AirWatch PoC Technical Architecture

PDFTables.
com
This
asthe
well
as the This
with document,
the terms of
license.
AirWatch
PoC
Technical
Architecture
A
guide
for
selecting
an
PoC
software
described
in
it,
is furnished
document should not be AirWatch
reproduced,
Evaluation
Architecture
2013
AirWatch,
LLC.
All
Rights
under license.
The information
in this
stored
or transmitted
in any form,
Reserved.
manual
may
only
be
used
in
exceptproduct
as permitted
by the license
Other
and company
names or
accordance
by
referenced
in this document are
the express and/or
permission
of AirWatch,
trademarks
registered
LLC.
trademarks of their respective
companies.
AirWatch PoC
Technical
Architecture
Copyright
2013
AirWatch,
LLC. All |
v.2013.06
|
June
2013
rights reserved. Proprietary &
Confidential.
Overview..........................................
Option
1: Pure
Table
of
........................................................
Cloud................................................
Option
2:Contents
Integrated
...................................
2 Cloud
........................................................
Cloud
...............................................
Integrated Cloud AirWatch
...........
4
........................................................
Connector ........................................
Integrated
Cloud No
..
6
........................................................
DMZ
................................................
Integrated Cloud DMZ
.........................
........................................................
Relay
...............................................
Integrated
Cloud 8
Reverse
.............................................
11
........................................................
Proxy
...............................................
..........................................
14
........................................................
Option 3: On-Premise Single Server
....................................
17
Deployment
.....................................
Option 4: On-Premise
Multiple
Server
.................................
20
Deployment
.....................................
Appendix
.........................................
............................. 23
........................................................
..................................
26
AirWatch
PoC
Technical
Architecture
Copyright
2012
AirWatch,
LLC. All |
v.2013.06
| June Proprietary
2013
rights
reserved.
&
Confidential.
Page 1 of 29
Overview
The AirWatch Enterprise Mobility Management (EMM) software can be deployed throug
premise options to meet an organizations security requirements and IT strategy. This
supported configurations and help determine the ideal AirWatch architecture for a suc
The below diagram displays four deployment options including both cloud and on-prem
Cloud On Premise
Benefits
Fastest implementation with minimal client effort
No significant investment in technology or services
Minimal or no network changes required
Automatic software updates
Considerations
Integration with corporate
resources
Security / datacenter requirements
Option 1: Cloud
Option 2: Integrated Cloud
All devices and admin users point
All components in the cloud.
to AirWatchs cloud for device
Lightweight integration
management. No software
component installed on-premise
installed onsite
for backend integration
Ideal for...
Ideal for...
Rapid Deployment
Cloud clients requiring
No corporate infrastructure
enterprise integration for
required
o
Page 1
PDFTables.com
Does not integrate with
corporate resources
o
o
o
Pages 4-5
*Note POC fees may apply for On-Premise Deployment
AirWatch PoC Technical Architecture | v.2013.06 | June 2013
Copyright 2012 AirWatch, LLC. All rights reserved. Proprietary & Confidential.
Page 2 of 29
The remainder of this document defines the requirements for the architecture options
a deployment option from the descriptions
above, review
the following
Architecture
Diagram
high levelitems for the d
1.
design of all level
dataflow.
Prerequisite
Checklist
complete list
2.
of all software
and hardware
preparations
required.
Network Requirements a listing of
3.
any port and firewall requirements.
AirWatch PoC Technical Architecture | v.2013.06
Copyright 2012 AirWatch, LLC. All rights reser
Optionconfigurations
1: Pure Cloud are best suited for clients who want to minimize effort
Cloud
and lead
times for
evaluatingcan
thebe
software.
This
evaluation
architecture
setup in minutes but typically does not
offer
integration
backend resources
due
to
client
security with
requirements.
Integration
can easily be added later by
installing the AirWatch Cloud Connector and /or
Mobile Access Gateway (see Option 2: Integrated Cloud).
Architecture Diagram
Cloud Integration (Optional)
SAML
Office 365
Google Apps for Business

Prerequisite Checklist
There are no prerequisites necessary for this deployment option.
AirWatch
Technical
Architecture
| v.2013.06
| JuneProprietary
2013
CopyrightPoC
2012
AirWatch,
LLC. All rights
reserved.
&
Confidential.
Page 4 of 29
Network Requirements
Source
Component
Administrators
Page 2
PDFTables.com
/ User Self
2
Service
3
4
5
6
Devices

Page 5 of 29
Option 2: Integrated Cloud

This configuration is recommended for clients who wish to leverage the simplicity of cl
integrate existing backend resources. Connecting to corporate resources is made simp
AirWatch Cloud Connector (ACC), which can be installed on a small VM or physical serv
premise. The AirWatch Mobile Access Gateway (MAG) provides a secure gateway allow
devices to access corporate network resources. The ACC and MAG are not co-dependen
should be considered optional components, however most all MAG deployments includ
AirWatch Integration Options
ACC
Certificates and PKI
Directory Services
Email Infrastructure
SIEM
Content Repositories
++
Corporate Intranet Access
Corporate App Tunnel (App VPN)
+
AirWatchs email attachment encryption feature requires the MAG (SEG component)
++ AirWatchs content repository sync with the Administrative Console requires the AC
Page 6 of 29
Page 3
PDFTables.com
Ideal for...
Integrated Cloud No DMZ

Ideal for...
Clients without a DMZ

infrastructure
Fast implementation
Minimal hardware / software on-site
Integrated Cloud DMZ Relay
Ideal for...
Clients with an existing DMZ

architecture
Limited connections through DMZ
firewall
Pages 11-13
Pages 14-16
Page 7 of 29
Integrated Cloud - AirWatch Cloud
Connector
AirWatch Internal Server Includes:
Cloud
Connector
AirWatch PoC
Technical
Architecture
Copyright
2012
AirWatch,
LLC. All |
v.2013.06
|
June
2013
Confidential.
Page 8 of 29
Source
Hardware
2
Software
4
Firewall
Changes
Service
Accounts
Page 4
PDFTables.com
Page 9 of 29
Source
Component
A
C
AirWatch
Internal Server
D
G
Administrators
/ User Self
Service
H
I
K
L
Devices
Page 5
PDFTables.com

Page 10 of 29
AirWatch Cloud Connector

AirWatch Secure Email Gateway
Mobile
Access
Gateway
AirWatch PoC
Technical
Architecture
Copyright
2012
AirWatch,
LLC. All |
v.2013.06
|
June
2013
Confidential.
Page 11 of 29
Source
Hardware
2
3
Software
DNS
5
6
7
8
9
Certificates
10
Load
Balancer
Firewall
Changes
11
12
Page 6
PDFTables.com
Service
Accounts
13
Page 12 of 29
Source
Component
A
C
AirWatch
Internal Server
D
G
Administrators
/ User Self
Service
H
I
AirWatch SaaS
Page 7
PDFTables.com
K
L
M
Devices
O
Page 13 of 29
AirWatch DMZ Server Includes:
Secure Access
Email Gateway
AirWatch Mobile
Gateway
Relay
Cloud Connector
AirWatch Mobile
Access Gateway
Endpoint
AirWatch PoC
Technical
Architecture
Copyright
2012
AirWatch,
LLC. All |
v.2013.06
| June Proprietary
2013
rights
reserved.
&
Confidential.
Page 14 of 29
Source
Hardware
2
3
4
Software
5
6
7
Page 8
PDFTables.com
8
9
10
DNS
11
Certificates
12
Load
Balancer
Firewall
Changes
13
14
Service
Accounts
15
Page 15 of 29
Source
Component
A
B
AirWatch DMZ
Server
C
D
AirWatch
Internal Server
Page 9
PDFTables.com
G
/ User Self
H
I
AirWatch SaaS
J
K
L
M
Devices
O
Page 16 of 29
Integrated Cloud Reverse Proxy

Mobile
Access
Gateway
AirWatch
Technical
Architecture
CopyrightPoC
2012
AirWatch,
LLC. All |
v.2013.06
| June Proprietary
2013
rights
reserved.
&
Confidential.
Page 17 of 29
Source
Page 10
PDFTables.com
Hardware
2
3
4
Software
5
6
7
8
9
DNS
10
Certificates
11
12
Load
Balancer
Firewall
Changes
13
14
Service
Accounts
15
Page 18 of 29
Source
Component
A
B
AirWatch
Internal Server
Page 11
PDFTables.com
E
Administrators
/ User Self
Service
F
G
AirWatch SaaS
H
I
J
K
Devices
M
Page 19 of 29
Option
3: On-Premise
Single
Deployment
This
configuration
allows
for Server
simplified
installation and maintenance for
smaller deployments,
while
future A single-server deployment
scalability
and flexibility
for allowing
high availability.
allows
for
easy
integration
to
enterprise
services,
as
well
as
simplified
control
and where
validation
the
entire is
commonly deployed in DMZ architectures
the over
entire
solution
environment.
Single
Server
are
installed
on one
physical
or configurations
virtual server. The
use of WAF or TMG solutions are also commonly used to proxy internet
facing endpoints.
Page 12
PDFTables.com
AirWatch Console
AirWatch Device Services
Mobile
Access
Gateway
AirWatch
Technical
Architecture
CopyrightPoC
2012
AirWatch,
LLC. All |
v.2013.06
| June Proprietary
2013
rights
reserved.
&
Confidential.
Page 20 of 29
Source
1
Hardware
2
3
4
5
6
7
8
9
10
11
DNS
12
13
14
Certificates
15
16
Firewall
Changes
17
Load
Balancer
18
Page 13
PDFTables.com
Service
Accounts
19
Page 21 of 29
Source
Component
C
D
E
AirWatch
Internal Server
F
H
I
J
K
Administrators
/ User Self
Service
L
M
Page 14
PDFTables.com
O
Devices
R
Page 22 of 29
Option
4: On-Premise
Multiple
Server Deployment
A multi-server
deployment
is recommended
for organizations managing a
larger number
of devices
those
wanting
to utilize
a DMZ. and/or
In a setup
using a DMZ, any of the AirWatch
components
actively
communicating
with
devices
should be placed
outside
of the organizations
internal
network.
Several
Increased
security
of Access
external-facing
Gateway,
and
Mobile
Gateway,
advantages of this configuration include:
services,
such
as
the
AirWatch
Device
by placing them in the networks
DMZ
Services
component,
Secure
Email
to quarantine incoming traffic
while preventing external visibility to
internal resources.
AirWatch DMZ Server Includes:
AirWatch Device Services
AirWatch Mobile Access Gateway

AirWatch Console Services
Cloud
Connector
AirWatch
Technical
Architecture
CopyrightPoC
2012
AirWatch,
LLC. All |
v.2013.06
| June Proprietary
2013
rights
reserved.
&
Confidential.
Page 23 of 29
Source
Page 15
PDFTables.com
1
Hardware
3
4
5
6
7
8
9
10
11
11
DNS
Certificates
13
Load
Balancer
Firewall
Changes
14
15
Service
Accounts
16
Page 24 of 29
Network Changes
Source
Component
Page 16
PDFTables.com
B
C
D
AirWatch
Internal Server
E
F
G
H
I
J
K
L
M
AirWatch DMZ
Server
N
O
P
Q
R
Administrators
Self Service
Portal
S
T
U
Page 17
PDFTables.com
V
W
Devices
Y
Page 25 of 29
Appendix
The table below lists the required service accounts needed to integrate with backend e
Source
#
1
2
Service
Accounts
Page 18
PDFTables.com
8
9
10
Page 26 of 29
From a device the following has to
Additional Notes
occur for a successful

APNs
connection
to #connection:
NSLookup
courier.push.apple.com on port 5223
Apple
APNs
gateway.push.apple.com
for the
TXT
where
# is the result returned
from
record;
open
the
TXT
record
on
Load balancers are to be configured
with
a round robin
load balancing
SSL offloading
supported
for all
Load
Balancer
mechanism
and
SSL
session If
Load balancers
services
except are
API also
services.
persistence
of 15
minute
sessions
recommended
to
redirect
all HTTP
offloading
SSL,
load
balancer
must
requestssecure
to HTTPS
forward
cookies to and from
the
AirWatch servers.
Public DNS
External
DNS needed for email proxy
server
External DNS
needed
forSSL
AirWatch
Matching
public
trusted
certs for
Device
Services
the public DNS setup for the email
Public
Trusted
SSL
Cert
proxybe
server
and
Device
Services
must
issued
from
a valid
issuing
Server are(e.g.
required.
These
certs
authority
VeriSign,
GeoTrust,
GoDaddy,
A
public IPetc.)
address to access the
Public
IP
AirWatch
email
proxy
A public IP address
to server
accessfrom
the the
Internet
(HTTPS)
AirWatch
Device
Services
from
The AirWatch
servers
can server
be
the
Internet
(HTTPS)
configured
a proxy
/ PAC file for
traffic,
and with
cannot
be proxied
Proxy
outbound
internet access.
Apple
through
traditional
HTTP proxies.
APNs
traffic,
however,
is
not
HTTP
This traffic must go straight out
to
the
internet,
or
through
an
If using client certificates for email
application/SOCKS
authentication
the proxy.
SEG
server
must in
Kerberos
Delegation
must
be setup
Kerberos
Delegation
be
joined
to
the
same
domain
as
the
AD between
AirWatch SEG and
backend
CAS server
the
CAS server(s).
Inand
addition, valid
SPNs
must
be
set
in
AD
for URLofused
the
URL
used
by
the
public
iOS MDM requires the support
by thePUT
SEGcommands
server.
HTTP
from the iOS
HTTP
PUT
device to the AirWatch MDM server
(Device Services)
AirWatch
PoC
Technical
Architecture
Copyright
2012
AirWatch,
LLC. All |
v.2013.06
|
June
2013
Confidential.
Page 27 of 29
A1 BES Service Account
Page 19
PDFTables.com
BES service account permissions

required
for integration:
Note Topology
and Blackberry
User and DeviceService setup
Administration
permissions
necessary.
AirWatch
PoC
Technical
Architecture
Copyright
not
2012
AirWatch,
LLC. All |
v.2013.06
| June Proprietary
2013
rights
reserved.
&
Confidential.
Page 28 of 29
Page 20
PDFTables.com
be deployed through a variety of cloud or onnd IT strategy. This document will outline each of the
chitecture for a successful PoC evaluation.
h cloud and on-premise architectures.
Benefits
Comply with corporate on-premise security po
Direct integration with corporate systems
Leverage existing infrastructure investments
Physical and virtual environments supported
Considerations
Network firewall changes required
Multiple software and hardware required on-p
Option 3: Single Server
On-premise deployment with a
single AirWatch server installed in
the DMZ or internal network
mise
LDAP / PKI
Ideal for...
Leveraging existing
infrastructure
On-premise is required
Page 21
PDFTables.com
Exchange
Content repositories
Etc...
Page 8-19
Enterprise integration
Page 20-22
Confidential.
rchitecture options described above. After choosing

wing items for the desired deployment choice:
Architecture
Prerequisite
Diagram
Checklist
tecture | v.2013.06 | June 2013
LLC. All rights reserved. Proprietary & Confidential.
Source
Host
Destination
Component
{ADMIN_IP}
AirWatch SaaS
Page 22
PDFTables.com
Apple iTunes
{ADMIN_IP}
Cloud
{ADMIN_IP}
{ADMIN_IP}
{Device_IP}
Google Play
Store
Virtual Earth
(GPS Maps)
Apple APNs
Cloud
{Device_IP}
Apple iTunes
Cloud
Android C2DM
Cloud
{Device_IP}
AirWatch SaaS
{Device_IP}
Confidential.
the simplicity of cloud deployments but still

urces is made simple with the
VM or physical server oncure gateway allowing
re not co-dependent and
deployments include ACC.
MAG
SEG component)
sole requires the ACC.
Confidential.
Page 23
PDFTables.com
Pages 8-10
Integrated Cloud Reverse Proxy
Ideal For...
Clients with an existing reverse
proxy
or WAF architecture
Page 17-19
Confidential.
Title
Windows OS
.NET Framework 3.5
&4
Description / Purpose
Windows Server
Minimum specification:
- 1 CPU core ( > 2.0 GHz)
- 2GB
GBDisk
RAMSpace (if logging is being
-1
done 5 GB)
Client
may
to generate internal
(physical
orneed
virtual)
A
windows
update
required
for
certs
for the
trafficis
between
the
Windows
Server
2008 R2to update
.NET
4
after
installation
external
additional
internet interface for the EAS traffic
software
components.
and the Reverse
Proxy, F5, SEG, and
Internal Certs (Trust)
CAS
servers. Details to be determined by
the Client architect team.
AirWatch Internal
Server
Client Firewall Rules

Enterprise Service
Accounts
(Optional)
If implementing enterprise services,

See
Below
Firewallwill
Change
services
accounts
need Requests
to be
created and
given specific permissions to allow
integration. See Appendix.
Page 24
PDFTables.com
Confidential.
Source Host
{InternalServer_IP}
{InternalServer_IP}
{InternalServer_IP}
{InternalServer_IP}
Destination
Component
Client EAS/CAS
Server(s)
Domain
Controller
Enterprise
Services
(Optional)
Certificate
Authority
(Optional)
{InternalServer_IP}
AirWatch SaaS
{ADMIN_IP}
AirWatch SaaS
{ADMIN_IP}
Apple iTunes
{ADMIN_IP}
{ADMIN_IP}
{Device_IP}
{Device_IP}
{Device_IP}
Google Play
Store
Virtual Earth
(GPS Maps)
Apple APNs
Cloud
Apple iTunes
Cloud
Android C2DM
Cloud
Page 25
PDFTables.com
{Device_IP}
AirWatch SaaS
Confidential.
Title
AirWatch Internal
Server
Windows OS
IIS 7 Server
.NET Framework 3.5
&4
Microsoft Messaging
Queue (MSMQ)
Java
External URL
Internal CAS URL
Windows Server
- 4 GB RAM
(physical or virtual)
Windows
2008
R2 additional
IIS
ServerServer
must
also
A windows
update
is have
required
for
role services
installed. to update
.NET
4 after installation
additional
software components.
Load Balancer Setup

(Optional)
Enabled on all AirWatch servers.

Installed
on MAG
server.
External URL
URL
(DNS
Record)
resolving
Internal
to
relay
Exchange
Client
may
need
to
generate
internal
to
the
internal
AirWatch
server
ActiveSync
traffic
from
the
AirWatch
Public
trusted
SSL Certificate
to
certs for
the traffic
between the
server
match
the
External
DNS
for
the
external
AirWatch
SEG/EIS for the EAS traffic
internet
interface
If
installing
the SEG/MAG behind a
server.
and
the Reverse
Proxy, client
F5, SEG,
network
load balancer,
willand
CAS
need to setup
servers.
Details
to be determined by
load balancer
configuration.
the
Client
architect
team.
Persistence should be
set on the SSL
session for 15
minutes. See Appendix for more
details.
See Below Firewall Change Requests
Public SSL Certificate
Page 26

PDFTables.com
Enterprise Service
Accounts
(Optional)
services accounts will need to be

created and
Confidential.
Source Host
{InternalServer_IP}
{InternalServer_IP}
{InternalServer_IP}
{InternalServer_IP}
Destination
Component
Client EAS/CAS
Server(s)
Domain
Controller
Enterprise
Services
(Optional)
Certificate
Authority
(Optional)
{InternalServer_IP}
AirWatch SaaS
{ADMIN_IP}
AirWatch SaaS
{ADMIN_IP}
Apple iTunes
{ADMIN_IP}
{ADMIN_IP}
See IP list
here
Google Play
Store
Virtual Earth
(GPS Maps)
AirWatch
Server
Page 27
PDFTables.com
{Device_IP}
Apple APNs
Cloud
{Device_IP}
Apple iTunes
Cloud
Android C2DM
Cloud
{Device_IP}
AirWatch SaaS
{Device_IP}
AirWatch
Internal Server
{Device_IP}
Confidential.
Title
AirWatch DMZ
Server
Windows OS
IIS 7 Server
.NET Framework 3.5
&4
Microsoft Messaging
Queue (MSMQ)
Java
AirWatch Software
Windows Server
- 4 GB RAM
Windows
2008
R2 additional
IIS
ServerServer
must
also
A windows
update
is have
required
for
role
services
installed.
.NET 4 after installation to update
additional
Installed on
MAG server.
Available
through
the administrative
console.
Page 28
PDFTables.com
External URL
Internal CAS URL
Internal URL
(AirWatch DMZ)

Load Balancer Setup
(Optional)
Enterprise Service
Accounts
(Optional)
External URL (DNS Record) resolving

to
the AirWatch
DMZ traffic
server from the
Internal
URL to relay
Client
may
need
to
generate
internal
AirWatch
SEG/EIS.
Internal
URL
(DNS
resolving
Public
trusted
SSL Record)
Certificate
to
certs for
the traffic
between the
to the AirWatch
Internal
server
match
the
External
DNS
for
the
external
AirWatch
DMZ
internet
interface
for the behind
EAS traffic
If
installing
the SEG/MAG
a
server.
Required
if
using
SEG
/ MAG
and
the
Reverse
Proxy,
F5,
SEG,
and
network load balancer, client will
CAS
need to setup
servers.
Details
to be determined by
load balancer
configuration.
the
Client
architect
team.
Persistence should be
set on the SSL
session for 15
minutes. See Appendix for more
details.
See
Below
Firewallwill
Change
services
accounts
need Requests
to be
created and
Confidential.
Source Host
{DMZ_Server_IP}
{DMZ_Server_IP}
{DMZ_Server_IP}
Destination
Component
Client EAS/CAS
Server(s)
AirWatch
Internal Server
AirWatch SaaS
Internal
{InternalServer_IP}
Network
{InternalServer_IP}
AirWatch DMZ
Server
{ADMIN_IP}
AirWatch SaaS
Page 29
PDFTables.com
Apple iTunes
{ADMIN_IP}
Cloud
{ADMIN_IP}
{ADMIN_IP}
See IP list
here
{Device_IP}
Google Play
Store
Virtual Earth
(GPS Maps)
AirWatch DMZ
Server
Apple APNs
Cloud
{Device_IP}
Apple iTunes
Cloud
Android C2DM
Cloud
{Device_IP}
AirWatch SaaS
{Device_IP}
AirWatch DMZ
Server
{Device_IP}
Confidential.
Title
Windows Server
Page 30
PDFTables.com
AirWatch Internal
Server
Windows OS
IIS 7 Server
.NET Framework 3.5
&4
Microsoft Messaging
Queue (MSMQ)
Java
AirWatch Software
External URL
Internal CAS URL
- 4 GB RAM
Windows
2008
R2 additional
IIS
ServerServer
must
also
A windows
update
is have
required
for
role
services
installed.
additional

Installed
on MAG.to Client during
Will
be provided
install.
External URL
URL to
(DNS
Record)
resolving
Internal
relay
Exchange
Client
may
need Internal
to generate
internal
to
the
AirWatch
server
ActiveSync
traffic
from
the
AirWatch
Public
trusted
SSL Certificate
to
certs for
the traffic
between the
server the External DNS for the
match
external
AirWatch
Internal for the EAS traffic
internet interface
server
and theaddress
Reverse Proxy, F5, SEG, and

MAG SSL Cert
CAS
If installing AirWatch behind a
servers.
to be determined
network Details
load balancer,
client will by
the
Client
architect
team.
The
SSL certificate
must be
needMAG
to setup
load
installed
on
the
reverse
proxy.
balancer configuration. Persistence
Load Balancer Setup

(Optional)
should be set on the SSL session for

15 minutes.
See Appendix for more details.

Enterprise Service
Accounts
(Optional)

See
Below
Firewallwill
Change
services
accounts
need Requests
to be
created and
Confidential.
Source Host
{InternalServer_IP}
{InternalServer_IP}
Destination
Component
Client EAS/CAS
Server(s)
(Optional)
Enterprise
Services
(Optional)
{InternalServer_IP}
AirWatch SaaS
Page 31
PDFTables.com
{ADMIN_IP}
AirWatch SaaS
{ADMIN_IP}
Apple iTunes
{ADMIN_IP}
{ADMIN_IP}
See IP list
here
{Device_IP}
Google Play
Store
Virtual Earth
(GPS Maps)
AirWatch
Internal Server
Apple APNs
Cloud
{Device_IP}
Apple iTunes
Cloud
Android C2DM
Cloud
{Device_IP}
AirWatch SaaS
{Device_IP}
AirWatch
Internal Server
{Device_IP}
Confidential.
Page 32
PDFTables.com
Title
AirWatch Internal
Server
Reverse Proxy Server

Optional
Windows OS
SQL Server
SQL Server Reporting
Services
IIS 7 Server
.NET Framework 3.5
&4
Microsoft Messaging
Queue (MSMQ)
Java
External Public URL
Internal CAS URL
(optional)
Internal DC URL
(optional)
Internal CA Host
(optional)

MAG SSL Cert
Load Balancer Setup
(Optional)
Description
/ Purpose
Windows
Server
to install the
AirWatch Server Software
-6
GB RAM
Client
may choose an existing server
~100
to useGB
forDrive
the reverse proxy or install
(physical
or virtual)
a
dedicated server that meets their
specifications
Microsoft SQL Server 2008 (2008 R2
Windows Server2008
R2 on
Recommended)
Required
Database SQL
server
Microsoft
Server Reporting
Services 2008 (2008 R2
Recommended)
IIS
Server must
also
additional
A windows
update
is have
required
for
role
services
installed.
additional
Enabled
all(DNS
AirWatch
servers.
External on
URL
Record)
for
Installed
on
MAG
server.
AirWatch Server public internet
facing
(https://company.mdm.com)
Internal URL to relay traffic from the
AirWatch
SEG to
the ActiveSync
Client
Internal
Domain
(AD) DNSCAS
to
server.
use to connect from the AirWatch
server to the
AD for authenticating users
Client may need to generate internal
Internal
hostname
and CA issuing
Public
trusted
SSL Certificate
to
certs for
the traffic
between the
name
of
the
CA
or
SCEP
endpoint.
match
the
External
DNS
for
the
external
AirWatch
SEG/EIS for the EAS traffic
internet interface
server.
(If
applicable)
and the Reverse
Proxy, F5, SEG, and
CAS
servers. Details to be determined by
the Client
architect
team.
The
MAG SSL
certificate
must be
installed on the reverse proxy.
need to setup load
See
Below
Firewall Change
Requests
balancer
configuration.
Persistence
15 minutes.
Page 33

PDFTables.com
Enterprise Service
Accounts
(Optional)
services accounts will need to be

created and
Confidential.
Source Host
Destination
Component
{InternalServer_IP}
Internal
Network
{InternalServer_IP}
{InternalServer_IP}
{InternalServer_IP}
{InternalServer_IP}
{InternalServer_IP}
{InternalServer_IP}
{InternalServer_IP}
{InternalServer_IP}
{InternalServer_IP}
{InternalServer_IP}
{ADMIN_IP}
{ADMIN_IP}
Apple APNs
Cloud
Apple iTunes
Cloud
Google Play
Store
Android C2DM
Cloud
CellTrusts SMS
Gateyway
(optional)
AirWatch
Certificate
Portal
SSL Signing
Cert CRL
SQL Server
SQL Server
Reporting Svc
AW
Autodiscovery
Server
AirWatch
Internal Server
Virtual Earth
Page 34
PDFTables.com
(GPS Maps
Apple APNs
{Device_IP}
Cloud
{Device_IP}
{Device_IP}
Apple iTunes
Cloud
Android C2DM
Cloud
AirWatch
{Device_IP}
Server
{Device_IP}
AirWatch
Autodiscovery
Server
Confidential.
Title
AirWatch Internal
Description
/ Purpose
Windows
Server
to install the
AirWatch Server Software
Page 35
PDFTables.com
Server
(Internal)
AirWatch DMZ
Server
Windows OS
SQL Server
SQL Server Reporting
Services
IIS 7 Server
.NET Framework 3.5
&4
Microsoft Messaging
Queue (MSMQ)
Java
External URL
Internal CAS URL
Internal URL
(AirWatch DMZ)
SSL Certificate
(AirWatch Internal)
Load Balancer Setup
(Optional)
Enterprise Service
Accounts
(Optional)
-6 GB RAM
~100 GB Drive
(physical Server
or virtual)
Windows
to install Enterprise
Integration Software
- 4 GB RAM
(physical
virtual)
Microsoft or
SQL
Server 2008 (2008 R2
Windows
Server
R2 on
Recommended) 2008
Required
Database
server
Microsoft SQL
Server Reporting
Services 2008 (2008 R2
Recommended)
IIS
Server must
also
additional
A windows
update
is have
required
for
role services
installed. to update
.NET
4 after installation
additional
Installed
on MAG
server.
External URL
(DNS
Record) resolving
to the AirWatch
DMZ traffic
server from the
Internal
URL to relay
AirWatch
SEG(DNS
server.
Internal
URL
resolving
Public
trusted
SSL Record)
Certificate
to
to
the
AirWatch
Internal
server
match the External DNS for the
AirWatch DMZ
server.
SSL
to match the Internal
needcertificate
to setup load
URL
for
the
AirWatch
Internal
server.
balancer configuration.
Persistence
15 minutes.
See
Below
Firewallwill
Change
services
accounts
need Requests
to be
created and
Confidential.
Source Host
Destination
Component
{InternalServer_IP}
Internal
Page 36
PDFTables.com
{InternalServer_IP}
Network
SQL Server
SQL Server
Reporting Sync
Apple APNs
Cloud
Apple iTunes
Cloud
Google Play
Store
{InternalServer_IP}
Google Cloud
{InternalServer_IP}
{InternalServer_IP}
{InternalServer_IP}
{InternalServer_IP}
{InternalServer_IP}
{InternalServer_IP}
{InternalServer_IP}
{DMZ_Server_IP}
(SEG only)
{DMZ_Server_IP}
{DMZ_Server_IP}
{DMZ_Server_IP}
{DMZ_Server_IP}
{DMZ_Server_IP}
{DMZ_Server_IP}
{ADMIN_IP}
{ADMIN_IP}
{USER_IP}
{Device_IP}
Messaging
CellTrust SMS
AW DMZ
Server
AirWatch
autodiscovery
Server
Client CAS
Server(s)
Apple APNs
Cloud
Google Cloud
Messaging
SSL Cert CRL
AirWatch
Internal Server
SQL Server
AirWatch
autodiscovery
Server
Virtual Earth
(GPS Maps)
AirWatch
Internal Server
AirWatch DMZ
Server
Apple APNs
Cloud
Page 37
PDFTables.com
{Device_IP}
{Device_IP}
Apple iTunes
Cloud
Android C2DM
Cloud
AirWatch
{Device_IP}
Server
{Device_IP}
AirWatch
autodiscovery
Server
Confidential.
rate with backend enterprise services.

Title
SQL Service Account
LDAP Binding
Account
Enterprise
Integration Service
Account
Certificate Authority
Service Account
PowerShell Service
Account
SQL service account to install the

Description
/service
Purpose
AirWatch
database.
Client LDAP
account to
Requires the System
authenticate
binding Administrator
requests into
Permission.
the
Client LDAP
directory
for all users
the
desired
If
implementing
SCEP, in
CA,
BES,
OU.AirWatch
Exchange
2010
PowerShell
orwill
SMTP
An
service
account
need
authentication.
to be created
and assigned
to This
the
Enterprise
Integration
Server.
AirWatchrequires the Remote Services
account
Permission
in AirWatch.
AirWatch
Enterprise Integration
Service
Guide
Client
CA
service account to issue and
revoke certificates
from the on
CA.the
Requires
these permissions
CA:
Issue and Manage Certificates
Request Certificates
Requires these permissions on the
Certificate Template:
Read
Enroll
AirWatch Certificate
Managment
Exchange
2010 and Office
365
permissions:
Organization Client Access
Recipients
Mail
Recipient
Policies (only if
deploying Windows Phone Devices)
Page 38
PDFTables.com
BES Service Account

SharePoint Service
Account
Installation Admin
Rights
SMTP
SCCM
AirWatch PowerShell Email

Account with read rights to the
Configuration
Guide
AirWatch
BES Integration
content repository
to viewGuide
and index
Service
Account
permissions
can be
content.
found
in Appendix
A1. permission
The
Browse
Directories
An account
to
run the AirWatch
must
be enabled
on SharePoint.
software
installation
with
AirWatch
SharePoint
administrative rights Integration
on
Guide
the AirWatch servers and SA
permissions on the database to setup
maintenance
scripts.
SMTP account to relay emails from
the system
AirWatch SCCM Integration Guide
Confidential.
Page 39
PDFTables.com
Page 40
PDFTables.com
premise security polices

porate systems
ucture investments
nments supported
required
dware required on-premise
Option 4: Multi Server
On-premise deployment with
multiple servers in the DMZ and
internal network for multi-tier
firewall architectures
Ideal for...
Multi-tier networks
Resources not available to DMZ
Special security policy
Page 41
PDFTables.com
compliance
Server scalability via tier 1-3
deployments
Page 23-25
Network
Requirements
Page 3 of 29
Destination Host
Destination IP
any
*for a list of IP
*.airwatchportals.com
*.awmdm.com
ranges of AW
Datacenters click
here
itunes.apple.com
ax.itunes.apple.com
Page 42
PDFTables.com
*.mzstatic.com
any
*.phobos.apple.com
*phobos.apple.com.edges
uite.net
play.google.com
any
*.virtualearth.net
#-courier.push.apple.com
any
phobos.apple.com
oscp.apple.com
ax.itunes.apple.com
mtalk.google.com
17.0.0.0/8
any
any
any
*for a list of IP
*.awmdm
ranges of AW
Datacenters click
here
Page 43
PDFTables.com
Integrated Cloud AW Cloud Connector

Yes
No
Page 44
PDFTables.com
Destination Host
Destination IP
{InternalURL_CAS}
{InternalIP_CAS}
{InternalURL_DC}
{InternalIP_DC}
{InternalURL_ES}
{InternalIP_ES}
{InternalURL_CA}
{InternalIP_CA}
*.awmdm.com
any
*for a list of IP
ranges of AW
Datacenters click
here
any
*for a list of IP
*.awmdm.com
ranges of AW
Datacenters click
here
*.itunes.apple.com
*.mzstatic.com
*.phobos.apple.com
uite.net
any
play.google.com
any
*.virtualearth.net
any
17.0.0.0/8
phobos.apple.com
oscp.apple.com
ax.itunes.apple.com
any
mtalk.google.com
any
Page 45
PDFTables.com
any
*for a list of IP
*.awmdm.com
ranges of AW
Datacenters click
here

Yes
No
Page 46
PDFTables.com
Destination Host
Destination IP
{InternalURL_CAS}
{InternalIP_CAS}
{InternalURL_DC}
{InternalIP_DC}
{InternalURL_ES}
{InternalIP_ES}
{InternalURL_CA}
{InternalIP_CA}
*.awmdm.com
any
*for a list of IP
ranges of AW
Datacenters click
here
any
*for a list of IP
*.awmdm.com
ranges of AW
Datacenters click
here
*.itunes.apple.com
*.mzstatic.com
*.phobos.apple.com
uite.net
any
play.google.com
any
*.virtualearth.net
any
AW Public URL
AW Public IP
Page 47
PDFTables.com
17.0.0.0/8
phobos.apple.com
oscp.apple.com
ax.itunes.apple.com
any
mtalk.google.com
any
any
*for a list of IP
*.awmdm.com
ranges of AW
Datacenters click
here
AW Public URL
AW Public IP

Yes
No
Page 48
PDFTables.com
Destination Host
Destination IP
{InternalURL_CAS}
{InternalIP_CAS}
{InternalURL_AWInternal}
{InternalIP_AWInt
ernal}
any
*for a list of IP
ranges of AW
Datacenters click
here
*.awmdm.com
{InternalURL_DC}
{Internal_BES}
{Internal_ADCS}
{InternalIP_IP}
{Internal_SMTP}
{Internal_SharePoint}
{InternalURL_CA}
AW Public URL
AW Public IP
any
*for a list of IP
*.awmdm.com
ranges of AW
Datacenters click
Page 49
PDFTables.com
here
itunes.apple.com
ax.itunes.apple.com
*.mzstatic.com
any
*.phobos.apple.com
uite.net
play.google.com
any
*.virtualearth.net
any
AW Public URL
AW Public IP
phobos.apple.com
oscp.apple.com
ax.itunes.apple.com
mtalk.google.com
17.0.0.0/8
any
any
any
*for a list of IP
*.awmdm.com
ranges of AW
Datacenters click
here
AW Public URL
AW Public IP
Cloud with Integration DMZ Reverse Proxy

Yes
No
Page 50
PDFTables.com
Destination Host
Destination IP
{InternalURL_CAS}
{InternalIP_CAS}
{InternalURL_DC}
{Internal_BES}
{Internal_ADCS}
{InternalIP_IP}
{Internal_SMTP}
{InternalURL_CA}
any
*for a list of IP
ranges of AW
Page 51
PDFTables.com
*.awmdm.com
Datacenters click
here
any
*for a list of IP
*.awmdm.com
ranges of AW
Datacenters click
here
*.itunes.apple.com
*.mzstatic.com
*.phobos.apple.com
uite.net
any
play.google.com
any
*.virtualearth.net
any
AW Public URL
AW Public IP
phobos.apple.com
oscp.apple.com
ax.itunes.apple.com
mtalk.google.com
17.0.0.0/8
any
any
any
*for a list of IP
*.awmdm.com
ranges of AW
Datacenters click
here
AW Public URL
AW Public IP
Page 52
PDFTables.com
On-Premise Single Server

Yes
No
Page 53
PDFTables.com
Destination Host
Destination IP
{InternalURL_DC}
{Internal_CAS}
Internal_BES}
{Internal_IPs}
{Internal_ADCS}
{Internal_SMTP}
gateway.push.apple.co
m
feedback.push.apple.co
m
*.itunes.apple.com
*.phobos.apple.com
play.google.com
android.googleapis.com
android.apis.google.com
www.google.com
google.com
gateway.celltrust.net
17.0.0.0/8
any
any
any
162.42.205.0/24
Ex.ocsp.verisign.com
any
*for a list of IP
ranges of AW
Datacenters click
here
TBD
{SQLServer_Name}
{SSRS_Name}
{SQLServer_IP}
{SSRS_IP}
discovery.awmdm.com
209.208.230.100
{InternalServer}
{InternalServer_IP}
*.virtualearth.net
any
awcp.air-watch.com
Page 54
PDFTables.com
#courier.push.apple.com
17.0.0.0/8
gateway.push.apple.co
m
phobos.apple.com
oscp.apple.com
ax.itunes.apple.com
any
mtalk.google.com
any
AW Public URL
AW Public IP
discovery.awmdm.com
209.208.230.100
On-Premise Multi Server

Yes
No
Page 55
PDFTables.com
Destination Host
Destination IP
{InternalURL_DC}
{Internal_CAS}
Internal_BES}
{Internal_IPs}
Page 56
PDFTables.com
{Internal_ADCS}
{Internal_SMTP}
{SQLServer_Name}
{SQLServer_IP}
{SQLServer_Name}
feedback.push.apple.com
*.itunes.apple.com
*.phobos.apple.com
{SQLServer_IP}
17.0.0.0/8
play.google.com
www.google.com
google.com
gateway.celltrust.net
{DMZServer_Name}
any
discovery.awmdm.com
209.208.230.100
{InternalURL_EAS}
{InternalIP_EAS}
17.0.0.0/8
www.google.com
google.com
TBD
{InternalServer_URL}
any
any
162.42.205.0/2-4
{DMZServer_IP}
any
any
{InternalServer_IP}
{SQLServer_Name}
{SQLServer_IP}
discovery.awmdm.com
209.208.230.100
*.virtualearth.net
any
{InternalServer_URL}
{InternalServer_IP}
{DMZ_Server_URL}
{DMZ_Server_IP}
17.0.0.0/8
Page 57
PDFTables.com
phobos.apple.com
oscp.apple.com
ax.itunes.apple.com
any
mtalk.google.com
any
{DMZ_Server_URL}
Public IP
discovery.awmdm.com
209.208.230.100
Service Accounts
Yes
No
Page 58
PDFTables.com
Page 59
PDFTables.com
Page 60
PDFTables.com
Page 61
PDFTables.com
Protocol
Port
HTTP/HTTPS
80/443
Page 62
PDFTables.com
HTTP/HTTPS
80/443
HTTP/HTTPS
80/443
HTTP/HTTPS
80/443
TCP
HTTP/HTTPS
5223
80/443
TCP
HTTP/HTTPS
5228
80/443
Page 63
PDFTables.com
N/A
Page 64
PDFTables.com
Protocol
Integrated Cloud AW Cloud Connector

Port
HTTP/HTTPS
LDAP/LDAPS
80,443
389,
636,
3268,
3269
80,443
HTTP/HTTPS
/SMTP
DCOM
, 25,
465
135,
10255000,
4915265535
HTTPS
443
HTTP/HTTPS
80/443
HTTP/HTTPS
80/443
HTTP/HTTPS
80/443
HTTP/HTTPS
80/443
TCP
HTTP/HTTPS
5223
80/443
TCP
5228
Page 65
PDFTables.com
HTTP/HTTPS
80/443
N/A
Page 66
PDFTables.com
Protocol
Port
HTTP/HTTPS
LDAP/LDAPS
80,443
389,
636,
3268,
3269
80,443
HTTP/HTTPS
/SMTP
DCOM
, 25,
465
135,
10255000,
4915265535
HTTPS
443
HTTP/HTTPS
80/443
HTTP/HTTPS
80/443
HTTP/HTTPS
80/443
HTTP/HTTPS
80/443
HTTPS
443
Page 67
PDFTables.com
TCP
HTTP/HTTPS
5223
80/443
TCP
5228
HTTP/HTTPS
80/443
HTTPS
443
2010
2020
N/A
Page 68
PDFTables.com
Protocol
Port
HTTP/HTTPS
80,443
HTTP/HTTPS
443
2010
HTTPS
DCOM
HTTPS
LDAP/LDAPS
SMTP
443
389,636,
3268,
3269,
135,443,
25
HTTPS
HTTP/HTTPS
443
80/443
Page 69
PDFTables.com
HTTP/HTTPS
80/443
HTTP/HTTPS
80/443
HTTP/HTTPS
80/443
HTTPS
443
TCP
HTTP/HTTPS
5223
80/443
TCP
5228
HTTP/HTTPS
80/443
HTTPS
443
2010
2020
N/A
Page 70
PDFTables.com
Protocol
Port
HTTP/HTTPS
80,443
DCOM
HTTPS
389,636
3268,
3269,
LDAP/LDAPS
/SMTP
135,443,
25
HTTPS
443
Page 71
PDFTables.com
HTTP/HTTPS
80/443
HTTP/HTTPS
80/443
HTTP/HTTPS
80/443
HTTP/HTTPS
80/443
HTTPS
443
TCP
HTTP/HTTPS
5223
80/443
TCP
5228
HTTP/HTTPS
80/443
HTTPS
443
2010
2020
Page 72
PDFTables.com
N/A
Page 73
PDFTables.com
Protocol
Port
DCOM
HTTPS
389,636,
3268,
3269,
LDAP/LDAPS
SMTP
135,
443, 25,
465
TCP
2195,
HTTP/HTTPS
2196
80,443
HTTP/HTTPS
80,443
HTTPS
443
HTTPS
443
HTTPS
443
HTTP
80
TCP
HTTP
1433
80
HTTPS
443
HTTP/HTTPS
80,443
HTTP/HTTPS
80,443
Page 74
PDFTables.com
TCP
5223
HTTP/HTTPS
80,443
TCP
5228
80,443,
2001,
HTTP/HTTPS
2010,
2020
HTTPS
443
N/A
Page 75
PDFTables.com
Protocol
Port
DCOM
HTTPS
389,63
6,
3268,
3269,
Page 76
PDFTables.com
LDAP/LDAPS
SMTP
TCP
HTTP/HTTPS
TCP
135,
443,
25,
465
1433
80,443
2195,
2196
HTTP/HTTPS
80,443
HTTP/HTTPS
80,443
TCP
HTTPS
TCP
443
443
443,
2001
HTTPS
443
HTTPS
443
TCP
2195,
2196
TCP
HTTP
HTTPS
443
80
443,
2010
1433
TCP
HTTPS
443
HTTP/HTTPS
80,443
HTTP/HTTPS
80,443
HTTP/HTTPS
80,443
TCP
5223
Page 77
PDFTables.com
HTTP/HTTPS
80,443
TCP
5228
80,
443,
HTTP/HTTPS
2001,
2010,
2020
HTTPS
443
N/A
Page 78
PDFTables.com
Page 79
PDFTables.com
Page 80
PDFTables.com
Page 81
PDFTables.com
Ref
Diagram
Yes
Page 82
PDFTables.com
N/S
N/S
N/S
2
3
4
Page 83
PDFTables.com
Page 84
PDFTables.com
Connector
Ref
Diagram
Yes
1
N/S
N/S
N/S
6
7
8
Page 85
PDFTables.com
Page 86
PDFTables.com

Yes
Ref
Diagram
1
N/S
N/S
N/S
6
Page 87
PDFTables.com
7
8
9
10
11
Page 88
PDFTables.com

Ref
Diagram
Yes
1
2
Page 89
PDFTables.com
N/S
N/S
N/S
7
8
9
10
11
12
Page 90
PDFTables.com
Integrated Cloud DMZ Reverse Proxy

Ref
Yes
Diagram
1
Page 91
PDFTables.com
N/S
N/S
N/S
5
6
7
8
10
Page 92
PDFTables.com
Page 93
PDFTables.com
On-Premise Single Server

Yes
Ref
Diagram
3
N4S
N/S
N/S
N/S
6
7
8
9
N/S
Page 94
PDFTables.com
10
11
12
13
14
Page 95
PDFTables.com
On-Premise Multi Server

Yes
Ref
Diagram
Page 96
PDFTables.com
2
2
3
4
5
N/S
N/S
6
7
8
9
10
N/S
11
2
17
N/S
12
N/S
13
Page 97
PDFTables.com
14
15
16
18
Page 98
PDFTables.com
Page 99
PDFTables.com
Page 100
PDFTables.com
Page 101
PDFTables.com
Pure Cloud
No
N/A
Page 102
PDFTables.com
Page 103
PDFTables.com
Page 104
PDFTables.com
No
N/A
Page 105
PDFTables.com
Page 106
PDFTables.com
No
N/A
Page 107
PDFTables.com
Page 108
PDFTables.com
No
N/A
Page 109
PDFTables.com
Page 110
PDFTables.com
No
N/A
Page 111
PDFTables.com
Page 112
PDFTables.com
Page 113
PDFTables.com
No
N/A
Page 114
PDFTables.com
Page 115
PDFTables.com
No
N/A
Page 116
PDFTables.com
Page 117
PDFTables.com
Page 118
PDFTables.com
Page 119
PDFTables.com
Page 120

AirWatch PoC Technical Architecture

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

AirWatch PoC Technical Architecture

Încărcat de

Drepturi de autor:

Formate disponibile

PDFTables.

Google Apps for Business

AirWatch PoC Technical Architecture | v.2013.06 | June 2013

Option 2: Integrated Cloud

Integrated Cloud No DMZ

Clients without a DMZ

Clients with an existing DMZ

AirWatch PoC Technical Architecture | v.2013.06 | June 2013

AirWatch Cloud Connector

AirWatch Internal Server Includes:

AirWatch Cloud Connector

AirWatch Device Services

AirWatch Secure Email Gateway

AirWatch Mobile Access Gateway

AirWatch Console Services

occur for a successful

A1 BES Service Account

BES service account permissions

rchitecture options described above. After choosing

the simplicity of cloud deployments but still

Internal Certs (Trust)

Client Firewall Rules

If implementing enterprise services,

Load Balancer Setup

Enabled on all AirWatch servers.

Client Firewall Rules

See Below Firewall Change Requests

Public SSL Certificate

Internal Certs (Trust)

If implementing enterprise services,

services accounts will need to be

Internal Certs (Trust)

External URL (DNS Record) resolving

Public SSL Certificate

Enabled on all AirWatch servers.

Internal Certs (Trust)

Load Balancer Setup

should be set on the SSL session for

Client Firewall Rules

If implementing enterprise services,

Reverse Proxy Server

Internal Certs (Trust)

If implementing enterprise services,

services accounts will need to be

rate with backend enterprise services.

SQL service account to install the

BES Service Account

AirWatch PowerShell Email

premise security polices

Integrated Cloud AW Cloud Connector

Integrated Cloud No DMZ

Integrated Cloud DMZ Relay

Cloud with Integration DMZ Reverse Proxy

On-Premise Single Server

On-Premise Multi Server

Integrated Cloud AW Cloud Connector

Integrated Cloud No DMZ

Integrated Cloud DMZ Relay

Integrated Cloud DMZ Reverse Proxy

On-Premise Single Server

On-Premise Multi Server

S-ar putea să vă placă și