1. WIN-911 Mobile Security Overview
WIN-911 Mobile provides remote access to WIN-911 systems from iOS and Android mobile devices by leveraging Microsoft's Azure cloud services, which provide a secure connection between the WIN-911 system and mobile devices.
WIN-911 Mobile requires a connection to the internet to access Azure cloud services. You have two options for deploying WIN-911 Mobile: standalone or distributed. A standalone deployment requires internet access on the system where WIN-911 is running. A distributed deployment makes use of the WIN-911 Mobile Hub, which acts as a proxy to the Azure cloud services.
This document details the deployment of WIN-911 Mobile for standalone and distributed installations using the WIN-911 Mobile Hub.
A. WIN-911 Mobile Components
| Component | Description |
| --- | --- |
| WIN-911 Mobile Module | The WIN-911 Mobile module is used to configure Mobile Contacts and set their permissions within WIN-911. The Mobile Module is installed with the other WIN-911 modules, e.g. the Dispatcher, Source and Notifier modules. |
| WIN-911 Mobile Hub | The WIN-911 Mobile Hub is used to add a layer of separation between the control network, where WIN-911 is running, and the Internet, functioning much like a proxy server. The Mobile Hub can also aggregate multiple WIN-911 systems to the WIN-911 Mobile Web API. |
| WIN-911 Mobile Web API | The Mobile Web API is a cloud-hosted web service that allows communication between WIN-911 and mobile devices. WIN-911 and mobile devices do not communicate directly; rather, the Mobile Web API serves as a proxy for all communications. |
| Azure WCF Relay | Establishes a secure channel that allows the WIN-911 Mobile Web API to communicate with the WIN-911 Mobile Module/Hub. |
| Azure Active Directory (Azure AD) | Azure Active Directory serves as the identity provider for authentication when accessing the WIN-911 Mobile Web API. |
| WIN-911 Mobile Apps | Mobile apps that run on iOS and Android devices. |
B. WIN-911 Mobile Web API Authentication
The WIN-911 Mobile Web API facilitates the connection between the WIN-911 Mobile Module and the WIN-911 Mobile apps. This is important because mobile devices DO NOT require direct access to your network: both the WIN-911 Mobile Runtime and the WIN-911 Mobile apps communicate with the Web API, and no traffic from mobile devices passes through the Mobile Web API to your network.
WIN-911 Software hosts the Mobile Web API using Azure Cloud Services, with Azure Active Directory serving as the identity provider. An identity provider is responsible for verifying the identity of users before they access the Mobile Web API. The two components that access the Web API, and must therefore be authenticated, are the WIN-911 Mobile Module and the WIN-911 Mobile apps.
B.1 WIN-911 Mobile Gateway Account
When you purchase or demo WIN-911 Mobile, you will be provided with an Azure AD account belonging to our win911mobile.com tenant. This is the WIN-911 Mobile Gateway account, which is used by the WIN-911 Mobile Module to access the WIN-911 Mobile Web API. When you receive the credentials for this account, you will need to change its temporary password before using it with WIN-911. You can do this by signing in at http://login.microsoftonline.com.
Once the WIN-911 Mobile Module is connected to the Mobile Web API, you can begin adding Mobile app users to the WIN-911 configuration.
B.2 WIN-911 Mobile App Accounts
Mobile app accounts differ from Mobile Module accounts in that they are owned by the users of the app. Rather than receiving a win911mobile.com Azure AD account, users must create their own Microsoft account. In some cases the user may already have a Microsoft account, for example if they use a work email address that is tied to an Office 365 account.
We leverage Azure B2C (business-to-consumer) to extend access to the Mobile Web API to users invited to consume resources on our Azure tenant. You can learn more about Azure B2C in Microsoft's official documentation.
When creating mobile app users in WIN-911 Workspace, an email address must be entered for each user. Azure AD will send an invitation to the specified email address to create a Microsoft account. If the email address entered already belongs to a Microsoft account, e.g. an Office 365 account, the user will instead receive a prompt to authorize access to the WIN-911 Mobile Web API.
Before the WIN-911 Mobile Module or the Mobile apps can access the Mobile Web API, they must first authenticate with Azure AD. Once authenticated, a token is returned, which the Module and apps then present to execute methods on the Mobile Web API. The WIN-911 Mobile apps follow the same process, which is illustrated below.
C. Network Architecture
Two deployment options are available when setting up WIN-911 Mobile on your network: Standalone or Distributed.
A Standalone configuration requires internet access on your WIN-911 system, which is typically installed on a process network, while a Distributed deployment does not. A Distributed deployment makes use of the WIN-911 Mobile Hub, a separate application that internet traffic can be routed through, much like a proxy server, adding a layer of separation from the internet. The Mobile Hub can be installed on a separate network layer from the WIN-911 installation, for example the DMZ or the business network.
All network traffic, regardless of the deployment, is outbound-initiated, which means you can communicate with the WIN-911 Mobile Web API and Azure AD without opening an inbound port on your firewall or making intrusive changes to your corporate network infrastructure.
The table below details the network connections for each deployment option.

Standalone Deployment

| Source | Destination | Protocol | Port | Host |
| --- | --- | --- | --- | --- |
| WIN-911 Mobile Runtime | Azure Active Directory | HTTPS | 443 | login.microsoftonline.com |
| WIN-911 Mobile Runtime | WIN-911 Web API | HTTPS | 443 | |
| WIN-911 Mobile Runtime | Azure WCF Relay * | TCP w/TLS | 5671/9350 - 9353 | win911mobileproductionrelay.servicebus.windows.net |

* see Azure WCF Relay note below

Distributed with Hub Deployment

| Source | Destination | Protocol | Port | Host |
| --- | --- | --- | --- | --- |
| WIN-911 Mobile Runtime | WIN-911 Mobile Hub | TCP | 59111 (default) | NA |
| WIN-911 Mobile Hub | Azure Active Directory | HTTPS | 443 | login.microsoftonline.com |
| WIN-911 Mobile Hub | Web API | HTTPS | 443 | |
| WIN-911 Mobile Hub | Azure WCF Relay * | TCP w/TLS | 5671/9350 - 9353 | win911mobileproductionrelay.servicebus.windows.net |

* see Azure WCF Relay note below
Azure WCF Relay
We make use of an Azure WCF Relay to create a secure communication channel between the WIN-911 Web API and the WIN-911 Mobile Module/Hub running in your network. The relay allows users to request alarms/reports and acknowledge alarms from mobile devices without the need for polling while maintaining an entirely outbound initiated architecture.
The flow of the connection is as follows:
- WIN-911 Mobile Module/Hub connects to the relay service through an outbound port.
- It creates a bi-directional socket for communication.
- The WIN-911 Mobile Web API can then communicate with the on-premises WIN-911 Mobile Module/Hub by sending traffic to the relay service.
- The relay service relays data to the on-premises WIN-911 Mobile Module/Hub through the bi-directional socket dedicated to the WIN-911 Mobile Web API.
If you do not block outbound traffic, you won't need to make firewall changes for the Azure Relay to function correctly. If you do block outbound traffic, you will need to allow outbound traffic to the relay service gateways, of which there are 64. The gateway IP addresses are not static; Microsoft states that 20% of the IPs will change over a month. Microsoft recommends whitelisting the domain names of the gateways, if possible.
Domain Name Whitelist
See attached CSV for the 64 domain names.
IP Address Whitelist
We do not recommend this method, as the IP addresses will change over time. Unfortunately, we cannot change the behavior of the relay service. If you'd like to discover which IP addresses are currently in use, you will need to run a PowerShell script from Microsoft, which you can download from here. We've included the IP addresses in the CSV file attached to this article, but they may be out of date by the time you read this.
When you run the script, you will need to enter the namespace for our relay, which is win911mobileproductionrelay. The script will discover all the IPs currently in use and display them.
A gateway address looks like this: g0-prod-dm2-004-sb.servicebus.windows.net. The names increment up to g63-prod-dm2-004-sb.servicebus.windows.net.
C.1 Standalone Deployment Architecture
C.2 Distributed Deployment Architecture
We store the WIN-911 Site and Connection names in our database. The WIN-911 site name is the user-defined name of a WIN-911 system. For example, if you log into the WIN-911 Mobile demo, the site name is "Demo Site."
The Connection names are the names of the Contacts in a WIN-911 user's configuration. Using the example of the WIN-911 Mobile demo again, you will see a connection name of "Demo User 01." We also store the Gateway email address (the @win911mobile.com account we provide users) and the Connection email addresses. Our web app hashes these addresses, meaning they are anonymized; if our database were ever compromised, an attacker would not be able to view them.
We don't store passwords as Azure AD handles account management.
E. Testing open ports from Mobile Module or Mobile Hub
Attached is a PowerShell script that you can run from your Mobile Module machine or Mobile Hub machine to test whether outgoing traffic is allowed on the WCF ports listed in section C (and to the 64 domain names in the CSV file). The WIN-911_Mobile_Port_Check script tests your machine's connectivity to a random 5 of the 64 domain names and creates a CSV file in the same location as the script with a pass/fail result (True or False). You may need to run the script twice if the first run results in all fails, as not all 64 domains are reachable at any given time.
CSV example below:
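The attached script and its CSV are not reproduced here. As an added example that is not WIN-911's WIN-911_Mobile_Port_Check script, the following PowerShell builds the 64 gateway names from the pattern given in section C, probes a random sample of them on the relay ports from the connection table, and writes a True/False CSV of the kind described above; the sample size, timeout and output file name are assumptions.

```powershell
# Added example: egress check for the Azure Relay gateways used by WIN-911 Mobile.
# This is not the WIN-911_Mobile_Port_Check script attached to the article; it is an
# independent illustration. Gateway name pattern and ports are taken from the article;
# the sample size, timeout and output file name are assumptions.
param(
    [int]$SampleSize = 5,
    [int]$TimeoutMs  = 5000,
    [string]$OutFile = '.\WIN-911_Mobile_Egress_Check.csv'
)
# Relay gateway host names from the article: g0 through g63 with the same suffix.
$gateways = 0..63 | ForEach-Object { "g$($_)-prod-dm2-004-sb.servicebus.windows.net" }

# Ports the Mobile Runtime / Mobile Hub use towards the WCF Relay (section C table).
$ports = @(443, 5671, 9350, 9351, 9352, 9353)

# TCP reachability only: this does not validate TLS or relay authentication.
function Test-OutboundTcp {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        # A firewall that silently drops packets would otherwise hang the connect,
        # so wait a bounded time and report False on timeout.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}
# Not every gateway is reachable at any given time, so sample a random subset.
$results = foreach ($gw in ($gateways | Get-Random -Count $SampleSize)) {
    foreach ($p in $ports) {
        [pscustomobject]@{
            Timestamp = (Get-Date).ToString('s')
            Source    = $env:COMPUTERNAME
            Gateway   = $gw
            Port      = $p
            Reachable = Test-OutboundTcp -HostName $gw -Port $p -TimeoutMs $TimeoutMs
        }
    }
}

$results | Export-Csv -Path $OutFile -NoTypeInformation
$results | Format-Table -AutoSize
if (-not ($results | Where-Object Reachable)) { Write-Warning 'Nothing reachable; re-run once before concluding egress is blocked.' }
```

A False for every row on two consecutive runs points at an egress rule rather than gateway rotation, which is when the domain allowlist in the section above should be reviewed.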