I’m not going to spend a lot of time explaining the “why’s” of this exercise. This is just a quick guide to how you can publish the Enrollment Server of System Center Mobile Device Manager 2008 through ISA Server 2006. It is highly recommended to use some reverse proxy in front of the Enrollment Server – this does not have to be ISA Server, but you should have something in place.
The Enrollment Server can be published at any address you prefer, but devices trying to enroll will always try to look for mobileenroll.domain.com first. If you configure it to be available at enroll.domain.com that is ok, but the user then needs to provide this address instead. Configuration of SCMDM and the Enrollment Server is already covered in previous articles: http://mobilitydojo.net/2008/09/22/system-center-mobile-device-manager-2008-install-guide-no-gateway-part-1/
For the purposes of this article it is assumed you already have certificates installed on both the Enrollment Server and the ISA Server. In my scenario the DNS name is https://mobileenroll.mobilitydojo.net on both servers, and both certificates are issued by my internal CA. (You do not need to purchase a certificate from an external CA.) I’ll also assume you are comfortable with ISA Server as well, and know your way around its interface.
Publishing in ISA Server consists of two parts:
- Creating a web listener.
- Creating a publishing rule.
Creating the Web Listener:
It is “just” a matter of following the wizard. The important part is the authentication part which is configured to “No authentication”. This may sound strange, but SCMDM handles this internally, and there is no “secret” info if you should happen to surf to this page. (Remember: this is a basic scenario, you are free to modify it to suit your needs.)
Creating the Web Publishing rule:
Same thing here – follow the wizard. I’ll comment on those points that need an explanation.
If the ISA Server is not able to look up the internal IP address through DNS you should specify it in the “Computer name or IP address”-textbox, but remember that the certificate must match the “Internal site name”.
As the wizard says, entering a path in addition to the name is optional. It might be a good idea to specify the path to restrict access further. If you want to do this, the path you will need is “EnrollmentServer/Service.asmx”.
If you entered the path in the screenshot above you probably want to do the same thing externally – enter the same path below.
Select the Web Listener we created in the first part of this procedure.
We don’t use authentication, and thus there is no need to delegate authentication either.
We’ll apply this rule to all users. (Since we’re not authenticating it doesn’t make sense to apply to a group of users.)
Hit the “Finish”-button after using “Test Rule” to see if there are any errors in your setup.
At this time, hopefully it’s “Hey, it works!” after you’ve applied the settings in ISA Server.
To verify that it works:
Open up https://mobileenroll.domain.com/EnrollmentServer/Service.asmx in a browser (from an external IP address), or try to enroll a WM 6.1 device.
What it should look like if it checks out ok in Internet Explorer:
What it looks like in ISA Server Traffic Simulator:
(Service Pack 1 for ISA Server 2006 is needed for this utility.)
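To automate the verification step above, here is an added Python probe (not part of the original article) that checks what the two wizards set up: a certificate valid for the published name (verified against an exported copy of the internal CA, since a normal trust store will not know it), a 200 from EnrollmentServer/Service.asmx, a refusal for paths outside the rule’s path restriction, and that nothing answers on plain HTTP. The host name and CA file name are placeholders you replace with your own.

```python
import http.client
import socket
import ssl

HOST = "mobileenroll.domain.com"   # assumed published name (placeholder)
CA_FILE = "internal-ca.pem"        # assumed: exported certificate of the internal CA
ALLOWED_PATH = "/EnrollmentServer/Service.asmx"
# with a path on the publishing rule, only ALLOWED_PATH should be served
PROBE_PATHS = ["/", "/EnrollmentServer/", ALLOWED_PATH]

def https_status(host, path, cafile=None, timeout=10):
    """GET path over TLS; the default context verifies the chain and that the
    certificate name matches host, so a wrong certificate raises ssl.SSLError."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    conn.request("GET", path)
    status = conn.getresponse().status
    conn.close()
    return status

def plain_http_open(host, timeout=5):
    """True if anything answers on tcp/80; the web listener should be HTTPS only."""
    try:
        with socket.create_connection((host, 80), timeout=timeout):
            return True
    except OSError:
        return False

def evaluate(statuses, allowed_path, http_open):
    """statuses: {path: HTTP status, or None if TLS/certificate verification failed}.
    Returns a list of findings; an empty list means the publishing checks out."""
    findings = []
    for path, status in statuses.items():
        if status is None:
            findings.append(f"{path}: TLS handshake or certificate check failed")
        elif path == allowed_path and status != 200:
            findings.append(f"{path}: expected 200 from the Enrollment Server, got {status}")
        elif path != allowed_path and status == 200:
            findings.append(f"{path}: served although it is outside the published path")
    if http_open:
        findings.append("tcp/80 answers; the web listener should be HTTPS only")
    return findings

def run(host=HOST, cafile=CA_FILE):
    statuses = {}
    for path in PROBE_PATHS:
        try:
            statuses[path] = https_status(host, path, cafile)
        except (ssl.SSLError, OSError):
            statuses[path] = None   # certificate/name mismatch or connection failure
    return evaluate(statuses, ALLOWED_PATH, plain_http_open(host))
```

Run it from a machine outside the ISA Server, as the guide says, and print `run()`; an empty list means the listener, certificate and path restriction behave as configured.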


nice walkthrough.
Wouldn’t you need to publish the DMS also through the ISA? So you can manage the devices after enrollment?
This depends on your specific infrastructure. Ideally you would be using a gateway server, and the devices would then need to communicate through the gateway, and not require direct access to the DM server. (This would obviously need some firewall settings properly configured between the GW and DM.)
You can skip the GW, and let devices access the DM directly, and in this case you would need to publish the DM as well.
This guide was only intended to cover the very specific scenario of publishing the enrollment server (as this would be needed in most scenarios), but I might cover some other ISA scenarios in later articles.
Ran into it on a non-gateway setup, so I added 8443 to the DMS. Seems a bit strange that they don’t use ISA better; it could be published only using SSL on one external address.
Again thanks for some great articles.
It’s positive feedback, and seeing that there are people using the articles that drives me to writing these articles. I know how frustrating it can be to install servers without enough docs to guide you.
The decision to de-emphasize ISA is probably the Gateway, and its inability to function 100 percent behind NAT.
If you’re not using the GW it is possible to make it work with one external IP address. (You need two DNS records, and SSL certs but there’s no cost associated to that.)
You’ll have to perform some ISA tricks to chain an external and internal listener together. (Since you can’t use multiple authentication methods on one listener.)