Integration of Headwind MDM into a corporate network

Ports and servers

This diagram describes the components of Headwind MDM and the ports used for network communication. The deployment can be done on a single virtual machine; however, it can also be scaled out across up to 4 virtual machines.

The integration diagrams are drawn below.

Ports and VMs of Headwind MDM

External service (Internet-based) deployment

The most common way to deploy Headwind MDM is to set up an external server (outside of the corporate network) and assign a subdomain of your company’s domain to it.

Headwind MDM as an external service

All entities (administrators, external mobile devices using SIM cards, internal mobile devices using the corporate WiFi) communicate with the Headwind MDM server through the Internet by connecting to the MDM server's domain name.

Although this deployment is very easy to set up (the instructions are here), it may not comply with the corporate IT security rules.

Service deployed on a corporate resource

The MDM service can be deployed on a host belonging to the corporate network. Such a server usually has an internal IP address; access to it from the Internet is provided by a corporate firewall.

Headwind MDM in the corporate network

The company's IT admin is responsible for setting up traffic forwarding on the firewall for all required ports.

Note that the MDM server must be available locally, i.e. reachable by its own domain name from the server itself (Headwind MDM opens an HTTPS connection to itself to download the mobile agent and calculate its checksum). Internal users, such as mobile devices on the corporate WiFi, must also be able to communicate with the MDM server. Therefore, the IT admin is responsible for proper DNS configuration (at least locally, using /etc/hosts).

Here is the manual on how to set up port forwarding when Headwind MDM is behind a firewall.

Service deployed on the LAN / closed network

Since Headwind MDM does not require any cloud services, it can be installed in a local or private network.

Headwind MDM in LAN

If Headwind MDM is installed on the LAN, the mobile devices must use either a VPN or a private APN to become part of the corporate network.

When installing Headwind MDM in a private network, the IT admin must take care of the following issues:

  • Use a real domain (one registered on the Internet), because you must issue an SSL certificate for it;
  • Let's Encrypt cannot renew certificates in a private network, so you need to purchase a commercial SSL certificate (the longer its validity, the better);
  • Device enrollment in a local network may fail. We recommend using a separate WAN with Internet access for device enrollment.

Read more about the Headwind MDM installation in a local network here.
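The two requirements above that most often break a private-network or behind-firewall install are the server's ability to reach itself by its own domain name and the validity of a manually purchased certificate. The following pre-flight checker is an added example, not part of the Headwind MDM project; it parses an /etc/hosts-style file for the MDM domain, computes the days left on a certificate from the notAfter string that Python's ssl module returns, and (optionally) probes the server's own HTTPS port, which is assumed to be 443. The domain and address values are constructed.

```python
"""Pre-flight checks for a Headwind MDM host in a private network or behind a firewall."""
import socket
import ssl
import time


def parse_hosts(hosts_text):
    """Return {hostname: ip} from /etc/hosts-style text; comments and blank lines are ignored."""
    mapping = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)  # first entry wins, as the resolver does
    return mapping


def check_local_resolution(hosts_text, mdm_domain, expected_ip):
    """Headwind MDM opens an HTTPS connection to its own domain name, so that name
    must resolve locally to the address the server actually listens on."""
    ip = parse_hosts(hosts_text).get(mdm_domain.lower())
    if ip is None:
        return False, f"{mdm_domain} is not in /etc/hosts; add '{expected_ip} {mdm_domain}'"
    if ip != expected_ip:
        return False, f"{mdm_domain} resolves to {ip}, expected {expected_ip}"
    return True, f"{mdm_domain} -> {ip}"


def cert_days_left(not_after, now=None):
    """Days until expiry. not_after is the notAfter string as returned by
    SSLSocket.getpeercert(), e.g. 'Jan  1 00:00:00 2027 GMT'. Negative means expired."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expiry - now) // 86400)


def live_cert_days_left(mdm_domain, port=443):
    """Live probe from the MDM host itself: connect to its own HTTPS port and read notAfter.
    Fails with a certificate error if the chain is not trusted, which is also worth knowing."""
    ctx = ssl.create_default_context()
    with socket.create_connection((mdm_domain, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=mdm_domain) as tls:
            return cert_days_left(tls.getpeercert()["notAfter"])


if __name__ == "__main__":
    # Constructed sample: the MDM host's own /etc/hosts and a commercial certificate's notAfter.
    hosts = "127.0.0.1 localhost\n10.0.0.5 mdm.example.com  # constructed entry\n"
    print(check_local_resolution(hosts, "mdm.example.com", "10.0.0.5"))
    print(cert_days_left("Jan  1 00:00:00 2027 GMT"), "days left on the certificate")
```

Run it on the MDM host itself with the real domain; a warning threshold of a few weeks on cert_days_left is a sensible reminder to renew a commercial certificate that Let's Encrypt cannot renew for you.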

Remote control module

The remote control module (Headwind Remote) is powered by a different web server (nginx) and uses ports different from the Headwind MDM ports. The list of ports used by Headwind Remote is here. The IT admin must take care of opening these ports.

It is recommended to deploy Headwind Remote on a different host.

Headwind Remote, standalone

Even if the Headwind Remote web interface has a different domain name, the remote control module is seamlessly integrated into the web panel, so the admin does not need to deal with that domain name.

Headwind Remote can also be configured to run on the same host where Headwind MDM is installed. This option is available in the Premium version only.

Headwind Remote, embedded

When running Headwind Remote behind a firewall, take care of opening the UDP ports (Headwind Remote uses UDP to make remote control faster and more responsive). The default UDP port range is 10000 – 10500.