External accessibility of an on-prem MobiControl Server

Solved

Hello all,

My customer currently uses an on-premise SOTI MC server (15.1.1) in his internal network. In the future, he would like to use apps on his devices that require an internet connection (MS Teams or similar). Instead of opening the internal network for the communication, he would like to use the devices outside of the internal network and let them communicate with the SOTI MC server through the public Internet.

What exactly must be observed in order to make the SOTI MC server available online?

In my understanding, we need to do the following steps.

- Open the network port of the server on port 5494
- Create an external DNS record for the server
- Use an external certificate

Are there any other aspects to observe? Feel free to correct my steps.

Furthermore, if we manage to make the server externally available, what is the behavior of the enrolled devices? Am I able to switch the connection of enrolled devices from the internal network to the internet with an automatic connection between the device and the MC server?

Thank you in advance for your answer!

Best regards,

Felix

4 years ago
SOTI MobiControl
ANSWERS
Felix Hahmann
4 years ago

Hello all,

I had a SOTI PS Discovery Call and the best way to open the existing SOTI environment to the external internet would be by installing a second Deployment Server in the DMZ.

The PS team told me, they do not want to make me / the customer an offer for any paid services because installing a second Deployment Server could be easily done by me as a service provider.

I opened another topic just to be sure what I should keep in mind by installing a second Deployment Server:

https://discussions.soti.net/thread/soti-mc-on-premise-add-a-second-deployment-server/

Thank you again Raymond and Jorge for your answers!

Solution
Raymond Chan Diamond Contributor
4 years ago (edited 4 years ago)

What device platforms are to be used on the MobiControl server instance?

Depending on the device platform(s) and device mode(s) to be used, there might be a need to re-enroll (and factory-reset for some device modes) some/all devices previously enrolled to the original MobiControl server instance restricted to your closed corporate network. Is your customer aware of this need and willing to do so?

Hello Felix,

I understood the scenario, your client is currently running homologation internally and in the future the devices will be accessing the internet from the outside correct?

For this you need to pay attention to two things:

1. Changing the MS certificate for the console to a trusted root is always a good way.
2. Exchange the DS certificate for a trusted root, this certificate will be used by ports 5494 and 5495.
3. You need to release the entire SOTI network port structure that is on this link
https://www.soti.net/mc/help/v15.1/en/setup/installing/network_ports.html

These are the addresses of the SOTI Service:

https://www.soti.net/mc/help/v14.2/en/setup/installing/soti_services.html

4. Release of Google / Samsung / Apple IPs or any manufacturer that you are using in the operation; below is a list of some addresses:

*.samsungknox.com
*.secb2b.com
*.samsung.com
gslb.secb2b.com:443
us-elm.secb2b.com:443
us-prod-klm-b2c.secb2b.com:443
us-prod-klm.secb2b.com:443
usprod-knoxlog.secb2b.com:443/80

Other suggestions that I can give you are to make an IdP connection to authenticate users on the console and also to allow access to port 443 on the firewall only for the IP or for the block that will have access for operation; it is not necessary to be open to the whole internet if you will only access the console internally. Ports 5494 and 5495 must be open in the DMZ.

To avoid having to reprovision devices, set an alternative FQDN name in MobiControl Admin Utility.

In this way the devices will know the internal address as a primary and the external address as a secondary.

Use the alternative addresses present in MCAdmin to avoid having to re-enroll devices, as they will not know the internal network when they are on the internet, so it is important that you propagate a public FQDN as an alternative FQDN in MCAdmin.exe.
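The two certificate points above (a trusted-root certificate on the DS ports 5494/5495 and on the MS port 443, and a public FQDN that devices can reach) are easy to get slightly wrong, so here is a small set of checks you can run against a PEM certificate before installing it, and against the live endpoint afterwards. This is an added example, not code from the thread or from SOTI; it assumes only the `openssl` command line is available and that `mdm.example.com` stands in for the customer's public FQDN.

```shell
#!/bin/sh
# Added example (not from the SOTI thread): sanity checks on a PEM certificate
# before it becomes the DS/MS certificate of an externally reachable server.
# Assumed inputs: a PEM file and the public FQDN the devices will connect to.

# Print the DNS entries of the certificate's subjectAltName, one per line.
cert_san_dns() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Succeed only if the SAN list covers the FQDN devices will use; a certificate
# that only names the internal hostname fails TLS validation from the internet.
cert_covers_fqdn() {
  cert_san_dns "$1" | grep -qxF "$2"
}

# Succeed if the certificate is self-signed (issuer equals subject). That is
# typical for an internal-only setup and is exactly what must be replaced by a
# certificate chaining to a trusted root before exposing the server.
cert_is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Succeed if the certificate still has at least N days of validity left.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# After deployment: fetch the leaf certificate a live endpoint presents
# (port 5494/5495 for the DS, 443 for the MS) so the same checks can be run
# against what devices actually see. Needs network access to the server.
fetch_leaf_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# Run all offline checks on one file and report; exit status is 0 only if
# every check passes.
check_cert() {
  pem=$1; fqdn=$2; ok=0
  cert_covers_fqdn "$pem" "$fqdn" || { echo "SAN does not cover $fqdn"; ok=1; }
  cert_is_self_signed "$pem" && { echo "certificate is self-signed"; ok=1; }
  cert_valid_for_days "$pem" 30 || { echo "expires within 30 days"; ok=1; }
  return $ok
}
```

Typical use is `fetch_leaf_cert mdm.example.com 5494 > ds.pem && check_cert ds.pem mdm.example.com`, repeated for port 443. Note that `check_cert` only looks at the leaf; a full chain check against the system trust store is `openssl verify -untrusted chain.pem ds.pem`, which also confirms the intermediate certificates are actually served.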

Raymond Chan Diamond Contributor
4 years ago (edited 4 years ago)

Hi Felix,

As you have not provided any extra information I asked for in any follow-up post, it's hard for me to say anything responsibly. Attention to detail is always important for achieving a seamless transition upon any kind of MDM server change, as even a small procedural fault may potentially cause different levels of damage, sometimes catastrophic, to the server or the devices.

Jorge has already provided some very basic information, but real implementations are all different and are seldom so simplistic. For example, your present configurations will affect the procedure required. Also, your existing policies used before the change and the new policies required after the change also affect what and how things should be done.

Don't 100% trust what you hear from this forum (including from me or even from some Soti moderators here). Sometimes the answer is irrelevant to your implementation, and sometimes a reader might overlook the assumptions on which an answer is based. If in doubt, cross-check with the Soti support team or Soti professional services team to get an official answer specific to your case.

Anyway, when you move on and encounter problems you can't handle, I believe you will contact the Soti support team or start more discussion threads in this forum. Good luck to you and your customer.

Felix Hahmann
4 years ago

Hello Raymond,
hello Jorge,

Sorry for my late response and thank you for your answers.

What device platforms are to be used on the MobiControl server instance?

Windows Mobile and Android (only Android Enterprise, A8.1 or higher), but the external availability is intended for the Android devices only. The customer is aware of doing a re-enrollment of the devices, thank you for that information. It could be possible that only new devices get the internet access and all currently enrolled devices stay in the internal network. I will check that with my customer.

I understood the scenario, your client is currently running homologation internally and in the future the devices will be accessing the internet from the outside correct?

Yes.

1. Changing the MS certificate for the console to a trusted root is always a good way.
2. Exchange the DS certificate for a trusted root, this certificate will be used by ports 5494 and 5495.
3. You need to release the entire SOTI network port structure that is on this link
https://www.soti.net/mc/help/v15.1/en/setup/installing/network_ports.html

What are the differences between MS and DS certificate?

For point 3, I think I only have to open the needed ports like 5494 and 443 for device communication and the Google Play Store. I think all other communications are inside of the internal network or not used. Please correct me if I am wrong.

These are the addresses of the SOTI Service:

Yes, thanks. They are already opened.

Other suggestions that I can give you are to make an IdP connection to authenticate users on the console and also to allow access to port 443 on the firewall only for the IP or for the block that will have access for operation; it is not necessary to be open to the whole internet if you will only access the console internally. Ports 5494 and 5495 must be open in the DMZ.

Is there a special reason why you make the IdP suggestion? The console connection is currently possible in the internal network with an LDAP connection and it is planned to continue this way in the future.

To avoid having to reprovision devices, set an alternative FQDN name in MobiControl Admin Utility.

In this way the devices will know the internal address as a primary and the external address as a secondary.

Use the alternative addresses present in MCAdmin to avoid having to re-enroll devices, as they will not know the internal network when they are on the internet, so it is important that you propagate a public FQDN as an alternative FQDN in MCAdmin.exe.

Thank you for this idea, I will test this.

Thank you Raymond for your second answer! I really appreciate that.

Hello Felix,

The difference from DS to MS is quite simple.

MS is basically used to access the console and other web services.

DS is mainly used for communication between the devices and the server on ports 5494 and 5495. I have the habit of always exchanging both certificates to increase the security of the environment. I always allocate a trusted root certificate in these environments.

The login via LDAP will bring the same security aspect as that of the IdP. I also don't like working with fixed users on the MC console.

Using the secondary configuration you have the possibility to teach an alternative path to the devices; you can check if the device received this alternative address in Devices > Profile > Configurations > Connection Settings.

Tell us later if it worked!