Installing the Mobile Bridge

The installation of the Mobile Bridge requires the configuration of two different machines:

  • Configure the Exchange Server from which the Mobile Bridge will retrieve information about mobile devices.
  • Set up and configure the Windows server on which the Mobile Bridge will run.

Creating the AD user for the Mobile Bridge

The installation of the Mobile Bridge requires the creation of a new user in your Active Directory. The Mobile Bridge impersonates this user to communicate with Exchange.

  1. Log in as administrator to a Windows server and connect to Active Directory via the Microsoft Management Console.
  2. Create a new user exclusively dedicated to the Mobile Bridge.
    • The user must belong to the View-Only Organization Management role group.
    • Verify that the user has the attribute RemotePowerShellEnabled set to $true (this is the case by default when you create a new user).
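
One way to verify both requirements once the account exists, as an added example that is not part of the Nexthink documentation. It assumes the Exchange Management Shell; the function name and the account name are placeholders.

```powershell
# Added example; run in the Exchange Management Shell.
# Test-BridgeAccount and 'svc-mobilebridge' are hypothetical names.
function Test-BridgeAccount {
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [string]$ExpectedGroup = 'View-Only Organization Management'
    )
    $user = Get-User -Identity $Identity -ErrorAction Stop

    # Role groups that list the account as a direct member.
    # Membership inherited through nested groups and roles assigned
    # directly to the user are not expanded here.
    $memberOf = @(Get-RoleGroup | Where-Object {
        Get-RoleGroupMember -Identity $_.Name |
            Where-Object { $_.DistinguishedName -eq $user.DistinguishedName }
    } | ForEach-Object { $_.Name })

    [pscustomobject]@{
        Account                 = $user.Name
        RemotePowerShellEnabled = $user.RemotePowerShellEnabled
        InExpectedGroup         = $memberOf -contains $ExpectedGroup
        OtherRoleGroups         = @($memberOf | Where-Object { $_ -ne $ExpectedGroup })
    }
}

Test-BridgeAccount -Identity 'svc-mobilebridge' | Format-List
```

An empty OtherRoleGroups list shows that the account holds only the read-only role group that the Mobile Bridge needs.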

Configuring the Exchange Server

Enabling Windows authentication in IIS for PowerShell

First, configure IIS on your Exchange server to allow the Mobile Bridge user to connect to it via PowerShell using Windows authentication. If you are using Exchange 2010, we suggest using a Client Access Server. To enable Windows authentication in IIS for PowerShell users:

  1. Log in to the Exchange Server as administrator.
  2. Open IIS Manager.
  3. In the left-hand pane, go to Sites -> Name of your Exchange site -> PowerShell.
  4. Open the Authentication page. All authentication methods are disabled by default.
  5. Right-click the status of Windows Authentication and choose Enable.

Advanced configurations

Configuring the Application Pool of IIS

To limit the performance hit of the Mobile Bridge when it connects to the Exchange Server, set a recycling interval for PowerShell and, optionally, limit the maximum amount of memory that it may use within IIS:

  1. Log in to the Exchange Server as administrator.
  2. Open IIS Manager.
  3. In the Connections pane to the left, select the node Application Pools in the tree.
  4. On the Application Pools page, select the application pool MSExchangePowerShellAppPool.
  5. In the Actions pane to the right, click the option Recycling... under the section Edit Application Pool. This opens the Recycling Conditions dialog:
    1. Tick the option Specific time(s) and set its value to, for instance, 02:00 AM (choose an hour of low activity).
    2. Optional: Tick the option Private memory usage and set it to a sensible value according to the RAM available in your server (e.g. set it to 2 000 000 to limit the memory usage to ~2 GB).
  6. Click Next.
  7. Select the recycling events that you want to log, if any, and click Finish.

Disabling PowerShell logs in IIS

The installation of the Mobile Bridge significantly increases the number of PowerShell requests to IIS on your Exchange Server. This in turn causes a significant increase in the size of the IIS logs (up to 1 GB per day).

Therefore, we recommend that you disable PowerShell logging in IIS after installing the Mobile Bridge. To disable PowerShell logging:

  1. Open IIS Manager and navigate to the PowerShell node.
  2. In the Features View, double-click Logging.
  3. In the Actions pane of the Logging page, click Disable.

Configuring the Mobile Bridge in the Windows server

Software requirements of the Mobile Bridge

Installing the Mobile Bridge requires the following software:

  • Windows Server 2008 R2, 2012 or 2012 R2.
  • .NET Framework 4.5
  • PowerShell 4.0

Higher versions of this software may also be suitable for running the Mobile Bridge, but they have not been tested.

Hardware requirements can be found here.

Installing and running the Mobile Bridge service

To install the Mobile Bridge service with the user interface:

  1. Double-click the installer file Nexthink.Mobile.Bridge.msi that you get from Product Downloads.
  2. Accept the license agreement and click Install.
  3. Once the wizard has ended the installation, click Finish.

The procedure above makes the Mobile Bridge use the default port number 11031 for communicating with the Engine. If you want to communicate with the Engine through a different port, install the Mobile Bridge from the command line:

  1. Open a command line interface with elevated privileges.
  2. Type in the following command to install the Mobile Bridge and, for instance, instruct it to use port number 12000 for communicating with the Engine:
    msiexec -i Nexthink.Mobile.Bridge.msi PORT=12000
  3. Change the default port in the Engine configuration as well.

To configure the Mobile Bridge service:

  1. Open the command line interface with elevated privileges.
  2. Configure the service with the address of the Exchange server and the user name (that of the dedicated user for the Mobile Bridge that you created in the Exchange server):
    "c:\Program Files (x86)\Nexthink Mobile Bridge\Nexthink.Mobile.Bridge.exe" ^
    -address myexchangeserver.example.com ^
    -username [email protected]
  3. Enter the password for the Mobile Bridge user. The password is encrypted and stored in the configuration file of the Mobile Bridge along with the address of the Exchange server and the name of the user.

To run the Mobile Bridge service:

  1. From the command line interface, type in:
    sc start NexthinkMobileBridge

At this point, the Mobile Bridge service validates your settings and attempts to connect to the Exchange Server.

Setting the Mobile Bridge velocity

If the Mobile Bridge takes too much time to retrieve the information from the Exchange server or if, conversely, the load on the Exchange server due to the Mobile Bridge queries is too high, you can adjust the throttling.

The throttling is the idle time between two queries of the Mobile Bridge. Its default value is 500 ms.

To change it, use the following configuration option:

 <add key="Throttle" value="500" />

Filtering mobile devices based on AD security groups

If the Mobile Bridge should not report information about mobile users belonging to a specific group, use the ExcludedGroupDn option to specify the group whose users must not be monitored. Conversely, to explicitly include a group for the Mobile Bridge to report information about its users, use the IncludedGroupDn option. The options translate to the following PowerShell filter when retrieving information:

-Filter {(MemberOfGroup -ne 'ExcludedGroupDn') -and
         (MemberOfGroup -eq 'IncludedGroupDn')}


Troubleshooting the Mobile Bridge

The Mobile Bridge service does not start

To check the status of the service, type in the following command:

sc query NexthinkMobileBridge

If the service fails to start, look in the Windows Event logs for error messages indicating the possible reason and take appropriate action. Alternatively, check the log files in:

%ProgramData%\Nexthink Mobile Bridge\logs\
    .\nexthink-mobile-bridge-global.txt
    .\nexthink-mobile-bridge-powershell-errors.txt


Beware that the service may take a long time to start. The Mobile Bridge service needs to validate the connectivity to the Exchange server, the availability of the required PowerShell commands (cmdlets) as well as the version of the Exchange server before reporting a successful start to Windows.

The Mobile Bridge connection to Exchange fails

If PowerShell connectivity to the Exchange server is failing, carry out the following verifications:

  1. Verify that the configured address for the Exchange server is reachable by typing in from the command line:
    ping myexchangeserver.example.com
  2. Verify that the provided credentials are valid by typing in the following two lines in a PowerShell window:
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://myexchangeserver.example.com/powershell/"
    Import-PSSession $session

The Mobile Bridge does not validate the Exchange server certificate for HTTPS

Before going into production, you may want to deactivate the validation of certificates when the Mobile Bridge connects to the Exchange server. To disable the validation of the certificate common name (CN), the certificate authority (CA) and the certificate status, use the following configuration options, respectively:

<add key="SkipCNCheck" value="true"/>
<add key="SkipCACheck" value="true"/>
<add key="SkipRevocationCheck" value="true"/>
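
An added example (not part of the Nexthink documentation) for finding out which of the three checks actually fails before turning any of them off: it opens the same remote PowerShell session with full validation, then with one check skipped per attempt. It assumes that the three options behave like the same-named switches of New-PSSessionOption; the function name is hypothetical and the URI is the placeholder host used on this page.

```powershell
# Added example: Test-ExchangeTlsChecks is a hypothetical helper name.
function Test-ExchangeTlsChecks {
    param(
        [Parameter(Mandatory = $true)][string]$ConnectionUri,
        [Parameter(Mandatory = $true)][pscredential]$Credential
    )
    # Full validation first, then exactly one check skipped per attempt.
    $variants = [ordered]@{
        FullValidation      = @{}
        SkipCNCheck         = @{ SkipCNCheck = $true }
        SkipCACheck         = @{ SkipCACheck = $true }
        SkipRevocationCheck = @{ SkipRevocationCheck = $true }
    }
    foreach ($name in $variants.Keys) {
        $skip = $variants[$name]
        $sessionArgs = @{
            ConfigurationName = 'Microsoft.Exchange'
            ConnectionUri     = $ConnectionUri
            Credential        = $Credential
            SessionOption     = (New-PSSessionOption @skip)
            ErrorAction       = 'Stop'
        }
        $connected = $false
        $message   = $null
        try {
            $session = New-PSSession @sessionArgs
            Remove-PSSession -Session $session
            $connected = $true
        } catch {
            # Non-certificate failures (bad credentials, unreachable host)
            # show up here as well, identically for every variant.
            $message = $_.Exception.Message
        }
        [pscustomobject]@{ Variant = $name; Connected = $connected; Error = $message }
        # A certificate that passes full validation needs no further attempts.
        if ($name -eq 'FullValidation' -and $connected) { break }
    }
}

# Prompts for the dedicated Mobile Bridge account.
Test-ExchangeTlsChecks -ConnectionUri 'https://myexchangeserver.example.com/powershell/' `
    -Credential (Get-Credential) | Format-Table -AutoSize -Wrap
```

A variant that connects while FullValidation fails names the certificate property to repair (subject name, trust in the issuing CA, or reachability of revocation data). If every single-skip variant fails, more than one check is failing or the problem is not the certificate.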