There appears to be a lack of public information regarding the inner secrets of successfully navigating and configuring the proxy and work exceptions on the Windows Mobile platform. My fellow Enterprise Mobile colleague, Patrick Salmon, has broken through and made some very interesting observations and facts about how to get it all configured correctly. This article contains all of the material and information Patrick has researched.
Most of this boils down to how the Windows Mobile Connection Manager is handling the connections and the decisions it makes to route the traffic. The Connection Manager is well aware of the native L2TP and PPTP connection methods in Windows Mobile, but appears to lack direct support for the Windows Mobile 6.1 Mobile VPN that is used by SCMDM 2008. See more information here: http://msdn.microsoft.com/en-us/library/ms879581.aspx.
This article assumes you are already well familiar with the SCMDM network routing requirements and how to configure Group Policies.
Proxy Issues Today
1. If you set the proxy via the SCMDM 2008 Group Policy you may observe that the necessary connectivity to the SCMDM Device Management server and WSUS services break.
2. Trying to use the Work/Internet capabilities as currently documented breaks the SCMDM VPN.
Although http://technet.microsoft.com/en-us/library/dd261930.aspx does explain some of the necessary steps. Also on http://technet.microsoft.com/en-us/library/dd261921.aspx it also states to make sure that the SCMDM Gateway server is listed.
3. No visibility on the client of what is configured.
The Windows Mobile Connection Manager internally uses something called a URL Mapping Table to decide if a specific URL is destined for the Internet or the corporate network connection. It can use a URL pattern which we will go into in more detail below. Please see http://msdn.microsoft.com/en-us/library/aa455992.aspx.
The solution is to correctly configure the Internet proxy setting and also specify the routing of which URLs go to the “Internet” and through the configured proxy, and which are internal or go through “Work” back through the VPN connection.
Overall best practices
Keeping things as simply as possible will go a long way. The basics are:
1. “Internet” bound traffic = Route via proxy if defined, otherwise use Default Gateway on SCMDM Gateway Server.
2. “Work” bound traffic = Route traffic directly to internal network using local routing tables on SCMDM Gateway Server.
3. If the FQDN of the Proxy is part of an internal domain do not put the FQDN in the Proxy configuration!
This will not work, as it will be detected as an Internet domain, due to the dotted name and you won’t see it working as you think. The solution is to use the direct IP address. Example: instead of “proxy_host.company.com:8080″ use “172.16.1.1:8080″.
Where to configure the specific Internet/Work routing is done through a “hidden” existing Group Policy setting:
The dialog window has two areas. One for the Internet domains (which will be routed to a proxy if configured so) and at the bottom for Work domains (not routed to the proxy if configured). This is what the default values are:
Next we will go into how to configure these entries in more detail.
Connection Manager URL Mapping Pattern
The Windows Mobile Connection Manager uses a general *://*.*/* URL type format. This can be further broken down into these examples:
- “*” & “?” can be used anywhere.:
- “*” = Zero or more of any type of characters.
- “?” = Can take the place for any single character.
- *:// = Any protocol (usually http or https).
- /*.*/ = Any FQDN namespace
- /*/ = Any NetBIOS/WINS name
- *://servername/* = specific NetBIOS server name
- *://*.company.com/* = Any host in a FQDN domain called company.com.
- *://host1.company.com/* = Only host1, any protocol, any website on target.
- *://host?.company.com/* = All traffic to host[a-z, 0-9], any website.
- https://host1.company.com/home = Only https requests to host1′s “home’ directory.
Some things to think about when defining you own URL Mapping table:
- Obey classic firewall rules – most granular is processed first
- Define your targets and know your internal name space
- Put in sequence (most specific first, least specific last)
- Decide whether traffic goes via the “internet” or “work” network routing from your SCMDM Gateway Server
Example and Outcome
Please note the above setting details:
- *://www.company.com/* – Externally hosted Internet site
- *://mdmvpn.company.com/* – Route SCMDM Gateway Server access through Internet
- *://*.company.com/* – Internal work namespace
- *://*.*/* – Catch all for all other Internet requests
- *://*/* – Catch all for all other internal NetBIOS/WINS requests – However, not found to work in testing, and removed so Internet requests are not caught by it!
Outcome with the above setting details:
- SCMDM VPN will connect correctly through the Carrier/MO/ISP on the device
- SCMDM Device Management and WSUS traffic will require no further invention.
- Internal Line-Of-Business application traffic will go direct.
- Internet bound traffic will go to the corporate proxy (if defined in separate Group Policy).
Internal namespace sans WINS
Since most companies are well on their way to totally get rid of WINS and have put in place DNS suffix search order standards. Another solution is to push a default DNS suffix to your Windows Mobile. Brian Puhl from Microsoft IT blogged about this last year here:
So this could ensure proper name resolution to a FQDN for internal names used on the Windows Mobile device. In the example above this could be routed to the “work” side of things by the *://*.company.com/* URL Mapping.
For more information on creating custom ADM templates for use in SCMDM 2008 please see: http://enterprisemobile.com/2008/10/writing-custom-gpos-for-scmdm-2008/.
SCMDM 2008 SP1 Source-based Routing
Another feature that can be used to better assist with the complex nature of network routing, proxies and Internet access is the source-based routing feature present in SCMDM 2008 SP1. Some details can be found here: http://technet.microsoft.com/en-us/library/dd252779.aspx
The source-based routing option on the Gateway Wizard:
One example of how this could work is instead of having the default gateway on the External NIC of the Gateway Server, you place one on the Internal NIC. You can then configure the source-based routing option to an IP address of an external firewall that is accessible from the Internal NIC. Now Internet IPSec traffic will come in and terminate on the external NIC, but return back to the device through the Internal NIC and the IP address of the source-based routing, back to the Internet. Now any traffic from the Windows Mobile devices not configured to the proxy will default out to the Internal NIC gateway. This could be useful for applications that are not proxy aware, or if you won’t want to use any proxy but direct all traffic to the internal side and to be taken care of there for either internal or external Internet routing..
Another idea that could perhaps assist in some architectures is the use of split-DNS. In the Gateway Wizard you can specify the DNS server the Windows Mobile clients will use to resolve hostnames. Many simply use the existing DNS server present internally and make sure connectivity on TCP port 53 is open to it. Another idea could be to use a separate DNS server that contains hostname zone entries that could be similar but resolve to different IP addresses to better resolve network routing or DMZ issues at hand. DNS forwarding could still be used to forward remaining requests to the primary internal DNS servers.
Another Enterprise Mobile colleague, Dave Field, also points out:
“Please note that if you have a proxy setup on the device and you partner the device to a desktop that has “automatic” setup for the Connection setting, it will auto-configure the device proxy and overwrite whatever you have. It will configure it for port 80 automatically too.”.
At this of this writing I’m not sure if the Group Policies will automatically refresh the settings again down to the device. A work around may be to disable the tethering functionality all together if this is a big concern.
The final best advice is to have patience in troubleshooting and testing the proxy and network routing. It can be complex and quite difficult to get setup correctly in a large organization. Logic flow, re-verifying settings, and looking at logs could be your best friends.
Please leave a comment or contact me directly if you have additional findings or feedback on how these settings work and act for you!
Reference links – for additional information:
Default URL Mapping values in Connection Manager:
How Connection Manager works:
How the Mapping Index works and what are some of the high-end catch all values:
Using Connection Manager URL Mapping:
SCMDM Forum thread discussion on these settings:
Updated on May 12, 2009 with some corrections.