During the initial setup of a NetMotion Mobility gateway server, the administrator must choose to allow either Secure (HTTPS) or Non-secure (HTTP) connections when using the web-based Mobility Console.
Configuring HTTPS
Security best practices dictate HTTPS should be enabled to protect credentials used to log on to the gateway remotely. Immediately after selecting the Secure (https:) option, the administrator is prompted to enter server certificate information. Enter this information and click OK to continue and complete the rest of the configuration as necessary.
Self-Signed Certificate
When logging in to the Mobility console, the administrator is presented with a certificate error indicating there is a problem with the website’s security certificate. This is because the certificate is self-signed by the NetMotion Mobility gateway server and is not trusted.
PKI Issued Certificate
The recommended way to resolve this is to request a certificate from a trusted certification authority (CA). To do this, open the Mobility Management Tool on the Mobility gateway server and click on the Web Server tab.
Click on the Server Certificate button and then click New in the Certificate Request section.
In the SAN (subject alternative name) field of the Optional Extension section enter the Fully Qualified Domain Name (FQDN) of the server using the syntax dns:fqdn. Include both the FQDN and the single-label hostname (short name) separated by a comma to ensure both names work without issue. For example:
dns:nm1.lab.richardhicks.net,dns:nm1
Before requesting a certificate from a CA, the root and any intermediate CA certificates must first be imported. Click the Import button next to each, as required.
Click Copy in the Certificate Request section to copy the Certificate Signing Request (CSR) to the clipboard and then save it to a text file. Now submit the CSR to be signed by the CA using the certreq.exe command. Open an elevated command or PowerShell window and enter the following commands.
certreq.exe -attrib “CertificateTemplate:[TemplateName]” -submit [Path_to_CSR_file]
For example:
certreq.exe -attrib “CertificateTemplate:LabWebServer” -submit certreq.txt
Select a CA from the list and click OK, then save the certificate response when prompted.
Click Response and specify the location of the certificate response file saved in the previous step.
Once complete, the newly issued certificate will be in place. Click Close to complete the process.
Click Yes when prompted to restart the Mobility console.
Trusted Certificate
Opening the Mobility Console no longer produces a certificate error message with a certificate installed from a trusted CA.
In addition, if you followed the guidance above and included the single-label hostname in the SAN field, accessing the server using the short name will also work without issue.
Summary
Always select the option to use HTTPS to ensure the highest level of security and protection of credentials when remotely administering a NetMotion Mobility gateway server. For optimal security and to provide the best user experience, use a certificate issued and managed by a trusted CA to prevent certificate errors when opening the Mobility console.
Additional Information
NetMotion Mobility as an Alternative to DirectAccess
NetMotion Mobility Device Tunnel Configuration
Comparing NetMotion Mobility and DirectAccess Part 1 – Security
Comparing NetMotion Mobility and DirectAccess Part 2 – Performance
DirectAccess and NetMotion Mobility Webinar
DirectAccess connections are bidirectional, allowing administrators to remotely connect to clients and manage them when they are out of the office. DirectAccess clients use IPv6 exclusively, so any communication initiated from the internal network to remote DirectAccess clients must also use IPv6. If IPv6 is not deployed natively on the internal network, the Intrasite Automatic Tunnel Addressing Protocol (ISATAP) IPv6 transition technology can be used to enable manage out.
