MaaS360 > MaaS360 Mobile Enterprise Gateway
MaaS360 Mobile Enterprise Gateway
Administrator Guide
Copyright © 2014 Fiberlink Communications Corporation. All rights reserved.
Information in this document is subject to change without notice. The software described in this document is
furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in
accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a
retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and
recording for any purpose other than the purchaser’s personal use without the written permission of Fiberlink
Communications Corporation.
All brands and their products are trademarks or registered trademarks of their respective holders and should be
noted as such.
Fiberlink Communications Corporation
1787 Sentry Parkway West
Blue Bell, PA 19422
January 2014
Version 4
020
Table of Contents
Introduction
High Level Architecture: Relay Access Mode
System Requirements: Relay Access Mode
    MaaS360 Mobile Enterprise Gateway
MaaS360 Mobile Enterprise Gateway Onboarding in RELAY access mode
    Step 1: Download and install the gateway
    Step 2: Configure the gateway
    Step 3: Run the gateway as a service account
    Step 4: Configure intranet sites for gateway access
    Step 5: Configure allowed number of devices per user
    Step 6: Configure MaaS360 policies
    Step 7: Download the secure browser and authenticate against the gateway
High Level Architecture: Direct Access Mode
System Requirements: DIRECT Access mode
    MaaS360 Mobile Enterprise Gateway
MaaS360 Mobile Enterprise Gateway Onboarding in DIRECT Access mode
    Step 1: Download and install the gateway
    Step 2: Configure the gateway
    Step 3: Run the gateway as a service account
    Step 4: Configure Direct Access Mode
    Step 5: Configure SSL Certificates for Direct Access Mode
    Step 6: Configure intranet sites for gateway access
    Step 7: Configure allowed number of devices per user
    Step 8: Configure MaaS360 policies
    Step 9: Download the secure browser and authenticate against the gateway
MaaS360 Mobile Enterprise Gateway in High Availability (HA) Configuration
    Architecture
    System Requirements for High Availability (HA) Configuration
MaaS360 Mobile Enterprise Gateway Onboarding in HA mode
    Step 1: Install on a server
    Step 2: Create the MaaS360 Mobile Enterprise Gateway database
    Step 3: Get the Database URI and Test your Database connection using Windows ODBC Data Source Admin utility
    Step 4: Install the First MaaS360 Mobile Enterprise Gateway (DO NOT REGISTER)
    Step 5: Configure the MaaS360 Gateway INI file
    Step 6: Register Your Gateway
    Step 7: Add new Gateways to the Cluster
    Step 8: Setup your Load Balancer to distribute load amongst active gateways (DIRECT Mode only)
    Recommendations for HA configuration changes
Support & Troubleshooting
    Frequently Asked Questions (FAQs)
Appendix A: Gateway authentication against LDAP
Introduction
MaaS360 Mobile Enterprise Gateway provides simple, secure mobile access to behind-the-firewall information
resources with no changes to your network or firewall security configuration. It provides mobile connectivity
without requiring any inbound TCP/IP connections from services or devices outside your LAN. Our robust, secure
communications technology, called MaaS360 Mobile Enterprise Gateway Link, is more efficient and more tolerant of
sometimes-spotty wireless networks than traditional approaches.
By eliminating the need to expose a mobile applications server to the public Internet, the MaaS360 Mobile
Enterprise Gateway solution does not leave your network vulnerable to probes and attacks. Since it does not require
the use of a VPN, you don’t have to worry about rogue apps on devices gaining access to your LAN, or the usability
and management headaches associated with VPN use on mobile devices.
Supporting a great experience for the mobile user, our technology provides the usability benefits of a native mobile
application without the need to develop and deploy code across multiple mobile platforms. Instead, new features
and functions can be added simply by making changes at the gateway. Unlike browser-based applications, where
device caching and browser history can lead to dangerous security leaks, MaaS360 Mobile Enterprise Gateway
technology ensures that confidential business data is never stored on devices in an unencrypted format, and that a
user’s ability to transfer that information elsewhere can be limited by administrative policy. MaaS360 Mobile
Enterprise Gateway technology ensures that corporate data can only be viewed on authorized mobile devices and
that the communication between the enterprise gateway and the mobile devices is fully encrypted. The MaaS360 Mobile
Enterprise Gateway's link services can only direct traffic between the devices and the gateway; they cannot read
the encrypted traffic.
With MaaS360, you don’t have to impose limits on what users can install, although you can easily block or enable
individual devices. That’s important, as executives and employees expect to use their smartphones to access
sensitive organizational data as well as their own personal applications. It’s also helpful if you need to expose
selected applications and assets to partners, contractors, or other 3rd parties for whom more general access to the
organization’s network is undesirable.
MaaS360 Mobile Enterprise Gateway provides simple, secure mobile access to behind-the-firewall information
resources. MaaS360 Mobile Enterprise Gateway operates in 2 modes:
a) Relay Access Mode: This is the default mode. The gateway establishes an outbound connection to the MaaS360
relay server, and the devices talk only to the relay server, never directly to the gateway.
b) Direct Access Mode: In this mode the devices talk directly to the MaaS360 Mobile Enterprise Gateway for
resource access and completely bypass the MaaS360 hosted relay servers.
This document focuses on the following topics:
- Section 1: Relay Access Mode architecture, requirements and installation steps.
- Section 2: Direct Access Mode architecture, requirements and installation steps.
- Section 3: High Availability Configuration of MaaS360 Mobile Enterprise Gateway (applies to both Relay and
Direct modes)
PS: If you plan to implement the MaaS360 Mobile Enterprise Gateway in High Availability (HA) mode,
please skip Sections 1 and 2 and directly refer to Section 3.
High Level Architecture: Relay Access Mode
The architecture diagram of the MaaS360 Mobile Enterprise Gateway implementation (figure not included in this
text) has three parts:
- Client:
o The MaaS360 app and MaaS360 Secure Browser app are installed on mobile devices.
o The apps are available via iTunes or Google Play, and can be pushed using the MaaS360 App distribution
workflows.
o The MaaS360 App and MaaS360 Secure Browser connect to the relay services via HTTPS and post
requests or pick up responses.
o Even though the connections are HTTPS, the payloads themselves are also encrypted with AES 256-bit
encryption end-to-end, and remain encrypted even on the device.
o The mobile device itself is never on the organization's network, nor do the MaaS360 app / MaaS360
Secure Browser ever directly see the network. This preserves network security and isolation.
- Gateway:
o Server software that runs on a machine or VM on your organization's internal network.
o The gateway establishes outbound connections to the Gateway Relay services in the cloud, processes any
outstanding requests from mobile devices, and then posts the resulting payloads to the relay services. All
payloads are encrypted end-to-end with AES 256-bit encryption. The key is shared only with the device.
o This assures that no direct network connection is made from anywhere outside the firewall, preserving
firewall integrity.
- Cloud Link Services:
o Provisioning server: Gateway activation happens against this server. The devices / apps contact the
provisioning server to get the address of the relay server to use for the respective gateway.
o Relay Server: Web services in the cloud that facilitate communications between the clients and your
gateway. The Link service cannot read the encrypted communication between the clients and the gateway.
System Requirements: Relay Access Mode
MAAS360 MOBILE ENTERPRISE GATEWAY
MaaS360 Mobile Enterprise Gateway provides the point of control for mobile access to business resources. Before
beginning the installation, make sure each of the following requirements is met:
- Installation target: a physical or virtual machine running Windows Server 2012, 2008 R2, 2008, or 2003.
  The MaaS360 Mobile Enterprise Gateway can run on 64-bit servers but still requires x86 support for some
  components.
- A service account that MaaS360 Mobile Enterprise Gateway can run as:
  o Member of the Domain Users group in your Active Directory
  o Member of the local Administrators group on the server
- .NET Framework 3.5 or higher.
- Memory: at least 2 GB of RAM is recommended.
- Disk: MaaS360 Mobile Enterprise Gateway takes less than 15 MB of disk space.
- Processor: dual core.
- Network access from the Mobile Enterprise Gateway machine:
  o Port 443 outbound, used by the gateway to communicate with the MaaS360 Mobile Enterprise Relay
    Service over SSL, to hostname *.gw.m1.maas360.com.
  o No inbound port is used for the relay.
  o The outbound port 443 traffic can also be sent through a proxy server.
- Gateway Control Panel:
  o Accessed via http://localhost:1456 on the gateway server.
  o Works with the latest versions of IE, Chrome, Safari, and Firefox.
- Supported clients:
  o iOS 5.0 and higher
  o Android 3.1 or later (carrier versions)
MaaS360 > MaaS360 Mobile Enterprise Gateway
MaaS360 Mobile Enterprise Gateway Onboarding in RELAY access mode
STEP 1: DOWNLOAD AND INSTALL THE GATEWAY
1. Log in to MaaS360 and browse to the Services page: (Setup >> Services on the UI)
2. Under Secure Browser section, you should see that the MaaS360 Corporate Intranet feature has been enabled.
Note: if this has not been enabled, please contact your Fiberlink representative.
3. Download the MaaS360 Mobile Enterprise Gateway software using the download link on the same Services page.
4. Complete the installation process as shown below:
STEP 2: CONFIGURE THE GATEWAY
1. Once the installation completes, a web page is launched that lets you activate and configure the MaaS360
Mobile Enterprise Gateway. Start with the Click here to manage the gateway link.
2. This launches the MaaS360 Mobile Enterprise Gateway’s Control Panel.
a. Enter your username, email address, company name and a password for Control Panel access.
b. Click Continue.
MaaS360 Mobile Enterprise Gateway contacts the MaaS360 Gateway Provisioning Server to activate your
gateway, as shown above.
3. Once the Enterprise Gateway is activated, you will receive an activation code to your registered email address
from MaaS360@fiberlink.com
Note: Please whitelist this address so that your mail server will deliver this code.
4. Enter the following information to activate the Mobile Enterprise Gateway:
a. Enter the Activation Code from the email.
b. Enter the Gateway Title. This is free-form text that gives a display name of your gateway.
c. Select the closest Relay Service based on your region (US/EU Instance).
d. Select Access to current intranet applications option and click Continue.
This will complete the activation.
5. Once the gateway is activated, the 6-digit MaaS360 Gateway instant access code will appear on your screen.
Note: Please write down this code. It will be needed for policy configuration in the MaaS360 portal at a later
step.
STEP 3: RUN THE GATEWAY AS A SERVICE ACCOUNT
PS: You can skip this step if you are using LDAP in your environment and not Microsoft Active Directory.
Please refer to the LDAP Configuration section in Appendix A to set up your gateway to integrate with LDAP.
Configuring the gateway to run as a Service Account is required for two reasons:
1. Authenticating users against your Active Directory server before granting intranet access
2. Single Sign-On (SSO) for intranet sites that use NTLM authentication
Steps to configure the service account are detailed below:
1. Open the Services Console on the server (Start >> Run >> services.msc)
2. Locate the service MaaS360 Mobile Enterprise Gateway
3. Stop the service
4. Right-click on the service and select Properties >> Select the Log On tab.
5. Enter a Service Account username and password and click Apply. The Service Account username must be a
Domain user in Active Directory, and it must be part of the Local Admin group on the server where the
installation is. Use a dedicated account for the gateway rather than a shared or personal administrator account.
6. On the General tab, select Start and make sure the service is running.
STEP 4: CONFIGURE INTRANET SITES FOR GATEWAY ACCESS
The MaaS360 Mobile Enterprise Gateway provides an Intranet Tunneling service that acts as an intermediary for
requests from clients seeking resources from other intranet sites or services.
The MaaS360 Secure Browser client connects to the MaaS360 Mobile Enterprise Gateway requesting a connection to
other resource available from a different server. The MaaS360 Mobile Enterprise Gateway evaluates the request
according to its policy rules. If the request is validated by the policy, the MaaS360 Mobile Enterprise Gateway
connects to the relevant server and requests the resource for the client.
Follow the steps below to configure intranet sites that can be accessed via MaaS360 Secure Browser:
1. Log in to MaaS360 Mobile Enterprise Gateway’s Control Panel (http://localhost:1456)
2. Enter your username and password (from the Gateway Activation page) to log in to the console.
3. Select Policies menu and go to Hosts to which the gateway may provide proxy access.
4. Add the hostnames of the sites that need to be allowed through MaaS360 Secure Browser to this field.
Click on Save policy settings once the list is complete.
This is the Proxy Access List. It accepts comma-separated hostnames that must be allowed. Wildcard
characters like * and ? are also supported. Here are some examples:
Use Case: Allow individual intranet sites
    Proxy Access List: site01.mydomain.com, site02.mydomain.com, site03.mydomain.com
Use Case: Allow any site with a particular sub-domain
    Proxy Access List: *.mysubdomain.mydomain.com
Use Case: Selective sites from certain domains
    Proxy Access List: *.mysubdomain01.mydomain.com, site02.mysubdomain02.mydomain.com
Use Case: Allow any intranet site to be accessed (this will cause your email, OWA, SSL sites to be proxied
through the gateway)
    Proxy Access List: *.mydomain.com
Keep the list as narrow as the use case allows: every host on it becomes reachable, through the gateway, from
any device whose user has authenticated.
If you need to modify or delete hostnames from your Proxy Access List, the changes must be made to the Hosts to
which the gateway may provide proxy access field and saved.
The next time the MaaS360 Secure Browser connects to the gateway, either when the user authenticates or the
next time the user tries to connect to the intranet site, the updated Proxy Access List gets pushed to the
connecting mobile devices.
STEP 5: CONFIGURE ALLOWED NUMBER OF DEVICES PER USER
MaaS360 Mobile Enterprise Gateway provides the administrator the ability to limit the number of devices that can
be used by one user to access intranet sites using the MaaS360 Secure Browser. The default can be set to 1 device, x
devices or any number of devices. This setting can be overridden for specific users as well.
In order to configure this setting, select the Users tab and choose one of the following settings:
STEP 6: CONFIGURE MAAS360 POLICIES
You will need to configure the MaaS360 Secure Browser or Persona policies to integrate with the installed MaaS360
Mobile Enterprise Gateway to enable access to published intranet sites via the MaaS360 Secure Browser.
1. Log on to MaaS360 portal: https://portal.fiberlink.com
2. Browse to Security >> Policies
3. Select a Secure Browser or Persona policy
4. Click Edit
5. Select Enterprise Gateway Settings
6. Enter the Gateway access code (6-digit number) you obtained during gateway activation.
7. The username and domain fields are pre-populated for each user to authenticate against the gateway. This
information is taken from the enrollment request.
8. There is an option to cache credentials locally in the app. If it is selected, the user is not prompted for
authentication each time the device accesses an intranet site. We recommend selecting it for a better end user
experience; note that a cached credential on a lost device stays usable until the device is blocked in MaaS360 or
the user's password is changed, so pair it with your device-loss procedure.
9. Save and publish the policy
STEP 7: DOWNLOAD THE SECURE BROWSER AND AUTHENTICATE AGAINST THE GATEWAY
1. Download and install the MaaS360 Secure Browser on the device—either from iTunes, Google Play or the App
Catalog
Note: It is recommended that you distribute the iOS and Android Secure Browser to enrolled devices via
MaaS360 so the user can install the apps from the MaaS360 App Catalog.
2. Ensure that the version of the App is 1.10 or higher (e.g.: Settings >> Browser >> Version on iOS devices &
Settings >> Apps >> Browser >> Version on Android devices)
3. Open the browser app and you will be prompted to authenticate
4. The username and domain should be auto populated based on the AD credentials you used during the
enrollment process. Enter your password to initiate authentication
5. Once authenticated, the browser will load as usual. Now accessing an internal site will load the page on the
MaaS360 Secure Browser
High Level Architecture: Direct Access Mode
The architecture diagram of the MaaS360 Mobile Enterprise Gateway implementation in DIRECT Access Mode (figure
not included in this text) has three parts:
- Client:
o MaaS360 Secure Browser app and MaaS360 MDM App (integrated with the client SDK for Gateway access)
o The apps are available via iTunes or Google Play, and can be pushed using the MaaS360 App distribution
workflows.
o The apps connect directly to the gateway's DIRECT URLs via HTTPS and post requests or pick up
responses. All communication is over SSL (which needs to be set up; see Step 5 below).
o Even though the connections are HTTPS, the payloads themselves are also encrypted with AES 256-bit
encryption, and remain encrypted even on the device.
o The apps never talk to the Relay Servers for intermediation.
o The apps talk to the provisioning server only for Direct URL lookup during authentication.
- Gateway:
o Server software that runs on a machine or VM on your organization's internal network or DMZ.
o Authenticates users against AD / LDAP.
o The gateway listens for inbound connections from mobile devices, processes any outstanding requests
from them, and then posts the resulting payloads back to the devices.
o This assures that no data flows through the Relay Services.
o The gateway also establishes outbound SSL connections to the provisioning server to communicate any
changes to the Direct URL configuration and to perform daily license pings.
- Cloud Link Services:
o The Provisioning Server hosts the mapping of the Gateway to its DIRECT URL.
o The Gateway provides its DIRECT URL during setup.
o Devices can contact the provisioning server to look up the DIRECT URL, but when the URL is fed to the
devices through MaaS360 policies instead, the devices do not contact the provisioning server.
System Requirements: DIRECT Access mode
MAAS360 MOBILE ENTERPRISE GATEWAY
MaaS360 Mobile Enterprise Gateway provides the point of control for mobile access to business resources. Before
beginning the installation, make sure each of the following requirements is met:
- Installation target: a physical or virtual machine running Windows Server 2012, 2008 R2, 2008, or 2003.
  The MaaS360 Mobile Enterprise Gateway can run on 64-bit servers but still requires x86 support for some
  components.
- A service account that MaaS360 Mobile Enterprise Gateway can run as (this requirement can be skipped if you
  are using LDAP):
  o Member of the Domain Users group in your Active Directory
  o Member of the local Administrators group on the server
- .NET Framework 3.5 or higher.
- Memory: at least 2 GB of RAM is recommended.
- Disk: 500 MB free disk space.
- Processor: dual core.
- Network access from the Mobile Enterprise Gateway machine:
  o Port 443 outbound, used by the gateway to communicate with the MaaS360 Mobile Enterprise Provisioning
    Service over SSL, to hostname provision.gw.m1.maas360.com.
  o The outbound port 443 traffic can also be sent through a proxy server.
- Hostname for the DIRECT Access URL: must be resolvable and accessible externally.
- Inbound port for the DIRECT Access URL: the gateway listens for inbound requests on the DIRECT Access URL
  hostname (above) and the configured port; this is the only port that needs to be reachable from the Internet.
- SSL certificate: for devices to use SSL to the DIRECT Access URL, you need a certificate for the hostname and
  its private key.
- Gateway Control Panel:
  o Accessed via http://localhost:1456 on the gateway server. It can be made to use https using the above SSL
    certificate.
  o Works with the latest versions of IE, Chrome, Safari, and Firefox.
- Supported clients:
  o iOS 5.0 and higher
  o Android 3.1 or later (carrier versions)
MaaS360 Mobile Enterprise Gateway Onboarding in DIRECT Access mode
STEP 1: DOWNLOAD AND INSTALL THE GATEWAY
1. Log in to MaaS360 and browse to the Services page: (Setup >> Services screen)
2. Under Secure Browser section, you should see that the Intranet Access feature has been enabled.
Note: if this has not been enabled, please contact your Fiberlink representative.
3. Download the MaaS360 Mobile Enterprise Gateway software using the download link on the same Services page.
4. Complete the installation process as shown below:
STEP 2: CONFIGURE THE GATEWAY
1. Once the installation completes, a web page is launched that lets you activate and configure the MaaS360
Mobile Enterprise Gateway. Start with the Click here to manage the gateway link.
2. This launches the MaaS360 Mobile Enterprise Gateway’s Control Panel.
a. Enter your username, email address, company name and a password for Control Panel access.
b. Click Continue.
MaaS360 Mobile Enterprise Gateway contacts the MaaS360 Gateway Provisioning Server to activate your
gateway, as shown above.
3. Once the Enterprise Gateway is activated, you will receive an activation code to your registered email address
from MaaS360@fiberlink.com
Note: Please whitelist this address so that your mail server will deliver this code.
4. Enter the following information to activate the Mobile Enterprise Gateway:
a. Enter the Activation Code from the email.
b. Enter the Gateway Title. This is free-form text that gives a display name of your gateway.
c. Select the closest Relay Service based on your region (US/EU Instance).
d. Select Access to current intranet applications option and click Continue.
This will complete the activation.
5. Once the gateway is activated, the 6-digit MaaS360 Gateway instant access code will appear on your screen.
Note: Please write down this code. It will be needed for policy configuration in the MaaS360 portal at a later
step.
STEP 3: RUN THE GATEWAY AS A SERVICE ACCOUNT
PS: You can skip this step if you are using LDAP in your environment and not Microsoft Active Directory.
Please refer to the LDAP Configuration section in Appendix A to set up your gateway to integrate with LDAP.
Configuring the gateway to run as a Service Account is required for two reasons:
1. Authenticating users against your Active Directory server before granting intranet access
2. Single Sign-On (SSO) for intranet sites that use NTLM authentication
Steps to configure the service account are detailed below:
1. Open the Services Console on the server (Start >> Run >> services.msc)
2. Locate the service MaaS360 Mobile Enterprise Gateway
3. Stop the service
4. Right-click on the service and select Properties >> Select the Log On tab.
5. Enter a Service Account username and password and click Apply. The Service Account username must be a
Domain user in Active Directory, and it must be part of the Local Admin group on the server where the
installation is. Use a dedicated account for the gateway rather than a shared or personal administrator account.
6. On the General tab, select Start and make sure the service is running.
STEP 4: CONFIGURE DIRECT ACCESS MODE
MaaS360 Mobile Enterprise Gateway installs in RELAY mode by default. This step switches MaaS360 Mobile Enterprise
Gateway to operate in DIRECT mode.
1. Log in to MaaS360 Mobile Enterprise Gateway's Control Panel (http://localhost:1456)
2. Go to the Network tab
3. Uncheck "MaaS360 Relay Option" on the left (see screenshot below)
4. Check "MaaS360 Direct Option" on the right (see screenshot below)
5. Type in the Direct Access URL's hostname and port in the fields highlighted. The gateway will listen for all
inbound connections from mobile devices on this hostname and port. This hostname and port should be
externally accessible (either a DMZ installation or Network Address Translation); expose only this listener, not
the Control Panel port (1456), to the Internet.
The assumption here is that the DNS entry for the DIRECT access hostname has already been created as per the
requirements. If load balancers are being used, the DIRECT access hostnames should be resolvable from the
load balancer to the gateways.
STEP 5: CONFIGURE SSL CERTIFICATES FOR DIRECT ACCESS MODE
When MaaS360 Mobile Enterprise Gateway is enabled for Direct Access Mode, the devices directly connect to the
gateway over port 80 (non-secured HTTP traffic) by default. Until SSL is enabled the transport is unprotected and
only the application-layer payload encryption described in the architecture section applies, so complete this step
before publishing the DIRECT Access URL to devices. In order to enable SSL, you will need the following:
- SSL certificate for the Direct URL hostname (.cer). This must be in PEM format (Base-64 encoded X.509), not
  binary DER.
- SSL certificate private key (.key). This must be an unencrypted (no passphrase) PEM private key. Because it is
  stored unencrypted, restrict the NTFS permissions on the key file to the gateway service account and local
  administrators.
Once you have obtained both, here are the steps to enable the gateway to use SSL certificates:
1. Rename the SSL certificate to maas360gateway-ssl.cer
2. Rename the private key to maas360gateway-ssl.key
3. Copy these two files into the C:\ProgramData\MaaS360\MaaS360 Mobile Enterprise Gateway folder
4. Restart the MaaS360 Mobile Enterprise Gateway service
Alternately, you can configure MaaS360 Mobile Enterprise Gateway to point to the SSL certificate and private key at
any location.
1. Stop the MaaS360 Mobile Enterprise Gateway service
2. Open maas360gateway.ini in a text editor
3. Add the following two lines to the INI file, each giving the path to the file in single quotes (the paths below
   are examples):
   a. portal_ssl_certificate='c:\certs\gateway\cert.cer'
   b. portal_ssl_private_key='c:\certs\gateway\key.key'
4. Start the service
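A pre-flight check to run on the two files before restarting the service, as an added example written for this
guide (it is not Fiberlink/MaaS360 code). It confirms with the Python standard library only that the .cer is PEM
rather than binary DER, that the .key is PEM and carries no passphrase (the page requires an unencrypted key),
optionally lets OpenSSL confirm the key matches the certificate, and renders the two maas360gateway.ini lines from
the alternate procedure above. It assumes Python 3.9 or later on the gateway host; the PEM-shaped sample strings
inside are constructed and are not real credentials, and the c:\certs\gateway paths are examples.

```python
"""Pre-flight check for the Direct Access Mode SSL files. Added example written for
this guide, not Fiberlink/MaaS360 code. It verifies with the standard library only
that the certificate is PEM (not binary DER), that the private key is PEM and carries
no passphrase, optionally lets OpenSSL confirm the two belong together, and renders
the two maas360gateway.ini lines from Step 5. The file paths used below are examples.
"""
import re
import ssl
from pathlib import Path, PurePath

_PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----\r?\n[A-Za-z0-9+/=\r\n]+-----END CERTIFICATE-----")
_PEM_KEY_HEADERS = (
    b"-----BEGIN PRIVATE KEY-----",      # unencrypted PKCS#8
    b"-----BEGIN RSA PRIVATE KEY-----",  # legacy PKCS#1 (unencrypted unless Proc-Type says otherwise)
    b"-----BEGIN EC PRIVATE KEY-----",   # legacy SEC1
)

# Constructed samples (not real credentials): PEM-shaped bytes that only exercise the checks.
SAMPLE_PEM_CERT = b"-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUQ0NFUlQ=\n-----END CERTIFICATE-----\n"
SAMPLE_DER_CERT = b"\x30\x82\x01\xb3\x30\x82\x01\x59\xa0\x03\x02\x01\x02"  # leading bytes of a DER SEQUENCE
SAMPLE_PLAIN_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKc=\n-----END PRIVATE KEY-----\n"
SAMPLE_PKCS8_ENCRYPTED_KEY = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHDBOBgkq\n-----END ENCRYPTED PRIVATE KEY-----\n"
SAMPLE_LEGACY_ENCRYPTED_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                               b"DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                               b"MIIEpAIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n")


def check_certificate_pem(data: bytes) -> list[str]:
    """Problems with the .cer contents; an empty list means it looks like PEM."""
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: a DER export, which the gateway will not read
        return ["certificate is binary DER; export it again as Base-64 encoded X.509 (PEM)"]
    if not _PEM_CERT.search(data):
        return ["no '-----BEGIN CERTIFICATE-----' block found"]
    return []


def check_private_key_pem(data: bytes) -> list[str]:
    """Problems with the .key contents; the gateway needs an unencrypted PEM key."""
    if b"-----BEGIN ENCRYPTED PRIVATE KEY-----" in data:
        return ["PKCS#8 key is passphrase-protected; strip the passphrase before use"]
    if b"Proc-Type: 4,ENCRYPTED" in data:
        return ["legacy PEM key is passphrase-protected; strip the passphrase before use"]
    if not any(header in data for header in _PEM_KEY_HEADERS):
        return ["no PEM private key block found (a .pfx/PKCS#12 bundle must first be converted to PEM)"]
    return []


def check_pair(cert_path: Path, key_path: Path) -> list[str]:
    """Run both content checks, then let OpenSSL confirm the key matches the certificate.
    The header checks run first on purpose: an encrypted key handed to load_cert_chain()
    without a password makes OpenSSL block on an interactive passphrase prompt."""
    problems = check_certificate_pem(cert_path.read_bytes()) + check_private_key_pem(key_path.read_bytes())
    if problems:
        return problems
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(str(cert_path), str(key_path))
    except ssl.SSLError as exc:
        problems.append(f"OpenSSL rejected the certificate/key pair: {exc}")
    return problems


def ini_lines(cert_path: "str | PurePath", key_path: "str | PurePath") -> list[str]:
    """The two maas360gateway.ini settings from Step 5, each path in single quotes."""
    return [f"portal_ssl_certificate='{cert_path}'", f"portal_ssl_private_key='{key_path}'"]


if __name__ == "__main__":
    import sys
    cert, key = (Path(p) for p in sys.argv[1:3])  # e.g. c:\certs\gateway\cert.cer c:\certs\gateway\key.key
    found = check_pair(cert, key)
    for problem in found:
        print("problem:", problem)
    if not found:
        print("\n".join(ini_lines(cert, key)))
    sys.exit(1 if found else 0)
```

Run it as `python check_gateway_ssl.py c:\certs\gateway\cert.cer c:\certs\gateway\key.key`; a zero exit code
and the two printed INI lines mean the files are in the form the gateway expects, and the lines can be pasted into
maas360gateway.ini as written.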
STEP 6: CONFIGURE INTRANET SITES FOR GATEWAY ACCESS
The MaaS360 Mobile Enterprise Gateway provides an Intranet Tunneling service that acts as an intermediary for
requests from clients seeking resources from other intranet sites or services.
The MaaS360 Secure Browser client connects to the MaaS360 Mobile Enterprise Gateway requesting a connection to
other resource available from a different server. The MaaS360 Mobile Enterprise Gateway evaluates the request
according to its policy rules. If the request is validated by the policy, the MaaS360 Mobile Enterprise Gateway
connects to the relevant server and requests the resource for the client.
Follow the steps below to configure intranet sites that can be accessed via MaaS360 Secure Browser:
1. Log in to MaaS360 Mobile Enterprise Gateway’s Control Panel (http://localhost:1456)
2. Enter your username and password (from the Gateway Activation page) to log in to the console.
3. Select Policies menu and go to Hosts to which the gateway may provide proxy access.
4. Add the hostnames of the sites that need to be allowed through MaaS360 Secure Browser to this field.
Click Save policy settings once the list is complete.
This is the Proxy Access List. It accepts comma-separated hostnames that are allowed through the gateway. Wildcard
characters such as * and ? are also supported. Here are some examples:
Use Case                                      Proxy Access List
--------------------------------------------  ------------------------------------------------------------
Allow individual intranet sites               site01.mydomain.com, site02.mydomain.com, site03.mydomain.com
Allow any site with a particular sub-domain   *.mysubdomain.mydomain.com
Selective sites from certain domains          *.mysubdomain01.mydomain.com, site02.mysubdomain02.mydomain.com
Allow any intranet site to be accessed        *.mydomain.com
(This will cause your email, OWA and SSL
sites to be proxied through the gateway.)
If you need to modify or delete hostnames from your Proxy Access List, the changes must be made in the Hosts to
which the gateway may provide proxy access field and saved.
The next time the MaaS360 Secure Browser connects to the gateway—either when the user authenticates or the
next time the user tries to connect to the intranet site—the updated Proxy Access List gets pushed to the
connecting mobile devices.
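As an added example that is not part of the MaaS360 guide or the product, the following Python script reproduces the matching the Proxy Access List implies, so an administrator can check which hostnames a candidate list would route through the gateway before saving it. The function names, the sample hostnames and the assumption that * may span dots (so *.mydomain.com also covers a.b.mydomain.com) are mine; the guide only states that * and ? are supported.

```python
"""Check a candidate Proxy Access List against hostnames (added example, not MaaS360 code)."""
import re
from typing import Dict, Iterable, List


def parse_access_list(text: str) -> List[str]:
    """Split the comma-separated list from the control panel into lower-cased patterns."""
    return [p.strip().lower() for p in text.split(",") if p.strip()]


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the two wildcards the guide names ('*' and '?') into an anchored regex.

    Assumption: '*' matches any run of characters including dots, so
    '*.mydomain.com' covers 'a.b.mydomain.com' as well as 'a.mydomain.com'.
    Every other character (including '.') is matched literally.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def matching_patterns(hostname: str, patterns: Iterable[str]) -> List[str]:
    """Return every pattern that would send this hostname through the gateway."""
    host = hostname.strip().lower().rstrip(".")  # case and a trailing dot are not significant
    return [p for p in patterns if _pattern_to_regex(p).match(host)]


def is_proxied(hostname: str, access_list: str) -> bool:
    """True when the hostname matches at least one entry of the access list."""
    return bool(matching_patterns(hostname, parse_access_list(access_list)))


def audit_access_list(access_list: str, hostnames: Iterable[str]) -> Dict[str, List[str]]:
    """Map each hostname to the entries that match it ([] means not proxied).

    Run this before saving a broad entry such as '*.mydomain.com': as the guide
    notes, it also pulls OWA and other SSL sites through the gateway.
    """
    patterns = parse_access_list(access_list)
    return {h: matching_patterns(h, patterns) for h in hostnames}


# Constructed sample hostnames for a dry run; not taken from any real deployment.
SAMPLE_HOSTS = ["site01.mydomain.com", "owa.mydomain.com", "mail.mysubdomain.mydomain.com",
                "mydomain.com.example.net", "intranet.otherdomain.com"]

if __name__ == "__main__":
    for entry in ["site01.mydomain.com, site02.mydomain.com",
                  "*.mysubdomain.mydomain.com", "*.mydomain.com"]:
        hits = [h for h, m in audit_access_list(entry, SAMPLE_HOSTS).items() if m]
        print("%-45s -> %s" % (entry, hits))
```

The audit output makes the table's last row concrete: with *.mydomain.com in the list, owa.mydomain.com is proxied alongside the intranet sites, while a look-alike such as mydomain.com.example.net is not, because the match is anchored to the whole hostname.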
STEP 7: CONFIGURE ALLOWED NUMBER OF DEVICES PER USER
MaaS360 Mobile Enterprise Gateway provides the administrator the ability to limit the number of devices that can
be used by one user to access intranet sites using the MaaS360 Secure Browser. The default can be set to 1 device, x
devices or any number of devices. This setting can be overridden for specific users as well.
In order to configure this setting, select the Users tab and choose one of the following settings:
STEP 8: CONFIGURE MAAS360 POLICIES
You will need to configure the MaaS360 Secure Browser or Persona policies to integrate with the installed MaaS360
Mobile Enterprise Gateway to enable access to published intranet sites via the MaaS360 Secure Browser.
10. Log on to MaaS360 portal: https://portal.fiberlink.com
11. Browse to Security >> Policies
12. Select a Secure Browser or Persona policy
13. Click Edit
14. Select Enterprise Gateway Settings
15. For the Mobile Enterprise Gateway access code field, enter the direct access URL. With this setting, the
browser and the MaaS360 app will directly talk to the gateway and will skip the direct URL address resolution
on the provisioning server.
16. The username and domain fields are pre-populated for each user to authenticate against the gateway. This
information is available from the enrollment request.
17. There is an option to cache credentials locally in the app. If it's selected, the user is not prompted again for
authentication each time the device accesses an intranet site. We recommend that it be selected for a better
end user experience.
18. Save and publish the policy
STEP 9: DOWNLOAD THE SECURE BROWSER AND AUTHENTICATE AGAINST THE GATEWAY
6. Download and install the MaaS360 Secure Browser on the device—either from iTunes, Google Play or the App
Catalog
Note: It is recommended that you distribute the iOS and Android Secure Browser to enrolled devices via
MaaS360 so the user can install the apps from the MaaS360 App Catalog.
7. Ensure that the version of the App is 1.10 or higher (e.g.: Settings >> Browser >> Version on iOS devices &
Settings >> Apps >> Browser >> Version on Android devices)
8. Open the browser app and you will be prompted to authenticate
9. The username and domain should be auto-populated based on the AD credentials you used during the
enrollment process. Enter your password to initiate authentication.
10. Once authenticated, the browser will load as usual. Now accessing an internal site will load the page on the
MaaS360 Secure Browser
MaaS360 Mobile Enterprise Gateway in High Availability (HA) Configuration
ARCHITECTURE:
MaaS360 Mobile Enterprise Gateway can be set up in High Availability (HA) mode for both RELAY and DIRECT access
deployments. The gateways share a common database (MySQL) and serve requests for Mobile Devices.
In Direct Mode, the traffic from the devices needs to be load balanced across multiple gateways using a load balancer.
In Relay Mode, the gateways automatically pick up requests in turns from the relay and there is no specific load
balancing required in this mode.
SYSTEM REQUIREMENTS FOR HIGH AVAILABILITY (HA) CONFIGURATION
- General Requirements: Depending on the gateway mode you are looking to implement, check the
corresponding sections for requirements:
  o Relay Mode requirements
  o Direct Mode requirements
- HA specific Requirements:
  o MySQL 5.5+ or MSSQL 2008+
  o Load balancing software to distribute incoming DIRECT http(s) requests
    Note: A load balancer is only required for MaaS360 Mobile Enterprise Gateway Direct Access mode.
MaaS360 Mobile Enterprise Gateway Onboarding in HA mode:
STEP 1: INSTALL ON A SERVER
MaaS360 Mobile Enterprise Gateway uses SQLite by default to store the gateway configuration. The SQLite DB file is
maintained as a file in the MaaS360 Mobile Enterprise Gateway Data Directory. In order to run multiple MaaS360 Mobile
Enterprise Gateways in High Availability (HA) mode, the configuration must be stored in a shared database. You can use
either MySQL or MS SQL database servers to set up this shared database.
MySQL Server Installation:
Please install MySQL on a server and ensure that the database server is accessible from all Gateways on your
network.
Links to external resources are here.
MS SQL Server Installation:
Please install Microsoft SQL Server on a server and ensure that the database server is accessible from all Gateways on
your network.
Links to external resources are here.
STEP 2: CREATE THE MAAS360 MOBILE ENTERPRISE GATEWAY DATABASE:
The database DBURI is defined in the maas360gateway.ini file located in the MaaS360 Mobile Enterprise Gateway Data
Directory. For the default MaaS360 Mobile Enterprise Gateway configuration you should see a dburi definition similar
to:
dburi = sqlite:///C:\ProgramData\MaaS360\MaaS360 Mobile Enterprise Gateway\maas360gateway.db
MaaS360 Mobile Enterprise Gateway in HA mode will have a dburi definition similar to:
dburi = mysql://user:password@hostname:port/dbname
or
dburi = mssql+pyodbc://user:password@hostname:port/dbname
To create a MaaS360 Mobile Enterprise Gateway in HA mode you need to specify the database SQL dburi when you
register your MaaS360 Mobile Enterprise Gateway. This can only be done at the time you register your MaaS360 Mobile
Enterprise Gateway. If you have an existing MaaS360 Mobile Enterprise Gateway configured to use the default SQLite
database it cannot be converted to an HA mode gateway. To register/create a new MaaS360 Mobile Enterprise Gateway
in HA mode follow these steps.
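The dburi is the one line that turns a stand-alone gateway into an HA member, and it carries the database password in clear text (Step 5 of the relay onboarding adds the SSL certificate and key paths to the same file). As an added example, not code from MaaS360, the Python below reads a maas360gateway.ini, parses the dburi including the case where the password itself contains an @ (as the MySQL sample later in this guide does), redacts it for tickets and logs, and reports whether the file points at a shared database or at the default SQLite file that cannot be converted. The flat key = value layout, the quote stripping and the sample values are my assumptions.

```python
"""Read maas360gateway.ini and inspect its dburi (added example, not MaaS360 code)."""
import re
from typing import Dict, Optional

# Assumption: the INI is a flat "key = value" file as the guide's samples show;
# [section] headers, blank lines and ;/# comments are skipped if present.
_QUOTES = "'\"\u2018\u2019\u201c\u201d"   # straight and typographic quotes seen in pasted configs

# The userinfo part is matched greedily, so a password containing '@' still
# parses: the host is whatever follows the LAST '@' before the port/database.
_DBURI_RE = re.compile(
    r"^(?P<scheme>[A-Za-z0-9+]+)://"
    r"(?:(?P<user>[^:@/]+)(?::(?P<password>.*))?@)?"
    r"(?P<host>[^:/@]*)"
    r"(?::(?P<port>\d+))?"
    r"/(?P<database>.*)$"
)


def read_gateway_ini(text: str) -> Dict[str, str]:
    """Parse key = value lines; keys are lower-cased and surrounding quotes stripped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip(_QUOTES)
    return settings


def parse_dburi(uri: str) -> Dict[str, Optional[str]]:
    """Split a dburi into scheme/user/password/host/port/database (None when absent)."""
    m = _DBURI_RE.match(uri.strip())
    if m is None:
        raise ValueError("unrecognised dburi: %r" % uri)
    parts = m.groupdict()
    parts["scheme"] = parts["scheme"].lower()
    return parts


def format_dburi(parts: Dict[str, Optional[str]], password: Optional[str]) -> str:
    """Reassemble a dburi from parse_dburi() output, substituting the given password."""
    out = parts["scheme"] + "://"
    if parts["user"]:
        out += parts["user"] + (":" + password if password is not None else "") + "@"
    out += (parts["host"] or "") + (":" + parts["port"] if parts["port"] else "")
    return out + "/" + (parts["database"] or "")


def redact_dburi(uri: str) -> str:
    """The dburi with its password masked: the form to paste into a ticket or log line."""
    parts = parse_dburi(uri)
    return format_dburi(parts, "***" if parts["password"] is not None else None)


def is_shared_database(uri: str) -> bool:
    """True for MySQL/MS SQL URIs; False for the default SQLite file, which cannot serve HA."""
    return parse_dburi(uri)["scheme"] != "sqlite"


def ha_readiness(ini_text: str) -> Dict[str, object]:
    """Summarise what an administrator checks before registering an HA gateway."""
    cfg = read_gateway_ini(ini_text)
    uri = cfg.get("dburi", "")
    return {
        "dburi": redact_dburi(uri) if uri else None,
        "shared_database": bool(uri) and is_shared_database(uri),
        "ssl_certificate": cfg.get("portal_ssl_certificate"),
        "ssl_private_key": cfg.get("portal_ssl_private_key"),
    }


# Constructed sample INI; host, account and paths are placeholders, not real values.
SAMPLE_INI = r"""
; maas360gateway.ini (constructed sample)
dburi = mysql://gwuser:s3cr3t@pass@db01.example.local:3306/maas360gatewaydb
portal_ssl_certificate='c:\certs\gateway\cert.cer'
portal_ssl_private_key='c:\certs\gateway\key.key'
"""

if __name__ == "__main__":
    print(ha_readiness(SAMPLE_INI))
```

Because the data directory holding this file is copied verbatim to every new cluster member (Step 7 below), the redacted form is what should travel in e-mail or a support case; the file itself should stay on the gateways.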
MySQL: Create the Gateway database and grant required permissions
To create the database and user in MySQL, go to the MySQL prompt and type:
    -- the name must match the one used in the dburi (MySQL names are case-sensitive on Linux hosts)
    create database maas360gatewaydb;
    -- without a host part the account may connect from any host ('%'), which the other gateways need
    grant all on maas360gatewaydb.* to USERNAME identified by "PASSWORD";
USERNAME and PASSWORD should be replaced by your actual user and password for the database.
MS SQL: Create the Gateway database and grant required permissions
To create the database and user in MS SQL, use the Microsoft SQL Server Management Studio:
- Create a database called maas360gatewaydb
- Create a SQL Server local user from the Security >> Login >> New Login workflow. Select SQL Server
authentication.
- Provide the correct server role to the user to enable write access to the maas360gatewaydb
- Map the user to the maas360gatewaydb if you require the admin to be restricted to just the maas360 database.
STEP 3: GET THE DATABASE URI AND TEST YOUR DATABASE CONNECTION USING WINDOWS ODBC
DATA SOURCE ADMIN UTILITY
Once the database has been created, you will be able to set the dburi for your MaaS360 Mobile Enterprise Gateway to
use MySQL or MSSQL.
You should test the database connection before attempting to install the MaaS360 Mobile Enterprise Gateway.
A good test is simply to use the Windows ODBC Data Source Admin utility. See examples below:
MySQL: DBURI determination and DB connection test:
You can use the MySQL ODBC Driver to verify the correct settings to use in the dburi for the MaaS360 Mobile Enterprise
Gateway. Here is an example of the above settings tested from the MySQL ODBC Connector.
Click Test to confirm if the ODBC connector can connect to the database with the provided credentials. This test needs
to be done on the server on which MaaS360 Mobile Enterprise Gateway is installed.
Using the above settings the dburi would be:
dburi = mysql://maas360gateway:admin@123@10.17.40:3309/maas360gatewaydb
MSSQL: DBURI determination and DB connection test:
- Launch the Microsoft ODBC admin tool and add the SQL Server Native Client driver
- Add a server name, description and the hostname:
- Enter the credentials for the user you created in the previous section under the SQL Server authentication
section.
- Choose default settings on the next screen and proceed to Test. On successful tests, you should see the following
screens.
- As per the above configuration, your dbURI is going to be as follows:
dburi = mssql+pyodbc://sa:password@sqlserver01.fiberlink.local:1433/maas360gatewaydb
STEP 4 - INSTALL THE FIRST MAAS360 MOBILE ENTERPRISE GATEWAY (DO NOT REGISTER)
The MaaS360 Mobile Enterprise Gateway Setup Wizard will walk you through the installation process. Once the MaaS360
Mobile Enterprise Gateway software has been installed, you will need to register and activate your MaaS360 Mobile
Enterprise Gateway prior to use. The following guide illustrates the installation and registration process.
Note: To install MaaS360 Mobile Enterprise Gateway in HA mode there are manual steps involved between the install
and registration. DO NOT register your gateway before making the required changes to the maas360gateway.ini file.
To install as a service you must run the install as an administrator.
1. Download the MaaS360 Mobile Enterprise Gateway software from the download link from MaaS360.
2. Complete the installation process as shown below:
STOP before you register your Gateway!
If you register your MaaS360 Mobile Enterprise Gateway now, it will be registered as a stand-alone Gateway and cannot
be converted to HA mode.
1. Close the registration window
2. Stop the MaaS360 Mobile Enterprise Gateway Service.
STEP 5: CONFIGURE THE MAAS360 GATEWAY INI FILE
Once the MaaS360 Mobile Enterprise Gateway Service has been stopped you will need to edit the maas360gateway.ini
file for your Gateway to convert this install into an HA setup.
1. Go to C:\ProgramData\MaaS360\MaaS360 Mobile Enterprise Gateway
2. Open maas360gateway.ini in a text editor
3. Change the dburi to the URI from Step 3 depending on the type of database in use.
4. Save Changes
5. Start the MaaS360 Mobile Enterprise Gateway service
If the service fails to start, it indicates the connection to the database failed. You can check the Windows Event Viewer
for MaaS360 Mobile Enterprise Gateway Application Errors to verify the reason for the failure. Check your settings and
verify the connection before trying to start the Gateway Service again.
Once the Gateway Service starts you can continue with the next steps.
STEP 6: REGISTER YOUR GATEWAY
Now, register your gateway either in RELAY or DIRECT access mode by navigating to the URL http://localhost:1456
- To register your gateway in Relay Mode, follow steps 2-7 here.
- To register your gateway in Direct Mode, follow steps 2-9 here.
- Important considerations for DIRECT Mode:
  o Step 4: Configure DIRECT Access Mode
    - The hostname of the DIRECT URL should be the public address of your load balancer
  o Step 5: Configure SSL Certificates for Direct Access Mode
    - This step is optional
    - Since a load balancer is involved in the configuration and supports SSL, setting up SSL on the gateway
becomes optional if you have secured communication between your load balancer and the gateways.
    - Please note: even if this channel is not secured, the packets themselves are still encrypted so that
only the gateway can decrypt them.
STEP 7: ADD NEW GATEWAYS TO THE CLUSTER
You are now ready to install multiple gateways in your environment in a clustered setup. You cannot install multiple
gateways on the same single server. The new gateways will work in conjunction with the first gateway in HA mode.
Steps to add new gateways to the Cluster:
1. Install the new gateway as an administrator
2. DO NOT REGISTER the gateway.
PS: If you register the gateway, the gateway will register in stand-alone mode and cannot be converted to HA
mode.
3. Stop the MaaS360 Mobile Enterprise Gateway service
4. Delete all files from the Data Directory of the gateway. The path is C:\ProgramData\MaaS360\MaaS360 Mobile
Enterprise Gateway
5. Copy the MaaS360 Mobile Enterprise Gateway Data Directory from the first Gateway you installed in HA mode.
This Gateway will use the settings and configuration from your first HA Gateway.
6. Start the gateway service as a service account (same as the first Gateway).
Now the new gateway will talk to the same shared database (MySQL or MS SQL) and operate in HA mode.
STEP 8: SETUP YOUR LOAD BALANCER TO DISTRIBUTE LOAD AMONGST ACTIVE GATEWAYS (DIRECT
MODE ONLY)
If you have implemented your HA gateway configuration in DIRECT mode, the last step is to set up your load
balancer to distribute load across all active gateways. Please leverage the expertise of your network administrator to
set this up in your environment.
Also, ensure that SSL is enabled on your load balancer so that devices connect to your environment over SSL.
RECOMMENDATIONS FOR HA CONFIGURATION CHANGES
Since all the MaaS360 Mobile Enterprise Gateways share a single configuration database, you can manage the
configuration from any active Gateway.
However, it is recommended that you pick one of the gateways as the primary and manage the gateways' configuration
from that gateway. This is usually the first gateway you installed in the cluster.
Support & Troubleshooting
FREQUENTLY ASKED QUESTIONS (FAQS)
All my users are unable to access one intranet site through the Secure Browser. How can I fix this?
1. Log on to the server on which the gateway is installed, open a browser and try accessing the intranet site.
2. Try connecting the device to the corporate network—either Wi-Fi or VPN—and see if the site is accessible.
3. If both (1) and (2) are not working, the intranet site might have gone down.
4. Open the browser on the gateway, use developer tools and capture logs while loading the site in question.
5. Gather Gateway logs (using the procedure highlighted below) and send them to MaaS360 for analysis.
None of my users are able to access ANY intranet sites through the Secure Browser. What should I do?
1. Log on to the server on which the gateway is installed, open the Services console and ensure that MaaS360
Mobile Enterprise Gateway service is running. If not, start the service.
2. With a test device, start the Secure Browser app, authenticate (if required) and confirm that you are able to
access the intranet sites.
3. If it’s still not working, open the browser on the gateway and try accessing intranet sites that are published.
Check to see if there have been any recent firewall/proxy changes in your internal network that might be
blocking this access.
4. Gather gateway logs (using the procedure below) and send it to MaaS360 for analysis.
How can I collect gateway logs?
1. Replicate the issue in question using the Secure Browser and note down the timestamp.
2. Log on to the server on which the gateway is installed.
3. Browse to the C:\ProgramData\MaaS360\MaaS360 Mobile Enterprise Gateway folder.
4. Copy gateway*.log, portal-access*.log and proxy-access*.log to a folder.
5. Zip the contents of the folder and send it to MaaS360 support (ops@fiberlink.com) along with the timestamp
when the issue was replicated. Please provide your account number with the logs.
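The log-collection procedure above, scripted in Python as an added example (not a MaaS360 tool): it picks the three log file families the guide names from the data directory, optionally drops rotated files older than the replication timestamp noted in step 1, and writes them into a zip together with a README recording that timestamp. The timestamp format, the README and the sample directory builder are my choices; the data directory path and file patterns are the guide's.

```python
"""Bundle the gateway log files for a support case (added example, not MaaS360 code)."""
import fnmatch
import os
import tempfile
import zipfile
from datetime import datetime
from typing import List, Optional

# File name patterns named in the guide's log-collection procedure.
LOG_PATTERNS = ("gateway*.log", "portal-access*.log", "proxy-access*.log")
DEFAULT_DATA_DIR = r"C:\ProgramData\MaaS360\MaaS360 Mobile Enterprise Gateway"
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M"   # how the noted replication time is passed in (my choice)


def select_log_files(data_dir: str, since: Optional[str] = None) -> List[str]:
    """Log files (sorted by name) last modified at or after 'since'; all of them if None.

    Passing the timestamp noted in step 1 keeps rotated logs that predate the
    replication out of the bundle. Only the named patterns are taken, so the
    INI (with the database password) and the SQLite file are never included.
    """
    cutoff = datetime.strptime(since, TIMESTAMP_FORMAT).timestamp() if since else None
    picked = []
    for name in sorted(os.listdir(data_dir)):
        path = os.path.join(data_dir, name)
        if not os.path.isfile(path) or not any(fnmatch.fnmatch(name, p) for p in LOG_PATTERNS):
            continue
        if cutoff is not None and os.path.getmtime(path) < cutoff:
            continue
        picked.append(path)
    return picked


def collect_gateway_logs(data_dir: str, out_zip: str, since: Optional[str] = None) -> List[str]:
    """Write the selected logs plus a README.txt into out_zip; return the archive's member names."""
    files = select_log_files(data_dir, since)
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in files:
            zf.write(path, arcname=os.path.basename(path))
        # Support asks for the replication time and account number alongside the logs.
        zf.writestr("README.txt",
                    "issue replicated at: %s\naccount number: <fill in>\n" % (since or "not recorded"))
    with zipfile.ZipFile(out_zip) as zf:
        return sorted(zf.namelist())


def make_sample_data_dir() -> str:
    """Create a throwaway directory that mimics the gateway data directory (constructed data)."""
    d = tempfile.mkdtemp(prefix="meg-sample-")
    for name in ("gateway.log", "gateway-old.log", "portal-access.log", "proxy-access-1.log",
                 "maas360gateway.ini", "maas360gateway.db"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write("constructed sample content\n")
    # Age one log file so a 'since' filter has something to exclude.
    old = datetime.strptime("2014-01-01 00:00", TIMESTAMP_FORMAT).timestamp()
    os.utime(os.path.join(d, "gateway-old.log"), (old, old))
    return d


if __name__ == "__main__":
    sample = make_sample_data_dir()
    print(collect_gateway_logs(sample, os.path.join(sample, "bundle.zip"), since="2014-01-02 00:00"))
```

On a real gateway, call collect_gateway_logs(DEFAULT_DATA_DIR, r"C:\temp\gateway-logs.zip", since="<noted timestamp>") from an elevated prompt and attach the resulting zip to the support case.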
How can I collect Secure Browser logs?
1. Replicate the issue in question using the Secure Browser and note the timestamp.
2. In iOS, go to Settings >> Browser and set Email Logs to ON. Open the browser. This will launch your default
email client with a new email and logs as attachments.
3. In Android, open MaaS360 App, then Settings >> Email Logs. On the Secure Browser Settings menu, there is an
option to enable verbose logging as well, in case of assisted troubleshooting.
What should I do to get the latest proxy access list on my Secure Browser?
1. Minimize the app and bring it to foreground, or log out of the browser and re-authenticate. This will cause the
latest proxy list to be downloaded.
2. To log out of the iOS Secure Browser, go to Settings >> Browser >> Intranet Access Signout = ON.
3. To log out of the Android Secure Browser, access Settings menu from the Browser and go to Enterprise Gateway
Settings to key in new credentials.
How can I check the version of the Secure Browser installed on my device?
1. In iOS, go to Settings >> Browser; the Version field indicates the version of the browser.
2. In Android, go to Settings >> Application Manager >> Browser to access the version.
Appendix A: Gateway authentication against LDAP.
If you run the MaaS360 Mobile Enterprise Gateway as a service account, the gateway automatically authenticates users
against Active Directory.
If your environment uses an LDAP directory rather than Microsoft Active Directory, there is no requirement to run the
gateway as a service account. To integrate your gateway with LDAP for authentication, please follow the steps below:
1) Login to the gateway console and ensure that the gateway version on the About Tab is 2.71 or higher.
2) Browse to the gateway’s program files directory: C:\Program Files (x86)\MaaS360\MaaS360 Mobile Enterprise
Gateway
3) Launch LDAP_Configurator.exe. The LDAP configuration UI will show up.
4) Enter the values:
a. LDAP server name
b. LDAP port
c. Secure Authentication usage
d. Bind Username’s Distinguished Name
e. Bind Username’s password
f. Search Attribute (uid, mail etc.)
g. User Object Class: (person, dominoPerson etc.)
h. LDAP search base(s):
i. Authentication timeout: Value in minutes for the gateway to timeout on authentication.
5) Save the configuration. The Test Action will show up.
6) Test authentication. Enter in credentials to confirm that the LDAP integration works.
7) Restart the gateway to pick up the LDAP configuration.
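What the configurator fields amount to at runtime is a user lookup: bind with the configured DN, search each base for an object of the configured class whose search attribute equals the login name, then bind as the found user. As an added example that is not MaaS360's code, the Python below derives that search from the fields listed above and shows the two checks a practitioner wants around it: RFC 4515 escaping of the login name before it is placed in the filter, and rejection of empty passwords before the user bind, because many directories treat an empty-password bind as a successful anonymous bind. The dataclass field names, the mapping of "Secure Authentication usage" to ldaps, and the sample directory names are my assumptions.

```python
"""Derive the LDAP user lookup the configurator fields describe (added example, not MaaS360 code)."""
from dataclasses import dataclass, field
from typing import List, Tuple


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515, section 3).

    Without this, a login name such as 'a)(uid=*' would change the filter's meaning.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":               # the characters RFC 4515 requires to be escaped
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class LdapSettings:
    """The values the LDAP_Configurator UI asks for; attribute names here are mine."""
    server: str
    port: int
    secure: bool                       # 'Secure Authentication usage' -> assumed to mean ldaps
    bind_dn: str                       # Bind Username's Distinguished Name
    bind_password: str
    search_attribute: str              # e.g. uid or mail
    user_object_class: str             # e.g. person or dominoPerson
    search_bases: List[str] = field(default_factory=list)
    timeout_minutes: int = 1           # Authentication timeout (guide says minutes)


def ldap_url(s: LdapSettings) -> str:
    """Connection URL implied by server, port and the secure flag."""
    return "%s://%s:%d" % ("ldaps" if s.secure else "ldap", s.server, s.port)


def user_search_filter(s: LdapSettings, username: str) -> str:
    """Filter that selects exactly the user object the configured attribute names."""
    if not username.strip():
        raise ValueError("empty username")
    return "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(s.user_object_class), s.search_attribute, escape_filter_value(username))


def search_plan(s: LdapSettings, username: str) -> List[Tuple[str, str]]:
    """(base, filter) pairs, one per configured search base, to be tried in order."""
    flt = user_search_filter(s, username)
    return [(base, flt) for base in s.search_bases]


def credentials_ok(username: str, password: str) -> bool:
    """Gate before the second (user) bind: an empty password must never reach the server,
    since many LDAP servers treat it as an anonymous bind that 'succeeds'."""
    return bool(username.strip()) and password != ""


def timeout_seconds(s: LdapSettings) -> int:
    """The configurator takes minutes; client libraries generally take seconds."""
    return s.timeout_minutes * 60


# Constructed sample settings; the server and DNs are placeholders.
SAMPLE = LdapSettings(
    server="ldap.example.local", port=636, secure=True,
    bind_dn="cn=svc-gateway,ou=service,dc=example,dc=local", bind_password="<placeholder>",
    search_attribute="uid", user_object_class="person",
    search_bases=["ou=people,dc=example,dc=local", "ou=contractors,dc=example,dc=local"],
    timeout_minutes=2,
)

if __name__ == "__main__":
    print(ldap_url(SAMPLE))
    for base, flt in search_plan(SAMPLE, "jsmith"):
        print(base, flt)
```

Step 6 (Test authentication) exercises exactly this path; if the test succeeds with a valid account but also with a blank password, the server is accepting anonymous binds and the gateway-side check shown here is what prevents that from being treated as a login.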