MaaS360 Mobile Enterprise Gateway


MaaS360 Mobile Enterprise Gateway Administrator Guide


Copyright © 2014 Fiberlink Communications Corporation. All rights reserved.

Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Fiberlink Communications Corporation.

All brands and their products are trademarks or registered trademarks of their respective holders and should be noted as such.

Fiberlink Communications Corporation

1787 Sentry Parkway West

Blue Bell, PA 19422

January 2014

Version 4

020


Table of Contents

Introduction
High Level Architecture: Relay Access Mode
System Requirements: Relay Access Mode
  MaaS360 Mobile Enterprise Gateway
MaaS360 Mobile Enterprise Gateway Onboarding in RELAY access mode
  Step 1: Download and install the gateway
  Step 2: Configure the gateway
  Step 3: Run the gateway as a service account
  Step 4: Configure intranet sites for gateway access
  Step 5: Configure allowed number of devices per user
  Step 6: Configure MaaS360 policies
  Step 7: Download the secure browser and authenticate against the gateway
High Level Architecture: Direct Access Mode
System Requirements: DIRECT Access mode
  MaaS360 Mobile Enterprise Gateway
MaaS360 Mobile Enterprise Gateway Onboarding in DIRECT Access mode
  Step 1: Download and install the gateway
  Step 2: Configure the gateway
  Step 3: Run the gateway as a service account
  Step 4: Configure Direct Access Mode
  Step 5: Configure SSL Certificates for Direct Access Mode
  Step 6: Configure intranet sites for gateway access
  Step 7: Configure allowed number of devices per user
  Step 8: Configure MaaS360 policies
  Step 9: Download the secure browser and authenticate against the gateway
MaaS360 Mobile Enterprise Gateway in High Availability (HA) Configuration
  Architecture
  System Requirements for High Availability (HA) Configuration
  MaaS360 Mobile Enterprise Gateway Onboarding in HA mode
    Step 1: Install on a server
    Step 2: Create the MaaS360 Mobile Enterprise Gateway database
    Step 3: Get the Database URI and test your database connection using the Windows ODBC Data Source Admin utility
    Step 4: Install the first MaaS360 Mobile Enterprise Gateway (DO NOT REGISTER)
    Step 5: Configure the MaaS360 Gateway INI file
    Step 6: Register your Gateway
    Step 7: Add new Gateways to the Cluster
    Step 8: Set up your Load Balancer to distribute load amongst active gateways (DIRECT Mode only)
  Recommendations for HA configuration changes
Support & Troubleshooting
  Frequently Asked Questions (FAQs)
Appendix A: Gateway authentication against LDAP


Introduction

MaaS360 Mobile Enterprise Gateway provides simple, secure mobile access to behind-the-firewall information resources with no changes to your network or firewall security configuration. It provides mobile connectivity without requiring any inbound TCP/IP connections from services or devices outside your LAN. Our robust, secure communications technology, called MaaS360 Mobile Enterprise Gateway Link, is more efficient and more tolerant of sometimes-spotty wireless networks than traditional approaches.

By eliminating the need to expose a mobile applications server to the public Internet, the MaaS360 Mobile Enterprise Gateway solution does not leave your network vulnerable to probes and attacks. Since it does not require the use of a VPN, you don’t have to worry about rogue apps on devices gaining access to your LAN, or the usability and management headaches associated with VPN use on mobile devices.

Supporting a great experience for the mobile user, our technology provides the usability benefits of a native mobile application without the need to develop and deploy code across multiple mobile platforms. Instead, new features and functions can be added simply by making changes at the gateway. Unlike browser-based applications, where device caching and browser history can lead to dangerous security leaks, MaaS360 Mobile Enterprise Gateway technology ensures that confidential business data is never stored on devices in an unencrypted format, and that a user’s ability to transfer that information elsewhere can be limited by administrative policy. MaaS360 Mobile Enterprise Gateway technology ensures that corporate data can only be viewed on authorized mobile devices and that the communication between the enterprise gateway and the mobile devices is fully encrypted. MaaS360 Mobile Enterprise Gateway’s link services are only able to direct traffic between the devices and the gateway; they are not able to read the encrypted traffic.

With MaaS360, you don’t have to impose limits on what users can install, although you can easily block or enable individual devices. That’s important, as executives and employees expect to use their smartphones to access sensitive organizational data as well as their own personal applications. It’s also helpful if you need to expose selected applications and assets to partners, contractors, or other 3rd parties for whom more general access to the organization’s network is undesirable.

MaaS360 Mobile Enterprise Gateway provides simple, secure mobile access to behind-the-firewall information resources. MaaS360 Mobile Enterprise Gateway operates in two modes:

a) Relay Access Mode: This is the default mode, in which the gateway establishes an outbound connection to the MaaS360 relay server. The devices talk only to the relay server and never directly to the gateway.

b) Direct Access Mode: In this second mode of operation the devices talk directly to the MaaS360 Mobile Enterprise Gateway for resource access and completely bypass the MaaS360 hosted relay servers.

This document focuses on the following topics:

Section 1: Relay Access Mode architecture, requirements and installation steps.

Section 2: Direct Access Mode architecture, requirements and installation steps.

Section 3: High Availability Configuration of MaaS360 Mobile Enterprise Gateway (applies to both Relay and Direct modes)

PS: If you plan to implement the MaaS360 Mobile Enterprise Gateway in High Availability (HA) mode, please skip Sections 1 and 2 and directly refer to Section 3.


High Level Architecture: Relay Access Mode

Here’s an architecture diagram of MaaS360 Mobile Enterprise Gateway implementation:

- Client:
  o The MaaS360 app and MaaS360 Secure Browser app are installed on mobile devices.
  o The apps are available via iTunes or Google Play, and can be pushed using the MaaS360 App distribution workflows.
  o The MaaS360 App and MaaS360 Secure Browser connect to the relay services via HTTPS and post requests or pick up responses.
  o Even though the connections are HTTPS, the payloads themselves are also encrypted with AES 256-bit encryption end-to-end, and remain encrypted even on the device.
  o The mobile device itself is never on the organization’s network, nor do the MaaS360 app / MaaS360 Secure Browser ever directly see the network. This preserves network security and isolation.

- Gateway:
  o Server software that runs on a machine or VM on your organization’s internal network.
  o The gateway establishes outbound connections to the Gateway Relay services in the cloud, processes any outstanding requests from mobiles and then posts the resulting payloads to the relay services. All payloads are encrypted end-to-end with AES 256-bit encryption. The key is shared only with the device.
  o This assures that no direct network connection happens from anywhere outside the firewall, preserving firewall integrity.

- Cloud Link Services:
  o Provisioning server: Gateway activation happens against this server. The devices / apps contact the provisioning server to get the address of the relay server to use for the respective gateway.
  o Relay Server: Web services in the cloud that facilitate communications between the clients and your gateway. The Link service will not be able to read the encrypted communication between the clients and the gateway.


System Requirements: Relay Access Mode

MAAS360 MOBILE ENTERPRISE GATEWAY

MaaS360 Mobile Enterprise Gateway provides the point of control for mobile access to business resources. Before beginning the installation, make sure the following requirements are met (Item / Meets Requirement checklist):

- Physical or Virtual Machine with Windows Server 2012, 2008 R2, 2008, or 2003 as an installation target for the MaaS360 Mobile Enterprise Gateway. The MaaS360 Mobile Enterprise Gateway can run on 64-bit servers but still requires x86 support for some components.

- A service account that MaaS360 Mobile Enterprise Gateway can run as:
  o Member of the Domain Users group on your Active Directory
  o Member of the local Administrators group on the server

- .NET Framework 3.5 or higher is required.

- Memory: at least 2 GB of RAM is recommended.

- Disk drives: MaaS360 Mobile Enterprise Gateway takes less than 15 MB of disk space.

- Processor: Dual Core

- Access to the following URLs from the Mobile Enterprise Gateway machine:
  o Port 443 outbound, used by the gateway to communicate with the MaaS360 Mobile Enterprise Relay Service over SSL. There is no inbound port used for the relay. Additional support for port 443 is available to enable Internet communication through a proxy server.
  o Hostname: *.gw.m1.maas360.com

- The gateway Control Panel can be accessed via http://localhost:1456 on the gateway server.

- The gateway Control Panel can be accessed using the latest versions of IE, Chrome, Safari, and Firefox browsers.

- Supported clients:
  o iOS 5.0 and higher
  o Android 3.1 or later (carrier versions)


MaaS360 Mobile Enterprise Gateway Onboarding in RELAY access mode

STEP 1: DOWNLOAD AND INSTALL THE GATEWAY

1. Log in to MaaS360 and browse to the Services page (Setup >> Services on the UI).
2. Under the Secure Browser section, you should see that the MaaS360 Corporate Intranet feature has been enabled.
   Note: if this has not been enabled, please contact your Fiberlink representative.
3. Download the MaaS360 Mobile Enterprise Gateway software from the download link from Step 1.
4. Complete the installation process as shown below:


STEP 2: CONFIGURE THE GATEWAY

1. Once the installation completes, a web page is launched that lets you activate and configure the MaaS360 Mobile Enterprise Gateway. Start with the Click here to manage the gateway link.

2. This launches the MaaS360 Mobile Enterprise Gateway’s Control Panel.
   a. Enter your username, email address, company name and a password for Control Panel access.
   b. Click Continue.

MaaS360 Mobile Enterprise Gateway contacts the MaaS360 Gateway Provisioning Server to activate your gateway, as shown above.


3. Once the Enterprise Gateway is activated, you will receive an activation code at your registered email address from [email protected]
   Note: Please whitelist this address so that your mail server will deliver this code.

4. Enter the following information to activate the Mobile Enterprise Gateway:
   a. Enter the Activation Code from the email.
   b. Enter the Gateway Title. This is free-form text that gives a display name for your gateway.
   c. Select the closest Relay Service based on your region (US/EU Instance).
   d. Select the Access to current intranet applications option and click Continue.

This will complete the activation.


5. Once the gateway is activated, the 6-digit MaaS360 Gateway instant access code will appear on your screen. Note: Please write down this code. It will be needed for policy configuration in the MaaS360 portal at a later step.


STEP 3: RUN THE GATEWAY AS A SERVICE ACCOUNT

PS: You can skip this step if you are using LDAP in your environment and not Microsoft Active Directory. Please refer to the LDAP Configuration section in Appendix A to set up your gateway to integrate with LDAP.

Configuring the gateway to run as a Service Account is required for two reasons:

1. Authenticating users against your Active Directory server before intranet access
2. Single Sign-On (SSO) for intranet sites that use NTLM authentication

Steps to configure the service account are detailed below:

1. Open the Services Console on the server (Start >> Run >> services.msc).
2. Locate the service MaaS360 Mobile Enterprise Gateway.
3. Stop the service.
4. Right-click on the service, select Properties and then select the Log On tab.
5. Enter a Service Account username and password and click Apply. The Service Account username must be a Domain user in Active Directory, and it must be part of the Local Admin group on the server where the installation is.


6. On the General tab, select Start and make sure the service is running.


STEP 4: CONFIGURE INTRANET SITES FOR GATEWAY ACCESS

The MaaS360 Mobile Enterprise Gateway provides an Intranet Tunneling service that acts as an intermediary for requests from clients seeking resources from other intranet sites or services.

The MaaS360 Secure Browser client connects to the MaaS360 Mobile Enterprise Gateway requesting a connection to another resource available from a different server. The MaaS360 Mobile Enterprise Gateway evaluates the request according to its policy rules. If the request is validated by the policy, the MaaS360 Mobile Enterprise Gateway connects to the relevant server and requests the resource on behalf of the client.

Follow the steps below to configure intranet sites that can be accessed via MaaS360 Secure Browser:

1. Log in to MaaS360 Mobile Enterprise Gateway’s Control Panel (http://localhost:1456).
2. Enter your username and password (from the Gateway Activation page) to log in to the console.
3. Select the Policies menu and go to Hosts to which the gateway may provide proxy access.


4. Add the hostnames of the sites that need to be allowed through MaaS360 Secure Browser to this field. Click on Save policy settings once the list is complete.

This is the Proxy Access List. It accepts comma-separated values of hostnames that must be allowed. Wildcard characters like * and ? are also supported. Here are some examples:

Use Case                                          | Proxy Access List
--------------------------------------------------|----------------------------------------------------------------
Allow individual intranet sites                   | site01.mydomain.com, site02.mydomain.com, site03.mydomain.com
Allow any site with a particular sub-domain       | *.mysubdomain.mydomain.com
Selective sites from certain domains              | *.mysubdomain01.mydomain.com, site02.mysubdomain02.mydomain.com
Allow any intranet site to be accessed (this      | *.mydomain.com
will cause your email, OWA and SSL sites to be    |
proxied through the gateway)                      |

If you need to modify or delete hostnames from your Proxy Access List, the changes must be made in the Hosts to which the gateway may provide proxy access field and saved. The next time the MaaS360 Secure Browser connects to the gateway (either when the user authenticates or the next time the user tries to connect to the intranet site), the updated Proxy Access List gets pushed to the connecting mobile devices.

STEP 5: CONFIGURE ALLOWED NUMBER OF DEVICES PER USER

MaaS360 Mobile Enterprise Gateway provides the administrator the ability to limit the number of devices that can be used by one user to access intranet sites using the MaaS360 Secure Browser. The default can be set to 1 device, x devices or any number of devices. This setting can be overridden for specific users as well.


In order to configure this setting, select the Users tab and choose one of the following settings:

STEP 6: CONFIGURE MAAS360 POLICIES

You will need to configure the MaaS360 Secure Browser or Persona policies to integrate with the installed MaaS360 Mobile Enterprise Gateway to enable access to published intranet sites via the MaaS360 Secure Browser.

1. Log on to the MaaS360 portal: https://portal.fiberlink.com
2. Browse to Security >> Policies
3. Select a Secure Browser or Persona policy
4. Click Edit
5. Select Enterprise Gateway Settings


6. Enter the Gateway access code (6-digit number) you obtained during gateway activation.
7. The username and domain fields are pre-populated for each user to authenticate against the gateway. This information is available from the enrollment request.
8. There is an option to cache credentials locally in the app. If it is selected, the user is not prompted again for authentication each time the device accesses an intranet site. We recommend that it be selected for a better end user experience.
9. Save and publish the policy.

STEP 7: DOWNLOAD THE SECURE BROWSER AND AUTHENTICATE AGAINST THE GATEWAY

1. Download and install the MaaS360 Secure Browser on the device, either from iTunes, Google Play or the App Catalog.
   Note: It is recommended that you distribute the iOS and Android Secure Browser to enrolled devices via MaaS360 so the user can install the apps from the MaaS360 App Catalog.
2. Ensure that the version of the App is 1.10 or higher (e.g. Settings >> Browser >> Version on iOS devices, and Settings >> Apps >> Browser >> Version on Android devices).
3. Open the browser app and you will be prompted to authenticate.


4. The username and domain should be auto-populated based on the AD credentials you used during the enrollment process. Enter your password to initiate authentication.
5. Once authenticated, the browser will load as usual. Accessing an internal site will now load the page in the MaaS360 Secure Browser.


High Level Architecture: Direct Access Mode

Here’s an architecture diagram of MaaS360 Mobile Enterprise Gateway implementation in DIRECT Access Mode:

- Client:
  o MaaS360 Secure Browser app and MaaS360 MDM App (integrated with the client SDK for Gateway access).
  o The apps are available via iTunes or Google Play, and can be pushed using the MaaS360 App distribution workflows.
  o The apps directly connect to the gateway DIRECT URLs via HTTPS and post requests or pick up responses. All communication is over SSL (needs to be set up).
  o Even though the connections are HTTPS, the payloads themselves are also encrypted with AES 256-bit encryption, and remain encrypted even on the device.
  o The apps never talk to the Relay Servers for intermediation.
  o The apps only talk to the provisioning server for Direct URL lookup during authentication.

- Gateway:
  o Server software that runs on a machine or VM on your organization’s internal network or DMZ.
  o Authenticates users against AD / LDAP.
  o The gateway listens for inbound connections from Mobile Devices, processes any outstanding requests from mobiles and then posts the resulting payloads to the devices.
  o This assures that no data flows through the Relay Services.
  o The gateway also establishes outbound SSL connections to the provisioning server to communicate any changes to the Direct URL configuration and to perform daily license pings.

- Cloud Link Services:
  o Provisioning Server hosts the mapping of the Gateway and its DIRECT URL.
  o Gateway provides its DIRECT URL during setup.
  o Devices can contact the provisioning server to look up the DIRECT URL, but this URL is directly fed to the devices through MaaS360 policies. The devices never contact the provisioning server in this model.


System Requirements: DIRECT Access mode

MAAS360 MOBILE ENTERPRISE GATEWAY

MaaS360 Mobile Enterprise Gateway provides the point of control for mobile access to business resources. Before beginning the installation, make sure the following requirements are met (Item / Meets Requirement checklist):

- Physical or Virtual Machine with Windows Server 2012, 2008 R2, 2008, or 2003 as an installation target for the MaaS360 Mobile Enterprise Gateway. The MaaS360 Mobile Enterprise Gateway can run on 64-bit servers but still requires x86 support for some components.

- A service account that MaaS360 Mobile Enterprise Gateway can run as:
  o Member of the Domain Users group on your Active Directory
  o Member of the local Administrators group on the server
  This requirement can be skipped if you are using LDAP.

- .NET Framework 3.5 or higher is required.

- Memory: at least 2 GB of RAM is recommended.

- Disk drives: 500 MB free disk space.

- Processor: Dual Core

- Access to the following URLs from the Mobile Enterprise Gateway machine:
  o Port 443 outbound, used by the gateway to communicate with the MaaS360 Mobile Enterprise Provisioning Service over SSL.
  o Hostname: provision.gw.m1.maas360.com

- Hostname for DIRECT Access URL:
  o Should be accessible externally.

- Inbound Port for DIRECT Access URL:
  o Gateway listens for inbound requests on the DIRECT Access URL (above) and the configured port.

- SSL Certificate:
  o For devices to SSL into the DIRECT Access URL, you will need a certificate for the host and its private key.

- Additional support for port 443 is available to enable Internet communication through a proxy server.

- The gateway Control Panel can be accessed via http://localhost:1456 on the gateway server. It can be made to use https using the above SSL certificates.

- The gateway Control Panel can be accessed using the latest versions of IE, Chrome, Safari, and Firefox browsers.

- Supported clients:
  o iOS 5.0 and higher
  o Android 3.1 or later (carrier versions)


MaaS360 Mobile Enterprise Gateway Onboarding in DIRECT Access mode

STEP 1: DOWNLOAD AND INSTALL THE GATEWAY

1. Log in to MaaS360 and browse to the Services page (Setup >> Services screen).
2. Under the Secure Browser section, you should see that the Intranet Access feature has been enabled.
   Note: if this has not been enabled, please contact your Fiberlink representative.
3. Download the MaaS360 Mobile Enterprise Gateway software from the download link from Step 1.
4. Complete the installation process as shown below:


STEP 2: CONFIGURE THE GATEWAY

1. Once the installation completes, a web page is launched that lets you activate and configure the MaaS360 Mobile Enterprise Gateway. Start with the Click here to manage the gateway link.

2. This launches the MaaS360 Mobile Enterprise Gateway’s Control Panel.
   a. Enter your username, email address, company name and a password for Control Panel access.
   b. Click Continue.

MaaS360 Mobile Enterprise Gateway contacts the MaaS360 Gateway Provisioning Server to activate your gateway, as shown above.


3. Once the Enterprise Gateway is activated, you will receive an activation code at your registered email address from [email protected]
   Note: Please whitelist this address so that your mail server will deliver this code.

4. Enter the following information to activate the Mobile Enterprise Gateway:
   a. Enter the Activation Code from the email.
   b. Enter the Gateway Title. This is free-form text that gives a display name for your gateway.
   c. Select the closest Relay Service based on your region (US/EU Instance).
   d. Select the Access to current intranet applications option and click Continue.

This will complete the activation.


5. Once the gateway is activated, the 6-digit MaaS360 Gateway instant access code will appear on your screen. Note: Please write down this code. It will be needed for policy configuration in the MaaS360 portal at a later step.


STEP 3: RUN THE GATEWAY AS A SERVICE ACCOUNT

PS: You can skip this step if you are using LDAP in your environment and not Microsoft Active Directory. Please refer to the LDAP Configuration section in Appendix A to set up your gateway to integrate with LDAP.

Configuring the gateway to run as a Service Account is required for two reasons:

1. Authenticating users against your Active Directory server before intranet access
2. Single Sign-On (SSO) for intranet sites that use NTLM authentication

Steps to configure the service account are detailed below:

1. Open the Services Console on the server (Start >> Run >> services.msc).
2. Locate the service MaaS360 Mobile Enterprise Gateway.
3. Stop the service.
4. Right-click on the service, select Properties and then select the Log On tab.
5. Enter a Service Account username and password and click Apply. The Service Account username must be a Domain user in Active Directory, and it must be part of the Local Admin group on the server where the installation is.


6. On the General tab, select Start and make sure the service is running.


STEP 4: CONFIGURE DIRECT ACCESS MODE

MaaS360 Mobile Enterprise Gateway installs in RELAY mode by default. This step switches MaaS360 Mobile Enterprise Gateway to operate in DIRECT mode.

1. Log in to MaaS360 Mobile Enterprise Gateway’s Control Panel (http://localhost:1456).
2. Go to the Network tab.
3. Uncheck “MaaS360 Relay Option” on the left (see screenshot below).
4. Check “MaaS360 Direct Option” on the right (see screenshot below).
5. Type in the Direct Access URL’s hostname and port in the fields highlighted. The gateway will listen for all inbound connections from Mobile devices on this hostname and port. This hostname and port should be externally accessible (either DMZ installation or Network Address Translation).

The assumption here is that the DNS entry for the DIRECT access hostname has already been created as per the requirements. If load balancers are being used, the DIRECT access hostnames should be resolvable from the load balancer to the gateways.

STEP 5: CONFIGURE SSL CERTIFICATES FOR DIRECT ACCESS MODE

When MaaS360 Mobile Enterprise Gateway is enabled for Direct Access Mode, the devices directly connect to the gateway over port 80 (non-secured HTTP traffic) by default. In order to enable SSL, you will need the following:

- SSL certificate for the Direct URL hostname (.cer). This should be in PEM format.
- SSL Certificate private key (.key). This must be an unencrypted private key.

Once you have obtained both, here are the steps to enable the gateway to use SSL Certificates:

1. Rename the SSL certificate to maas360gateway-ssl.cer
2. Rename the private key to maas360gateway-ssl.key


3. Copy these two files in C:\ProgramData\MaaS360\MaaS360 Mobile Enterprise Gateway folder 4. Restart the MaaS360 Mobile Enterprise Gateway service

Alternately, you can configure MaaS360 Mobile Enterprise Gateway to point to the SSL certificate and private key at any location.

1. Stop the MaaS360 Mobile Enterprise Gateway service
2. Open maas360gateway.ini in a text editor
3. Add the following lines to the INI file:
   a. portal_ssl_certificate='C:\certs\gateway\cert.cer' (path to your SSL certificate)
   b. portal_ssl_private_key='C:\certs\gateway\key.key' (path to your SSL certificate's private key)
4. Start the service
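Before copying the files into place it is worth checking that the certificate really is PEM and that the key really is unencrypted, because either mistake only shows up later as a service that will not start. The Python script below is an added example, not part of the MaaS360 gateway or of this guide: it checks PEM framing and key encryption with the standard library only, can confirm that a real certificate and key belong together via ssl.SSLContext.load_cert_chain, and emits the two INI lines from the alternate procedure above. The PEM blobs it embeds are constructed dummies (valid framing around a few DER bytes), not real credentials, and the single-quoted INI value syntax is taken from the example above.

```python
import base64
import re
import ssl
from typing import List, Tuple

# Added example (not MaaS360 code). Stdlib only; the PEM samples at the bottom are
# constructed dummies with valid framing around a few DER bytes, not real credentials.

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def _pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, body) for every PEM block in text."""
    return _PEM_BLOCK.findall(text)


def _decode_body(body: str) -> bytes:
    # Drop "Proc-Type:"/"DEK-Info:" style header lines and whitespace before decoding.
    b64 = "".join(line.strip() for line in body.splitlines() if ":" not in line)
    return base64.b64decode(b64, validate=True)


def check_certificate(pem_text: str) -> List[str]:
    """Problems with a .cer file destined for portal_ssl_certificate (empty list = OK)."""
    problems: List[str] = []
    certs = [body for label, body in _pem_blocks(pem_text) if label == "CERTIFICATE"]
    if not certs:
        return ["no PEM CERTIFICATE block found (binary DER .cer must be converted to PEM)"]
    for body in certs:
        try:
            der = _decode_body(body)
        except ValueError:
            problems.append("certificate body is not valid base64")
            continue
        if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
            problems.append("certificate body does not decode to a DER SEQUENCE")
    return problems


def check_private_key(pem_text: str) -> List[str]:
    """Problems with a .key file destined for portal_ssl_private_key (empty list = OK)."""
    for label, body in _pem_blocks(pem_text):
        if label == "ENCRYPTED PRIVATE KEY":
            return ["key is an encrypted PKCS#8 key; the gateway needs an unencrypted key"]
        if label in _KEY_LABELS:
            if "Proc-Type: 4,ENCRYPTED" in body:
                return ["key is passphrase-protected (Proc-Type: 4,ENCRYPTED); remove the passphrase"]
            try:
                der = _decode_body(body)
            except ValueError:
                return ["private key body is not valid base64"]
            return [] if der and der[0] == 0x30 else ["key body does not decode to a DER SEQUENCE"]
    return ["no PEM private key block found (is this the certificate instead of the key?)"]


def cert_and_key_match(cert_path: str, key_path: str) -> Tuple[bool, str]:
    """Load a real pair the way a TLS server would; catches certificate/key mismatches.

    Call this only after check_private_key() passed: load_cert_chain() would prompt
    interactively for the passphrase of an encrypted key.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_path, key_path)
    except ssl.SSLError as exc:
        return False, f"load_cert_chain failed: {exc.reason or exc}"
    return True, "certificate and private key load together"


def ini_lines(cert_path: str, key_path: str) -> List[str]:
    """The two maas360gateway.ini lines from the alternate procedure above."""
    return [f"portal_ssl_certificate='{cert_path}'", f"portal_ssl_private_key='{key_path}'"]


def _sample_pem(label: str, der: bytes, headers: str = "") -> str:
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}-----END {label}-----\n"


# Constructed samples: a minimal DER SEQUENCE stands in for real certificate/key bodies.
SAMPLE_CERT = _sample_pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")
SAMPLE_KEY_OK = _sample_pem("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x00")
SAMPLE_KEY_ENCRYPTED = _sample_pem(
    "RSA PRIVATE KEY", b"\x00" * 16,
    headers="Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n",
)
SAMPLE_KEY_PKCS8_ENCRYPTED = _sample_pem("ENCRYPTED PRIVATE KEY", b"\x30\x03\x02\x01\x00")

if __name__ == "__main__":
    print("cert:", check_certificate(SAMPLE_CERT) or "OK")
    print("key:", check_private_key(SAMPLE_KEY_OK) or "OK")
    print("encrypted key:", check_private_key(SAMPLE_KEY_ENCRYPTED))
    print("\n".join(ini_lines(r"C:\certs\gateway\cert.cer", r"C:\certs\gateway\key.key")))
```

Run check_certificate() and check_private_key() on the files you intend to install, then cert_and_key_match() on the real pair; only when all three pass is it worth restarting the service.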

STEP 6: CONFIGURE INTRANET SITES FOR GATEWAY ACCESS

The MaaS360 Mobile Enterprise Gateway provides an Intranet Tunneling service that acts as an intermediary for requests from clients seeking resources from other intranet sites or services.

The MaaS360 Secure Browser client connects to the MaaS360 Mobile Enterprise Gateway and requests a connection to a resource on another server. The gateway evaluates the request against its policy rules; if the request passes policy, the gateway connects to the relevant server and fetches the resource on behalf of the client.

Follow the steps below to configure intranet sites that can be accessed via MaaS360 Secure Browser:

1. Log in to MaaS360 Mobile Enterprise Gateway's Control Panel (http://localhost:1456).
2. Enter your username and password (from the Gateway Activation page) to log in to the console.
3. Select the Policies menu and go to "Hosts to which the gateway may provide proxy access".


4. Add the hostnames of the sites that need to be allowed through MaaS360 Secure Browser to this field. Click "Save policy settings" once the list is complete.

This is the Proxy Access List. It accepts comma-separated hostnames that must be allowed. Wildcard characters * and ? are also supported. Here are some examples:

Use Case                                           | Proxy Access List
---------------------------------------------------|------------------------------------------------------------------
Allow individual intranet sites                    | site01.mydomain.com, site02.mydomain.com, site03.mydomain.com
Allow any site in a particular sub-domain          | *.mysubdomain.mydomain.com
Selected sites from certain domains                | *.mysubdomain01.mydomain.com, site02.mysubdomain02.mydomain.com
Allow any intranet site to be accessed (this will  | *.mydomain.com
also cause your email, OWA and SSL sites to be     |
proxied through the gateway)                       |

If you need to modify or delete hostnames from your Proxy Access List, make the changes in the "Hosts to which the gateway may provide proxy access" field and save. The next time the MaaS360 Secure Browser connects to the gateway, either when the user authenticates or the next time the user tries to reach an intranet site, the updated Proxy Access List is pushed to the connecting mobile devices.
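To see how entries in this list behave, and to catch an over-broad entry before it is saved, here is an added Python example; it is not gateway code, and the gateway's exact matching rules are not documented on this page. It assumes glob semantics for the two wildcards (* matches any run of characters including dots, ? matches exactly one character), that a pattern must match the whole hostname, and that comparison is case-insensitive. The entries come from the table above; the probe hostnames and the list of "sensitive" hosts are constructed.

```python
import re
from typing import Iterable, List

# Added example, not MaaS360 code. Assumed semantics: "*" matches any run of characters
# (dots included), "?" matches exactly one, a pattern must match the whole hostname,
# and comparison is case-insensitive with any trailing dot ignored.


def _normalise(host: str) -> str:
    return host.strip().lower().rstrip(".")


def parse_access_list(value: str) -> List[str]:
    """Split the comma-separated 'Hosts to which the gateway may provide proxy access' value."""
    return [_normalise(h) for h in value.split(",") if h.strip()]


def _compile(pattern: str) -> "re.Pattern[str]":
    # Escape every regex metacharacter first, then re-introduce the two wildcards.
    # Anchors stop "site01.mydomain.com" from matching "site01.mydomain.com.attacker.example".
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(r"\A" + regex + r"\Z", re.IGNORECASE)


def matching_entries(host: str, access_list: Iterable[str]) -> List[str]:
    """Every list entry that admits host (useful when debugging why a site is reachable)."""
    host = _normalise(host)
    return [p for p in access_list if _compile(p).match(host)]


def is_allowed(host: str, access_list: Iterable[str]) -> bool:
    """Gateway-side decision: the device's copy of the list is only a hint, enforce here."""
    return bool(matching_entries(host, access_list))


def overbroad_entries(access_list: Iterable[str], sensitive_hosts: Iterable[str]) -> List[str]:
    """Entries that would also expose hosts you did not mean to publish (OWA, mail, ...)."""
    sensitive = [_normalise(h) for h in sensitive_hosts]
    return [p for p in access_list if any(_compile(p).match(h) for h in sensitive)]


# Constructed inputs: the guide's example entries plus hostnames to probe them with.
EXAMPLE_LIST = parse_access_list(
    "site01.mydomain.com, *.mysubdomain.mydomain.com, site02.mysubdomain02.mydomain.com"
)
SENSITIVE = ["owa.mydomain.com", "mail.mydomain.com", "autodiscover.mydomain.com"]

if __name__ == "__main__":
    for host in ["site01.mydomain.com", "APP.mysubdomain.mydomain.com",
                 "owa.mydomain.com", "site01.mydomain.com.attacker.example"]:
        print(f"{host:45s} allowed={is_allowed(host, EXAMPLE_LIST)}")
    print("over-broad:", overbroad_entries(EXAMPLE_LIST + ["*.mydomain.com"], SENSITIVE))
```

overbroad_entries() is the check to run before saving a list that contains a domain-wide wildcard: feed it the hostnames of your mail, OWA and other sensitive services and it names the entries that would expose them.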


STEP 7: CONFIGURE ALLOWED NUMBER OF DEVICES PER USER

MaaS360 Mobile Enterprise Gateway provides the administrator the ability to limit the number of devices that can be used by one user to access intranet sites using the MaaS360 Secure Browser. The default can be set to 1 device, x devices or any number of devices. This setting can be overridden for specific users as well.

In order to configure this setting, select the Users tab and choose one of the following settings:

STEP 8: CONFIGURE MAAS360 POLICIES

You will need to configure the MaaS360 Secure Browser or Persona policies to integrate with the installed MaaS360 Mobile Enterprise Gateway in order to enable access to published intranet sites via the MaaS360 Secure Browser.

1. Log on to the MaaS360 portal: https://portal.fiberlink.com
2. Browse to Security >> Policies.
3. Select a Secure Browser or Persona policy.
4. Click Edit.
5. Select Enterprise Gateway Settings.
6. In the Mobile Enterprise Gateway access code field, enter the direct access URL. With this setting, the browser and the MaaS360 app talk directly to the gateway and skip the direct URL address resolution on the provisioning server.
7. The username and domain fields are pre-populated for each user to authenticate against the gateway. This information comes from the enrollment request.
8. There is an option to cache credentials locally in the app. If it is selected, the user is not prompted for authentication each time the device accesses an intranet site. We recommend selecting it for a better end-user experience; note that the cached credentials then live on the device, so pair this with your device passcode and compliance policies.
9. Save and publish the policy.

STEP 9: DOWNLOAD THE SECURE BROWSER AND AUTHENTICATE AGAINST THE GATEWAY

1. Download and install the MaaS360 Secure Browser on the device, either from iTunes, Google Play or the App Catalog. Note: it is recommended that you distribute the iOS and Android Secure Browser to enrolled devices via MaaS360 so that users install the apps from the MaaS360 App Catalog.
2. Ensure that the version of the app is 1.10 or higher (Settings >> Browser >> Version on iOS devices, Settings >> Apps >> Browser >> Version on Android devices).
3. Open the browser app; you will be prompted to authenticate.
4. The username and domain should be auto-populated from the AD credentials you used during enrollment. Enter your password to initiate authentication.
5. Once authenticated, the browser loads as usual. Accessing an internal site now loads the page in the MaaS360 Secure Browser.

Page 35: MaaS360 Mobile Enterprise Gateway

35

MaaS360 > MaaS360 Mobile Enterprise Gateway

MaaS360 Mobile Enterprise Gateway in High Availability (HA) Configuration

ARCHITECTURE: (diagram)


MaaS360 Mobile Enterprise Gateway can be set up in High Availability (HA) mode for both RELAY and DIRECT access deployments. The gateways share a common database (MySQL or MS SQL) and serve requests from mobile devices.

In Direct Mode, the traffic from the devices needs to be load balanced across the gateways using a load balancer.

In Relay Mode, the gateways take turns picking up requests from the relay, so no separate load balancing is required.

SYSTEM REQUIREMENTS FOR HIGH AVAILABILITY (HA) CONFIGURATION

General Requirements: Depending on the gateway mode you are implementing, check the corresponding sections for requirements:

o Relay Mode requirements

o Direct Mode requirements

HA specific Requirements:

o MySQL 5.5+ or MSSQL 2008+

o Load balancing software to distribute incoming DIRECT http(s) requests

Note: Load balancer only required for MaaS360 Mobile Enterprise Gateway Direct Access mode.


MaaS360 Mobile Enterprise Gateway Onboarding in HA mode:

STEP 1: INSTALL ON A SERVER

MaaS360 Mobile Enterprise Gateway uses SQLite by default to store the gateway configuration. The SQLite DB file is kept in the MaaS360 Mobile Enterprise Gateway Data Directory. To run multiple gateways in High Availability (HA) mode, the configuration must be stored in a shared database; you can use either a MySQL or a MS SQL database server for this.

MySQL Server Installation: Install MySQL on a server and ensure that the database server is reachable by all gateways on your network (refer to the MySQL installation documentation).

MS SQL Server Installation: Install Microsoft SQL Server on a server and ensure that the database server is reachable by all gateways on your network (refer to the Microsoft SQL Server installation documentation).

STEP 2: CREATE THE MAAS360 MOBILE ENTERPRISE GATEWAY DATABASE

The database URI (dburi) is defined in the maas360gateway.ini file located in the MaaS360 Mobile Enterprise Gateway Data Directory. For the default configuration you should see a dburi definition similar to:

dburi = sqlite:///C:\ProgramData\MaaS360\MaaS360 Mobile Enterprise Gateway\maas360gateway.db

MaaS360 Mobile Enterprise Gateway in HA mode will have a dburi definition similar to:

dburi = mysql://user:password@hostname:port/dbname

or

dburi = mssql+pyodbc://user:password@hostname:port/dbname

To create a MaaS360 Mobile Enterprise Gateway in HA mode you must specify the SQL dburi when you register the gateway. This can only be done at registration time: an existing gateway configured to use the default SQLite database cannot be converted to an HA mode gateway. Note that the dburi embeds the database password in cleartext, so restrict access to the Data Directory to the gateway service account and administrators. To register/create a new gateway in HA mode, follow these steps.

MySQL: Create the Gateway database and grant required permissions. To create the database and user in MySQL, go to the MySQL prompt and type:

CREATE DATABASE maas360gatewaydb;

CREATE USER 'USERNAME'@'GATEWAY_HOST' IDENTIFIED BY 'PASSWORD';

GRANT ALL ON maas360gatewaydb.* TO 'USERNAME'@'GATEWAY_HOST';

USERNAME and PASSWORD should be replaced by your actual user and password for the database, and GATEWAY_HOST by the host (or host pattern) the gateways connect from, so that the account cannot be used from elsewhere. Keep the database name in lower case everywhere: on Linux MySQL servers, database names are case-sensitive, so creating maaS360gatewaydb and granting on maas360gatewaydb would target two different databases. The original single-statement form, GRANT ALL ON maas360gatewaydb.* TO USERNAME IDENTIFIED BY "PASSWORD";, works on MySQL 5.x but was removed in MySQL 8.0.


MS SQL: Create the Gateway database and grant required permissions. To create the database and user in MS SQL, use Microsoft SQL Server Management Studio:

Create a database called maas360gatewaydb.

Create a SQL Server login from the Security >> Logins >> New Login workflow. Select SQL Server authentication.

Give the login write access to maas360gatewaydb. Prefer mapping the login to maas360gatewaydb (User Mapping, db_owner) over a server-level role, so that the account is restricted to just the MaaS360 database.

STEP 3: GET THE DATABASE URI AND TEST YOUR DATABASE CONNECTION USING THE WINDOWS ODBC DATA SOURCE ADMIN UTILITY

Once the database has been created, you can set the dburi for your MaaS360 Mobile Enterprise Gateway to use MySQL or MSSQL.

Test the database connection before attempting to install the MaaS360 Mobile Enterprise Gateway. A good test is simply to use the Windows ODBC Data Source Admin utility; see the examples below:


MySQL: DBURI determination and DB connection test: You can use the MySQL ODBC Driver to verify the correct settings to use in the dburi for the MaaS360 Mobile Enterprise Gateway. Here is an example of the above settings tested from the MySQL ODBC Connector.

Click Test to confirm that the ODBC connector can connect to the database with the provided credentials. This test needs to be done on the server on which MaaS360 Mobile Enterprise Gateway is installed.

Using the above settings (user maas360gateway, port 3309, database maas360gatewaydb; substitute your own database host and password) the dburi would be:

dburi = mysql://maas360gateway:PASSWORD@DB_HOST:3309/maas360gatewaydb


MSSQL: DBURI determination and DB connection test:

Launch the Microsoft ODBC admin tool and add a SQL Server Native Client driver data source.

Add a name, description and the hostname.

Enter the credentials for the login you created in the previous section under SQL Server authentication.

Choose the default settings on the next screen and proceed to Test. On successful tests, you should see the following screens.

As per the above configuration, your dburi would be as follows (the original example used the built-in sa login; use the dedicated login you created instead):

dburi = mssql+pyodbc://LOGIN:PASSWORD@DB_HOST:1433/maas360gatewaydb
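The shape of the dburi matters: it is split at ':' and '@', so a password containing one of those characters (or '/') must be percent-encoded, otherwise the service fails to start with a database error. The Python below is an added example, not gateway code. It assumes the dburi follows SQLAlchemy URL rules (dialect://user:password@host:port/dbname, with percent-decoded credentials), which the mysql:// and mssql+pyodbc:// prefixes on this page suggest; the hostnames, passwords and INI excerpt are constructed placeholders. It builds a correctly escaped URI, rejects a malformed one, redacts the password for tickets and logs, and checks that the value read from maas360gateway.ini is not the default SQLite file.

```python
import re
from typing import Dict, Optional
from urllib.parse import quote_plus, unquote_plus

# Added example, not MaaS360 code. Assumes SQLAlchemy-style URLs, which the
# "mysql://" and "mssql+pyodbc://" prefixes in the guide suggest. Host names,
# passwords and the INI text below are constructed placeholders.

DIALECTS = {"mysql": "mysql", "mssql": "mssql+pyodbc"}

_URI_RE = re.compile(
    r"^(?P<dialect>[\w+]+)://"
    r"(?P<user>[^:/@]+):(?P<password>[^@/]*)@"   # an unescaped '@' here breaks the split
    r"(?P<host>[^:/@]+)(?::(?P<port>\d+))?"     # hostnames / IPv4 only, no [IPv6] form
    r"/(?P<db>[^/?#]+)$"
)


def build_dburi(kind: str, user: str, password: str, host: str, port: int, dbname: str) -> str:
    """Assemble a dburi, percent-encoding the credentials so reserved characters survive."""
    if kind not in DIALECTS:
        raise ValueError(f"unsupported database kind {kind!r}; use one of {sorted(DIALECTS)}")
    if not 0 < int(port) < 65536:
        raise ValueError(f"port out of range: {port}")
    return (f"{DIALECTS[kind]}://{quote_plus(user)}:{quote_plus(password)}"
            f"@{host}:{int(port)}/{dbname}")


def parse_dburi(uri: str) -> Dict[str, object]:
    """Strict parse of a dburi; raises ValueError on the mistakes that stop the service."""
    m = _URI_RE.match(uri.strip())
    if not m:
        raise ValueError("dburi is malformed: check for an unescaped '@', ':' or '/' "
                         "in the user name or password, or a missing /dbname")
    parts: Dict[str, object] = dict(m.groupdict())
    parts["user"] = unquote_plus(m["user"])
    parts["password"] = unquote_plus(m["password"])
    parts["port"] = int(m["port"]) if m["port"] else None
    return parts


def dburi_problem(uri: str) -> Optional[str]:
    """None if the URI parses, otherwise the reason it was rejected."""
    try:
        parse_dburi(uri)
    except ValueError as exc:
        return str(exc)
    return None


def mask_dburi(uri: str) -> str:
    """Redact the password before the URI goes into a ticket, log line or screenshot."""
    m = _URI_RE.match(uri)
    if not m:
        return uri  # cannot locate the password reliably; caller already knows it is malformed
    return uri[:m.start("password")] + "***" + uri[m.end("password"):]


def read_dburi(ini_text: str) -> Optional[str]:
    """Pull the dburi value out of maas360gateway.ini text (first match wins)."""
    for line in ini_text.splitlines():
        m = re.match(r"\s*dburi\s*=\s*(.+?)\s*$", line)
        if m:
            return m.group(1)
    return None


def is_ha_dburi(uri: str) -> bool:
    """HA mode needs a shared server, so the default sqlite:/// file URI does not qualify."""
    return not uri.lower().startswith("sqlite:")


# Constructed INI excerpt mirroring the default shown in STEP 2.
DEFAULT_INI = r"""
dburi = sqlite:///C:\ProgramData\MaaS360\MaaS360 Mobile Enterprise Gateway\maas360gateway.db
"""

if __name__ == "__main__":
    uri = build_dburi("mysql", "maas360gateway", "p@ss:w/rd",
                      "db01.corp.example", 3309, "maas360gatewaydb")
    print(mask_dburi(uri), "->", parse_dburi(uri)["password"])
    print("unescaped '@':", dburi_problem("mysql://u:p@ss@db01.corp.example:3309/maas360gatewaydb"))
    print("default INI is HA-capable:", is_ha_dburi(read_dburi(DEFAULT_INI) or ""))
```

Use mask_dburi() on anything you paste into a support case or screenshot; the garbled URIs in the original examples are a reminder that the password sits in this string in the clear.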


STEP 4 - INSTALL THE FIRST MAAS360 MOBILE ENTERPRISE GATEWAY (DO NOT REGISTER)

The MaaS360 Mobile Enterprise Gateway Setup Wizard will walk you through the installation process. Once the MaaS360 Mobile Enterprise Gateway software has been installed, you will need to register and activate your MaaS360 Mobile Enterprise Gateway prior to use. The following guide illustrates the installation and registration process.

Note: To install MaaS360 Mobile Enterprise Gateway in HA mode there are manual steps involved between the install and registration. DO NOT register your gateway before making the required changes to the maas360gateway.ini file.

To install as a service you must run the install as an administrator.

1. Download the MaaS360 Mobile Enterprise Gateway software from the download link provided by MaaS360.
2. Complete the installation process as shown below.

STOP before you register your Gateway!


If you register your MaaS360 Mobile Enterprise Gateway now, it will be registered as a stand-alone Gateway and cannot be converted to HA mode.

1. Close the registration window.
2. Stop the MaaS360 Mobile Enterprise Gateway service.

STEP 5: CONFIGURE THE MAAS360 GATEWAY INI FILE

Once the MaaS360 Mobile Enterprise Gateway service has been stopped, edit the maas360gateway.ini file to convert this install into an HA setup.

1. Go to C:\ProgramData\MaaS360\MaaS360 Mobile Enterprise Gateway
2. Open maas360gateway.ini in a text editor
3. Change the dburi to the URI from Step 3, depending on the type of database in use
4. Save the changes
5. Start the MaaS360 Mobile Enterprise Gateway service

If the service fails to start, it indicates the connection to the database failed. You can check the Windows Event Viewer for MaaS360 Mobile Enterprise Gateway Application Errors to verify the reason for the failure. Check your settings and verify the connection before trying to start the Gateway Service again.

Once the Gateway Service starts you can continue with the next steps.

STEP 6: REGISTER YOUR GATEWAY

Now register your gateway in either RELAY or DIRECT access mode by navigating to http://localhost:1456

To register your gateway in Relay Mode, follow steps 2-7 of the RELAY access mode onboarding section.

To register your gateway in Direct Mode, follow steps 2-9 of the DIRECT access mode onboarding section.

Important considerations for DIRECT Mode:

o Step 4: Configure DIRECT Access Mode. The hostname of the DIRECT URL should be the public address of your load balancer.

o Step 5: Configure SSL Certificates for Direct Access Mode. This step is optional: since a load balancer is involved and terminates SSL, configuring SSL on the gateways themselves is optional provided you have secured the communication between your load balancer and the gateways.

Please note: even if that channel is not secured, the packets themselves are still encrypted so that only the gateway can decrypt them. Even so, prefer to secure the load balancer to gateway segment as well (the gateway SSL configuration from Step 5 covers it), since an unencrypted hop exposes connection metadata to anyone on that network.


STEP 7: ADD NEW GATEWAYS TO THE CLUSTER

You are now ready to install multiple gateways in your environment in a clustered setup. You cannot install multiple gateways on the same single server. The new gateways will work in conjunction with the first gateway in HA mode.

Steps to add new gateways to the Cluster:

1. Install the new gateway as an administrator.
2. DO NOT REGISTER the gateway. If you register it, it will register in stand-alone mode and cannot be converted to HA mode.
3. Stop the MaaS360 Mobile Enterprise Gateway service.
4. Delete all files from the Data Directory of the gateway. The path is C:\ProgramData\MaaS360\MaaS360 Mobile Enterprise Gateway.
5. Copy the MaaS360 Mobile Enterprise Gateway Data Directory from the first gateway you installed in HA mode. This gateway will use the settings and configuration from your first HA gateway. The copied directory contains maas360gateway.ini with the database credentials, so transfer it over a secure channel and delete any intermediate copies.
6. Start the gateway service as a service account (the same one as the first gateway).

The new gateway now talks to the same shared database (MySQL or MS SQL) and operates in HA mode.

STEP 8: SETUP YOUR LOAD BALANCER TO DISTRIBUTE LOAD AMONGST ACTIVE GATEWAYS (DIRECT MODE ONLY)

If you have implemented your HA gateway configuration in DIRECT mode, the one last step is to setup your load balancer to distribute load across all active gateways. Please leverage expertise of your network administrator to set this up in your environment.

Also, ensure that SSL is enabled on your load balancer so that devices connect to your environment over SSL.

RECOMMENDATIONS FOR HA CONFIGURATION CHANGES

Since all the MaaS360 Mobile Enterprise Gateways share a single configuration database, you can manage the configuration from any active gateway.

However, it is recommended that you pick one of the gateways as the primary and manage the gateways configuration from that gateway. This is usually the first gateway you installed in the cluster.


Support & Troubleshooting

FREQUENTLY ASKED QUESTIONS (FAQS)

All my users are unable to access one intranet site through the Secure Browser. How can I fix this?

1. Log on to the server on which the gateway is installed, open a browser and try accessing the intranet site.
2. Try connecting the device to the corporate network, either Wi-Fi or VPN, and see if the site is accessible.
3. If neither (1) nor (2) works, the intranet site may be down.
4. Open the browser on the gateway, use developer tools and capture logs while loading the site in question.
5. Gather gateway logs (using the procedure below) and send them to MaaS360 for analysis.

None of my users are able to access ANY intranet sites through the Secure Browser. What should I do?

1. Log on to the server on which the gateway is installed, open the Services console and ensure that MaaS360 Mobile Enterprise Gateway service is running. If not, start the service.

2. With a test device, start the Secure Browser app, authenticate (if required) and confirm that you are able to access the intranet sites.

3. If it’s still not working, open the browser on the gateway and try accessing intranet sites that are published. Check to see if there have been any recent firewall/proxy changes in your internal network that might be blocking this access.

4. Gather gateway logs (using the procedure below) and send it to MaaS360 for analysis.

How can I collect gateway logs?

1. Replicate the issue in question using the Secure Browser and note the timestamp.
2. Log on to the server on which the gateway is installed.
3. Browse to the C:\ProgramData\MaaS360\MaaS360 Mobile Enterprise Gateway folder.
4. Copy gateway*.log, portal-access*.log and proxy-access*.log to a folder.
5. Zip the contents of the folder and send it to MaaS360 support ([email protected]) along with the timestamp when the issue was replicated. Please provide your account number with the logs.

How can I collect Secure Browser logs?

1. Replicate the issue in question using the Secure Browser and note the timestamp.
2. On iOS, go to Settings >> Browser and set Email Logs to ON, then open the browser. This launches your default email client with a new email and the logs as attachments.
3. On Android, open the MaaS360 app, then Settings >> Email Logs. The Secure Browser Settings menu also has an option to enable verbose logging, for assisted troubleshooting.

What should I do to get the latest proxy access list on my Secure Browser?

1. Minimize the app and bring it back to the foreground, or log out of the browser and re-authenticate. This causes the latest proxy list to be downloaded.
2. To log out of the iOS Secure Browser, go to Settings >> Browser >> Intranet Access Signout = ON.
3. To log out of the Android Secure Browser, open the Settings menu from the browser and go to Enterprise Gateway Settings to enter new credentials.

How can I check the version of the Secure Browser installed on my device?

1. On iOS, go to Settings >> Browser; the Version field indicates the version of the browser.
2. On Android, go to Settings >> Application Manager >> Browser to see the version.


Appendix A: Gateway authentication against LDAP.

If you run the MaaS360 Mobile Enterprise Gateway as a service account, the gateway automatically authenticates users against Active Directory.

If your environment has an LDAP directory rather than Microsoft Active Directory, there is no requirement to run the gateway as a service account. To integrate your gateway with LDAP for authentication, follow the steps below:

1) Log in to the gateway console and ensure that the gateway version on the About tab is 2.71 or higher.
2) Browse to the gateway's program files directory: C:\Program Files (x86)\MaaS360\MaaS360 Mobile Enterprise Gateway
3) Launch LDAP_Configurator.exe. The LDAP configuration UI will appear.
4) Enter the values:
   a. LDAP server name
   b. LDAP port
   c. Secure Authentication usage (enable it so that the bind credentials and users' passwords travel over LDAPS rather than cleartext LDAP)
   d. Bind user's Distinguished Name (use a dedicated read-only account)
   e. Bind user's password
   f. Search Attribute (uid, mail, etc.)
   g. User Object Class (person, dominoPerson, etc.)


   h. LDAP search base(s)
   i. Authentication timeout: value in minutes after which the gateway times out an authentication attempt.

5) Save the configuration. The Test Action will show up.

6) Test authentication. Enter in credentials to confirm that the LDAP integration works.

7) Restart the gateway to pick up the LDAP configuration.
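The fields in the LDAP configurator map onto the standard two-step flow: bind with the service account, search the base(s) for the user by the search attribute and object class, then bind again as the user's own DN with the password the user typed. The Python below is an added example, not the configurator's code or anything shipped with the gateway. It shows that flow together with two checks worth confirming in any LDAP integration: the login name must be escaped before it is placed in the search filter (RFC 4515), and an empty password must be rejected before the second bind, because many directories treat a bind with an empty password as a successful anonymous bind. The directory connection uses the third-party ldap3 library, imported lazily so the filter helpers run without it; hostnames, DNs and the sample configuration are constructed placeholders.

```python
from typing import Dict, Optional

# Added example, not MaaS360 code. The configuration keys mirror the fields in the
# LDAP_Configurator dialogue above; their values here are constructed placeholders.
# authenticate() needs the third-party ldap3 package (pip install ldap3); the
# filter helpers are pure Python.

SAMPLE_CONFIG: Dict[str, object] = {
    "server": "ldap.corp.example",                                # a. LDAP server name
    "port": 636,                                                  # b. LDAP port
    "use_ssl": True,                                              # c. Secure Authentication (LDAPS)
    "bind_dn": "cn=maas360-bind,ou=service,dc=corp,dc=example",   # d. bind DN (read-only account)
    "bind_password": "placeholder",                               # e. bind password
    "search_attribute": "uid",                                    # f. search attribute
    "user_object_class": "person",                                # g. user object class
    "search_bases": ["ou=people,dc=corp,dc=example"],             # h. search base(s)
    "timeout_minutes": 1,                                         # i. authentication timeout
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login like '*)(uid=*' cannot rewrite the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_user_filter(search_attribute: str, object_class: str, login: str) -> str:
    """(&(objectClass=<class>)(<attr>=<escaped login>)): the lookup the gateway performs."""
    return f"(&(objectClass={object_class})({search_attribute}={escape_filter_value(login)}))"


def authenticate(cfg: Dict[str, object], login: str, password: str) -> Optional[str]:
    """Return the user's DN on success, None on failure. Raises on directory errors."""
    import ldap3  # third-party; imported here so the helpers above work without it
    from ldap3.core.exceptions import LDAPBindError

    if not password:
        # An empty password is an unauthenticated (anonymous) bind on many servers and
        # "succeeds"; it must never count as a user authentication.
        return None

    timeout_s = int(cfg["timeout_minutes"]) * 60
    server = ldap3.Server(str(cfg["server"]), port=int(cfg["port"]),
                          use_ssl=bool(cfg["use_ssl"]), connect_timeout=timeout_s)

    # Step 1: bind as the service account and look the user up by the search attribute.
    svc = ldap3.Connection(server, user=str(cfg["bind_dn"]), password=str(cfg["bind_password"]),
                           auto_bind=True, receive_timeout=timeout_s)
    user_dn = None
    try:
        flt = build_user_filter(str(cfg["search_attribute"]), str(cfg["user_object_class"]), login)
        for base in cfg["search_bases"]:
            if svc.search(base, flt) and svc.entries:
                if len(svc.entries) > 1:
                    return None  # ambiguous login: refuse rather than guess
                user_dn = svc.entries[0].entry_dn
                break
    finally:
        svc.unbind()
    if user_dn is None:
        return None

    # Step 2: prove possession of the password by binding as the user's own DN.
    try:
        user_conn = ldap3.Connection(server, user=user_dn, password=password,
                                     auto_bind=True, receive_timeout=timeout_s)
    except LDAPBindError:
        return None
    user_conn.unbind()
    return user_dn


if __name__ == "__main__":
    print(build_user_filter("uid", "person", "jdoe"))
    print(build_user_filter("uid", "person", "*)(uid=*"))  # injection attempt, neutralised
```

The "Test authentication" action in step 6 exercises exactly this path; when it fails, check the bind DN and password first (step 1), then whether the search attribute and object class actually match how users are stored under the search base (the step 1 search returns nothing), before suspecting the user's password (step 2).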