
AirWatch On-Premise Technical Architecture Guide
Preparing for a successful AirWatch v7.2 implementation

© 2014 VMware, Inc. All rights reserved.


This document, as well as the software described in it, is furnished under license. The information in this manual may only be used in accordance with the terms of the license. This
document should not be reproduced, stored or transmitted in any form, except as permitted by the license or by the express permission of AirWatch, LLC.
All other marks and names mentioned herein may be trademarks or trade names of their respective companies.

AirWatch On-Premise Technical Architecture Guide | v.2014.06 | June 2014


Copyright © 2014 VMware, Inc. All rights reserved. Proprietary & Confidential.
Table of Contents
Introduction to the On-Premise Technical Architecture Guide 3
Overview 3
In This Guide 3
Before You Begin 4
In This Section 4
Requirements 4
Recommended Reading 4
Topology 5
Overview 5
In This Section 5
Required Components 5
Optional Components 6
AirWatch On-Premise Configurations 9
Prerequisites for Console/Device Services Connectivity for On-Premise Environments 12
Hardware Requirements 24
Overview 24
Sizing for 100 to 25,000 Devices 24
Sizing for 50,000 to 250,000+ Devices 26
Software Requirements 30
Overview 30
Required Software 30
Appendix A – Components of AirWatch 31
Overview 31
AirWatch Device Services 31
AirWatch Admin Console 32
AirWatch Secure Email Gateway 32
AirWatch Mobile Access Gateway 33
AirWatch Cloud Messaging 33

Introduction to the On-Premise Technical Architecture Guide

Overview
The purpose of this guide is to help IT administrators prepare for the deployment of an on-premise AirWatch installation.
This document covers general information about supported AirWatch topologies, various hardware, software and
network requirements, and more. Since every on-premise deployment is unique, this document does not cover
customized network configurations. Please consult with your AirWatch representative to schedule a call to discuss any
particular questions or concerns you have regarding your specific deployment.

In This Guide
l Before You Begin – This section covers topics and prerequisites you should familiarize yourself with so you can get
the most out of using this guide.

l Topology – This section outlines each component and gives a short summary of their role.

l Network Requirements – This section details the network requirements for an on-premise deployment.

l Hardware Requirements – This section details the hardware requirements for an on-premise deployment.

l Software Requirements – This section details the software requirements for an on-premise deployment.

l Appendix A: Components of AirWatch – This section details each component of the AirWatch system.

Before You Begin


This section covers topics and prerequisites you should familiarize yourself with so you can get the most out of using this
guide.

In This Section
l Requirements – See a list of requirements you must meet before proceeding with an on-premise deployment.

l Recommended Reading – See a list of additional guides that contain supplemental information.

l Getting Started – See additional considerations you should know before you begin.

Requirements
Please see the appropriate sections for:
l Network Requirements – This section details the network requirements for the AirWatch Console and Device Services
servers that are required for an on-premise deployment. For more information about the on-premise requirements for
ACC, MAG or SEG, refer to the AirWatch On-Premise Pre-installation Guide, which includes a comprehensive set of
requirements.

l Hardware Requirements

l Software Requirements

Recommended Reading
l The AirWatch On-Premise Pre-Installation Checklist – This checklist helps prepare you for your scheduled AirWatch
installation by ensuring all of the server and network requirements are in place.

l The AirWatch High Availability and Disaster Recovery Configuration Guide – This guide details the different
deployment scenarios and associated AirWatch solutions.

l The AirWatch On-Premise Monitoring and Maintenance Guide – This guide outlines the various tools and
recommended guidelines for your system.

l The AirWatch Cloud Connector Guide – This guide provides an overview of the benefits and use cases for ACC
integration and details the installation process for this feature.

l The AirWatch Mobile Access Gateway Admin Guide – This guide details the integration options for the MAG and
how to manage it from the AirWatch Admin Console.

l The AirWatch Secure Email Gateway Configuration Guide – This guide walks you step-by-step through installing the
AirWatch SEG to proxy traffic for your email endpoint. Here you will also learn about the necessary requirements for
the proxy server and recommended configurations.

Topology

Overview
The AirWatch software suite comprises multiple components that work in conjunction to provide a complete mobile
device management solution. The sections below outline each component and give a short summary of its role to aid in
understanding the AirWatch architecture.

In This Section
l Required Components – Read more about some of the major components you must have as part of an AirWatch
implementation.

l Optional Components – See some of the optional components you can leverage as part of an AirWatch on-premise
implementation.

l AirWatch On-premise Configurations – See some sample on-premise configurations.

Required Components
AirWatch Admin Console
Administrators use the AirWatch Admin Console via web browser to secure, configure, monitor and manage their
corporate device fleet. The Admin Console also contains the AirWatch API, which allows external applications to interact
with the MDM solution; this API provides layered security to restrict access both on an application and user level.

Device Services
Device Services are the components of AirWatch that actively communicate with devices. AirWatch relies on this
component for processing:
l Device enrollment.

l Application provisioning.

l Delivering device commands and receiving device data.

l Hosting the AirWatch Self-Service Portal, which device users can access (through a web browser) to monitor and
manage their devices in AirWatch.

SQL Database
AirWatch stores all device and environment data in a Microsoft SQL Server database. Due to the amount of data flowing
in and out of the AirWatch database, proper sizing of the Database server is crucial to a successful deployment.
Additionally, AirWatch utilizes Microsoft SQL Reporting Services to report on data collected by the AirWatch solution.
For more information on the AirWatch components, see Appendix A.

For more information on additional system configurations, see the AirWatch On-Premise Pre-Installation Checklist
located in the AirWatch ASK knowledge base or consult with your AirWatch representative.

Optional Components
AirWatch Secure Email Gateway
AirWatch offers advanced email management capabilities such as:
l Detection and Remediation of rogue devices connecting to email.

l Advanced controls of Mobile Mail access.

l Advanced access control for administrators.

l Integration with the AirWatch compliance engine.

l Enhanced traffic visibility through interactive email dashboards.

l Certificate integration for advanced protection.

l Email attachment control (available in AirWatch 6.3+).


Enterprises using certain types of email server, such as Exchange 2003/2007 or Lotus Traveler, should use the AirWatch
Secure Email Gateway (SEG) server in order to take advantage of these advanced email management capabilities. The
SEG acts as a proxy, handling all Exchange ActiveSync traffic between devices and an enterprise's existing ActiveSync
endpoint.
Enterprises using Exchange 2010+, Office 365 BPOS, or Google Apps for Business should not need the Secure Email
Gateway server. For these email infrastructures, a different deployment model can be used that does not require a proxy
server, such as Microsoft PowerShell integration or Google password management techniques.

Note: Email attachment control functionality requires the use of the Secure Email Gateway proxy server regardless of
email server type.

AirWatch Cloud Messaging (AWCM)


AirWatch Cloud Messaging (AWCM) streamlines the delivery of messages and commands from the Console and
eliminates the need for end users to access public Internet and procure Google IDs. AWCM also serves as a
comprehensive substitute for Google Cloud Messaging (GCM) for Android devices. AWCM is the only option to provide
MDM capabilities for Windows Mobile and Symbian devices.

Benefits
AWCM replaces GCM and simplifies device management by:
l Removing the need for third party IDs.

l Delivering AirWatch Console commands directly to Android, Symbian, and Windows Mobile devices.

l Enabling the ability for remote control and file management on Android SAFE and Windows Mobile devices.

l Reducing security concerns by eliminating device communication to public endpoints outside of AirWatch.

l Increasing functionality of internal Wi-Fi only devices.

AirWatch Cloud Connector (ACC)


AirWatch Cloud Connector (ACC) provides organizations the ability to integrate AirWatch with their back-end enterprise
systems. AirWatch Cloud Connector runs in the internal network, acting as a proxy that securely transmits requests from
AirWatch to the organization's critical enterprise infrastructure components. This allows organizations to leverage the
benefits of AirWatch's Mobile Device Management (MDM), running in any configuration, together with those of their
existing LDAP, certificate authority, email, and other internal systems.
ACC integrates with the following internal components:
l Email Relay (SMTP)

l Directory Services (LDAP / AD)

l Microsoft Certificate Services (PKI)

l Simple Certificate Enrollment Protocol (SCEP PKI)

l Email Management Exchange 2010 (PowerShell)

l BlackBerry Enterprise Server (BES)

l Third-party Certificate Services (On-premise only)

l Lotus Domino Web Service (HTTPS)

l Syslog (Event log data)

AirWatch Mobile Access Gateway (MAG)


The AirWatch Mobile Access Gateway (MAG) provides a secure and effective method for individual applications to access
corporate sites and resources. When your employees access internal content from their mobile devices, the MAG acts as
a secure relay between the device and enterprise system. The MAG is able to authenticate and encrypt traffic from
individual applications on compliant devices to the back-end site/resources they are trying to reach.
Use the MAG to access:
l Internal document repositories and content using the AirWatch Secure Content Locker.

l Internal websites and web applications using the AirWatch Secure Browser.

AirWatch App Wrapping


AirWatch Application Wrapping, or app wrapping, allows organizations to secure enterprise applications without code
changes. It can add an extra layer of security and data loss prevention while offering a consistent user experience.
Consistency comes from using AirWatch options such as branding, single sign on (SSO), and authentication.
Modifying your internal applications with app wrapping reduces the development time and expense of adding
management and security features. It lets you use tools already available in AirWatch by simply adding a layer of
features over the application. Once the advanced features are applied, deploy the application to your enterprise
application catalog for end users to access.

Android Market Integration (Apache server)


This feature is available for on-premise customers only. It serves as the connection between the AirWatch MDM and the
Google Play Store, and it must be configured before a user can use the Search App Store feature for Android apps.

AirWatch On-Premise Configurations


When deployed within an organization's network infrastructure, AirWatch can adhere to strict corporate security policies
by storing all data onsite. In addition, AirWatch has been designed to run on virtual environments, which allows for
seamless deployments on a number of different setups.
AirWatch can be deployed in a variety of configurations to suit diverse business requirements. Common deployment
topologies include single-server, multi-server, and hybrid models. The primary difference between these deployment
models is how the AirWatch components (Admin Console, Device Services, Database Server, Secure Email Gateway, ACC,
and MAG) are grouped, and how they are positioned within the corporate network. Three common permutations are
detailed below.
For information on other configuration types, such as high availability and disaster recovery configurations, please
consult your AirWatch representative or the AirWatch ASK knowledge base for the appropriate documentation.
For more information on hardware sizing, see Hardware Requirements.

Note: All AirWatch topologies support reverse proxies. A reverse proxy can be used to route incoming traffic from
devices and users on the Internet to the AirWatch servers in your corporate network. Supported reverse proxy
technologies include: Bluecoat, Microsoft, F5 Networks, IBM, and Cisco. Consult your AirWatch representative for
additional support for technologies not listed here, as support is continuously evolving.

Basic/Single App Server Deployment


This delivery model can be used for organizations managing fewer than 1,000 devices. This configuration allows for
simplified installation and maintenance, while allowing future scalability and flexibility as deployments grow. A single-
server deployment allows for easy integration with enterprise services, as well as simplified control and validation over
the entire environment.

Hybrid Server Deployment


A hybrid-server deployment model is recommended for organizations managing between 1,000 and 5,000 devices, but it
can also be used for deployments of fewer than 1,000 devices. This configuration differs from the single-server model by
placing the Secure Email Gateway (SEG) and the Database Server each on a separate server.
The advantage of this topology comes in segregating the email management infrastructure to be maintained and scaled
independently, as well as isolating the database server for ease of troubleshooting and future scale.

Multiple Server Deployment


A multi-server deployment model is recommended for organizations managing 5,000 or more devices and/or those
wanting to utilize a DMZ architecture to segment the administrative console server into the internal network for
increased security. This deployment model allows for increased resource capacity by allowing each server to be dedicated
to AirWatch components. The following diagrams illustrate how to leverage ACC and MAG in an on-premise
environment.

IMPORTANT: While these components are combined in the diagrams below for illustrative purposes, each can reside
on a dedicated server. Many configuration combinations exist and may apply to your particular network setup.
Please request a copy of the AirWatch PoC Guide from your AirWatch representative and schedule a consultation to
discuss the appropriate server configuration for your on-premise deployment.

Multi Server with ACC and MAG

Prerequisites for Console/Device Services Connectivity for On-Premise Environments
Use the following as a checklist: each requirement is followed by its notes, and each item should be verified before the
scheduled installation.

Hardware Requirements

VM or Physical Server
  See the AirWatch On-Premise Technical Architecture Guide for more information.

General Requirements

Remote access to Windows Servers available to AirWatch, with Administrator rights
  Recommended to set up Remote Desktop Connection Manager for managing multiple servers; the installer can be
  downloaded from http://www.microsoft.com/en-us/download/confirmation.aspx?id=21101. See General Requirements.

Installation of Notepad++ (Recommended)
  Installer can be downloaded from http://download.tuxfamily.org/notepadplus/6.5.1/npp.6.5.1.Installer.exe

Service accounts for authentication to backend systems (LDAP, BES, PowerShell, etc.)
  Validate the AD connectivity method using the LDP.exe tool (http://www.computerperformance.co.uk/ScriptsGuy/ldp.zip).
  Note: This can be one service account that has all required access.

Create a corporate Apple ID (Post-Installation)
  If your deployment includes Apple iOS devices, you must generate an APNs certificate on behalf of your company. This
  certificate can be generated easily but requires an Apple ID. Because this certificate must be renewed, it is
  recommended that the Apple ID is created with an email address to which multiple users have access, so that your
  company does not have to rely on one person in order to renew the certificate. If you need to create a new Apple ID,
  follow the link below and select Create an Apple ID: https://appleid.apple.com

Create a corporate Google ID
  Needed for the ability to search the Play Store for applications to push to devices.

Software Requirements

Externally registered DNS
  See Server Requirements.

SSL Certificate from a trusted third party with a Subject or Subject Alternative Name matching the DNS name
  Ensure the SSL certificate is trusted by all device types being used (for example, not all Comodo certificates are
  natively trusted by Android). See Server Requirements.

Windows Server 2008 R2, Windows Server 2012 or Windows Server 2012 R2
  64-bit servers are needed for AWCM (64-bit Java).

Install Role from Server Manager
  IIS 7.0 (Server 2008 R2); IIS 8.0 (Server 2012 or Server 2012 R2); IIS 8.5 (Server 2012 R2 only).

Install Role Services from Server Manager
  Common HTTP Features: Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Redirection
  Application Development: ASP.NET, .NET Extensibility, ASP, ISAPI Extensions, ISAPI Filters, Server Side Includes
  Health and Diagnostics: HTTP Logging, Logging Tools, Request Monitor, Tracing
  Security: Request Filtering, IP and Domain Restrictions
  Performance: Static Content Compression, Dynamic Content Compression
  Management Tools: IIS Management Console, IIS 6 Metabase Compatibility
  Note: Ensure WebDAV is not installed.

Install Features from Server Manager
  .NET Framework 3.5.1 Features: entire module (.NET Framework 3.5.1, WCF Activation)
  Message Queuing: Message Queuing Server
  Telnet Client

Install 64-bit Java Runtime version 7 or greater
  Needed for the AWCM server (typically installed only on the DS server or on a separate server). Download from
  http://www.java.com/en/download/manual.jsp. Note: Ensure 32-bit Java is not installed.

Install .NET Framework 4.0
  Download from http://www.microsoft.com/en-us/download/confirmation.aspx?id=17718

Install SOCKS V5
  The SOCKS version supported by AirWatch for the routing of APNs messages is SOCKS V5. SOCKS V4 and SOCKS V4a
  are not supported.

Database Requirements

SQL Server Installed
  SQL Server 2008 R2 or SQL Server 2012 (running in 2008 compatibility mode). It is also recommended that the SQL
  Servers are 64-bit (OS and SQL Server). AirWatch does not support the Express, Workgroup or Web editions of SQL
  Server; these editions do not support all of the features used by the AirWatch application, so at this time only the
  Standard and Enterprise editions are supported. For the install, you need to be able to create, back up and restore a
  database.

Create AirWatch Database
  SQL collation is SQL_Latin1_General_CP1_CI_AS.

Validate SQL Account Permissions
  db_owner on the AirWatch database; db_datareader, public, and SQLAgentUserRole on msdb.

Ensure Full-Text Search is installed on the SQL database
  Run the following query on the database to validate whether it is installed:
  SELECT FullTextServiceProperty('IsFullTextInstalled');
  If 1 is returned it is installed; if 0 is returned it needs to be installed. See Database Requirements for instructions.

Reporting Services Requirements (OPTIONAL)

Reporting Services installed and configured in SQL Management Studio (typically on the DB server)
  See Database Requirements.

Reporting Services configured with user, password, and database
  See Database Requirements.

Web Service URL is reachable
  Verify by entering http://<ReportServerURL>/ReportServer (varies based on port and configured URL) in a browser and
  seeing if it loads.

Report Manager URL is reachable
  Verify by entering http://<ReportServerURL>/Reports (varies based on port and configured URL) in a browser and
  seeing if it loads.

Web Service URL is reachable from the Console Server
  Verify by entering http://<ReportServerURL>/ReportServer on the Console Server (varies based on port and configured
  URL).
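The IIS role services and features listed under "Install Role Services from Server Manager" and "Install Features from Server Manager" above can be installed and verified from PowerShell instead of clicking through Server Manager. The following script is an added example and is not part of the AirWatch guide; it assumes Windows Server 2012 or 2012 R2 with the built-in ServerManager module (on 2008 R2 the cmdlet is Add-WindowsFeature and some feature names differ). The feature names are Microsoft's; the WebDAV removal enforces the checklist note that WebDAV must not be installed, because WebDAV adds PUT, DELETE and PROPFIND handling to the site.

```powershell
# Added example (not from the AirWatch guide): install the IIS role services and
# features from the prerequisite checklist on Windows Server 2012 / 2012 R2 and
# confirm WebDAV is absent. Assumes the built-in ServerManager module.
Import-Module ServerManager

$required = @(
    'Web-Server',
    # Common HTTP Features
    'Web-Static-Content', 'Web-Default-Doc', 'Web-Dir-Browsing', 'Web-Http-Errors', 'Web-Http-Redirect',
    # Application Development (ASP.NET 3.5 and 4.5, .NET Extensibility, ASP, ISAPI, Server Side Includes)
    'Web-Asp-Net', 'Web-Asp-Net45', 'Web-Net-Ext', 'Web-Net-Ext45', 'Web-ASP',
    'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Includes',
    # Health and Diagnostics
    'Web-Http-Logging', 'Web-Log-Libraries', 'Web-Request-Monitor', 'Web-Http-Tracing',
    # Security
    'Web-Filtering', 'Web-IP-Security',
    # Performance
    'Web-Stat-Compression', 'Web-Dyn-Compression',
    # Management Tools
    'Web-Mgmt-Console', 'Web-Metabase',
    # Features: .NET Framework 3.5 with WCF activation, Message Queuing Server, Telnet Client
    'NET-Framework-Core', 'NET-HTTP-Activation', 'NET-Non-HTTP-Activ', 'MSMQ-Server', 'Telnet-Client'
)
# The checklist requires that WebDAV is NOT installed.
$forbidden = @('Web-DAV-Publishing')

function Install-AirWatchIisPrereqs {
    param([string[]]$Required, [string[]]$Forbidden, [string]$Source)
    $splat = @{ Name = $Required }
    # The .NET 3.5 payload is not on disk by default on 2012; point -Source at <media>\sources\sxs if needed.
    if ($Source) { $splat.Source = $Source }
    $result = Install-WindowsFeature @splat
    if (-not $result.Success) { throw "Feature installation failed (exit code $($result.ExitCode))" }
    $present = Get-WindowsFeature -Name $Forbidden | Where-Object { $_.Installed }
    if ($present) { Uninstall-WindowsFeature -Name $present.Name | Out-Null }
    return $result.RestartNeeded
}

function Test-AirWatchIisPrereqs {
    param([string[]]$Required, [string[]]$Forbidden)
    $missing = Get-WindowsFeature -Name $Required  | Where-Object { -not $_.Installed } | ForEach-Object { $_.Name }
    $extra   = Get-WindowsFeature -Name $Forbidden | Where-Object { $_.Installed }      | ForEach-Object { $_.Name }
    [pscustomobject]@{ Missing = @($missing); ForbiddenPresent = @($extra); Ok = (-not $missing -and -not $extra) }
}

$restart = Install-AirWatchIisPrereqs -Required $required -Forbidden $forbidden
$state   = Test-AirWatchIisPrereqs -Required $required -Forbidden $forbidden
if (-not $state.Ok) {
    Write-Warning ("Missing: {0}; forbidden present: {1}" -f ($state.Missing -join ', '), ($state.ForbiddenPresent -join ', '))
}
if ($restart -ne 'No') { Write-Warning 'A restart is required before running the AirWatch installer.' }
```

Run the script in an elevated PowerShell session on each Console and Device Services server; rerun Test-AirWatchIisPrereqs after any manual change in Server Manager so the WebDAV check is repeated.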

Network Requirements

Source Component | Destination Component | Protocol | Port | Notes

Admin Console Hostname | discovery.awmdm.com | HTTPS | 443 | Optional
Admin Console Hostname | awcp.air-watch.com | HTTPS | 443 | Optional
Admin Console Hostname | gem.awmdm.com | HTTPS | 443 | AirWatch Analytics in myAirWatch
Admin Console Hostname | appwrap04.awmdm.com/awappwrap | HTTPS | 443 | AirWatch Cloud iOS App Wrapping Service
Admin Console Hostname | gateway.push.apple.com (17.0.0.0/8) | TCP | 2195 | Apple iOS and Mac OS X only
Admin Console Hostname | feedback.push.apple.com (17.0.0.0/8) | TCP | 2196 | Apple iOS and Mac OS X only
Admin Console Hostname | appwrapandroid.awmdm.com/awappwrap | HTTPS | 443 | AirWatch Cloud Android App Wrapping Service
Admin Console Hostname | android.googleapis.com | HTTPS | 443 | Android only
Admin Console Hostname | play.google.com | HTTPS | 443 | Android only
Admin Console Hostname | android.clients.google.com | TCP | 80 | Android App Management only
Admin Console Hostname | *notify.live.net | HTTP/HTTPS | 80 or 443 | Windows Phone 8 and Windows 8/RT only
Admin Console Hostname | BES Server | HTTPS | 443 | BlackBerry only
Admin Console Hostname | Apple iTunes: itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *.phobos.apple.com.edgesuite.net | HTTP | 80 | Apple iOS and Mac OS X only
Admin Console Hostname | gateway.celltrust.net (162.42.205.0/24) | HTTPS | 443 | Only required when utilizing SMS messaging
Admin Console Hostname | SSL Cert CRL* (Example: ocsp.verisign.com) | HTTP/HTTPS | 80 or 443 |
Admin Console Hostname | All AirWatch Servers | HTTPS | 443 |
Admin Console Hostname | AWCM (typically the Device Services server) | HTTPS | 2001 |
Admin Console Hostname | SQL SSRS Reporting | HTTP | 80 |
Admin Console Hostname | Database Server | SQL | 1433 |
Admin Console Hostname | Active Directory domain controller | LDAP(S) | 389 or 636 or 3268 or 3269 |
Admin Console Hostname | SMTP Mail Relay | SMTP | 25 or 465 |
Admin Console Hostname | Internal PKI | HTTPS/DCOM | 443 (HTTPS); 135, 1025-5000 or 49152-65535 (DCOM) |

Device Services Hostname | discovery.awmdm.com | HTTPS | 443 | Optional; for auto-discovery functionality
Device Services Hostname | gateway.push.apple.com | TCP | 2195 | Apple only
Device Services Hostname | feedback.push.apple.com | TCP | 2196 | Apple only
Device Services Hostname | android.googleapis.com | HTTP/HTTPS | 80 and 443 | Android only
Device Services Hostname | play.google.com | HTTPS | 443 | Android only
Device Services Hostname | android.clients.google.com | TCP | 80 | Android app management only
Device Services Hostname | awcp.air-watch.com/ | HTTPS | 443 |
Device Services Hostname | *notify.live.net | HTTP/HTTPS | 80 or 443 | Windows Phone 8 and Windows 8/RT only
Device Services Hostname | Apple iTunes: itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *.phobos.apple.com.edgesuite.net | HTTP | 80 | Apple only
Device Services Hostname | SSL Cert CRL* (Example: ocsp.verisign.com) | HTTP/HTTPS | 80 or 443 |
Device Services Hostname | All AirWatch Servers | HTTPS | 443 |
Device Services Hostname | Database Server | SQL | 1433 |
Device Services Hostname | Active Directory domain controller | LDAP(S) | 389 or 636 or 3268 or 3269 | [OPTIONAL] if you do not use EIS or ACC
Device Services Hostname | SMTP Mail Relay | SMTP | 25 or 465 | [OPTIONAL] if you do not use EIS or ACC
Device Services Hostname | Internal PKI | HTTPS/DCOM | 443 (HTTPS); 135, 1025-5000 or 49152-65535 (DCOM) | [OPTIONAL] if you do not use EIS or ACC

SSRS Server (Reports Server) | SMTP Mail Relay | SMTP | 25 or 465 | For report subscriptions

Devices (Internet/Wi-Fi) | Device Services Hostname | HTTPS | 443 |
Devices (Internet/Wi-Fi) | SEG Hostname | HTTPS | 443 |
Devices (Internet/Wi-Fi) | #-courier.push.apple.com (17.0.0.0/8) | TCP | 5223 and 443 | Apple only. '#' is a random number from 0 to 200.
Devices (Internet/Wi-Fi) | phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com | HTTP/HTTPS | 80 or 443 | Apple only
Devices (Internet/Wi-Fi) | mtalk.google.com | TCP | 5228 | Android only
Devices (Internet/Wi-Fi) | *notify.live.net | HTTP/HTTPS | 80 or 443 | Windows Phone 8 and Windows 8/RT only
Devices (Internet/Wi-Fi) | AWCM Server | HTTP/HTTPS | 2001 | WinMo, Android, Mac OS X, Win32 (PCs) only

Apache Tomcat Server | Android Market Integration (localhost/9001) | HTTP/HTTPS | 80 or 443 | Internet and proxy connection needs to be established.
Apache Tomcat Server | Android App Wrapping (localhost/9001) | | |
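The outbound rows above are exactly the kind of firewall and proxy rules that are approved in a ticket and then silently wrong on the day of installation. The following PowerShell script is an added example and is not part of the AirWatch guide: it encodes the Admin Console and Device Services egress rows as data and tests each one with Test-NetConnection from the server being validated. It assumes Windows Server 2012 or later (Test-NetConnection), and the internal hostnames in the parameters are placeholders you must replace. A successful TCP handshake only proves the path is open; it does not validate TLS, and it does not exercise an HTTP proxy, which is why the APNs rows (2195/2196 to 17.0.0.0/8) need a direct route or a SOCKS v5 proxy rather than an HTTP proxy.

```powershell
# Added example (not from the AirWatch guide): test the outbound rules from the
# Network Requirements table for one server role. Assumes Windows Server 2012+.
# Internal hostnames below are placeholders.
param(
    [ValidateSet('AdminConsole', 'DeviceServices')]
    [string]$Role = 'DeviceServices',
    [string]$DatabaseServer   = 'sql01.corp.example',   # placeholder
    [string]$DomainController = 'dc01.corp.example',    # placeholder
    [string]$SmtpRelay        = 'smtp.corp.example',    # placeholder
    [string]$AwcmServer       = 'ds01.corp.example',    # placeholder, usually the DS server
    [string]$SsrsServer       = 'sql01.corp.example'    # placeholder, usually the DB server
)

# Rows shared by both roles. Wildcard destinations (*notify.live.net, *.mzstatic.com)
# and CIDR-only entries cannot be tested by hostname and are left to the firewall review.
$common = @(
    @{ Dest = 'discovery.awmdm.com';        Port = 443;  Note = 'Optional (auto-discovery)' },
    @{ Dest = 'awcp.air-watch.com';         Port = 443;  Note = '' },
    @{ Dest = 'gateway.push.apple.com';     Port = 2195; Note = 'Apple only; no HTTP proxy, direct or SOCKS v5' },
    @{ Dest = 'feedback.push.apple.com';    Port = 2196; Note = 'Apple only; no HTTP proxy, direct or SOCKS v5' },
    @{ Dest = 'android.googleapis.com';     Port = 443;  Note = 'Android only' },
    @{ Dest = 'play.google.com';            Port = 443;  Note = 'Android only' },
    @{ Dest = 'android.clients.google.com'; Port = 80;   Note = 'Android app management only' },
    @{ Dest = 'itunes.apple.com';           Port = 80;   Note = 'Apple only' },
    @{ Dest = $DatabaseServer;              Port = 1433; Note = 'SQL' },
    @{ Dest = $DomainController;            Port = 636;  Note = 'LDAPS (table also allows 389/3268/3269)' },
    @{ Dest = $SmtpRelay;                   Port = 25;   Note = 'SMTP (table also allows 465)' }
)
$perRole = @{
    AdminConsole = @(
        @{ Dest = 'gem.awmdm.com';            Port = 443;  Note = 'AirWatch Analytics in myAirWatch' },
        @{ Dest = 'appwrap04.awmdm.com';      Port = 443;  Note = 'iOS app wrapping service' },
        @{ Dest = 'appwrapandroid.awmdm.com'; Port = 443;  Note = 'Android app wrapping service' },
        @{ Dest = 'gateway.celltrust.net';    Port = 443;  Note = 'Only when using SMS messaging' },
        @{ Dest = $AwcmServer;                Port = 2001; Note = 'AWCM' },
        @{ Dest = $SsrsServer;                Port = 80;   Note = 'SQL SSRS Reporting' }
    )
    DeviceServices = @()
}
$rules = $common + $perRole[$Role]

function Test-AirWatchEgress {
    param([hashtable[]]$Rules)
    foreach ($r in $Rules) {
        # Test-NetConnection proves a TCP handshake only; it does not validate TLS or proxies.
        $ok = (Test-NetConnection -ComputerName $r.Dest -Port $r.Port -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ Destination = $r.Dest; Port = $r.Port; Reachable = $ok; Note = $r.Note }
    }
}

$results = Test-AirWatchEgress -Rules $rules
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Reachable })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} of {1} destinations unreachable from role {2}" -f $failed.Count, $results.Count, $Role)
}
```

Run it once per role on the server that will hold that role, because the table's point is that the Console and Device Services servers need different egress; a rule that is open from the Console host but closed from the Device Services host in the DMZ is the usual finding.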

General Requirements
Remote Access to Servers
Ensure that you have remote access to the servers that AirWatch is installed on. Typically, installations are performed
remotely over a web meeting or screen share that an AirWatch consultant provides. Some customers also provide
AirWatch with VPN credentials to directly access the environment as well.

Server Requirements
External DNS Name
The two main components of AirWatch are the Device Services server and the Console server. In a single server
deployment, these reside on the same server, and an external DNS entry needs to be registered for that server.
In a multi-server deployment, these are installed on separate servers, and only the “device services” component requires
an external DNS name, while the “console” component can remain only internally available.

SSL Certificate
The externally available URL of the AirWatch server must be set up with a trusted SSL certificate. A wildcard or individual
website certificate is required.
1. Obtain SSL certificates for each of your external DNS entries. A list of root certificates natively trusted by iOS can be
found here: http://support.apple.com/kb/HT5012

2. Upload your SSL certificate to the AirWatch server(s). Your certificate provider will have instructions for this process.

3. Once uploaded on your server you can use it to add a 443 binding to the Default Website in IIS. The bindings for a
completed server look like the following. Your SSL certificate should appear in the drop down menu of available
certificates.

4. Validate that you can connect to the server over HTTPS (https://yourAirWatchDomain.com). At this point you
should see the IIS splash page.

Note: If SSL is used for admin console access, ensure FQDN is enabled or host file is configured.
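Steps 2 through 4 above can be done and checked from PowerShell rather than in the IIS Manager dialogs, which also catches the common failure where the certificate is imported without its private key or its name does not cover the external DNS entry. The following script is an added example and is not part of the AirWatch guide. It assumes Windows Server 2012 or later (the PKI module's Test-Certificate and the WebAdministration module), that the issued certificate has already been imported into the machine store, and that the FQDN in the parameter is a placeholder for your external DNS name. Test-Certificate with the SSL policy checks chain trust and the name match on this server only; devices trust the chain only if the issuing root is in their own store, which is the reason for the HT5012 list in step 1.

```powershell
# Added example (not from the AirWatch guide): locate the server certificate for the
# external FQDN, validate it, bind it to port 443 on the Default Web Site and confirm
# the HTTPS endpoint answers. Assumes Windows Server 2012+ and WebAdministration.
param([string]$Fqdn = 'ds.airwatch.example.com')   # placeholder external DNS name
Import-Module WebAdministration

function Get-AirWatchServerCert {
    param([string]$DnsName)
    # Accept an individual or a wildcard certificate; -like treats '*.example.com' as a pattern.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $names = @($_.DnsNameList | ForEach-Object { $_.Unicode })
        $_.HasPrivateKey -and ($names | Where-Object { $DnsName -like $_ })
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Test-AirWatchServerCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$DnsName)
    # SSL policy: chain builds to a trusted root, not expired, name matches, server-auth EKU.
    Test-Certificate -Cert $Cert -Policy SSL -DNSName $DnsName -ErrorAction SilentlyContinue
}

function Set-AirWatchHttpsBinding {
    param([string]$Thumbprint)
    if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
        New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 | Out-Null
    }
    $binding = Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
    $binding.AddSslCertificate($Thumbprint, 'my')   # 'my' is the LocalMachine\My store
}

function Test-AirWatchHttps {
    param([string]$DnsName)
    # Expect the IIS splash page (HTTP 200). If the external name does not resolve from
    # inside the network, add a hosts entry pointing at this server first (see the note above).
    try { (Invoke-WebRequest -Uri "https://$DnsName/" -UseBasicParsing).StatusCode -eq 200 }
    catch { $false }
}

$cert = Get-AirWatchServerCert -DnsName $Fqdn
if (-not $cert) { throw "No certificate with a private key for $Fqdn in LocalMachine\My; import the issued certificate first." }
if (-not (Test-AirWatchServerCert -Cert $cert -DnsName $Fqdn)) {
    throw "Certificate $($cert.Thumbprint) fails the SSL policy (untrusted chain, expiry or name mismatch)."
}
Set-AirWatchHttpsBinding -Thumbprint $cert.Thumbprint
if (Test-AirWatchHttps -DnsName $Fqdn) { "HTTPS OK for $Fqdn using $($cert.Subject)" }
else { Write-Warning "HTTPS check failed for $Fqdn; confirm DNS or the hosts file resolves it to this server." }
```

In a multi-server deployment only the Device Services name needs a publicly trusted certificate; the Console server can use an internal CA, but then the same script should be run against the internal name so the chain check reflects what administrators' browsers will see.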

Database Requirements
Microsoft SQL Reporting Services (SSRS)

AirWatch leverages Microsoft SQL Reporting Services for generating reports.


1. Please verify that you have SSRS installed on your DB server (or a separate Reporting server of your choice). Double-
check by launching your browser to (http://localhost/ReportServer/) or the equivalent URL based on your setup.
Also ensure that you have access to the Report Manager URL found in the Reporting Services Configuration
Manager.

2. Verify network connectivity from the SSRS server to your SMTP server (for delivering subscribed reports).
l Telnet SMTP_Server 25
Authentication Credentials
AirWatch can be setup to use a domain service account, or a basic SQL account for authentication to the database.
Please verify you have validated the username and password for the account is working.
The database installer requires a user with SysAdmin privileges but is only used to perform the installation and not for
the connection to the application.
The AirWatch Service Account needs the following access to the AirWatch and msdb databases:
l AirWatch
o db_owner

l msdb
o SQLAgentUserRole

Full-Text Search
The Global Search function of the AirWatch Admin Console uses full-text search indexes and requires the corresponding service to be running on the SQL Server. Ensure this component is running on your SQL instance.
On-premise customers need the following to install the Full-Text Search feature:
• Access to the SQL Server installation media.

• Windows rights to run the media on the server.

1. Run the Microsoft SQL Server program from Programs and Features.

2. Choose Add to add features.

3. Select the SQL instance in the SQL Server Setup wizard.

4. Check the Full-Text Search feature in the Feature Selection screen.

On Windows Server 2008, the default account assigned to the SQL Full-text Filter Daemon Launcher service is the Local
Service account. SQL Server uses security features available in Windows Server 2008 to provide a high level of security
and isolation for the service. For enhanced security, you should not configure the SQL Full-text Filter Daemon Launcher
service to run under any other account.
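The database-side checks above (SSRS reachable, SMTP connectivity, the service account's db_owner and SQLAgentUserRole membership, the Full-Text component, and the Filter Daemon Launcher account) can be scripted. The following PowerShell is an added example, not part of the AirWatch guide; the report-server URL, SMTP host, SQL instance and database name are placeholders you replace with your own values.

```powershell
# Added example, not from the AirWatch guide: scripts the SSRS, SMTP, SQL permission
# and Full-Text prerequisites above. Written for PowerShell 2.0+ (Server 2008 R2), so it
# avoids newer cmdlets such as Test-NetConnection and Invoke-WebRequest.
# Placeholder values (assumptions): change them to match your environment.
$ReportServerUrl = 'http://localhost/ReportServer/'   # URL named in the guide; adjust for a separate SSRS host
$SmtpServer      = 'smtp.example.internal'           # placeholder
$SqlInstance     = 'SQLDB01\AIRWATCH'                # placeholder
$AirWatchDb      = 'AirWatch'

function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000) {
    # Scriptable equivalent of "Telnet SMTP_Server 25", with a timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-HttpEndpoint([string]$Url) {
    # True if the URL answers at all; SSRS demands Windows auth, so a 401 still means "up".
    $req = [System.Net.WebRequest]::Create($Url)
    $req.UseDefaultCredentials = $true
    $req.Timeout = 5000
    try { $resp = $req.GetResponse(); $resp.Close(); return $true }
    catch [System.Net.WebException] { return ($_.Exception.Response -ne $null) }
}

function Invoke-SqlScalar([string]$ConnectionString, [string]$Query) {
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try { $cmd = $conn.CreateCommand(); $cmd.CommandText = $Query; return $cmd.ExecuteScalar() }
    finally { $conn.Close() }
}

function Write-Check([string]$Name, [bool]$Ok) {
    '{0,-42} {1}' -f $Name, $(if ($Ok) { 'PASS' } else { 'FAIL' })
}

Write-Check 'SSRS Report Server URL reachable' (Test-HttpEndpoint $ReportServerUrl)
Write-Check 'SMTP server reachable on TCP 25'   (Test-TcpPort $SmtpServer 25)

# Run this part as the AirWatch service account: IS_ROLEMEMBER reports on the caller.
# Windows auth shown; for a SQL login use "User ID=...;Password=..." instead of SSPI.
$base = "Server=$SqlInstance;Integrated Security=SSPI;"
$sqlChecks = @(
    @{ Name = "db_owner on $AirWatchDb";    Db = $AirWatchDb; Sql = "SELECT IS_ROLEMEMBER('db_owner')" },
    @{ Name = 'SQLAgentUserRole on msdb';   Db = 'msdb';      Sql = "SELECT IS_ROLEMEMBER('SQLAgentUserRole')" },
    @{ Name = 'Full-Text Search installed'; Db = 'master';    Sql = "SELECT FULLTEXTSERVICEPROPERTY('IsFullTextInstalled')" }
)
foreach ($c in $sqlChecks) {
    $value = Invoke-SqlScalar ($base + "Database=$($c.Db);") $c.Sql
    Write-Check $c.Name ($value -eq 1)    # 0, NULL or DBNull all count as a failure
}

# Run on the SQL host itself: the Full-text Filter Daemon Launcher should stay on Local Service.
$fdServices = @(Get-WmiObject Win32_Service -Filter "Name LIKE 'MSSQLFDLauncher%'")
if ($fdServices.Count -eq 0) { Write-Check 'Full-text Filter Daemon Launcher present' $false }
foreach ($svc in $fdServices) {
    $isLocalService = ($svc.StartName -replace '\s', '') -ieq 'NTAUTHORITY\LocalService'
    Write-Check "$($svc.Name) runs as Local Service" $isLocalService
}
```

Run the SQL portion under the AirWatch service account (or with its SQL login in the connection string), since the role-membership queries report on whoever is connected.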

Additional Notes
Proxy
The AirWatch servers can be configured with a proxy / PAC file for outbound Internet access. Apple APNs traffic, however, is not HTTP traffic and cannot be authorized through traditional HTTP proxies. This traffic must go straight out to the Internet or through an application/SOCKS proxy.

Apple APNs
For a successful APNs connection, the following has to occur from a device: an NSLookup of gateway.push.apple.com for the TXT record, then a connection to #-courier.push.apple.com on port 5223, where # is the value returned in the TXT record of gateway.push.apple.com.

Load Balancers
• Configure Load Balancers with a Round Robin load balancing mechanism.

• Configure Persistence for each of the components below:

  ◦ Device Services: A session persistence timeout of 10 minutes is required based on the default configuration of AirWatch.

    Note: If the Enrollment Session Timeout values are modified in the AirWatch Console Settings, then you need to set the Persistence Timeout values to the same value.

  ◦ Admin Console: A session persistence timeout of one hour is required based on the default configuration of AirWatch.

    Note: If the Idle Session Timeout values are modified in the AirWatch Console Settings, then you need to set the Persistence Timeout values to the same value.

  ◦ Secure Email Gateway: The session persistence timeout value for the Secure Email Gateway needs to be the same as the persistence timeout value for your Exchange ActiveSync servers, based on recommendations from the mail solution vendor.

• Load balancers are also recommended to redirect all HTTP requests to HTTPS.

Public IP
• A public IP address is needed to access the AirWatch SEG server from the Internet (HTTPS).

• A public IP address is needed to access the AirWatch Device Services server from the Internet (HTTPS).

Additional Configurations
LDAP / AD Server (Optional)
In order to configure LDAP / AD integration you will need the requested information about your existing LDAP server and directory structure.
SMTP Server (Optional)
AirWatch can integrate with your existing SMTP server to send email notifications and device activation messages. In order to configure this integration you will need the requested information about your existing SMTP server.
CellTrust® Account (Optional)
AirWatch leverages CellTrust® as a third-party SMS gateway that can be used to send messages to devices directly from the console. Refer to the CellTrust SMS Gateway Integration with AirWatch whitepaper for more information. CellTrust® offers 30-day free trials that provide customers with the necessary credentials to begin sending messages. In order to configure this integration you will need the requested information about your CellTrust® account.
Reference: http://www.celltrust.com/mobile-aggregation.html
ParlayX Protocol (Optional)
The ParlayX 3.0 protocol for sending SMS messages to an SMSC is supported. It requires a connection to the SMS gateway along with the necessary credentials for initiating the SMS.
CIMD Protocol (Optional)
The CIMD 2.0 protocol for sending SMS messages to an SMSC is supported. It requires an on-premise instance of the open-source SMS gateway Kannel on a Linux server, to which AirWatch issues HTTP POST commands.
SCEP/CA Server (Optional)
AirWatch integrates with a number of PKI providers for certificate integration for VPN, Wi-Fi, Email, etc. Contact AirWatch for specific requirements if certificate integration is requested.

Hardware Requirements

Overview
When determining the hardware requirements needed to build out an AirWatch environment, it is important to consider the number of managed devices, the device transaction frequency, the device check-in interval, and the number of administrative users that AirWatch will be managing. It may also be beneficial to consider the growth potential of the organization's device fleet.
The sizing recommendations listed below are written against device transaction data gathered from AirWatch Cloud deployments. Sizing for an AirWatch environment should begin with an initial assessment of these critical factors to provide a clear view of expected system usage.

Sizing for 100 to 25,000 Devices


Up to how many devices?                                                  | 100 | 500 | 1,000 | 2,500 | 5,000 | 10,000 | 25,000
-------------------------------------------------------------------------|-----|-----|-------|-------|-------|--------|-------
Database Server: CPU Cores                                               | 1   | 1   | 2     | 2     | 2     | 4      | 8
Database Server: RAM (GB)                                                | 4   | 4   | 4     | 8     | 8     | 16     | 32
Database Server: DB Size (GB)                                            | 10  | 20  | 25    | 50    | 100   | 175    | 250
Database Server: Trans Log Size (GB) (log backups every 15 minutes)      | 3   | 5   | 10    | 20    | 40    | 50     | 100
Database Server: Temp DB (GB)                                            | 3   | 5   | 10    | 20    | 40    | 50     | 100
Database Server: Avg IOPS (DB & Temp DB)                                 | 30  | 30  | 30    | 75    | 150   | 300    | 750
Database Server: Peak IOPS (DB & Temp DB)                                | 40  | 50  | 60    | 150   | 300   | 600    | 1500
Admin Console                                                            | 1x Application Server per 50 concurrent admin users ‡ ± (all sizes)
Device Services                                                          | 1x Application Server ‡ ± (up to 10,000 devices); 2x Application Servers * ‡ (25,000 devices)
Device Services and AWCM                                                 | 1x Application Server ‡ ± (up to 10,000 devices); 2x Application Servers * ‡ (25,000 devices)
SEG Proxy Server †                                                       | See Secure Email Gateway Server Hardware Assumptions on page 28 below
MAG                                                                      | See Mobile Access Gateway Server Hardware Assumptions below

‡ Each Application Server needs to be a virtual machine (VM) configured with at least 2 CPU cores and 4GB RAM.

± When using a single Application Server for the DB, AirWatch Console, and Device Services, add the total RAM requirements in the table above for all three and then verify that the Application Server has the proper amount of RAM installed. If using AWCM on the same server as Device Services, add 4GB RAM for each Application Server.

† If a SEG is implemented (optional), for every 2,000 devices use one CPU core with 2GB of RAM (e.g., 8K devices need 4 CPU cores with 8GB RAM). For every 16K devices you deploy (e.g., 8 CPU cores with 16GB RAM), AirWatch recommends you add a SEG (e.g., 40K devices require three SEGs). For more information, consult the AirWatch Managing and Protecting Mobile Email overview or the AirWatch Secure Email Gateway Proxy Server Configuration Guide.

* Load balancing provided by customer.

Sizing for 50,000 to 250,000+ Devices


Every application, reporting, API and SEG server in this table is sized with 50 GB storage each; "2 LB" means two load-balanced servers.

Up to how many devices?                                              | 50,000                      | 100,000                     | 150,000                     | 200,000
---------------------------------------------------------------------|-----------------------------|-----------------------------|-----------------------------|-----------------------------
Database Server: CPU Cores                                           | 8                           | 16                          | 32                          | 48
Database Server: RAM (GB)                                            | 64                          | 128                         | 192                         | 256
Database Server: DB Size                                             | 500 GB                      | 1 TB                        | 1.5 TB                      | 2 TB
Database Server: Trans Log Size (GB) (log backups every 15 minutes)  | 200                         | 400                         | 600                         | 800
Database Server: Temp DB (GB)                                        | 200                         | 400                         | 600                         | 800
Database Server: Avg IOPS (DB & Temp DB)                             | 1500                        | 3000                        | 4500                        | 6000
Database Server: Peak IOPS (DB & Temp DB)                            | 3000                        | 6000                        | 9000                        | 12000
Admin Console                                                        | 2 LB, 2 CPU cores/4GB RAM   | 2 LB, 2 CPU cores/4GB RAM   | 2 LB, 2 CPU cores/8GB RAM   | 2 LB, 4 CPU cores/8GB RAM
Device Services                                                      | 2 LB, 2 CPU cores/4GB RAM   | 2 LB, 2 CPU cores/8GB RAM   | 2 LB, 4 CPU cores/8GB RAM   | 2 LB, 4 CPU cores/16GB RAM
Device Services with AWCM                                            | 2 LB, 2 CPU cores/8GB RAM   | 2 LB, 2 CPU cores/12GB RAM  | 2 LB, 4 CPU cores/12GB RAM  | 2 LB, 4 CPU cores/20GB RAM
Reporting Server (SSRS)                                              | 1 server, 1 CPU core/4GB RAM | 1 server, 1 CPU core/4GB RAM | 1 server, 1 CPU core/4GB RAM | 1 server, 2 CPU cores/8GB RAM
API Server                                                           | 2 LB, 2 CPU cores/4GB RAM   | 2 LB, 2 CPU cores/4GB RAM   | 2 LB, 4 CPU cores/4GB RAM   | 2 LB, 4 CPU cores/8GB RAM
SEG Proxy Server †                                                   | 4 LB, 4 CPU cores/16GB RAM  | 8 LB, 4 CPU cores/16GB RAM  | 12 LB, 4 CPU cores/16GB RAM | 16 LB, 4 CPU cores/16GB RAM

General Assumptions
The following general assumptions will help you determine whether you need to adjust the hardware requirements shown in the table above to the needs of your environment.
• High Availability is readily achievable in AirWatch but is outside the scope of this document. Contact AirWatch for the relevant High Availability documents for your deployment.

• Sizing estimates include an allocation of 1GB for cumulative app storage. Increase the server disk space and DB disk space to account for increased storage (for example, a 5GB app deployment requires an additional 4GB of disk space for the database and application servers).

• Sizing estimates include an allocation of 1GB for cumulative content storage for the Content Locker. Increase the server disk space to account for increased storage (for example, 5GB of content requires an additional 4GB of disk space for the application servers).

• Servers should be set up in English, if possible.

Application Server Hardware Assumptions

Unless otherwise specified, the following assumptions are made regarding server hardware used to host the AirWatch application(s):
• The AirWatch application may be installed on virtual or physical hardware.

• Servers should provide, at minimum:
  ◦ 1x 64-bit Dual Core Processor, 4GB RAM, 40GB free space for the AirWatch application
  ◦ Microsoft Windows Server 2008 / R2*

Database Server Hardware Assumptions

Unless otherwise specified, the following assumptions are made regarding server hardware used to host the AirWatch database:
• AirWatch recommends using physical hardware for the database server.
  ◦ AirWatch may be deployed using a virtualized database layer, provided the I/O requirements can be met and the overall virtual architecture will support AirWatch's requirements.

• If AirWatch is to be installed on a shared database server, AirWatch should be given its own instance with earmarked resources as defined in the sizing table.

*Windows Server 2008 or Windows Server 2008 R2 (32-bit or 64-bit) with the latest service packs and recommended updates from Microsoft (http://www.update.microsoft.com).

Secure Email Gateway Server Hardware Assumptions

The following assumptions are made regarding server hardware used to host the Secure Email Gateway (SEG) application:
• The AirWatch SEG server should be sized in accordance with the enterprise mail server:
  ◦ Without content transformation (attachment handling, hyperlink security, tagging and so on):
    ▪ 1 CPU core with 2GB RAM for every 2,000 mobile devices
    ▪ 2GB RAM (min) per SEG CPU core
    ▪ Maximum 8 CPUs, 16GB RAM per SEG (16,000 mobile devices)

    Note: Sizing estimates vary based on actual email and attachment usage. Add SEG servers as necessary.

  ◦ With content transformation (attachment handling, hyperlink security, tagging and so on):
    ▪ 1 CPU core with 2GB RAM for every 1,000 mobile devices
    ▪ 2GB RAM (min) per SEG CPU core
    ▪ Maximum 8 CPUs, 16GB RAM per SEG (8,000 mobile devices)

    Note: Sizing estimates vary based on actual email and attachment usage. Add SEG servers as necessary.

• When installing SEG servers in a load balanced configuration, sizing requirements can be viewed as cumulative. For example, a SEG environment requiring 4 CPU cores and 8GB of RAM can be supported by either:
  ◦ One single SEG server with 4 CPU cores and 8GB RAM, or
  ◦ Two load balanced SEG servers with 2 CPU cores and 4GB RAM each

Mobile Access Gateway Server Hardware Assumptions

The following assumptions are made regarding server hardware used to host the Mobile Access Gateway (MAG):

Hardware Requirements per MAG

• Virtual machine (VM) or physical server

• 1 CPU Core (2.0+ GHz)

• 2 GB RAM or higher

• 1 GB Disk (approximate application footprint)

Sizing for up to 100,000 Devices

Number of Devices | Up to 5,000 | 10,000 to 50,000                     | 50,000 to 100,000                    | 100,000+
------------------|-------------|--------------------------------------|--------------------------------------|---------------------------------
CPU Cores         | 1           | 4, or 2 load-balanced w/ 2 CPU cores | 4, or 2 load-balanced w/ 2 CPU cores | 2 load-balanced with 4 CPU cores
RAM (GB)          | 4           | 4                                    | 8                                    | 16

Software Requirements

Overview
This section covers the required software setup for each listed server before the installation can occur. Having this
software pre-installed on servers reduces the installation time required to install AirWatch.

Required Software

Software Requirements                                                | Device Services | Admin Console | Database | SEG
---------------------------------------------------------------------|-----------------|---------------|----------|-----
Windows Server 2008 R2*/2012                                         | •               | •             | •        | •
.NET Framework 3.5 & 4**                                             | •               | •             | •        | •
IIS 7 Server†                                                        | •               | •             |          | •
Microsoft Message Queues (MSMQ)                                      | •               | •             |          | •
Microsoft SQL Server 2008 / R2 / 2012‡ (in 2008 compatibility mode)  |                 |               | •        |

* - Windows Server 2008 R2 (32-bit or 64-bit) with the latest service packs and recommended updates from Microsoft (http://www.update.microsoft.com).
** - .NET Framework 4. A Windows update is required after installation to update additional software components.
† - IIS 7 Server must also have additional role services installed.
‡ - SQL Server 2008, 2008 R2, 2012 (in 100 compatibility mode) with Client Tools (SQL Management Studio, Reporting Services, Integration Services, SQL Server Agent, latest service packs). Note that SQL Server 2008 R2 is recommended, because the Standard Edition does not support all reports.
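The table above can be turned into a per-role pre-installation check. The PowerShell below is an added example, not from the AirWatch guide; the role-to-feature mapping is our reading of the table, and the ServerManager feature names (Web-Server, MSMQ-Server), .NET registry keys and SQL service names are the standard Windows and SQL Server ones, assumed rather than taken from the guide.

```powershell
# Added example, not from the AirWatch guide: reports whether a server carries the software
# the Required Software table lists for one role. Needs the ServerManager module (Windows
# Server 2008 R2 / 2012). The role-to-feature mapping is our reading of the table; the
# feature and service names are the standard Windows and SQL Server ones.
Import-Module ServerManager -ErrorAction Stop

# Device Services, Admin Console and SEG need IIS 7 and MSMQ; the database server needs
# only the OS and .NET rows plus SQL Server itself (checked separately below).
$RoleFeatures = @{
    'DeviceServices' = @('Web-Server', 'MSMQ-Server')
    'AdminConsole'   = @('Web-Server', 'MSMQ-Server')
    'SEG'            = @('Web-Server', 'MSMQ-Server')
    'Database'       = @()
}
# WMI filters for the SQL services the footnote (engine, Agent, Reporting Services) requires,
# covering both a default and a named instance.
$SqlServices = @{
    'SQL Server engine'      = 'Name = ''MSSQLSERVER'' OR Name LIKE ''MSSQL$%'''
    'SQL Server Agent'       = 'Name = ''SQLSERVERAGENT'' OR Name LIKE ''SQLAgent$%'''
    'SQL Reporting Services' = 'Name LIKE ''ReportServer%'''
}

function Write-Check([string]$Name, [bool]$Ok) {
    '{0,-48} {1}' -f $Name, $(if ($Ok) { 'PASS' } else { 'FAIL' })
}

function Test-DotNet35 {
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
    return (Test-Path $key) -and ((Get-ItemProperty $key).Install -eq 1)
}

function Get-DotNet4Version {
    # The v4\Full subkey exists only once the full .NET 4.x profile is installed.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    if (Test-Path $key) { return (Get-ItemProperty $key).Version } else { return $null }
}

function Test-AirWatchSoftware([string]$Role) {
    if (-not $RoleFeatures.ContainsKey($Role)) {
        throw "Unknown role '$Role'; use one of: $($RoleFeatures.Keys -join ', ')"
    }
    $os = (Get-WmiObject Win32_OperatingSystem).Caption
    Write-Check "Windows Server 2008 R2 / 2012 ($os)" ($os -match 'Server 2008 R2|Server 2012')
    Write-Check '.NET Framework 3.5' (Test-DotNet35)
    $v4 = Get-DotNet4Version
    Write-Check ".NET Framework 4 (found: $v4)" ($v4 -ne $null)

    foreach ($feature in $RoleFeatures[$Role]) {
        $f = Get-WindowsFeature -Name $feature
        Write-Check "Role feature: $feature" (($f -ne $null) -and $f.Installed)
    }
    if ($Role -eq 'Database') {
        foreach ($label in $SqlServices.Keys) {
            $svc = Get-WmiObject Win32_Service -Filter $SqlServices[$label]
            Write-Check "$label service installed" ($svc -ne $null)
        }
    }
}

# Usage: name the role this server will host.
Test-AirWatchSoftware -Role 'DeviceServices'
```

The IIS footnote's "additional role services" and the SQL compatibility mode are not covered here; confirm those in IIS Manager and SQL Management Studio respectively.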

Appendix A – Components of AirWatch

Overview
This section details each component of the AirWatch system and indicates whether they are web apps or Windows
services.

AirWatch Device Services


The Device Services server acts as the interface for the AirWatch system to all managed devices. This server is responsible
for receiving check-ins and information updates, while also delivering any queued commands to managed devices. This
server is almost always made available to the public Internet to be accessible by devices with WAN access. Consisting of
an IIS application and multiple Windows Services, the Device Services server can be hardware load balanced across
multiple servers to allow for high availability and distributed load.

Components                          | Description                                                                                                                                   | Web App | Windows Service
------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|---------|----------------
Device Services                     | The web endpoint used for device communication, usually over HTTPS                                                                            | •       |
Device Management                   | The web endpoint used for registration and authentication of users and devices                                                                | •       |
Enroll                              | The web endpoint used to redirect devices to enrollment                                                                                       | •       |
AirWatch App Catalog                | The web endpoint used for the Enterprise App Catalog to render the appropriate applications per device by passing the device UDID as a parameter within the URL | • |
AirWatch Log Manager Queue Monitor  | Processes incoming data samples from Windows Mobile devices                                                                                   |         | •
AirWatch Interrogator Queue Monitor | Processes samples from devices that have been stored in various queues, and writes those samples to the database                              |         | •
AirWatch Interrogator Service       | Handles incoming samples from devices and stores them in a common queue to be processed later                                                 |         | •
AirWatch Master Queue Service       | Processes inbound samples from a device in an intermediate queue, and distributes them to individual batch sample queues                      |         | •
AirWatch Messaging Service          | Sends push messages (e.g., device lock, install profile, etc.) to APNs and cloud messaging services to be delivered to devices                 |         | •

AirWatch Admin Console


The AirWatch Admin Console serves as the central portal where administrators log in to view and manage devices. These servers can be made available to the public Internet, but are often available only internally (inside the corporate network). Consisting of an IIS application and multiple Windows services, the web console can be hardware load balanced across multiple servers to allow for high availability and distributed load.

Components                   | Description                                                                                                            | Web App | Windows Service
-----------------------------|------------------------------------------------------------------------------------------------------------------------|---------|----------------
AirWatch Console             | The web application for the administrative front-end                                                                   | •       |
AirWatch Bulk Import Service | This service manages bulk imports such as User Imports, Profile Imports, etc.                                           |         | •
AirWatch SMS Service         | This service is used by the web console to send messages to devices                                                    |         | •
AirWatch Messaging Service   | This service sends push messages (e.g., device lock, install profile, etc.) to APNs and cloud messaging services to be delivered to devices |  | •

AirWatch Secure Email Gateway


The AirWatch Secure Email Gateway (SEG) can be made available externally to allow compliant devices to sync mail while on a WAN connection. This optional component consists of multiple IIS applications and a Windows service; the SEG server can be hardware load balanced across multiple servers to allow for high availability and distributed load.
Components                        | Description                                                                                                   | Web App | Windows Service
----------------------------------|---------------------------------------------------------------------------------------------------------------|---------|----------------
Microsoft-Server-ActiveSync       | The web endpoint used for device communication, usually over HTTPS*                                          | •       |
SEG Console                       | A panel to see traffic statistics on the Secure Email Gateway                                                 | •       |
AirWatch EAS Integration Service  | Processes mail requests routed through the Secure Email Gateway and writes this info to the Admin Console via the AirWatch API | | •

*The SEG can be used to redirect other mail traffic. In this scenario there would be other endpoints (OWA, Exchange, RPC, etc.) that redirect that traffic to the corresponding page on the mail server.

AirWatch Mobile Access Gateway


Components                     | Description                                        | Web App | Windows Service
-------------------------------|----------------------------------------------------|---------|----------------
AirWatch Mobile Access Gateway | Adds a proxy to all your internal resources        |         |
Content                        | Allows access to all Content endpoints through the MAG |     |

AirWatch Cloud Messaging


Components                        | Description                                                                                               | Web App | Windows Service
----------------------------------|-----------------------------------------------------------------------------------------------------------|---------|----------------
AirWatch Cloud Messaging Service  | Acts as a message hub for all communication between the Console and other AirWatch components, including devices |  | •
