<p>Information on the Mobile Security Gateway, and tips on what action to take when attempts to install the Mobile Security Gateway for use with&nbsp;Symantec Mobile Security 7.2 (SMS 7.2)&nbsp;have led to difficulty.&nbsp;</p> <p>&nbsp;</p>

<p><strong>About&nbsp;Mobile Security Gateway (MSG)</strong></p> <p>Android devices communicate with a Gateway server that is connected virtually&nbsp;to the Symantec Management Server. Gateway servers add a layer of protection against the&nbsp;mobile device applications that may attempt to circumvent standard network&nbsp;security. In addition to&nbsp;providing an added layer of security when managing Android&nbsp;devices, the Mobile Security Gateway also consolidates Android device network traffic.&nbsp;</p> <p>By default, the initial Mobile Security&nbsp;Gateway server&nbsp;is established during installation on the Symantec Management&nbsp;Platform (SMP) that hosts Symantec Mobile&nbsp;Security. &nbsp;Additional&nbsp;Mobile Security Gateways can be created, and existing gateways can be edited or deleted.&nbsp;</p> <p>Often times, these Mobile Security Gateway servers are located in a DMZ. &nbsp;Communications are facilitated between Android smartphones (and other Android devices) in the outside world and the Symantec Management Platform on the private, internal corporate network. &nbsp;When installing in a DMZ, two Network Interface Cards are required (one external, one internal) and care must be taken that the Symantec web sites (MobileSecurityDeployment and&nbsp;MobileSecurityGateway) are bound only to the external IP. &nbsp;</p> <p>The Android device typically receives a mail with a download link on the Mobile Security Gateway, for example &quot;http://[IP of MSG]/MobileSecurityDeployment/AndroidInstall.aspx&quot; &nbsp;This initial download occurs over port 80 but subsequent communications with the Gateway will occur over the SSL&nbsp;port 443. &nbsp;</p> <p>The Mobile Security Gateway will use the server's FDQN by default. &nbsp;This can be renamed if desired or the IP address used instead.</p> <div>Users can manage the Mobile Security Gateways they have setup, or add new ones, using the Mobile Security Gateway page under <strong>Home-&gt;Mobile Security-&gt;Settings-&gt;Mobile Security Gateway.</strong></div> <div>&nbsp;</div> <p><strong>Adding new Gateways</strong></p> <p>You can add new Gateway servers to increase the capacity of a Symantec Mobile&nbsp;Security installation, to improve network performance, and to assist the&nbsp;management of security profiles. &nbsp;</p> <p>Please note that Gateway servers have specific hardware&nbsp;and software requirements: not just any server will do. &nbsp;The Mobile Security Gateway servers must be Windows 2008 R2 and have Microsoft IIS 7.5 (IIS 6.0 compatibility) and the other server requirements as the SMP itself. &nbsp;Also, the servers that host a Gateway&nbsp;server must have the Symantec&nbsp;Management Agent (Altiris agent) installed (<a href="http://www.symantec.com/docs/HOWTO63072 ">this agent can be pushed out from the SMP</a>, if necessary). The Agent&nbsp;provides data and communication&nbsp;integration to the Symantec Management&nbsp;Platform.</p> <p>If the MSG is not immediately installed on the target server, open the&nbsp;Symantec&nbsp;Management Agent&nbsp;and check for new tasks. &nbsp;The agent should then find and complete the task to install MSG.&nbsp;&nbsp;</p> <p style="text-align: center; "><img src="https://api-broadcom-ca.wolkenservicedesk.com/es/attachments/get_attachment_content?uniqueFileId=625584439898" alt="View of the SMA on the server where MSG is being installed" width="700" height="491" align="middle" />&nbsp;</p> <p>&nbsp;</p> <p>Once installed, there will be a new MobileSecurityGateway site created and visible in IIS Manager. There should be no need to manually adjust permissions, authorizations, or other settings in IIS Manager.</p> <p style="text-align: center; "><img src="https://api-broadcom-ca.wolkenservicedesk.com/es/attachments/get_attachment_content?uniqueFileId=625584910260" alt="MobileSecurityGateway site in IIS" width="800" height="183" /></p> <p>Also note: this MobileSecurityGateway site is intended only for data traffic between the mobile agents and the management components. &nbsp;Attempts to open a browser and view the MSG site and a web page should result in a HTTP 403 &quot;Forbidden&quot; message. &nbsp;This is by design. &nbsp;Enrollment takes place by clicking on the Enroll button on the Android device, not by accessing a web page and manually completing a form.&nbsp;</p> <p>The console will display information on each MSG, including how many Android devices are configured by policy to use each:</p> <p style="text-align: center; "><img src="https://api-broadcom-ca.wolkenservicedesk.com/es/attachments/get_attachment_content?uniqueFileId=625584313024" width="600" height="179" align="middle" alt="" /></p> <p>&nbsp;</p> <p><strong>Editing Gateways&nbsp;</strong></p> <p>To edit the settings for the Gateway, on the management console, go to <strong>Home &gt;Mobile Security &gt; Settings &gt; Mobile Security Gateway.</strong> On the toolbar, click the&nbsp;<strong>Edit </strong>(pencil) icon.</p> <p>The default port is 443. The&nbsp;binding port is used to configure IIS when&nbsp;you install a new Gateway server. &nbsp;If the server that will be used for a Mobile Security Gateway already has an application that uses this port, it is important to change to a different port. &nbsp;</p> <p>&nbsp;</p> <p><strong>Upgrading Gateways</strong></p> <p>If Android clients are able to successfully communicate with the SMP, there is no compelling technical reason to upgrade any MSGs that are displaying an older Gateway Version number. &nbsp;If an administrator wishes to upgrade an older SMP regardless, a detailed procedure is available in the Connect article <a href="https://www-secure.symantec.com/connect/articles/upgrading-mobile-security-gateways-symantec-mobile-security-72">Upgrading Mobile Security Gateways for Symantec Mobile Security 7.2</a>.</p> <p>&nbsp;</p> <p><strong>Deleting Gateways&nbsp;</strong></p> <p>Before you can delete a Gateway, be aware&nbsp;of the following:</p> <ul> <li>All of the devices that are enrolled with&nbsp;the Gateway must be reassigned to use&nbsp;an alternate Gateway. To change the&nbsp;Gateway assignment for devices, you&nbsp;provide a new policy to specify the&nbsp;alternate Gateway.</li> <li>Before you can delete a Gateway, any policy that references the Gateway must&nbsp;be reconfigured to use a different&nbsp;Gateway.</li> </ul> <p>&nbsp;</p> <p><strong>Troubleshooting Mobile Security Gateways&nbsp;</strong></p> <p>If error messages are seen when the Android device attempts to download and install the SMS 7.2 package, there can be a number of causes. &nbsp; These tips should assist:</p> <ul> <li>Use the <strong>verify</strong> button in the SMP to ensure that the SMP can communicate with the MSG. &nbsp;(Note that Verify functions may encounter difficulty on servers which use non-standard time and date formats common in some countries. <a href="http://www.symantec.com/docs/TECH198622 ">This can be corrected with a quick configuration change</a>.)&nbsp;</li> <li>Review the Symantec Management Agent logs to identify failure code</li> <li>Review the IIS logs to determine the exact nature of the failure</li> <li>If enrollment fails and you receive an error the first time you attempt to enroll an Android&nbsp;device through the Mobile Security Gateway, attempt to enroll the device again.</li> </ul> <p>&nbsp;</p> <p><strong>Windows Mobile devices protected by SMS 7.2</strong></p> <p>Windows Mobile clients do not connect through the MSG. &nbsp;Windows Mobiles must connect directly to the SMP server.</p> <p>&nbsp;</p><br/><p>