SOTI Pulse Logo

MobiControl - Separate services from single server to multiple

CR
Chris R.
SkyBitz - End User

Hi all,


I currently have a single MobiControl server hosting both the deployment and management services.  Due to our security departments concerns, we have to disable TLS 1.0 and 1.1 in the near term.  I tested this with our current environment, and although it seems that the web console works fine, all of our Windows Mobile devices were unable to connect once disabled.  Re-enabling TLS 1.0 allowed the devices to reconnect.  Soti support confirmed that older versions of WM may not support TLS 1.2.

So, as a way around this, I need to separate out the deployment server and management server into 2 servers so I can have the web console on it's own instance with TLS 1.0/1.1 disabled, and then the deployment server for the device communication will have them enabled.  I can then whitelist the firewall for TCP/5494 for only the source device IPs which we will always know to make our security team happy for that and also https will not have TLS 1.0 enabled.

Is there a best path to make this happen?  I know that multiple deployment servers can be used in an environment, so does it make sense to setup another server as a "failover" and then can have a way to migrate into that new server permanently?

Or, can I just build a new deployment server, stop the services on server 1, start the services on server 2, and then make a firewall NAT change to send traffic from our current public IP (and same URL) to send TCP/5494 to the new server?

Thanks for any help or advice.

deployment-server management-server migration
6 years ago
SOTI MobiControl
ANSWERS
S
Saro
6 years ago

I'd say consider a reverse proxy using nginx instead: allow port 5494 to "pass-through" as-is (through your firewall rules) but force port 443 (HTTPS) connections to the management web server to ride on TLS 1.2+. You can then keep a single server or split your services later on with greater ease.

Here is my configuration to get you started.

RC
Raymond Chan Diamond Contributor
6 years ago

If you want to achieve what you said:

    "So, as a way around this, I need to separate out the deployment server and management server into 2 servers so I can have the web console on it's own instance with TLS 1.0/1.1 disabled, and then the deployment server for the device communication will have them enabled.  I can then whitelist the firewall for TCP/5494 for only the source device IPs which we will always know to make our security team happy for that and also https will not have TLS 1.0 enabled."

then, the simple approach is probably to keep the deployment server on the same server instance that has your current public IP/FQDN communicating to all enrolled devices, and then install in another Windows server instance a new MobiControl management server, which you do not need any license and can in principle install as many insance(s) as you want.   Then run MCadmin to reconfigure your implementation to point to the new IP/FQDN of your new Management server.  Finally, start your web-console to connect to the new management server instance.

The above is a brief description of the general approach I would take, based on your limited description of your case, to minimize impact to enrolled devices.  Of course, there is always a risk that you can mess up things if you miss some steps or do them in the wrong order.  Please note that taking snapshots and simply falling back if something goes wrong may NOT always be able to restore full control of your enrolled devices.  The worst case will be recall of enrolled devices for re-enrollment, and possibly need factory reset if your enrolled device are DEP/supervised iOS devices or Android-Enterprise devices in device-owner mode.  So, evaluate your risks, especially for mission critical implementations with large number of enrolled devices, and you might need to find Soti professional service team or someone with the right expertise and experience to do it for you.

Similar Discussions