Cloud Link Configuration Guide March 2014
Copyright 2014 SOTI Inc. All rights reserved. This documentation and the software described in this document are furnished under and are subject to the terms of a license agreement or non-disclosure agreement. Except as expressly set forth in a license agreement, you agree that you shall not reproduce, store or transmit in any form or by any means, electronic, mechanical, or otherwise, all or any part of this document or the software described in this document. The specification and information regarding the products in this document are subject to change without notice and contain information confidential and proprietary to SOTI. All statements, information, and recommendations in the following documentation are believed to be accurate but are presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. In no event shall SOTI Inc. or its affiliates be liable for any indirect, special, consequential, or incidental damages, including without limitation lost profits or loss or damage to data arising out of the use or inability to use this documentation as recommended, even if SOTI Inc. or its affiliates have been advised of the possibility of such damage. SOTI Inc. and the SOTI Inc. logo and products are trademarks or registered trademarks of SOTI Inc. and/or its affiliates in Canada and other countries.
Table of Contents

Introduction
Getting Started
  System & Communication Preparation
  Understanding Certificate Validation
System Requirements
  MobiControl Cloud
  MobiControl Cloud Link Agent Host
Supported Deployment Topologies
  Standard Cloud Link Deployment
    Network Requirements
  Cloud Link Communication through a Reverse Proxy
    Network Requirements
  Load Balancing Cloud Link Communication
    Network Requirements
Configuring Cloud Link
  Downloading the Cloud Link Agent
  Running the Cloud Link Agent Installer
  Configuring MobiControl Cloud
  Configuring Cloud Link Agent
  Configuring Services to use a Cloud Link Agent
  Limiting Cloud Link Agent Communications
Troubleshooting
  Testing Cloud Link Communication
  Cloud Link Logging
    MobiControl Cloud Logs
    Cloud Link Agent Logs
    Log Descriptions & Remediation
Glossary
Introduction

MobiControl Cloud offers a flexible, scalable, and highly available Enterprise Mobility Management (EMM) solution ideal for customers looking to reduce their investment in IT infrastructure and maintenance. This Software as a Service (SaaS) provides the same feature set available to an on-premise deployment of MobiControl, which often leverages other on-premise enterprise services such as directory services and certificate authorities.

In most environments, enterprise services are protected behind a corporate firewall and are not exposed to the Internet, where MobiControl Cloud connections originate. Without the ability to communicate with these services, MobiControl Cloud cannot provide features such as directory-authenticated device enrollment and automated certificate distribution. To overcome this, MobiControl offers Cloud Link Agent, a light on-premise component which securely extends enterprise services to MobiControl Cloud. Cloud Link Agent accepts MobiControl Cloud requests, forwards them to the respective enterprise service, and relays the response back to the Cloud in real time.

This MobiControl Cloud Link document is a technology overview and configuration guide. It also provides insight on several advanced deployment options, including communication through a reverse proxy such as a Microsoft Threat Management Gateway (TMG), and load balancing Cloud Link communication. This document does not cover the initial setup of MobiControl and assumes that you have basic knowledge of, and administrative access to, all involved systems and firewalls.

March 2014 Page 1
Getting Started

Before configuring Cloud Link, refer to the following System & Communication Preparation and Understanding Certificate Validation sections to help you prepare your environment by making several key decisions based on your organization's IT best practices and architecture.

System & Communication Preparation

Cloud Link's inbound HTTPS connection to your corporate network, which MobiControl Cloud initiates, can terminate directly at the Cloud Link Agent or, in more advanced scenarios, pass through a reverse proxy or load balancer positioned at the edge of your network.

- Decide whether Cloud Link will communicate directly, through a reverse proxy, or through a load balancer.
- Learn more about Cloud Link's Supported Deployment Topologies and the network requirements for each topology.
- Prepare an on-premise server to host the Cloud Link Agent that meets the minimum System Requirements.
- Assign a publicly accessible IP address that routes to the Cloud Link Agent (or to the reverse proxy or load balancer in front of it).
- Assign a fully qualified domain name (FQDN) to that IP address.

Understanding Certificate Validation

Cloud Link communication is protected by mutually authenticated HTTPS sessions, so each side proves its identity with a certificate. MobiControl Cloud presents a Client Certificate to authenticate to the Cloud Link Agent; this certificate can be validated by the Cloud Link Agent itself or by a reverse proxy in front of it. The Cloud Link Agent presents a Server Certificate, which MobiControl Cloud validates against the FQDN it connects to. Given the flexible deployment options for Cloud Link, a Server Certificate for the Cloud Link Agent is not provided and must be purchased or issued by your corporate infrastructure.

- Purchase or issue a Server Certificate for the Cloud Link Agent with a Common Name matching the FQDN MobiControl Cloud will communicate with. If a reverse proxy or load balancer fronts the agent, that is the FQDN of the reverse proxy or load balancer, not of the agent host.
- Decide whether to issue your own Client Certificate or use the one provided by MobiControl Cloud.
- Ensure you have the Root certificates on hand for any Certificate Authority you use to issue certificates. The Root that issued the Server Certificate is uploaded to the MobiControl console; the Root that issued the Client Certificate is what the Cloud Link Agent uses to trust MobiControl Cloud's requests.
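The following pre-flight check is an added example and is not part of SOTI's guide or product. It runs on the prospective Cloud Link Agent host and answers the Server Certificate questions above before the Administration Utility is opened: is there a certificate in the machine store whose Common Name or Subject Alternative Name covers the FQDN MobiControl Cloud will use, does it carry a private key, and which Root does it chain to (the Root you will later upload in the Web Console). The FQDN is an assumed placeholder; the SAN parsing relies on the English rendering of the extension text produced by Windows.

```powershell
# Added example (not part of the SOTI guide). Run in an elevated PowerShell session on the
# Cloud Link Agent host before importing the certificate in the Administration Utility.
# $Fqdn is an assumed placeholder: use the FQDN you assigned in Getting Started, which is the
# reverse proxy or load balancer FQDN if one of those sits in front of the agent.
$Fqdn = 'cla.example.com'

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Every DNS name the certificate asserts: the Subject CN plus all DNS entries of the
    # Subject Alternative Name extension (OID 2.5.29.17).
    $names = @()
    $cn = $Cert.GetNameInfo('SimpleName', $false)
    if ($cn) { $names += $cn }
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -ne '2.5.29.17') { continue }
        # Format($false) renders the SAN as "DNS Name=a.example.com, DNS Name=b.example.com"
        foreach ($entry in ($ext.Format($false) -split ',\s*')) {
            if ($entry -match '^DNS Name=(.+)$') { $names += $Matches[1] }
        }
    }
    $names | Select-Object -Unique
}

function Test-NameMatch {
    param([string]$CertName, [string]$Hostname)
    # Exact (case-insensitive) match, or a single-label wildcard such as *.example.com.
    if ($CertName -eq $Hostname) { return $true }
    if ($CertName.StartsWith('*.')) {
        $dot = $Hostname.IndexOf('.')
        return ($dot -gt 0) -and ($Hostname.Substring($dot) -eq $CertName.Substring(1))
    }
    return $false
}

$found = @()
foreach ($cert in (Get-ChildItem Cert:\LocalMachine\My)) {
    foreach ($name in (Get-CertDnsNames $cert)) {
        if (Test-NameMatch $name $Fqdn) { $found += $cert; break }
    }
}
if ($found.Count -eq 0) {
    Write-Warning "No certificate in Cert:\LocalMachine\My names $Fqdn. MobiControl Cloud would reject the TLS handshake (SecurityNegotiationException)."
    return
}

foreach ($cert in $found) {
    Write-Host ("Candidate: {0}  (thumbprint {1})" -f $cert.Subject, $cert.Thumbprint)
    if (-not $cert.HasPrivateKey) {
        Write-Warning '  No private key present: the agent cannot use this certificate.'
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning ("  Expires {0}" -f $cert.NotAfter)
    }
    # Build the chain as a remote client would; revocation is skipped so the check runs offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if ($chain.Build($cert)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Host ("  Chains to root: {0}" -f $root.Subject)
        Write-Host '  If this root is a private CA, upload it as the Root Certificate when creating the Cloud Link Agent in the Web Console.'
    } else {
        foreach ($status in $chain.ChainStatus) {
            Write-Warning ("  Chain problem: {0}" -f $status.StatusInformation.Trim())
        }
    }
}
```

The script deliberately checks names the way a TLS client does (CN or SAN, single-label wildcard) rather than by searching the Subject string, so a certificate issued to the agent's internal hostname is correctly reported as not matching the public FQDN.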
System Requirements

MobiControl Cloud

MobiControl version 11.0.0 or later is required.

MobiControl Cloud Link Agent Host

The MobiControl Cloud Link Agent can be hosted on Windows Vista, 7, 8, Server 2003, or Server 2008, except where the Cloud Link Agent is extending ADCS via DCOM, which requires Windows Server 2003 or 2008.
Supported Deployment Topologies

MobiControl Cloud forms a mutually authenticated and encrypted connection to the Cloud Link Agent in order to make requests to enterprise services behind the corporate firewall. Because this connection is inbound to your network on a single HTTPS endpoint, it can be placed behind the same edge devices you already use for published web services, which gives you multiple deployment options to achieve scalability, high availability, and security. This section describes the different deployment topologies for extending enterprise resources to MobiControl while using Cloud Link.

Standard Cloud Link Deployment

In a standard Cloud Link deployment, MobiControl Cloud and the Cloud Link Agent communicate directly to extend the enterprise resources required by MobiControl Cloud. The following diagram illustrates the standard deployment topology, in which the Cloud Link Agent is positioned within the DMZ of your network.

Figure 1 - Standard Cloud Link Deployment
Network Requirements

The Standard Cloud Link Deployment Communication Matrix lists the communication requirements between MobiControl Cloud and the Cloud Link Agent, and between the Cloud Link Agent and the enterprise services made available to MobiControl Cloud. In the original table, bold text marked mandatory communication; that formatting is not preserved here. The HTTPS connection from MobiControl Cloud to the Cloud Link Agent host is required in every deployment; the remaining rows apply only to the enterprise services you extend (LDAPS for directory services, HTTPS or DCOM for ADCS).

Table 1 - Standard Cloud Link Deployment Communication Matrix

  Protocol  Source             Port  Destination  Port
  HTTPS     MobiControl Cloud  443   CLA Host     443
  LDAPS     CLA Host           636   AD           636
  HTTPS     CLA Host           443   ADCS         443
  DCOM      CLA Host           135   ADCS         135

NOTE: The Port columns in Tables 1 to 3 name the service port on both sides; the connecting side actually uses an ephemeral source port, so firewall rules should be keyed on the destination port. TCP 135 is only the RPC endpoint mapper: after contacting it, DCOM continues on a dynamically assigned port on the ADCS host (49152-65535 by default on Windows Server 2008, 1025-5000 on Windows Server 2003), so a firewall between the CLA host and ADCS must allow that range as well, or the ADCS host's DCOM port range must be fixed.

Cloud Link Communication through a Reverse Proxy

An alternative deployment for enhanced security is to leverage a reverse proxy that authenticates MobiControl Cloud requests destined for the Cloud Link Agent. In this topology, MobiControl Cloud is configured to communicate with the reverse proxy as if it were the Cloud Link Agent. The reverse proxy validates the Client Certificate presented by MobiControl Cloud in the request and then publishes the request, along with an authentication token, to the Cloud Link Agent. The Cloud Link Agent verifies the authentication token and then returns the requested information to MobiControl Cloud. With this topology the Client Certificate is validated at the network edge, and the Cloud Link Agent is configured to trust the Windows Identity the proxy passes (see Configuring Cloud Link Agent) rather than a certificate thumbprint.

IMPORTANT: The reverse proxy must support passing a Windows Identity to the Cloud Link Agent. Generally, this is achieved through Kerberos Constrained Delegation (KCD), which requires that the reverse proxy and the Cloud Link Agent host be joined to the same Active Directory domain with the appropriate Service Principal Name (SPN) present.

The following diagram illustrates Cloud Link communication through a Reverse Proxy and outlines the authentication flow of this topology.
Figure 2 - Cloud Link Communication through a Reverse Proxy

Network Requirements

The Cloud Link Communication through Reverse Proxy Communication Matrix lists the communication requirements between MobiControl Cloud and the reverse proxy, between the reverse proxy and the Cloud Link Agent, and between the Cloud Link Agent and the enterprise services made available to MobiControl Cloud. In the original table, bold text marked required communication; that formatting is not preserved here. The two HTTPS rows are required in every reverse proxy deployment; the remaining rows apply only to the enterprise services you extend.

Table 2 - Cloud Link Communication through Reverse Proxy Communication Matrix

  Protocol  Source             Port  Destination    Port
  HTTPS     MobiControl Cloud  443   Reverse Proxy  443
  HTTPS     Reverse Proxy      443   CLA Host       443
  LDAPS     CLA Host           636   AD             636
  HTTPS     CLA Host           443   ADCS           443
  DCOM      CLA Host           135   ADCS           135

Load Balancing Cloud Link Communication

To improve high availability and/or scalability, you can load balance Cloud Link communication using a common network appliance. While a combination of reverse proxy and load balancing is possible, the following example demonstrates a bare load balanced deployment. In this topology MobiControl Cloud makes requests to the load balancer, which distributes them across multiple Cloud Link Agents. The load balancer is transparent to MobiControl Cloud: it passes the TLS session through rather than terminating it, so mutual authentication is formed between MobiControl Cloud and each Cloud Link Agent directly.

NOTE: Cloud Link communication is stateless, so sticky sessions are not required. Because each Cloud Link Agent terminates the TLS session itself, each agent must hold a Server Certificate whose Common Name matches the load balancer's FQDN, and each must be configured to accept the same Cloud Link Authentication certificate thumbprint (see Configuring Cloud Link Agent).

The following diagram illustrates the Load Balanced Cloud Link Communication deployment option.

Figure 3 - Load Balanced Cloud Link Communication
Network Requirements

The Load Balanced Cloud Link Communication Matrix lists the communication requirements for load balanced MobiControl Cloud to Cloud Link Agent communication. In the original table, bold text marked required communication; that formatting is not preserved here. The two HTTPS rows are required; the remaining rows apply only to the enterprise services you extend, and every Cloud Link Agent behind the load balancer needs the same access to them.

Table 3 - Load Balanced Cloud Link Communication Matrix

  Protocol  Source             Port  Destination     Port
  HTTPS     MobiControl Cloud  443   Load Balancer   443
  HTTPS     Load Balancer      443   CLA Host 1 / 2  443
  LDAPS     CLA Host 1 / 2     636   AD              636
  HTTPS     CLA Host 1 / 2     443   ADCS            443
  DCOM      CLA Host 1 / 2     135   ADCS            135

Configuring Cloud Link

Once your environment has been prepared and you have selected a deployment topology, you can install and configure Cloud Link.

Downloading the Cloud Link Agent

To download the Cloud Link Agent, in the MobiControl Web Console:
1. Click the All Devices tab.
2. Click Servers.
3. Right-click Cloud Link Agents.
4. Select Download Cloud Link Agent Installer.
5. From the same menu, select Download MobiControl Root Certificate.
   NOTE: The Cloud Link Agent establishes trust with requests made by MobiControl Cloud using the MobiControl Root certificate. If you plan to provide your own client certificate, you may skip this step, because trust will be established with the Root that issued the certificate you provide.
6. Copy CloudLinkAgentInstaller.exe and, when needed, the MobiControl Root Certificate to the Cloud Link Agent host.

Running the Cloud Link Agent Installer

To run the Cloud Link Agent Installer, on the Cloud Link Agent host computer:
1. Launch CloudLinkAgentInstaller.exe with administrative rights.
2. Follow the installation prompts, providing the desired installation path, and click Next until complete.
3. Click Finish on the InstallShield Complete dialog box. The Cloud Link Agent Administration Utility will open.
4. Continue to Configuring MobiControl Cloud before configuring the Cloud Link Agent.
Configuring MobiControl Cloud

From the MobiControl Web Console:
1. Click the All Devices tab.
2. Click Servers.
3. Right-click Cloud Link Agents.
4. Select Create Cloud Link Agent.
5. Use the following table as a guide to completing the Cloud Link Agent Properties window.

  Field                      Value / Description

  Cloud Link Agent Name      Enter an internal identifier for this Cloud Link Agent. It is used as a reference in the MobiControl console when configuring a service to use Cloud Link.

  Cloud Link Agent Address   Enter the HTTPS URL used by MobiControl Cloud to access the Cloud Link Agent. The URL must contain the fully qualified domain name followed by /cla, for example: https://fully.qualified.domain/cla. If a reverse proxy or load balancer sits in front of your Cloud Link Agent, use the FQDN of that host.

  Root Certificate           Upload the Root certificate that issued the Server Certificate you purchased or issued for the Cloud Link Agent. If your certificate was issued by a commercial certificate authority, it is unlikely that you are required to provide a Root.

  Cloud Link Authentication  Choose Internal MobiControl Certificate, or select Custom Certificate and upload a certificate issued from your own certificate authority. Record the Thumbprint displayed for use when configuring the Cloud Link Agent.

Configuring Cloud Link Agent

To configure the Cloud Link Agent, launch the Cloud Link Administration Utility with administrative privileges:
1. Use the following table as a guide to configuring the Cloud Link Administration Utility according to your deployment topology:

  Field                        Value / Description

  Fully Qualified Domain Name  Enter the publicly accessible FQDN used by MobiControl Cloud to communicate with the Cloud Link Agent.

  Matching SSL Certificate     Import or select the SSL certificate that matches the FQDN provided above.

  Security                     For direct or load balanced communication, select Authenticate using Certificates, then select Accept certificates with this thumbprint only and enter the Cloud Link Authentication certificate thumbprint provided when creating the Cloud Link Agent in the Web Console. Alternatively, if a reverse proxy is passing a Windows Identity instead of a Client Certificate, choose Windows Identity and restrict requests to the expected user.
                               IMPORTANT: Not restricting authentication to a certificate thumbprint or user is considerably less secure, because any certificate chaining to a trusted Root, or any Windows identity the proxy forwards, would then be accepted. The ability to do so is provided for troubleshooting purposes only.

2. Click Apply to restart the Cloud Link Agent service.

Configuring Services to use a Cloud Link Agent

Once you have configured the communication between MobiControl Cloud and the Cloud Link Agent, specify that your connection(s) to enterprise services communicate through the Cloud Link Agent instead of attempting a direct connection. To configure LDAP connections (the option is also available for Certificate Authorities) to communicate over Cloud Link, from the MobiControl Web Console:
1. Click the All Devices tab.
2. Click Servers.
3. In the Global Settings section, click the wrench icon beside LDAP Connections.
4. Create or edit an existing LDAP connection.
5. In the Cloud Link Agent dropdown, select the Cloud Link Agent you want the connection to use.
6. Click OK.

Limiting Cloud Link Agent Communications

In role-based administrative environments, the Cloud Link Agent provides greater security by optionally restricting which on-premise hosts MobiControl Cloud may reach through it. If MobiControl Cloud requests information from a server not on the list maintained by the Cloud Link Agent administrator, the request is rejected (the agent logs "Access to specified server was not enabled"; see Log Descriptions & Remediation). To limit the hosts the Cloud Link Agent can communicate with, on the Cloud Link Agent host computer:
1. Launch CloudLinkAdminUtility.exe with administrative privileges.
2. In the Security section, select the Accept requests for selected hosts only option.
3. In the text field, enter the FQDN of the host(s) you wish to allow the Cloud to communicate with.
4. Click Apply. The Cloud Link Agent service restarts.
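The two values entered in the Security section above, the pinned thumbprint and the allowed-host list, are easy to get subtly wrong: a thumbprint copied from a Windows certificate dialog carries spaces and usually an invisible left-to-right mark (U+200E) at the front, and an allowed host typed as a short name or a URL will not match the FQDN the request is for. The following script is an added example, not part of SOTI's guide or product, that normalizes the thumbprint, compares it against the certificate file when you chose Custom Certificate (with the Internal MobiControl Certificate you have no file, so compare the normalized value with the console by eye), and sanity-checks each allowed host. The pasted thumbprint, certificate path and host names are constructed sample values; the 40-digit check assumes the console shows the standard SHA-1 thumbprint as Windows does.

```powershell
# Added example (not part of the SOTI guide). Sanity-checks the values entered in the Security
# section of the Cloud Link Administration Utility before you click Apply. $PastedThumbprint,
# $ClientCertFile and $AllowedHosts are assumed sample values.

# Constructed input: a thumbprint as pasted from a Windows certificate dialog, with spaces and
# the invisible U+200E left-to-right mark that the dialog prepends when copying.
$PastedThumbprint = "$([char]0x200E)a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4"
$ClientCertFile   = 'C:\CloudLink\CustomClient.cer'   # assumed: the Custom Certificate you uploaded
$AllowedHosts     = @('dc01.corp.example.com', 'ca01.corp.example.com')

function ConvertTo-NormalizedThumbprint {
    param([string]$Text)
    # Keep hex digits only and upper-case them, which is how X509Certificate2.Thumbprint renders.
    $hex = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) {
        throw "Expected a 40-hex-digit SHA-1 thumbprint, got $($hex.Length) digits from '$Text'"
    }
    $hex
}

function Compare-ThumbprintToFile {
    param([string]$Expected, [string]$Path)
    # Windows thumbprints are SHA-1 over the DER encoding; X509Certificate2 computes the same value.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    if ($cert.Thumbprint -eq $Expected) {
        Write-Host ("Thumbprint matches {0} (issuer: {1})" -f $cert.Subject, $cert.Issuer)
    } else {
        Write-Warning ("Thumbprint mismatch: console value {0}, file has {1}. The agent would answer 'Access is denied'." -f $Expected, $cert.Thumbprint)
    }
}

function Test-AllowedHost {
    param([string]$Hostname)
    # Enter the same FQDN the LDAP or CA connection in the MobiControl console uses:
    # no scheme, no port, no short name.
    if ($Hostname -match '^[a-z]+://' -or $Hostname -match ':\d+$') {
        Write-Warning "$Hostname : enter a bare FQDN, not a URL or host:port"; return
    }
    if ($Hostname -notmatch '\.') {
        Write-Warning "$Hostname : short names are ambiguous; use the fully qualified name"; return
    }
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Hostname) | ForEach-Object { $_.ToString() }
        Write-Host ("{0} resolves to {1}" -f $Hostname, ($addrs -join ', '))
    } catch {
        Write-Warning "$Hostname does not resolve from this host; the agent will not be able to reach it either"
    }
}

$expected = ConvertTo-NormalizedThumbprint $PastedThumbprint
Write-Host "Normalized thumbprint: $expected"
if (Test-Path $ClientCertFile) {
    Compare-ThumbprintToFile $expected $ClientCertFile
} else {
    Write-Warning "Certificate file not found: $ClientCertFile (compare the normalized value against the console by hand)"
}
foreach ($h in $AllowedHosts) { Test-AllowedHost $h }
```

Normalizing to bare upper-case hex is also the form to paste into the Administration Utility: a stray leading U+200E is invisible in the dialog but makes the comparison fail, which surfaces later as the "Access is denied" entry in the agent log.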
Troubleshooting

Testing Cloud Link Communication

MobiControl provides quick validation after Cloud Link Agent configuration changes to ensure that authenticated communication is established between all components. To verify connectivity manually, from the Servers tab in the MobiControl Web Console:
1. Locate the Cloud Link Agent you created earlier. Note the visual indicator that represents the Cloud Link Agent's current status.
2. Right-click the Cloud Link Agent.
3. In the dropdown list, click Cloud Link Agent Properties.
4. Click Test in the Cloud Link Agent Properties window. A success or failure message appears.

NOTE: This test confirms only that MobiControl Cloud can authenticate to and communicate with the Cloud Link Agent. It does not confirm that the services the Cloud Link Agent extends to the Cloud are accessible and responsive; a passing test with a failing LDAP lookup points at the Cloud Link Agent to enterprise service leg of the communication matrix.
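Because the Test button covers only the MobiControl Cloud to Cloud Link Agent leg, the following script, an added example that is not part of SOTI's guide or product, checks the remaining rows of the communication matrices from the Cloud Link Agent host: TCP reachability of AD on 636 and ADCS on 443 and 135, a TLS handshake against the two TLS ports reporting the peer certificate and whether this host trusts it, and whether anything is listening locally on 443 for the inbound connection. The AD and ADCS host names are assumed sample values.

```powershell
# Added example (not part of the SOTI guide). Run on the Cloud Link Agent host. Checks the
# CLA Host -> AD (LDAPS 636) and CLA Host -> ADCS (HTTPS 443, DCOM endpoint mapper 135) rows
# of Tables 1 to 3, plus the local 443 listener. Host names are assumed sample values.
$Targets = @(
    @{ Name = 'AD (LDAPS)';   Host = 'dc01.corp.example.com'; Port = 636; Tls = $true  },
    @{ Name = 'ADCS (HTTPS)'; Host = 'ca01.corp.example.com'; Port = 443; Tls = $true  },
    @{ Name = 'ADCS (DCOM)';  Host = 'ca01.corp.example.com'; Port = 135; Tls = $false }
)

function Connect-TcpPort {
    param([string]$Hostname, [int]$Port, [int]$TimeoutMs = 3000)
    # Connect with a timeout; a silently dropped packet otherwise blocks for tens of seconds.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Hostname, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { $client.Close(); return $null }
        $client.EndConnect($async)
        return $client
    } catch {
        $client.Close()
        return $null
    }
}

function Get-TlsPeerSummary {
    param([System.Net.Sockets.TcpClient]$Client, [string]$Hostname)
    # Complete a TLS handshake accepting any certificate, then report the peer certificate,
    # whether this host's trust store accepts it, and whether its (first) DNS name matches.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $stream = $Client.GetStream()
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
    try {
        $ssl.AuthenticateAsClient($Hostname)
        $peer  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation not consulted
        $trusted = $chain.Build($peer)
        $nameOk  = ($peer.GetNameInfo('DnsName', $false) -eq $Hostname)
        "{0}/{1}; subject '{2}'; trusted by this host: {3}; name matches: {4}" -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $peer.Subject, $trusted, $nameOk
    } finally {
        $ssl.Close()
    }
}

foreach ($t in $Targets) {
    $client = Connect-TcpPort $t.Host $t.Port
    if (-not $client) {
        Write-Warning ("{0}: TCP {1}:{2} unreachable. Check the firewall rule for this row of the matrix and that the service is running." -f $t.Name, $t.Host, $t.Port)
        continue
    }
    try {
        if ($t.Tls) {
            Write-Host ("{0}: {1}" -f $t.Name, (Get-TlsPeerSummary $client $t.Host))
        } else {
            Write-Host ("{0}: TCP {1} open. This is only the RPC endpoint mapper; DCOM continues on a dynamic port that the firewall must also allow." -f $t.Name, $t.Port)
        }
    } finally {
        $client.Close()
    }
}

# Inbound side: something must accept MobiControl Cloud's HTTPS on 443 on this host.
$listening = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners() |
    Where-Object { $_.Port -eq 443 }
if ($listening) {
    Write-Host ("Local TCP 443 listener(s): {0}" -f (($listening | ForEach-Object { $_.ToString() }) -join ', '))
} else {
    Write-Warning 'Nothing is listening on TCP 443 on this host; MobiControl Cloud would report EndpointNotFoundException.'
}
```

A TCP connect that succeeds but a handshake that fails points at the service rather than the firewall; a handshake that succeeds with "trusted by this host: False" means the AD or ADCS certificate chains to a Root this host does not have, which is worth fixing before the agent's own requests hit the same path.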
Cloud Link Logging

MobiControl Cloud Logs

Cloud Link logs can be found in several different locations depending on the MobiControl component sending the request. Often the best way to diagnose a Cloud Link issue is to review the logs immediately after such a request has been attempted. For example, configure your LDAP connection to use Cloud Link and perform an LDAP lookup. To access server-side logs, in the MobiControl Web Console click the ? menu.

Cloud Link Agent Logs

Cloud Link Agent logs can be found in C:\ProgramData\SOTI\CloudLinkAgent.log on the Cloud Link Agent host computer.

Log Descriptions & Remediation

The following entries provide guidance for troubleshooting common misconfigurations of environments using Cloud Link.

Error / Log Entry:
  EndpointNotFoundException: There was no endpoint listening at https://fully.qualified.domain/cla/xxx that could accept the message.
Remediation:
  The Cloud Link Agent is not running, or the hostname is invalid. Verify that the Cloud Link Agent service is running. Verify that the hostname for the Cloud Link Agent in the MobiControl console is correct.

Error / Log Entry:
  SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'fully.qualified.domain'.
Remediation:
  Certificate trust could not be established between MobiControl Cloud and the Cloud Link Agent. Verify that you have uploaded the Root certificate that issued the Server Certificate for the Cloud Link Agent to the MobiControl console. Ensure that the Common Name of the certificate matches the host MobiControl Cloud is communicating with.

Error / Log Entry:
  System.ArgumentException: Access to specified server was not enabled
Remediation:
  The Cloud Link Agent is restricting the hosts MobiControl Cloud may communicate with. Add the FQDN of the intended host to the Security section of the Cloud Link Administration Utility.

Error / Log Entry:
  FaultException: Access is denied.
Remediation:
  The Cloud Link Agent has rejected a request because the certificate or Windows identity did not match what was expected. Verify the identity used during authentication, and that the Cloud Link Agent accepts requests from this identity.

Error / Log Entry:
  Cloud Link Agent responds to certificate authenticated requests with 403 Forbidden despite a valid client certificate being present in MobiControl Cloud.
Remediation:
  The issuer of the client certificate does not appear in the Trusted Issuers List presented by the Cloud Link Agent host. Refer to http://support.microsoft.com/kb/2464556 for more details. Either shorten the Trusted Issuers List by removing unneeded Root certificates, or disable sending the Trusted Issuers List entirely.
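The last entry above is a Schannel behaviour rather than a Cloud Link one: during the TLS handshake the Cloud Link Agent host advertises the subjects of its Trusted Root Certification Authorities store as the trusted issuers list, and when that list grows too large it is truncated (the KB article referenced above), so the issuer of MobiControl Cloud's client certificate can be missing from it. The following script is an added example, not part of SOTI's guide or product. It estimates the size of the list this host would send, reports the current state of the Schannel SendTrustedIssuerList registry value, checks whether the issuer of the client certificate (or the MobiControl Root Certificate itself, whose issuer is its own subject) is in the Root store, and provides a function that applies the second remediation. The certificate path is an assumed sample value; the exact size limit is left to the KB article.

```powershell
# Added example (not part of the SOTI guide). Diagnoses the "403 Forbidden despite a valid client
# certificate" case. SendTrustedIssuerList is Schannel's documented registry value under
# HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL; $ClientCertFile is an assumed path.
$SchannelKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ClientCertFile = 'C:\CloudLink\MobiControlRoot.cer'   # assumed: the Root that issued the client certificate

function Get-TrustedIssuerListSize {
    # Approximate on-the-wire size of the list: each issuer name is its DER-encoded subject plus
    # a 2-byte length prefix in the TLS CertificateRequest message.
    $roots = @(Get-ChildItem Cert:\LocalMachine\Root)
    $bytes = 0
    foreach ($r in $roots) { $bytes += $r.SubjectName.RawData.Length + 2 }
    New-Object PSObject -Property @{ Count = $roots.Count; ApproxBytes = $bytes }
}

function Test-IssuerInRootStore {
    param([string]$Path)
    # Is the issuer of the given certificate present in the store the list is built from?
    # For a self-signed root, Issuer equals Subject, so this asks whether the root itself is installed.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $match = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $cert.Issuer })
    New-Object PSObject -Property @{ Issuer = $cert.Issuer; InRootStore = ($match.Count -gt 0) }
}

function Get-SendTrustedIssuerList {
    $prop = Get-ItemProperty -Path $SchannelKey -Name SendTrustedIssuerList -ErrorAction SilentlyContinue
    if ($prop) { $prop.SendTrustedIssuerList } else { 'not set (OS default)' }
}

function Disable-SendTrustedIssuerList {
    # 0 = do not advertise a trusted issuers list; the client then selects its certificate without
    # the hint. This is host-wide and affects every Schannel-based TLS service on the machine.
    New-ItemProperty -Path $SchannelKey -Name SendTrustedIssuerList -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host 'SendTrustedIssuerList=0 written. Restart the host so Schannel reads the new value.'
}

$size = Get-TrustedIssuerListSize
Write-Host ("Root store: {0} certificates, about {1} bytes of issuer names (compare with the limit in KB 2464556)." -f $size.Count, $size.ApproxBytes)
Write-Host ("SendTrustedIssuerList is currently: {0}" -f (Get-SendTrustedIssuerList))
if (Test-Path $ClientCertFile) {
    $r = Test-IssuerInRootStore $ClientCertFile
    if ($r.InRootStore) {
        Write-Host ("Issuer '{0}' is in the Root store; if 403s persist, the advertised list is probably truncated." -f $r.Issuer)
    } else {
        Write-Warning ("Issuer '{0}' is not in Cert:\LocalMachine\Root on this host." -f $r.Issuer)
    }
}
# To apply the second remediation from the table, run: Disable-SendTrustedIssuerList
```

Prefer the first remediation (removing Root certificates the host does not need) where practical, since turning the list off changes client-certificate negotiation for every TLS listener on the machine, not just the Cloud Link Agent.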
Glossary

The following terms and abbreviations are used throughout this document and are listed here as a reference:

AD                  Active Directory
ADCS                Active Directory Certificate Services
CA                  Certificate Authority
CLA                 Cloud Link Agent (service hosted on-premise)
Client Certificate  Credential used to prove the identity of the requesting party
DCOM                Distributed Component Object Model
DMZ                 De-Militarized Zone
DS                  Deployment Service (responsible for Agent-based communication)
DSE                 DS Extensions (responsible for Web-based device communication)
EMM                 Enterprise Mobility Management
FQDN                Fully Qualified Domain Name
HTTP(S)             Hypertext Transfer Protocol (Secure)
KCD                 Kerberos Constrained Delegation
LDAP(S)             Lightweight Directory Access Protocol (Secure)
MDM                 Mobile Device Management
MS                  Management Service (responsible for the MobiControl Web Console)
PKI                 Public Key Infrastructure
SCEP                Simple Certificate Enrollment Protocol
Server Certificate  Credential used to prove the identity of a server
SPN                 Service Principal Name
TMG                 Threat Management Gateway