3.1 Planning a Mobility System

You can use the GroupWise Mobility Service Installation Worksheet to gather the information you need so that you are prepared to provide the information requested by the Mobility Service Installation program.

The topics in this section present the required information in a convenient planning sequence. The Installation Worksheet organizes the information in the order in which you need it during the installation process.

3.1.1 Planning the Configuration of Your Mobility System

A Mobility system can consist of a single Mobility server or multiple Mobility servers. For planning guidelines, review the following sections as needed:

MOBILITY SERVICE INSTALLATION WORKSHEET

Print one copy of the GroupWise Mobility Service Installation Worksheet for each Mobility server that you are planning for your Mobility system.

If you plan to install the Mobility Service on multiple servers, you can proceed through the planning sections server by server, or you can apply each planning section to all planned servers, and then proceed to the next planning section.

IMPORTANT: For best security, plan to install the Mobility Service software on servers inside your DMZ.

3.1.2 Selecting Mobility Servers

Each server where you install the Mobility Service must meet the system requirements listed in GroupWise Mobility Service System Requirements. The Mobility Service requires a static IP address.

MOBILITY SERVICE INSTALLATION WORKSHEET

Under Mobility Service Server Information, specify the IP address or DNS hostname of the server where you plan to install the Mobility Service software.

3.1.3 Gathering GroupWise Information

Mobility requires a GroupWise license to run. Mobility automatically connects to GroupWise to get the license information. During the install, you need to specify information for Mobility to connect to GroupWise.

MOBILITY SERVICE INSTALLATION WORKSHEET

Under GroupWise Server Information, specify the IP address or DNS hostname of the GroupWise server, along with the Admin Port (default is 9710), GroupWise Admin user, and GroupWise Admin password.

3.1.4 Preparing GroupWise as the User Source for Your Mobility System

The GroupWise Mobility Service obtains information about users and groups of users from a GroupWise system.

Use the GroupWise Admin console to manage the users and GroupWise groups that are added to your Mobility system.

This keeps user management in a single location for both your GroupWise system and your Mobility system.

3.1.5 Gathering GroupWise System Information

In order to configure the GroupWise Sync Agent as you run the Mobility Service Installation program, you need to gather certain information about the GroupWise system where users want to synchronize data to mobile devices.

GroupWise Administration Agent

The GroupWise Administration Agent is used to connect to the primary domain of the GroupWise system. You need to know the DNS name of the primary domain server, the port the admin service uses, and the credentials of a user that has admin privileges in GroupWise.

MOBILITY SERVICE INSTALLATION WORKSHEET

Under GroupWise Administration Agent, specify the DNS name of the primary domain server, the admin service port, and the admin user credentials.

GroupWise Trusted Application

A GroupWise trusted application can log in to a GroupWise Post Office Agent (POA) in order to access GroupWise mailboxes without needing personal user passwords. The GroupWise Sync Agent requires such mailbox access in order to synchronize GroupWise data with mobile devices. In addition, the Device Sync Agent uses trusted application authentication through the GroupWise Sync Agent in order to access the GroupWise Address Book. This provides contact lookup beyond the contacts that are downloaded to users’ devices from personal address books.

Before you install the Mobility Service, you must set up the GroupWise Sync Agent as a GroupWise trusted application. You might name the trusted application MobilityService or GroupWiseSyncAgent.

A trusted application uses a key that consists of a long string of letters and numbers to provide authentication for the GroupWise POA. The key file is initially created in a location that is accessible to GroupWise. You must transfer the key file to a location that is accessible to the Mobility Service Installation program.

When you set up the GroupWise Sync Agent as a trusted application, you must fill in only these three fields in the New Trusted App Key dialog box in the GroupWise Admin console (or in the Create Trusted Application dialog box in ConsoleOne in older GroupWise systems):

  • Name

  • Location for Key File

  • Name of Key File

IMPORTANT: Do not fill in any other fields.

For more information, see Creating a Trusted Application and Key in the GroupWise 18 Administration Guide.

Copy the key file to a convenient location on the Mobility server. The Installation program automatically transfers the trusted application key from the key file into the configuration of the GroupWise Sync Agent.

IMPORTANT: Do not use an existing trusted application key that is already in use by another application.

MOBILITY SERVICE INSTALLATION WORKSHEET

Under GroupWise Trusted Application, specify the name of the trusted application that you created and the location where the Mobility Service Installation program can access the trusted application key file.

You need to create only one trusted application key for the GroupWise Sync Agent, regardless of the number of servers where you install the Mobility Service, and regardless of the number of domains and post offices in your GroupWise system.

NOTE: If your GroupWise system connects to any external GroupWise domains, the external GroupWise system needs its own Mobility Service installation on an additional Mobility server, along with its own separate trusted application key.

GroupWise Post Office Agent SOAP URL

The GroupWise Sync Agent accesses your GroupWise system by communicating with a Post Office Agent (POA). The selected POA must be configured for SOAP.

The Mobility Service Installation program and the GroupWise Sync Agent need the IP address or DNS hostname of the server where the POA is running. In addition, they need the POA SOAP port. The default POA SOAP port is 7191.

Typically, the same port number is used regardless of whether the POA is configured for a secure SSL SOAP connection. The Mobility Service Installation program and the GroupWise Sync Agent need to know whether the connection is secure because they use one of the following URLs to communicate with the POA:

  • Non-Secure SOAP URL: http://poa_server_address:soap_port/soap

  • Secure SOAP URL: https://poa_server_address:soap_port/soap

MOBILITY SERVICE INSTALLATION WORKSHEET

Under GroupWise Post Office Agent, specify the IP address or DNS hostname of the server where a POA configured for SOAP is running. Specify the SOAP port, and whether or not the POA requires a secure SSL SOAP connection.

IMPORTANT: By default, the POA communicates with the GroupWise Sync Agent using port 4500 on the Mobility server. If there is a firewall between the Mobility server and the POA server, be sure to configure the firewall on the Mobility server to allow communication on port 4500 from the POA server. If necessary, you can configure the GroupWise Sync Agent to listen on a different port number after installation. For setup information, see Changing the GroupWise Sync Agent Listening Port in the GroupWise Mobility Service 18 Administration Guide.

GroupWise Address Book User

The Device Sync Agent needs to be able to access the GroupWise Address Book to obtain user information. The Device Sync Agent establishes this access through the GroupWise Sync Agent.

The Device Sync Agent needs Address Book access that is equivalent to a typical user. You control what users see in the GroupWise Address Book by controlling object visibility. You want the Device Sync Agent to access the GroupWise Address Book with the same visibility that a typical GroupWise user has when viewing the GroupWise Address Book. For more information, see Controlling Object Visibility in the GroupWise 18 Administration Guide.

You need to select a user whose view of the GroupWise Address Book matches what you want the Device Sync Agent to be able to access. You do not need to provide the password for the GroupWise user because the Device Sync Agent accesses the GroupWise Address Book through the GroupWise Sync Agent, which has trusted application status.

As an example, you might have a group of mobile device users who need access to Address Book information about upper-level management in your company and another group of mobile device users who should not have this Address Book information. To meet such needs, you would set up two Mobility servers, one with Address Book visibility that includes upper-level management, and a second one where such Address Book visibility is not provided. You would achieve this by setting up each Mobility server with an Address Book user whose Address Book visibility provides the visibility appropriate for all users on that Mobility server.

MOBILITY SERVICE INSTALLATION WORKSHEET

Under GroupWise Address Book User, specify a valid GroupWise user name that the Device Sync Agent can use to access the GroupWise Address Book to obtain contact information.

3.1.6 Gathering Mobile Device Information

The Device Sync Agent needs certain configuration information about the mobile devices that it synchronizes GroupWise data with.

Device Connection Port

By default, the Device Sync Agent uses all available IP addresses on the Mobility server. You can bind the Device Sync Agent to a specific IP address after installation. For setup information, see Binding to a Specific IP Address in the GroupWise Mobility Service 18 Administration Guide.

Typically, the Device Sync Agent uses port 443 for secure SSL HTTP connections with mobile devices and port 80 for non-secure HTTP connections. If mobile devices connect directly to the Device Sync Agent, a secure HTTP connection is strongly recommended. If mobile devices connect to the Device Sync Agent through a security application such as Micro Focus Access Manager or Micro Focus ZENworks Mobile Management, the Device Sync Agent can appropriately be configured with a non-secure HTTP connection. For more information, see Integrating with Mobile Device Management Applications.

MOBILITY SERVICE INSTALLATION WORKSHEET

Under Device Connection Port, mark whether you want to configure the Device Sync Agent to use a secure or non-secure HTTP port to communicate with mobile devices. Specify the port number used by the mobile devices that your Mobility system supports.

IMPORTANT: If there is a firewall between the Mobility server and users’ mobile devices, be sure to configure the firewall to allow communication on the selected HTTP port (443 or 80).

Server Certificate

In order to use a secure SSL HTTP connection between the Device Sync Agent and mobile devices, a CA-signed server certificate is required. If you do not already have a certificate signed by a certificate authority (CA) for the Mobility server, the Mobility Service Installation program can generate a self-signed certificate for you. However, you must obtain and install a commercially signed certificate in order for iOS 13 and later devices to connect to the Mobility Service.

IMPORTANT: The list of certificate requirements for iOS 13 and later devices is found at https://support.apple.com/en-in/HT210176.

If you have the installation program generate a temporary self-signed certificate, you must replace it as soon as possible with a CA-signed replacement by doing the following:

  1. On the Mobility server, navigate to /var/lib/datasync.

  2. Rename the gms_mobility.pem certificate file to gms_mobility.pem.old.

  3. Copy the CA-signed replacement certificate file to /var/lib/datasync.

  4. Rename the CA-signed file to gms_mobility.pem.

    IMPORTANT: Do not modify or replace the gms_server.pem file. This is used only within the GMS server itself.

  5. At the terminal prompt, enter gms restart.

    All devices should now be able to connect to the Mobility server.
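
The replacement steps above can be scripted so that a file that is still self-signed, is close to expiry, or lacks a matching private key is rejected before it replaces the live certificate. This is an added example, not part of the product documentation; it assumes openssl is installed and that gms_mobility.pem holds the certificate and its private key in one PEM file, and the function names and the DATASYNC_DIR variable are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight checks, then steps 1-4 of the procedure above.
# Assumption: the PEM holds the certificate and its private key together.
DATASYNC_DIR=${DATASYNC_DIR:-/var/lib/datasync}

# check_pem FILE: report problems; return 0 only if FILE is fit to install.
check_pem() {
    pem=$1; rc=0
    subj=$(openssl x509 -in "$pem" -noout -subject_hash 2>/dev/null) || {
        echo "FAIL: no readable certificate in $pem"; return 1; }
    iss=$(openssl x509 -in "$pem" -noout -issuer_hash)
    # A self-signed certificate names itself as issuer.
    if [ "$subj" = "$iss" ]; then
        echo "FAIL: self-signed (issuer equals subject)"; rc=1
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null || {
        echo "FAIL: expired or expiring within 30 days"; rc=1; }
    # The private key in the file must match the certificate's public key.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: private key missing or not matching the certificate"; rc=1; }
    return $rc
}

# install_cert FILE: back up the live certificate and put FILE in its place.
# gms_server.pem is never touched. The restart (step 5) is left to the operator.
install_cert() {
    new=$1; cur=$DATASYNC_DIR/gms_mobility.pem
    check_pem "$new" || { echo "Not installing $new"; return 1; }
    if [ -f "$cur" ]; then
        cp -p "$cur" "$cur.old" || return 1
        # Overwrite in place so the live file keeps its owner and mode.
        cat "$new" > "$cur" || return 1
    else
        ( umask 077; cp "$new" "$cur" ) || return 1
    fi
    echo "Installed $cur; run 'gms restart' to load it"
}

# Usage: sh this_script /path/to/ca_signed.pem
if [ -n "${1:-}" ]; then install_cert "$1"; fi
```

The script does not check the iOS 13 requirements listed at the Apple link above; those still need to be confirmed with the issuing CA.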

MOBILITY SERVICE INSTALLATION WORKSHEET

Under Mobile Device Port, specify the location of the CA-signed certificate file. Ensure that the location is accessible to the Mobility Service Installation program on the Mobility server.

For more information about certificates, see Securing Communication between the Device Sync Agent and Mobile Devices in the GroupWise Mobility Service 18 Administration Guide.

3.1.7 Planning the Mobility Database

When you run the Mobility Service Installation program, it creates a PostgreSQL database that is used to store the Mobility system configuration information that you see in the Mobility Admin console. It also stores pending events when synchronization is interrupted.

The Mobility Service database is named datasync, and the user that has access is named datasync_user. You must supply the password for the Mobility Service database user.

IMPORTANT: Choose the password carefully, because you cannot change it. Do not use an asterisk (*) or a semi-colon (;) in the password.

MOBILITY SERVICE INSTALLATION WORKSHEET

Under Mobility Database, specify the password that you want to use for the Mobility Service database.

3.1.8 Establishing Mobility System Security

Configuration and administration of your Mobility system is performed through the Mobility Administration console. From the Mobility Admin console, you can do the following:

  • Add users, groups of users, and resources to your Mobility system

  • Configure and monitor the sync agents

  • Configure integration with other applications such as ZENworks Mobile Management and KeyShield SSO

To protect your Mobility system operation and configuration, the Mobility Admin console is protected by a user name and password. You log in to the Mobility Admin console by using the root user name and password.

MOBILITY SERVICE INSTALLATION WORKSHEET

Under root Access to Mobility Admin Console, specify the root password on the Mobility server.

You can add more users as Mobility administrators after installation. For more information, see Adding GroupWise Users as Mobility Administrators in the GroupWise Mobility Service 18 Administration Guide.