Because users are mobile, the Desktop Central Server should be reachable via a public IP address so that devices in both the LAN and the WAN can be managed at all times. There are two approaches to configuring the NAT settings, explained below:

 

Exposing Desktop Central Server to the Internet:

The Desktop Central Server should be reachable via a public IP address. You can configure the NAT settings so that all requests sent to the public IP address are redirected to the Desktop Central Server.

For devices within the LAN

If you use the same DNS name for both public and private IP, then all internal requests within the LAN will be directed through the internal DNS to reach the private IP without getting routed through the public IP.

For devices in WAN

Devices in the WAN use the DNS name to reach the public IP address, from which requests are directed to the private IP address.

It is recommended to use an FQDN instead of an IP address. You can also use self-signed or third-party certificates to ensure data security. Because certificates encrypt the communication sent to and from the server, corporate data stays secure on the internet. A third-party certificate identifies the server by its FQDN. To know more about using third party certificates, refer to this.
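The split-DNS behaviour described above for LAN and WAN devices can be checked with the following PowerShell script, which is an added example and not part of the Desktop Central documentation. The FQDN, the DNS server addresses and the public IP are placeholders, and the host running it is assumed to reach both resolvers.

```powershell
# Added example: compare the LAN and WAN answers for one FQDN (all defaults are placeholders).
param(
    [string]$Fqdn        = 'dc.example.com',  # placeholder FQDN of the Desktop Central Server
    [string]$InternalDns = '10.0.0.53',       # placeholder internal DNS server
    [string]$ExternalDns = '1.1.1.1',         # any public resolver reachable from this host
    [string]$PublicIp    = '203.0.113.10'     # placeholder public IP configured on the NAT device
)

# True when the IPv4 address falls in an RFC 1918 private range.
function Test-PrivateIPv4 {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Ask one specific DNS server for the A records of a name.
function Get-ARecord {
    param([string]$Name, [string]$Server)
    Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
}

$lan = @(Get-ARecord -Name $Fqdn -Server $InternalDns)
$wan = @(Get-ARecord -Name $Fqdn -Server $ExternalDns)

[pscustomobject]@{
    Fqdn         = $Fqdn
    LanAnswers   = $lan -join ', '
    WanAnswers   = $wan -join ', '
    # LAN clients should get only private addresses, so they are not routed through the public IP.
    LanIsPrivate = $lan.Count -gt 0 -and @($lan | Where-Object { -not (Test-PrivateIPv4 $_) }).Count -eq 0
    # WAN clients should get the NAT public IP and never a private address.
    WanIsPublic  = ($wan -contains $PublicIp) -and @($wan | Where-Object { Test-PrivateIPv4 $_ }).Count -eq 0
}
```

A private address in the WAN answers means the internal record has leaked into public DNS, and devices outside the LAN will fail to connect.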

 

Exposing Desktop Central Forwarding Server to the Internet:

This section explains how to manage desktops and devices without exposing the Desktop Central Server directly to the internet, by using a forwarding server. This keeps the Desktop Central Server secure from internet-borne risks and threats. The Desktop Central Forwarding Server is the component that is exposed to the internet; it acts as an intermediary between the managed desktops and devices and the Desktop Central Server.

The Desktop Central Server communicates with APNs/GCM to wake the mobile device. All communications from the mobile device are routed through the forwarding server: when the device tries to contact the Desktop Central Server, the forwarding server receives the connection and redirects it to the Desktop Central Server. When an on-demand task is performed, computers within the LAN contact the Desktop Central Server directly using the FQDN. Computers outside the corporate network reach the forwarding server, which in turn routes all requests to the Desktop Central Server.

Configure NAT settings to locate the Desktop Central Server

To configure NAT Settings, follow the steps below:

  1. Select the MDM tab
  2. Click NAT Settings under Settings from the left pane.
  3. The details of the Desktop Central Server and the ports are pre-filled based on your current setup.
  4. Provide the public IP and the Ports of the forwarding server and Save

You have now successfully set up Desktop Central to manage desktops and devices.  To configure the forwarding server, follow the document mentioned below: Setting up the Desktop Central Forwarding Server.

Setting Up Forwarding Server

Setting up the forwarding server involves the following steps:

Configuring Forwarding Server

  1. Download the Forwarding Server from here https://www.manageengine.com/products/desktop-central/DCForwardingServer.exe

  2. Double click the exe to start the installation process

  3. Enter the Desktop Central Server Name, HTTP and HTTPS Port numbers and click Next

      DC Server Name : Specify the FQDN/DNS/IP address of the DC server

      DC HTTP Port : The port number that the forwarding server uses to contact the DC server (ex:8020)

      DC HTTPS Port : The port number that the mobile devices use to contact the DC server (ex:8383 - it is recommended to use the same port 8383(HTTPS) for Desktop Central Server in secured mode).

Desktop Central will automatically detect the ports used for on-demand operations and list them. You should ensure that these ports are not blocked in the firewall/anti-virus. The default ports used for on-demand operations are 8027 & 8443.

Installing the Certificates

  1. Perform the sequence of operations as listed below:
    1. If you are using Self Signed Certificate, follow the steps mentioned below: Copy the server.crt and server.key files located in Desktop Central Server under ManageEngine\DesktopCentral_Server\apache\conf directory to the ManageEngine\MEForwardingServer\nginx\conf directory in the computer where Forwarding Server is installed 
      or
    2. If you are using Third Party Certificate, follow the steps mentioned below:
      1. Third Party Server Certificate has to be renamed as server.crt

      2. Private key has to be renamed as server.key

      3. If you are using an intermediate certificate, modify the file name as intermediate.crt

      4. Copy the server.crt, server.key and the intermediate certificate and paste them in the location where the forwarding server has been installed - ManageEngine\MEForwardingServer\nginx\conf\

      5. Navigate to ManageEngine\MEForwardingServer\conf\websetting.conf and add the line: intermediate.certificate=intermediate.crt 

You have successfully copied the certificates. Click Install to complete the installation process.
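The following PowerShell check, run on the forwarding server once the files are in place, confirms that the copied certificate files are consistent and that the private key is not broadly accessible on this internet-facing host. It is an added example, not ManageEngine's own tooling; the install root and FQDN are assumed placeholders, the account names are the English Windows defaults, and the key-pairing test needs PowerShell 7.

```powershell
# Added example: validate the certificate files copied to the forwarding server.
param(
    [string]$InstallRoot = 'C:\Program Files\ManageEngine\MEForwardingServer',  # assumed install path
    [string]$Fqdn        = 'dc.example.com'                                     # placeholder FQDN
)
$conf   = Join-Path $InstallRoot 'nginx\conf'
$crt    = Join-Path $conf 'server.crt'
$key    = Join-Path $conf 'server.key'
$inter  = Join-Path $conf 'intermediate.crt'
$webset = Join-Path $InstallRoot 'conf\websetting.conf'
$x509   = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$issues = @()

foreach ($f in $crt, $key) { if (-not (Test-Path $f)) { $issues += "Missing file: $f" } }

if (Test-Path $crt) {
    $cert = $x509::new($crt)
    if ($cert.NotAfter -lt (Get-Date)) { $issues += "server.crt expired on $($cert.NotAfter)" }
    # DNS names PowerShell reads from the certificate; a wildcard covers one label only.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $match = $names | Where-Object {
        $_ -eq $Fqdn -or ($_.StartsWith('*.') -and $Fqdn.Split('.', 2)[1] -eq $_.Substring(2))
    }
    if (-not $match) { $issues += "server.crt does not cover $Fqdn (names: $($names -join ', '))" }
}

# An intermediate certificate only takes effect if websetting.conf references it.
if (Test-Path $inter) {
    $line = 'intermediate.certificate=intermediate.crt'
    if (-not (Test-Path $webset) -or -not (Select-String -Path $webset -SimpleMatch $line -Quiet)) {
        $issues += "websetting.conf lacks '$line'"
    }
}

if (Test-Path $key) {
    # The private key should not be accessible to broad groups.
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    foreach ($ace in (Get-Acl $key).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $ace.IdentityReference.Value) {
            $issues += "server.key grants access to $($ace.IdentityReference.Value)"
        }
    }
    # PowerShell 7 only: loading the pair fails when the key does not belong to the certificate.
    if ($PSVersionTable.PSVersion.Major -ge 7 -and (Test-Path $crt)) {
        try { [void]$x509::CreateFromPemFile($crt, $key) }
        catch { $issues += "server.key does not load with server.crt: $($_.Exception.Message)" }
    }
}
if ($issues) { $issues } else { 'Certificate files look consistent.' }
```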

 

Verifying the Forwarding Server

The Forwarding Server will start automatically. You can verify this by running services.msc on the same computer and checking that the ManageEngine Forwarding Server service has started. You have successfully configured the forwarding server.

 

Troubleshooting Tips

  1. Verify if the certificates are copied to the specified location appropriately

  2. Ensure that following Ports are not used by some other service/process
  3. Ensure that you use “Run As Administrator” and have necessary permissions to install the service.
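For the service and port checks above, this PowerShell snippet reports the forwarding server service state and which process holds each listening port. It is an added example, not part of the product; the ports are the example and default values mentioned on this page, and the service display-name pattern and the `nginx` process name are assumptions inferred from the nginx\conf directory.

```powershell
# Added example: run in an elevated PowerShell session on the forwarding server.
$ports    = 8383, 8027, 8443  # example/default ports from this page; adjust to your setup
$expected = 'nginx'           # assumption: the listener is the bundled nginx (see nginx\conf)

# Service state; the display-name pattern is an assumption, confirm the name in services.msc.
Get-Service -DisplayName '*Forwarding Server*' -ErrorAction SilentlyContinue |
    Format-Table DisplayName, Status, StartType -AutoSize

$report = foreach ($port in $ports) {
    # A port can be bound on IPv4 and IPv6 by the same process, so de-duplicate the owners.
    $owners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty OwningProcess -Unique
    if (-not $owners) {
        [pscustomobject]@{ Port = $port; Process = $null; Path = $null; Verdict = 'Nothing listening' }
        continue
    }
    foreach ($id in $owners) {
        $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $port
            Process = $proc.ProcessName
            Path    = $proc.Path
            Verdict = if ($proc.ProcessName -eq $expected) { 'OK' } else { 'Held by another process' }
        }
    }
}
$report | Format-Table -AutoSize
```

Run it before installation to spot a port conflict, and again afterwards to confirm that only the forwarding server is listening on those ports.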