3.1 Planning a Mobility System

You can use the GroupWise Mobility Service Installation Worksheet to gather the information you need, so that you are prepared to provide the information requested by the Mobility Service Installation program.

The topics in this section present the required information in a convenient planning sequence. The Installation Worksheet organizes the information in the order in which you need it during the installation process.

3.1.1 Planning the Configuration of Your Mobility System

A Mobility system can consist of a single Mobility server or multiple Mobility servers. For planning guidelines, review the following sections as needed:

MOBILITY SERVICE INSTALLATION WORKSHEET

Print one copy of the GroupWise Mobility Service Installation Worksheet for each Mobility server that you are planning for your Mobility system.

If you plan to install the Mobility Service on multiple servers, you can proceed through the planning sections server by server, or you can apply each planning section to all planned servers, and then proceed to the next planning section.

IMPORTANT: For best security, plan to install the Mobility Service software on servers inside your DMZ.

3.1.2 Selecting Mobility Servers

Each server where you install the Mobility Service must meet the system requirements listed in Section 2.0, GroupWise Mobility Service System Requirements. The Mobility Service requires a static IP address.

MOBILITY SERVICE INSTALLATION WORKSHEET

Under Mobility Service Server Information, specify the IP address or DNS hostname of the server where you plan to install the Mobility Service software.

3.1.3 Gathering GroupWise Information

Mobility requires a GroupWise license to run. Mobility automatically connects to GroupWise to get the license information. During the install, you need to specify information for Mobility to connect to GroupWise.

MOBILITY SERVICE INSTALLATION WORKSHEET

Under GroupWise Server Information, specify the IP address or DNS hostname of the GroupWise server, along with the Admin Port (default is 9710), GroupWise Admin user, and GroupWise Admin password.

3.1.4 Selecting the User Source for Your Mobility System

The GroupWise Mobility Service can obtain information about users and groups of users from an LDAP directory such as Micro Focus eDirectory or from a GroupWise system.

If you use LDAP as your user source, you can do the following:

  • Use your LDAP management tool to manage the users and groups that are added to your Mobility system.

  • Create LDAP groups of users for use in your Mobility system that are not addressable by GroupWise users.

  • You can also use the GroupWise 18 LDAP server to provision and manage users. For information about GroupWise LDAP, see Configuring the LDAP Server Capabilities in the GroupWise 18 Administration Guide. If you decide to use GroupWise LDAP, you must use GroupWise authentication.

If you use GroupWise as your user source, you can do the following:

  • Use the GroupWise Admin console (or ConsoleOne in older GroupWise systems) to manage the users and GroupWise groups (distribution lists in older GroupWise systems) that are added to your Mobility system.

    This keeps user management in a single location for both your GroupWise system and your Mobility system.

  • Configure the GroupWise groups (distribution lists in older GroupWise systems) that are specifically for use in your Mobility system with no visibility, so that they are not easily addressable for GroupWise users.

    For more information, see Controlling Object Visibility in the GroupWise 18 Administration Guide.

MOBILITY SERVICE INSTALLATION WORKSHEET

Under User Source, mark whether you want to use LDAP or GroupWise as the source for users and groups of users.

If you plan to use your GroupWise system, skip to Gathering GroupWise System Information.

3.1.5 Gathering LDAP Information (Optional)

If you plan to use LDAP or GroupWise LDAP as your user source, the Mobility Service Installation program needs access to an LDAP directory. The LDAP information that you provide during installation also gives you access to the Mobility Admin console, and it configures the Mobility Admin console with the initial set of LDAP containers where users and groups are located.

LDAP Server Network Information

In order to communicate with your LDAP directory, the Mobility Service Installation program needs the IP address or DNS hostname of your LDAP server. It also needs the port number that the LDAP server listens on. The LDAP port number depends on whether the LDAP server requires a secure SSL connection. The default secure port number is 636. The default non-secure LDAP port number is 389.

MOBILITY SERVICE INSTALLATION WORKSHEET

Under LDAP Information, specify the IP address or DNS hostname of your LDAP server, and mark whether a secure SSL connection is required. If using GroupWise LDAP, a secure connection is required.

If the LDAP server requires a secure connection, additional setup might be required. See Securing Communication with the LDAP Server in the GroupWise Mobility Service 18 Administration Guide.

IMPORTANT: If there is a firewall between the Mobility server and the LDAP server, be sure to configure the firewall to allow communication on the selected LDAP port (636 or 389).

LDAP Directory Credentials

Depending on the type of LDAP directory you plan to use, follow the corresponding section below (LDAP or GroupWise LDAP) and enter the information in the worksheet as follows:

MOBILITY SERVICE INSTALLATION WORKSHEET

Under LDAP Information, specify a fully qualified user name with sufficient rights to read the user and group information in your LDAP directory, along with the password for that user.

LDAP

In order to access the LDAP directory, the Mobility Service Installation program needs the user name and password of an administrator user in the LDAP directory who has sufficient rights to access the user and group information stored there. At least Read rights are required. You can use the admin LDAP user or an admin-equivalent user. For more information about the required rights for the user you choose, see TID 7006841, Rights Needed by the LDAP Administrator for the GroupWise Mobility Service in the Novell Support Knowledgebase.

Provide the user name, along with its context in your LDAP directory tree, in the following format:

cn=user_name,ou=organizational_unit,o=organization

GroupWise LDAP

If you are using GroupWise LDAP for your LDAP source, you need to create an admin app user for Mobility using the GroupWise Admin service. To create the admin app user, run the following curl command on your GroupWise primary domain server:

curl -k --user gw_sys_admin:admin_password -X POST -H "Content-Type:application/json" --data "{\"name\":\"admin_app\",\"password\":\"admin_app_password\",\"description\":\"app_description\"}" https://GW_domain_ip:9710/gwadmin-service/system/adminapps

The following items need to be replaced in the curl command:

  • gw_sys_admin: Specify your GroupWise system admin username.

  • admin_password: Specify the password of your GroupWise system admin.

  • admin_app: Specify a name for your admin app.

  • admin_app_password: Specify a password for your admin app.

  • app_description: Specify the purpose of the admin app. In this case it is for GMS.

  • GW_domain_ip: Specify the IP address of your GroupWise primary domain server.

NOTE: If you are running this command on a Windows server, curl may not be available. You can download curl from here if needed.

The admin app is then used to authenticate to GroupWise LDAP. You need the admin app name and password. The name of the admin app needs to be specified in Mobility as follows:

cn=admin_app_user
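The curl command above sends the admin app definition as a hand-quoted JSON string with TLS verification disabled (-k). The following is an added example, not code from the GroupWise documentation, that issues the same request from the Python standard library: the body is produced by json.dumps so a password containing quotes, semicolons or asterisks cannot break the request, and the connection is verified against a CA bundle. The host names, the ca_file path and the sample credentials are assumptions for illustration; the URL path, port 9710 and the cn=admin_app form of the Mobility LDAP user name come from the page.

```python
# Added example (not from the GroupWise documentation): create a GroupWise admin app
# for Mobility with the standard library instead of curl -k.
import base64
import json
import ssl
import urllib.request

ADMIN_PORT = 9710  # GroupWise Admin Service port (default given on the page)


def admin_app_body(name, password, description):
    """JSON document for a new admin app; json.dumps handles all quoting."""
    return json.dumps({"name": name, "password": password, "description": description})


def admin_apps_url(domain_host, port=ADMIN_PORT):
    """URL of the adminapps collection on the GroupWise primary domain server."""
    return f"https://{domain_host}:{port}/gwadmin-service/system/adminapps"


def build_request(domain_host, sys_admin, sys_admin_password, name, password, description):
    """Assemble the POST with HTTP Basic credentials of the GroupWise system admin
    (the same credentials curl --user sends)."""
    token = base64.b64encode(f"{sys_admin}:{sys_admin_password}".encode()).decode()
    return urllib.request.Request(
        admin_apps_url(domain_host),
        data=admin_app_body(name, password, description).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
        method="POST",
    )


def decoded_body(req):
    """Return the JSON body that a prepared request will send, for inspection."""
    return json.loads(req.data.decode())


def mobility_ldap_dn(app_name):
    """The user name Mobility expects for the admin app: cn=<admin app name>."""
    return f"cn={app_name}"


def create_admin_app(domain_host, sys_admin, sys_admin_password, name, password,
                     description, ca_file):
    """Send the request over a verified TLS connection.

    ca_file (assumption: you have exported it) is the PEM bundle that signed the
    admin service certificate; curl -k on the page skips this verification entirely.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    req = build_request(domain_host, sys_admin, sys_admin_password, name, password, description)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Constructed sample values; replace with your own before running against a real server.
    req = build_request("gw-domain.example.com", "gw_sys_admin", "admin_password",
                        "gms_admin_app", "admin_app_password", "GroupWise Mobility Service")
    print(req.full_url)
    print(decoded_body(req))
    print("Mobility LDAP user name:", mobility_ldap_dn("gms_admin_app"))
```

After the app is created, the value returned by mobility_ldap_dn (cn=gms_admin_app in the sample) and the admin app password are what you enter as the LDAP user name and password in the worksheet.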

LDAP User and Group Containers

During installation, the Mobility Service Installation program configures the Mobility Admin console to search for users and groups in specified containers where you, as the LDAP administrator user, have rights to read the user and group information. The Installation program lets you browse for the user and group containers. It then displays the containers in the following LDAP format:

ou=container_name,ou=organizational_unit,o=organization

Initially, you can add users and groups to your Mobility system from those containers.

If you are using GroupWise LDAP, the base directory is your GroupWise system name, which you can find in the GroupWise Admin console under System > Information. It is listed at the top of the pop-up window as Information - system_name. Using that name, specify the base directory as follows:

o=system_name

MOBILITY SERVICE INSTALLATION WORKSHEET

Under LDAP Containers, specify a container object and its context in the LDAP directory tree where User objects are located. If Group objects are located in a different container, list that container as well.

After installation, when the Mobility Admin console generates lists of users and groups, it searches the containers you specify, as well as subcontainers. If you want the Mobility Admin console to be able to search multiple and organizationally separate containers for users and groups, you can configure this functionality in the Mobility Admin console. For setup information, see Searching Multiple LDAP Contexts for Users and Groups in the GroupWise Mobility Service 18 Administration Guide.

3.1.6 Gathering GroupWise System Information

In order to configure the GroupWise Sync Agent as you run the Mobility Service Installation program, you need to gather certain information about the GroupWise system where users want to synchronize data to mobile devices.

GroupWise Administration Agent

The GroupWise Administration Agent is used to connect to the primary domain of the GroupWise system. You need to know the DNS name of the primary domain server, the port the admin service uses, and the credentials of a user that has admin privileges in GroupWise.

MOBILITY SERVICE INSTALLATION WORKSHEET

Under GroupWise Administration Agent, specify the DNS name of the primary domain server, the admin service port, and the admin user credentials.

GroupWise Trusted Application

A GroupWise trusted application can log in to a GroupWise Post Office Agent (POA) in order to access GroupWise mailboxes without needing personal user passwords. The GroupWise Sync Agent requires such mailbox access in order to synchronize GroupWise data with mobile devices. In addition, the Device Sync Agent uses trusted application authentication through the GroupWise Sync Agent in order to access the GroupWise Address Book. This provides contact lookup beyond the contacts that are downloaded to users’ devices from personal address books.

Before you install the Mobility Service, you must set up the GroupWise Sync Agent as a GroupWise trusted application. You might name the trusted application MobilityService or GroupWiseSyncAgent.

A trusted application uses a key that consists of a long string of letters and numbers to authenticate to the GroupWise POA. The key file is initially created in a location that is accessible to GroupWise. You must transfer the key file to a location that is accessible to the Mobility Service Installation program.

When you set up the GroupWise Sync Agent as a trusted application, you must fill in only these three fields in the New Trusted App Key dialog box in the GroupWise Admin console (or in the Create Trusted Application dialog box in ConsoleOne in older GroupWise systems):

  • Name

  • Location for Key File

  • Name of Key File

IMPORTANT: Do not fill in any other fields.

For more information, see Creating a Trusted Application and Key in the GroupWise 18 Administration Guide.

Copy the key file to a convenient location on the Mobility server. The Installation program automatically transfers the trusted application key from the key file into the configuration of the GroupWise Sync Agent.

IMPORTANT: Do not use an existing trusted application key that is already in use by another application.

MOBILITY SERVICE INSTALLATION WORKSHEET

Under GroupWise Trusted Application, specify the name of the trusted application that you created and the location where the Mobility Service Installation program can access the trusted application key file.

You need to create only one trusted application key for the GroupWise Sync Agent, regardless of the number of servers where you install the Mobility Service, and regardless of the number of domains and post offices in your GroupWise system.
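The trusted application key grants mailbox access without any user password, so the copy you place on the Mobility server should be readable only by the account that runs the installation. The following is an added example, not part of the GroupWise documentation, that stages the key file with owner-only permissions and rejects a file that does not look like a single key (the page describes the key as one long string of letters and numbers; the exact key format and the sample key value are assumptions). The file and directory names are illustrative.

```python
# Added example (not from the GroupWise documentation): stage a trusted application
# key file on the Mobility server with restrictive permissions.
import os
import shutil
import stat
import tempfile


def read_trusted_app_key(path):
    """Return the key from a key file; reject empty, multi-line or non-alphanumeric content.
    Assumption: the file holds one line of letters and digits, as the page describes the key."""
    with open(path, "r", encoding="ascii") as fh:
        lines = [ln.strip() for ln in fh if ln.strip()]
    if len(lines) != 1:
        raise ValueError(f"{path}: expected exactly one non-empty line, found {len(lines)}")
    key = lines[0]
    if not key.isalnum():
        raise ValueError(f"{path}: key should contain only letters and digits")
    return key


def stage_key_file(src, dest_dir):
    """Copy the key file into dest_dir (created 0700) as a 0600 file and return its path."""
    read_trusted_app_key(src)  # fail before copying if the source is not a usable key file
    os.makedirs(dest_dir, mode=0o700, exist_ok=True)
    dest = os.path.join(dest_dir, os.path.basename(src))
    shutil.copyfile(src, dest)
    os.chmod(dest, stat.S_IRUSR | stat.S_IWUSR)  # owner read/write only
    return dest


def key_file_is_private(path):
    """True if no group or other permission bits are set on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo():
    """Run the staging steps on a constructed sample key in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "mobility.key")
        with open(src, "w") as fh:
            fh.write("A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6\n")  # constructed sample key, not a real one
        dest = stage_key_file(src, os.path.join(tmp, "staged"))
        empty = os.path.join(tmp, "empty.key")
        open(empty, "w").close()
        try:
            read_trusted_app_key(empty)
            rejected_empty = False
        except ValueError:
            rejected_empty = True
        return {
            "key": read_trusted_app_key(dest),
            "private": key_file_is_private(dest),
            "name": os.path.basename(dest),
            "rejected_empty": rejected_empty,
        }


if __name__ == "__main__":
    print(demo())
```

Point the worksheet entry "location of the trusted application key file" at the staged copy, and remove the copy once the Installation program has imported the key into the GroupWise Sync Agent configuration.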

NOTE: If your GroupWise system connects to any external GroupWise domains, the external GroupWise system needs its own Mobility Service installation on an additional Mobility server, along with its own separate trusted application key.

GroupWise Post Office Agent SOAP URL

The GroupWise Sync Agent accesses your GroupWise system by communicating with a Post Office Agent (POA). The selected POA must be configured for SOAP.

The Mobility Service Installation program and the GroupWise Sync Agent need the IP address or DNS hostname of the server where the POA is running. In addition, they need the POA SOAP port. The default POA SOAP port is 7191.

Typically, the same port number is used regardless of whether the POA is configured for a secure SSL SOAP connection. The Mobility Service Installation program and the GroupWise Sync Agent need to know whether the connection is secure because they use one of the following URLs to communicate with the POA:

  • Non-Secure SOAP URL: http://poa_server_address:soap_port/soap

  • Secure SOAP URL: https://poa_server_address:soap_port/soap

MOBILITY SERVICE INSTALLATION WORKSHEET

Under GroupWise Post Office Agent, specify the IP address or DNS hostname of the server where a POA configured for SOAP is running. Specify the SOAP port, and whether or not the POA requires a secure SSL SOAP connection.

IMPORTANT: By default, the POA communicates with the GroupWise Sync Agent using port 4500 on the Mobility server. If there is a firewall between the Mobility server and the POA server, be sure to configure the firewall on the Mobility server to allow communication on port 4500 from the POA server. If necessary, you can configure the GroupWise Sync Agent to listen on a different port number after installation. For setup information, see Changing the GroupWise Sync Agent Listening Port in the GroupWise Mobility Service 18 Administration Guide.
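The LDAP server section above and this POA section each name a host, a port and a secure/non-secure choice, and each warns about a firewall on the path. The following is an added example, not code from the GroupWise documentation, that derives the LDAP URL (ldaps on 636 or ldap on 389) and the POA SOAP URL (the page's http or https form on 7191) from the worksheet values and tests TCP reachability of each, plus port 4500 on the Mobility server. The host names are assumptions; the ports and URL forms are the page's defaults.

```python
# Added example (not from the GroupWise documentation): build the LDAP and POA SOAP
# endpoints from worksheet values and check the firewall paths the page calls out.
import socket
from urllib.parse import urlparse

LDAP_SECURE_PORT = 636   # default secure LDAP port (page)
LDAP_PORT = 389          # default non-secure LDAP port (page)
POA_SOAP_PORT = 7191     # default POA SOAP port (page)
SYNC_AGENT_PORT = 4500   # POA -> GroupWise Sync Agent callback port (page)


def ldap_url(host, secure, port=None):
    """ldaps://host:636 for an SSL LDAP server, ldap://host:389 otherwise."""
    port = port or (LDAP_SECURE_PORT if secure else LDAP_PORT)
    return f"{'ldaps' if secure else 'ldap'}://{host}:{port}"


def poa_soap_url(host, secure, port=POA_SOAP_PORT):
    """URL the GroupWise Sync Agent uses for the POA; the port is the same either way."""
    return f"{'https' if secure else 'http'}://{host}:{port}/soap"


def tcp_reachable(host, port, timeout=3.0):
    """Open and close a TCP connection. False means a firewall, wrong host or stopped service."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(ldap_host, ldap_secure, poa_host, poa_secure, mobility_host="127.0.0.1"):
    """Reachability of every endpoint the worksheet names, keyed by role."""
    targets = {
        "ldap": urlparse(ldap_url(ldap_host, ldap_secure)),
        "poa_soap": urlparse(poa_soap_url(poa_host, poa_secure)),
    }
    results = {name: tcp_reachable(u.hostname, u.port) for name, u in targets.items()}
    # The POA calls back to the Sync Agent on the Mobility server. Nothing listens on
    # 4500 until the Mobility Service is installed, so run this part from the POA
    # server after installation to confirm the firewall rule on the Mobility server.
    results["sync_agent_listener"] = tcp_reachable(mobility_host, SYNC_AGENT_PORT)
    return results


def local_reachability_demo():
    """Confirm tcp_reachable sees a live local listener and reports a closed port as down."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))   # ephemeral port, constructed stand-in for a real service
        srv.listen(1)
        port = srv.getsockname()[1]
        open_ok = tcp_reachable("127.0.0.1", port, timeout=1.0)
    closed_ok = not tcp_reachable("127.0.0.1", port, timeout=1.0)
    return open_ok and closed_ok


if __name__ == "__main__":
    # Constructed sample hosts; substitute the values from your worksheet.
    print(ldap_url("ldap.example.com", secure=True))
    print(poa_soap_url("poa.example.com", secure=True))
    print(preflight("ldap.example.com", True, "poa.example.com", True))
```

A reachable port only shows that the firewall passes the connection; whether the POA actually accepts SOAP on it, and whether the LDAP or POA certificate validates, is still confirmed by the Installation program itself.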

GroupWise Address Book User

The Device Sync Agent needs to be able to access the GroupWise Address Book to obtain user information. The Device Sync Agent establishes this access through the GroupWise Sync Agent.

The Device Sync Agent needs Address Book access that is equivalent to a typical user. You control what users see in the GroupWise Address Book by controlling object visibility. You want the Device Sync Agent to access the GroupWise Address Book with the same visibility that a typical GroupWise user has when viewing the GroupWise Address Book. For more information, see Controlling Object Visibility in the GroupWise 18 Administration Guide.

You need to select a user whose view of the GroupWise Address Book matches what you want the Device Sync Agent to be able to access. You do not need to provide the password for the GroupWise user because the Device Sync Agent accesses the GroupWise Address Book through the GroupWise Sync Agent, which has trusted application status.

As an example, you might have a group of mobile device users who need access to Address Book information about upper-level management in your company and another group of mobile device users who should not have this Address Book information. To meet such needs, you would set up two Mobility servers, one with Address Book visibility that includes upper-level management, and a second one where such Address Book visibility is not provided. You would achieve this by setting up each Mobility server with an Address Book user whose Address Book visibility provides the visibility appropriate for all users on that Mobility server.

MOBILITY SERVICE INSTALLATION WORKSHEET

Under GroupWise Address Book User, specify a valid GroupWise user name that the Device Sync Agent can use to access the GroupWise Address Book to obtain contact information.

3.1.7 Gathering Mobile Device Information

The Device Sync Agent needs certain configuration information about the mobile devices that it synchronizes GroupWise data with.

For device-specific information, see the GroupWise Mobility Service Devices Wiki.

Device Connection Port

By default, the Device Sync Agent uses all available IP addresses on the Mobility server. You can bind the Device Sync Agent to a specific IP address after installation. For setup information, see Binding to a Specific IP Address in the GroupWise Mobility Service 18 Administration Guide.

Typically, the Device Sync Agent uses port 443 for secure SSL HTTP connections with mobile devices and port 80 for non-secure HTTP connections. If mobile devices connect directly to the Device Sync Agent, a secure HTTP connection is strongly recommended. If mobile devices connect to the Device Sync Agent through a security application such as Micro Focus Access Manager or Micro Focus ZENworks Mobile Management, the Device Sync Agent can appropriately be configured with a non-secure HTTP connection. For more information, see Integrating with Mobile Device Management Applications.

MOBILITY SERVICE INSTALLATION WORKSHEET

Under Device Connection Port, mark whether you want to configure the Device Sync Agent to use a secure or non-secure HTTP port to communicate with mobile devices. Specify the port number used by the mobile devices that your Mobility system supports.

IMPORTANT: If there is a firewall between the Mobility server and users’ mobile devices, be sure to configure the firewall to allow communication on the selected HTTP port (443 or 80).

Server Certificate

In order to use a secure SSL HTTP connection between the Device Sync Agent and mobile devices, a server certificate is required. If you do not already have a certificate signed by a certificate authority (CA) for the Mobility server, the Mobility Service Installation program can generate a self-signed certificate for you. However, you should obtain a commercially signed certificate as soon after installation as possible.

IMPORTANT: iOS 13 has new requirements for certificates. You need to make sure your certificates comply with these requirements for iOS 13 devices to connect to Mobility. The list of requirements can be found at https://support.apple.com/en-in/HT210176.

MOBILITY SERVICE INSTALLATION WORKSHEET

Under Mobile Device Port, mark whether you want the Mobility Service Installation program to generate a self-signed certificate for you. If you already have a commercially signed certificate, specify the location of the certificate file. Ensure that the location is accessible to the Mobility Service Installation program on the Mobility server.

For more information about certificates, see Securing Communication between the Device Sync Agent and Mobile Devices in the GroupWise Mobility Service 18 Administration Guide.

3.1.8 Planning the Mobility Database

When you run the Mobility Service Installation program, it creates a PostgreSQL database that is used to store the Mobility system configuration information that you see in the Mobility Admin console. It also stores pending events when synchronization is interrupted.

The Mobility Service database is named datasync, and the user that has access is named datasync_user. You must supply the password for the Mobility Service database user.

IMPORTANT: Choose the password carefully, because you cannot change it. Do not use an asterisk (*) or a semi-colon (;) in the password.

MOBILITY SERVICE INSTALLATION WORKSHEET

Under Mobility Database, specify the password that you want to use for the Mobility Service database.

3.1.9 Establishing Mobility System Security

Configuration and administration of your Mobility system is performed through the Mobility Administration console. From the Mobility Admin console, you can do the following:

  • Add users, groups of users, and resources to your Mobility system

  • Configure and monitor the sync agents

  • Reconfigure the connection to your LDAP server if you are using LDAP as your user source

  • Configure integration with other applications such as ZENworks Mobile Management and KeyShield SSO

To protect your Mobility system operation and configuration, the Mobility Admin console is protected by a user name and password. You log in to the Mobility Admin console by using the root user name and password.

MOBILITY SERVICE INSTALLATION WORKSHEET

Under root Access to Mobility Admin Console, specify the root password on the Mobility server. If you are using LDAP, you can use the root user and password to access the Mobility Admin console if the LDAP server is down.

You can add more users as Mobility administrators after installation. For more information, see Setting Up Multiple Mobility Administrator Users in the GroupWise Mobility Service 18 Administration Guide.