How to secure communications to MDM, using Secure Gateway?

Description

Because managed devices are mobile and always on the go, the MDM server must be exposed to external networks so that devices can reach it and remain under management. If you are concerned about the security implications of exposing the server, you can use Secure Gateway. As the name suggests, Secure Gateway adds a layer of security: all incoming communication is directed to the Secure Gateway instead of the MDM server, and the Secure Gateway, acting as an intermediary, routes it on to the MDM server. The MDM server is therefore never directly exposed to the Internet, shielding it from risks and threats. Secure Gateway also ensures that users cannot reach the MDM server's web console through the FQDN or IP address of the machine running Secure Gateway. A demo video of about 3 minutes walks through the Secure Gateway configuration.

MDM Secure Gateway Architecture

Pre-requisites

Ensure port #9383 is open and accessible on the machine running the Secure Gateway.

Steps

Modify MDM server settings

  • On the MDM server, click the Admin tab in the top menu and select NAT Settings, listed under Setting up MDMP.
  • Provide the IP address/FQDN of the machine where the Secure Gateway is to be installed. It is recommended that you provide the FQDN.

Install and configure Secure Gateway

  • Download and install Secure Gateway on a machine.
  • Specify the following details in the Setting up the Secure Gateway window, which opens after the installation completes.
    • Server Name: Specify the FQDN/DNS/IP address of the MDM server
    • HTTP Port: Specify the port number that the Secure Gateway uses to contact the MDM server. Generally, port #9020 is used.
    • HTTPS Port: Specify the port number used by mobile devices to contact the MDM server. Generally, port #9383 is used.

Copy the certificates

If you are using self-signed certificates,

  • Navigate to ManageEngine\MDMServer\apache\conf in the machine running MDM server and copy server.crt and server.key files.
  • On the machine running the Secure Gateway, navigate to ManageEngine\ME_Secure_Gateway_Server\nginx\conf and paste the copied files.

If you are using third-party certificates,

  • Rename the third-party certificate as server.crt and the private key as server.key; if you are using an intermediate certificate, rename it as intermediate.crt. Copy the renamed files.
  • On the machine running the Secure Gateway, navigate to ManageEngine\ME_Secure_Gateway_Server\nginx\conf and paste the copied files.
  • Navigate to ManageEngine\ME_Secure_Gateway_Server\conf and open the file websettings.conf.
  • Add the line intermediate.certificate=intermediate.crt to the file and save it.

Follow the on-screen instructions to complete the installation.

Verifying Secure Gateway installation

To verify that the Secure Gateway is installed and running, open services.msc and ensure that the ManageEngine Secure Gateway service is running.
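The checks above, as an added PowerShell script that is not part of this article or of ManageEngine's tooling: it confirms the service state, the copied certificate files, the intermediate.crt line in websettings.conf, the port 9383 listener, and that the certificate actually served on 9383 is the copied server.crt. The install root under C:\ManageEngine, the service display name and the gateway FQDN are assumptions to adjust for your environment.

```powershell
# Added example (not ManageEngine's own tooling): post-install checks for the MDM Secure Gateway.
# Assumed and adjustable: install root, service display name, gateway FQDN placeholder.
param(
    [string]$GatewayRoot = 'C:\ManageEngine\ME_Secure_Gateway_Server',  # assumed install path
    [string]$ServiceName = 'ManageEngine Secure Gateway',              # display name as in the article
    [string]$GatewayFqdn = 'gateway.example.com',                       # placeholder, use your gateway FQDN
    [int]$HttpsPort = 9383
)
$confDir     = Join-Path $GatewayRoot 'nginx\conf'
$webSettings = Join-Path $GatewayRoot 'conf\websettings.conf'
$results     = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail })
}

# 1. Service state: the same check as opening services.msc
$svc = Get-Service -DisplayName $ServiceName -ErrorAction SilentlyContinue
Add-Result 'Service running' ($null -ne $svc -and $svc.Status -eq 'Running') $(if ($svc) { "$($svc.Status)" } else { 'service not found' })

# 2. server.crt and server.key copied into nginx\conf
foreach ($f in 'server.crt', 'server.key') {
    Add-Result "File $f present" (Test-Path (Join-Path $confDir $f)) (Join-Path $confDir $f)
}

# 3. Third-party setups: intermediate.crt and the websettings.conf line must both exist or both be absent
$pattern = '^\s*intermediate\.certificate\s*=\s*intermediate\.crt\s*$'
$hasLine = (Test-Path $webSettings) -and [bool](Select-String -Path $webSettings -Pattern $pattern -Quiet)
$hasFile = Test-Path (Join-Path $confDir 'intermediate.crt')
Add-Result 'Intermediate cert consistent' ($hasLine -eq $hasFile) "websettings line: $hasLine, intermediate.crt: $hasFile"

# 4. Port 9383 listening, and the certificate actually served equals the copied server.crt
$listening = [bool](Get-NetTCPConnection -LocalPort $HttpsPort -State Listen -ErrorAction SilentlyContinue)
Add-Result "Port $HttpsPort listening" $listening "local listener on TCP $HttpsPort"
try {
    $expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $confDir 'server.crt')
    $tcp = New-Object System.Net.Sockets.TcpClient($GatewayFqdn, $HttpsPort)
    # Chain validation is skipped here on purpose: this check only compares thumbprints
    $noCheck = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
    $ssl.AuthenticateAsClient($GatewayFqdn)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    Add-Result 'Served cert matches server.crt' ($served.Thumbprint -eq $expected.Thumbprint) "served $($served.Thumbprint), expected $($expected.Thumbprint)"
    $ssl.Dispose(); $tcp.Dispose()
} catch {
    Add-Result 'Served cert matches server.crt' $false $_.Exception.Message
}
$results | Format-Table -AutoSize
if ($results.Ok -contains $false) { exit 1 }
```

Run it on the Secure Gateway machine itself (the listener check is local); a thumbprint mismatch on the last line usually means the service was not restarted after the certificate files were replaced.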

Troubleshooting tips

1. If there are issues with communication to or from the Secure Gateway, ensure that the machine on which Secure Gateway is installed is running and that network connectivity allows it to contact the MDM server.

2. Check if the Secure Gateway is running on the machine, as explained above.

3. If you are using third-party certificates, ensure the certificates have been correctly copied as explained above.

If you still face the issue, contact MDM Support (mdm-support@manageengine.com).