Integration of Headwind MDM into a corporate network
Ports and servers
This diagram describes the components of Headwind MDM and the ports used for network communication. The deployment can be done on a single virtual machine, but it can also be scaled out across up to 4 virtual machines.
The integration diagrams are drawn below.
External service (Internet-based) deployment
The most common way to deploy Headwind MDM is to set up an external server (outside of the corporate network) and assign a subdomain of your company’s domain to it.
All entities (administrators, external mobile devices using SIM cards, and internal mobile devices using the corporate WiFi) communicate with the Headwind MDM server over the Internet by connecting to the MDM server's domain name.
Although this deployment is very easy to set up (the instructions are here), it may not comply with the corporate IT security rules.
Service deployed on a corporate resource
MDM service can be deployed on a host belonging to a corporate network. A corporate server usually has an internal IP address. Access to this server from the Internet is provided by a corporate firewall.
The company's IT admin is responsible for setting up traffic forwarding on the firewall for all required ports.
Note that the MDM server must be reachable locally: Headwind MDM opens an HTTPS connection to itself to download the mobile agent and calculate its checksum. Internal users, such as mobile devices on the corporate WiFi, must also be able to communicate with the MDM server. The IT admin is therefore responsible for proper DNS configuration (at least locally, for example via /etc/hosts).
Here is the manual on how to set up port forwarding when Headwind MDM is behind a firewall.
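The two local requirements above (the server resolves its own domain name and can open an HTTPS connection to itself) are easy to verify before enrolling devices. The script below is an added example and not part of the Headwind MDM documentation; the MDM_DOMAIN variable, the hosts-file path and the port 443 default are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the Headwind MDM documentation: pre-flight checks
# for an MDM server placed behind a corporate firewall. The server must resolve
# its own public domain name locally and be able to open an HTTPS connection to
# itself. MDM_DOMAIN and the hosts-file path are assumptions for this example.

# hosts_maps_name FILE NAME
# Prints the address that FILE (in /etc/hosts format) assigns to NAME and
# returns 0; returns 1 if NAME is absent. Comments and blank lines are skipped,
# and aliases listed after the canonical name on the same line also count.
hosts_maps_name() {
    awk -v n="$2" '
        { sub(/#.*/, "") }                  # drop comments, including trailing ones
        NF < 2 { next }                     # blank line or an address without a name
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; found = 1; exit } }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# check_self_https DOMAIN [PORT]
# Connects from this host to https://DOMAIN:PORT/ the way the MDM server does
# when it downloads the mobile agent to compute its checksum. Prints the HTTP
# status on success; fails on DNS errors, refused or filtered connections, or a
# certificate that the local trust store does not accept.
check_self_https() {
    curl --silent --show-error --output /dev/null --max-time 10 \
        --write-out '%{http_code}' "https://$1:${2:-443}/"
}

# run_preflight DOMAIN: runs both checks and reports the result in plain text.
run_preflight() {
    domain="$1"
    if addr=$(hosts_maps_name /etc/hosts "$domain"); then
        echo "ok: /etc/hosts maps $domain to $addr"
    else
        echo "note: $domain is not in /etc/hosts; resolution relies on DNS"
    fi
    if code=$(check_self_https "$domain"); then
        echo "ok: HTTPS to $domain answered (status $code)"
    else
        echo "FAIL: cannot reach https://$domain/ from this host (DNS, firewall hairpin or certificate)"
        return 1
    fi
}

# Usage: MDM_DOMAIN=mdm.example.com sh preflight.sh
if [ -n "${MDM_DOMAIN:-}" ]; then
    run_preflight "$MDM_DOMAIN"
fi
```

Run it on the MDM host itself: a failure of the HTTPS step while the same URL works from a workstation usually means the firewall does not hairpin traffic back inside, which is exactly the case the local DNS entry is meant to cover.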
Service deployed on the LAN / closed network
Since Headwind MDM doesn't require any cloud services, it can be installed in a local or private network.
If Headwind MDM is installed on the LAN, the mobile devices must use either VPN or a private APN to become a part of the corporate network.
When installing Headwind MDM in a private network, the IT admin must take care of the following issues:
- Use a real domain (one that exists on the Internet), because you must issue an SSL certificate for it;
- LetsEncrypt cannot renew certificates in a private network, so you need to purchase a commercial SSL certificate (the longer its validity, the better);
- Device enrollment in a local network may fail. We recommend using a separate WAN with Internet access for device enrollment.
Read more about the Headwind MDM installation in a local network here.
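Because the certificate in a private network is not renewed automatically, its expiry has to be tracked by hand. The script below is an added example, not part of the Headwind MDM documentation; it assumes openssl and GNU date are available and that the certificate path is passed by the caller.

```shell
#!/bin/sh
# Added example, not from the Headwind MDM documentation: report how many days
# the commercial certificate of a private-network MDM server remains valid,
# since LetsEncrypt renewal is not available there. Assumes openssl and GNU
# date; the certificate path and the warning threshold are caller-supplied.

# cert_not_after FILE -> prints the certificate's notAfter date string
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# days_until DATE -> whole days from now until DATE (negative if already past)
days_until() {
    [ -n "$1" ] || return 1                 # GNU date treats "" as today, so refuse it
    end=$(date -u -d "$1" +%s) || return 1
    now=$(date -u +%s)
    echo $(( (end - now) / 86400 ))
}

# check_cert FILE [WARN_DAYS]
# Returns 0 if more than WARN_DAYS (default 60) remain, 1 if the certificate is
# within the warning window or expired, 2 if the file cannot be parsed.
check_cert() {
    file="$1"; warn="${2:-60}"
    end=$(cert_not_after "$file")
    [ -n "$end" ] || return 2
    left=$(days_until "$end") || return 2
    if [ "$left" -le "$warn" ]; then
        echo "WARN: $file expires in $left days ($end); order a replacement now"
        return 1
    fi
    echo "ok: $file is valid for another $left days ($end)"
}

# Usage: sh certcheck.sh /etc/ssl/mdm/fullchain.pem 90
if [ -n "${1:-}" ]; then
    check_cert "$1" "${2:-60}"
fi
```

A cron job calling check_cert with a threshold that matches the purchasing lead time for a new certificate turns the "the longer its validity, the better" advice into a concrete reminder.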
Remote control module
The remote control module (Headwind Remote) is powered by a different web server (nginx) and uses ports different from the Headwind MDM ports. The list of ports used by Headwind Remote is here. The IT admin must take care of opening these ports.
It is recommended to deploy Headwind Remote on a different host.
Even if the Headwind Remote web interface has a different domain name, the remote control module is seamlessly integrated into the web panel, so the admin does not need to deal with that domain name.
Headwind Remote can also be configured to run on the same host where Headwind MDM is installed. This option is available in the Premium version only.
When running Headwind Remote behind a firewall, take care of opening the UDP ports (Headwind Remote uses UDP to make remote control faster and more responsive). The default UDP port range is 10000 – 10500.
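The port forwarding the IT admin has to configure for the MDM server and the UDP range for Headwind Remote can be expressed as one nftables ruleset. The generator below is an added example, not part of the Headwind MDM or Headwind Remote documentation: the WAN interface, the internal addresses and the MDM TCP port list are placeholders supplied by the caller (the real MDM ports are in the project's own port list), and only the UDP range default 10000-10500 comes from the text above.

```shell
#!/bin/sh
# Added example, not part of the Headwind MDM or Headwind Remote documentation:
# generate an nftables ruleset for a corporate firewall that forwards the
# Headwind Remote UDP range (default 10000-10500) and the MDM TCP ports to the
# internal hosts. WAN interface, internal addresses and the MDM TCP port list
# are placeholders supplied by the caller; take the real MDM ports from the
# project's port list.

# valid_port_range START END -> 0 if both are ports in 1..65535 and START <= END
valid_port_range() {
    for p in "$1" "$2"; do
        case "$p" in ""|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -ge 1 ] && [ "$2" -le 65535 ] && [ "$1" -le "$2" ]
}

# nft_ruleset WAN_IF MDM_IP MDM_TCP_PORTS REMOTE_IP [UDP_START] [UDP_END]
# Prints a ruleset: DNAT on prerouting for the published ports, and a forward
# chain that admits only the forwarded traffic plus established flows.
# Shown as self-contained tables for clarity; on a real firewall merge the
# rules into the existing forward chain instead of adding a second drop policy.
nft_ruleset() {
    wan="$1"; mdm_ip="$2"; mdm_tcp="$3"; remote_ip="$4"
    udp_start="${5:-10000}"; udp_end="${6:-10500}"
    if ! valid_port_range "$udp_start" "$udp_end"; then
        echo "invalid UDP port range: $udp_start-$udp_end" >&2
        return 1
    fi
    cat <<EOF
table ip mdm_nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        iif "$wan" tcp dport { $mdm_tcp } dnat to $mdm_ip
        iif "$wan" udp dport $udp_start-$udp_end dnat to $remote_ip
    }
}
table ip mdm_filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ip daddr $mdm_ip tcp dport { $mdm_tcp } ct state new accept
        ip daddr $remote_ip udp dport $udp_start-$udp_end ct state new accept
    }
}
EOF
}

# Usage (all values are placeholders):
#   nft_ruleset eth0 10.0.0.5 "443" 10.0.0.6 | nft -c -f -     # syntax check only
#   nft_ruleset eth0 10.0.0.5 "443" 10.0.0.6 | nft -f -        # load the ruleset
```

Keeping the UDP range as parameters with the documented defaults means a narrowed range configured on the Headwind Remote side can be mirrored on the firewall without touching the rule text, and the range validation catches a swapped start and end before nft is ever invoked.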