Where to Deploy your Mobility Server

Technical Note 2161

Last Reviewed: 13-Jun-2005

Applies To: All versions of Mobility

Summary

We often receive questions from customers about where they should deploy their Mobility server. This technical note provides a brief overview of the two primary options for server deployment—behind the corporate firewall or in the DMZ.

Location #1: Behind the Corporate Firewall

The most common (and easiest) place to deploy the Mobility server is behind the corporate firewall. This example assumes that your internal network is behind a NAT:

  1. The Mobility server is installed on the trusted network using a single NIC with a static IP address.

  2. The firewall must be configured to forward UDP traffic on port 5008 to the internal address of the Mobility server.

    Note: Mobility can be configured to use a port other than 5008.

  3. The virtual IP addresses assigned by the Mobility server to Mobility clients must be a block of valid IP addresses on the same network subnet as the Mobility server.

  4. The public NAT or firewall address through which clients are configured to connect must be added to the Mobility server's External Server Addresses list in the Mobility server console. (In version 6.01 and earlier, this setting is called Alternate Server Addresses.)

Location #2: In the DMZ

The other place to deploy the Mobility server is in the DMZ (the "demilitarized zone"):

  1. The Mobility server is installed in the DMZ with a NIC that is assigned a publicly-routable IP address. If there aren't enough publicly-routable IP addresses to assign to the Mobility clients that will connect to the server, we recommend adding a second NIC (or a second IP address on the same NIC) on the server with an IP address that is routable to the trusted network. This approach often makes setting up routing rules between the DMZ and the trusted network much easier.

  2. The firewall must be configured to forward UDP traffic on port 5008 to the internal address of the Mobility server.

    Note: Mobility can be configured to use a port other than 5008.

  3. The virtual IP addresses assigned by the Mobility server to each Mobility client must be on the same subnet as one of the Mobility server's IP addresses. On a server with a public and private address, the virtual IP addresses would typically be on the private IP subnet.
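The addressing rules from both locations (virtual IP pool on the subnet of a server address, and the NAT or firewall address listed under External Server Addresses) can be checked before deployment. The Python below is an added example, not NetMotion code; the function name, the reading of "valid" as usable host addresses, and all sample addresses are assumptions.

```python
import ipaddress

def check_mobility_plan(server_ifaces, pool_first, pool_last,
                        client_target, external_addresses=()):
    """Return a list of problems; an empty list means the plan is consistent.

    server_ifaces:      the server's own addresses in CIDR form, e.g. "10.1.2.10/24"
    pool_first/last:    first and last virtual IP assigned to Mobility clients
    client_target:      address the clients are configured to connect to
    external_addresses: entries in the External Server Addresses list
    """
    problems = []
    ifaces = [ipaddress.ip_interface(s) for s in server_ifaces]
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    if first > last:
        return ["virtual IP pool is empty: first address is above last"]

    # The whole pool must sit on the subnet of one of the server's addresses.
    home = [i for i in ifaces if first in i.network and last in i.network]
    if not home:
        problems.append("virtual IP pool is not on the subnet of any server address")
    for i in home:
        net = i.network
        # Assumption: "valid" excludes the network, broadcast and server addresses.
        for label, addr in (("network address", net.network_address),
                            ("broadcast address", net.broadcast_address),
                            ("server address", i.ip)):
            if first <= addr <= last:
                problems.append(f"virtual IP pool includes the {label} {addr}")

    # A client target that is not one of the server's own addresses is a NAT or
    # firewall address and has to appear in the External Server Addresses list.
    target = ipaddress.ip_address(client_target)
    natted = all(target != i.ip for i in ifaces)
    listed = {ipaddress.ip_address(a) for a in external_addresses}
    if natted and target not in listed:
        problems.append(f"{target} is missing from External Server Addresses")
    return problems

# Constructed sample plans (documentation and private address ranges only).
BEHIND_FIREWALL = dict(server_ifaces=["10.1.2.10/24"], pool_first="10.1.2.100",
                       pool_last="10.1.2.199", client_target="203.0.113.5",
                       external_addresses=["203.0.113.5"])
IN_DMZ = dict(server_ifaces=["198.51.100.20/28", "172.16.5.20/24"],
              pool_first="172.16.5.100", pool_last="172.16.5.150",
              client_target="198.51.100.20")
```

The check covers addressing only; the UDP forwarding rule for port 5008 (or the port you configured instead) still has to be verified on the firewall itself.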

Related Information

2164 - Reason 94: External Server Addresses List

9979 - NetMotion Mobility Technical Notes