Mobile Enterprise Gateway (MEG) module

IBM® MaaS360® Mobile Enterprise Gateway (MEG) provides simple, seamless, and secure access to behind-the-firewall information resources for device users without requiring a new VPN-like technology.

Mobile Enterprise Gateway (MEG) module benefits

The Mobile Enterprise Gateway (MEG) module provides the following benefits:
  • Seamless logon
  • Credential caching
  • One-time logon across multiple MaaS360 applications
  • Single sign-on to protect intranet resources with strong authentication schemes like NTLM, Kerberos, SPNEGO, and identity certificates

How the Mobile Enterprise Gateway (MEG) module works

The Mobile Enterprise Gateway (MEG) module provides maximum security by authenticating users and devices based on corporate directory credentials and MaaS360 Enrollment Identity Certificates, which satisfies two-factor authentication requirements for intranet resources. All communication between mobile devices and Mobile Enterprise Gateway (MEG) is fully encrypted and secured end-to-end, which prevents man-in-the-middle attacks.

All data on a mobile device is stored in the MaaS360 container solution fully encrypted and protected from data leakage. The containers are fully controlled by MaaS360 container security policies based on your security requirements. The following extra security benefits apply to Mobile Enterprise Gateway (MEG) implementations:
  • Seamless background reauthentication of users and devices without prompting users for credentials
  • Authentication token requirements for every intranet resource
  • Proxy access list validation on the gateway

The Mobile Enterprise Gateway (MEG) is tightly integrated with the MaaS360 Portal, where you define lockout policies and control access to the gateway based on automated compliance rules. The Mobile Enterprise Gateway (MEG) helps your organization mobilize corporate resources to your ever-growing mobile population while still maintaining control over the data flow and associated data security. The Mobile Enterprise Gateway (MEG) includes the following key features:
  • Seamless integration with MaaS360, including easy and simple configuration
  • Strong gateway authentication schemes
  • Cross Forest / Cross Domain authentication
  • Support for single sign-on (SSO) for gateway across multiple apps on a device
  • Support for Kerberos, SPNEGO, and NTLM v2 authentication against sites
  • Internal proxy support for sites
  • Granular proxy access list
  • Seamless High Availability (HA) configuration
  • High-scaling up to 100,000 devices
  • Regional gateway cluster support and automatic local gateway routing
  • Streaming scenarios for large files and videos
  • Web Distributed Authoring and Versioning (WebDAV) support for Windows file shares (supports SMB2 and SMB3)
  • Relay disaster recovery (DR) support

About the Mobile Enterprise Gateway (MEG) gateway modes

The Mobile Enterprise Gateway (MEG) operates in one of the following modes:
  • Relay access: The gateway establishes outbound access to the MaaS360 relay server. The devices talk only to the relay server and not directly to the gateway.
  • Direct: The devices talk directly to the Mobile Enterprise Gateway (MEG) for direct resource access and bypass the MaaS360 hosted relay servers. You can also install the gateway as a standalone gateway for smaller deployments or as a clustered gateway for High Availability (HA).

Requirements and scaling

Table 1. Requirements for the Mobile Enterprise Gateway (MEG)

Hardware component: Physical or virtual machine with Windows Server 2019, 2016, 2012 R2, 2012, 2008 R2, or 2008.
Note: Mobile Enterprise Gateway (MEG) does not support the Server Core installation option for Windows Server 2016, 2012 R2, 2012, 2008 R2, or 2008. Only the Full Server Installation, Server Graphical Shell, or Server with a Desktop Experience installation options are supported.

Mobile device clients: iOS 11.0 and later; Android 4.2 and later (carrier versions).

Permissions: A service account that the Mobile Enterprise Gateway (MEG) runs as. The account must be a member of the Domain Users group in your Active Directory and of the local Administrators group on the gateway server.

Network - ports: Access to port 443 from the machine that is running Mobile Enterprise Gateway (MEG). The gateway uses this outbound port to communicate with the MaaS360 backend and web services. If you are using Relay access mode, the gateway also uses port 443 to communicate with the relay services. No inbound port is required for Relay access mode.

Network - gateway operation modes (Relay access and Direct):
  • Relay access mode
    For Relay access mode, use one of the following relays:
    • US relay
      • Relay URL: https://us01-dv.meg.maas360.com
        Primary Server IP: 169.55.90.26
        DR Server IP: 169.53.30.247
      • Relay URL: https://us01-gw.meg.maas360.com
        Primary Server IP: 169.55.90.27
        DR Server IP: 169.53.30.246
    • EU relay
      • Relay URL: https://eu01-dv.meg.maas360.com
        Primary Server IP: 159.8.170.230
        DR Server IP: 119.81.207.130
      • Relay URL: https://eu01-gw.meg.maas360.com
        Primary Server IP: 159.8.170.231
        DR Server IP: 119.81.207.131
    • APAC-SGP relay
      • Relay URL: https://ap01-dv.meg.maas360.com
        Primary Server IP: 119.81.207.130
        DR Server IP: 169.56.36.218
      • Relay URL: https://ap01-gw.meg.maas360.com
        Primary Server IP: 119.81.207.131
        DR Server IP: 169.56.36.219
    • Tokyo relay
      • Relay URL: https://ap02-dv.meg.maas360.com
        Primary Server IP: 169.56.36.218
        DR Server IP: 119.81.207.130
      • Relay URL: https://ap02-gw.meg.maas360.com
        Primary Server IP: 169.56.36.219
        DR Server IP: 119.81.207.131
    Important: If a catastrophic event occurs at the Primary site, the system fails over to the Secondary DR Server IP addresses that are listed for the various relays.
  • Direct mode
    For Direct mode, an inbound connection is required from the internet to the gateway. Configure this port during the Mobile Enterprise Gateway (MEG) installation and configuration process.

Network - MaaS360 backend services: For MaaS360 backend services requirements, see the requirements listed for Cloud Extender and Mobile Enterprise Gateway (MEG) module system requirements.

Scaling: Fewer than 10,000 devices: CPU 2 cores (2.8 GHz), Memory 4 GB, Storage 2 GB. More than 10,000 devices: use more gateways in HA mode.

Scaling for High Availability: Non-HA gateway for fewer than 10,000 devices: one gateway is sufficient; HA is not available. HA gateway for more than 10,000 devices: two gateways running in clustered mode.
Note: Even if one gateway can handle the load, you should use another gateway instance from an HA perspective.

Possible SQL driver error messages for Mobile Enterprise Gateway (MEG) 2.96

Mobile Enterprise Gateway (MEG) 2.96.000 does not support TLS 1.0 and TLS 1.2 for MSSQL. If you receive the following error message in the MobileGateway.log file:

The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption.

you must upgrade to Mobile Enterprise Gateway (MEG) 2.96.300 or later and append sslProtocol=TLSv1.2 to the JDBC connection string to resolve the issue, for example:

jdbc:sqlserver://Wdsql2012.fiberlinkqa.local;databaseName=megdb;sslProtocol=TLSv1.2
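As an added example (not IBM's code), a Python check that scans a MobileGateway.log excerpt for the error above, decides whether the gateway version is at least 2.96.300, and pins sslProtocol=TLSv1.2 in the JDBC connection string; the log line layout and the version string passed in are constructed assumptions.

```python
# Error text quoted on the page; MEG 2.96.000 writes it to MobileGateway.log when the
# MSSQL JDBC driver cannot negotiate TLS with SQL Server.
TLS_ERROR = ("The driver could not establish a secure connection to SQL Server "
             "by using Secure Sockets Layer (SSL) encryption.")

# First release that accepts the sslProtocol pin, per the page.
MIN_FIXED_VERSION = (2, 96, 300)

# Constructed MobileGateway.log excerpt (not a real log; the line layout is assumed).
SAMPLE_LOG = """\
2024-01-01 10:00:01 INFO  Mobile Enterprise Gateway version 2.96.000 starting
2024-01-01 10:00:05 ERROR The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption.
2024-01-01 10:00:05 WARN  Database connection retry scheduled
"""

def find_tls_errors(log_text):
    """Return the 1-based line numbers that carry the TLS handshake error."""
    return [n for n, line in enumerate(log_text.splitlines(), 1) if TLS_ERROR in line]

def parse_version(ver):
    """'2.96.300' -> (2, 96, 300); missing components are padded with zeros."""
    parts = [int(p) for p in ver.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def supports_tls12_pinning(ver):
    return parse_version(ver) >= MIN_FIXED_VERSION

def ensure_tls12(jdbc_url):
    """Return the SQL Server JDBC URL with sslProtocol=TLSv1.2 set, replacing any other
    sslProtocol value. URL form: jdbc:sqlserver://host[:port][;property=value...]"""
    if not jdbc_url.startswith("jdbc:sqlserver://"):
        raise ValueError("not a SQL Server JDBC URL")
    parts = [p for p in jdbc_url.split(";") if p]          # drop empty trailing segment
    props = [p for p in parts[1:] if not p.lower().startswith("sslprotocol=")]
    return ";".join([parts[0]] + props + ["sslProtocol=TLSv1.2"])

def remediation(log_text, gateway_version, jdbc_url):
    """'none' if the error is absent, 'upgrade' if the gateway is older than 2.96.300,
    otherwise 'pin' together with the corrected JDBC URL."""
    if not find_tls_errors(log_text):
        return ("none", jdbc_url)
    if not supports_tls12_pinning(gateway_version):
        return ("upgrade", jdbc_url)
    return ("pin", ensure_tls12(jdbc_url))
```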

Mobile Enterprise Gateway (MEG) architecture (Relay access mode)

The following diagram illustrates the architecture for the Mobile Enterprise Gateway (MEG) in Relay access mode:

Mobile Enterprise Gateway (MEG) architecture (Relay access mode)
For the client:
  • The MaaS360 app for iOS and Android, the MaaS360 Secure Mobile Browser, and any enterprise app wrapped within MaaS360 or integrated with the MaaS360 SDK communicate with the Mobile Enterprise Gateway (MEG).
  • MaaS360 apps are available from iTunes or Google Play or pushed to devices through the App Catalog.
  • The apps connect to the relay services by using HTTPS, post requests, and pick up responses.
  • In addition to SSL connections to the relays, the payloads are encrypted with AES-256 encryption end-to-end between the app and the gateway.
  • Corporate data is secured in the MaaS360 app container and with policy enforcement.
  • To preserve network security and isolation, a mobile device is never on the organization's network and MaaS360 apps do not have direct access to the network.
For the gateway:
  • Windows-based server software that runs on a physical host machine or virtual machine (VM) on your organization's internal network or DMZ.
  • Packaged along with Cloud Extender® as a module.
  • The gateway establishes outbound connections to the MaaS360 relay services in the cloud over port 443.
  • Downloads intranet access requests from the relays, fetches the resource, and posts the resulting payloads to the relay services. These payloads are encrypted end-to-end with AES-256 encryption. The key is shared only with the device.
  • The gateway authenticates users against Active Directory or LDAP servers.
  • Supports single sign-on (SSO) for upstream sites that challenge for NTLM, Kerberos, SPNEGO, and Identity Certificate based authentication.
For the gateway provisioning service:
  1. Gateway activation happens against this service.
  2. MaaS360 issues an identity certificate to the gateway to uniquely identify and authenticate gateways.
  3. The devices or apps contact the provisioning server to receive the address of the relay server to use for the respective gateway.
For the relay server:
  1. Web services in the cloud that facilitate communications between the clients and your gateway.
  2. The Link service cannot read the encrypted communication between the clients and the gateway.

Mobile Enterprise Gateway (MEG) architecture (Direct mode)

The following diagram illustrates the architecture for the Mobile Enterprise Gateway (MEG) in Direct mode:

Mobile Enterprise Gateway (MEG) architecture (Direct mode)
For the client:
  • The MaaS360 app for iOS and Android, MaaS360 Secure Mobile Browser, and any enterprise app wrapped within MaaS360 or integrated with the MaaS360 SDK can communicate with the Mobile Enterprise Gateway (MEG).
  • MaaS360 apps are available from iTunes or Google Play or pushed to devices through the App Catalog.
  • The apps connect directly to the gateway for intranet resource access.
  • Access is over HTTPS if an SSL certificate is configured on the gateway.
  • In addition to SSL connections to the gateway, the payloads are encrypted with AES-256 encryption end-to-end between the app and the gateway.
  • Corporate data is secured in the MaaS360 app container and with policy enforcement.
For the gateway:
  • Windows-based server software that runs on a physical host machine or virtual machine (VM) on your organization's internal network or DMZ.
  • Packaged along with Cloud Extender as a module.
  • Your network must allow inbound traffic to the gateway server with a configurable port.
  • Receives intranet access requests from mobile devices, fetches resources, and posts the resulting payloads back to the mobile devices.
  • These payloads are encrypted end-to-end with AES-256 encryption. The key is shared only with the device.
  • The gateway authenticates users against Active Directory or LDAP servers.
  • Supports single sign-on (SSO) for upstream sites that challenge for NTLM, Kerberos, SPNEGO, and Identity Certificate based authentication.