or static routes on that subnet. Waiting a while lets the Gateway Server work out its new routing table, and my device is then able to connect. This is a larger topic, and we are not doing it in a proper setting here anyway, so I'll leave it for now (work it out from the TechNet docs; maybe I'll expand on this later). It does mean, however, that you might have problems getting the devices to establish the VPN tunnel.
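The route and the DNS record are easy to get subtly wrong (a wrong next hop, or the name resolving to the external address), so here is an added PowerShell example, written for this guide and not from the original post or from SCMDM, to run on both the Gateway Server and the DM Server. It resolves the gateway name, confirms the persistent route that “route -p add” stores through the Win32_IP4PersistedRouteTable WMI class, adds it with the same command as above if it is missing, and pings the gateway's internal address. The pool, mask, IP and FQDN are this lab's values; substitute your own.

```powershell
# Added example for this guide (not code from the original post or from SCMDM).
# Run on both the Gateway Server and the Device Management Server. Assumed lab values:
$vpnPool     = "192.168.20.0"             # device address pool entered in the gateway wizard
$vpnMask     = "255.255.255.0"
$gatewayIp   = "192.168.10.40"            # gateway's INTERNAL interface
$gatewayFqdn = "md-gw.mobilitydojo.net"   # the A record created on the DC

# 1. DNS: the gateway name must resolve to the internal IP, not the external one.
$resolved = @([System.Net.Dns]::GetHostAddresses($gatewayFqdn) | ForEach-Object { $_.IPAddressToString })
if ($resolved -contains $gatewayIp) {
    Write-Host "OK:   $gatewayFqdn -> $gatewayIp"
} else {
    Write-Host ("FAIL: $gatewayFqdn resolves to [" + [string]::Join(", ", $resolved) + "], expected $gatewayIp")
}

# 2. Persistent route to the device pool (what 'route -p add' writes to the registry).
$routes = @(Get-WmiObject -Class Win32_IP4PersistedRouteTable |
            Where-Object { $_.Destination -eq $vpnPool -and $_.Mask -eq $vpnMask })
if ($routes.Count -eq 0) {
    Write-Host "ADD:  no persistent route for $vpnPool/$vpnMask; adding it via $gatewayIp"
    route -p add $vpnPool mask $vpnMask $gatewayIp   # same command as in the guide
} elseif ($routes[0].NextHop -ne $gatewayIp) {
    Write-Host ("WARN: route exists but its next hop is " + $routes[0].NextHop + ", not $gatewayIp")
} else {
    Write-Host "OK:   persistent route $vpnPool/$vpnMask via $gatewayIp"
}

# 3. Reachability of the gateway's internal interface from this box
#    (trivially OK on the gateway itself; the interesting result is on the DM server).
$ping  = New-Object System.Net.NetworkInformation.Ping
$reply = $ping.Send($gatewayIp, 2000)
if ($reply.Status -eq "Success") {
    Write-Host ("OK:   $gatewayIp answers ping (" + $reply.RoundtripTime + " ms)")
} else {
    Write-Host ("FAIL: $gatewayIp did not answer: " + $reply.Status)
}
```

Step 2 is the only part that changes the machine, and only by running the same route command the guide gives; a WARN there usually means the route was typed with the external address as next hop, which is the mistake the DNS check in step 1 also catches.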
To wrap things up I’ll have to test that it actually works with a device, and that the VPN configuration is activated upon successful enrollment.
This time we are prompted for a reboot after enrollment.
You'll quickly notice a new icon in the form of a “V” in the task bar when the device boots up again. This is what it looks like when the VPN tunnel is established.
To verify communication (just establishing the tunnel is not enough), ping the IP address of the device from the Device Management Server. To find the address to ping, look it up under “MDM Mobile VPN Connections” in Event Viewer.
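The tunnel icon alone does not prove the device is routable, as noted above. The following added PowerShell example (written for this guide, not from the original post or from SCMDM) automates the check: it reads the gateway's “MDM Mobile VPN Connections” event log remotely from the DM server, pulls out every device-pool address mentioned in recent entries, and pings each one. Three things are assumptions: that the name shown in Event Viewer is the log name, that the pool is the lab's 192.168.20.0/24 (the regex only matches that), and that you run it as an account allowed to read the gateway's event log over RPC.

```powershell
# Added example for this guide (not code from the original post or from SCMDM).
# Run on the Device Management Server after the device shows the "V" icon. Assumed values:
$logHost    = "md-gw.mobilitydojo.net"       # the gateway writes the VPN log; "." reads a local log
$logName    = "MDM Mobile VPN Connections"   # name as shown in Event Viewer (assumed to be the log name)
$poolRegex  = "\b192\.168\.20\.\d{1,3}\b"    # the lab's device pool; adjust to yours
$maxEntries = 500                            # how far back in the log to look

if (-not [System.Diagnostics.EventLog]::Exists($logName, $logHost)) {
    Write-Host "FAIL: no event log named '$logName' on $logHost (check the name in Event Viewer, and that RPC to the gateway is allowed)"
    return
}

# Walk the newest entries backwards and record each pool address the first time it is seen.
$log     = New-Object System.Diagnostics.EventLog($logName, $logHost)
$entries = $log.Entries
$devices = @{}
$stop = [Math]::Max(0, $entries.Count - $maxEntries)
for ($i = $entries.Count - 1; $i -ge $stop; $i--) {
    $entry = $entries[$i]
    foreach ($m in [regex]::Matches($entry.Message, $poolRegex)) {
        if (-not $devices.ContainsKey($m.Value)) { $devices[$m.Value] = $entry.TimeGenerated }
    }
}
if ($devices.Count -eq 0) {
    Write-Host "WARN: no pool addresses in the last $maxEntries entries; has a device enrolled and connected?"
}

# A tunnel that is "up" but has no route back from the servers shows up here as a failed ping.
$ping = New-Object System.Net.NetworkInformation.Ping
foreach ($ip in $devices.Keys) {
    $reply = $ping.Send($ip, 3000)
    if ($reply.Status -eq "Success") {
        Write-Host ("OK:   device " + $ip + " (logged " + $devices[$ip] + ") answers ping, " + $reply.RoundtripTime + " ms")
    } else {
        Write-Host ("FAIL: device " + $ip + " (logged " + $devices[$ip] + ") did not answer: " + $reply.Status + " - check the route to the pool and the firewall")
    }
}
```

Addresses from old sessions will also be listed (the log keeps them), so a FAIL for an address whose log time is hours old just means that device is no longer connected; a FAIL for the address logged a minute ago is the routing or firewall problem to chase.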
And with that we conclude the installation and configuration of a full working lab infrastructure for testing SCMDM2008. I’ll probably delve into “Best Practices” later on, and reconfigure parts of our lab to more closely mirror what you should do in a production environment.


I’d say that’s good progress
Now, it might be tricky getting the static routes properly configured as well, but getting the checked “V” is the hard part and you’re past that. You’ll be surfing the VPN tunnel in a short time.
Well everything is… working. But I’m still having one issue with routing. When I add the static route “route -p add mask 255.255.255.0 ” on every server I want to connect to everything is fine. So, I thought ok I’ll just add that static route to my firewall since the default gateway on my DM server is x.x.x.1 and that’s the interface on my firewall (Cisco ASA).
So once I added it, I removed the route from my DM server, and lo and behold I cannot ping my phone. Add the route and I can ping it. As you might imagine I do not want to have to add this route to EVERY server on my corporate intranet. I can ping it from the firewall itself so I am fairly certain the route is correct.
I do have source based routing turned on pointing to x.x.x.1 which is the default gateway of my DM server. (Seems if I change that I lose connectivity with my phone). It seems that once I remove the route from my DM server it should go to the firewall (Default Gateway) and find the route and do what it needs to do, but it’s not. Do you have any ideas/suggestions… I’m sooo close yet so far!
Tricky… Can’t say I’m much of a Cisco expert either, but I don’t understand why it doesn’t accept static routes on the router. I have defined the VPN pool as a network on my ISA Server, and then the routes are automatically added/configured. Maybe a config error on your Cisco?
You could run around adding the routes manually – if this is feasible depends on how many servers that should be able to reach the mobile devices. Maybe push out a script or a GPO.
Question: This statement…
The external IP address is the one assigned to your external interface. In my scenario my external connection is connected to another private IP range, but in a real live scenario it would be a “proper” external IP address. NAT will not work! The gateway is meant to be directly connected to the Internet. (Firewall in front is ok, as is other mechanisms that don’t introduce an address translation.)
Does this mean that NAT to the external interface will not work? I have a firewall in between my DS and my DMZ, but I cannot ping the internal or external interface of my Gateway Server from MY Device Management server. So I set up a mapping (basically NAT) 192.168.X.X -> 10.254.X.X. Will this NOT work?
NAT is unsupported, and if you assign an IP address in a private range the Best Practice Analyzer will mark this as an error.
I made an attempt to NAT the gateway through an ISA Server just to see if it was workable, but I wasn’t able to bring up the VPN tunnel. There might have been other issues as well with that setup, but I deemed it to not be worth more effort in my scenario. So I cannot guarantee that it’s not possible to get sort of working with a clever NAT arrangement, but it may be that it’s not possible.
Even if you are able to establish the VPN you would probably lose out on features like wipe now. (Where the server IP is verified, and the device will not execute this in a NAT scenario on the server side.) Dropping the gateway, and using just the Enrollment and Device Management server should work over NAT though, but then you’re not getting the VPN functionality…
So what you’re saying is if I have a mapping between my device management server and my gateway my VPN isn’t going to work?
I am able to communicate to my device from my gateway server using nat.
I am able to communicate to my gateway server from my device management server using nat..
I can communicate to my gateway server from my enrolled device.
So I guess the only thing I’m missing is being able to communicate to my device from my device management server.
I’m thinking it’s probably a firewall port issue, but I cannot seem to figure out which one. Anyway, I’m sure you’re sick of hearing me rant, so thanks for all your help in the past. And hopefully I can get this deployed soon enough.
Rants are allowed on this site – I do it too in some of my posts
NAT on the client side is ok. After all a lot of mobile operators will only give out NATed IPs to devices.
NAT on the external interface of the gateway is not ok. But as I said, this might be one of those things you can get working even though official docs states something else. (I didn’t, but I have a simple network and with some Cisco stuff maybe it’s doable.)
NAT in any way between the DM server and the Gateway I am unsure of. (I have private IP ranges in both the DMZ and the LAN, so the ISA server in between has a route relationship between these two subnets.) The gateway is only supposed to listen on the internal interface from the DM server. If this implies a block on the external…not sure. It will not accept management requests, but pings should be a different thing.
I’d love to give you a really good answer, but I’ll admit I don’t know all the facets of a complicated product like SCMDM
Hi Andreas
I had the same problem as SKA. I am connecting my device through ActiveSync at the gateway machine (VMware, in which I set up 2 NIC cards).
Using your tool, I have set the device to resolve to the external IP. I have also changed the ip address of the device to a static ip in the same subnet as the external IP at the network connection. However there is still no VPN. The IP shown on the mobile however belongs to that of a randomly assigned one ( probably thru DHCP).
I have run out of ideas to set up this POC. Please help.
Another question is can we establish mobile vpn using wired connection (activesync) in the first place?
There are two modes for connectivity through ActiveSync. Most devices have a setting called “Advanced USB connectivity” or something similar. If your device has an IP address starting with 169.254 it’s not going to work. If the device connects in “advanced” mode it will get an IP address in the same range as the computer it is connected to.
I cannot remember if I tested this scenario or not though. There are other things that are difficult to test however when the device is cradled so if you are not able to test over GPRS/3G I’d recommend setting up an Access Point and connecting the device through WLAN.
Hi Andreas,
I would like to check with you: for mobile VPN to work, is it necessary to connect to the internet? Currently my setup consists of the enrollment server, the gateway server and device manager, all in VMs. I have 2 NIC cards on the host machine. The gateway server is pointed to an AP. Basically that’s all for my setup.
The problem I saw when running BPA is basically:
-VPNAddress is not having External IP Address. VPNAddress should have the external IP address that a managed Windows Mobile powered device uses for remote virtual private network (VPN) connections to MDM Gateway Server. You can set this using Set-MDMGatewayServer cmdlet for specifying VpnAddress. Refer to Operations Guide for System Center Mobile Device Manager 2008
I am just trying to set up a simple POC as such there is no deployment need with an intention of using it for our company in the future.
No, it is not necessary to be connected to the internet. The BPA will flag a warning if you are using an IP address in the range 10.x.y.z, 172.x.y.z, or 192.x.y.z. But if you really are running the gateway for internal exposure only it should still work.
Thanks Andreas, your blog has been a great help to me. Now that I have set this up correctly, I went on to test the wipe now functionality. However, I still wasn’t able to see my expected wipe. Any idea what’s wrong?
If the gateway is NATed you will not get an “instant wipe”, but instead the device will be wiped on the next scheduled connection which by default is 8 hours. To test wipe in this scenario you should run updatepolicycalculation on the server, and then do a “Connect Now” on the device. (If it still doesn’t wipe there’s some other thing that’s not quite right…)
I don’t think my gateway is NATed. Haven’t added any NAT to it. I checked the event viewer under MDM Mobile VPN Connection. Peer behind NAT is false. However when I send the wipe command and check the MDM mobile VPN policy engine, it gives the error 5507. Something about the alerter having sent the maximum number of tries to the device but received no ack.
I read in a forum that installing SCMDM SP1 greatly improved the VPN experience. Does it include solving this problem?
My goal is mainly to show remote wipe as a POC. Hence i will definitely need the VPN and gateway server
Is your device able to route directly to the gateway, or does the traffic go through a router/proxy that might change the IP address? (Does the gateway.domain.com resolve to the actual IP assigned to the gateway?) The message of the peer being behind NAT relates to the device (and the device may be NATed – that’s not a problem). If the gateway receives no ACK from the device that might indicate a problem. Is your device establishing the VPN tunnel, and applying policies in general to the device?
SP1 solves a number of issues related to the VPN, so it’s definitely worth a try if all other things look good in your infrastructure.
My device connects to the wireless router as an AP, which assigns another IP address using DHCP (in the same subnet as the gateway). Using Host File Edit Pro, I ‘forced’ the device to recognise gateway.domain.com as the actual IP of the gateway. My device is able to establish a VPN tunnel as indicated by the VPN diagnostic tool.
Basically there is a VPN connection. However I am unable to push down policy immediately or wipe my phone immediately.
In terms of pushing policies, is it possible to push the policies immediately like “wipe now”?
Ok, your basic network config sounds good. Not sure if the device still might have NAT issues. As already mentioned SP1 improves on the situation server side, but there’s also some devices that have a buggy client. I can’t remember which build (of Windows Mobile) is required for the most bug-free experience.
But I assume that schedule wipe and policies work like they should? If not there’s most likely a routing issue.
There is no “instant policy”. Since SCMDM is designed to scale up to thousands of devices there are some issues with trying to apply policies to plenty of devices at a time. Though I agree it would be nice to have the feature nonetheless, as long as one knows how to use it. (Maybe for a new release of SCMDM – don’t know…)
Hi,
I managed to establish mobile VPN, as shown by the tick icon on my device.
However besides establishing that, I was not able to obtain a scheduled wipe or push down of any policies. I tried using the MDM connect now tool; other than establishing the session id, the last connection status shows unknown.
If you need any other information I will be glad to furnish you with it.
Thanks a lot dude
It’s progress, but yeah, this is a tricky one in some scenarios. Since you’ve got the VPN tunnel established communication between the device and the gateway server should be ok.
However it seems your device is not able to communicate with the device management server. Most likely reasons are routing and/or firewall issues.
I assume that the servers themselves are ok, show no errors, and that the gateway is receiving config from the DM server.
- Check the Event Viewer on the GW to see if an IP address was assigned to the device.
- Check if you are able to ping this IP from your servers.
- Check if you can ping your server from your device (vxUtil works great for this purpose).
- If this is ok try opening https://DM-SERVER:8443/TEE/Handler.ashx from your device. (Should be prompted for a certificate.)
Your router needs to be able to recognize the subnet the device is part of, so you need to verify there is a route both to and from this subnet.
Hi,
1. The Event Viewer on my GW shows that the device was assigned 192.168.20.4 (based on the network subnets for the IPsec remote address assignment).
2. I was unable to ping this IP from my gateway server (external facing is 172.16.12.11, internal was 192.168.165.15).
3. I was also not able to ping my gateway server from my device.
Clearly the handset was unable to communicate with the gateway server. Also to take note is I am using a hosts file edit to force the handset to know gateway.scmdm.local as 172.16.12.11. Pretty confusing for me.
This confirms that the device is able to establish the VPN tunnel, and communications between the device and gateway is ok.
Now, of course your firewall could be blocking ping requests for a reason, but I still think the routing is something to look into as well.
At this point I’d check the routes on the gateway server, and probably fire up Wireshark or Network Monitor to try and trace the traffic to see what happens. It can be quite tricky, but you are probably dealing with a configuration issue in your infrastructure.
DHCP issues:
Hey, I followed your guide, and in the end of the day I have a lab with working enrollment, management and Gateway server.
My devices connect via wifi to the external interface of the gateway, and to the external interface of the enrollment server.
The enrollment process works great, the device (Samsung omnia ) asks for a reboot, and then troubles start
For some reason, which I cannot figure out, the device cannot join our wifi network. After some Wireshark research it seems that there is something wrong with the DHCP or with the WiFi settings…
I can see DHCP offers but the client doesn’t take it. If I assign ip address manually, I can connect, and the client tries to connect to the gateway. However, even in this scenario, it cannot resolve the gateway’s ip address. Looking in wireshark I can see netbios requests (the client is trying to resolve the gateway’s address), which is strange since I have manually configure the dns server’s address in the client’s settings. Moreover, I cannot surf the web using these settings (the ip address statically set ), and I cannot see any dns requests from the client.
Any help will be very appreciated.
Thanks
Roee
WiFi can be a pain sometimes.
Are you enforcing that VPN must be connected? VPN should work over WiFi, but maybe there’s a conflict. Does it work connecting an enrolled device to the WiFi if VPN is disabled? And if you are able to get WiFi working, would it then be possible to connect the VPN tunnel manually afterwards?
I’m having a nightmare with this at the moment. I just can’t seem to create the Gateway Certificate, or request one from the root CA.
The CA is an x86 Server 2003 Enterprise server and all the other MDM servers are running x64 Server 2008 Std.
The error I am getting is:
Certificate not issued (Denied) Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Certificate Services policy: scmdmwebserver(Instance_Name). The requested certificate template is not supported by this CA. 0x80094800 (-2146875392)
Certificate Request Processor: The requested certificate template is not supported by this CA. 0x80094800 (-2146875392)
Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Certificate Services policy: scmdmwebserver(Instance_Name).
I am pulling my hair out trying to figure this out. Anyone have any ideas?
SCMDM is only supported on Windows Server 2003, not 2008 (or was that just a typo?)
I assume you’re installing SCMDM SP1? Have you performed all necessary ADConfig steps? (Check http://mobilitydojo.net/2008/12/30/scmdm-multiple-instance-deployment-part-1/ for the details.)
The error indicates that the templates either haven’t been created properly, or they aren’t enabled. Have you modified the templates, for instance upped the key length to 2048 or similar?
Hey Andreas,
I really need you opinion about a case, can you write to me? I will explain it all, please write to godog@supercable.net.ve. It about SCMDM, just an opinion.
Thanks a lot!