7.33. IDERI note Gateway deployment options

Figure 7.106 shows a simplified diagram of a classic IDERI note environment within an Active Directory® much like as in a multitude of production environments: The fictitious Active Directory® domain ideri.local is comprised of the windows server computer dc01.ideri.local, acting as a domain controller, the windows server computer inotesrv.ideri.local, where the IDERI note server is installed that delivers messages to IDERI note client installations on domain workstations (client01.ideri.local, client02.ideri.local, ...). The secure network perimeter of the domain network is separated from the internet by a firewall. Based on this infrastructure, the following text in this paragraph will present different IDERI note Gateway deployment options of different complexity and with different properties.

A classic IDERI note environment without any mobile devices

Figure 7.106: A classic IDERI note environment without any mobile devices

7.33.1. Accessing the IDERI note Gateway from the corporate network/WLAN exclusively

The simplest extension to the classic IDERI note environment from figure 7.106 is comprised of the IDERI note Gateway being installed on an Active Directory® member server as illustrated in figure 7.107 . Mobile devices typically only have a Wifi interface installed to connect to a corporate LAN. Using this Wifi interface, mobile devices can connect to the IDERI note Gateway and receive messages.

This deployment method is the simplest one and also the most secure variant, but its drawback is its limitation of network accessibility to the corporate Wifi access points. However, for many use cases this can be fully sufficient.

A variant of this deployment method uses a VPN client installed in addition on the mobile devices, connecting the mobile device to the corporate LAN. Using this variant allows to extend the applicability to mobile devices connected to the internet only, using the VPN tunnel over either the device’s Wifi connection or its mobile data connection.

Deployment variant 1: Mobile devices only connect over the corporate WLAN or a VPN

Figure 7.107: Deployment variant 1: Mobile devices only connect over the corporate WLAN or a VPN

7.33.2. Accessing the IDERI note Gateway from the internet

Figure 7.108 shows the second deployment variant with mobile clients additionally connecting over the internet to the IDERI note Gateway. Using this variant, the IDERI note Gateway is accessible from clients connected to the internet, but not simply by forwarding a port from a corporate firewall router to a network interface of the computer running the IDERI note Gateway. For a domain joined server exposing services to the internet, the following security measures should be taken, according to Microsoft best practices:

  • The server should be located in a DMZ.
  • The server should have no write connection to the domain controller, it should only ever connect to an RODC (Read Only Domain Controller).
Deployment variant 2: Mobile devices connect over the internet, the |INOTEGW| is located in a DMZ with an RODC

Figure 7.108: Deployment variant 2: Mobile devices connect over the internet, the IDERI note Gateway is located in a DMZ with an RODC