Proxy Configurations


What is the Proxy?

The Proxy is a program that accepts secure connections from mobile devices and then routes these connections to a listening Connection Manager Server (CMS).  This is a routing process: the proxy is not aware of the payload of the connection and cannot read any of its contents.  The features provided by the proxy include:

 

System hardening through a single point of access.  This improves system availability.
Simplified firewall configuration. The proxy minimizes or eliminates the need to open ports through your firewalls, which helps to maintain organizational security.
Load balancing and failover.  Proxies can be configured to collaborate to provide load balancing and resilience.

Proxy Configurations

mSuite will usually use a Proxy component.  The 3 proxy configurations are:

1. Internet Proxy (CommonTime Switching Center or CSC)
2. DMZ Proxy
3. Local Proxy

You need to decide which of these best meets your infrastructure requirements.

 

       Internet Proxy - CommonTime Switching Center (CSC)

In this configuration, you do not install a proxy component.  Instead the software is configured to use the CommonTime Switching Center as an Internet Proxy.

CommonTime Switching Center (CSC)

This is a remote Internet Proxy shared by many of our customers.  It is implemented in a highly resilient multi-machine, multi-data-center configuration that is fully redundant.  Data centers are currently located in the US and the UK, and the system will continue to operate even if a whole data center and half of the equipment in the other center fail.

The CSC operates as a switch, routing connecting mobile devices to the appropriate back-end systems.  For mSuite clients, the encrypted tunnel from the device to its server is maintained through the switch.  There is no data decryption and no ‘store and forward’.  mSuite clients have a completely secure conversation with their respective servers in an AES 256-bit encrypted VPN tunnel.  For Exchange ActiveSync (EAS) clients, the connections from the device to the CSC and from the mSuite server to the CSC will normally use SSL to secure the connection.

Firewall Requirements

Easiest Implementation - this implementation does not require any inbound ports through the outer firewall.  The only requirement is that the mSuite server can make an outbound connection to the CSC.

Load Balancing and Failover

Easiest Load Balancing and Failover – if you implement your mSuite installation using a resilient SQL configuration database, you can take advantage of the Load Balancing and Failover capabilities of the CSC to provide a fully redundant solution to your users.

Just implement a second mSuite server that shares the SQL configuration database and uses the same license key.

The CSC will automatically distribute incoming client connections between the servers based on workload.  It will also redirect traffic should one of the servers become unavailable.  The implementation can be scaled and made even more resilient by just adding more mSuite servers that share the database and the license key.

 

Internet Proxy - Illustration

 

       DMZ Proxy

This is used where you want to traverse a standard DMZ while maintaining the VPN tunnel through the DMZ to the mSuite server located in the secure zone.

In this configuration a CommonTime proxy is installed on a Windows 2003/2008 server class machine located in the DMZ.  Its purpose is to accept incoming connections from mobile device clients and connect them to the mSuite server.

Firewall Requirements

The DMZ proxy requires at least 1 TCP port (the port number is configurable) to accept inbound connections from mobile devices through the outer firewall.  It can be configured to listen for devices on multiple ports if necessary - contact CommonTime Technical Support for more information.

 

Benefits

All equipment in the solution is hosted on the customer’s premises.

 

Load balancing and Failover

This requires multiple Proxy/mSuite server installations.

This also requires either Round Robin DNS support for connecting to the proxies or hardware or software load balancing in front of the proxies.

 

DMZ proxy - Illustration

 

       Local Proxy - Behind a NAT firewall

This is typically used in smaller installations where there is a single firewall that provides NAT.

Firewall Requirements

The Local Proxy configuration requires 1 TCP port (the port number is configurable but defaults to 1700) to accept inbound connections.  This port needs to be published by the firewall.
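The firewall requirements of the three configurations can be turned into a check on the outer firewall's inbound rules. The following is an added example, not CommonTime code: the rule format, the host addresses and the function names are assumptions made for illustration, and only the default port 1700 comes from this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out", relative to the outer firewall
    proto: str      # "tcp" or "udp"
    dst_host: str
    dst_port: int

def allowed_inbound(mode, proxy_host=None, ports=()):
    """Inbound exposure each configuration needs, per the page."""
    if mode == "internet":
        # CSC: no inbound ports; the server only dials out to the CSC.
        return set()
    if mode == "dmz":
        # At least one configurable TCP port to the proxy in the DMZ.
        if not ports:
            raise ValueError("DMZ proxy needs at least one listening port")
        return {("tcp", proxy_host, p) for p in ports}
    if mode == "local":
        # Exactly one published TCP port, 1700 unless reconfigured.
        ports = tuple(ports) or (1700,)
        if len(ports) != 1:
            raise ValueError("Local proxy multiplexes onto a single port")
        return {("tcp", proxy_host, ports[0])}
    raise ValueError(f"unknown configuration: {mode}")

def audit(rules, mode, proxy_host=None, ports=()):
    """Report inbound openings beyond the requirement, and required ones absent."""
    expected = allowed_inbound(mode, proxy_host, ports)
    seen = {(r.proto, r.dst_host, r.dst_port)
            for r in rules if r.direction == "in"}
    return {"unexpected": sorted(seen - expected),
            "missing": sorted(expected - seen)}

# Constructed sample rule set (documentation-range addresses, not real hosts).
SAMPLE_RULES = [
    Rule("in", "tcp", "192.0.2.10", 1700),    # published proxy port
    Rule("in", "tcp", "192.0.2.10", 3389),    # extra opening, not required
    Rule("out", "tcp", "198.51.100.5", 443),  # outbound rules are ignored
]

if __name__ == "__main__":
    for mode, host in (("internet", None), ("local", "192.0.2.10")):
        print(mode, audit(SAMPLE_RULES, mode, host))
```

The outbound connection to the CSC that the Internet Proxy configuration requires is not checked, because this page does not give the CSC address or port.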

Benefits

By using a Local Proxy, the Provisioning Portal, Exchange Adapter and CMS traffic are multiplexed onto a single port.  This simplifies the firewall requirements.

Load Balancing and Failover

This requires multiple proxy/mSuite server installations.

This also requires either Round Robin DNS support for connecting to the proxies or hardware or software load balancing in front of the proxies.

 

Local Proxy - Illustration

 

Complex configurations

mSuite is very configurable and can be implemented in multi-layer DMZ or distributed architectures.  These advanced configurations are beyond the scope of this document.

 

Please contact our Pre-Sales or Professional Services teams via the support team (support@commontime.com) to discuss your requirements and plan an installation configuration that meets them.

 

