Deployment Server in the DMZ

Ferenc
Aufzugswerke Schmitt + Sohn GmbH & Co. KG

Hello all,

We are planning to set up a second deployment server in the DMZ to be able to use auto enrollment.
With that we will also use wildcard certificates. Quick sidenote: We mostly have Samsung devices and a couple of Zebra enrolled as Android Enterprise as well as Classic. Server Version: 15.5.2.1003

I have a few questions regarding this.
1, We have separate wildcard certificates for internal as we have in public (DMZ) use. Is it possible to use different certificates on our 2nd DP?

2, Using wildcard certificates, I won't have to wait until all our devices check in after I install the certificate, right? Because the root certificate should be already known by the devices.

3, Please correct me if I miss a step or make a wrong statement, but the installation should look like this:

    a, Installing only the deployment server with the exact same version and build no. as the MS Server
    b, Allow communication between DMZ and LAN on ports 5494, 5495 and 443 (Do I need 1433 from DP to the SQL too?)
    c, Edit Secondary Agent Address and Port + Alternate Deployment Server and Port in the Admin Utility on the MS Server
    d, Install and bind certificates.

4, If I use LDAP Auth for the device enrollment do I need some extra ports?

Thank you for your help in advance.

2 years ago
SOTI MobiControl
Simon Breuer
2 years ago

Hi Ferenc, I will try to answer to your questions.

1) Yes, you can use different certificates on both your Deployment Servers.

2) I don't know what you mean with this question. After installation of the DS you can apply the certificates via Admin Utility.

3a) Yes. Run the installer on your DMZ machine and choose to install a Deployment Server. Select the corresponding database during setup and the new DS will be added to your environment.

3b) You need the following ports open:

  • 5494 and 443 from your devices to new DS
  • 5494 from MS to new DS
  • 5495 from your existing DS and MS to new DS
  • SQL-Port from new DS to database

3c) On the new DS you edit the Primary Agent Address. Enter the FQDN of the DS, which your devices can reach through port 5494. You can leave the Secondary Agent Address empty or enter another valid FQDN/IP for this specific DS. After that, both your old and new DS have their own different Primary Agent Addresses.

Alternate Deployment Server can also be left empty. Just fill Deployment Server IP/FQDN with the FQDN of your new DS. This may be the same value as Primary Agent Address.

3d) Correct. Bind the certificates to both Deployment Server (Port 5494) and Deployment Server Extensions (443).

4) I think for LDAP you need ports 389 or 636 (LDAPS) open from DS to your LDAP servers.
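Before binding the wildcard certificate in the Admin Utility (step 3d), it is worth checking on the DS host itself that the certificate sits in the Local Computer Personal store with its private key and that its chain builds to a trusted root for the DS's FQDN. The script below is an added example, not code from this thread or from SOTI; the FQDN and subject pattern are assumptions to replace with your own. Note that this validates the chain against the server's trust store, which is not the same as the Android trust store on the Samsung and Zebra devices.

```powershell
# Added example (not from the thread or SOTI): sanity-check the wildcard
# certificate on the Deployment Server before binding it to 5494 and 443.
$DsFqdn  = 'ds-dmz.example.com'     # assumption: the FQDN devices will connect to
$Pattern = 'CN=*.example.com*'      # assumption: subject of the wildcard certificate

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $Pattern -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No unexpired certificate matching $Pattern in LocalMachine\My" }

# Binding a certificate requires its private key to be present on this machine
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

# Build the chain from the server's own store. A failure here usually means a
# missing intermediate certificate rather than an unknown root.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'Online'
$chainOk = $chain.Build($cert)

[pscustomobject]@{
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    Thumbprint   = $cert.Thumbprint
    NotAfter     = $cert.NotAfter
    SignatureAlg = $cert.SignatureAlgorithm.FriendlyName   # expect a SHA-2 variant, not SHA1
    ChainValid   = $chainOk
    ChainStatus  = ($chain.ChainStatus.StatusInformation -join '; ')
    RootSubject  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
} | Format-List

# Host-name check: applies the SSL server policy for the name the devices use.
# The devices decide trust with their own CA store, so this is a server-side check only.
Test-Certificate -Cert $cert -Policy SSL -DNSName $DsFqdn -ErrorAction Continue
```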

Ferenc
2 years ago

Hello,

Thank you for the quick and detailed reply. It is very much appreciated. And I think I had almost all my questions answered.

I would like to clarify my second question with an example:

In the past, as Android 10 came out, we had to switch our certificate from SHA1 to SHA2. In order to do so, we had to generate a new root CA in the Admin Utility and wait until all our enrolled devices checked in.
Only after that we changed the binding of the DS and the DS Expansion.
Since the root CA of a wildcard certificate should be known by all the devices, I don't even have to import it in the Admin Utility, just install the certificate under Windows and bind it from the "Local Computer Personal Storage".

And I have one more question, since I saw a network config diagram on https://soti.net/mc/help/v15.3/en/network_config_diagram/network_config_diagram.html

In the diagram, if you select the environment DMZ and checkmark Firewall, you will see that the deployment server communicates with MobiControl Search on port 9200.
We have MobiControl Search and MS + the initial DS on one machine in the LAN. So do I also need the port 9200 from DMZ to LAN?

Simon Breuer
2 years ago

If your wildcard certificate is issued by a known official issuer (e.g. DigiCert, Telekom, Symantec, Let's Encrypt, ...) the devices trust these issuers automatically and you don't need to import the CA anywhere.

And you are right: Port 9200 is also needed for your new DS to talk with the Search Service on your existing server. I forgot it in my previous answer.
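The port list from the first answer, plus port 9200 and the LDAP ports, can be verified as a checklist before the firewall change is signed off. The script below is an added example, not code from this thread or from SOTI: run it with the matching -Role on the new DS, the MS and the existing DS, and it tests each outbound TCP path that host is responsible for. All host names and the SQL port (1433) are assumptions; Test-NetConnection only proves a TCP handshake, not that the MobiControl service behind it is healthy, and the device-to-DS paths (5494 and 443) have to be tested from a device network.

```powershell
# Added example (not from the thread or SOTI): verify the TCP paths between the
# new DMZ Deployment Server and the LAN. Host names and SQL port are assumptions.
param([ValidateSet('NewDS','MS','OldDS')][string]$Role = 'NewDS')

$NewDS  = 'ds-dmz.example.com'       # new Deployment Server in the DMZ
$MS     = 'ms-lan.example.local'     # Management Server, also hosts Search and the old DS here
$SqlSrv = 'sql-lan.example.local'    # database server
$Ldap   = 'dc01.example.local'       # LDAP server used for enrollment authentication

# Source role, destination, port and purpose, taken from the answers above
$Paths = @(
    [pscustomobject]@{From='NewDS'; To=$SqlSrv; Port=1433; Why='SQL from new DS to database'},
    [pscustomobject]@{From='NewDS'; To=$MS;     Port=9200; Why='Search Service on existing server'},
    [pscustomobject]@{From='NewDS'; To=$Ldap;   Port=636;  Why='LDAPS from DS to LDAP server'},
    [pscustomobject]@{From='MS';    To=$NewDS;  Port=5494; Why='MS to new DS'},
    [pscustomobject]@{From='MS';    To=$NewDS;  Port=5495; Why='MS to new DS'},
    [pscustomobject]@{From='OldDS'; To=$NewDS;  Port=5495; Why='existing DS to new DS'}
)

$Results = foreach ($p in ($Paths | Where-Object { $_.From -eq $Role })) {
    $t = Test-NetConnection -ComputerName $p.To -Port $p.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Destination = $p.To
        Port        = $p.Port
        Reachable   = $t.TcpTestSucceeded
        Purpose     = $p.Why
    }
}
$Results | Format-Table -AutoSize

# On the new DS itself, also confirm the services are listening for the devices
# (5494 and 443) and for the other servers (5495) before opening the firewall.
if ($Role -eq 'NewDS') {
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -in 5494, 5495, 443 } |
        Select-Object LocalAddress, LocalPort, OwningProcess |
        Sort-Object LocalPort | Format-Table -AutoSize
}
```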

Ferenc
2 years ago

Thank you again. This answer also made me think:

"3c) On the new DS you edit the Primary Agent Address. Enter the FQDN of the DS, which your devices can reach through port 5494. You can leave the Secondary Agent Address empty or enter another valid FQDN/IP for this specific DS. After that, both your old and new DS have their own different Primary Agent Addresses.

Alternate Deployment Server can also be left empty. Just fill Deployment Server IP/FQDN with the FQDN of your new DS. This may be the same value as Primary Agent Address."

So that means the installer also installs the Admin Utility on the second DS, which is not in sync with the first one? This way both can have their own Primary Agent Address, Alternate Deployment Server, and certificates, right?

Simon Breuer
2 years ago

Yes, they only share the "Device Management Address", which is Port 443. The DMA is shared across all Deployment Servers.

All other addresses are customizable for each DS.

Ferenc
2 years ago

Thank you very much. The installation can take some time. In the meantime I will make some tests and, if we encounter any issues, I will keep this thread updated.

GPMOD@SOTI
2 years ago

Hi Ferenc,

Thank you for posting on SOTI Pulse and thanks Simon for your response.

Has Simon's suggestion cleared your doubts or do you need further assistance regarding this query?

Here are some useful links for system requirements and certificates. Please have a look.

https://www.soti.net/mc/help/v15.5/en/setup/installing/system_requirements.html?hl=system%2Crequirements

https://www.soti.net/mc/help/v15.5/en/console/reference/dialogs/globalsettings/certificates/certificate_authorities.html?hl=certificate%2Cauthority

Kind regards,

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |