Preparing for a successful AirWatch v7.2 implementation
Introduction to the On-Premise Technical Architecture Guide
Overview
The purpose of this guide is to help IT administrators prepare for the deployment of an on-premise AirWatch installation.
This document covers general information about supported AirWatch topologies, various hardware, software and
network requirements, and more. Since every on-premise deployment is unique, this document does not cover
customized network configurations. Please consult with your AirWatch representative to schedule a call to discuss any
particular questions or concerns you have regarding your specific deployment.
In This Guide
• Before You Begin – This section covers topics and prerequisites you should familiarize yourself with so you can get
the most out of using this guide.
• Topology – This section outlines each component and gives a short summary of its role.
• Network Requirements – This section details the network requirements for an on-premise deployment.
• Hardware Requirements – This section details the hardware requirements for an on-premise deployment.
• Software Requirements – This section details the software requirements for an on-premise deployment.
• Appendix A: Components of AirWatch – This section details each component of the AirWatch system.
Before You Begin
In This Section
• Requirements – See a list of requirements you must meet before proceeding with an on-premise deployment.
• Recommended Reading – See a list of additional guides that contain supplemental information.
• Getting Started – See additional considerations you should know before you begin.
Requirements
Please see the appropriate sections for:
• Network Requirements – This section details the network requirements for the AirWatch Console and Device Services
servers that are required for an on-premise deployment. For more information about the on-premise requirements for
ACC, MAG or SEG, refer to the AirWatch On-Premise Pre-installation Guide, which includes a comprehensive set of
requirements.
• Hardware Requirements
• Software Requirements
Recommended Reading
• The AirWatch On-Premise Pre-Installation Checklist – This checklist helps prepare you for your scheduled AirWatch
installation by ensuring all of the server and network requirements are in place.
• The AirWatch High Availability and Disaster Recovery Configuration Guide – This guide details the different
deployment scenarios and associated AirWatch solutions.
• The AirWatch On-Premise Monitoring and Maintenance Guide – This guide outlines the various tools and
recommended guidelines for your system.
• The AirWatch Cloud Connector Guide – This guide provides an overview of the benefits and use cases for ACC
integration and details the installation process for this feature.
• The AirWatch Mobile Access Gateway Admin Guide – This guide details the integration options for the MAG and
how to manage it from the AirWatch Admin Console.
• The AirWatch Secure Email Gateway Configuration Guide – This guide walks you step-by-step through installing the
AirWatch SEG to proxy traffic for your email endpoint. Here you will also learn about the necessary requirements for
the proxy server and recommended configurations.
Topology
Overview
The AirWatch software suite consists of multiple components that work in conjunction to provide a complete mobile
device solution. The sections below outline each component and give a short summary of its role to aid in
understanding the AirWatch architecture.
In This Section
• Required Components – Read more about some of the major components you must have as part of an AirWatch
implementation.
• Optional Components – See some of the optional components you can leverage as part of an AirWatch on-premise
implementation.
Required Components
AirWatch Admin Console
Administrators use the AirWatch Admin Console via web browser to secure, configure, monitor and manage their
corporate device fleet. The Admin Console also contains the AirWatch API, which allows external applications to interact
with the MDM solution; this API provides layered security to restrict access both on an application and user level.
Device Services
Device Services are the components of AirWatch that actively communicate with devices. AirWatch relies on this
component for processing:
• Device enrollment.
• Application provisioning.
• Hosting the AirWatch Self-Service Portal, which device users can access (through a web browser) to monitor and
manage their devices in AirWatch.
SQL Database
AirWatch stores all device and environment data in a Microsoft SQL Server database. Due to the amount of data flowing
in and out of the AirWatch database, proper sizing of the Database server is crucial to a successful deployment.
Additionally, AirWatch utilizes Microsoft SQL Reporting Services to report on data collected by the AirWatch solution.
For more information on the AirWatch Components, see Appendix A.
For more information on additional system configurations, see the AirWatch On-Premise Pre-Installation Checklist
located in the AirWatch ASK knowledge base or consult with your AirWatch representative.
Optional Components
AirWatch Secure Email Gateway
AirWatch offers advanced email management capabilities such as:
• Detection and Remediation of rogue devices connecting to email.
Note: Email attachment control functionality requires the use of the Secure Email Gateway proxy server regardless of
email server type.
Benefits
AWCM replaces GCM and simplifies device management by:
• Removing the need for third party IDs.
• Delivering AirWatch Console commands directly to Android, Symbian, and Windows Mobile devices.
• Enabling the ability for remote control and file management on Android SAFE and Windows Mobile devices.
• Reducing security concerns by eliminating device communication to public endpoints outside of AirWatch.
• Internal websites and web applications using the AirWatch Secure Browser.
Note: All AirWatch topologies support reverse proxies. A reverse proxy can be used to route incoming traffic from
devices and users on the Internet to the AirWatch servers in your corporate network. Supported reverse proxy
technologies include: Bluecoat, Microsoft, F5 Networks, IBM, and Cisco. Consult your AirWatch representative for
additional support for technologies not listed here, as support is continuously evolving.
IMPORTANT: While these components are combined in the diagrams below for illustrative purposes, they can reside
on a dedicated server. Many configuration combinations exist and may apply to your particular network setup.
Please request a copy of the AirWatch PoC Guide from your AirWatch representative and schedule a consultation to
discuss the appropriate server configuration for your on-premise deployment.
Prerequisites for Console/Device Services Connectivity for On-Premise Environments
Status Checklist | Requirement | Notes
 | SSL Certificate from trusted third party with Subject or Subject Alternative name of DNS | Ensure SSL certificate is trusted by all device types being used (i.e. not all Comodo certificates are natively trusted by Android). See Server Requirements.
 | Windows Server 2008 R2 or Windows Server 2012 or Windows Server 2012 R2 | 64-bit servers needed for AWCM | 64-bit Java
 | Install Role from Server Manager | IIS 7.0 (Server 2008 R2)
 | | IIS 8.0 (Server 2012 or Server 2012 R2)
 | | IIS 8.5 (Server 2012 R2 only)
 | Install Role Services from Server Manager | Common HTTP Features: Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Redirection
 | | Application Development: ASP.NET, .NET Extensibility, ASP, ISAPI Extensions, ISAPI Filters, Server Side Includes
 | | Health and Diagnostics: HTTP Logging, Logging Tools, Request Monitor, Tracing
 | | Security: Request Filtering, IP and Domain Restrictions
 | | Performance: Static Content Compression, Dynamic Content Compression
 | | Management Tools: IIS Management Console, IIS 6 Metabase Compatibility
 | | Note: Ensure WebDAV is not installed
 | Install Features from Server Manager | .NET Framework 3.5.1 Features: Entire module (.NET Framework 3.5.1, WCF Activation)
 | | Message Queuing: Message Queuing Server
 | | Telnet Client
 | Install 64-bit Java Runtime version 7 or greater | This is needed for the AWCM server (typically only installed on DS Server or separate server).
 | | Download from http://www.java.com/en/download/manual.jsp
 | | Note: Ensure 32-bit Java is not installed
 | Install .NET Framework 4.0 | Download from http://www.microsoft.com/en-us/download/confirmation.aspx?id=17718
 | Install SOCKS V5 | The SOCKS version supported by AirWatch for the routing of APNs messages is SOCKS V5. SOCKS V4 and SOCKS V4a are not supported.
Database Requirements
 | SQL Server Installed | SQL Server 2008 R2 or SQL Server 2012 (running in 2008 compatibility mode).
 | | It is also recommended that the SQL Servers are 64 bit (OS and SQL Server).
 | | AirWatch does not support Express, Workgroup or Web editions of SQL Server. These editions do not support all of the features utilized in the AirWatch Application so at this time only Standard and Enterprise Editions are supported.
 | | For install, need to be able to create, backup and restore a database.
 | Create AirWatch Database |
Network Requirements
General Requirements
Remote Access to Servers
Ensure that you have remote access to the servers that AirWatch is installed on. Typically, installations are performed
remotely over a web meeting or screen share that an AirWatch consultant provides. Some customers also provide
AirWatch with VPN credentials to directly access the environment as well.
Server Requirements
External DNS Name
The two main components of AirWatch are the Device Services server and the Console server. In a single server
deployment, these reside on the same server, and an external DNS entry needs to be registered for that server.
In a multi-server deployment, these are installed on separate servers, and only the “device services” component requires
an external DNS name, while the “console” component can remain only internally available.
SSL Certificate
The externally available URL of the AirWatch server must be set up with a trusted SSL certificate. A wildcard or individual
website certificate is required.
1. Obtain SSL certificates for each of your external DNS entries. A list of root certificates natively trusted by iOS can be
found here: http://support.apple.com/kb/HT5012
2. Upload your SSL certificate to the AirWatch server(s). Your certificate provider will have instructions for this process.
3. Once uploaded on your server you can use it to add a 443 binding to the Default Website in IIS. The bindings for a
completed server look like the following. Your SSL certificate should appear in the drop down menu of available
certificates.
4. Validate that you can connect to the server over HTTPS (https://yourAirWatchDomain.com). At this point you
should see the IIS splash page.
Note: If SSL is used for admin console access, ensure FQDN is enabled or host file is configured.
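The name and expiry checks behind steps 1 and 4 above, as an added example that is not part of the AirWatch guide. The host names under example.com, the function names and the 30-day warning threshold are assumptions made for illustration; the sample certificate is constructed.

```python
"""Pre-flight check for the Device Services TLS certificate (added example)."""
import socket
import ssl
from datetime import datetime, timezone


def san_matches(pattern: str, host: str) -> bool:
    """Wildcard rule: '*' stands for exactly one left-most label, nothing more."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # *.example.com covers neither example.com nor a.b.example.com
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def evaluate_cert(cert: dict, host: str, now: datetime, warn_days: int = 30) -> list:
    """Findings for a certificate in ssl.getpeercert() form; empty list means OK."""
    findings = []
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(san_matches(s, host) for s in sans):
        if any(san_matches(c, host) for c in cns):
            # Many current TLS clients ignore the Subject CN and read only the SAN.
            findings.append("name matches Subject CN only; add a DNS SAN entry")
        else:
            findings.append(f"no certificate name covers {host}")
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < warn_days:
        findings.append(f"certificate expires in {days_left} days")
    return findings


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Step 4 over the wire. Raises ssl.SSLCertVerificationError when the chain
    is not trusted by THIS machine's store; device trust stores can differ, so
    still confirm the issuing root is on each device platform's trusted list."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() form (not a real certificate).
SAMPLE_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
    "notAfter": "Jan 15 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    now = datetime(2029, 6, 1, tzinfo=timezone.utc)
    for name in ("mdm.example.com", "example.com", "ds.mdm.example.com"):
        print(name, evaluate_cert(SAMPLE_WILDCARD, name, now) or "OK")
    # Live use (hypothetical host): evaluate_cert(fetch_cert("mdm.example.com"),
    #                                 "mdm.example.com", datetime.now(timezone.utc))
```

A wildcard certificate covers one label only, so a Device Services name such as ds.mdm.example.com needs its own SAN entry or a certificate issued for that level.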
Database Requirements
Microsoft SQL Reporting Services (SSRS)
2. Verify network connectivity from the SSRS server to your SMTP server (for delivering subscribed reports).
• Telnet SMTP_Server 25
Authentication Credentials
AirWatch can be set up to use a domain service account, or a basic SQL account for authentication to the database.
Please verify that the username and password for the account work.
The database installer requires a user with SysAdmin privileges, but this user is only used to perform the installation
and not for the application's connection to the database.
The AirWatch Service Account needs the following access to the AirWatch and msdb databases:
• AirWatch
  ◦ db_owner
• msdb
  ◦ SQLAgentUserRole
Full-Text Search
The Global search function of the AirWatch Admin Console uses full text search indexes and requires the appropriate
service to be running on the SQL server. Ensure this component is running on your SQL instance.
On-premise customers need the following to install the Full-Text feature:
• Access to the SQL Server installation media.
1. Run the Microsoft SQL Server program from Programs and Features,
On Windows Server 2008, the default account assigned to the SQL Full-text Filter Daemon Launcher service is the Local
Service account. SQL Server uses security features available in Windows Server 2008 to provide a high level of security
and isolation for the service. For enhanced security, you should not configure the SQL Full-text Filter Daemon Launcher
service to run under any other account.
Additional Notes
Proxy
The AirWatch servers can be configured with a proxy / PAC file for outbound Internet access. Apple APNs traffic, however,
is not HTTP traffic, and cannot be authorized through traditional HTTP proxies. This traffic must go straight out to the
Internet or through an application/SOCKS proxy.
Apple APNs
For a successful APNs connection, the following has to occur from a device: NSLookup gateway.push.apple.com for the
TXT record, then open connection to #-courier.push.apple.com on port 5223, where # is the result returned from the TXT
record on gateway.push.apple.com.
Load Balancers
• Configure Load Balancers with a Round Robin load balancing mechanism.
Note: If the Enrollment Session Timeout values are modified in AirWatch Console Settings, then you need to
set the Persistence Timeout values to the same value.
  ◦ Admin Console: Session persistence timeout of one hour is required based on the default configuration of
  AirWatch.
  Note: If the Idle Session Timeout values are modified in the AirWatch Console Settings, then you need to set
  the Persistence Timeout values to the same value.
  ◦ Secure Email Gateway: Session persistence timeout value for the Secure Email Gateway needs to be the same as
  the persistence timeout value for your Exchange ActiveSync Servers based on recommendations from the Mail
  Solution vendor.
• Load balancers are also recommended to redirect all HTTP requests to HTTPS.
Public IP
• A public IP address is needed to access the AirWatch SEG server from the Internet (HTTPS).
• A public IP address is needed to access the AirWatch Device Services server from the Internet (HTTPS).
Additional Configurations
LDAP / AD Server (Optional)
In order to configure LDAP / AD integration you will need the requested information about your existing LDAP server and
directory structure.
SMTP Server (Optional)
AirWatch can integrate with your existing SMTP server to send email notifications and device activation messages. In
order to configure this integration you will need the requested information about your existing SMTP server.
CellTrust® Account (Optional)
AirWatch leverages CellTrust® as a third party SMS gateway that can be used to send messages to devices directly from
the console. Please refer to the CellTrust SMS Gateway Integration with AirWatch whitepaper for more information.
CellTrust® offers 30-day free trials that provide customers with the necessary credentials to begin sending messages. In
order to configure this integration you will need the requested information about your CellTrust® account.
Reference: http://www.celltrust.com/mobile-aggregation.html
ParlayX Protocol (Optional)
The ParlayX 3.0 protocol for sending SMS messages to an SMSC is supported. It requires a connection to the SMS gateway
along with the necessary credentials for initiating the SMS.
CIMD Protocol (Optional)
The CIMD2.0 protocol for sending SMS messages to an SMSC is supported. It requires an on-premise instance of the
open-source SMS gateway, Kannel, on a Linux server that AirWatch will issue HTTP POST commands to.
SCEP/CA Server (Optional)
AirWatch integrates with a number of PKI providers for certificate integration for VPN, Wi-Fi, Email, etc. Please contact
AirWatch for specific requirements if certificate integration is requested.
Hardware Requirements
Overview
When determining the hardware requirements needed to build out an AirWatch environment, it is important to consider
the number of managed devices, the device transaction frequency, the device check-in interval and also the number of
administrative users that AirWatch will be managing. It may also be beneficial to consider the growth potential of the
organization’s device fleet as well.
The sizing recommendations listed below are written against device transaction data gathered from AirWatch Cloud
deployments. Sizing for an AirWatch environment should begin with an initial assessment of critical factors to provide a
clear view of system usage.
‡ Each Application Server needs to be a virtual machine (VM) configured with at least 2 CPU cores and 4GB RAM.
± When using a 1x Application Server for the DB, AirWatch Console, and Device Services, add the total RAM
requirements in the table above for all three and then verify the Application Server has the proper amount of RAM
installed. If using AWCM on the same server as Device Services, add 4GB RAM for each Application Server.
† If a SEG is implemented (optional), for every 2,000 devices, use one CPU core with 2GB of RAM (e.g., 8K devices need
4 CPU cores with 8GB RAM). For every 16K devices you deploy, (e.g., 8 CPU cores with 16GB RAM), AirWatch
recommends you add a SEG (e.g., 40K devices requires three SEGs). For more information, consult the AirWatch
Managing and Protecting Mobile Email overview or the AirWatch Secure Email Gateway Proxy Server
Configuration Guide.
Reporting Server (SSRS) | 1 reporting server with 1 CPU core/4 GB RAM and 50 GB storage | 1 reporting server with 2 CPU core/8 GB RAM and 50 GB storage
API Server | 2 load-balanced servers with 2 CPU cores/4GB RAM each and 50 GB storage | 2 load-balanced servers with 4 CPU cores/4GB RAM each and 50 GB storage | 2 load-balanced servers with 4 CPU cores/8GB RAM each and 50 GB storage
General Assumptions
The following are general assumptions that will help you determine if you need to adjust the hardware requirements
shown in the table above based on the hardware needs of your environment.
• High Availability is easily accomplished in AirWatch but is outside the scope of this document. Please contact
AirWatch for the relevant High Availability documents for your deployment.
• Sizing estimates include allocation for 1GB of cumulative app storage. Increase the server disk space and DB disk
space to account for increased storage (for example, a 5GB app deployment will require an additional 4GB disk space
for the database and application servers).
• Sizing estimates include allocation for 1GB of cumulative content storage for the content locker. Increase the server
disk space to account for increased storage (for example, 5GB of content requires an additional 4GB disk space for
the application servers).
• If AirWatch is to be installed on a shared database server, AirWatch should be given its own instance with earmarked
resources as defined in the sizing table.
*Windows Server 2008 or Windows Server 2008 R2 (32-bit or 64-bit) with latest service packs and recommended updates from
Microsoft (http://www.update.microsoft.com).
Note: Sizing estimates vary based on actual email and attachment usage. Add additional SEG servers as
necessary.
  ◦ With content transformation (attachment handling, hyperlinks security, tagging and so on):
    ▪ 1 CPU core with 2GB RAM for every 1,000 mobile devices.
    ▪ 2GB RAM (min) per SEG CPU core
Note: Sizing estimates vary based on actual email and attachment usage. Add additional SEG servers as
necessary.
• When installing SEG servers in a load balanced configuration, sizing requirements can be viewed as cumulative. For
example, a SEG environment requiring 4 CPU Cores and 8GB of RAM can be supported by either:
  ◦ One single SEG server with 4 CPU cores and 8GB RAM
  or
  ◦ Two load balanced SEG servers with 2 CPU cores and 4GB RAM each
• 2 GB RAM or higher
Software Requirements
Overview
This section covers the required software setup for each listed server before the installation can occur. Having this
software pre-installed on servers reduces the installation time required to install AirWatch.
Required Software
Software Requirements | Server: Device Services, Admin Console, Database, SEG
Windows Server 2008 R2*/2012 | • • • •
.NET Framework 3.5 & 4** | • • • •
IIS 7 Server† | • • •
Microsoft Message Queues (MSMQ) | • • •
Microsoft SQL Server 2008 / R2/2012‡ (in 2008 compatibility mode) | •
* - Windows Server 2008 R2 (32-bit or 64-bit) with latest service packs and recommended updates from Microsoft
(http://www.update.microsoft.com).
** - .NET Framework 4. A Windows update is required after installation to update additional software components.
† - IIS 7 Server must also have additional role services installed.
‡ - SQL Server 2008, 2008 R2, 2012 (in 100 compatibility mode) with Client Tools (SQL Management Studio, Reporting Services, Integration Services,
SQL Server Agent, latest service packs). Note that SQL Server 2008 R2 is recommended, because the Standard Edition does not support all reports.
Appendix A – Components of AirWatch
Overview
This section details each component of the AirWatch system and indicates whether they are web apps or Windows
services.