Recommendations for Configuring a Healthy Mobile Security Gateway for Symantec Mobile Security 7.2

Article ID: 157155

Products

Mobile Security

Issue/Introduction

Information on the Mobile Security Gateway, and tips on what to do when installing the Mobile Security Gateway for use with Symantec Mobile Security 7.2 (SMS 7.2) has run into difficulty.

 

Resolution

About Mobile Security Gateway (MSG)

Android devices communicate with a Gateway server, which in turn communicates with the Symantec Management Server. Gateway servers add a layer of protection against mobile device applications that may attempt to circumvent standard network security. In addition to providing that added layer of security when managing Android devices, the Mobile Security Gateway also consolidates Android device network traffic.

By default, the initial Mobile Security Gateway server is established during installation on the Symantec Management Platform (SMP) that hosts Symantec Mobile Security.  Additional Mobile Security Gateways can be created, and existing gateways can be edited or deleted. 

These Mobile Security Gateway servers are often located in a DMZ, where they relay communications between Android smartphones (and other Android devices) on the outside and the Symantec Management Platform on the private, internal corporate network. A DMZ installation requires two Network Interface Cards (one external, one internal), and care must be taken that the Symantec web sites (MobileSecurityDeployment and MobileSecurityGateway) are bound only to the external IP, so that the Internet-facing listeners are not also exposed on the internal interface.
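The binding check described above can be scripted on the Gateway server itself. The following is an added example (not Symantec's code) that uses the WebAdministration module shipped with IIS 7.5 to list the bindings of both Symantec sites and flag anything that listens on the internal address or on all addresses. The two IP addresses are placeholders, and the example assumes both names are IIS sites as the article describes; if MobileSecurityDeployment is deployed as an application under another site, audit that parent site's bindings instead.

```powershell
# Added example (not Symantec's code): audit the IIS bindings of the two Gateway
# sites on a dual-NIC DMZ server. Requires the WebAdministration module that
# ships with IIS 7.5 on Windows Server 2008 R2.
Import-Module WebAdministration

# Placeholder addresses: replace with the external and internal NIC IPs of the MSG.
$ExternalIP = '203.0.113.10'
$InternalIP = '10.0.0.10'

function Test-MsgSiteBindings {
    param(
        [string[]]$SiteNames = @('MobileSecurityDeployment', 'MobileSecurityGateway'),
        [string]$External = $ExternalIP,
        [string]$Internal = $InternalIP
    )
    $findings = @()
    foreach ($name in $SiteNames) {
        $bindings = @(Get-WebBinding -Name $name)
        if ($bindings.Count -eq 0) {
            $findings += "$name : no IIS site with this name (if it is an application under another site, audit that site)"
            continue
        }
        foreach ($b in $bindings) {
            # bindingInformation is 'address:port:hostheader'. An address of '*'
            # means every local address, which exposes the site on the internal NIC too.
            $addr, $port, $hostHeader = $b.bindingInformation -split ':', 3
            if ($addr -eq '*') {
                $findings += "$name : $($b.protocol) on port $port is bound to all addresses"
            } elseif ($addr -eq $Internal) {
                $findings += "$name : $($b.protocol) on port $port is bound to the internal NIC $Internal"
            } elseif ($addr -ne $External) {
                $findings += "$name : $($b.protocol) on $addr`:$port is not the external IP $External"
            }
        }
    }
    return $findings
}

$findings = Test-MsgSiteBindings
if ($findings.Count -eq 0) {
    Write-Output 'OK: both Symantec sites are bound only to the external IP'
} else {
    $findings | ForEach-Object { Write-Output "FIX: $_" }
}
```

Run this in an elevated PowerShell session on the Gateway server after installation and again after any change to the bindings; a binding on `*` is the most common way the internal interface ends up exposed, because it is the default IIS offers when a site is created by hand.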

The Android device typically receives an e-mail containing a download link on the Mobile Security Gateway, for example "http://[IP of MSG]/MobileSecurityDeployment/AndroidInstall.aspx". This initial download occurs over port 80, but all subsequent communication with the Gateway occurs over the SSL port, 443.

The Mobile Security Gateway uses the server's FQDN by default. This can be changed to a different name if desired, or the IP address can be used instead; whichever value is chosen must be resolvable and reachable from the Android devices, since it is what they will connect to.

Users can manage the Mobile Security Gateways they have set up, or add new ones, using the Mobile Security Gateway page under Home->Mobile Security->Settings->Mobile Security Gateway.
 

Adding new Gateways

You can add new Gateway servers to increase the capacity of a Symantec Mobile Security installation, to improve network performance, and to assist the management of security profiles.  

Please note that Gateway servers have specific hardware and software requirements: not just any server will do. A Mobile Security Gateway server must run Windows Server 2008 R2 with Microsoft IIS 7.5 (including the IIS 6.0 compatibility components) and must meet the same server requirements as the SMP itself. Also, the server that hosts a Gateway must have the Symantec Management Agent (Altiris agent) installed (this agent can be pushed out from the SMP, if necessary). The Agent provides data and communication integration with the Symantec Management Platform.
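A pre-flight check for the requirements listed above, as an added example (not Symantec's code): it verifies the OS version, the IIS version, the IIS 6.0 compatibility role service, and that the Symantec Management Agent service is running. The service display name used for the agent is an assumption; adjust it if the agent registers under a different name in your environment.

```powershell
# Added example (not Symantec's code): pre-flight check for a candidate MSG host.
# Run in an elevated PowerShell session on the server that will host the Gateway.
function Test-MsgPrerequisites {
    $results = @{}

    # Windows Server 2008 R2 reports NT version 6.1; ProductType 1 would be a workstation.
    $os = Get-WmiObject Win32_OperatingSystem
    $results['Windows Server 2008 R2'] = ($os.Version -like '6.1.*' -and $os.ProductType -ne 1)

    # IIS records its version in the registry; the Gateway requires 7.5.
    $iis = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp' -ErrorAction SilentlyContinue
    $results['IIS 7.5 installed'] = ($iis -ne $null -and $iis.MajorVersion -eq 7 -and $iis.MinorVersion -eq 5)

    # The IIS 6 compatibility components are the Web-Mgmt-Compat role service of the Web Server role.
    Import-Module ServerManager -ErrorAction SilentlyContinue
    $compat = Get-WindowsFeature Web-Mgmt-Compat -ErrorAction SilentlyContinue
    $results['IIS 6.0 compatibility'] = ($compat -ne $null -and $compat.Installed)

    # The Symantec Management Agent (Altiris agent) must be installed and running.
    # The display name below is an assumption about how the service registers.
    $agent = Get-Service -DisplayName 'Symantec Management Agent' -ErrorAction SilentlyContinue
    $results['Symantec Management Agent running'] = ($agent -ne $null -and $agent.Status -eq 'Running')

    return $results
}

$checks = Test-MsgPrerequisites
foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    Write-Output ('{0,-5} {1}' -f $state, $name)
}
```

Any FAIL line should be resolved before creating the Gateway in the console; pushing the installation task to a host that fails the IIS checks leaves the task pending in the agent rather than producing a usable Gateway.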

If the MSG is not installed on the target server immediately, open the Symantec Management Agent on that server and check for new tasks. The agent should then find and complete the task that installs the MSG.

View of the SMA on the server where MSG is being installed 

 

Once installed, there will be a new MobileSecurityGateway site created and visible in IIS Manager. There should be no need to manually adjust permissions, authorizations, or other settings in IIS Manager.

MobileSecurityGateway site in IIS

Also note: the MobileSecurityGateway site is intended only for data traffic between the mobile agents and the management components. Opening the MSG site in a browser and requesting a web page should return an HTTP 403 "Forbidden" response. This is by design: enrollment takes place by tapping the Enroll button on the Android device, not by accessing a web page and manually completing a form.

The console will display information on each MSG, including how many Android devices are configured by policy to use each:

 

Editing Gateways 

To edit the settings for the Gateway, on the management console, go to Home >Mobile Security > Settings > Mobile Security Gateway. On the toolbar, click the Edit (pencil) icon.

The default port is 443. The binding port is the port that is configured in IIS when you install a new Gateway server. If the server that will host a Mobile Security Gateway already has an application listening on this port, change the binding port to a free one before installing; otherwise the new site's binding conflicts with the existing listener.
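To find out whether the intended binding port is already taken on the candidate server, and by which process, the following added example (not Symantec's code) parses `netstat -ano` output, which is available on Windows Server 2008 R2 without any additional modules. The default port and the interpretation of PID 4 are the only assumptions.

```powershell
# Added example (not Symantec's code): report existing TCP listeners on the
# port you intend to use as the Gateway binding port (443 by default).
function Get-PortListener {
    param([int]$Port = 443)
    $listeners = @()
    # netstat -ano lines look like:  TCP    0.0.0.0:443    0.0.0.0:0    LISTENING    1234
    foreach ($match in (netstat -ano -p tcp | Select-String 'LISTENING')) {
        $fields = $match.Line.Trim() -split '\s+'
        $local = $fields[1]
        $owningPid = [int]$fields[-1]
        # A listener on 0.0.0.0 (all addresses) conflicts with any IP; a specific
        # address conflicts only with a binding on that same address.
        if ($local -match (':' + $Port + '$')) {
            $proc = Get-Process -Id $owningPid -ErrorAction SilentlyContinue
            $procName = if ($proc) { $proc.ProcessName } else { '(unknown)' }
            # PID 4 is the System process: on Windows this means HTTP.sys holds the
            # port, i.e. an existing IIS site or other HTTP.sys application owns it.
            if ($owningPid -eq 4) { $procName = 'System (HTTP.sys, e.g. an existing IIS site)' }
            $listeners += New-Object PSObject -Property @{
                LocalAddress = $local
                ProcessId    = $owningPid
                ProcessName  = $procName
            }
        }
    }
    return $listeners
}

$inUse = @(Get-PortListener -Port 443)
if ($inUse.Count -eq 0) {
    Write-Output 'Port 443 is free on this server'
} else {
    Write-Output 'Port 443 is already in use; pick a different binding port or remove the conflicting listener:'
    $inUse | Format-Table LocalAddress, ProcessId, ProcessName -AutoSize
}
```

If the owner is HTTP.sys, `netsh http show servicestate` and the bindings of the existing IIS sites show which site holds the port; a conflicting IIS site bound to a different address than the Gateway's external IP does not necessarily block the Gateway, but the safest course is still to pick a port nothing else uses.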

 

Upgrading Gateways

If Android clients are able to communicate successfully with the SMP, there is no compelling technical reason to upgrade any MSGs that display an older Gateway Version number. If an administrator wishes to upgrade an older MSG regardless, a detailed procedure is available in the Connect article Upgrading Mobile Security Gateways for Symantec Mobile Security 7.2.

 

Deleting Gateways 

Before you can delete a Gateway, be aware of the following:

  • All of the devices that are enrolled with the Gateway must be reassigned to use an alternate Gateway. To change the Gateway assignment for devices, you provide a new policy to specify the alternate Gateway.
  • Before you can delete a Gateway, any policy that references the Gateway must be reconfigured to use a different Gateway.

 

Troubleshooting Mobile Security Gateways 

If error messages are seen when the Android device attempts to download and install the SMS 7.2 package, there can be a number of causes. These tips should help:

  • Use the Verify button in the SMP to ensure that the SMP can communicate with the MSG. (Note that the Verify function may encounter difficulty on servers that use non-standard time and date formats common in some countries. This can be corrected with a quick configuration change.)
  • Review the Symantec Management Agent logs to identify the failure code.
  • Review the IIS logs on the Gateway to determine the exact nature of the failure (the HTTP status and sub-status of the failed requests).
  • If enrollment fails with an error the first time you attempt to enroll an Android device through the Mobile Security Gateway, attempt to enroll the device again.
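Reviewing the IIS logs is quicker with a script that pulls out only the failed requests against the Symantec sites. The following added example (not Symantec's code) parses the W3C log format IIS 7.5 writes by default, using the `#Fields:` header to name the columns, and groups failures by status, sub-status and path. The log lines embedded in it are constructed for illustration, the request path `/MobileSecurityGateway/enroll` is a placeholder rather than a documented endpoint, and the sub-status hints are standard IIS meanings, not Gateway-specific documentation.

```powershell
# Added example (not Symantec's code): summarise failed requests in an IIS 7.5
# W3C log so an enrollment problem maps to a concrete status and sub-status.
# Constructed sample log (not from a real server); paths and clients are placeholders.
$SampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-04-02 10:15:01 203.0.113.10 GET /MobileSecurityDeployment/AndroidInstall.aspx - 80 - 198.51.100.7 Dalvik/1.6.0 200 0 0 120
2013-04-02 10:15:09 203.0.113.10 POST /MobileSecurityGateway/enroll - 80 - 198.51.100.7 Dalvik/1.6.0 403 4 5 3
2013-04-02 10:15:15 203.0.113.10 POST /MobileSecurityGateway/enroll - 443 - 198.51.100.7 Dalvik/1.6.0 200 0 0 210
2013-04-02 10:16:30 203.0.113.10 GET /MobileSecurityGateway/ - 443 - 192.0.2.44 Mozilla/5.0 403 14 0 2
2013-04-02 10:17:02 203.0.113.10 POST /MobileSecurityGateway/enroll - 443 - 198.51.100.9 Dalvik/1.6.0 500 19 5 8
'@

# Standard IIS sub-status meanings for the codes most often seen on a Gateway.
$StatusHints = @{
    '403.4'  = 'SSL required: the client used http:// where the site expects https://'
    '403.14' = 'Directory listing denied: a browser opened the site root (expected, by design)'
    '404.0'  = 'Path not found: check the site or application name in the URL'
    '500.19' = 'Invalid configuration data: check web.config and the installed IIS modules'
}

function Get-MsgLogFailures {
    param([string[]]$Lines)
    $fields = $null
    $rows = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {          # column names come from the header
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields -or $line.Trim() -eq '') { continue }
        $values = $line -split ' '              # W3C fields are space-separated, never quoted
        $row = @{}
        for ($i = 0; $i -lt $fields.Length; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-uri-stem'] -notlike '/MobileSecurity*') { continue }
        if ([int]$row['sc-status'] -lt 400) { continue }   # keep only failures
        $rows += $row
    }
    $rows | Group-Object { $_['sc-status'] + '.' + $_['sc-substatus'] + ' ' + $_['cs-uri-stem'] } |
        ForEach-Object {
            $status, $path = $_.Name -split ' ', 2
            New-Object PSObject -Property @{
                Status  = $status
                Path    = $path
                Count   = $_.Count
                Clients = ($_.Group | ForEach-Object { $_['c-ip'] } | Select-Object -Unique) -join ','
                Hint    = $StatusHints[$status]
            }
        }
}

Get-MsgLogFailures ($SampleLog -split "`n") | Format-Table Status, Count, Path, Clients, Hint -AutoSize
```

Against a real server, feed it the log of the MobileSecurityGateway site, for example `Get-MsgLogFailures (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC2\u_ex130402.log')` (the W3SVC folder number is the site's ID as shown by `Get-Website`; the path here is an assumed default). In the sample, the 403.4 entry is the case the article describes, a client that stayed on port 80 after the initial download, while the 403.14 entry is the expected result of someone opening the site in a browser and is not an enrollment failure.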

 

Windows Mobile devices protected by SMS 7.2

Windows Mobile clients do not connect through the MSG. Windows Mobile devices must connect directly to the SMP server.

 
