Mobile Enterprise Gateway (MEG) module
IBM® MaaS360® Mobile Enterprise Gateway (MEG) provides simple, seamless, and secure access to behind-the-firewall information resources for device users without requiring a new VPN-like technology.
Mobile Enterprise Gateway (MEG) module benefits
- Seamless logon
- Credential caching
- One-time logon across multiple MaaS360 applications
- Single sign-on to protect intranet resources with strong authentication schemes like NTLM, Kerberos, SPNEGO, and identity certificates
How the Mobile Enterprise Gateway (MEG) module works
The Mobile Enterprise Gateway (MEG) module provides maximum security by authenticating users and devices based on corporate directory credentials and MaaS360 Enrollment Identity Certificates, which satisfies two-factor authentication requirements for intranet resources. All communication between mobile devices and Mobile Enterprise Gateway (MEG) is fully encrypted and secured end-to-end, which prevents man-in-the-middle attacks.
- Seamless background reauthentication of users and devices without prompting users for credentials
- Authentication token requirements for every intranet resource
- Proxy access list validation on the gateway
- Seamless integration with MaaS360, including easy and simple configuration
- Strong gateway authentication schemes
- Cross Forest / Cross Domain authentication
- Support for single sign-on (SSO) for gateway across multiple apps on a device
- Support for Kerberos, SPNEGO, and NTLM v2 authentication against sites
- Internal proxy support for sites
- Granular proxy access list
- Seamless High Availability (HA) configuration
- High-scaling up to 100,000 devices
- Regional gateway cluster support and automatic local gateway routing
- Streaming scenarios for large files and videos
- Web Distributed Authoring and Versioning (WebDAV) support for Windows file shares (supports SMB2 and SMB3)
- Relay DR support
About the Mobile Enterprise Gateway (MEG) gateway modes
Mode | Description |
---|---|
Relay access | The gateway establishes outbound access to the MaaS360 relay server. The devices talk only to the relay server and not directly to the gateway. |
Direct | The devices talk directly to the Mobile Enterprise Gateway (MEG) for direct resource access and bypass the MaaS360 hosted relay servers. You can also install the gateway as a standalone gateway for smaller deployments or as a clustered gateway for High Availability (HA). |
Requirements and scaling
Item | Minimum requirement |
---|---|
Hardware component | Physical or virtual machine with Windows Server 2019, 2016, 2012 R2, 2012, 2008 R2, or 2008. Note: Mobile Enterprise Gateway (MEG) does not support the Server Core installation option for Windows Server 2016, 2012 R2, 2012, 2008 R2, or 2008. Only the Full Server Installation, Server Graphical Shell, or Server with a Desktop Experience installation options are supported. |
Mobile device clients | iOS 11.0 and later; Android 4.2 and later (carrier versions) |
Permissions | A service account that Mobile Enterprise Gateway (MEG) runs as. The account must be a member of the Domain Users group in your Active Directory and a member of the local Administrators group on the server. |
Network - ports | Access to port 443 from the machine that is running Mobile Enterprise Gateway (MEG): the gateway uses this outbound port to communicate with the MaaS360 backend and web services. If you are using Relay access mode, the gateway also uses port 443 to communicate with the relay services. No inbound port is used for relay. |
Network - gateway operation modes (relay access and direct) | |
Network - MaaS360 backend services | For MaaS360 backend services requirements, see the requirements listed for Cloud Extender and the Mobile Enterprise Gateway (MEG) module system requirements. |
Scaling | Fewer than 10,000 devices: CPU: 2 cores (2.8 GHz); Memory: 4 GB; Storage: 2 GB. More than 10,000 devices: CPU (use more gateways in HA mode). |
Scaling for High Availability | Non-HA gateway, fewer than 10,000 devices: one gateway is sufficient; HA is not available. HA gateway, more than 10,000 devices: two gateways running in clustered mode. Note: Even if one gateway can handle the load, you should run a second gateway instance from an HA perspective. |
Possible SQL driver error messages for Mobile Enterprise Gateway (MEG) 2.96
Mobile Enterprise Gateway (MEG) 2.96.000 does not support TLS 1.0 and TLS 1.2 for MSSQL. If you receive the following error message in the MobileGateway.log file:
The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption.
you must upgrade to Mobile Enterprise Gateway (MEG) 2.96.300 or later and append sslProtocol=TLSv1.2 to the JDBC connection string to resolve the issue, for example:
jdbc:sqlserver://Wdsql2012.fiberlinkqa.local;databaseName=megdb;sslProtocol=TLSv1.2
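The log check and the connection-string fix described above, as an added Python example that is not IBM's code: it scans MobileGateway.log lines for the quoted driver error (even when the line is wrapped) and pins sslProtocol=TLSv1.2 on a jdbc:sqlserver URL, replacing a weaker value if one is already set. The sample log lines are constructed; the property name is assumed to be spelled sslProtocol exactly as in the document.

```python
import re

# Error text the document quotes from MobileGateway.log; matched after whitespace
# normalisation because the log writer may wrap the message over two lines.
SSL_DRIVER_ERROR = ("The driver could not establish a secure connection to SQL Server "
                    "by using Secure Sockets Layer (SSL) encryption")

JDBC_PREFIX = "jdbc:sqlserver://"


def parse_jdbc_sqlserver(url):
    """Split 'jdbc:sqlserver://host;key=value;...' into (host, ordered {key: value})."""
    if not url.startswith(JDBC_PREFIX):
        raise ValueError("not a jdbc:sqlserver URL")
    host, *pairs = url[len(JDBC_PREFIX):].split(";")
    props = {}
    for pair in pairs:
        if "=" in pair:                      # tolerate a trailing ';'
            key, value = pair.split("=", 1)
            props[key] = value
    return host, props


def enforce_tls12(url):
    """Return the URL with sslProtocol=TLSv1.2 appended, or replaced if a weaker value is set."""
    host, props = parse_jdbc_sqlserver(url)
    props["sslProtocol"] = "TLSv1.2"         # in place if the key exists, appended otherwise
    return JDBC_PREFIX + host + "".join(f";{k}={v}" for k, v in props.items())


def found_ssl_driver_error(log_lines):
    """True if the quoted driver error appears anywhere in the log, wrapped or not."""
    flat = re.sub(r"\s+", " ", " ".join(log_lines))
    return SSL_DRIVER_ERROR in flat


def diagnose(url, log_lines):
    """Map the two observations onto the remediation the document prescribes."""
    _, props = parse_jdbc_sqlserver(url)
    pinned = props.get("sslProtocol") == "TLSv1.2"
    if found_ssl_driver_error(log_lines) and not pinned:
        return "upgrade to MEG 2.96.300 or later and set sslProtocol=TLSv1.2"
    return "ok" if pinned else "no driver error seen; sslProtocol not pinned to TLSv1.2"


# Constructed sample log (not a real MobileGateway.log excerpt); the error is wrapped over two lines.
SAMPLE_LOG = [
    "2024-01-01 10:00:00 INFO  Starting gateway database connection",
    "2024-01-01 10:00:01 ERROR The driver could not establish a secure connection to SQL Server",
    "      by using Secure Sockets Layer (SSL) encryption.",
]
```

Running diagnose() on the document's own connection string without sslProtocol and SAMPLE_LOG returns the upgrade-and-pin action; enforce_tls12() then yields the corrected string shown above.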
Mobile Enterprise Gateway (MEG) architecture (Relay access mode)
The following diagram illustrates the architecture for the Mobile Enterprise Gateway (MEG) in Relay access mode:
- The MaaS360 app for iOS and Android, the MaaS360 Secure Mobile Browser, and any enterprise app wrapped within MaaS360 or integrated with the MaaS360 SDK communicate with the Mobile Enterprise Gateway (MEG).
- MaaS360 apps are available from iTunes or Google Play or pushed to devices through the App Catalog.
- The apps connect to the relay services over HTTPS, post requests, and pick up responses.
- In addition to the SSL connections to the relays, the payloads are encrypted end-to-end with AES-256 between the app and the gateway.
- Corporate data is secured in the MaaS360 app container and with policy enforcement.
- To preserve network security and isolation, a mobile device is never on the organization's network and MaaS360 apps do not have direct access to the network.
- Windows-based server software that runs on a physical host machine or virtual machine (VM) on your organization's internal network or DMZ.
- Packaged along with Cloud Extender® as a module.
- The gateway establishes outbound connections to the MaaS360 relay services in the cloud over port 443.
- Downloads intranet access requests from the relays, fetches the resource, and posts the resulting payloads back to the relay services. These payloads are encrypted end-to-end with AES-256; the key is shared only with the device.
- The gateway authenticates users against Active Directory or LDAP servers.
- Supports single sign-on (SSO) for upstream sites that challenge for NTLM, Kerberos, SPNEGO, and Identity Certificate based authentication.
- Gateway activation happens against this service.
- MaaS360 issues an identity certificate to the gateway to uniquely identify and authenticate gateways.
- The devices or apps contact the provisioning server to receive the address of the relay server to use for the respective gateway.
- Web services in the cloud that facilitate communications between the clients and your gateway.
- The Link service cannot read the encrypted communication between the clients and the gateway.
Mobile Enterprise Gateway (MEG) architecture (Direct mode)
The following diagram illustrates the architecture for the Mobile Enterprise Gateway (MEG) in Direct mode:
- The MaaS360 app for iOS and Android, MaaS360 Secure Mobile Browser, and any enterprise app wrapped within MaaS360 or integrated with the MaaS360 SDK can communicate with the Mobile Enterprise Gateway (MEG).
- MaaS360 apps are available from iTunes or Google Play or pushed to devices through the App Catalog.
- The apps connect directly to the gateway for intranet resource access.
- Access is over HTTPS if an SSL certificate is configured on the gateway.
- In addition to the SSL connection to the gateway, the payloads are encrypted end-to-end with AES-256 between the app and the gateway.
- Corporate data is secured in the MaaS360 app container and with policy enforcement.
- Windows-based server software that runs on a physical host machine or virtual machine (VM) on your organization's internal network or DMZ.
- Packaged along with Cloud Extender as a module.
- Your network must allow inbound traffic to the gateway server with a configurable port.
- Receives intranet access requests from mobile devices, fetches resources, and posts the resulting payloads back to the mobile devices.
- These payloads are encrypted end-to-end with AES-256; the key is shared only with the device.
- The gateway authenticates users against Active Directory or LDAP servers.
- Supports single sign-on (SSO) for upstream sites that challenge for NTLM, Kerberos, SPNEGO, and Identity Certificate based authentication.