1. WIN-911 Mobile Security Overview
WIN-911 Mobile provides remote access to WIN-911 systems from iOS and Android mobile devices by leveraging Microsoft's Azure cloud services, which provide a secure connection between the WIN-911 system and the mobile devices.
WIN-911 Mobile requires a connection to the internet to access Azure cloud services. You have two options for deploying WIN-911 Mobile: standalone and distributed. A standalone deployment requires internet access on the system where WIN-911 is running. A distributed deployment makes use of the WIN-911 Mobile Hub, which acts as a proxy to the Azure cloud services.
This document details the deployment of WIN-911 Mobile for standalone and distributed installations using the WIN-911 Mobile Hub.
A. WIN-911 Mobile Components
| Component | Description |
|---|---|
| WIN-911 Mobile Module | The WIN-911 Mobile module is used to configure Mobile Contacts and set their permissions within WIN-911. The Mobile Module is installed with the other WIN-911 modules, e.g. the Dispatcher, Source and Notifier modules. |
| WIN-911 Mobile Hub | The WIN-911 Mobile Hub is used to add a layer of separation between the control network, where WIN-911 is running, and the Internet, functioning much like a proxy server. The Mobile Hub can also aggregate multiple WIN-911 systems to the WIN-911 Mobile Web API. |
| WIN-911 Mobile Web API | The Mobile Web API is a cloud-hosted web service that allows communication between WIN-911 and mobile devices. WIN-911 and mobile devices do not communicate directly; the Mobile Web API serves as a proxy for all communications. |
| Azure Active Directory (Azure AD) | Azure Active Directory serves as the identity provider for authentication when accessing the WIN-911 Mobile Web API. |
| WIN-911 Mobile Apps | Mobile apps that run on iOS and Android devices. |
B. WIN-911 Mobile Web API Authentication
The WIN-911 Mobile Web API facilitates the connection between the WIN-911 Mobile Module and the WIN-911 Mobile apps. This is important because mobile devices DO NOT require direct access to your network: both the WIN-911 Mobile Runtime and the WIN-911 Mobile apps communicate with the Web API, and no traffic from mobile devices passes through the Mobile Web API to your network.
WIN-911 Software hosts the Mobile Web API using Azure Cloud Services, with Azure Active Directory serving as the identity provider. An identity provider is responsible for verifying the identity of users before they access the Mobile Web API. The two components that access the Web API, and therefore must be authenticated, are the WIN-911 Mobile Module and the WIN-911 Mobile apps.
B.1 WIN-911 Mobile Gateway Account
When you purchase or demo WIN-911 Mobile, you will be provided with an Azure AD account belonging to our win911mobile.com tenant. This is the WIN-911 Mobile Gateway account, which is used by the WIN-911 Mobile Module to access the WIN-911 Mobile Web API. When you receive the credentials for this account, you will need to change its temporary password before using it with WIN-911. You can do this by signing in to http://login.microsoftonline.com.
Once the WIN-911 Mobile Module is connected to the Mobile Web API, you can begin adding Mobile app users to the WIN-911 configuration.
B.2 WIN-911 Mobile App Accounts
Mobile app accounts differ from Mobile Module accounts in that they're owned by the users of the app. Rather than receiving a win911mobile.com Azure AD account, users must create their own Microsoft account. In some cases, the user may already have a Microsoft account, for example, if they're using their work email, which is tied to an Office 365 account.
We leverage Azure B2C (business-to-consumer) to extend access to the Mobile Web API to users invited to consume resources on our Azure tenant. You can learn more about Azure B2C through Microsoft's official documentation.
When adding mobile app users in the WIN-911 Workspace, an email address must be entered for each user. Azure AD will send an invitation to the specified email address to create a Microsoft account. If the email entered already belongs to a Microsoft account, e.g. an Office 365 account, the user will instead receive a prompt to authorize access to the WIN-911 Mobile Web API.
Before the WIN-911 Mobile Module or Mobile apps can access the Mobile Web API, they must first authenticate with Azure AD. Once authenticated, a token is returned, which the Module and apps then present to execute methods on the Mobile Web API. The WIN-911 Mobile apps follow the same process, which is illustrated below.
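The token step above is where an operator troubleshooting a Module or app that cannot reach the Web API usually has to look. The following is an added example, not WIN-911 or Microsoft code: it assumes only that the token Azure AD returns is a JWT (three base64url segments), which is the format Azure AD issues, and shows the claims a relying party checks before trusting such a token for a Web API call. The token is built locally with a throwaway HMAC key so the checks have something to run against; the expected issuer and audience are parameters because the page does not state them, and signature verification against the identity provider's published keys is left to the Web API.

```python
"""Inspect the claims of a bearer token before trusting it for a Web API call.

Added example (not WIN-911 or Microsoft code). The sample token is constructed
here with a demo HMAC key; in a real deployment the token comes from Azure AD.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict, key: bytes = b"constructed-demo-key") -> str:
    """Build a signed JWT from constructed claims (HS256, demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def decode_claims(token: str) -> dict:
    """Return the claims segment without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_problems(claims: dict, expected_audience: str, expected_issuer: str,
                   now: Optional[float] = None, skew: int = 300) -> list:
    """List the reasons a token should not be trusted for a call to the Web API.

    expected_issuer / expected_audience are whatever the Web API registration
    publishes; they are parameters here because the page does not state them.
    A small clock skew (seconds) is tolerated on exp/nbf.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if aud != expected_audience and not (isinstance(aud, list) and expected_audience in aud):
        problems.append(f"audience mismatch: {aud!r}")
    if "exp" not in claims or claims["exp"] + skew < now:
        problems.append("token expired")
    if claims.get("nbf", 0) - skew > now:
        problems.append("token not yet valid")
    return problems


if __name__ == "__main__":
    ISS = "https://login.microsoftonline.com/<tenant-id>/v2.0"  # placeholder tenant
    AUD = "api://<win-911-mobile-web-api>"                       # placeholder audience
    issued = int(time.time())
    good = make_sample_token({"iss": ISS, "aud": AUD, "iat": issued,
                              "nbf": issued, "exp": issued + 3600})
    print("good token:", token_problems(decode_claims(good), AUD, ISS) or "no problems")
    stale = make_sample_token({"iss": ISS, "aud": AUD, "exp": issued - 7200})
    print("stale token:", token_problems(decode_claims(stale), AUD, ISS))
```

An empty list from `token_problems` means the token is at least addressed to the right audience, issued by the expected provider and inside its validity window; a non-empty list names the first thing to fix (an expired or wrong-tenant token is the usual cause of a Module that authenticated but still cannot call the Web API).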
C. Network Architecture
Two deployment options are available when setting up WIN-911 Mobile on your network: Standalone or Distributed.
A Standalone configuration requires internet access on your WIN-911 system, which is typically installed on a process network, while a Distributed deployment does not. A Distributed deployment makes use of the WIN-911 Mobile Hub, a separate application that internet traffic can be routed through, much like a proxy server, adding a layer of separation from the internet. The Mobile Hub can be installed on a separate network layer from the WIN-911 installation, for example, the DMZ or the business network.
All network traffic, regardless of the deployment, is outbound-initiated, which means you can communicate with the WIN-911 Mobile Web API and Azure AD without opening an inbound port on your firewall or making intrusive changes to your corporate network infrastructure.
The following tables detail the network connections for each deployment.
Standalone Deployment

| Source | Destination | Protocol | Port | Host |
|---|---|---|---|---|
| WIN-911 Mobile Runtime | Azure Active Directory | HTTPS | 443 | login.microsoftonline.com |
| WIN-911 Mobile Runtime | WIN-911 Web API | HTTPS | 443 | |
| WIN-911 Mobile Runtime | Azure WCF Relay | TCP w/TLS | 5671/9352 | win911mobileproductionrelay.servicebus.windows.net |

Distributed with Hub Deployment

| Source | Destination | Protocol | Port | Host |
|---|---|---|---|---|
| WIN-911 Mobile Runtime | WIN-911 Mobile Hub | TCP | 59111 (default) | NA |
| WIN-911 Mobile Hub | Azure Active Directory | HTTPS | 443 | login.microsoftonline.com |
| WIN-911 Mobile Hub | Web API | HTTPS | 443 | |
| WIN-911 Mobile Hub | Azure WCF Relay | TCP w/TLS | 5671/9352 | win911mobileproductionrelay.servicebus.windows.net |
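The connection table is what a firewall administrator turns into an egress allowlist, and what an installer verifies from the WIN-911 host (or the Hub host) before enabling the module. The following is an added example, not WIN-911's own tooling: it transcribes the table into data, derives the minimal outbound allowlist for a given deployment mode and source host, and runs a plain TCP connect test against each destination. The Web API hostname is not given in the table, so it is a labelled placeholder to be filled from the vendor documentation, and `hub_host` stands for whatever address you give the Mobile Hub in your DMZ or business network.

```python
"""Egress allowlist and connectivity check for a WIN-911 Mobile deployment.

Added example (not WIN-911 code). The connection data below is transcribed
from the network architecture tables; hostnames the tables do not give are
placeholders.
"""
import socket
from dataclasses import dataclass

AAD_HOST = "login.microsoftonline.com"
RELAY_HOST = "win911mobileproductionrelay.servicebus.windows.net"
WEB_API_HOST = "<win-911-mobile-web-api-host>"  # placeholder: not listed in the table
HUB_HOST = "hub_host"                            # placeholder: your Mobile Hub address


@dataclass(frozen=True)
class Egress:
    source: str
    destination: str
    protocol: str
    host: str
    port: int


# One row per port where the table lists two (5671/9352 for the WCF Relay).
STANDALONE = [
    Egress("WIN-911 Mobile Runtime", "Azure Active Directory", "HTTPS", AAD_HOST, 443),
    Egress("WIN-911 Mobile Runtime", "WIN-911 Web API", "HTTPS", WEB_API_HOST, 443),
    Egress("WIN-911 Mobile Runtime", "Azure WCF Relay", "TCP w/TLS", RELAY_HOST, 5671),
    Egress("WIN-911 Mobile Runtime", "Azure WCF Relay", "TCP w/TLS", RELAY_HOST, 9352),
]

DISTRIBUTED = [
    # The only connection the process-network host makes is the internal hop to the Hub.
    Egress("WIN-911 Mobile Runtime", "WIN-911 Mobile Hub", "TCP", HUB_HOST, 59111),
    Egress("WIN-911 Mobile Hub", "Azure Active Directory", "HTTPS", AAD_HOST, 443),
    Egress("WIN-911 Mobile Hub", "Web API", "HTTPS", WEB_API_HOST, 443),
    Egress("WIN-911 Mobile Hub", "Azure WCF Relay", "TCP w/TLS", RELAY_HOST, 5671),
    Egress("WIN-911 Mobile Hub", "Azure WCF Relay", "TCP w/TLS", RELAY_HOST, 9352),
]


def required_egress(mode: str, source: str) -> list:
    """Outbound connections the given host must be allowed to make.

    In a distributed deployment the WIN-911 system itself only needs to reach
    the Hub; every internet-bound connection is made by the Hub.
    """
    table = {"standalone": STANDALONE, "distributed": DISTRIBUTED}[mode]
    return [e for e in table if e.source == source]


def internet_destinations(mode: str, source: str) -> set:
    """Host/port pairs that must be permitted through the perimeter firewall."""
    return {(e.host, e.port) for e in required_egress(mode, source) if e.host != HUB_HOST}


def check_egress(rules: list, timeout: float = 3.0) -> dict:
    """Live TCP connect test per rule; run it from the WIN-911 or Hub host itself."""
    results = {}
    for rule in rules:
        if rule.host.startswith("<") or rule.host == HUB_HOST:
            results[rule] = "skipped (placeholder host)"
            continue
        try:
            with socket.create_connection((rule.host, rule.port), timeout=timeout):
                results[rule] = "ok"
        except OSError as exc:
            results[rule] = f"blocked or unreachable: {exc}"
    return results


if __name__ == "__main__":
    for mode, source in [("standalone", "WIN-911 Mobile Runtime"),
                         ("distributed", "WIN-911 Mobile Runtime"),
                         ("distributed", "WIN-911 Mobile Hub")]:
        print(f"== {mode}: {source}")
        for rule, status in check_egress(required_egress(mode, source)).items():
            print(f"  {rule.destination:24s} {rule.host}:{rule.port:<5d} {status}")
```

Because every connection is outbound-initiated, a perimeter rule set built from `internet_destinations` needs no inbound openings; in the distributed case the process-network firewall only has to permit TCP 59111 (or whatever port you configure) from the WIN-911 host to the Hub, and all internet rules attach to the Hub.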