Academic year: 2021

CA MDM – MOBILE DEVICE MANAGEMENT

Introduction, Setup and Troubleshooting of the Relay Server and RSOE

CAMDM Versions: 2014Q1, 2014Q1 SP1

Introduction to Relay Server and RSOE (Relay Server Outbound Enabler)

Relay Server

The Relay Server enables secure and load-balanced communication between mobile devices and the backend CAMDM servers.

The CAMDM solution supports using a Relay Server as a reverse proxy for the HTTP and HTTPS sessions between the CAMDM Server and its mobile clients. To connect mobile devices to a server located on the company intranet, the Relay Server is the landscape component that adds this capability in a safe and secure way. It typically sits in the corporate De-Militarized Zone (DMZ), which is protected by two layers of firewalls, internal and external. Using a Relay Server further secures the enterprise network by moving the session connection point from inside the internal firewall to the DMZ, so that no device connects directly to a CAMDM server.

The Relay Server serves two purposes:

1. Reverse Proxy – the Sybase Relay Server "hides" the CAMDM servers from direct access by attackers; only the Relay Server is reachable from outside.

2. Load Balancer – the Sybase Relay Server distributes the incoming traffic over multiple CAMDM nodes.

RSOE

Relay Server Outbound Enablers are commonly known as "RSOE" and run on the same computer as the CAMDM server. The RSOE's purpose is to open an outbound connection from the CAMDM server to the Relay Server running in the DMZ and to forward the requests it receives from the Relay Server to the backend server (e.g. CAMDM). When the Outbound Enabler starts, it makes an HTTP request to retrieve the list of Relay Servers running in the farm.

Before starting an RSOE, validate that the Relay Server is started, that the CAMDM services are started, and that the Relay Server configuration (rs.config) is in place on the Relay Server.

The RSOE connects to the Relay Server using the server URL that maps to the web server extension component of the Relay Server (rs_server.dll).


The Relay Server that receives the request from the Outbound Enabler returns the connection information for all Relay Servers in the farm. The Outbound Enabler then creates two outbound connections, called channels, to each Relay Server returned. One channel, called the up channel, is created using an HTTP request with an essentially infinite response. The response is a continuous stream of client requests from the Relay Server to the Outbound Enabler. The second channel, called the down channel, is created using an HTTP request with an essentially infinite content length. The request is formed by a continuous stream of server responses to client requests.

Simple Architecture of Relay Server and CAMDM

As shown in the diagram, the Relay Server acts as a reverse proxy: the request comes from the mobile device and lands on the Relay Server. The RSOE, which acts as an agent for the backend MDM server, then fetches that request from the Relay Server on behalf of the MDM server.

Complex Architecture of Relay Server and CAMDM

The following diagram shows a more complex architecture, where multiple Relay Servers work together and act as both a load balancer and a reverse proxy:


Installing and configuring the Relay Server

1. Installing the Relay Server

The following steps summarize the procedure for installing and configuring a Relay Server on an existing Windows Server 2008 R2 (x64) system running IIS 7.5:

a. Log in to the CA Support site and download the latest copy of CAMDM, which includes the Relay Server binaries. The following folder of the install media contains the Relay Server install directories (your source folder name may differ): ..\GEN06090156E\relay_server\64 Bit\ias_relay_server\

b. Copy the ias_relay_server directory into the root directory of the IIS server, e.g. ..\inetpub\wwwroot

Copy from folder

..\GEN06090156E\relay_server\64 Bit\ias_relay_server

to

C:\inetpub\wwwroot\

c. Create (or, after the copy, verify) the following directory structure under C:\inetpub\wwwroot\:

C:\inetpub\wwwroot\ias_relay_server
C:\inetpub\wwwroot\ias_relay_server\Server
C:\inetpub\wwwroot\ias_relay_server\Client

3. Make sure the following components are installed in IIS 7.x; if not, install them:

a. Open Server Manager and verify that both the Web Server (IIS) role and the following role services are installed:

 Common HTTP Features
   o Static Content
   o Default Document
   o Directory Browsing
   o HTTP Errors
 Application Development
   o ISAPI Extensions
 Health and Diagnostics
   o HTTP Logging
   o Request Monitor
 Security
   o Request Filtering
 Performance
   o Static Content Compression
 Management Tools
   o IIS Management Console
   o IIS 6 Management Compatibility
      o IIS 6 Metabase Compatibility
      o IIS 6 WMI Compatibility
      o IIS 6 Scripting Tools
      o IIS 6 Management Console

b. Install any missing Role Features from the above list.

c. Reboot the system if required by Windows.

4. Create an IIS application pool on the Relay Server.

a. Open the Internet Information Services (IIS) Manager.

b. Add a new Application Pool with the following attributes:

   Name: RelayServer
   1. .NET Framework Version: .NET Framework v2.0.50727
   2. Managed pipeline mode: Integrated
   3. Check "Start Application pool immediately"
   4. Open the Advanced Settings for the new Application Pool and set the following attributes:

   (General) Queue Length: 65535
   (CPU) Limit Interval (minutes): 0
   (Process Model) Idle Time-out (minutes): 0
   (Process Model) Ping Enabled: False
   (Process Model) Ping Period (seconds): 30
   (Process Model) Ping Maximum Response Time (seconds): 90
   (Process Model) Identity: ApplicationPoolIdentity
   (Rapid-Fail Protection) Enabled: False
   (Recycling) Regular Time Interval (minutes): 0
   (Recycling) Disable Overlapped Recycle: True

5. Create an application directory for the server application pool

Open the Internet Information Services (IIS) Manager. There are two options:

1. Use the Default Web Site with the default port.

2. Create a new web site only for the Relay Server, with a different port than the Default Web Site.

Highlight the web site you want to use (Default or your own custom web site) and add a new Application with the following attributes (the alias, application pool and physical path used throughout this document):

   Alias: ias_relay_server
   Application pool: RelayServer
   Physical path: C:\inetpub\wwwroot\ias_relay_server

With the ias_relay_server application selected, open the Request Filtering settings, go to "Edit Feature Settings" and change the following attributes:

   Maximum allowed content length (bytes): 2147483647
   Maximum query string (bytes): 65536

Open "Handler Mappings" > "Edit Feature Permissions" and make sure only Script and Execute are checked.

Open the SSL Settings and make sure that "Require SSL" is NOT checked. Note that with "Require SSL" unchecked IIS accepts the Relay Server URLs over plain HTTP as well as HTTPS; whether device traffic is actually held to HTTPS then depends on the client_security setting of the farm in rs.config and on the server address you publish to the devices (see the rs.config section reference and the "Setup https on IIS 7.5" section below).

6. Configure ISAPI and CGI Restrictions

Highlight the server entry, open "ISAPI and CGI Restrictions" and add two new entries with the following settings:

a. Path: C:\inetpub\wwwroot\ias_relay_server\server\rs_server.dll
   Description: RS Server DLL
   Check "Allow extension path to execute"

b. Path: C:\inetpub\wwwroot\ias_relay_server\client\rs_client.dll
   Description: RS Client DLL
   Check "Allow extension path to execute"

7. Update IIS configuration for the Relay Server

The adsutil.vbs script shipped with IIS must be run so that the IIS configuration is updated with the application pool changes you have made.

Note: This must be run from a command prompt running with administrative privileges.

Open the command prompt and run the following commands (the script and value are the same ones used in the "Update IIS Configuration" verification step later in this document):

> cd C:\Inetpub\AdminScripts
> cscript adsutil.vbs set w3svc/1/uploadreadaheadsize 0

The command prompt returns the updated value of uploadreadaheadsize.

If you are running a custom named web site for the Relay Server (in our case we are not), find out the Web Site ID first and use it in place of the 1 in w3svc/1 in the above command.

Example of a custom named web site and a non-custom named web site (our case is the non-custom named site):

Note: The web site ID changes for a custom web site, i.e. 2, as shown in the above diagram.

8. Now install the Windows service

Note: The following commands must be run with administrative privileges.

a. cd C:\inetpub\wwwroot\ias_relay_server\server

b. C:\inetpub\wwwroot\ias_relay_server\server> dbsvc -as -s auto -t rshost -w CAMDMRelayServer "C:\inetpub\wwwroot\ias_relay_server\server\rshost.exe" -q -qc -f "C:\inetpub\wwwroot\ias_relay_server\server\rs.config" -o "C:\Sybase\rs.log"

You now have a service named "SQL Anywhere – CAMDMRelayServer". Start this service in the Windows Services console:

Start > Administrative Tools > Services

Note: It is very important to change the service logon account. Use an account in the local Administrators group, or a Domain Administrator account only if all other systems in the CAMDM landscape use the same domain account.

Running a DMZ service as an administrator is a broad grant. If you deviate from the note above and use a more restricted service account, verify that it can read C:\inetpub\wwwroot\ias_relay_server\server (rshost.exe and rs.config), that it can create and write C:\Sybase\rs.log, and that the rs_server.dll test page described under "Testing Relay Server and RSOE" still reports the Relay Server as available, since the IIS extension and rshost.exe must be able to talk to each other.


9. The Relay Server is now installed.

We now need to configure it so that the CAMDM server can successfully communicate with it. Configuring a relay server is a very important task which should be done very carefully.

A sample configuration file “rs.config.sample” is provided with the Relay server in the folder: C:\Inetpub\wwwroot\ias_relay_server\server\


Use a text editor (Notepad or Notepad++) to edit the file, then save it as rs.config in the same folder (the file passed with -f when the service was installed):

#---
# Relay server with auto start option
#---
[options]
verbosity = 5
# Note: When auto start is used, the default log file is
# %temp%\ias_relay_server.log while rshost is active and it will
# be renamed using YYMMDDNN.olg filename format upon shutdown.
#---
# Relay server peers
#---
[relay_server]
enable = yes
host = 10.2.112.81
http_port = 80
https_port = 443
description = relay server 1 in dmz
#---
# Backend farms
#---
[backend_farm]
enable = yes
id = app7
client_security = off
backend_security = on
description = app007 camdm for iOS
[backend_farm]
enable = yes
id = app7a
client_security = off
backend_security = off
description = app007a camdm for Android
#---
# Backend servers
#---
[backend_server]
enable = yes
farm = app7
id = r3kp
mac = 00-50-56-9b-4a-9a
token = tkn4iOS
[backend_server]
enable = yes
farm = app7a
id = r3kp
mac = 00-50-56-9b-4a-9a
token = tkn4iAndroid

This sample configuration is for our SaaS CAMDM architecture, where a CAMDM server farm and a Relay Server farm are set up. The following screen capture of the CAMDM server shows the registry entry where the [backend_server] id value is found:

Note:

– Use exactly the same server TransmitterId as shown in the CAMDM registry entry (HKLM\Software\Afaria\Afaria\Server\TransmitterId, see the section reference below).

– Take exactly the same steps to set up and configure the CAMDM Relay Server on any additional Relay Server.

10. Relay Server configuration file (rs.config) section reference

If the rs.config file is changed, the Relay Server service must be restarted (or its configuration reloaded, see section 11) so that the changes take effect.

The Relay Server configuration file rs.config consists of several sections, each introduced by a [section] header. They are described as follows:

Note: All values here are case-sensitive.

[options] — Header for the section that sets general options for Relay Server operations.

start — Set the value to "auto" to start the Relay Server engine automatically when an Afaria Server connects successfully. For Windows Server 2008 R2 (IIS 7.5) this value is normally set to "no" when the Relay Server is installed as a Windows service, as in this document; the keyword can then be removed from the file.

verbosity — Controls the level of logging. Logs always include errors; levels 1-5 always include warnings.
   0 = No logging
   1 = Session-level logging
   2 = Request-level logging
   3 = Packet-level logging, terse
   4 = Packet-level logging, verbose
   5 = Transport-level logging
At verbosity 5 the content of device communication is written to rs.log (see the troubleshooting section). Use that level while troubleshooting and lower it again afterwards, since rs.log then sits on a host in the DMZ.

[relay_server] — Header for the section that identifies your Relay Server and its ports for HTTP and HTTPS communications. The Relay Server's ports must match the IIS server's ports.

enable — Valid values are "yes" or "no". Set to "yes" to operate the Relay Server engine and "no" to prohibit Relay Server operations.

host — The Relay Server's own IP address or host name. This must be the internal IP address or DNS name that can be reached by the Afaria Server or other Afaria component that is running the Relay Server Outbound Enabler.

http_port — Set the value to match the Relay Server's IIS setting for HTTP communications. This must be the internal TCP port that can be reached by the Afaria Server or other Afaria component that is running the Relay Server Outbound Enabler.

https_port — Set the value to match the Relay Server's IIS setting for SSL communications.

description — User-defined description for your own reference.

[backend_farm] — Creates a single, case-sensitive identifier for a single Afaria environment, regardless of whether you are operating a single Afaria Server or an Afaria Server farm. The farm ID you define in the configuration file must match the farm ID you define in the Afaria Administrator Server configuration Relay Server settings. In the sample above, client_security controls whether devices must use HTTPS towards the Relay Server, and backend_security controls whether the RSOE must use HTTPS towards the Relay Server; the sample leaves client_security off for both farms, so devices are not forced to HTTPS by the Relay Server itself.

[backend_server] — Identifies an Afaria Server to the Relay Server. You must have at least one; repeat this section for each server in your Afaria environment.

farm — The case-sensitive farm value is the same for each Afaria Server. Use the same farm ID as in the [backend_farm] section.

id — The ID value is unique for each Afaria Server. It is defined in each Afaria Server's registry key HKLM\Software\Afaria\Afaria\Server\TransmitterId.

token — Any string that you create. Use the same token value for each Afaria Server in a farm. The farm token you define in the configuration file must match the farm token you define in the Afaria Administrator Server configuration Relay Server settings (and the -t switch of the RSOE). This value is optional, but we have configured the SI environment using it.

11. Restarting the Relay Server (from the command line)

The Relay Server must pick up the configuration file again any time a change is made to it.

This can be done without restarting IIS and without disrupting other IIS applications: the -u switch updates the configuration of the running Relay Server.

Note: The command must be run from a command prompt running with administrative privileges.

C:\inetpub\wwwroot\ias_relay_server\server\rshost.exe -u -qc -f C:\inetpub\wwwroot\ias_relay_server\server\rs.config

Installing and configuring the RSOE (Relay Server Outbound Enabler)

The intent of this section is to outline the communication between the Relay Server Outbound Enabler (RSOE) and the CAMDM component server.

The Relay Server Outbound Enabler is a special connector that carries all communication between the backend server and the Relay Server over HTTP or HTTPS.

Because all communication with the Relay Server is established on an outbound connection from inside the internal corporate firewall, no inbound ports need to be opened on the internal corporate firewall.

This provides increased security: the internal corporate firewall remains intact, without the requirement of opening inbound ports for communication.

Prerequisites before installing the RSOE

o The CAMDM server should be installed
o The Relay Server should be installed
o The rs.config file should be created and the farm IDs known

Relay Server configuration within CAMDM

By default an RSOE is installed with CAMDM; it can be configured and started from the CAMDM admin console.


If the "Start the outbound enabler with the CA MDM service" option is selected, an rsoe.config file is created in the <CAMDMInstallDir>\bin\RSOutboundEnabler folder on the CAMDM server. Each CAMDM component (Provisioning server, Package server, etc.) should have its own RSOE instance locally on the machine where the component is installed.

There are two ways to start an RSOE:

1. Through the MDM Console – an example of starting the RSOE through the admin console is shown in the diagram.

2. Through a Windows service – if we do not want to start the RSOE through the admin console, we can create a Windows service to start it.

Example scenario: when there are multiple Relay Servers to connect to, the admin console does not allow you to enter multiple Relay Server addresses, so the Windows service route is used.

Before starting the RSOE as a Windows service, it is necessary to install the RSOE on the MDM server.

Steps for installing the RSOE

- Create a directory named "RSOutboundEnabler" in C:\.

- Copy the content of ..\GEN06090156E\relay_server\64 Bit\RSOutboundEnabler into C:\RSOutboundEnabler on your CAMDM machine.

- On the MDM server, open Internet Information Services (IIS) Manager, open Request Filtering and click "Edit Feature Settings"; change "Maximum query string (bytes)" to 8192.

- The system is now ready to start the RSOE as a Windows service.

- Start two RSOE services on each MDM server: 1. "CAMDMRSOEMaster" for iOS devices, and 2. "CAMDMRSOEMasterAndroid" for Android devices.

Sample command for setting up the RSOE as a Windows service for iOS devices:

dbsvc -as -s auto -t rsoe -w CAMDMRSOEMaster "C:\RSOutboundEnabler\rsoe.exe" -cr "host=10.2.112.81;port=443;https=1;url_suffix=/ias_relay_server/server/rs_server.dll","host=10.2.112.80;port=443;https=1;url_suffix=/ias_relay_server/server/rs_server.dll" -cs "host=10.2.116.12;port=443;https=1" -f app7 -id r3kp -t test1 -o "C:\Sybase\rsoe.log" -v 5

Sample command for setting up the RSOE as a Windows service for Android devices:

dbsvc -as -s auto -t rsoe -w CAMDMRSOEMasterAndroid "C:\RSOutboundEnabler\rsoe.exe" -cr "host=10.2.112.81;port=80;url_suffix=/ias_relay_server/server/rs_server.dll","host=10.2.112.80;port=80;url_suffix=/ias_relay_server/server/rs_server.dll" -cs "host=10.2.116.12;port=8001;" -f app7a -id r3kp -t test1a -o "C:\Sybase\rsoe_masterAndroid.log" -v 5

Description of RSOE service parameters

-cr parameters (Relay Server connection; one entry per Relay Server in the farm):
   - host: Relay Server IP
   - port: Relay Server port (80 or 443, matching http_port / https_port in rs.config)
   - https=1: connect to the Relay Server over HTTPS; required when the farm has backend_security = on in rs.config
   - url_suffix: path of the Relay Server's server extension (/ias_relay_server/server/rs_server.dll)

-cs parameters (backend server connection, i.e. the CAMDM component server):
   - host: CAMDM server or any other component
   - port: CAMDM server port

-f: farm ID of the server component, as defined in the Relay Server configuration file (rs.config).

-id: unique ID of the server component, as defined in the Relay Server configuration file.

-t: token of the server component; it must match the token in the matching [backend_server] section of rs.config. Note that the sample commands above use test1 / test1a while the sample rs.config uses tkn4iOS / tkn4iAndroid; in a real deployment these must agree, otherwise the RSOE cannot register with the Relay Server (see the RSOE log checks in the troubleshooting section).

-o: path of the RSOE log file.

-v: log verbosity (5 is used here, as for the Relay Server).
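The consistency rules above (the -f, -id and -t switches must match a [backend_farm] / [backend_server] pair in rs.config, and -cr must use https=1 exactly when that farm has backend_security = on) are the first things to check when an RSOE does not connect, so they are worth automating. The following Python script is an added example written for this guide; it is not part of CAMDM or the Sybase Relay Server. It parses an rs.config in the format shown above (the repeated [backend_farm] and [backend_server] headers rule out Python's configparser) and the switches of an rsoe command line, then reports mismatches and warns when the farm has client_security = off, as both sample farms do. The rs.config text and the command lines embedded in it are constructed for the example and patterned on the samples in this section.

```python
import re

# Constructed sample input, patterned on the rs.config sample and the rsoe commands in this guide.
SAMPLE_RS_CONFIG = """
[relay_server]
enable = yes
host = 10.2.112.81
http_port = 80
https_port = 443
[backend_farm]
enable = yes
id = app7
client_security = off
backend_security = on
[backend_farm]
enable = yes
id = app7a
client_security = off
backend_security = off
[backend_server]
farm = app7
id = r3kp
token = tkn4iOS
[backend_server]
farm = app7a
id = r3kp
token = tkn4iAndroid
"""
RS_URL = 'url_suffix=/ias_relay_server/server/rs_server.dll'
RSOE_IOS = ('"C:\\RSOutboundEnabler\\rsoe.exe" -cr "host=10.2.112.81;port=443;https=1;' + RS_URL +
            '","host=10.2.112.80;port=443;https=1;' + RS_URL + '" '
            '-cs "host=10.2.116.12;port=443;https=1" -f app7 -id r3kp -t tkn4iOS -o "C:\\Sybase\\rsoe.log" -v 5')
RSOE_IOS_BAD_TOKEN = RSOE_IOS.replace('-t tkn4iOS', '-t test1')      # token from the guide's sample command
RSOE_IOS_PLAIN_HTTP = ('rsoe.exe -cr "host=10.2.112.81;port=80;' + RS_URL + '" '
                       '-cs "host=10.2.116.12;port=8001;" -f app7 -id r3kp -t tkn4iOS')


def parse_rs_config(text):
    """Parse rs.config into an ordered list of (section, {key: value}).
    Section headers repeat ([backend_farm], [backend_server]), so configparser is unsuitable.
    Keys and values stay case-sensitive, as the guide notes."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        head = re.fullmatch(r'\[(\w+)\]', line)
        if head:
            sections.append((head.group(1), {}))
        elif sections and '=' in line:
            key, _, value = line.partition('=')
            sections[-1][1][key.strip()] = value.strip()
        else:
            raise ValueError(f'malformed rs.config line: {raw!r}')
    return sections


def parse_rsoe_switches(cmdline):
    """Return {switch: [values]} for the switches that follow rsoe.exe on a dbsvc/rsoe command line.
    A quoted value may be a comma-separated list, as with several -cr relay servers."""
    tail = cmdline.split('rsoe.exe', 1)[1]
    switches = {}
    for name, value in re.findall(r'-(\w+)\s+((?:"[^"]*"\s*,?\s*)+|\S+)', tail):
        quoted = re.findall(r'"([^"]*)"', value)
        switches.setdefault(name, []).extend(quoted or [value])
    return switches


def conn_params(value):
    """'host=a;port=443;https=1' -> {'host': 'a', 'port': '443', 'https': '1'}"""
    return dict(p.split('=', 1) for p in value.strip(';').split(';') if '=' in p)


def check_rsoe_against_rs_config(rs_config_text, rsoe_cmdline):
    """Cross-check -f / -id / -t / -cr against rs.config; returns {'errors': [...], 'warnings': [...]}."""
    sections = parse_rs_config(rs_config_text)
    sw = parse_rsoe_switches(rsoe_cmdline)
    farm_id, server_id, token = (sw.get(k, [None])[0] for k in ('f', 'id', 't'))
    out = {'errors': [], 'warnings': []}
    farms = {s['id']: s for name, s in sections if name == 'backend_farm' and s.get('enable') == 'yes'}
    # The sample rs.config has one [relay_server] section; peers are assumed to use the same ports.
    ports = {k: v for name, s in sections if name == 'relay_server' for k, v in s.items() if k.endswith('_port')}
    farm = farms.get(farm_id)
    if farm is None:
        out['errors'].append(f'-f {farm_id}: no enabled [backend_farm] with this id')
        return out
    if farm.get('client_security') != 'on':
        out['warnings'].append(f'farm {farm_id}: client_security is off, devices may connect over plain HTTP')
    server = next((s for name, s in sections if name == 'backend_server'
                   and s.get('farm') == farm_id and s.get('id') == server_id), None)
    if server is None:
        out['errors'].append(f'-id {server_id}: no [backend_server] with this id in farm {farm_id}')
    elif server.get('token') != token:
        out['errors'].append(f'-t {token}: does not match token {server.get("token")} in rs.config')
    want_https = farm.get('backend_security') == 'on'
    for cr in sw.get('cr', []):
        p = conn_params(cr)
        host, has_https = p.get('host'), p.get('https') == '1'
        if has_https != want_https:
            out['errors'].append(f'-cr {host}: https={int(has_https)} but backend_security={farm.get("backend_security")}')
        expect = ports.get('https_port' if has_https else 'http_port')
        if expect and p.get('port') != expect:
            out['errors'].append(f'-cr {host}: port {p.get("port")} but rs.config uses {expect}')
        if not p.get('url_suffix', '').endswith('/ias_relay_server/server/rs_server.dll'):
            out['errors'].append(f'-cr {host}: url_suffix must point at rs_server.dll')
    return out


if __name__ == '__main__':
    for label, cmd in (('iOS', RSOE_IOS), ('iOS, wrong token', RSOE_IOS_BAD_TOKEN), ('iOS, plain HTTP', RSOE_IOS_PLAIN_HTTP)):
        print(label, check_rsoe_against_rs_config(SAMPLE_RS_CONFIG, cmd))
```

Run it against your own rs.config (read the file into rs_config_text) and the exact dbsvc line used to install each RSOE service; an empty errors list for every service means the switches and the configuration agree, and the client_security warning is the reminder that the Relay Server is not the component enforcing HTTPS towards the devices in this layout.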

Configuring the Relay Server for the Enrollment server

There are two items here:

1. Use Relay Server – this enables the Relay Server settings. Under this checkbox we have to provide exactly the farm ID that we gave in the rs.config file.

2. Server address* – here we have to provide the server address of the Relay Server, i.e. the address the devices will be connecting to.

Configure Package server

1. Use Relay Server – this enables the Relay Server settings; under this checkbox we have to provide exactly the farm ID that we gave in the rs.config file.

2. Server address – in the server address box we have to provide the external Relay Server URL through which the device will connect to the Relay Server.

Testing Relay Server and RSOE

A Windows IIS hosts the Sybase Relay Server solution. The executable and DLLs that make up the Sybase Relay Server are served by this IIS:

rs_client.dll: the DLL that mobile devices connect to when communicating with the Relay Server

rs_server.dll: the DLL that CAMDM nodes (through the RSOE) connect to when communicating with the Relay Server

rshost.exe: the executable that runs the Sybase Relay Server functionality

The Relay Server Windows Service: the aforementioned rshost.exe is run as a Windows service that can be configured to start manually or automatically when the Windows host starts.

After installing CAMDM, RS and RSOE, the following two links can be used to test the configuration of RS and RSOE.

For the RSOE connection:

https://<hostname or fqdn>/ias_relay_server/server/rs_server.dll

When this link is opened in a browser from outside the RS machine, the user should see the Relay Server status page of the server extension, which reports the availability of the backend farms.

For the MDM device client:

https://<hostname or fqdn>/ias_relay_server/client/rs_client.dll

When this link is opened in a browser from outside the RS machine, the user should see the corresponding status page of the client extension, e.g.:

Overall availability: Full

Note: If the RS server is supposed to communicate on secure ports, an SSL certificate needs to be set up in the IIS server.

Refer: Setup https on IIS 7.5.docx

Setup https on IIS 7.5

Open IIS Manager (Start > Run > type 'inetmgr', hit Enter)


IIS Manager > select <SERVERNAME> in the left pane, then select Server Certificates in the middle pane.


Troubleshooting the Relay Server and Relay Server Outbound Enabler

The troubleshooting process consists of a sequence of steps:

1. Verify

First verify that the Relay Server was installed correctly as a plug-in in IIS.

2. Test

Next, perform some basic tests, which should already give an idea whether there is a problem with the Relay Server installation, with the communication between the device and the Relay Server, or with the communication between the MDM server and the Relay Server.

3. Check Logs

The Relay Server and Relay Server Outbound Enabler logs provide the most useful information when troubleshooting the Relay Server. It is advised to check the logs before and after each test. If you followed the instructions earlier in this document, the log files are under "C:\Sybase\" on the Relay and MDM servers.

4. Check Settings

Some settings can be validated in addition to the installation settings checked in the first phase.

5. Run Traces

As a last resort, trace the mobile data as it travels from the device to the Relay Server to the MDM server on the internal network.

Troubleshooting matrix: which checks apply to the device, the Relay Server, the MDM server and the network

Columns: VERIFY | TEST | CHECK LOGS | CHECK SETTINGS | RUN TRACES

DEVICE
   Test: Test IIS Home Page. Test URL: rs_client.dll.
   Check Logs: MDM Logs.

RELAY SERVER
   Verify: Verify IIS Components. Verify Application Pool. Verify ISAPI and CGI. Check IIS Configuration.
   Test: Test IIS Home Page. Test URL: rs_client.dll. Test URL: rs_server.dll.
   Check Logs: rs.log. IIS Logs. MS Event Logs.
   Check Settings: Check Firewall / Antivirus. Check DEP. Check Account. Check Application Host. Check RS Version. Check Multiple NIC cards.
   Run Traces: Run Wireshark. Run netstat.

MDM
   Test: Test IIS Home Page. Test URL: rs_server.dll.
   Check Logs: RSOE Log. MDM Log. MS Event Logs.
   Check Settings: Check Firewall / Antivirus. Check RSOE version.
   Run Traces: Run Wireshark. Run netstat.

NETWORK
   Check Logs: Firewall logs.
   Check Settings: Check Firewall ports and proxies.


Verify

Before starting the troubleshooting, verify the configuration of the Relay Server in IIS. This section assumes you have already viewed the other product documentation and the earlier sections of this document.

Relay Server: Verify required IIS Components

On the host of the Sybase Relay Server, open the Server Manager and open the Features dialog. You do not need any Features installed for the native Sybase Relay Server function, but if features are selected here, make sure they follow the guidelines below:

 .NET Framework 3.5.1
   o Non-HTTP Activation
 Windows Process Activation Service
   o Process Model
   o .NET Environment
   o Configuration APIs

Open the Server Manager and verify that the Web Server (IIS) role and at least the following IIS Role Services are installed:

 Common HTTP Features
   o Static Content
   o Default Document
   o HTTP Errors
   Important: Make sure WebDAV Publishing is not installed.
 Application Development
 Health and Diagnostics
   o HTTP Logging
   o Request Monitor
 Security
   o Request Filtering
 Performance
   o Static Content Compression
 Management Tools
   o IIS Management Console
   o IIS Management Scripts and Tools
   o IIS 6 Management Compatibility
      o IIS 6 Metabase Compatibility
      o IIS 6 WMI Compatibility
      o IIS 6 Scripting Tools
      o IIS 6 Management Console

Relay Server: Verify IIS Application Pool

Open the Internet Information Services (IIS) Manager.

Check that an Application Pool named RelayServer is present with the attributes set in step 4 of the installation section (.NET Framework v2.0.50727, Integrated pipeline, queue length 65535, idle time-out 0, ping disabled, identity ApplicationPoolIdentity, rapid-fail protection disabled, no regular recycle interval).


Relay Server: Verify the IIS Application

Note: When installing the Sybase Relay Server, you can choose to install it as part of the Default Web Site of IIS or create a new web site for the Sybase Relay Server. This guide covers the first option (use the Default Web Site).

In the IIS Manager, select the Relay Server application, called ias_relay_server (under the node Default Web Site), and check its properties: the alias is ias_relay_server, the application pool is RelayServer and the physical path is the folder holding the Relay Server files, in this document C:\inetpub\wwwroot\ias_relay_server.

Note: The physical path might be different in your environment.

Now, with the "ias_relay_server" application still selected, open the "Request Filtering" settings and go to "Edit Feature Settings"; the maximum allowed content length should be 2147483647 bytes and the maximum query string 65536 bytes, as set during installation.

Now, with the "ias_relay_server" application still selected, open the "Handler Mappings" and go to "Edit Feature Permissions". Verify that only "Script" and "Execute" are checked.

Now, with the ias_relay_server application still selected, open the SSL Settings and make sure, if applicable, that "Require SSL" is not checked and that "Ignore" is selected for client certificates.

Relay Server: Verify ISAPI and CGI Restrictions

In the IIS Manager, highlight the server entry and open the ISAPI and CGI Restrictions. Check that the following two entries are present:

 RS Server DLL
   o Path: C:\inetpub\wwwroot\ias_relay_server\server\rs_server.dll
   o Description: RS Server DLL
   o "Allow extension path to execute" is checked

 RS Client DLL
   o Path: C:\inetpub\wwwroot\ias_relay_server\client\rs_client.dll
   o Description: RS Client DLL
   o "Allow extension path to execute" is checked

Relay Server: Update IIS Configuration

During the installation, some application pool changes were made on the IIS.

To update the IIS server configuration, adsutil.vbs must be run. To verify that the script was run, you can simply run it again here. First, in the IIS Manager, verify the web site ID of the site that runs the Sybase Relay Server.

For example, the web site ID of this installation is 1.

Now, on the Sybase Relay Server host, open a command prompt as an Administrator, locate adsutil.vbs and execute it. Script location example: C:\Inetpub\AdminScripts

Script command: cscript adsutil.vbs set w3svc/1/uploadreadaheadsize 0

The command returns the current value of the uploadreadaheadsize variable.


Test

In order to focus the troubleshooting process, start with some basic tests.

The tests in this section should give you an idea whether the problem is on the Relay Server itself, in the communication between the mobile device and the Relay Server, or in the communication between the MDM server and the Relay Server.

Relay Server: Test IIS Home Page

On the Relay Server, validate that the default home page of the IIS can be reached via a web browser. In the browser, navigate to http://localhost/ and check that the IIS welcome image is displayed.

If this image does not show, there is a problem with the IIS. Concentrate the troubleshooting on the IIS.

Relay Server: Test URL with rs_server.dll

On the Relay Server, navigate to the following URL:

http://<Relay Server IIS host>/ias_relay_server/server/rs_server.dll

You should see the Relay Server status page.

Note: The "Overall availability" can also be "Partial" or "None". In that case validate that all of the RSOEs are properly running and connected to the Relay Server.

If this page does not show but an error is displayed instead, there is a problem with the setup of the Sybase Relay Server on the IIS. Concentrate the troubleshooting on the IIS or check the Relay Server Windows service. Tip: To get more information about the cause of the error, turn off "Show friendly HTTP error messages" in the settings of Internet Explorer, for example.

One possible reason for errors is the authorization level of the Windows account that is used to run the IIS worker process (the application pool identity). Validate that this account has the proper authorizations to read the folders where the Sybase Relay Server executable and DLLs are located.

Relay Server: Test URL with rs_client.dll

On the Relay Server, navigate to the following URL:

http://<Relay Server IIS host>/ias_relay_server/client/rs_client.dll

You should see the corresponding status page of the client extension.

If it does not display, proceed with the suggestions in the previous section for the rs_server.dll test.

Mobile Device: Test IIS Home Page

It is also important to run the same tests as above from the mobile device's web browser. If the IIS home page image does not show, there is a problem.

Possible reasons could be:

 Some network setting on the mobile device is blocking access to the home page of IIS.
 Port 80 on the outside firewall in front of the Relay Server is blocked (port 80 is the default port).
 Some rule on the outside firewall is not granting access to the mobile device that is trying to connect over port 80 on the firewall.

Mobile Device: Test URL with rs_client.dll

Perform the same steps outlined above for accessing "rs_client.dll" using the mobile device's web browser.


MDM Server : Test connection to rs_server.dll and rs_client.dll

Be sure to perform the same tests using the web browser on the MDM server.

Check Logs

Before and after each test, it is recommended to check the Relay Server and RSOE log files.

Relay Server: Check Relay Server log

The Sybase Relay Server logs events in a log file called rs.log.

The location of rs.log is defined during installation of the Sybase Relay Server (the -o switch of the service command; C:\Sybase\rs.log in this document). If you do not know where rs.log is located, search for "rs.log" on the IIS host.

For the troubleshooting process it is a good idea to raise the log level of the Sybase Relay Server. This is done by changing a setting in rs.config, the configuration file of the Sybase Relay Server (if you do not know where rs.config is located, search for "rs.config" on the IIS host). In rs.config, make sure the verbosity is set to 5.

Note: If you change the "verbosity" level, recycle the Relay Server Windows service in the Windows Services console (in this document it is called "SQL Anywhere – CAMDMRelayServer"; in other installations it may be called "Relay Server", "SQLAnywhere_RelayServer" or similar), or reload the configuration with rshost.exe -u as described in section 11.

In the rs.log file, look for the following information:

 Error lines start with "E."
 Other important information may still be logged as an informational message, "I."
 Also consider the sections regarding incoming communication in rs.log; for example, when a device sends a message to the Sybase Relay Server, this message is logged in rs.log (when verbosity is set to 5).

Look for entries like the following:

When testing the Relay Server with a mobile device, check whether these kinds of communication chunks appear in rs.log. If not, there could be a problem with the outside firewall or the (external) network of the IIS host.

Relay Server: Check IIS log

If the rs.log file does not contain helpful information, check the logs of the IIS itself. Two log files are of interest:

 The W3SVC log; for IIS 7 this file is located in the C:\inetpub\logs\LogFiles\W3SVC<site id>\ folder (W3SVC1 for the Default Web Site with ID 1 used in this document). This file gives an overview of the HTTP requests that came in, the IP of the sender and the HTTP response code to the request.

 The HTTPERR log; for IIS 7 this file is located in the C:\Windows\System32\LogFiles\HTTPERR\ folder. This file gives an overview of errors that occurred in the HTTP communication with the IIS, including requests that HTTP.sys rejected before they reached the worker process.


Note: When the mobile device connects to the Relay Server it connects to the following URL, which is hosted on the Relay Server:

http://<relay server hostname>/ias_relay_server/client/rs_client.dll
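A practical way to read the W3SVC log for the Relay Server is to pull out only the hits on the two Relay Server DLLs and group them by IIS status and substatus, since several substatus codes map directly to installation steps in this guide (403.4 means "Require SSL" is checked on the application, 404.2 means the DLL is not allowed under ISAPI and CGI Restrictions, 500.19 means the application's configuration data is invalid). The following Python script is an added example written for this guide, not part of CAMDM or the Relay Server. The log lines embedded in it are constructed in the W3C extended format that IIS 7.5 writes with its default field set; the rsoe_hosts parameter (the addresses of your MDM servers running an RSOE) is the example's own assumption: rs_server.dll is the endpoint for the Outbound Enablers, so hits on it from any other address deserve a look once testing is over.

```python
from collections import Counter

RELAY_ENDPOINTS = ('/ias_relay_server/client/rs_client.dll', '/ias_relay_server/server/rs_server.dll')

# IIS status.substatus codes that map to checks earlier in this guide (hint wording is this example's own).
IIS_HINTS = {
    '403.4': 'SSL required: "Require SSL" is checked on the ias_relay_server application',
    '404.2': 'ISAPI or CGI restriction: rs_server.dll / rs_client.dll not allowed under ISAPI and CGI Restrictions',
    '500.19': 'invalid configuration data for the application (web.config / applicationHost.config)',
}

# Constructed sample log in the W3C extended format IIS 7.5 writes to C:\inetpub\logs\LogFiles\W3SVC1\
SAMPLE_W3SVC_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2014-03-04 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-03-04 09:00:01 10.2.112.81 GET / - 80 - 203.0.113.5 Mozilla/5.0 200 0 0 12
2014-03-04 09:00:02 10.2.112.81 POST /ias_relay_server/client/rs_client.dll - 443 - 203.0.113.5 CAMDM-iOS 200 0 0 31
2014-03-04 09:00:03 10.2.112.81 POST /ias_relay_server/client/rs_client.dll - 80 - 203.0.113.7 CAMDM-Android 403 4 5 5
2014-03-04 09:00:04 10.2.112.81 GET /ias_relay_server/server/rs_server.dll - 443 - 10.2.116.12 RSOE 200 0 0 8
2014-03-04 09:00:05 10.2.112.81 GET /ias_relay_server/server/rs_server.dll - 443 - 198.51.100.9 curl/7.30.0 200 0 0 3
2014-03-04 09:00:06 10.2.112.81 GET /ias_relay_server/client/rs_client.dll - 80 - 203.0.113.8 Mozilla/5.0 404 2 0 1
"""


def parse_w3c_log(text):
    """Yield one dict per request line, keyed by the field names of the preceding #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
        elif line.startswith('#') or not line.strip():
            continue
        elif fields is None:
            raise ValueError('request line before any #Fields directive')
        else:
            values = line.split()
            if len(values) != len(fields):
                raise ValueError(f'field count mismatch: {line!r}')
            yield dict(zip(fields, values))


def summarise_relay_requests(text, rsoe_hosts):
    """Count status.substatus per Relay Server endpoint and list findings worth a look.
    rsoe_hosts: addresses of the MDM servers running an RSOE, the only expected callers of rs_server.dll."""
    hits = {ep: Counter() for ep in RELAY_ENDPOINTS}
    clients = {ep: set() for ep in RELAY_ENDPOINTS}
    findings = []
    for r in parse_w3c_log(text):
        ep = r['cs-uri-stem'].lower()
        if ep not in hits:
            continue
        code = f"{r['sc-status']}.{r['sc-substatus']}"
        hits[ep][code] += 1
        clients[ep].add(r['c-ip'])
        if code in IIS_HINTS:
            findings.append(f"{ep} from {r['c-ip']}: {code} ({IIS_HINTS[code]})")
        if ep.endswith('/rs_server.dll') and r['c-ip'] not in rsoe_hosts:
            findings.append(f"rs_server.dll reached from {r['c-ip']}, which is not a known RSOE host")
    return hits, clients, findings


if __name__ == '__main__':
    hits, clients, findings = summarise_relay_requests(SAMPLE_W3SVC_LOG, rsoe_hosts={'10.2.116.12'})
    for ep in RELAY_ENDPOINTS:
        print(ep, dict(hits[ep]), sorted(clients[ep]))
    print('\n'.join(findings))
```

Point it at the current file in the W3SVC folder named above (IIS rolls the log daily, so pick the file for the day of the test). Requests that HTTP.sys rejects before they reach the worker process, for example a 503 while the RelayServer application pool is stopped, do not appear in the W3SVC log at all but in the HTTPERR log listed above.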

Relay Server: Check Microsoft Event Logs

Other log files of interest on the Windows host of the Sybase Relay Server are the Microsoft Event logs. The following logs are of interest here:

 Application
 Security
 System

Verify whether these logs show useful information about errors that occurred at the time of testing the Sybase Relay Server with a mobile device.

MDM Server: Check RSOE Log

In the RSOE log file, look for following information;  Error lines, starting with an E.

(41)

 Remember that lines that start with an “I.” may also have important information.

 Also look for chunks of communication in the RSOE.log-file; when a device ends a message to the Sybase Relay Server, the Sybase Relay Server will communicate this message to the SUP server. This message will be logged in the RSOE log (with verbosity set to 5). Look for entries like the following:

When testing the Sybase Relay Server with a mobile device, check whether these kinds of communication chunks appear in the RSOE log file. If they do not, there is no communication between the Sybase Relay Server and the MDM Server.

Possible causes include:

o The configuration of the RSOE and the Relay Server is wrong; for example, mismatches in server node names, farm names, tokens, ...

o The firewall between the Sybase Relay Server and the SUP blocks traffic on port 80.

o There is HTTP packet filtering on port 80 of the firewall which drops the Sybase mobile traffic.

o The DNS host name of the Relay Server cannot be resolved when communicating from the SUP to the Relay Server.
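The first cause in the list above (mismatched node names, farm names or tokens) can be checked mechanically instead of by eye. The following added example is not part of this document or of the CA or Sybase products: it parses a Relay Server rs.config and compares it with the farm, node id and token the RSOE is started with (the -f, -id and -t command-line options). The section and key names ([relay_server], [backend_farm], [backend_server], farm, id, token, enable) follow the SQL Anywhere Relay Server configuration format; the host name, farm name, node ids and token values are constructed.

```python
"""Compare RSOE startup parameters with the Relay Server's rs.config (added example)."""
import sys

# Constructed rs.config: section and key names follow the SQL Anywhere Relay
# Server configuration format; host, farm, node and token values are made up.
SAMPLE_RS_CONFIG = """\
[relay_server]
enable = yes
host = relay.example.com
http_port = 80

[backend_farm]
enable = yes
id = mdm_farm

[backend_server]
enable = yes
farm = mdm_farm
id = mdm_node1
token = 7f3a9c1e

[backend_server]
enable = yes
farm = mdm_farm
id = mdm_node2
token = 51bd0e44
"""

# Constructed RSOE command line (identity options only; -cr/-cs left out).
SAMPLE_RSOE_ARGV = ["-f", "mdm_farm", "-id", "mdm_node1", "-t", "7f3a9c1e"]


def parse_rs_config(text):
    """Parse rs.config into a list of (section name, {key: value}).

    A list is used rather than configparser because rs.config repeats the
    [backend_server] section once per MDM node.
    """
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment (assumed '#')
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.append((line[1:-1].strip().lower(), current))
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
        else:
            raise ValueError(f"unexpected line in rs.config: {raw!r}")
    return sections


def parse_rsoe_args(argv):
    """Pick the RSOE identity options (-f farm, -id node id, -t token) out of argv."""
    wanted = {"-f": "farm", "-id": "id", "-t": "token"}
    found, i = {}, 0
    while i < len(argv):
        if argv[i] in wanted and i + 1 < len(argv):
            found[wanted[argv[i]]] = argv[i + 1]
            i += 2
        else:
            i += 1
    return found


def check_rsoe_against_config(config_text, rsoe_argv):
    """Return mismatch descriptions; an empty list means the RSOE identity matches.

    Token values are never echoed in the messages, so the output can be pasted
    into a support ticket without leaking the shared secret.
    """
    sections = parse_rs_config(config_text)
    rsoe = parse_rsoe_args(rsoe_argv)
    findings = [f"RSOE command line is missing the {k} option"
                for k in ("farm", "id", "token") if k not in rsoe]
    if findings:
        return findings
    farms = {s["id"] for name, s in sections if name == "backend_farm" and "id" in s}
    if rsoe["farm"] not in farms:
        findings.append(f"farm '{rsoe['farm']}' is not defined in any [backend_farm] section")
    nodes = [s for name, s in sections if name == "backend_server"
             and s.get("farm") == rsoe["farm"] and s.get("id") == rsoe["id"]]
    if not nodes:
        findings.append(f"no [backend_server] section with farm '{rsoe['farm']}' and id '{rsoe['id']}'")
    else:
        node = nodes[0]
        if node.get("token") != rsoe["token"]:
            findings.append(f"token for node '{rsoe['id']}' differs from the [backend_server] token")
        if node.get("enable", "yes").lower() != "yes":
            findings.append(f"node '{rsoe['id']}' is disabled in rs.config (enable = {node['enable']})")
    return findings


if __name__ == "__main__":
    # Usage: python check_rsoe.py rs.config -f farm -id node -t token  (no args: run the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            problems = check_rsoe_against_config(fh.read(), sys.argv[2:])
    else:
        problems = check_rsoe_against_config(SAMPLE_RS_CONFIG, SAMPLE_RSOE_ARGV)
    print("OK: RSOE identity matches rs.config" if not problems else "\n".join(problems))
```

Run it on the MDM host with the rs.config copied from the Relay Server and the same options the RSOE is started with. Comparisons are exact, so a difference in letter case between the farm or node name in rs.config and the one given to the RSOE is reported as a mismatch rather than silently accepted.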

MDM Server: Check MDM logs in the Admin Console

Log in to the CA MDM Admin Portal page: http://hostname/CAM

If needed, use the search filter to narrow the Date/Time range, set Type to "Error", and so on.

Do not overlook informational messages; they may be very important even though they are not flagged as errors.

Check the Log Option Configuration in the MDM Admin Console

You may need to validate that all of the appropriate logging options are enabled.

MDM Server – Relay Server Configuration in the MDM Admin Console

Enrollment Server

In the configuration below, the “Server Address” under the Relay Server should be set


Package Server

In the configuration below, the "Indirect Access (Relay Server)" setting should be set appropriately. See the earlier sections of this document for the "Package Server" setup.

MDM Enrollment Policies – Validate the Enrollment Policies

Validate each of the MDM Enrollment Policies (there is one per device type): open the policy detail and click the checkbox next to the enrollment code.

Click the "Inspect" button.

As the screenshot above shows, the address includes the Relay Server address. If no Relay Server were configured, this would typically show the MDM address.


Additional Troubleshooting tools:

1- Fiddler: http://www.telerik.com/fiddler

This tool can trace HTTP traffic on a desktop or server machine when there is an issue accessing the Relay Server URL in a web browser. The captured data can show more than the web browser alone does. For example, in the case below, it shows a more useful error than the web browser:

while Fiddler shows:

2- Wireshark from http://wireshark.org/

The following CA technical document, TEC602292, shows how it can be used:

https://support.ca.com/irj/portal/anonymous/kbtech?docid=602292&searchID=TEC602292&intcmp=searchresultclick&resultnum=1

Additional Documentation:

o CA MDM Product Documentation on wiki.ca.com: https://wiki.ca.com/

o Sybase Relay Server Documentation:

http://dcx.sybase.com/index.html#sa160/en/relayserver/relayserver16.html

o Internet search: Relay Server error codes can be searched for on the internet; such a search covers both the CA Knowledge Base and the Sybase documentation.

Important CA Knowledge Base articles on the Relay Server:

Note: These can be searched from http://support.ca.com

TEC609742 Introduction to Relay Server and RSOE (relay server outbound enabler)

TEC602298 When starting a Relay Server, the system errors stating "Failed to attach to Relay Server 'ias_relay_server_host' shared memory."

TEC602220 What are the different "Overall availability" status of the Relay Server?

TEC612015 CA MDM Client connections may time out when using the Relay Server installed under a site other than the "Default Web Site"

TEC602118 When attempting to install a Profile on an iOS device the process fails while attempting to enroll the certificate with the message "The SCEP Server returned an invalid response".

TEC612060 Is it possible to create a Windows Service for the Relay Server?

TEC612014 How can I point the Relay Server to a different web site in IIS (not the "Default Web Site")?

TEC602116 Receive error: "Profile Failed to Install. The profile "Config Payload" could not be installed" or Enrollment failed message received on the iOS devices when attempting to enroll iOS devices.
