Cloud Extender architecture

Cloud Extender® is a small Windows application that you install behind the firewall with network access to the appropriate internal systems.

How the Cloud Extender works

Cloud Extender makes an outbound connection to the IBM® MaaS360® Cloud or On-Premises instance over port 443.

Cloud Extender includes a Configuration Tool that you use to configure proxy settings manually, through a PAC file, or automatically. Cloud Extender also accepts credentials for traversing authenticated proxies. After you configure proxy settings, Cloud Extender connects to the MaaS360 Cloud and establishes two-way communication: commands flow from the MaaS360 Cloud to the Cloud Extender, and action responses flow back from the Cloud Extender to the MaaS360 Cloud.

Cloud Extender uses a modular architecture with multiple services (such as Exchange Integration, User Visibility, and User Authentication). You enable the corresponding service, or module, on Cloud Extender for each integration that you want to configure.

When a new feature is enabled, the related module and its associated configuration elements are automatically updated on all Cloud Extender instances. All updates are automatic unless you configure otherwise. The modular architecture also provides module versioning and limited release of modules to support pre-production testing.

Resilience and scalability

You can install multiple instances of Cloud Extender for scale and resilience. The MaaS360 Cloud is aware of all Cloud Extender instances for a specific customer and uses those instances to maximize performance and reliability. Cloud Extender reports self-monitoring data and usage statistics to the MaaS360 Cloud so that you can view, monitor, and alert on Cloud Extender activity.

MaaS360 real-time notification services

Over the outbound connection that Cloud Extender makes from the customer premises to MaaS360, MaaS360 administrators can send commands to the appropriate internal systems to achieve a specific result. Because Cloud Extender does not require an inbound connection, you can place it on the internal network; no inbound firewall rule is needed.

For example, a MaaS360 administrator issues a Block command for a specific device to stop that device from syncing email. The MaaS360 Portal issues the action either as an explicit device action or through an automated compliance rule. The command is sent to the appropriate customer Cloud Extender instance in real time; Cloud Extender issues the corresponding command to the internal system and then reports the action status (Success, Failure, or Pending) back to the MaaS360 Cloud.

The following diagram illustrates a typical small or medium-sized business Cloud Extender implementation that incorporates LDAP Authentication in High Availability, Exchange Integration for ActiveSync device discovery, and Certificate Authority Integration for issuing identity certificates.
[Figure: Example of Cloud Extender architecture]

Cloud Extender modules

A Cloud Extender module is a package of scripts and actions that integrates with one component of your on-premises infrastructure and provides full integration service for that component. You can enable multiple Cloud Extender modules to integrate with various on-premises components.

The MaaS360 Cloud platform provides extra management capabilities based on the types of modules that are enabled on Cloud Extender and configured to integrate with your environment. You can enable several modules on the same Cloud Extender, but make sure that the host has enough system resources for all of the modules you enable.

Cloud Extender includes the following modules:
Table 1. Cloud Extender modules

Exchange Integration module
    The Exchange Integration module interacts with the Exchange Server to automatically discover ActiveSync-connected devices and uploads that device information to the MaaS360 Cloud.

    The Exchange Integration module automatically quarantines devices, allows only MaaS360-enrolled devices, carries out actions that are sent from MaaS360 (such as Approve, Block, or Remove device from the mailbox), and applies ActiveSync device policies.

    This module supports Microsoft Exchange 2010, 2013, 2016, and Office 365.

Email Notification module
    The Email Notification module sends a notification alert to all iOS devices for new email messages if you use Secure Mail as the email client.

    Because of the iOS architecture, the OS can suspend third-party apps when the user is not actively using the app. For the Secure Mail app, this restriction means that users are not notified when new email messages arrive. The Email Notification module allows Cloud Extender to subscribe directly to these notifications with Exchange and then notify the device with an APNS notification alert, which works around the OS limitation.

IBM Traveler Integration module
    The IBM Traveler Integration module uses information received from IBM Traveler and IBM SmartCloud® about ActiveSync-connected devices and uploads that device information to the MaaS360 Cloud.

    The IBM Traveler module automatically quarantines devices that are connected to your mail infrastructure (selected versions) and carries out actions that are sent from the MaaS360 Portal.

User Authentication module
    The User Authentication module interacts with Active Directory and LDAP directories to provide user authentication for various MaaS360 functions, such as self-service device enrollment with corporate credentials, MaaS360 Portal login, and the user management portal.

    Cloud Extender supports integration with LDAP implementations including Active Directory, Domino® LDAP, Oracle LDAP, Novell eDirectory LDAP, and OpenLDAP.

User Visibility module
    The User Visibility module uses corporate directory groups to allow the assignment and distribution of policies, apps, and content to mobile devices.

    The MaaS360 administrator imports these groups to control administrator access to manage a subset of devices. LDAP filters limit which groups and organizations are imported. Devices are managed based on the corporate directory structure.

Certificate Integration module
    The Certificate Integration module facilitates automatic provisioning, distribution, and renewal of digital identity certificates to managed mobile devices by using an existing Microsoft CA, Symantec CA, or Entrust Admin Services and Identity Guard.

    You can also use these identity certificates for user or device authentication for corporate Wi-Fi, VPN, or email (both native and MaaS360 Secure Mobile Mail) solutions.

Mobile Enterprise Gateway (MEG) module
    The Mobile Enterprise Gateway (MEG) module provides gateway and relay functions that give mobile applications secure access to behind-the-firewall information and resources such as SharePoint, internal websites, Windows file shares, and IBM Connections.

    The MEG module provides a more efficient and targeted approach than traditional VPNs.
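The following added example is not Cloud Extender code and not from IBM; it shows the Exchange Management Shell cmdlets an administrator would run to get the same outcomes the Exchange Integration module automates: quarantine unknown ActiveSync devices by default, then Approve, Block, or Remove a specific device for a mailbox. It assumes Exchange 2013 or later (or Exchange Online) cmdlet names, an open Exchange shell session, and placeholder values for the mailbox, device ID, and notification recipient; how the module itself performs these steps is not described on this page.

```powershell
# Added example: admin-side Exchange cmdlets that produce the same outcomes the
# Exchange Integration module automates. Assumes an open Exchange Management Shell
# or remote session. Exchange 2010 uses Get-ActiveSyncDevice/Remove-ActiveSyncDevice
# instead of Get-MobileDevice/Remove-MobileDevice; Set-CASMailbox is unchanged.

# 1. Default posture: any device that is not explicitly allowed is quarantined,
#    and the listed administrators are notified so the device can be reviewed.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'eas-admins@example.com'   # placeholder recipient

# 2. Apply one of the module's actions (Approve, Block, Remove) to one device.
function Set-EasDeviceAction {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,    # placeholder, e.g. 'jdoe@example.com'
        [Parameter(Mandatory)] [string] $DeviceId,   # DeviceId as shown by Get-MobileDeviceStatistics
        [Parameter(Mandatory)] [ValidateSet('Approve', 'Block', 'Remove')] [string] $Action
    )
    switch ($Action) {
        'Approve' {
            # A per-mailbox allow entry overrides the organization-wide Quarantine default.
            Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{Add = $DeviceId}
        }
        'Block' {
            # Add to the per-mailbox block list and drop any allow entry so the lists do not conflict.
            Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{Remove = $DeviceId} `
                                             -ActiveSyncBlockedDeviceIDs @{Add = $DeviceId}
        }
        'Remove' {
            # Delete the device partnership from the mailbox entirely.
            Get-MobileDevice -Mailbox $Mailbox |
                Where-Object { $_.DeviceId -eq $DeviceId } |
                Remove-MobileDevice -Confirm:$false
        }
    }
    # Show the device's resulting access state (empty after Remove). The module would
    # report Success/Failure/Pending to MaaS360 based on the outcome of its own action.
    Get-MobileDeviceStatistics -Mailbox $Mailbox |
        Where-Object { $_.DeviceId -eq $DeviceId } |
        Select-Object DeviceId, DeviceAccessState, DeviceAccessStateReason
}

# Example call with placeholder values: block one device and show its state.
Set-EasDeviceAction -Mailbox 'jdoe@example.com' -DeviceId 'PLACEHOLDERDEVICEID' -Action Block
```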