Enabling Secure Mobile Gateway Filtering by Configuring Forefront Threat Management Gateway

Sep 27, 2015

To enable Secure Mobile Gateway to perform the XenMobile Device Manager Exchange email filtering and blocking features, you configure Microsoft Forefront Threat Management Gateway (TMG) running on Windows Server 2008. You then install Secure Mobile Gateway on the server running Forefront TMG as an ISAPI plug-in. The installer for the Secure Mobile Gateway is a Windows Installer .msi file that will place all the necessary components on the server.

After installation, you create a firewall policy access rule on Forefront TMG to allow Secure Mobile Gateway to connect to Device Manager and then request and retrieve the dynamic rules, restrictions, and device information managed by Device Manager. You configure the new access rule by using a wizard in the Forefront TMG management console.

When you configure the access rule in Forefront TMG, be sure to configure the following settings:

  • Give the rule a name that references the purpose of the rule, such as XenMobile Device Manager.
  • Select Allow as the action to take when the rule conditions are met.
  • Add the HTTPS protocol.
  • Add the Local Host network as the access rule source.
  • Create a destination for the rule by creating a computer set with a recognizable name, such as XenMobile computers.
  • Make sure the All Users object is included in the user sets.

After you configure and apply the rule, do the following to connect the Secure Mobile Gateway with the Device Manager server:

  1. From the Start menu, click All Programs and then click SMG Controller Configuration.
  2. On the Config Providers tab, click Add and then enter the administrator account credentials for Device Manager and the Web address for Device Manager in the following format: https://zdmserver.domain.com/zdm/services/MagConfigService
    Note: Be sure to enter the fully qualified domain name (FQDN) or DNS name of the server used by the devices and web console connections. For SSL connections, you must use the DNS name of the server (and not the IP address).
  3. Select the Events Enabled check box if you want to enable Device Manager Automated Actions, which sends a notification when Secure Mobile Gateway blocks a user device.
  4. Click Test Connectivity to validate that the connection works through the new access rule.
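
A pre-flight check for the Config Providers address, as an added example that is not part of the product or of this documentation: it flags the mistakes the steps above warn about (non-HTTPS scheme, IP address instead of DNS name, wrong service path) before you click Test Connectivity. The function names and sample URLs are assumptions made for illustration; `probe_tls` needs network access and assumes the Device Manager certificate chains to a CA trusted by the machine running the script.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Service path taken from the URL format shown in step 2.
SERVICE_PATH = "/zdm/services/MagConfigService"


def check_provider_url(url):
    """Return a list of problems with a Config Providers URL (empty list = OK)."""
    problems = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if parts.scheme.lower() != "https":
        problems.append("scheme must be https (the access rule adds HTTPS only)")
    if not host:
        problems.append("no host name in URL")
    else:
        try:
            ipaddress.ip_address(host)
            problems.append("host is an IP address; use the server's DNS name")
        except ValueError:
            if "." not in host:
                problems.append("host name is not fully qualified")
    if parts.path.rstrip("/") != SERVICE_PATH:
        problems.append("path should be " + SERVICE_PATH)
    if parts.username or parts.password:
        problems.append("enter credentials separately, not inside the URL")
    return problems


def probe_tls(host, port=443, timeout=5.0):
    """Live check: TLS handshake with certificate chain and host-name verification."""
    ctx = ssl.create_default_context()  # raises ssl.SSLError on a name mismatch
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    # Constructed sample inputs; 192.0.2.10 is a documentation-only address.
    for url in ("https://zdmserver.domain.com/zdm/services/MagConfigService",
                "https://192.0.2.10/zdm/services/MagConfigService",
                "http://zdmserver/zdm"):
        print(url, "->", check_provider_url(url) or "OK")
```

Run it on the Forefront TMG server itself, since the access rule uses the Local Host network as its source.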