VMware Workspace ONE Community
AhmedA2_
Enthusiast

Why are all the connections unidirectional outbound?

Why are all the connections unidirectional outbound?

For example, the connection from the mobile device to UEM.

How do the connections proceed? From the device to UEM and to SEG.


Accepted Solutions
Yajimad13
Enthusiast

Because all connections are coming from devices, we only need outbound connections from devices.
Although not strictly accurate, I will describe my understanding below.

  1. On the device, a user installs the Intelligent Hub app.
    This won't need an inbound connection from UEM, just as we do not need an inbound connection when we install other mobile apps on our mobile device while connected to Wi-Fi at home.
  2. The user enrolls a device by using the Intelligent Hub app and obtains the MDM profile from UEM.
    This won't need an inbound connection from UEM, just as we do not need an inbound connection when accessing internet web pages and downloading content in a web browser while connected to Wi-Fi at home.
  3. Enrolled devices will access their Push Notification Service servers (e.g. APNs for Apple devices) to check whether they need to access the Device Service server of UEM to obtain commands or configuration for them.
    If there are commands or configuration on the Device Service server of UEM, the Push Service servers will push the messages back to the devices.
  4. If the Boxer app is configured on the UEM console for deployment to the device fleet, the UEM console tells the Device Service server "hey, there is a new app for devices", and the Device Service server tells the Push Notification Services.
    The Push Notification Service server will wait for the next access from the devices.
    This won't need an inbound connection from UEM to the device.
  5. The device will install Boxer, following steps like the ones below.
    The device will access the Push Notification Server and will get a message saying "hey, there is a new app for you, go to the device service server".
    Then the device will access the Device Service server and will get a message saying "hey, there is an app config for you, here you are. Next, you will have to install the Boxer app from the app store".
    Last, the device will access the app store and will get the Boxer app installed.
    This won't need an inbound connection from UEM to the device.
  6. The device reads the "app config" that was provided by the Device Service server.
    The config says "hey, your SEG server URL is here, access it with Boxer and get your e-mail".
    Then the device will connect to SEG.
    This won't need an inbound connection from UEM to the device.

Hope this helps

AhmedA2_
Enthusiast

And for the VMware Tunnel and user authentication too. As far as I know, the Tunnel uses mutual authentication. And with the SEG, how will the user send email if the connections are outbound from SEG?

Yajimad13
Enthusiast

As you said, with "mutual authentication" the VMware Tunnel server and client devices will check each other's certificates.

When a client device accesses a VMware Tunnel server, the client will say "hey, pls show me your certificate".
Then the VMware Tunnel server replies "ok, here you are, and after checking my certificate, pls show me your certificate".
This communication is started from the client device, so the client device does not need an inbound connection allowed on the firewall.

SEG is a kind of email proxy server. IMHO, a usual email proxy server does not generate a new outbound connection from itself to its email client apps and client devices. An email proxy server just waits for access from its email client apps and client devices.

Sincerely
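
Added example, not part of the reply above and not VMware code: a minimal model of a stateful firewall in front of the device, showing what "outbound only" means for the Tunnel exchange described in that reply. The device opens the connection, and the server's certificate and certificate request come back on that same tracked connection; the host names, ports and packet sequence are constructed assumptions.

```python
# Added illustration: "outbound only" describes who may OPEN a connection,
# not which way data may flow once it is open.
# Host names, ports and the packet list are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only on the packet that opens a new connection
    note: str = ""


class OutboundOnlyFirewall:
    """Allows connections opened from inside and tracks them so replies can return."""

    def __init__(self, inside):
        self.inside = set(inside)
        self.flows = set()   # (inside_host, inside_port, outside_host, outside_port)

    def check(self, p):
        if p.src in self.inside:                       # device -> network
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "ALLOW outbound"
        key = (p.dst, p.dport, p.src, p.sport)         # network -> device
        if key in self.flows and not p.syn:
            return "ALLOW reply"                       # belongs to a tracked flow
        return "DROP unsolicited inbound"


def run_demo():
    fw = OutboundOnlyFirewall(inside={"device"})
    packets = [
        Packet("device", 50001, "tunnel.example.com", 443, syn=True,
               note="device opens connection, asks for server certificate"),
        Packet("tunnel.example.com", 443, "device", 50001,
               note="server certificate + request for client certificate"),
        Packet("device", 50001, "tunnel.example.com", 443,
               note="client certificate"),
        Packet("uem.example.com", 443, "device", 8443, syn=True,
               note="server tries to open a new connection to the device"),
    ]
    return [(p.note, fw.check(p)) for p in packets]


if __name__ == "__main__":
    for note, verdict in run_demo():
        print(f"{verdict:26} {note}")
```
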

AhmedA2_
Enthusiast

Therefore both of them are not unidirectional, right?

I do not get it. How will the server reply with "I need your certificate" if the connection is unidirectional outbound only?

How does the user authenticate with an Exchange user or AD server with outbound only?

How will the user send an email and get an email with outbound?
