Troubleshooting MDM Gateway Server Issues

2/9/2009

This section lists common issues encountered with Mobile Device Manager Gateway Server. The MDMsetup.log file does not record the installation of MDM Gateway Server or of other MSI-based installations, such as prerequisite applications. However, if you launch MDM Gateway Server installation from the MDM Setup menu, it creates a VpnGateway.log file in the Temp directory on the MDM Gateway Server. If you run the installer from the command line, create the log yourself with the /L or /L*v parameters.

MDM Gateway Server installation consists of the following steps:

  1. Configure the MDM Gateway Server certificates (manual process).
  2. Install MDM Gateway Server.
  3. Set the MDM Gateway Server URI. This is not required for MDM Gateway Server installation itself, but devices need it to connect to MDM Gateway Server after enrollment.
  4. Configure MDM Gateway Server in the Add New Gateway Wizard.

General MDM Gateway Server Troubleshooting

Look for errors, warnings, and informational events in MDM Gateway Server and MDM Device Management Server system event logs. All MDM gateway events are logged in the MDM Mobile VPN Connections event log and MDM Mobile VPN Policy Engine event log.

By using MDM Console, you can view the following MDM Gateway Server properties:

  • The name of the computer that is running MDM Gateway Server 
  • The state of the MDM Mobile VPN Policy Manager service (Running or Stopped)
  • The state of synchronization (Unreachable, Error, Initializing, or Up to date)
  • The list of devices blocked by MDM Gateway Server 

To isolate an issue with the MDM Gateway Server, you need to identify whether the issue is specific to the client (the managed device) or to MDM Gateway Server. Issues with MDM Gateway Server often manifest themselves as symptoms on the client. For example, an error message may occur when the device attempts to connect to the MDM Gateway Server.

Logging information from the device may be helpful because the logs may identify an issue with the VPN server.

The following sections contain steps to help you isolate issues.

Client-Side Connectivity

MDM manages network traffic from wireless wide area network (WWAN) and Wi-Fi connections only. It does not manage remote network driver interface specification (RNDIS) connections, or personal area network (PAN) connections, such as Bluetooth or Infrared Data Association (IrDA). Also, Desktop Pass-through is not supported.

Check the following items to troubleshoot issues with client-side connectivity to MDM Gateway Server:

  • Check that the date and time are set correctly. The device validates its certificate dates against its system clock, which can reset to a wrong value if you remove and then reinsert the device battery.
  • Some access point names (APNs) filter the VPN traffic: Internet Key Exchange (IKE, UDP ports 500 and 4500) and IPsec Encapsulating Security Payload (ESP, IP protocol 50, which is not a TCP or UDP port). If your device uses a filtered APN, the VPN fails.
  • Before you start to enroll a device, make sure that you configure the device to use one of the supported APNs.
  • Before you test the connection, delete all unnecessary General Packet Radio Service (GPRS) profiles.
  • Make sure that the external firewall is running and that its firewall service is started.

MDM Device Management Server Connectivity

In these steps, you will determine whether the connectivity issue is with the client VPN connection, or whether the VPN connection succeeds but no connection is established with the MDM Device Management Server.

If the 'V' icon appears on the device, the VPN is connected: the device has a VPN tunnel to the MDM Gateway Server, but something is wrong with the rest of the path to or from the MDM Device Management Server. If the VPN is not working, see Enrolled Device Cannot Connect that follows.

If VPN is working but the client cannot connect to the MDM Device Management Server, the client will not receive Group Policy settings, software or Wipe Now requests. The device remains with a pending enrollment status until the device can contact the MDM Device Management Server and become managed.

Troubleshooting MDM Device Management Server Connectivity

Verify that you can reach the URL for the MDM Device Management Server from the client and the MDM Device Management Server. To do this, perform the following steps:

  1. On the device, check whether \Deviceupdate.log exists and is being updated, to determine whether logging is enabled.

  2. Find the URL in the SCMDM2008DeviceManagement Active Directory service connection point (SCP) under "keywords" > "url=" on the administrative server.

  3. Enter the URL on the device or a test computer by using the format:
    https://DMServer.Mydomain.com:8443/MDM/TEE/handler.ashx

    Note

    If you enter this in Outlook Mobile on the device, a Choose a certificate warning appears.

If you cannot connect to the URL from the device, you can test the URL on the MDM Device Management Server to determine whether the issue is with connectivity or a problem with the MDM Device Management Server.

As an example, if the MDM Device Management Server can connect to the URL by using the localhost address, you know Internet Information Services (IIS) and the server-side MDM services are working. Therefore, the issue is with the network, firewall, or Domain Name System (DNS).

The following shows some reasons why the device might fail to contact the MDM Device Management Server and provides some possible solutions:

  • The device cannot resolve the fully qualified domain name (FQDN) of the MDM Device Management Server in the DNS.
    Make sure the DNS server has a correct A record for the MDM Device Management Server. Depending on the network topology, the DNS may be configured in different ways. If using the DNS server on the internal network, you must allow DNS traffic on the internal firewall so that the device can query the DNS server. If the DNS server is in the perimeter network, it must be configured to resolve the MDM Device Management Server FQDN to the internal IP address of the MDM Device Management Server.

  • The company firewall is blocking port 8443.
    For a list of ports required by MDM on the firewall, see the MDM Planning Guide.

  • The company proxy blocks TCP port 8443 to the MDM Device Management Server.
    This scenario only occurs if the device connected successfully and received a proxy policy. Tunneling must be allowed on this port so that the device can contact the MDM Device Management Server. For more information, including resolution steps, see Error 2147467259 When Synchronizing Policy in Troubleshooting MDM Group Policy Issues.

  • There is no persistent route between the MDM Gateway Server and the company network.
    There must be a persistent route from the MDM Gateway Server through the internal firewall to the company network, and from the internal firewall to the VPN client address pool subnet on the MDM Gateway Server.
    Depending on your topology requirements, you may be able to configure the routes on the MDM Gateway Server and internal firewall servers as follows:
    On the MDM Gateway Server, add the route to the company network through the internal firewall as follows:

    route -p add <corporate subnet> mask <subnet mask> <Firewall IP>
    

    On the internal firewall server, add a route to the MDM client network through the MDM Gateway Server as follows:

    route -p add <Client pool subnet> mask <subnet mask> <Gateway IP>
    

    This adds a route to the client network through the MDM Gateway Server.

    Note

    MDM Gateway Server prioritizes local persistent routes that are configured to specific destinations even if a redirection default gateway is configured. If there is no persistent route for the destination, the packet is forwarded to the redirection default gateway.

  • The internal DNS server cannot access the client VPN address pool on MDM Gateway Server.
    To forward resolved queries back to the devices, the DNS server must be able to access the client VPN address pool.

If the default gateway of the DNS server is not the address that routes to the client VPN address pool on MDM Gateway Server, you may need to configure a persistent (static) route on the DNS server. The following example shows the route for the case where the DNS server's default gateway is the internal IP address of the internal firewall:

route -p add <Client pool subnet> mask <subnet mask> <Firewall IP>

These scenarios vary, but the principles are the same:

  • Devices must have access to a DNS server to resolve the FQDN of the MDM Device Management Server.
  • There must be a route from the client VPN address pool on the MDM Gateway Server to the internal network.
  • There must be a route from the internal network to the client VPN address pool on the MDM Gateway Server.
  • The internal DNS server must have access to the client VPN address pool subnet for a response.
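The following script, added here as an example and not part of the MDM documentation, runs the checks the list above calls for from whichever server you run it on (MDM Gateway Server, the DNS server, or the internal firewall if it is a Windows server): name resolution of the MDM Device Management Server FQDN, a TCP connection to port 8443 (rather than ping, which internal firewalls often drop), and the presence of persistent routes for the client pool and corporate subnets, read from the Win32_IP4PersistedRouteTable WMI class, which is what route -p add writes to. It requires Windows PowerShell 2.0 or later. The server name and subnets are placeholders to replace.

```powershell
# Added example (not from the MDM documentation); requires PowerShell 2.0.
# The three values below are placeholders for illustration; replace them.
$DmServerFqdn     = "DMServer.Mydomain.com"   # MDM Device Management Server FQDN
$DmPort           = 8443                       # OMA DM port on the Device Management Web site
$ClientPoolSubnet = "10.50.0.0"                # VPN client address pool on MDM Gateway Server
$CorporateSubnet  = "10.0.0.0"                 # company network reached through the internal firewall

# Devices inside the tunnel must be able to resolve the Device Management Server name.
function Test-DnsResolution([string]$Fqdn) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Fqdn) |
                 ForEach-Object { $_.IPAddressToString }
        Write-Host ("DNS: {0} -> {1}" -f $Fqdn, [string]::Join(", ", [string[]]$addrs))
        return $true
    } catch {
        Write-Host ("DNS: cannot resolve {0}: {1}" -f $Fqdn, $_.Exception.Message)
        return $false
    }
}

# A TCP connect shows whether 8443 is open end to end; ICMP may be filtered.
function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            Write-Host ("TCP: {0}:{1} timed out after {2} ms (firewall or routing)" -f $HostName, $Port, $TimeoutMs)
            return $false
        }
        $client.EndConnect($ar)
        Write-Host ("TCP: {0}:{1} reachable" -f $HostName, $Port)
        return $true
    } catch {
        Write-Host ("TCP: {0}:{1} failed: {2}" -f $HostName, $Port, $_.Exception.Message)
        return $false
    } finally {
        $client.Close()
    }
}

# Persistent routes as stored in the registry, without parsing "route print" output.
function Get-PersistentRoute([string]$Destination) {
    Get-WmiObject -Class Win32_IP4PersistedRouteTable |
        Where-Object { $_.Destination -eq $Destination }
}

if (Test-DnsResolution $DmServerFqdn) {
    Test-TcpPort $DmServerFqdn $DmPort | Out-Null
}

foreach ($subnet in @($ClientPoolSubnet, $CorporateSubnet)) {
    $routes = @(Get-PersistentRoute $subnet)
    if ($routes.Count -eq 0) {
        Write-Host ("ROUTE: no persistent route for {0}; add one with 'route -p add' on this server" -f $subnet)
    }
    foreach ($r in $routes) {
        Write-Host ("ROUTE: {0} mask {1} via {2} metric {3}" -f $r.Destination, $r.Mask, $r.NextHop, $r.Metric1)
    }
}
```

Run it once on MDM Gateway Server (expect a route for the corporate subnet) and once on the DNS server or internal firewall (expect a route for the client pool subnet); a DNS failure on the gateway points at the DNS path, a TCP timeout with working DNS points at the firewall or at a missing route on one side.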

OMA DM Logging

You can use the MDM Connect Now Tool to enable Open Mobile Alliance Device Management (OMA DM) logging on the device. For more information about the Connect Now Tool, see the MDM Resource Kit Tools at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=127030.

The Connect Now Tool logs issues with contacting the MDM Device Management Server in \deviceupdate.log. The log uses Wininet error codes. The following list shows some of the common error codes.

  • Fail (-2147012889)
    This is the signed decimal form of HRESULT 0x80072EE7, ERROR_INTERNET_NAME_NOT_RESOLVED. It means that the device has no connection to the company network or the Internet, or cannot resolve the name of the MDM Device Management Server.

    Make sure routing and DNS are configured properly. Also make sure that TCP port 8443 and IP protocol 50 (IPsec ESP) are allowed in both directions on the external firewall and, if it is enabled, on the Windows Firewall on the MDM Gateway Server. Protocol 50 carries the IPsec tunnel, so all device traffic, including browsing of internal and external Web sites, depends on it.

  • Failed sending an HTTP request to the server (0x80072f7d).
    This is HRESULT 0x80072F7D, ERROR_INTERNET_SECURITY_CHANNEL_ERROR: the SSL/TLS handshake with the Device Management Web site failed. It is usually caused by a problem with the certificate on the Device Management Web site. The log typically shows a successful connection to the server followed by the failure, as in this example:

    2008-07-17 15:58:38 omadmclient.exe: Establishing connection to https://dm.mdm.com:8443/MDM/TEE/Handler.ashx
    2008-07-17 15:58:39 omadmclient.exe: [PID = 0x9e0b15d2] + Attempting to establish connection
    2008-07-17 15:58:39 omadmclient.exe: [PID = 0x9e0b15d2] - Establishing connection
    2008-07-17 15:58:39 omadmclient.exe: [PID = 0x9e0b15d2] + Transmitting package data
    2008-07-17 15:58:41 omadmclient.exe: Failed sending an HTTP request to the server (0x80072f7d).
    2008-07-17 15:58:41 omadmclient.exe: [PID = 0x9e0b15d2] - Transmitting package data FAILED (hr = 0x80072f7d)
    

    Check the Web certificate on the MDM Device Management Server and verify the following:

    • The subject name matches the MDM Device Management Server FQDN.
    • The URL matches the value in the SCMDM2008DeviceManagement SCP.
    • The certificate is valid.

    You can use the CertUtil Tool to verify that all certificates are correctly deployed. For more information, see https://go.microsoft.com/fwlink/?LinkId=136427.

    To replace the certificate with a new one, see Manual Certificate Procedures.
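As an added example (not from the MDM documentation), the following PowerShell 2.0 script reads \deviceupdate.log text and normalizes the error codes it finds. The Connect Now Tool writes the same Wininet HRESULT either as signed decimal, as in Fail (-2147012889), or as hex, as in 0x80072f7d; converting both to the 0x8007xxxx form exposes the Win32 error number in the low 16 bits (0x2EE7 = 12007, ERROR_INTERNET_NAME_NOT_RESOLVED; 0x2F7D = 12157, ERROR_INTERNET_SECURITY_CHANNEL_ERROR), which you can look up in wininet.h when the code is not in the table. The sample log lines are constructed for the example from the two codes described above; copy the real file from the device and pass its contents to Get-LogErrors.

```powershell
# Added example (not from the MDM documentation); requires PowerShell 2.0.
# Wininet errors the MDM client commonly logs, keyed by HRESULT in upper-case hex.
$KnownCodes = @{
    "80072EE7" = "ERROR_INTERNET_NAME_NOT_RESOLVED (12007): DNS or routing problem"
    "80072EFD" = "ERROR_INTERNET_CANNOT_CONNECT (12029): port 8443 filtered or IIS not listening"
    "80072F7D" = "ERROR_INTERNET_SECURITY_CHANNEL_ERROR (12157): TLS failure, usually the Device Management Web site certificate"
    "80072F8F" = "ERROR_INTERNET_SECURE_FAILURE (12175): certificate date, subject name, or chain not trusted"
}

# Accepts "-2147012889" or "0x80072f7d" and returns "80072EE7"-style hex.
function ConvertTo-HResultHex([string]$Token) {
    if ($Token -match '^0x([0-9A-Fa-f]{1,8})$') {
        return $matches[1].PadLeft(8, '0').ToUpper()
    }
    $value = [int64]$Token
    if ($value -lt 0) { $value += 0x100000000 }   # signed 32-bit to unsigned
    return ('{0:X8}' -f $value)
}

# Extracts every parenthesized code from the log text and explains it.
function Get-LogErrors([string]$LogText) {
    $results = @()
    foreach ($line in ($LogText -split "`n")) {
        if ($line -match '\((-?\d+|0x[0-9A-Fa-f]+)\)') {
            $hex  = ConvertTo-HResultHex $matches[1]
            $time = ""
            if ($line -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') { $time = $matches[1] }
            $desc = $KnownCodes[$hex]
            if (-not $desc) {
                # The low 16 bits of a FACILITY_WIN32 HRESULT are the Win32 error number.
                $desc = "not in table; Win32 error " + [int64]("0x" + $hex.Substring(4))
            }
            $results += New-Object PSObject -Property @{ Time = $time; HResult = "0x$hex"; Meaning = $desc }
        }
    }
    return $results
}

# Constructed sample; real entries come from \deviceupdate.log on the device.
$SampleLog = @"
2008-07-17 15:58:38 omadmclient.exe: Establishing connection to https://dm.mdm.com:8443/MDM/TEE/Handler.ashx
2008-07-17 15:58:41 omadmclient.exe: Failed sending an HTTP request to the server (0x80072f7d).
2008-07-17 16:10:02 omadmclient.exe: Fail (-2147012889)
"@

Get-LogErrors $SampleLog | Format-Table Time, HResult, Meaning -AutoSize
```

The decimal form appears because the tool prints the HRESULT as a signed 32-bit integer; adding 2^32 to a negative value recovers the unsigned bit pattern that the hex form shows directly.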

The Device Cannot Establish a VPN Connection to the Gateway

You can use the MDM VPN Diagnostics Tool to troubleshoot VPN connection issues. To download the tools, see MDM Client Tools at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=127030. For more information about how to use the tool, view the MDM VPN Diagnostics Tool Guide that is included when you download the tool.

To give yourself time to troubleshoot MDM, you can extend the expiration of enrollment requests to 10 days as follows (the value is a TimeSpan in days.hours:minutes:seconds):

Set-EnrollmentConfig -PasswordExpiresAfter 10.0:0:0

When you have finished, reset the expiration to eight hours (the default). Enrollment requests created after the change expire after eight hours:

Set-EnrollmentConfig -PasswordExpiresAfter 8:00:00

Tracing the MDM Gateway

If Windows PowerShell 1.0 technology and the MDM Administrator Tools (which includes MDM Shell) are installed on the MDM Gateway Server, you can run cmdlets on the MDM Gateway Server.

You can enable logging for specific components, which can be useful in getting verbose debug logging on one object while simultaneously getting less verbose logging on others.

Example:

Enable-MDMTrace -Global -Components Everything -Level Error
Enable-MDMTrace -Server DM.Vdomain.com -Components OMAProxyEngine -Level Debug

With these two commands, MDM Enrollment Server and MDM Device Management Server trace only errors for all components, while the OMA Proxy Engine on the server DM.Vdomain.com is traced at the debug level.

The following table shows the objects that can be traced.

Object: Description

ADConfig: Setup tool to create MDM Active Directory objects.

AdgpCommon: Common methods used by Group Policy settings.

AdgpReportService: Reporting Web service used to generate Resultant Set of Policy (RSoP) reports from completed task results and to configure the Group Policy engine.

AdgpServiceDriver: Group Policy engine.

AdminDataAccess: Data access layer for AdminServicesDatabase.

AdminWebHost: Host IIS class used by Web services. AdminWebHost provides configuration and authorization methods.

AdminWebService: Web service for enumerating devices and servers.

AlerterCore: Library used by the Wipe service to submit sync now requests to Mobile Device Manager Gateway Central Management for transport to AlerterGateway.

AlerterGateway: Service that submits sync now messages to connected devices. Used for Wipe Now scenarios.

CertificateManager: Creation and management of certificates and certificate templates.

Cmdlets: PowerShell cmdlets. Useful for finding the full exception text when a cmdlet fails.

CommonDataAccess: Data access layer used by the VPN Admin Service and enrollment.

Data: Data types used by cmdlets and Web services.

DeviceRegistry: Data access for device and user information.

Diagnostics: Diagnostics DLL containing events, performance counters, tracing, and Watson.

EnrollmentAdminWebService: Administrative Web services that process administrative tasks and enrollment requests.

EnrollmentServer: Windows NT service that handles all communication with Active Directory Domain Services and the PKI infrastructure.

EnrollmentServerAdminCommon: All enrollment activities, including Enrollment Admin Service failures, such as failing to create, query, or delete an enrollment request, or failing to enroll a device.

EnrollmentServerCommon: Device enrollment failures.

EnrollmentServerManagingService: Service that manages enrollment and other requests made by cmdlets.

EnrollmentWebService: Web service hosted by Internet Information Services (IIS). It manages incoming requests from mobile devices to enroll in the managed infrastructure.

GcmService: Service for MDM Gateway Server that sends gateway configuration information, including the list of blocked devices.

InventoryWebService: Web service interface for enabling and configuring inventory and history.

IPSecVPN: Gateway VPN driver.

IPSecVPNPM: Gateway VPN driver.

OmaProxyAPI: OMA DM Proxy API and data access layer.

OMAProxyConfiguration: Web service for configuring the OMA Proxy engine.

OMAProxyEngine: OMA DM Proxy Engine.

PinResetDriver: NT service for the PIN reset driver.

PinResetWebService: Administrative Web service for the PIN reset driver.

ProxyHost: Methods for validating the device identity for the Proxy engine.

RefreshKerberosCache: Tool for refreshing the Kerberos cache.

Remoting: Classes for instantiating remote interfaces.

RSoPReportCCW: RSoP reporting user interface.

SecurityManager: Authorization checking.

ServiceDriverHost: The host process for NT services.

SoftwareDistribution: All software distribution classes.

Syncml: SyncML parsing and generation.

SystemManager: System Manager user interface.

TestStressSetupLib: Test library.

TestSyncmlClientLib: Test library.

TimeoutDetectionService: Service that helps devices detect network address translation (NAT) timeout values. It also caches previously calculated values to speed future responses.

TimeoutDetectionServiceCache: Persistence layer for the TimeoutDetectionService.

TraceLog: Logging classes for the Active Directory Configuration Tool (ADConfig).

TracingTest: Unit test used for tracing and events.

Utility: Common tools used to convert exceptions, search for Active Directory objects, calculate expiration, and other common functions used by many components.

VPNAdminService: Administrative Web service for MDM Gateway Server and VPN.

VPNAgent: Service that receives configuration messages from the VPNAdminService through the MDM GCM and applies them to the VPN.

VPNCommon: Common utility routines, such as verification of IP addresses, the IP subnet, and so forth.

VPNManagementAPI: The management API on the MDM Gateway Server.

WipeCommon: Common portions of the wipe driver.

WipeServiceDriver: The NT service portion of the Wipe service. WipeServiceDriver handles blocking and unenrollment of completed wipes.

WipeWebService: The Web service portion of the Wipe service. WipeWebService handles creating, removing, and enumerating wipe requests.

Everything: All of the components listed above.

For more information about logging, see Enable-MDMTrace.

MDM Client Tools

MDM Resource Kit Tools includes the MDM Client Tools to help troubleshoot issues on Windows Mobile devices.

MDM VPN Diagnostics Tool is a utility that helps troubleshoot and determine potential VPN connection issues with managed Windows Mobile devices. Use this tool for testing only. For more information about how to use the tool, view the MDM VPN Diagnostics Tool Guide that is included when you download the tool.

MDM VPN Diagnostics Tool provides Status, Diagnosis, and Configuration screens and lets you save and send VPN status reports. It lets you view the MDM VPN Diagnostics Tool log file (Ipsecvpnpm.txt) in the Program Files directory.

MDM Connect Now Tool, which is also included in the MDM Client Tools, synchronizes a device with MDM Device Management Server through MDM Gateway Server. By default, synchronization sessions are initially five to 15 minutes apart, and thereafter, eight hours apart. You can modify this setting to suit your requirements and environment. Running MDM Connect Now Tool forces an immediate synchronization.

To download the tools, see MDM Client Tools at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=127030.

Enable Mobile VPN Logging on a Device

To enable and disable Mobile VPN logging on your Windows Mobile device, run MDM VPN Diagnostics Tool and follow these steps:

  1. On the Start page, select Menu.
  2. Select Logging.
  3. Select Enable or Disable.

MDM VPN Diagnostics Tool includes a Log Browser for viewing the VPN Service log file located at \Application Data\Logs\ipsecvpnpm.txt.

Using the Windows Mobile Network Analyzer PowerToy with MDM

To capture the network traffic (NetMon) log for analysis, run the start analyzer script in the Program directory. Run the stop analyzer script to stop the network logging. The log is stored in the NetworkLogs directory, or the Storage Card\NetworkLogs directory if using a storage card. For more information, view the readme file that accompanies the Windows Mobile Network Analyzer PowerToy.

To troubleshoot VPN issues on a Windows Mobile device:

  1. Install the Windows Mobile Network Analyzer PowerToy from this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=115657.
  2. Install MDM VPN Diagnostics Tool from this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=127030.
  3. Start MDM VPN Diagnostics Tool, select Menu, and then disable VPN.
  4. Make sure that you can browse the Internet using Internet Explorer Mobile, and that the data connection is working.
  5. Start the Windows Mobile Network Analyzer PowerToy to capture network traffic on the device.
  6. Enable VPN using MDM VPN Diagnostics Tool.
  7. When the VPN connection fails, stop capturing network traffic, and save the trace file.
  8. View the VPNDiag report and the ipsecvpnpm.txt file from the device. For more instructions, see the guide that is downloaded with MDM VPN Diagnostics Tool.

Invalid Certificates Installed on Enrolled Device

MDM installs a device certificate when a device enrolls with MDM. This certificate is not visible in the Certificates Control Panel on the device, but you can see it with the MDM VPN Diagnostics Tool in diagnosis mode: select Certificates, and then select Validate certificate chain.

You can also query all of the certificates installed on the device using the CertificateStore configuration service provider. For information about this configuration service provider, please visit https://go.microsoft.com/fwlink/?LinkId=115659. For an example on how to query the Certificate Store configuration service provider, please visit https://go.microsoft.com/fwlink/?LinkId=115660.

Certification Authority does not meet MDM Requirements

The server on which you install Certificate Services must meet the requirements listed in System Requirements for MDM Servers and Managed Devices.

MDM does not support installing the certification authority on Windows Server 2008; doing so may cause VPN connection issues with devices.

MDM Gateway Server Certificates

The intranet-facing Domain Name System (DNS) name for MDM Gateway Server must exactly match the subject name of the certificate used by MDM Gateway Server. Make sure there is a private key associated with the certificate. Also make sure that the certificate chains appropriately. The intermediate and root certification authority certificates must be installed appropriately.

Replacing the MDM Gateway Server Certificate

If the MDM Gateway Server certificate is suspect (for example, it is corrupted, has expired, or has been replaced manually), create a new certificate and import it as follows.

To replace the MDM Gateway Server certificate

  1. Create a new certificate request and certificate as described in the MDM Deployment Guide topic Step 5a: Creating the MDM Gateway Certificate Request and Certificate. This step will also import the newly created certificate into the Personal Certificate Store on the MDM Gateway Server.

  2. On the MDM Gateway Server, open Control Panel, choose Add or Remove Programs, and then choose Microsoft System Center Mobile Device Manager-Gateway Server.

  3. Choose the Change option to open the installation wizard.

  4. Proceed through the installation wizard until you reach the Gateway Server Certificates page.

  5. On the Gateway Server Certificates page, choose Browse next to Gateway authentication certificate, and locate your new MDM Gateway Server certificate. This certificate is found in the local Personal Certificate Store.

  6. Complete the installation wizard.

Validating the Gateway Server IP Address

During MDM Gateway Server installation, MDM does not validate whether the specified IP address and port combination corresponds to a valid socket on the computer. Installation might succeed even though the Web sites are not configured correctly; verify the IP address bindings of the Gateway Management Web site in IIS after installation.

Gateway Installation Rolls Back with Certificate Error

This issue occurs if MDM Gateway Server Setup cannot find a certification authority certificate. It can also occur for the following reasons:

  • Setup was given an intermediate certification authority certificate, but the root certification authority certificate is not stored on the server. The root certificate must also be present.
  • More than one certification authority is used. MDM supports only one root certification authority: all certificates issued must chain to the same root. The root certification authority does not have to be a Microsoft certification authority, but the issuing certification authority must be.

To resolve this issue, follow these steps:

  • Make sure all certificates issued for MDM components chain to the same root certification authority.
  • Put the appropriate certification authority certificates in the correct certificate stores on MDM Gateway Server. This includes the certification authority certificate in the Trusted Root Certification Authorities store, and the intermediate certification authority certificates in the Intermediate Certification Authorities store. For more information, see Manual Certificate Procedures in the MDM Deployment Guide.

Setting the Gateway Server URI

The Set-EnrollmentConfig cmdlet enters the DNS name that maps to the IP Address for MDM Gateway Server into the database. If you use DNS load balancing for multiple computers that are running MDM Gateway Server, you should map all external IP addresses for all computers that are running MDM Gateway Server to the DNS name. Mobile devices enrolled with the incorrect MDM Gateway Server URI will try to contact that URI, but MDM cannot manage the device until you correct the URI or re-enroll the device.

To set the enrollment configuration for the MDM Gateway Server URI, run the following cmdlet in MDM Shell:

Set-EnrollmentConfig -GatewayURI [External Gateway DNS

Gateway Sync Status Shows Error or None

This synchronization status error indicates that either MDM Device Management Server is unable to contact MDM Gateway Server, or that MDM Gateway Server received the configuration settings but cannot process them. To resolve this issue, follow these steps:

  • Check the MDM event log on MDM Device Management Server, and the MDM Mobile VPN Policy Engine and MDM Mobile VPN Connections event logs on MDM Gateway Server.
  • If the event log on MDM Gateway Server contains no data, MDM Device Management Server could not access MDM Gateway Server. Check the MDM event log on MDM Device Management Server for errors.
  • If the event log on MDM Gateway Server contains data that is time-stamped to match the MDM Gateway Server configuration, MDM Device Management Server can access MDM Gateway Server, and the MDM Gateway Server properties have configuration problems. Check the MDM Mobile VPN Policy Engine event log on MDM Gateway Server for errors. Common errors include an invalid device IP address pool, or an FQDN or IP address for the MDM Gateway Server interface that is incorrect or cannot be resolved.

If MDM Device Management Server cannot reach the VPN internal interface, try the following:

  • Check the firewall log for traffic from MDM Device Management Server to MDM Gateway Server.
  • From MDM Device Management Server, ping the MDM Gateway Server IP address and FQDN.
  • From MDM Device Management Server, test the URL for MDM Gateway Server: https://<VPNServerName>.<domain>.com:443/Vpn/ApplyConfig.ashx. You should receive a certificate warning if the connection succeeds. Close the warning.

If the VPN external interface has errors, test the access to the interface from MDM Gateway Server and resolve any networking issues.

Gateway Sync Status Shows Unreachable

An error or a status of unreachable may appear after you add a new MDM Gateway Server:

  • Unreachable indicates that the gateway could not be contacted. This could indicate a problem with the network or DNS name resolution.
  • Error generally indicates a problem with the configuration of the MDM Gateway Server or an invalid MDM GCM certificate on the MDM Device Management Server.

You might also see events 5257 and 5258 in your event logs. For more information about these events, see the MDM Error and Event Messages topic in the MDM Operations Guide.

To troubleshoot these issues, perform the following steps.

To troubleshoot with the Best Practices Analyzer Tool

  1. Download and install the MDM Best Practices Analyzer (BPA) Tool from this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=127030.
  2. Run the BPA tool on the MDM Device Management Server and check for the following issues:
    • Network configuration between the MDM Device Management Server and MDM Gateway Server 
    • Issues with the MDM GCM certificate

To troubleshoot network configuration issues

  1. On the MDM Console, stop the MDM Gateway Server, and then start it again to reproduce the error. This tests the connectivity from the MDM Device Management Server to the MDM Gateway Server.

  2. Verify that the MDM Gateway Server is functioning:

    1. Make sure that the server is running.
    2. Verify that the MDM Mobile VPN Services are running on the MDM Gateway Server.
    3. Verify that the MDM Mobile VPN Policy Engine is running on the MDM Gateway Server.
  3. On the MDM Gateway Server, check the event log and the MDM Mobile VPN Policy Engine event log.
    If the event log on the MDM Gateway Server contains no data, the MDM Device Management Server could probably not access the MDM Gateway Server.

  4. On the MDM Device Management Server, check the event log for errors.
    The following example shows that the MDM Device Management Server cannot reach the VPN internal interface.

    Event Type: Warning
    Event Source: Device Manager
    Event Category: None
    Event ID: 5252
    Date: 1/4/2008
    Time: 11:22:06 AM
    User: N/A
    Computer: CSS-SERVER
    Description:
    Gateway Central Management service did not connect to Gateway Server https://css-gw.mydomain.com:443/Vpn/ApplyConfig.ashx
    
  5. To make sure that the MDM Device Management Server can reach the MDM Gateway Server and can resolve the DNS names, do the following:

    • On the MDM Device Management Server, ping the IP address and FQDN of the MDM Gateway Server.

      Note

      This may fail if strict filtering is done at the internal firewall.

    • On the MDM Device Management Server, test the URL for the MDM Gateway Server: https://<VPNServerName>.<domain>.com:443/Vpn/ApplyConfig.ashx. If the connection succeeds, a certificate warning appears. Close the warning.

  6. Check the event log on the MDM Gateway Server. If it contains data that is timestamped the same as the MDM Gateway Server configuration, then the MDM Device Management Server can access the MDM Gateway Server.

  7. Check the Mobile VPN Policy Engine event log on the MDM Gateway Server for errors:

    1. Verify that the MDM Gateway Server properties are correctly configured. Common errors include an invalid device IP address pool or an incorrect FQDN or IP address for the MDM Gateway Server.
    2. In the MDM Console, correct the properties based on the error in the MDM Gateway Server event log.
    3. If the error is about the external IP address or FQDN, test access to the interface from the MDM Gateway Server and resolve any networking issues.
  8. In MDM Shell, run Get-MDMGatewayServer, and then do the following:

    1. Check the value in VPNAddress to verify that the IP address is the external interface address.
    2. If needed, correct this value by running Set-MDMGatewayServer with VPNAddress <IPAddressParameter>.
    3. Check the value in AdminInterface and make sure the server name in the URL matches the published FQDN of the MDM Gateway Server.
  9. On MDM Gateway Server, open IIS and view the internal and external IP addresses that are bound to the Gateway Management Web site in IIS. To make sure that the external IP address matches the one in the previous step, do the following:

    1. On the MDM Gateway Server, open Control Panel, choose Add or Remove Programs, and then choose Microsoft System Center Mobile Device Manager-Gateway Server.
    2. Choose the Change option to open the installation wizard.
    3. Proceed through the installation wizard until you can verify that the internal IP address matches the internal IP address on the Gateway Management Web site in IIS.
    4. Cancel the installation wizard.
  10. Verify IIS is set up properly.
    If you have connectivity, but IIS returns 404 or 500, there may be an issue with IIS or the Web site configuration. Error 403 usually indicates certificate issues, but it could be caused by IIS or the Web site configuration.
    Verify that IIS is configured to require client certificates as follows:

    1. Verify that the certificate is set up properly. Look for trust errors in the Mobile Device Management Server event log.
    2. Make sure that the gateway host name matches the subject name of its certificate.
    3. Make sure that the certificate on the MDM Gateway Server chains to a trusted root certificate and that all MDM servers chain to the same root.
    4. If an intermediate certificate authority is used, make sure that the Root certificate and Intermediate certificate are placed in their respective stores in the Certificates snap-in on the MDM Gateway Server.

    MDM supports intermediate certification authorities that chain to the same root authority. MDM does not support multiple root certification authorities.

To check for issues with the MDM GCM certificate

If MDM Device Management Server is able to establish an SSL connection to MDM Gateway Server, and is able to resolve the server name through DNS from MDM Device Management Server, then the cause might be the MDM GCM certificate that is installed in the local computer certificate store. To troubleshoot this issue, perform the following steps:

  1. In the MDM Device Management Server event log, the following event indicates an issue with the MDM GCM certificate or its private key on the MDM Device Management Server:

    Event Type:    Error
    Event Source:   Device Manager
    Event Category:  None
    Event ID:     5257
    Date:       11/5/2007
    Time:       2:15:08 PM
    User:       N/A
    Computer:     MDMDM2
    Description:
    Gateway Central Management service cannot find a valid certificate to authenticate with the Gateways. The service can automatically detect a valid installed certificate issued with the Gateway Central Management template. Install a valid certificate and then restart the service.
    This error could indicate the GCM certificate chain is invalid, that the private key for the GCM certificate has not been ACLd to the Network Service, or that the CA cannot locate a CDP (CRL Distribution Point), which will cause validation to fail.
    
  2. Use the MDM Certificate Tool to check the validity of the MDM GCM certificate and private key. To download this tool, see the MDM Server Tools in the MDM Resource Kit at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=127030.

  3. Some common issues with the MDM GCM certificate and private key are:

    • The MDM GCM certificate private key requires Read permissions for the Network Service.
    • The certificate is not validated by the certification authority.
    • The certificate chain is not valid.

    These scenarios and steps to resolve the issues are described in detail below.

  4. On the MDM Device Management Server, enable tracing for the MDM GCM component (or for Everything) with -Level Debug. After tracing runs for about 10 minutes, collect the logs.
    Convert the logs into plain text first before you give them to someone else.

  5. Check the Firewall log for traffic from the MDM Device Management Server to the MDM Gateway Server.

    Note

    This step may not be possible in your environment.

The MDM GCM certificate private key requires Read permissions for NETWORK SERVICE

  1. At a command prompt, go to the following directory; this is the directory that has the private keys for client certificates issued to the computer account:
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\

  2. Type dir /as /od, and then press ENTER.
    A list of private keys appears with the most recent key appearing last. Try to line up the Date Modified value with the Valid from properties in the certificate viewer to locate the MDM GCM private key.

  3. Copy the string for the MDM GCM private key to Notepad for future reference. The format should resemble the following: 8aeda5eb81555f14f8f9960745b5a40d_38f7de48-5ee9-452d-8a5a-92789d7110b1.

  4. To set an access control list (ACL) for the key that corresponds to the MDM GCM certificate, run the following command:

    Note

    Typically, the ACL is set automatically during Setup to allow access to NETWORK SERVICE. However, this may not have occurred if the service or certificate is not installed correctly.

    cacls "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\<hash for private key>" /E /G "Network Service":R
    
  5. On the MDM Device Management Server, restart the MDM GCM service for changes to take effect.

  6. If the NETWORK SERVICE has permissions to the MDM GCM private key, you verified that the certificate chain is valid, and the status of the gateway remains unreachable, manually create a new MDM GCM certificate as described in the Manual Certificate Procedures, in the section Issuing Certificates by Using MDM Templates.

  7. Restart the MDM GCM service.
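The same check can be scripted. The following PowerShell example is added here and is not part of the MDM documentation or product: it finds the MDM GCM certificate by the enhanced key usage OID 1.3.6.1.4.1.311.65.1.1 named later in this section, asks the CSP for the file name of its key container (the "<hash>_<guid>" string you would otherwise line up by date), and grants NETWORK SERVICE Read access when the ACL lacks it. It assumes PowerShell 2.0 or later, an elevated prompt on the MDM Device Management Server, and an RSA CSP machine key; the service name for the final restart is not given on this page, so that step is left to the administrator.

```powershell
# Added example (not part of the MDM documentation): find the MDM GCM certificate in the
# local computer Personal store, locate the file that holds its private key, and make sure
# NT AUTHORITY\NETWORK SERVICE has Read access to it, granting it when missing.
# Assumptions: the GCM certificate carries the enhanced key usage OID 1.3.6.1.4.1.311.65.1.1
# and its key lives in an RSA CSP machine key container. Run from an elevated prompt.

$gcmEkuOid      = '1.3.6.1.4.1.311.65.1.1'
$networkService = 'NT AUTHORITY\NETWORK SERVICE'
# CommonApplicationData is "C:\Documents and Settings\All Users\Application Data" on
# Windows Server 2003 and "C:\ProgramData" on later versions; MachineKeys sits below it.
$machineKeyDir  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'

function Get-GcmCertificate {
    # Returns the certificates in LocalMachine\My whose EKU extension contains the GCM OID.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $gcmEkuOid })
    }
}

function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # The CSP reports the unique container name, which is also the file name under MachineKeys.
    try {
        $container = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        return (Join-Path $machineKeyDir $container)
    } catch {
        Write-Warning "Cannot open the private key of $($Cert.Thumbprint): $($_.Exception.Message)"
        return $null
    }
}

function Test-NetworkServiceRead {
    param([string]$KeyFile)
    # True when an Allow ACE for NETWORK SERVICE includes all of the Read rights.
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $acl  = Get-Acl -Path $KeyFile
    $hit  = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $networkService -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $read) -eq $read) }
    return [bool]$hit
}

function Grant-NetworkServiceRead {
    param([string]$KeyFile)
    # Equivalent of: cacls "<key file>" /E /G "Network Service":R
    $acl  = Get-Acl -Path $KeyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $networkService, 'Read', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyFile -AclObject $acl
}

foreach ($cert in Get-GcmCertificate) {
    "GCM certificate: $($cert.Subject)  valid from $($cert.NotBefore)  thumbprint $($cert.Thumbprint)"
    $keyFile = Get-PrivateKeyFile -Cert $cert
    if (-not $keyFile) { continue }
    if (Test-NetworkServiceRead -KeyFile $keyFile) {
        "  $networkService already has Read on $keyFile"
    } else {
        "  Granting Read on $keyFile to $networkService"
        Grant-NetworkServiceRead -KeyFile $keyFile
    }
}
# Afterwards restart the MDM GCM service (step 5 above) so that the service picks up the change.
```

If Get-PrivateKeyFile warns that the key cannot be opened even from an elevated prompt, the key container itself is damaged or missing, which is the case step 6 above addresses by issuing a new MDM GCM certificate.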

The certificate is not validated by the certification authority

To troubleshoot this issue, perform the following steps:

  1. On the certification authority, check the event log for errors.
  2. Verify that the certification authority is configured to issue Web certificates.
  3. Verify that the certificate templates for MDM are enabled.

You can use the Certutil command-line tool, certutil.exe, to verify that certificates are correctly deployed. For more information about Certutil, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=135975

To determine whether there is an issue with the certificate revocation lists (CRLs) or with revocation checking, perform the following steps:

  1. Copy the public portion of the MDM GCM certificate to another location.
  2. On the MDM Device Management Server, perform the following steps:
    1. Open the local computer personal certificates store.
    2. Sort the certificates by intended purpose.
    3. Find a certificate with the intended purpose of 1.3.6.1.4.1.311.65.1.1, Client Authentication. These are MDM GCM certificates.
    4. Double-click one of these certificates.
    5. On the Details tab, select Copy to File.
    6. The Certificate Export Wizard appears.
    7. On the Welcome to the Certificate Export Wizard page, choose Next.
    8. On the Export File Format page, make sure that DER encoded binary X.509 (.CER) is selected, and then choose Next.
    9. On the File to Export page, save it to an accessible place such as C:\ and give it a name; for example, gcmcert.cer. Choose Next.
    10. On the Completing the Certificate Export Wizard page, choose Finish.
    11. In the Certificate Export Wizard dialog box informing you that the export was successful, choose OK.
    12. Make sure that the proxy settings are correct in the computer (WinHTTP) context; you can view and set them with proxycfg.exe.
  3. Use certutil.exe to verify that the client certificate is valid; Certutil reports why certificate validation failed:
    1. If Certutil shows a URL failure, test the URL from Internet Explorer on the MDM Device Management Server.

    2. To help find deployment problems where certificate revocation lists (CRLs) are unreachable, be sure to tell Certutil to resolve remote URLs. At a command prompt, run the following command, using the ">" parameter to write the output to a file:

      Certutil -urlfetch -verify c:\gcmcert.cer > c:\gcmcert.txt
      
    3. In the output, look for the line that says the following:

      Leaf certificate revocation check passed
      

      Also look for statements similar to the following:

      Expired "Delta CRL (1633)" Time: 0
      [0.0.1] <crl location>
      

      You may also see errors similar to the following:

          Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
          https://www.contoso.com/certdata/Contoso%20Test%20Root%20Certification%20Authority.crl
      
    4. To troubleshoot connectivity to the server hosting the CRL, test the URL from the certification authority server. If this fails, republish the delta CRLs as follows.

Republish the CRL

  1. From the Start menu, point to All Programs, point to Administrative Tools, and then choose Certification Authority.
  2. In Certification Authority, expand the certification authority server name, right-click Revoked Certificates, point to All Tasks, and then choose Publish.
  3. In the Publish CRL dialog box, choose Delta CRL only, and then choose OK.

Alternatively, you can place the CRLs in the appropriate folder in the CRL publishing location.

The certificate chain is not valid

Verify the full chain of the MDM GCM certificate.

You can then save the chain so that you can send it to Support. To save the chain, perform the following steps:

  1. In Internet Explorer, open the MDM GCM certificate.
  2. On the Details tab, select Copy to File and step through the wizard.
  3. When asked for export file format, select .P7B, and then select Include all certificates in the certification path.

Support personnel can open this file and verify the chain to the certification authority. Support personnel can also open the Details tab of the certificate properties to see a list of CDPs (CRL Distribution Points).
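The Certutil revocation check above and the chain export in this section can also be done from PowerShell with the .NET X509Chain API. The following example is added here and is not part of the MDM documentation or product: it builds the chain of the exported GCM certificate with online revocation checking for every certificate in the chain (the equivalent of certutil -urlfetch -verify), prints the CRL distribution points from the certificate, reports which chain element failed and why, and writes the whole chain as a .p7b file for Support. It assumes PowerShell 2.0 or later, the exported file C:\gcmcert.cer from the steps above, and an output name C:\gcmchain.p7b that is chosen here.

```powershell
# Added example (not part of the MDM documentation): validate the chain of an exported MDM GCM
# certificate with online revocation checking, list the CRL distribution points, and save the
# whole chain as PKCS#7 for Support. File names are the ones used on this page (assumed).

$certPath  = 'C:\gcmcert.cer'     # exported as DER encoded binary X.509 per the steps above
$chainPath = 'C:\gcmchain.p7b'    # assumed output name for the PKCS#7 chain file

function Test-GcmCertificateChain {
    param([string]$Path, [string]$OutFile)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Fetch CRLs for every certificate in the chain, as "certutil -urlfetch -verify" does.
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = New-Object TimeSpan -ArgumentList 0, 0, 30
    $isValid = $chain.Build($cert)

    # CRL distribution points (OID 2.5.29.31), the list Support reads from the Details tab.
    $cdpExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpText = if ($cdpExt) { $cdpExt.Format($true) } else { '(no CDP extension)' }

    # Per-element status. RevocationStatusUnknown / OfflineRevocation mean a CRL could not be
    # retrieved (the "Error retrieving URL" case above); PartialChain / UntrustedRoot mean the
    # chain does not reach a trusted root.
    $elements = foreach ($el in $chain.ChainElements) {
        $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $status) { $status = 'OK' }
        "$($el.Certificate.Subject) [$status]"
    }

    # Leaf plus issuers as PKCS#7, the same content as the .P7B export with the full path.
    $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    foreach ($el in $chain.ChainElements) { [void]$coll.Add($el.Certificate) }
    $bytes = $coll.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs7)
    [System.IO.File]::WriteAllBytes($OutFile, $bytes)

    New-Object PSObject -Property @{
        IsValid     = $isValid
        ChainStatus = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        Elements    = $elements
        Cdp         = $cdpText
        ChainFile   = $OutFile
    }
}

Test-GcmCertificateChain -Path $certPath -OutFile $chainPath | Format-List
```

An IsValid of False together with a RevocationStatusUnknown or OfflineRevocation entry points at the CDP being unreachable from the MDM Device Management Server (check the proxy settings and the republishing steps above); PartialChain or UntrustedRoot points at the certificate chain itself, covered in this section.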

Enrolled Device Cannot Connect

After you try to enroll a device, the device connection status shows that the device is enrolled. However, the device is not in the All Managed Devices node in MDM Console.

After the device finishes its session with MDM Enrollment Server, it tries to attach to MDM Gateway Server. However, in MDM Console, the device is not in the All Managed Devices list because it is not yet managed.

This issue indicates a problem with the device connection to MDM Device Management Server. Until the device can contact MDM Device Management Server and become managed, it will not appear in All Managed Devices.

To resolve issues where the managed device cannot contact MDM Device Management Server:

  • On the managed device, check that the date and time are set correctly. The device validates its certificate date against its system clock, which can reset incorrectly if you remove and then reinsert the device battery.

  • On the managed device, ping the URL to check MDM Gateway Server DNS name resolution.

  • Check that the necessary ports are not blocked by a cellular network or any company firewalls. For example, an internal firewall might be blocking TCP port 8443 to MDM Device Management Server.

  • Check network connectivity because a persistent route is needed from MDM Gateway Server to the company network through the internal firewall. You must have an additional route from the firewall server to the MDM client network through MDM Gateway Server. For example:

    • Route #1 (on the gateway): To add a route to the company network through the internal firewall, run the following command at a command prompt.

      route -p add <corporate subnet> mask <subnet mask> <Firewall IP>
      
    • Route #2 (on the firewall): To add a route to the MDM client network through MDM Gateway Server, run the following command at a command prompt.

      route -p add <Client pool subnet> mask <subnet mask> <Gateway IP>
      
  • Check that UDP port 500, UDP port 4500, and IP Protocol ID 50 are enabled on the external company firewall for both inbound and outbound filters. For more information about protocol 50 and enabling IPsec traffic through a firewall, see the following Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=111867.
    To resolve this issue, open UDP ports 500 and 4500, and enable IP Protocol ID 50 on the Windows Firewall of MDM Gateway Server and any external firewalls or routers. All these ports and protocols should be bi-directional. For more information about the necessary ports and protocols to enable, see MDM Deployment Worksheets.

  • Check that a modified service connection point (SCP) still matches the information provisioned on the device. If you have manually updated the Active Directory SCP information for the MDM instance, the updated information in the SCP must match the information provisioned on the device.
    During enrollment, the device receives a provisioning .xml file that contains information about the location of the device management and VPN server. At a command prompt, run the following cmdlet to retrieve this information.

    Get-EnrollmentServiceLog | out-file C:\enrollmentservice.txt
    

    Compare the values, such as FQDN and port number, to the values in the keywords attribute in the SCP, and then make any necessary corrections to the SCP values.
    For example, the provisioning .xml file from the MDM Enrollment Server log has the following information for TEE and VPN:

    TEE: "ADDR" value="SCMDMServer.test.Mydomain.com:8443/SCMDM2008/TEE/bin"
    VPN: "VPNServerName" value="192.168.0.98"
    

    However, the SCP keyword value changed at some point to the following:

    SCMDMServer.test.Mydomain.com:8909/SCMDM2008/TEE/bin
    

    To resolve this issue, change the port number back to 8443 in the SCP. For information about how to locate and modify an MDM SCP, see Modify an MDM Active Directory Service Connection Point in the MDM Planning Guide.
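The comparison between the provisioning .xml values and the SCP can be scripted. The following PowerShell example is added here and is not part of the MDM documentation or product: it extracts the ADDR (TEE) and VPNServerName values from the enrollment service log dump written by Get-EnrollmentServiceLog, reads the multi-valued keywords attribute of the SCP through ADSI, and reports whether the TEE host and port the device was given still appear in the SCP. It assumes PowerShell 2.0 or later, the log file name used above, and a placeholder distinguished name for the SCP, which you must replace with the real one located as the MDM Planning Guide describes.

```powershell
# Added example (not part of the MDM documentation): pull the TEE and VPN addresses out of the
# enrollment service log dump (the ADDR and VPNServerName parms of the provisioning .xml) and
# check that the TEE host:port is still present in the keywords attribute of the MDM SCP.
# Assumptions: log file name as used above; the SCP DN below is a placeholder.

$logPath = 'C:\enrollmentservice.txt'                          # from Get-EnrollmentServiceLog
$scpDn   = 'CN=<MDM SCP name>,CN=System,DC=<domain>,DC=<tld>'  # placeholder, replace with the real DN

function Get-ProvisioningAddress {
    param([string]$Path)
    # The parms appear as name="ADDR" value="host:port/path" and name="VPNServerName" value="ip";
    # the regexes also match the abbreviated form shown in the log excerpt above.
    $text = Get-Content -Path $Path | Out-String
    $tee  = [regex]::Match($text, '"ADDR"\s+value="([^"]+)"')
    $vpn  = [regex]::Match($text, '"VPNServerName"\s+value="([^"]+)"')
    New-Object PSObject -Property @{
        TeeAddress = $(if ($tee.Success) { $tee.Groups[1].Value } else { $null })
        VpnServer  = $(if ($vpn.Success) { $vpn.Groups[1].Value } else { $null })
    }
}

function Get-ScpKeywords {
    param([string]$DistinguishedName)
    $scp = [ADSI]"LDAP://$DistinguishedName"
    @($scp.keywords)    # keywords is multi-valued
}

function Compare-ScpToDevice {
    param([string]$LogPath, [string]$ScpDn)
    $prov = Get-ProvisioningAddress -Path $LogPath
    if (-not $prov.TeeAddress) { throw "No ADDR parm found in $LogPath" }
    # Split "SCMDMServer.test.Mydomain.com:8443/SCMDM2008/TEE/bin" into host and port.
    $hostPort = ($prov.TeeAddress -split '/')[0]
    $hostName, $port = $hostPort -split ':'
    $keywords = Get-ScpKeywords -DistinguishedName $ScpDn
    $match    = $keywords | Where-Object { $_ -like "*$hostPort*" }
    "Device was provisioned with TEE host $hostName port $port (VPN server $($prov.VpnServer))"
    "SCP keywords: $($keywords -join '; ')"
    if ($match) { "OK: the SCP still references $hostPort" }
    else        { "MISMATCH: no SCP keyword contains $hostPort; correct the SCP (for example the port) to match the device" }
}

Compare-ScpToDevice -LogPath $logPath -ScpDn $scpDn
```

A MISMATCH line in the output corresponds to the port change in the example above (8443 provisioned on the device, 8909 in the SCP); the fix is the one stated there, change the SCP back rather than re-enrolling devices.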

Performance Counters do not Update on MDM Gateway Server

Performance counters and Windows Task Manager do not reflect Mobile VPN tunneled traffic on MDM Gateway Server. When MDM Gateway Server is simply forwarding network traffic that is not related to MDM Gateway Server itself, where MDM Gateway Server is neither the source nor the destination of this network traffic, the network interface performance counters will not be updated. Windows Task Manager also does not update the traffic data on the Networking tab. This is because the NDIS IM Driver IPSecVPN.sys that MDM Gateway Server installs is located below the TCP/IP stack.

ISA Server Denies Device Connection with Spoofing Packet Dropped Error

If the address range assigned to MDM Gateway Server is not routable in the intranet, then ISA Server does not allow these addresses to be forwarded. Instead, Microsoft Internet Security and Acceleration (ISA) Server returns the error Denied Connection - FWX_E_FWE_SPOOFING_PACKET_DROPPED.

To resolve this issue, add the address range to the internal-facing network adapter so that one address in the address range (which is on the same subnet) is added to one of the network adapters on the ISA Server. Thereafter, ISA Server checks for the address, finds it on the network adapter of the server, and allows the traffic through without the error.

Cannot Disable IP Address Assigned by Gateway Server

You cannot disable the IP address assignment functionality of the MDM Gateway Server while maintaining the functionality of the Mobile VPN tunnel. For example, you cannot use a different Dynamic Host Configuration Protocol (DHCP) server to assign IP addresses.

You can disable the Mobile VPN connection portion only for the device, but MDM Device Management Server must be reachable from the device connection point (for example, Wi-Fi access point or other access point network). This configuration is particularly useful for devices connected to a Wi-Fi company network. However, you should not disable the Mobile VPN connections for Internet-connected devices because the Mobile VPN connections help to increase the security of your deployment.

Routing Mobile VPN-Connected Clients to Internal Servers

You must configure a router for the network traffic from MDM Gateway Server to the servers in the internal network. The IP address pool for the Mobile VPN connections must be on a unique subnet, where the IP address range does not overlap with existing subnets in your network.

To validate that network traffic is able to pass between MDM Gateway Server and MDM Device Management Server, download and run MDM Best Practices Analyzer tool from this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=127030. For information on configuring the IP address pool for MDM, see the MDM Operations Guide at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=115901.

Reinstall After Changing Network Interface Card

When you install MDM Gateway Server, Setup identifies the network interface card (NIC) installed on the computer. If you change the NIC after MDM Gateway Server is installed, then you must uninstall and reinstall MDM Gateway Server. If you are upgrading MDM Gateway Server from MDM 2008 to MDM 2008 SP1, then Setup will also recognize the new NIC during the upgrade.

Changing Gateway Server Internal IP Address

If you change the internal IP address of the computer running MDM Gateway Server, then you must change the IP address maintained by Internet Information Services (IIS) Manager for this server.

To change the MDM Gateway Server IP address in IIS, perform the following steps:

  1. In IIS Manager, in the left pane, expand Web Sites, right-click Gateway Management Web Site, and select Properties.
  2. In the Web Site tab, click Advanced.
  3. Under Multiple SSL identities for this Web site, select the IP address and click Edit.
  4. Enter the new IP address and then click OK.
  5. Click OK.