AirWatch PoC Technical Architecture
A guide for selecting an AirWatch PoC Evaluation Architecture

2013 AirWatch, LLC. All Rights Reserved.

The information in this document, as well as the software described in it, is furnished under license. This document should not be reproduced, stored or transmitted in any form, except as permitted by the license or by the express permission of AirWatch, LLC. The manual may only be used in accordance with the terms of the license. Other product and company names referenced in this document are trademarks and/or registered trademarks of their respective companies.

AirWatch PoC Technical Architecture | v.2013.06 | June 2013
Copyright 2013 AirWatch, LLC. All rights reserved. Proprietary & Confidential.
Table of Contents

Overview ............................................................ 2
Option 1: Pure Cloud ................................................ 4
Option 2: Integrated Cloud .......................................... 6
    Integrated Cloud AirWatch Cloud Connector ....................... 8
    Integrated Cloud No DMZ ........................................ 11
    Integrated Cloud DMZ Relay ..................................... 14
    Integrated Cloud Reverse Proxy ................................. 17
Option 3: On-Premise Single Server Deployment ..................... 20
Option 4: On-Premise Multiple Server Deployment ................... 23
Appendix ........................................................... 26
Overview

The AirWatch Enterprise Mobility Management (EMM) software can be deployed through a variety of cloud or on-premise options to meet an organization's security requirements and IT strategy. This document will outline each of the supported configurations and help determine the ideal AirWatch architecture for a successful PoC evaluation.

The below diagram displays four deployment options including both cloud and on-premise architectures.

Cloud

Benefits
- Fastest implementation with minimal client effort
- No significant investment in technology or services
- Minimal or no network changes required
- Automatic software updates

Considerations
- Integration with corporate resources
- Security / datacenter requirements

Option 1: Cloud
All devices and admin users point to AirWatch's cloud for device management. No software installed onsite.
Ideal for...
- Rapid Deployment
- No corporate infrastructure required
- Does not integrate with corporate resources
(Pages 4-5)

Option 2: Integrated Cloud
All components in the cloud. Lightweight integration component installed on-premise for backend integration.
Ideal for...
- Cloud clients requiring enterprise integration for:
  - LDAP / PKI
  - Exchange
  - Content repositories
  - Etc...
(Page 8-19)

*Note POC fees may apply for On-Premise Deployment
The remainder of this document defines the requirements for the architecture options. Once a deployment option has been selected from the descriptions above, review the following items:

1. Architecture Diagram - a high-level design of all dataflow.
2. Prerequisite Checklist - a complete list of all software and hardware preparations required.
3. Network Requirements - a listing of any port and firewall requirements.
Option 1: Pure Cloud

Pure Cloud configurations are best suited for clients who want to minimize effort and lead times for evaluating the software. This evaluation architecture can be set up in minutes but typically does not offer integration with backend resources due to client security requirements. Integration can easily be added later by installing the AirWatch Cloud Connector and/or Mobile Access Gateway (see Option 2: Integrated Cloud).
Architecture Diagram

[Figure: Pure Cloud architecture diagram. Elements shown: Administrators / User Self Service; Devices; Cloud Integration (Optional): SAML, Office 365; Directory Services; Email Infrastructure; SIEM; Content Repositories++; Corporate Intranet Access; Corporate App Tunnel (App VPN); numbered dataflows 2-6.]

+ AirWatch's email attachment encryption feature requires the MAG (SEG component).
++ AirWatch's content repository sync with the Administrative Console requires the ACC.
Integrated Cloud DMZ Relay
Ideal for...
- Fast implementation
- Minimal hardware / software on-site

Integrated Cloud AirWatch Cloud Connector
Ideal for... (list not recovered by extraction)
Prerequisite Checklist

[Table; only the row categories and item numbers survived extraction: Hardware (item 2), Software (item 4), Firewall Changes, Service Accounts.]
Network Requirements

[Table; only the Source Component column and row letters survived extraction: AirWatch Internal Server (rows A, C, D, G); Administrators / User Self Service (rows H, I, K, L); Devices.]
Prerequisite Checklist

[Table; only the row categories and item numbers survived extraction: Hardware (items 2, 3), Software (items 5-9, including DNS), Certificates (item 10), Load Balancer, Firewall Changes (items 11, 12), Service Accounts (item 13).]
Network Requirements

[Table; only the Source Component column and row letters survived extraction: AirWatch Internal Server (rows A, C, D, G); Administrators / User Self Service (rows H, I); AirWatch SaaS; Devices (rows K, L, M, O).]
Integrated Cloud DMZ Relay

Architecture Diagram

[Figure. AirWatch DMZ Server includes: Secure Email Gateway; AirWatch Mobile Access Gateway Relay. Also shown: Cloud Connector; AirWatch Mobile Access Gateway Endpoint.]
Prerequisite Checklist

[Table; only the row categories and item numbers survived extraction: Hardware (items 2-4), Software (items 5-10), DNS (item 11), Certificates (item 12), Load Balancer, Firewall Changes (items 13, 14), Service Accounts (item 15).]
Network Requirements

[Table; only the Source Component column and row letters survived extraction: AirWatch DMZ Server (rows A, B); AirWatch Internal Server (rows C, D); Administrators / User Self Service (rows G, H, I); AirWatch SaaS (row J); Devices (rows K, L, M, O).]
Integrated Cloud Reverse Proxy

Architecture Diagram

[Figure. AirWatch Internal Server includes: (component list not recovered by extraction).]

Prerequisite Checklist

[Table; only the row categories and item numbers survived extraction: Hardware (items 2-4), Software (items 5-9), DNS (item 10), Certificates (items 11, 12), Load Balancer, Firewall Changes (items 13, 14), Service Accounts (item 15).]
Network Requirements

[Table; only the Source Component column and row letters survived extraction: AirWatch Internal Server (rows A, B); Administrators / User Self Service (rows E, F, G); AirWatch SaaS (rows H, I, J, K); Devices (row M).]
Option 3: On-Premise Single Server Deployment

This configuration allows for simplified installation and maintenance for smaller deployments, while allowing future scalability and flexibility for high availability. A single-server deployment allows for easy integration to enterprise services, as well as simplified control and validation over the entire solution environment. Single Server configurations are commonly deployed in DMZ architectures where the entire solution is installed on one physical or virtual server. WAF or TMG solutions are also commonly used to proxy internet-facing endpoints.
Architecture Diagram

[Figure. AirWatch Internal Server includes: AirWatch Console; AirWatch Device Services; AirWatch Secure Email Gateway; Mobile Access Gateway.]
Prerequisite Checklist

[Table; only the row categories and item numbers survived extraction: item 1; Hardware (items 2-11); DNS (items 12-14); Certificates (items 15, 16); Firewall Changes (item 17); Load Balancer (item 18); Service Accounts (item 19).]
Network Requirements

[Table; only the Source Component column and row letters survived extraction: AirWatch Internal Server (rows C, D, E, F, H, I, J, K); Administrators / User Self Service (rows L, M); Devices (rows O, R).]
Option 4: On-Premise Multiple Server Deployment

A multi-server deployment is recommended for organizations managing a larger number of devices and/or those wanting to utilize a DMZ. In a setup using a DMZ, any of the AirWatch components actively communicating with devices should be placed outside of the organization's internal network. Several advantages of this configuration include:

- Increased security of external-facing services, such as the AirWatch Device Services component, Secure Email Gateway, and Mobile Access Gateway, by placing them in the network's DMZ to quarantine incoming traffic while preventing external visibility to internal resources.
Architecture Diagram

[Figure. AirWatch DMZ Server includes: Cloud Connector (remaining components not recovered by extraction).]
Prerequisite Checklist

[Table; only the row categories and item numbers survived extraction: item 1; Hardware (items 3-11); DNS (item 11); Certificates (item 13); Load Balancer; Firewall Changes (items 14, 15); Service Accounts (item 16).]
Network Changes

[Table; only the Source Component column and row letters survived extraction: AirWatch Internal Server (rows B-M); AirWatch DMZ Server (rows N-R); Administrators / Self Service Portal (rows S-W); Devices (row Y).]
Appendix

The table below lists the required service accounts needed to integrate with backend e... (sentence cut off in the source)

[Service Accounts table; only the row numbers 1, 2, 8, 9, 10 survived extraction.]
Additional Notes

From a device the following has to ... (sentence cut off in the source)
On Premise

Benefits
- Comply with corporate on-premise security policies
- Direct integration with corporate systems
- Leverage existing infrastructure investments
- Physical and virtual environments supported

Considerations
- Network firewall changes required
- Multiple software and hardware required on-premise

Option 3: Single Server
On-premise deployment with a single AirWatch server installed in the DMZ or internal network.
Ideal for...
- Leveraging existing infrastructure
- On-premise is required
(Page 20-22)
Network Requirements (Source Host -> Destination Component; sources are administrators and devices only):
- {ADMIN_IP} -> AirWatch SaaS
- {ADMIN_IP} -> Apple iTunes Cloud
- {ADMIN_IP} -> Google Play Store
- {ADMIN_IP} -> Virtual Earth (GPS Maps)
- {Device_IP} -> Apple APNs Cloud
- {Device_IP} -> Apple iTunes Cloud
- {Device_IP} -> Android C2DM Cloud
- {Device_IP} -> AirWatch SaaS

Integrated Cloud AirWatch Cloud Connector
(Pages 8-10)

Integrated Cloud Reverse Proxy
Ideal For...
- Clients with an existing reverse proxy or WAF architecture
(Page 17-19)
Prerequisite Checklist items (Title - Description / Purpose):
- Windows Server - Minimum specification: 1 CPU core (> 2.0 GHz); 2 GB RAM; 1 GB disk space (5 GB if logging is being done); physical or virtual.
- Windows OS - Windows Server 2008 R2.
- .NET Framework 3.5 & 4 - A Windows update is required to update .NET 4 after installation of additional software components.
- Certificates - Client may need to generate internal certs for the traffic between the additional external internet interface for the EAS traffic and the Reverse Proxy, F5, SEG, and CAS servers. Details to be determined by the Client architect team.

Source Component: AirWatch Internal Server
Source Host -> Destination Component:
- {InternalServer_IP} -> Client EAS/CAS Server(s)
- {InternalServer_IP} -> Domain Controller
- {InternalServer_IP} -> Enterprise Services (Optional)
- {InternalServer_IP} -> Certificate Authority (Optional)
- {InternalServer_IP} -> AirWatch SaaS
- {ADMIN_IP} -> AirWatch SaaS
- {ADMIN_IP} -> Apple iTunes
- {ADMIN_IP} -> Google Play Store
- {ADMIN_IP} -> Virtual Earth (GPS Maps)
- {Device_IP} -> Apple APNs Cloud
- {Device_IP} -> Apple iTunes Cloud
- {Device_IP} -> Android C2DM Cloud
- {Device_IP} -> AirWatch SaaS
Prerequisite Checklist items for the AirWatch Internal Server (Title - Description / Purpose):
- Windows Server - Minimum specification: 2 CPU core (> 2.0 GHz); 4 GB RAM; physical or virtual.
- Windows OS - Windows Server 2008 R2.
- IIS 7 Server - IIS Server must also have additional role services installed.
- .NET Framework 3.5 & 4 - A Windows update is required to update .NET 4 after installation of additional software components.
- Microsoft Messaging Queue (MSMQ), Java, External URL, Internal CAS URL - descriptions not recovered by extraction.
Source Host -> Destination Component:
- {InternalServer_IP} -> Client EAS/CAS Server(s)
- {InternalServer_IP} -> Domain Controller
- {InternalServer_IP} -> Enterprise Services (Optional)
- {InternalServer_IP} -> Certificate Authority (Optional)
- {InternalServer_IP} -> AirWatch SaaS
- {ADMIN_IP} -> AirWatch SaaS
- {ADMIN_IP} -> Apple iTunes
- {ADMIN_IP} -> Google Play Store
- {ADMIN_IP} -> Virtual Earth (GPS Maps)
- {ADMIN_IP} -> AirWatch Server (Destination IP: see IP list)
- {Device_IP} -> Apple APNs Cloud
- {Device_IP} -> Apple iTunes Cloud
- {Device_IP} -> Android C2DM Cloud
- {Device_IP} -> AirWatch SaaS
- {Device_IP} -> AirWatch Internal Server
Prerequisite Checklist items for the AirWatch DMZ Server (Title - Description / Purpose):
- Windows Server - Minimum specification: 2 CPU core (> 2.0 GHz); 4 GB RAM; physical or virtual.
- Windows OS - Windows Server 2008 R2.
- IIS 7 Server - IIS Server must also have additional role services installed.
- .NET Framework 3.5 & 4 - A Windows update is required to update .NET 4 after installation of additional software components.
- Microsoft Messaging Queue (MSMQ) - Enabled on all AirWatch servers.
- Java - Installed on MAG server.
- AirWatch Software - Available through the administrative console.
- External URL, Internal CAS URL, Internal URL, Public SSL Certificate (AirWatch DMZ) - descriptions not recovered by extraction.
Source Host -> Destination Component:
- {DMZ_Server_IP} -> Client EAS/CAS Server(s)
- {DMZ_Server_IP} -> AirWatch Internal Server
- {DMZ_Server_IP} -> AirWatch SaaS
- {InternalServer_IP} -> Internal Network
- {InternalServer_IP} -> AirWatch DMZ Server
- {ADMIN_IP} -> AirWatch SaaS
- {ADMIN_IP} -> Apple iTunes Cloud
- {ADMIN_IP} -> Google Play Store
- {ADMIN_IP} -> Virtual Earth (GPS Maps)
- {ADMIN_IP} -> AirWatch DMZ Server (Destination IP: see IP list)
- {Device_IP} -> Apple APNs Cloud
- {Device_IP} -> Apple iTunes Cloud
- {Device_IP} -> Android C2DM Cloud
- {Device_IP} -> AirWatch SaaS
- {Device_IP} -> AirWatch DMZ Server
Prerequisite Checklist items for the AirWatch Internal Server (Title - Description / Purpose):
- Windows Server - Minimum specification: 2 CPU core (> 2.0 GHz); 4 GB RAM; physical or virtual.
- Windows OS - Windows Server 2008 R2.
- IIS 7 Server - IIS Server must also have additional role services installed.
- .NET Framework 3.5 & 4 - A Windows update is required to update .NET 4 after installation of additional software components.
- Microsoft Messaging Queue (MSMQ), Java, AirWatch Software, External URL, Internal CAS URL - descriptions not recovered by extraction.
- Certificates - Client may need to generate internal certs for the traffic between the external internet interface for the EAS traffic and the Reverse Proxy, F5, SEG, and CAS servers. Details to be determined by the Client architect team. The MAG SSL certificate must be installed on the reverse proxy.
- Load Balancer - If installing AirWatch behind a network load balancer, client will need to set up load balancer configuration. Persistence should be set on the SSL session.
Source Host -> Destination Component:
- {InternalServer_IP} -> Client EAS/CAS Server(s) (Optional)
- {InternalServer_IP} -> Enterprise Services (Optional)
- {InternalServer_IP} -> AirWatch SaaS
- {ADMIN_IP} -> AirWatch SaaS
- {ADMIN_IP} -> Apple iTunes
- {ADMIN_IP} -> Google Play Store
- {ADMIN_IP} -> Virtual Earth (GPS Maps)
- {ADMIN_IP} -> AirWatch Internal Server (Destination IP: see IP list)
- {Device_IP} -> Apple APNs Cloud
- {Device_IP} -> Apple iTunes Cloud
- {Device_IP} -> Android C2DM Cloud
- {Device_IP} -> AirWatch SaaS
- {Device_IP} -> AirWatch Internal Server
Prerequisite Checklist items for the AirWatch Internal Server (Title - Description / Purpose):
- Windows Server to install the AirWatch Server Software - Minimum specification: 2 CPU core (> 2.0 GHz); 6 GB RAM; ~100 GB drive; physical or virtual. Client may choose an existing server to use for the reverse proxy or install a dedicated server that meets their specifications.
- Windows OS - Windows Server 2008 R2.
- SQL Server - Microsoft SQL Server 2008 (2008 R2 Recommended) on the required database server.
- SQL Server Reporting Services - Microsoft SQL Server Reporting Services 2008 (2008 R2 Recommended).
- IIS 7 Server - IIS Server must also have additional role services installed.
- .NET Framework 3.5 & 4 - A Windows update is required to update .NET 4 after installation of additional software components.
- Microsoft Messaging Queue (MSMQ) - Enabled on all AirWatch servers.
- Java - Installed on MAG server.
- External URL (DNS Record) - For the AirWatch Server public internet-facing interface (https://company.mdm.com).
- Internal CAS URL - Internal URL to relay traffic from the AirWatch SEG to the ActiveSync CAS server.
- Internal Domain (AD) DNS - Client internal domain DNS to use to connect from the AirWatch server to the AD for authenticating users.
- Certificates - Internal hostname and CA issuing name of the CA or SCEP endpoint (if applicable). Public trusted SSL Certificate to match the External DNS for the external AirWatch server. Client may need to generate internal certs for the traffic between the external internet interface (AirWatch SEG/EIS for the EAS traffic) and the Reverse Proxy, F5, SEG, and CAS servers. Details to be determined by the Client architect team. The MAG SSL certificate must be installed on the reverse proxy.
- Load Balancer - If installing AirWatch behind a network load balancer, client will need to set up load balancer configuration. Persistence should be set on the SSL session for 15 minutes. See Appendix for more details.
- Firewall Change Requests - See Below.
Source Host -> Destination Component:
- {InternalServer_IP} -> Internal Network
- {InternalServer_IP} -> Apple APNs Cloud
- {InternalServer_IP} -> Apple iTunes Cloud
- {InternalServer_IP} -> Google Play Store
- {InternalServer_IP} -> Android C2DM Cloud
- {InternalServer_IP} -> CellTrust SMS Gateway (optional)
- {InternalServer_IP} -> AirWatch Certificate Portal
- {InternalServer_IP} -> SSL Signing Cert CRL
- {InternalServer_IP} -> SQL Server
- {InternalServer_IP} -> SQL Server Reporting Svc
- {InternalServer_IP} -> AW Autodiscovery Server
- {ADMIN_IP} -> AirWatch Internal Server
- {ADMIN_IP} -> Virtual Earth (GPS Maps)
- {Device_IP} -> Apple APNs Cloud
- {Device_IP} -> Apple iTunes Cloud
- {Device_IP} -> Android C2DM Cloud
- {Device_IP} -> AirWatch Server
- {Device_IP} -> AirWatch Autodiscovery Server
Prerequisite Checklist items (Title - Description / Purpose):

AirWatch Internal Server (Internal)
- Windows Server to install the AirWatch Server Software - Minimum specification: 2 CPU core (> 2.0 GHz); 6 GB RAM; ~100 GB drive; physical or virtual.
- Windows OS - Windows Server 2008 R2.
- SQL Server - Microsoft SQL Server 2008 (2008 R2 Recommended) on the required database server.
- SQL Server Reporting Services - Microsoft SQL Server Reporting Services 2008 (2008 R2 Recommended).
- IIS 7 Server - IIS Server must also have additional role services installed.
- .NET Framework 3.5 & 4 - A Windows update is required to update .NET 4 after installation of additional software components.
- Microsoft Messaging Queue (MSMQ) - Enabled on all AirWatch servers.
- Java - Installed on MAG server.
- External URL (DNS Record) - Resolving to the AirWatch DMZ server.
- Internal CAS URL - Internal URL to relay traffic from the AirWatch SEG to the CAS server.
- Internal URL (DNS Record) - Resolving to the AirWatch Internal server.
- Public SSL Certificate (AirWatch DMZ) - Public trusted SSL Certificate to match the External DNS for the AirWatch DMZ server.
- SSL Certificate (AirWatch Internal) - SSL certificate to match the Internal URL for the AirWatch Internal server.
- Load Balancer Setup (Optional) - If installing AirWatch behind a network load balancer, client will need to set up load balancer configuration. Persistence should be set on the SSL session for 15 minutes. See Appendix for more details.
- Client Firewall Rules - See Below Firewall Change Requests.
- Enterprise Service Accounts (Optional) - If implementing enterprise services, service accounts will need to be created and given specific permissions to allow integration. See Appendix.

AirWatch DMZ Server
- Windows Server to install Enterprise Integration Software - Minimum specification: 2 CPU core (> 2.0 GHz); 4 GB RAM; physical or virtual.
Source Host -> Destination Component:
- {InternalServer_IP} -> Internal Network
- {InternalServer_IP} -> SQL Server
- {InternalServer_IP} -> SQL Server Reporting Svc
- {InternalServer_IP} -> Apple APNs Cloud
- {InternalServer_IP} -> Apple iTunes Cloud
- {InternalServer_IP} -> Google Play Store
- {InternalServer_IP} -> Google Cloud Messaging
- {InternalServer_IP} -> CellTrust SMS
- {InternalServer_IP} -> AW DMZ Server
- {InternalServer_IP} -> AirWatch autodiscovery Server
- {DMZ_Server_IP} (SEG only) -> Client CAS Server(s)
- {DMZ_Server_IP} -> Apple APNs Cloud
- {DMZ_Server_IP} -> Google Cloud Messaging
- {DMZ_Server_IP} -> SSL Cert CRL
- {DMZ_Server_IP} -> AirWatch Internal Server
- {DMZ_Server_IP} -> SQL Server
- {DMZ_Server_IP} -> AirWatch autodiscovery Server
- {ADMIN_IP} -> Virtual Earth (GPS Maps)
- {ADMIN_IP} -> AirWatch Internal Server
- {USER_IP} -> AirWatch DMZ Server
- {Device_IP} -> Apple APNs Cloud
- {Device_IP} -> Apple iTunes Cloud
- {Device_IP} -> Android C2DM Cloud
- {Device_IP} -> AirWatch Server
- {Device_IP} -> AirWatch autodiscovery Server

Service Accounts (Appendix table, Title column):
- Enterprise Integration Service Account
- Certificate Authority Service Account
- PowerShell Service Account
Option 4: Multi Server
On-premise deployment with multiple servers in the DMZ and internal network for multi-tier firewall architectures.
Ideal for...
- Multi-tier networks
- Resources not available to DMZ
- Special security policy compliance
- Server scalability via tier 1-3 deployments
(Page 23-25)
Destination Host - Destination IP:
- *.airwatchportals.com, *.awmdm.com - any (*for a list of IP ranges of AW Datacenters click here)
- itunes.apple.com, ax.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net - any
- play.google.com - any
- *.virtualearth.net - any
- #-courier.push.apple.com, gateway.push.apple.com - 17.0.0.0/8
- phobos.apple.com, oscp.apple.com, ax.itunes.apple.com - any
- mtalk.google.com - any
- *.airwatchportals.com, *.awmdm.com - any (*for a list of IP ranges of AW Datacenters click here)
Destination Host - Destination IP:
- {InternalURL_CAS} - {InternalIP_CAS}
- {InternalURL_DC} - {InternalIP_DC}
- {InternalURL_ES} - {InternalIP_ES}
- {InternalURL_CA} - {InternalIP_CA}
- *.airwatchportals.com, *.awmdm.com - any (*for a list of IP ranges of AW Datacenters click here)
- *.airwatchportals.com, *.awmdm.com - any (*for a list of IP ranges of AW Datacenters click here)
- *.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net - any
- play.google.com - any
- *.virtualearth.net - any
- #-courier.push.apple.com, gateway.push.apple.com - 17.0.0.0/8
- phobos.apple.com, oscp.apple.com, ax.itunes.apple.com - any
- mtalk.google.com - any
- *.airwatchportals.com, *.awmdm.com - any (*for a list of IP ranges of AW Datacenters click here)
Service Accounts: No
Destination Host - Destination IP:
- {InternalURL_CAS} - {InternalIP_CAS}
- {InternalURL_DC} - {InternalIP_DC}
- {InternalURL_ES} - {InternalIP_ES}
- {InternalURL_CA} - {InternalIP_CA}
- *.airwatchportals.com, *.awmdm.com - any (*for a list of IP ranges of AW Datacenters click here)
- *.airwatchportals.com, *.awmdm.com - any (*for a list of IP ranges of AW Datacenters click here)
- *.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net - any
- play.google.com - any
- *.virtualearth.net - any
- AW Public URL - AW Public IP
- #-courier.push.apple.com, gateway.push.apple.com - 17.0.0.0/8
- phobos.apple.com, oscp.apple.com, ax.itunes.apple.com - any
- mtalk.google.com - any
- *.airwatchportals.com, *.awmdm.com - any (*for a list of IP ranges of AW Datacenters click here)
- AW Public URL - AW Public IP
Service Accounts: No
Destination Host - Destination IP:
- {InternalURL_CAS} - {InternalIP_CAS}
- {InternalURL_AWInternal} - {InternalIP_AWInternal}
- *.airwatchportals.com, *.awmdm.com - any (*for a list of IP ranges of AW Datacenters click here)
- {InternalURL_DC}, {Internal_BES}, {Internal_ADCS}, {InternalIP_IP}, {Internal_SMTP}, {Internal_SharePoint}, {InternalURL_CA}
- AW Public URL - AW Public IP
- *.airwatchportals.com, *.awmdm.com - any (*for a list of IP ranges of AW Datacenters click here)
- itunes.apple.com, ax.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net - any
- play.google.com - any
- *.virtualearth.net - any
- AW Public URL - AW Public IP
- #-courier.push.apple.com, gateway.push.apple.com - 17.0.0.0/8
- phobos.apple.com, oscp.apple.com, ax.itunes.apple.com - any
- mtalk.google.com - any
- *.airwatchportals.com, *.awmdm.com - any (*for a list of IP ranges of AW Datacenters click here)
- AW Public URL - AW Public IP
Destination Host - Destination IP:
- {InternalURL_CAS} - {InternalIP_CAS}
- {InternalURL_DC}, {Internal_BES}, {Internal_ADCS}, {InternalIP_IP}, {Internal_SMTP}, {Internal_SharePoint}, {InternalURL_CA}
- *.airwatchportals.com, *.awmdm.com - any (*for a list of IP ranges of AW Datacenters click here)
- *.airwatchportals.com, *.awmdm.com - any (*for a list of IP ranges of AW Datacenters click here)
- *.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net - any
- play.google.com - any
- *.virtualearth.net - any
- AW Public URL - AW Public IP
- #-courier.push.apple.com, gateway.push.apple.com - 17.0.0.0/8
- phobos.apple.com, oscp.apple.com, ax.itunes.apple.com - any
- mtalk.google.com - any
- *.airwatchportals.com, *.awmdm.com - any (*for a list of IP ranges of AW Datacenters click here)
- AW Public URL - AW Public IP
Service Accounts: No
Destination Host - Destination IP:
- {InternalURL_DC}, {Internal_CAS}, {Internal_BES}, {Internal_IPs}, {Internal_ADCS}, {Internal_SMTP}, {Internal_SharePoint} - any
- gateway.push.apple.com, feedback.push.apple.com - 17.0.0.0/8
- *.itunes.apple.com, *.phobos.apple.com - any
- play.google.com - any
- android.googleapis.com, android.apis.google.com, www.google.com, google.com - any
- gateway.celltrust.net - 162.42.205.0/24
- awcp.air-watch.com - *for a list of IP ranges of AW Datacenters click here
- Ex. ocsp.verisign.com - any
- {SQLServer_Name} - {SQLServer_IP}
- {SSRS_Name} - {SSRS_IP}
- discovery.awmdm.com - 209.208.230.100
- {InternalServer} - {InternalServer_IP}
- *.virtualearth.net - any
- #courier.push.apple.com, gateway.push.apple.com - 17.0.0.0/8
- phobos.apple.com, oscp.apple.com, ax.itunes.apple.com - any
- mtalk.google.com - any
- AW Public URL - AW Public IP
- discovery.awmdm.com - 209.208.230.100
- TBD (one destination IP left as TBD in the source)
Service Accounts: No
Destination Host - Destination IP:
- {InternalURL_DC}, {Internal_CAS}, {Internal_BES}, {Internal_IPs}, {Internal_ADCS}, {Internal_SMTP}, {Internal_SharePoint} - any
- {SQLServer_Name} - {SQLServer_IP}
- {SQLServer_Name} - {SQLServer_IP}
- gateway.push.apple.com, feedback.push.apple.com - 17.0.0.0/8
- *.itunes.apple.com, *.phobos.apple.com - any
- play.google.com - any
- android.googleapis.com, android.apis.google.com, www.google.com, google.com - any
- gateway.celltrust.net - 162.42.205.0/24
- {DMZServer_Name} - {DMZServer_IP}
- discovery.awmdm.com - 209.208.230.100
- {InternalURL_EAS} - {InternalIP_EAS}
- gateway.push.apple.com - 17.0.0.0/8
- android.googleapis.com, android.apis.google.com, www.google.com, google.com - any
- TBD - any
- {InternalServer_URL} - {InternalServer_IP}
- {SQLServer_Name} - {SQLServer_IP}
- discovery.awmdm.com - 209.208.230.100
- *.virtualearth.net - any
- {InternalServer_URL} - {InternalServer_IP}
- {DMZ_Server_URL} - {DMZ_Server_IP}
- #-courier.push.apple.com, gateway.push.apple.com - 17.0.0.0/8
- phobos.apple.com, oscp.apple.com, ax.itunes.apple.com - any
- mtalk.google.com - any
- {DMZ_Server_URL} - Public IP
- discovery.awmdm.com - 209.208.230.100
Service Accounts: Yes / No
Protocol - Port (values in table order):
- HTTP/HTTPS - 80/443
- HTTP/HTTPS - 80/443
- HTTP/HTTPS - 80/443
- HTTP/HTTPS - 80/443
- TCP - 5223
- HTTP/HTTPS - 80/443
- TCP - 5228
- HTTP/HTTPS - 80/443
- N/A
Protocol - Port (values in table order):
- HTTP/HTTPS - 80,443
- LDAP/LDAPS - 389, 636, 3268, 3269
- HTTP/HTTPS/SMTP - 80,443, 25, 465; DCOM - 135, 1025-5000, 49152-65535
- HTTPS - 443
- HTTP/HTTPS - 80/443
- HTTP/HTTPS - 80/443
- HTTP/HTTPS - 80/443
- HTTP/HTTPS - 80/443
- TCP - 5223
- HTTP/HTTPS - 80/443
- TCP - 5228
- HTTP/HTTPS - 80/443
- N/A
Protocol - Port (values in table order):
- HTTP/HTTPS - 80,443
- LDAP/LDAPS - 389, 636, 3268, 3269
- HTTP/HTTPS/SMTP - 80,443, 25, 465; DCOM - 135, 1025-5000, 49152-65535
- HTTPS - 443
- HTTP/HTTPS - 80/443
- HTTP/HTTPS - 80/443
- HTTP/HTTPS - 80/443
- HTTP/HTTPS - 80/443
- HTTPS - 443
- TCP - 5223
- HTTP/HTTPS - 80/443
- TCP - 5228
- HTTP/HTTPS - 80/443
- HTTPS - 443, 2010, 2020
- N/A
Protocol - Port (values in table order):
- HTTP/HTTPS - 80,443
- HTTP/HTTPS - 443, 2010
- HTTPS - 443
- DCOM / HTTPS / LDAP/LDAPS / SMTP - 135, 443, 389, 636, 3268, 3269, 25
- HTTPS - 443
- HTTP/HTTPS - 80/443
- HTTP/HTTPS - 80/443
- HTTP/HTTPS - 80/443
- HTTP/HTTPS - 80/443
- HTTPS - 443
- TCP - 5223
- HTTP/HTTPS - 80/443
- TCP - 5228
- HTTP/HTTPS - 80/443
- HTTPS - 443, 2010, 2020
- N/A
Protocol - Port (values in table order):
- HTTP/HTTPS - 80,443
- DCOM / HTTPS / LDAP/LDAPS / SMTP - 135, 443, 389, 636, 3268, 3269, 25
- HTTPS - 443
- HTTP/HTTPS - 80/443
- HTTP/HTTPS - 80/443
- HTTP/HTTPS - 80/443
- HTTP/HTTPS - 80/443
- HTTPS - 443
- TCP - 5223
- HTTP/HTTPS - 80/443
- TCP - 5228
- HTTP/HTTPS - 80/443
- HTTPS - 443, 2010, 2020
- N/A
Protocol - Port (values in table order):
- DCOM / HTTPS / LDAP/LDAPS / SMTP - 135, 443, 389, 636, 3268, 3269, 25, 465
- TCP - 2195, 2196
- HTTP/HTTPS - 80,443
- HTTP/HTTPS - 80,443
- HTTPS - 443
- HTTPS - 443
- HTTPS - 443
- HTTP - 80
- TCP - 1433
- HTTP - 80
- HTTPS - 443
- HTTP/HTTPS - 80,443
- HTTP/HTTPS - 80,443
- TCP - 5223
- HTTP/HTTPS - 80,443
- TCP - 5228
- HTTP/HTTPS - 80,443, 2001, 2010, 2020
- HTTPS - 443
- N/A
Protocol - Port (values in table order):
- DCOM / HTTPS / LDAP/LDAPS / SMTP - 135, 443, 389, 636, 3268, 3269, 25, 465
- TCP - 1433
- HTTP/HTTPS - 80,443
- TCP - 2195, 2196
- HTTP/HTTPS - 80,443
- HTTP/HTTPS - 80,443
- TCP - 443
- HTTPS - 443
- TCP - 443, 2001
- HTTPS - 443
- HTTPS - 443
- TCP - 2195, 2196
- TCP - 443
- HTTP - 80
- HTTPS - 443, 2010
- TCP - 1433
- HTTPS - 443
- HTTP/HTTPS - 80,443
- HTTP/HTTPS - 80,443
- HTTP/HTTPS - 80,443
- TCP - 5223
- HTTP/HTTPS - 80,443
- TCP - 5228
- HTTP/HTTPS - 80, 443, 2001, 2010, 2020
- HTTPS - 443
- N/A
Ref Diagram column values (per table, in order):
- Table 1: Yes; N/S, N/S, N/S, 2, 3, 4
- Table 2 (Cloud Connector): Yes; 1, N/S, N/S, N/S, 6, 7, 8
- Table 3: 1, N/S, N/S, N/S, 6, 7, 8, 9, 10, 11
- Table 4: Yes; 1, 2, N/S, N/S, N/S, 7, 8, 9, 10, 11, 12
- Table 5: N/S, N/S, N/S, 5, 6, 7, 8, 10
- Table 6: 3, N/S, N/S, N/S, N/S, 6, 7, 8, 9, N/S, 10, 11, 12, 13, 14
- Table 7: 2, 2, 3, 4, 5, N/S, N/S, 6, 7, 8, 9, 10, N/S, 11, 2, 17, N/S, 12, N/S, 13, 14, 15, 16, 18
Service Accounts column values: Pure Cloud - No, N/A; each of the remaining seven tables - No, N/A.