As part of the MDM (Modern Device Management) implementation, it is important to understand the usage of internal and external references for your MDM server.

This article has some commonly ask questions about how to use internal and external FQDN references for a MDM server.

Main online documentation about MDM topic can be found here:

Modern Device Management (broadcom.com)

Setting up MDM for macOS (broadcom.com)

Setting up MDM for Windows (broadcom.com)

ITMS 8.7

These are some of the questions and responses (based on an MDM implementation for Windows computers):

1. What domain name should we use? Knowing that "Internal-Example.com" is the company's internal domain (the one we see internally) and "External-Example.com" is the alias we use for connections made outside the corporate network, for example devices connected to the Internet (CEM mode).
   
   Response:
   

   From our online documentation:
   Setting up MDM for Windows (broadcom.com)

   "MDM policies and actions initiated within the Symantec Management Console are first communicated to an MDM Server. The MDM Server then communicates the policy information and commands to devices. Information collected from devices is communicated back to the MDM Server, where it is aggregated, and then transmitted to the Notification Server."

   "You can install the MDM Server on a computer in either your organization’s demilitarized zone (DMZ), or on a computer behind the firewall. You then configure the MDM Server (if it is behind a firewall) to use the Internet Gateway to communicate with devices outside the firewall via Cloud Enabled Management."

   "An MDM Server installed on a computer in your organization’s DMZ must open port 443 to facilitate communication with devices and the Notification Server. For more information on configuring the MDM Server to communicate with devices via the Internet Gateway, see Using MDM Server with Internet Gateway."

   What we can say is that you can choose either but the external name should be the primary one if you are planning to use MDM as well when in CEM mode.

   
   
   
2. Does the name we choose for the server have to be visible over the Internet or will it use the alias that the computers that connect through the Gateway have?, which is CEMCloud.External-Example.com.
   
   
   Response:
   

   From our online documentation:
   Using MDM Server with Internet Gateway (broadcom.com)
   
   "If you are using Cloud Enabled Management to manage devices outside your organization’s firewall, install the MDM Server on a computer behind your organization’s firewall, and then configure the Internet Gateway to facilitate communication between devices and the MDM Server. When configuring the MDM Server, you must know the FQDN of the Internet Gateway."

   As you can read further in the mentioned link above, you will need to configure your Internet Gateway and add your MDM server to it under the "Servers" tab so the Internet Gateway can redirect the traffic accordingly.

   
   
   
3. Is the certificate public or can it be a certificate self-signed by our CA?
   
   Response:
   

   From our online documentation:
   Using MDM Server with Internet Gateway (broadcom.com)

   "You must configure the Internet Gateway to use a certificate issued by a trusted certificate authority to enable devices without the Symantec Management Agent to trust the Internet Gateway".

   So, it can be either way, it just needs to be valid and available to the endpoint devices and Internet Gateways.

4. Can we use the same Internet Gateway we have or do we have to use a dedicated one for MDM?
   
   Response:
   

   You can use the same Internet Gateway. Just remember that the current best practices refer to have at least 2 Internet Gateways in order to provide redundancy and load balancing.
   
   About Preparing the Internet Gateway Computer (broadcom.com)

   "Symantec recommends that you configure at least two Internet gateways to provide failover options, load balancing, and to maintain communication continuity. The Cloud-Enabled Agent can switch among multiple available gateways for load balancing and fail-over purposes. Load balancing is performed automatically by the Agent. All gateways are considered to be equal, and the agent determines the best route to the SMP Server. Automatic failover will also switch the endpoint to another Internet Gateway if the agent senses a failure in the connection to the current gateway the agent is connected to. Each Internet gateway can serve multiple Notification Servers."

   
   
   
5. Regarding the URL that must be associated with the MDM server, can it be a generic URL or does it have to be associated with the MDM server name? because in the documentation it is associated with the FQDN of the equipment.
   
   Response:
   

   It may be some other name like alias if MDM server is accessible by it, but in that case server certificate also should be issues to this alias name.
   
   It is also mentioned in documentation - https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/it-management-suite/ITMS/Administration/About-Modern-Device-Management/setting-up-mdm-for-windows/obtaining-and-importing-the-mdm-server-certificate-for-windows.html

   "You must obtain a certificate for the MDM Server from a trusted certificate authority (such as DigiCert), and then import it. The name of the certificate must be the same as the Fully Qualified Domain Name (FQDN) of the MDM Server, even if the MDM Server is configured to work via the Symantec Management Platform’s Internet Gateway. If you configured the MDM Server to use a custom external FQDN, issue the server certificate to the custom FQDN."

   
   
   
6. Also referring to the URL, if the MDM server is on the corporate network, this means that we will be able to see it through the Internet Gateway, so does that same URL of the MDM have to have an associated public IP address?
   
   Response:
   

   If MDM server works through an Internet Gateway, then public address is not needed. Outside endpoints should access Gateway, instead of MDM server directly.

   So in that case server certificate needs to be issued to internal FQDN of MDM server (We usually suppose that Internet Gateway should access it by internal FQDN), but URL needs to be corrected to public Gateway address so that outside endpoints may enroll using this URL.
   
   This is also mentioned in documentation - https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/it-management-suite/ITMS/Administration/About-Modern-Device-Management/setting-up-mdm-for-windows/setting-up-and-configuring-mdm-server-for-windows/using-mdm-server-with-internet-gateway.html

   "When using the MDM Server to communicate with devices via the Internet Gateway, configure the MDM Server to use the FQDN of the Internet Gateway for the URL, but the certificate of MDM Server.  If an MDM Server is configured to communicate through the Internet Gateway, all communication will go through the Internet Gateway. That means devices must be enrolled using the Internet Gateway URL. In such a case, it is not possible to enroll a device directly with the MDM Server, bypassing the Internet Gateway."