In a deployment, Standalone Sentry works with the UEM platform to secure access to backend resources by preventing wrongful access from devices. The UEM can be Core on a Physical or Virtual Appliance or it can be an Ivanti Neurons for MDM deployment. This section provides various deployment scenarios with Standalone Sentry.
These deployments include:
The following illustration shows Standalone Sentry in a configuration in which Standalone Sentry is located in the DMZ along with UEM:
Figure 1. Standalone Sentry and UEM located in the DMZ
Standalone Sentry can be located in the DMZ, along with UEM, but this configuration is not required. You can alternatively:
•Put Standalone Sentry in the DMZ and put UEM behind the corporate firewall.
•Put UEM in the DMZ and put Standalone Sentry behind the corporate firewall.
•Put both Standalone Sentry and UEM behind the corporate firewall.
Use multiple Standalone Sentrys in the following situations:
•Standalone Sentry and Integrated Sentry for High Availability
Multiple Standalone Sentrys and Integrated Sentrys can back each other up to provide High Availability access to ActiveSync Servers or backend resources. In this configuration, each Sentry points to the same server or server cluster. Contact Professional Services to set up this configuration.
•Your ActiveSync server has more users than one Standalone Sentry can support.
A Standalone Sentry has an upper limit for the number of registered ActiveSync devices that it can support, depending on its configuration. If your ActiveSync server supports more devices than this limit, use multiple Standalone Sentrys. Configure each Standalone Sentry to point to the same ActiveSync server (or servers if multiple ActiveSync servers back each other up).
For more information about Standalone Sentry capacity, see the Standalone Sentry On-Premise Installation Guide.
Figure 2. Deployment with multiple Standalone Sentrys
•You have multiple ActiveSync or backend resources, each of which supports a different organization.
Use one Standalone Sentry for each organization. Configure the Standalone Sentry to point to the server (or servers if multiple servers back each other up) for that organization.
•You have ActiveSync or backend resources in different locations.
If you have ActiveSync or backend resources in different locations, use a Standalone Sentry for each location. By co-locating the Standalone Sentry with the ActiveSync or backend resource, you minimize latency between Sentry and the server. Configure each Sentry to point to its co-located server (or servers if multiple servers back each other up).
Figure 3. Sentry in different locations
Typically, you use load balancers when using multiple Standalone Sentrys. For information about using load balancers with Standalone Sentry, contact Professional Services.
For more information about deploying Standalone Sentry for high availability and load balancing, see the following knowledge base articles:
You can configure the Standalone Sentry to be deployed behind a proxy, for example, an Apache or an F5 server. This allows SSL termination to occur in front of Sentry even when using certificate-based authentication.
Terminating SSL in the DMZ adds a layer of security and accommodates the DMZ firewall policies.
Leveraging this configuration requires:
•Setting up an Apache or F5 proxy to front-end the Standalone Sentry.
•Enabling this feature on Sentry via the UEM UI.
•Making additional minor changes to hostname references in some profiles.
Contact Professional Services or a certified partner to set up this deployment.
You can configure one Standalone Sentry to work with multiple ActiveSync servers or backend resources that are backing each other up. You control when Standalone Sentry switches to another ActiveSync server or backend resource by setting parameters involving communication failures between Standalone Sentry and the active ActiveSync server or backend resource.