Adding a Gateway Server

  • Question

  • Hi,

    Currently we have 1 Gateway Server and 1 Management/Enrollment Server that we were using for testing. Now we would like to go live with the system. How easy would it be to add an additional Gateway server for redundancy purposes?

    Do we simply need to add 2 A Name DNS records to point to the 2 IP addresses and then send the updated Gateway address over Group Policy? Or do we need to configure things like Microsoft NLB on the gateway servers?

    Thanks,
    Chris
    Monday, November 23, 2009 11:41 AM

Answers

  • When a device tries to connect to an MDM environment it must perform a DNS lookup. If you have two gateways with the same host name, then two IP addresses are returned from the DNS request. The device will connect to either of the gateways, as part of a sequence or permutation (I’m not sure which). I’m not privy to the implemented MDM algorithm, but it is probably Round Robin. The failover mechanism is all client side, so you can’t make a server side change to instantly prefer one server over the other. You can, however, change Group Policy or DNS to make this change slowly. It’s a Catch 22 situation... The devices need to connect in to get the change! If an MDM gateway is unavailable, the device will try to connect to the next gateway. You can use a Content Delivery Platform to improve the failover mechanism, but this is an extra service. Please read the Deploying MDM 2008 SP1 in a Global Enterprise Environment TechNet document for HA considerations.

    Cheers Wayne
    Airloom

    Monday, November 30, 2009 12:08 AM
    Moderator

All replies

  • There are several ways to do this, which depend on whether you use a distributed or scaled-out topology. Adding multiple (A) resource records for each MDM gateway and updating the Gateway address in Group Policy is a recommended solution from Microsoft. Check out the MDM Scaled-Out Distributed Configuration Topology document for more information.

    Cheers Wayne
    Airloom
    Wednesday, November 25, 2009 2:12 AM
    Moderator
  • Hi Wayne,

    Thanks for your help.

    I understand this now. Is it also recommended to use different IP pools for each Gateway server? We have a few persistent routes set up, so I'm trying to work out how best to configure this. I'm guessing if a server fell over the devices would just pick up an IP from the other server.
    • Proposed as answer by Ameo Wednesday, November 25, 2009 2:20 PM
    Wednesday, November 25, 2009 11:22 AM
  • @ChrisEdg87
    I'm guessing if a server fell over the devices would just pick up an IP from the other server.

    Is this statement true, or do I need a special PowerShell command or something else?

    thanks!
    Wednesday, November 25, 2009 2:25 PM
  • @Wayne Phillips.MVP, Moderator

    Are you sure that I have to add a second address for the second mdmgate server in the Group Policy?

    From my point of view our DNS servers should contain the DNS address for our mobile devices.
    This DNS address contains two addresses: the address for the first and the address for the second mdmgate server.

    When one of our gateway servers has crashed, the DNS server should only contact the gateway server which is running?

    I hope you understand.

    thanks!
    Thursday, November 26, 2009 7:03 AM
  • Hi Ameo,

    I think you may be misunderstanding what we mean by multiple DNS Resource Records.

    The way I understand it if your devices were connecting to mdmgateway.domain.com for example, you would need the following records in your external DNS Server -

    mdmgateway.domain.com - Host(A) - <primary gateway ip>
    mdmgateway.domain.com - Host(A) - <secondary gateway ip>

    DNS would then use 'Round Robin' for Fault Tolerance and Load Balancing.

    Someone please correct me if this isn't correct.

    Thursday, November 26, 2009 1:37 PM
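    The following is an added example, not code from this thread or from MDM itself. It models the two points made above: a name with two Host (A) records, as in Chris's DNS layout, and the purely client-side failover Wayne describes, where the device works through the returned addresses and nothing on the server side picks for it. The zone fragment, the documentation-range IPs, the `try_connect` callback and the `simulate` helper are all constructed for illustration.

```python
"""Added example (not from the thread): resolve a gateway name with two
A records, apply round-robin ordering, and fail over on the client side.

Assumptions (not from the thread): the zone fragment, the gateway IPs and
the try_connect callback are constructed stand-ins for real DNS and TCP.
"""
from typing import Iterable, List, Optional, Tuple

# Constructed zone-file fragment in the shape Chris described:
# two Host (A) records under one owner name.  The addresses are
# documentation-range placeholders (RFC 5737), not real gateway IPs.
ZONE_FRAGMENT = """\
; constructed example zone data
mdmgateway.domain.com.  300  IN  A  192.0.2.10   ; primary gateway
mdmgateway.domain.com.  300  IN  A  192.0.2.11   ; secondary gateway
"""


def parse_a_records(zone_text: str, name: str) -> List[str]:
    """Return the A record targets for `name` from a zone-file fragment."""
    targets: List[str] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        fields = line.split()  # owner ttl class type rdata
        if (len(fields) >= 5
                and fields[0].rstrip(".") == name.rstrip(".")
                and fields[2].upper() == "IN"
                and fields[3].upper() == "A"):
            targets.append(fields[4])
    return targets


def round_robin_order(addresses: List[str], query_index: int) -> List[str]:
    """Rotate the answer set the way a round-robin DNS server does:
    each successive query starts one entry further along."""
    if not addresses:
        return []
    k = query_index % len(addresses)
    return addresses[k:] + addresses[:k]


def connect_with_failover(addresses: List[str], try_connect,
                          timeout_s: float = 5.0
                          ) -> Tuple[Optional[str], List[Tuple[str, bool]]]:
    """Client-side failover: try each resolved address in order and return
    the first one that answers (or None) plus the attempt log.  DNS does no
    health check, so a dead gateway's address is still returned and the
    client pays the connect timeout before moving to the next one."""
    attempts: List[Tuple[str, bool]] = []
    for addr in addresses:
        ok = try_connect(addr, timeout_s)
        attempts.append((addr, ok))
        if ok:
            return addr, attempts
    return None, attempts


def simulate(down: Iterable[str], query_index: int = 0):
    """Resolve, order and connect against a constructed reachability map
    (`down` lists gateway IPs that should refuse the connection)."""
    unreachable = set(down)

    def try_connect(addr: str, timeout_s: float) -> bool:
        # constructed stand-in for a TCP/TLS connect with a timeout
        return addr not in unreachable

    resolved = parse_a_records(ZONE_FRAGMENT, "mdmgateway.domain.com")
    ordered = round_robin_order(resolved, query_index)
    return connect_with_failover(ordered, try_connect)


if __name__ == "__main__":
    print(simulate(down=[]))                                # both up
    print(simulate(down=["192.0.2.10"]))                    # primary down
    print(simulate(down=["192.0.2.10", "192.0.2.11"]))      # nothing reachable
```

    The model makes Wayne's caveat concrete: with only round-robin DNS, a crashed gateway's record keeps being handed out until someone removes it or the device reaches the replacement policy, so the observable cost of a failure is one connect timeout per device per lookup rather than an outage. Lowering the record TTL shortens how long a removed record lingers in caches, and checking the answer set with `nslookup mdmgateway.domain.com` (or `Resolve-DnsName` on newer Windows) from outside the network confirms that both records are actually being returned.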
  • Of course I understand your answer.

    But Wayne Phillips wrote that I have to "update the Gateway address in group policy". I think that isn't necessary?

    Next question. Can anyone please explain to me what happens when the first gateway server crashes?
    All mobile devices which get IP addresses from the first gateway server will disconnect.
    Do you know if the mobile devices are able to contact the other, running, gateway server?

    Thanks

    Ameo


    Thursday, November 26, 2009 4:28 PM
  • It’s nice to see some lively debate. As always the answer is “It depends”. Are you running multiple instances? Are your MDM gateways in different geographic locations? If you have two gateways in the same geographic location then you don’t need to update Group Policy. If you have gateways in different countries then you can configure the local devices to talk to the nearest MDM gateway/s. In this case you will need to edit Group Policy documents. I’m not familiar with your specific requirements, so I apologise if my comments were misleading.

    If you have two MDM gateways that provide VPN access at one specific site, with identical host names, then you don’t need to update Group Policy. ;-)

    Cheers Wayne
    Airloom

    Friday, November 27, 2009 12:18 AM
    Moderator
  • play, thanks for the answer.

    But can anyone please explain what happens when one of my gateway servers crashes? What happens with the mobile devices which get IP addresses from the crashed server? Do these devices connect automatically to the running gateway server?

    Furthermore, are there any possibilities, for instance PowerShell commands, which allow us to use only the first or the second ga server?

    Thanks!

    Ameo!
    Sunday, November 29, 2009 6:25 PM
  • Thanks Wayne.

    I think I may have initially confused things when asking about changing Group Policy. The only reason for this was that (foolishly) the first few devices we enrolled were configured to connect to the Gateway server's FQDN rather than a DNS alias.

    Hopefully after amending this, adding a new server should be fairly straightforward.

    Thanks again,
    Chris

    Monday, November 30, 2009 10:49 AM