Standalone Sentry deployment scenarios

In a MobileIron deployment, Standalone Sentry works with the MobileIron EMM platform to secure access to backend resources by preventing wrongful access from devices. The EMM can be MobileIron Core on a Physical or Virtual Appliance, or it can be a MobileIron Cloud deployment. This section describes various deployment scenarios with Standalone Sentry.

These deployments include:

Deployment with Standalone Sentry in the DMZ
Deployment with multiple Standalone Sentry servers
Deployment with Standalone Sentry behind a proxy
Deployment with multiple ActiveSync servers or backend resources

Deployment with Standalone Sentry in the DMZ

The following illustration shows a configuration in which Standalone Sentry is located in the DMZ along with MobileIron EMM:

Figure 1. Standalone Sentry and EMM located in the DMZ

Standalone Sentry can be located in the DMZ, along with MobileIron EMM, but this configuration is not required. You can alternatively:

Put Standalone Sentry in the DMZ and put EMM behind the corporate firewall.
Put EMM in the DMZ and put Standalone Sentry behind the corporate firewall.
Put both Standalone Sentry and EMM behind the corporate firewall.

Deployment with multiple Standalone Sentry servers

Use multiple Standalone Sentrys in the following situations:

Standalone Sentry and Integrated Sentry for High Availability

Multiple Standalone Sentrys and Integrated Sentrys can back each other up to provide High Availability access to ActiveSync Servers or backend resources. In this configuration, each Sentry points to the same server or server cluster. Contact MobileIron Professional Services to set up this configuration.

Your ActiveSync server has more users than one Standalone Sentry can support.

A Standalone Sentry has an upper limit for the number of registered ActiveSync devices that it can support, depending on its configuration. If your ActiveSync server supports more devices than this limit, use multiple Standalone Sentrys. Configure each Standalone Sentry to point to the same ActiveSync server (or servers if multiple ActiveSync servers back each other up).

For more information about Standalone Sentry capacity, see the MobileIron Standalone Sentry On-Premise Installation Guide.

Figure 2. Deployment with multiple Standalone Sentrys

You have multiple ActiveSync or backend resources, each of which supports a different organization.

Use one Standalone Sentry for each organization. Configure the Standalone Sentry to point to the server (or servers if multiple servers back each other up) for that organization.

You have ActiveSync or backend resources in different locations.

If you have ActiveSync or backend resources in different locations, use a Standalone Sentry for each location. By co-locating the Standalone Sentry with the ActiveSync or backend resource, you minimize latency between Sentry and the server. Configure each Sentry to point to its co-located server (or servers if multiple servers back each other up).

Figure 3. Sentry in different locations

NOTE: Typically, you use load balancers when using multiple Standalone Sentrys. For information about using load balancers with Standalone Sentry, contact MobileIron Professional Services.

For more information about deploying Standalone Sentry for high availability and load balancing, see the following knowledge base articles:

Sentry HA Networking Overview and Recommendations at https://community.mobileiron.com/docs/DOC-1807
Mail Server Resource Consumption at https://community.mobileiron.com/docs/DOC-2305

Deployment with Standalone Sentry behind a proxy

You can deploy Standalone Sentry behind a proxy, for example, an Apache or an F5 server. This allows SSL termination to occur in front of Sentry even when using certificate-based authentication.

By allowing SSL to be terminated in the DMZ, Standalone Sentry enables an added layer of security and accommodates the DMZ firewall policies.

Leveraging this configuration requires:

Setting up an Apache or F5 proxy to front-end the Standalone Sentry.
Enabling this feature on Sentry via the MobileIron EMM UI.
Making additional minor changes to hostname references in some profiles.

Contact MobileIron Professional Services or a MobileIron certified partner to set up this deployment.

Deployment with multiple ActiveSync servers or backend resources

You can configure one Standalone Sentry to work with multiple ActiveSync servers or backend resources that are backing each other up. You control when Standalone Sentry switches to another ActiveSync server or backend resource by setting parameters involving communication failures between Standalone Sentry and the active ActiveSync server or backend resource.