Secure Deployment

The following diagram shows the configuration necessary for a secure deployment. We make the following assumptions:

The Challenge Response Service and Host Identification Service listen on the same port.

Security on the File Transfer Service, Socket Service and MDS push communication is either globally enabled or disabled.

The same certificate is used to secure the Socket Service and the File Transfer Service.

MLM

Figure 18: Secure Deployment for Android

MLM

Figure 19: Secure Deployment for iPhone

The management center is used to configure the socket service port, the port of the file transfer web service, and the shared port of the Challenge Response Service and Host Location Service.

By default, the management center configures the socket service host name as the FQDN of the server. This value is customizable in the management center if the organization has its network infrastructure setup, so that clients can make connections to a different address.

If security is enabled, the certificate used to secure the file transfer service and socket service must also be configured. The subject must be the host name of the broker service, and it must be issued by an authority trusted by the device.

  • The relative paths of each HTTP service are hardcoded constants.

  • The Host Location Service returns the details of the socket service and Challenge Response Service to the device.

File download links are sent in-band with the chat history as direct download links to the file transfer service. Hence, the client must only be configured with the load-balanced URL of the Host Identification Service.

HTTP Proxy

Given that the client connects to the proxy and not directly to the hostname, port or even potentially the relative path of the actual broker service when using an HTTP proxy, the actual URLs to connect to must be made configurable.

Since the client connects to the URL in its own IT policy or local configuration for the Host Location Service, only the URLs of the Challenge Response Service and the File Transfer Service must be configured on the server via the management center/app config.

MLM

Figure 20: HTTP Proxy Configuration for iPhone

  • The Challenge Response Proxy URL and File Transfer Proxy URL are configured on the server via the management center/app config.

  • The proxy URL of the Challenge Response Service is sent to the client in the response from the Host Location Service.

  • The File Transfer Proxy URL is used to form file download links sent to the client in messages.

Note: the security protocol on the proxied URLs is not necessarily linked to whether security is enabled on the server, as the HTTP proxy may be configured to perform HTTPS communication and/or offloading between itself and the client, or itself and the Mobile Broker.

The client is configured with the proxied URL of the load balanced Host Location Service.