Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Make Every Moment Count 2016 Connect The Premier Social Business and Digital Experience Conference #ibmconnect 1130 – IBM Mobile Connect Real World Usage Scenarios René Winkelmeyer, midpoints GmbH Sun, 31 Jan 2016

Upload: rene-winkelmeyer

Post on 08-Jan-2017

TRANSCRIPT

Page 1: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

1130 – IBM Mobile Connect Real World Usage Scenarios René Winkelmeyer, midpoints GmbH Sun, 31 Jan 2016

Page 2: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Agenda

• IBM Mobile Connect at a glance
• Scenario “Configuration for IBM Traveler (and others)”
• Security considerations – Certificate based authentication
• Security considerations – MDM integration

Page 3: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

About me

IBM Advanced Business Partner
IBM Design Partner (Notes Domino, Mobile, Verse)

Apple Enterprise Developer and MDM Group Member
Samsung Enterprise Alliance Partner

Worldwide Service Offerings
  - Enterprise Mobility
  - Mobile Device and Application Management
  - IBM Traveler and IBM Mobile Connect implementation + custom addon products

René Winkelmeyer, Head of Development

Page 4: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

About me

Reach out any time

Skype / Twitter / LinkedIn => muenzpraeger

Web: https://blog.winkelmeyer.com, http://www.midpoints.de

René Winkelmeyer, Head of Development

Page 5: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

What is this session about?

• Enhancements and new configurations of IBM Mobile Connect to make your life easier.
• If you are looking for a starter guide, please check out my slides from Lotusphere 2012 and 2013.

Page 6: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

IBM Mobile Connect at a glance

Latest version of this slidedeck is available on https://slideshare.net/muenzpraeger

Page 7: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

IBM Mobile Connect – Specifications

• Current version:
  - 6.1.5.2
• Server
  - Windows – 2003/2008/2012 Server
  - Linux – Red Hat Enterprise & SuSE Enterprise Server
  - AIX

Page 8: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

IBM Mobile Connect – Specifications

• Mobility (VPN) Clients
  - Microsoft Windows 2000, XP, Vista, 7
  - OS X
  - Linux (Red Hat, SuSE, Novell)
  - Windows Mobile incl. 6.5, Symbian (selected devices), Palm
  - Android
• Browser
  - IE, Firefox, Safari, Chrome

Page 9: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

IBM Mobile Connect – Capabilities

• VPN gateway
  - Clients are available for Windows, Mac, Linux, Android
• WiFi gateway
• Clientless gateway
  - HTTP access, like browsers or mobile apps

[Slide callout: Focus]

Page 10: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Reverse Proxy – why and how?

• A Reverse Proxy acts as a tier between a requester (i.e. browser) and a backend system.
• In contrast to a Forwarding Proxy, a Reverse Proxy acts on behalf of the web server.
• The Reverse Proxy forwards the incoming request to the backend system and sends the response back to the user.

Page 11: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Reverse Proxy – why and how?

[Diagram: Reverse Proxy and Backend system]

Page 12: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

What is a Secure Reverse Proxy?

• Defined endpoint for encrypted communication between external clients and internal systems.
• Central authentication and Single-Sign-On for all connected backend systems.
• Access authorisation for the connected backend systems.

Page 13: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

IBM Mobile Connect as Secure Reverse Proxy

• Single-Sign-On using username/password or certificates for IBM backend systems
• Authentication sources are Domino LDAP or Active Directory
• Single URL access
• Automatic IBM Traveler Pool assignment

Page 14: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Infrastructure scenarios

[Diagram: Secure Reverse Proxy in front of the backend systems Traveler, Sametime and Connections. Connection labels: HTTPS, HTTP(S). External URL: https://mobile.midpoints.net with the paths /traveler, /chat and /social.]

Page 15: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Infrastructure scenarios

[Diagram: Secure Reverse Proxy with Load Balancing and Failover, a Traveler HA Service Pool (Traveler 1, Traveler 2, Traveler 3), three Domino Mail servers and IBM DB2 / MS SQL databases. Connection labels: HTTPS, HTTP(S), Notes, DB2/SQL. External URL: https://mobile.midpoints.net/traveler]

Page 16: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Why IBM Mobile Connect – and not others?

• Native integration for all IBM Collaboration products
• Up-to-date TLS stack
• Scaling – one server can handle 10k parallel accesses
• MDM integration
• IBM support

Page 17: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Remember Domino and SHA2?

Page 18: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

IBM Mobile Connect – Components

• Connection Manager
  - The IMC Connection Manager is the main component. It forwards the client requests to the backend systems.
• Gatekeeper
  - A Java-based administration client for IMC. Can be installed on the same system as the Connection Manager or on another one.

Page 19: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

IBM Mobile Connect – Components

• Access Manager
  - Gets installed with the Connection Manager on the server. It is responsible for pushing the configuration changes (from the Gatekeeper) to the internally used database. It also updates the Connection Manager dynamically.

Page 20: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Scenario “Configuration for IBM Traveler (and others)”

Page 21: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

IBM Traveler and IBM Mobile Connect

• Mobile mail access is a critical component nowadays in every environment. So is Traveler.
• Different environment setups are possible for Traveler
  - Standalone setup
  - High Availability with one or multiple pools

Page 22: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

IBM Traveler – Pool definition / challenges

• A “Traveler pool” is the logical combination of multiple Traveler servers that share the same backend database.
  - A single pool can serve up to 10k devices.
  - The Traveler servers handle load balancing internally.
• Different setups are possible, like splitting pools by device type, user region and more.
  - Without a centralized proxy all will have different entrypoint URLs.

Page 23: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

IBM Traveler – How IBM Mobile Connect helps

• IMC has four main features that improve the Traveler experience.
  - Defined proxy rules for Traveler access
  - Session assignment
  - Single URL support
  - Automatic Server/Pool assignment

Page 25: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

IMC workflow (simplified)

[Flowchart: Authenticated user connects → Check if Pool assignment is active → Validate user LDAP attribute → set: assign / not set: don't assign]

Page 26: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Automatic Server/Pool assignment configuration

• Define within a http-access service which LDAP attribute should be queried

Page 27: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Automatic Server/Pool assignment configuration

• An “Application server pool” is a dedicated resource type

Page 28: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Automatic Server/Pool assignment configuration

• A “Pool configuration” contains one or multiple backend host names.

Page 29: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Automatic Server/Pool assignment configuration

• One or multiple strings can be added for the automatic pool assignment. The value must match the content of the LDAP field.

Page 30: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Automatic Server/Pool assignment configuration

• Multiple server pools can be defined.

Page 31: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Automatic Server/Pool assignment configuration

• Activate the application server pool usage in the http-access service

Page 32: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Adding more apps

• Besides Traveler all ESS backend systems are supported with specialized URL and content handling
  - i.e. URL rewriting of transmitted content
• Delivers perfect integration including SSO capabilities
  - IBM Connections
  - IBM Connections Chat
  - IBM Domino

Page 33: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Adding more apps

• Simplified by application specific identifier.

Page 34: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Summary

• The built-in capabilities help to deliver a streamlined administrative experience.
• Hassle-free connection to IBM ESS backend systems.
  - LTPA1 and LTPA2

Page 35: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Security considerations – Certificate based authentication

Page 36: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Certificates? Certificates!

• A high level of security can be achieved by using certificates for authentication.
• Certificates are a common practice for verifying clients and servers. The latter one is mostly known as “SSL hostname authentication”.
  - Companies are moving more and more to client certificate based authentication for different services.
  - Domino companies should be familiar with that… ;-)

Page 37: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Why set up IBM Mobile Connect for this?

• Achieve a higher level of security by using certificate based authentication for your critical data.
  - Different setup scenarios are available.
• Remove the need for passwords – make it easier for your users. But only if you want.

Page 38: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

IMC workflow (simplified)

[Flowchart labels: Client presents certificate; IMC validates public key and validity; Subject string check; 2FA; LDAP; SSO]

Page 39: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Configuring Certificate based authentication

• The standard authentication process leverages a username/password combination.

Page 40: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Configuring Certificate based authentication

• Add 2-Factor-Authentication by enforcing additional password usage.
  - Can be enriched with user id check

Page 41: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Configuring Certificate based authentication

• Trust your certificates and resolve the username based on certificate criteria.

Page 42: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Configuring Certificate based authentication

• Additional security/alternatives can be added using a custom string match.

Page 43: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Summary

• Certificate based authentication enhances the security of your backend applications.
• Different setups allow you to leverage it as you need it.
• Certificate deployment options need to be revisited.
  - Not all IBM ESS apps support certificate based authentication (yet).

Page 44: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Security considerations – MDM integration

Page 45: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

What is MDM?

• Mobile Device Management (MDM) is used to manage devices and applications in your mobile workforce
  - Lots of companies still don’t use an MDM. And you?
• Allows remote device configuration, data and device deletion, app deployment and much more.

Page 46: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Why MDM integration for IBM Mobile Connect?

• A Reverse Proxy authenticates only the user – not the device. So there is no control over whether “unmanaged” devices can access internal resources.
  - Jailbroken/rooted devices
  - Data Loss Prevention

Page 47: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

IMC / MDM integration infrastructure

[Diagram: IBM Mobile Connect, the services IBM Notes Traveler, IBM Connections and MDM, and three Domino Mail servers. Connection labels: HTTPS, HTTP(S), Notes. External URLs: https://mobile.midpoints.net/traveler, https://mobile.midpoints.net/connections]

Page 48: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

How does the MDM integration work?

• Depending on the incoming request different values are evaluated.
  - Traveler identification is determined by the submitted sync device id in the URL call.
  - IBM ESS apps are sending custom headers with their authorization requests. Those headers are set via MDM.
• Custom access definitions, like “allow” or “deny”, are then applied.

Page 49: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

IMC workflow (simplified)

[Flowchart: User is authenticated → Device information is extracted → Device is validated via MDM interface → allowed: access / not allowed: no access]

Page 50: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Configuring MDM integration

• “MDM Integration” is a separate resource type

Page 51: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Configuring MDM integration

• Validation results (and outcome) are configurable.

Page 52: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Configuring MDM integration

• Enhanced checks are available like compliance re-validation and user mapping.

Page 53: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Configuring MDM integration

• Custom “tokens” can be used for different setups on the same vendor.

Page 54: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

IBM Mobile Connect configuration

• Besides tight security you can also go a little bit loose.
  - Great for migration scenarios.
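
The device check described in the MDM integration slides above (device id from the Traveler URL or from an MDM-set header, validation, configurable outcome, user mapping, loose mode for migrations), as an added Python example that is not part of the original deck and is not IMC's own code. The header name, the ActiveSync-style `DeviceId` query parameter, the inventory and the policy tables are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Hypothetical header name; the slides only say that MDM-managed apps send
# custom headers, not what they are called.
DEVICE_HEADER = "x-example-mdm-device-id"

# Constructed inventory standing in for the MDM vendor's lookup interface.
MDM_INVENTORY = {
    "ApplDN6TK0AAAA": {"owner": "alice", "compliant": True},
    "ApplDN6TK0BBBB": {"owner": "bob", "compliant": False},
    "app-7f3c": {"owner": "alice", "compliant": True},
}

# Outcome per validation result. STRICT denies anything not known-good;
# MIGRATION lets through devices that the MDM does not know yet.
STRICT = {"compliant": "allow", "non_compliant": "deny", "unknown": "deny",
          "user_mismatch": "deny", "no_device_id": "deny"}
MIGRATION = dict(STRICT, unknown="allow", no_device_id="allow")


@dataclass
class Request:
    user: Optional[str]          # filled in by the proxy after authentication
    url: str
    headers: dict = field(default_factory=dict)


def extract_device_id(req: Request) -> Optional[str]:
    """Traveler sync calls carry the id in the URL, other apps in a header."""
    parts = urlsplit(req.url)
    if parts.path.startswith("/traveler"):
        # Assumed ActiveSync-style query string: ...?User=..&DeviceId=..
        ids = parse_qs(parts.query).get("DeviceId", [])
        # Repeated parameters are ambiguous, so treat them as "no id".
        return ids[0] if len(ids) == 1 else None
    for name, value in req.headers.items():
        if name.lower() == DEVICE_HEADER:   # header names are case-insensitive
            return value.strip() or None
    return None


def validate(req: Request, inventory=MDM_INVENTORY) -> str:
    """Return the validation result for an already authenticated request."""
    device_id = extract_device_id(req)
    if device_id is None:
        return "no_device_id"
    record = inventory.get(device_id)
    if record is None:
        return "unknown"
    # User mapping: the device must be enrolled for the authenticated user,
    # so an id enrolled for one user is not accepted for another account.
    if record["owner"] != req.user:
        return "user_mismatch"
    return "compliant" if record["compliant"] else "non_compliant"


def decide(req: Request, policy=STRICT, inventory=MDM_INVENTORY):
    """Apply the configured outcome; unauthenticated requests never pass."""
    if not req.user:
        return ("deny", "unauthenticated")
    result = validate(req, inventory)
    # Fail closed if a result has no configured outcome.
    return (policy.get(result, "deny"), result)
```

Passing `policy=MIGRATION` to `decide` gives the loose mode: devices the MDM does not know yet are allowed, while non-compliant devices and user mismatches are still denied.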

Page 55: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Available MDM integrations

Page 56: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Summary

• MDM integration enhances security by adding an additional layer of security.
• Different setup scenarios are available to fit your organization's needs.

Page 60: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Acknowledgements and Disclaimers

Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.

The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

Page 61: Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios

Acknowledgements and Disclaimers cont.

© Copyright IBM Corporation 2015. All rights reserved.

•  U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

•  IBM, the IBM logo, ibm.com, IBM Domino, IBM Sametime, IBM Connections are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml

“Maas360” is a trademark of Fiberlink Communications Corporation.

Other company, product, or service names may be trademarks or service marks of others.