
AirWatch PoC Technical Architecture

A guide for selecting an AirWatch PoC Evaluation Architecture

2013 AirWatch, LLC. All Rights Reserved.


This document, as well as the software described in it, is furnished under license. The information in this manual may only be used in accordance
with the terms of the license. This document should not be reproduced, stored or transmitted in any form, except as permitted by the license or by
the express permission of AirWatch, LLC.
Other product and company names referenced in this document are trademarks and/or registered trademarks of their respective companies.

AirWatch PoC Technical Architecture | v.2013.06 | June 2013


Copyright 2013 AirWatch, LLC. All rights reserved. Proprietary & Confidential.

Table of Contents
Overview
Option 1: Pure Cloud
Option 2: Integrated Cloud
    Integrated Cloud - AirWatch Cloud Connector
    Integrated Cloud - No DMZ
    Integrated Cloud - DMZ Relay
    Integrated Cloud - Reverse Proxy
Option 3: On-Premise Single Server Deployment
Option 4: On-Premise Multiple Server Deployment
Appendix


Overview
The AirWatch Enterprise Mobility Management (EMM) software can be deployed through a variety of cloud or on-premise options to meet an organization's security requirements and IT strategy. This document outlines each of the supported configurations and helps determine the ideal AirWatch architecture for a successful PoC evaluation.
The diagram below displays four deployment options, including both cloud and on-premise architectures.

Cloud

Benefits
- Fastest implementation with minimal client effort
- No significant investment in technology or services
- Minimal or no network changes required
- Automatic software updates

Considerations
- Integration with corporate resources
- Security / datacenter requirements

On Premise

Benefits
- Comply with corporate on-premise security policies
- Direct integration with corporate systems
- Leverage existing infrastructure investments
- Physical and virtual environments supported

Considerations
- Network firewall changes required
- Multiple software and hardware required on-premise

Option 1: Cloud (Pages 4-5)
All devices and admin users point to AirWatch's cloud for device management. No software installed onsite.
Ideal for
- Rapid deployment
- No corporate infrastructure required
Does not integrate with corporate resources.

Option 2: Integrated Cloud (Pages 8-19)
All components in the cloud. Lightweight integration component installed on-premise for backend integration.
Ideal for
- Cloud clients requiring enterprise integration for
    o LDAP / PKI
    o Exchange
    o Content repositories
    o Etc.

Option 3: Single Server (Pages 20-22)
On-premise deployment with a single AirWatch server installed in the DMZ or internal network.
Ideal for
- Leveraging existing infrastructure
- On-premise is required
- Enterprise integration

Option 4: Multi Server (Pages 23-25)
On-premise deployment with multiple servers in the DMZ and internal network for multi-tier firewall architectures.
Ideal for
- Multi-tier networks
- Resources not available to DMZ
- Special security policy compliance
- Server scalability via tier 1-3 deployments

*Note POC fees may apply for On-Premise Deployment


The remainder of this document defines the requirements for the architecture options described above. After choosing a deployment option from the descriptions above, review the following items for the desired deployment choice:
1. Architecture Diagram - high-level design of all data flows.
2. Prerequisite Checklist - complete list of all software and hardware preparations required.
3. Network Requirements - a listing of any port and firewall requirements.


Option 1: Pure Cloud


Cloud configurations are best suited for clients who want to minimize effort and lead times for evaluating the software. This evaluation architecture can be set up in minutes but typically does not offer integration with backend resources due to client security requirements. Integration can easily be added later by installing the AirWatch Cloud Connector and/or Mobile Access Gateway (see Option 2: Integrated Cloud).

Architecture Diagram

Cloud Integration (Optional): SAML, Office 365, Google Apps for Business

Prerequisite Checklist
There are no prerequisites necessary for this deployment option.


Network Requirements
Pure Cloud

| Source Component | Source Host | Destination Component | Destination Host | Destination IP | Protocol | Port | Ref Diagram | Checklist (Yes / No / N/A) |
| Administrators / User Self Service | {ADMIN_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTP/HTTPS | 80/443 | | |
| Administrators / User Self Service | {ADMIN_IP} | Apple iTunes Cloud | itunes.apple.com, ax.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net | any | HTTP/HTTPS | 80/443 | N/S | |
| Administrators / User Self Service | {ADMIN_IP} | Google Play Store | play.google.com | any | HTTP/HTTPS | 80/443 | N/S | |
| Administrators / User Self Service | {ADMIN_IP} | Virtual Earth (GPS Maps) | *.virtualearth.net | any | HTTP/HTTPS | 80/443 | N/S | |
| Devices | {Device_IP} | Apple APNs Cloud | #-courier.push.apple.com, gateway.push.apple.com | 17.0.0.0/8 | TCP | 5223 | | |
| Devices | {Device_IP} | Apple iTunes Cloud | phobos.apple.com, oscp.apple.com, ax.itunes.apple.com | any | HTTP/HTTPS | 80/443 | | |
| Devices | {Device_IP} | Android C2DM Cloud | mtalk.google.com | any | TCP | 5228 | | |
| Devices | {Device_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm | any* | HTTP/HTTPS | 80/443 | | |

* For a list of IP ranges of AW Datacenters click here.


Option 2: Integrated Cloud


This configuration is recommended for clients who wish to leverage the simplicity of cloud deployments but still integrate existing backend resources. Connecting to corporate resources is made simple with the AirWatch Cloud Connector (ACC), which can be installed on a small VM or physical server on-premise. The AirWatch Mobile Access Gateway (MAG) provides a secure gateway allowing devices to access corporate network resources. The ACC and MAG are not co-dependent and should be considered optional components; however, nearly all MAG deployments include ACC.

AirWatch Integration Options


ACC
Certificates and PKI

MAG

Directory Services

Email Infrastructure

SIEM

Content Repositories

++

Corporate Intranet Access

Corporate App Tunnel (App VPN)

+ AirWatch's email attachment encryption feature requires the MAG (SEG component).
++ AirWatch's content repository sync with the Administrative Console requires the ACC.


AirWatch Cloud Connector (Pages 8-10)
Ideal for
- Fast implementation
- Minimal hardware / software on-site

Integrated Cloud - No DMZ (Pages 11-13)
Ideal for
- Clients without a DMZ infrastructure

Integrated Cloud - DMZ Relay (Pages 14-16)
Ideal for
- Clients with an existing DMZ architecture
- Limited connections through DMZ firewall

Integrated Cloud - Reverse Proxy (Pages 17-19)
Ideal for
- Clients with an existing reverse proxy or WAF architecture


Integrated Cloud - AirWatch Cloud Connector


Architecture Diagram

AirWatch Internal Server Includes:

AirWatch Cloud Connector


Prerequisite Checklist
Integrated Cloud - AW Cloud Connector

| Source | Title | Description / Purpose | Checklist (Yes / No / N/A) |
| Hardware | AirWatch Internal Server | Windows Server (physical or virtual). Minimum specification: 1 CPU core (> 2.0 GHz); 2 GB RAM; 1 GB disk space (5 GB if logging is being done) | |
| Software | Windows OS | Windows Server 2008 R2 | |
| Software | .NET Framework 3.5 & 4 | A Windows update is required for .NET 4 after installation to update additional software components. | |
| | Internal Certs (Trust) | Client may need to generate internal certs for the traffic between the external internet interface for the EAS traffic and the Reverse Proxy, F5, SEG, and CAS servers. Details to be determined by the Client architect team. | |
| Firewall Changes | Client Firewall Rules | See Firewall Change Requests below. | |
| Service Accounts | Enterprise Service Accounts (Optional) | If implementing enterprise services, service accounts will need to be created and given specific permissions to allow integration. See Appendix. | |


Network Requirements
Integrated Cloud - AW Cloud Connector

| Row | Source Component | Source Host | Destination Component | Destination Host | Destination IP | Protocol | Port | Ref Diagram | Checklist (Yes / No / N/A) |
| A | AirWatch Internal Server | {InternalServer_IP} | Client EAS/CAS Server(s) | {InternalURL_CAS} | {InternalIP_CAS} | HTTP/HTTPS | 80, 443 | | |
| | AirWatch Internal Server | {InternalServer_IP} | Domain Controller | {InternalURL_DC} | {InternalIP_DC} | LDAP/LDAPS | 389, 636, 3268, 3269 | | |
| | AirWatch Internal Server | {InternalServer_IP} | Enterprise Services (Optional) | {InternalURL_ES} | {InternalIP_ES} | HTTP/HTTPS/SMTP | 80, 443, 25, 465 | | |
| | AirWatch Internal Server | {InternalServer_IP} | Certificate Authority (Optional) | {InternalURL_CA} | {InternalIP_CA} | DCOM | 135, 1025-5000, 49152-65535 | | |
| | AirWatch Internal Server | {InternalServer_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTPS | 443 | | |
| | Administrators / User Self Service | {ADMIN_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTP/HTTPS | 80/443 | | |
| | Administrators / User Self Service | {ADMIN_IP} | Apple iTunes Cloud | *.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net | any | HTTP/HTTPS | 80/443 | N/S | |
| | Administrators / User Self Service | {ADMIN_IP} | Google Play Store | play.google.com | any | HTTP/HTTPS | 80/443 | N/S | |
| | Administrators / User Self Service | {ADMIN_IP} | Virtual Earth (GPS Maps) | *.virtualearth.net | any | HTTP/HTTPS | 80/443 | N/S | |
| | Devices | {Device_IP} | Apple APNs Cloud | #-courier.push.apple.com, gateway.push.apple.com | 17.0.0.0/8 | TCP | 5223 | | |
| | Devices | {Device_IP} | Apple iTunes Cloud | phobos.apple.com, oscp.apple.com, ax.itunes.apple.com | any | HTTP/HTTPS | 80/443 | | |
| | Devices | {Device_IP} | Android C2DM Cloud | mtalk.google.com | any | TCP | 5228 | | |
| | Devices | {Device_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTP/HTTPS | 80/443 | | |

* For a list of IP ranges of AW Datacenters click here.
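The AirWatch Internal Server rows of the table above can serve as an allowlist when reviewing the firewall change request for the ACC host. The following is an added example, not AirWatch code: the rule syntax (`permit <source> <destination> <ports>`), the short destination labels and the sample rules are constructed for illustration, all flows are assumed to be TCP, and the DCOM ranges are read as 1025-5000 and 49152-65535.

```python
"""Audit a firewall change request for the AirWatch Internal Server (ACC host)
against the outbound flows listed in the Network Requirements table."""
from collections import defaultdict


def ports(spec):
    """Expand a port list such as '135,1025-5000' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def ranges(port_set):
    """Compress a set of ports into a compact 'lo-hi' string for reports."""
    spans, start, prev = [], None, None
    for p in sorted(port_set):
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            spans.append((start, prev))
            start = prev = p
    if start is not None:
        spans.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in spans)


# Flows sourced from the AirWatch Internal Server, per the table.
# Keys are short labels invented for this example; all ports assumed TCP.
REQUIRED = {
    "cas": ports("80,443"),                     # Client EAS/CAS Server(s)
    "dc": ports("389,636,3268,3269"),           # Domain Controller
    "es": ports("80,443,25,465"),               # Enterprise Services (Optional)
    "ca": ports("135,1025-5000,49152-65535"),   # Certificate Authority (Optional)
    "saas": ports("443"),                       # AirWatch SaaS
}

# Constructed change request: "permit <source> <destination> <ports>".
SAMPLE_RULES = """
permit acc cas 443
permit acc dc 389,636,3268,3269
permit acc ca 135,1025-5000
permit acc saas 80,443
permit acc any 22          # not in the table at all
permit admin saas 80,443   # different source, ignored by this audit
"""


def audit(rule_text, source="acc", enabled=tuple(REQUIRED)):
    """Return (kind, destination, ports) findings for one source host.

    'missing' = a required flow the rules do not permit;
    'excess'  = a permitted flow the table does not call for.
    """
    allowed = defaultdict(set)
    for line in rule_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 4 or fields[0] != "permit" or fields[1] != source:
            continue
        allowed[fields[2]] |= ports(fields[3])

    findings = []
    for dst in enabled:
        have = allowed.get(dst, set()) | allowed.get("any", set())
        gap = REQUIRED[dst] - have
        if gap:
            findings.append(("missing", dst, ranges(gap)))
    for dst, have in allowed.items():
        extra = have - REQUIRED.get(dst, set())
        if extra:
            findings.append(("excess", dst, ranges(extra)))
    return findings


if __name__ == "__main__":
    # Enterprise Services is optional and not deployed in this constructed case.
    for finding in audit(SAMPLE_RULES, enabled=("cas", "dc", "ca", "saas")):
        print(*finding)
```

The optional components (Enterprise Services, Certificate Authority) are only checked when listed in `enabled`, so an unused integration does not show up as a missing flow.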


Integrated Cloud - No DMZ


Architecture Diagram

AirWatch Internal Server Includes:

AirWatch Cloud Connector


AirWatch Secure Email Gateway
AirWatch Mobile Access Gateway


Prerequisite Checklist
Integrated Cloud - No DMZ

| Source | # | Title | Description / Purpose | Checklist (Yes / No / N/A) |
| Hardware | 1 | AirWatch Internal Server | Windows Server (physical or virtual). Minimum specification: 2 CPU core (> 2.0 GHz); 4 GB RAM | |
| Software | 2 | Windows OS | Windows Server 2008 R2 | |
| Software | 3 | IIS 7 Server | IIS Server must also have additional role services installed. | |
| Software | 4 | .NET Framework 3.5 & 4 | A Windows update is required for .NET 4 after installation to update additional software components. | |
| Software | 5 | Microsoft Messaging Queue (MSMQ) | Enabled on all AirWatch servers. | |
| Software | 6 | Java | Installed on MAG server. | |
| DNS | 7 | External URL | External URL (DNS Record) resolving to the internal AirWatch server | |
| DNS | 8 | Internal CAS URL | Internal URL to relay Exchange ActiveSync traffic from the AirWatch server | |
| Certificates | 9 | Public SSL Certificate | Public trusted SSL Certificate to match the External DNS for the AirWatch SEG/EIS server. | |
| Certificates | 10 | Internal Certs (Trust) | Client may need to generate internal certs for the traffic between the external internet interface for the EAS traffic and the Reverse Proxy, F5, SEG, and CAS servers. Details to be determined by the Client architect team. | |
| Load Balancer | 11 | Load Balancer Setup (Optional) | If installing the SEG/MAG behind a network load balancer, client will need to set up load balancer configuration. Persistence should be set on the SSL session for 15 minutes. See Appendix for more details. | |
| Firewall Changes | 12 | Client Firewall Rules | See Firewall Change Requests below. | |
| Service Accounts | 13 | Enterprise Service Accounts (Optional) | If implementing enterprise services, service accounts will need to be created and given specific permissions to allow integration. See Appendix. | |


Network Requirements
Integrated Cloud - No DMZ

| Row | Source Component | Source Host | Destination Component | Destination Host | Destination IP | Protocol | Port | Ref Diagram | Checklist (Yes / No / N/A) |
| A | AirWatch Internal Server | {InternalServer_IP} | Client EAS/CAS Server(s) | {InternalURL_CAS} | {InternalIP_CAS} | HTTP/HTTPS | 80, 443 | | |
| | AirWatch Internal Server | {InternalServer_IP} | Domain Controller | {InternalURL_DC} | {InternalIP_DC} | LDAP/LDAPS | 389, 636, 3268, 3269 | | |
| | AirWatch Internal Server | {InternalServer_IP} | Enterprise Services (Optional) | {InternalURL_ES} | {InternalIP_ES} | HTTP/HTTPS/SMTP | 80, 443, 25, 465 | | |
| | AirWatch Internal Server | {InternalServer_IP} | Certificate Authority (Optional) | {InternalURL_CA} | {InternalIP_CA} | DCOM | 135, 1025-5000, 49152-65535 | | |
| | AirWatch Internal Server | {InternalServer_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTPS | 443 | | |
| F | Administrators / User Self Service | {ADMIN_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTP/HTTPS | 80/443 | | |
| | Administrators / User Self Service | {ADMIN_IP} | Apple iTunes Cloud | *.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net | any | HTTP/HTTPS | 80/443 | N/S | |
| | Administrators / User Self Service | {ADMIN_IP} | Google Play Store | play.google.com | any | HTTP/HTTPS | 80/443 | N/S | |
| | Administrators / User Self Service | {ADMIN_IP} | Virtual Earth (GPS Maps) | *.virtualearth.net | any | HTTP/HTTPS | 80/443 | N/S | |
| | AirWatch SaaS | See IP list here | AirWatch Server | AW Public URL | AW Public IP | HTTPS | 443 | | |
| | Devices | {Device_IP} | Apple APNs Cloud | #-courier.push.apple.com, gateway.push.apple.com | 17.0.0.0/8 | TCP | 5223 | | |
| | Devices | {Device_IP} | Apple iTunes Cloud | phobos.apple.com, oscp.apple.com, ax.itunes.apple.com | any | HTTP/HTTPS | 80/443 | | |
| | Devices | {Device_IP} | Android C2DM Cloud | mtalk.google.com | any | TCP | 5228 | | |
| N | Devices | {Device_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTP/HTTPS | 80/443 | 10 | |
| O | Devices | {Device_IP} | AirWatch Internal Server | AW Public URL | AW Public IP | HTTPS | 443, 2010, 2020 | 11 | |

* For a list of IP ranges of AW Datacenters click here.


Integrated Cloud - DMZ Relay


Architecture Diagram

AirWatch DMZ Server Includes:

AirWatch Secure Email Gateway


AirWatch Mobile Access Gateway Relay

AirWatch Internal Server Includes:

AirWatch Cloud Connector


AirWatch Mobile Access Gateway Endpoint


Prerequisite Checklist
Integrated Cloud - DMZ Relay

| Source | # | Title | Description / Purpose | Checklist (Yes / No / N/A) |
| Hardware | 1 | AirWatch DMZ Server | Windows Server (physical or virtual). Minimum specification: 2 CPU core (> 2.0 GHz); 4 GB RAM | |
| Software | 2 | Windows OS | Windows Server 2008 R2 | |
| Software | 3 | IIS 7 Server | IIS Server must also have additional role services installed. | |
| Software | 4 | .NET Framework 3.5 & 4 | A Windows update is required for .NET 4 after installation to update additional software components. | |
| Software | 5 | Microsoft Messaging Queue (MSMQ) | Enabled on all AirWatch servers. | |
| Software | 6 | Java | Installed on MAG server. | |
| Software | 7 | AirWatch Software | Available through the administrative console. | |
| DNS | 8 | External URL | External URL (DNS Record) resolving to the AirWatch DMZ server | |
| DNS | 9 | Internal CAS URL | Internal URL to relay traffic from the AirWatch SEG/EIS. | |
| DNS | 10 | Internal URL | Internal URL (DNS Record) resolving to the AirWatch Internal server | |
| Certificates | 11 | Public SSL Certificate (AirWatch DMZ) | Public trusted SSL Certificate to match the External DNS for the AirWatch DMZ server. Required if using SEG / MAG. | |
| Certificates | 12 | Internal Certs (Trust) | Client may need to generate internal certs for the traffic between the external internet interface for the EAS traffic and the Reverse Proxy, F5, SEG, and CAS servers. Details to be determined by the Client architect team. | |
| Load Balancer | 13 | Load Balancer Setup (Optional) | If installing the SEG/MAG behind a network load balancer, client will need to set up load balancer configuration. Persistence should be set on the SSL session for 15 minutes. See Appendix for more details. | |
| Firewall Changes | 14 | Client Firewall Rules | See Firewall Change Requests below. | |
| Service Accounts | 15 | Enterprise Service Accounts (Optional) | If implementing enterprise services, service accounts will need to be created and given specific permissions to allow integration. See Appendix. | |


Network Requirements
Integrated Cloud - DMZ Relay

| Row | Source Component | Source Host | Destination Component | Destination Host | Destination IP | Protocol | Port | Ref Diagram | Checklist (Yes / No / N/A) |
| A | AirWatch DMZ Server | {DMZ_Server_IP} | Client EAS/CAS Server(s) | {InternalURL_CAS} | {InternalIP_CAS} | HTTP/HTTPS | 80, 443 | | |
| | AirWatch DMZ Server | {DMZ_Server_IP} | AirWatch Internal Server | {InternalURL_AWInternal} | {InternalIP_AWInternal} | HTTP/HTTPS | 443, 2010 | | |
| | AirWatch DMZ Server | {DMZ_Server_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTPS | 443 | | |
| | AirWatch Internal Server | {InternalServer_IP} | Internal Network | {InternalURL_DC}, {Internal_BES}, {Internal_ADCS}, {Internal_SMTP}, {Internal_SharePoint}, {InternalURL_CA} | {InternalIP_IP} | DCOM, HTTPS, LDAP/LDAPS, SMTP | 389, 636, 3268, 3269, 135, 443, 25 | | |
| | AirWatch Internal Server | {InternalServer_IP} | AirWatch DMZ Server | AW Public URL | AW Public IP | HTTPS | 443 | | |
| | Administrators / User Self Service | {ADMIN_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTP/HTTPS | 80/443 | | |
| | Administrators / User Self Service | {ADMIN_IP} | Apple iTunes Cloud | itunes.apple.com, ax.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net | any | HTTP/HTTPS | 80/443 | N/S | |
| | Administrators / User Self Service | {ADMIN_IP} | Google Play Store | play.google.com | any | HTTP/HTTPS | 80/443 | N/S | |
| | Administrators / User Self Service | {ADMIN_IP} | Virtual Earth (GPS Maps) | *.virtualearth.net | any | HTTP/HTTPS | 80/443 | N/S | |
| | AirWatch SaaS | See IP list here | AirWatch DMZ Server | AW Public URL | AW Public IP | HTTPS | 443 | | |
| | Devices | {Device_IP} | Apple APNs Cloud | #-courier.push.apple.com, gateway.push.apple.com | 17.0.0.0/8 | TCP | 5223 | | |
| | Devices | {Device_IP} | Apple iTunes Cloud | phobos.apple.com, oscp.apple.com, ax.itunes.apple.com | any | HTTP/HTTPS | 80/443 | | |
| | Devices | {Device_IP} | Android C2DM Cloud | mtalk.google.com | any | TCP | 5228 | 10 | |
| N | Devices | {Device_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTP/HTTPS | 80/443 | 11 | |
| O | Devices | {Device_IP} | AirWatch DMZ Server | AW Public URL | AW Public IP | HTTPS | 443, 2010, 2020 | 12 | |

* For a list of IP ranges of AW Datacenters click here.


Integrated Cloud - Reverse Proxy


Architecture Diagram

AirWatch Internal Server Includes:

AirWatch Cloud Connector


AirWatch Secure Email Gateway
AirWatch Mobile Access Gateway


Prerequisite Checklist
Cloud with Integration DMZ Reverse Proxy

| Source | # | Title | Description / Purpose | Checklist (Yes / No / N/A) |
| Hardware | 1 | AirWatch Internal Server | Windows Server (physical or virtual). Minimum specification: 2 CPU core (> 2.0 GHz); 4 GB RAM | |
| Software | 2 | Windows OS | Windows Server 2008 R2 | |
| Software | 3 | IIS 7 Server | IIS Server must also have additional role services installed. | |
| Software | 4 | .NET Framework 3.5 & 4 | A Windows update is required for .NET 4 after installation to update additional software components. | |
| Software | 5 | Microsoft Messaging Queue (MSMQ) | Enabled on all AirWatch servers. | |
| Software | 6 | Java | Installed on MAG. | |
| Software | 7 | AirWatch Software | Will be provided to Client during install. | |
| DNS | 8 | External URL | External URL (DNS Record) resolving to the AirWatch Internal server | |
| DNS | 9 | Internal CAS URL | Internal URL to relay Exchange ActiveSync traffic from the AirWatch server | |
| Certificates | 10 | Public SSL Certificate | Public trusted SSL Certificate to match the External DNS for the AirWatch Internal server address | |
| Certificates | 11 | Internal Certs (Trust) | Client may need to generate internal certs for the traffic between the external internet interface for the EAS traffic and the Reverse Proxy, F5, SEG, and CAS servers. Details to be determined by the Client architect team. | |
| Certificates | 12 | MAG SSL Cert | The MAG SSL certificate must be installed on the reverse proxy. | |
| Load Balancer | 13 | Load Balancer Setup (Optional) | If installing AirWatch behind a network load balancer, client will need to set up load balancer configuration. Persistence should be set on the SSL session for 15 minutes. See Appendix for more details. | |
| Firewall Changes | 14 | Client Firewall Rules | See Firewall Change Requests below. | |
| Service Accounts | 15 | Enterprise Service Accounts (Optional) | If implementing enterprise services, service accounts will need to be created and given specific permissions to allow integration. See Appendix. | |


Network Requirements
Integrated Cloud DMZ Reverse Proxy

| Row | Source Component | Source Host | Destination Component | Destination Host | Destination IP | Protocol | Port | Ref Diagram | Checklist (Yes / No / N/A) |
| A | AirWatch Internal Server | {InternalServer_IP} | Client EAS/CAS Server(s) (Optional) | {InternalURL_CAS} | {InternalIP_CAS} | HTTP/HTTPS | 80, 443 | | |
| | AirWatch Internal Server | {InternalServer_IP} | Enterprise Services (Optional) | {InternalURL_DC}, {Internal_BES}, {Internal_ADCS}, {Internal_SMTP}, {Internal_SharePoint}, {InternalURL_CA} | {InternalIP_IP} | DCOM, HTTPS, LDAP/LDAPS/SMTP | 389, 636, 3268, 3269, 135, 443, 25 | | |
| | AirWatch Internal Server | {InternalServer_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTPS | 443 | | |
| D | Administrators / User Self Service | {ADMIN_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTP/HTTPS | 80/443 | | |
| | Administrators / User Self Service | {ADMIN_IP} | Apple iTunes Cloud | *.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net | any | HTTP/HTTPS | 80/443 | N/S | |
| | Administrators / User Self Service | {ADMIN_IP} | Google Play Store | play.google.com | any | HTTP/HTTPS | 80/443 | N/S | |
| | Administrators / User Self Service | {ADMIN_IP} | Virtual Earth (GPS Maps) | *.virtualearth.net | any | HTTP/HTTPS | 80/443 | N/S | |
| | AirWatch SaaS | See IP list here | AirWatch Internal Server | AW Public URL | AW Public IP | HTTPS | 443 | | |
| | Devices | {Device_IP} | Apple APNs Cloud | #-courier.push.apple.com, gateway.push.apple.com | 17.0.0.0/8 | TCP | 5223 | | |
| | Devices | {Device_IP} | Apple iTunes Cloud | phobos.apple.com, oscp.apple.com, ax.itunes.apple.com | any | HTTP/HTTPS | 80/443 | | |
| | Devices | {Device_IP} | Android C2DM Cloud | mtalk.google.com | any | TCP | 5228 | | |
| L | Devices | {Device_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTP/HTTPS | 80/443 | | |
| M | Devices | {Device_IP} | AirWatch Internal Server | AW Public URL | AW Public IP | HTTPS | 443, 2010, 2020 | 10 | |

* For a list of IP ranges of AW Datacenters click here.


Option 3: On-Premise Single Server Deployment


This configuration allows for simplified installation and maintenance for smaller deployments, while allowing future scalability and flexibility for high availability. A single-server deployment allows for easy integration with enterprise services, as well as simplified control and validation over the entire environment. Single-server configurations are commonly deployed in DMZ architectures where the entire solution is installed on one physical or virtual server. WAF or TMG solutions are also commonly used to proxy internet-facing endpoints.

Architecture Diagram

AirWatch Internal Server Includes:

AirWatch Console
AirWatch Device Services
AirWatch Secure Email Gateway
AirWatch Mobile Access Gateway


Prerequisite Checklist
On-Premise Single Server

| Source | # | Title | Description / Purpose | Checklist (Yes / No / N/A) |
| Hardware | 1 | AirWatch Internal Server | Windows Server to install the AirWatch Server Software (physical or virtual). Minimum specification: 2 CPU core (> 2.0 GHz); 6 GB RAM; ~100 GB drive | |
| Hardware | 2 | Reverse Proxy Server (Optional) | Client may choose an existing server to use for the reverse proxy or install a dedicated server that meets their specifications | |
| Software | 3 | Windows OS | Windows Server 2008 R2 | |
| Software | 4 | SQL Server | Microsoft SQL Server 2008 (2008 R2 Recommended). Required on Database server | |
| Software | 5 | SQL Server Reporting Services | Microsoft SQL Server Reporting Services 2008 (2008 R2 Recommended) | |
| Software | 6 | IIS 7 Server | IIS Server must also have additional role services installed. | |
| Software | 7 | .NET Framework 3.5 & 4 | A Windows update is required for .NET 4 after installation to update additional software components. | |
| Software | 8 | Microsoft Messaging Queue (MSMQ) | Enabled on all AirWatch servers. | |
| Software | 9 | Java | Installed on MAG server. | |
| DNS | 10 | External Public URL | External URL (DNS Record) for AirWatch Server, public internet facing (https://company.mdm.com) | |
| DNS | 11 | Internal CAS URL (optional) | Internal URL to relay traffic from the AirWatch SEG to the ActiveSync CAS server. | |
| DNS | 12 | Internal DC URL (optional) | Client Internal Domain (AD) DNS to use to connect from the AirWatch server to the AD for authenticating users | |
| DNS | 13 | Internal CA Host (optional) | Internal hostname and CA issuing name of the CA or SCEP endpoint. | |
| Certificates | 14 | Public SSL Certificate | Public trusted SSL Certificate to match the External DNS for the AirWatch SEG/EIS server. (If applicable) | |
| Certificates | 15 | Internal Certs (Trust) | Client may need to generate internal certs for the traffic between the external internet interface for the EAS traffic and the Reverse Proxy, F5, SEG, and CAS servers. Details to be determined by the Client architect team. | |
| Certificates | 16 | MAG SSL Cert | The MAG SSL certificate must be installed on the reverse proxy. | |
| Firewall Changes | 17 | Client Firewall Rules | See Firewall Change Requests below. | |
| Load Balancer | 18 | Load Balancer Setup (Optional) | If installing AirWatch behind a network load balancer, client will need to set up load balancer configuration. Persistence should be set on the SSL session for 15 minutes. See Appendix for more details. | |
| Service Accounts | 19 | Enterprise Service Accounts (Optional) | If implementing enterprise services, service accounts will need to be created and given specific permissions to allow integration. See Appendix. | |


Network Requirements
On-Premise Single Server

| Source Component | Source Host | Destination Component | Destination Host | Destination IP | Protocol | Port | Ref Diagram | Checklist (Yes / No / N/A) |
| AirWatch Internal Server | {InternalServer_IP} | Internal Network | {InternalURL_DC}, {Internal_CAS}, {Internal_BES}, {Internal_ADCS}, {Internal_SMTP}, {Internal_SharePoint} | {Internal_IPs} | DCOM, HTTPS, LDAP/LDAPS, SMTP | 389, 636, 3268, 3269, 135, 443, 25, 465 | | |
| AirWatch Internal Server | {InternalServer_IP} | Apple APNs Cloud | gateway.push.apple.com, feedback.push.apple.com | 17.0.0.0/8 | TCP | 2195, 2196 | | |
| AirWatch Internal Server | {InternalServer_IP} | Apple iTunes Cloud | *.itunes.apple.com, *.phobos.apple.com | any | HTTP/HTTPS | 80, 443 | | |
| AirWatch Internal Server | {InternalServer_IP} | Google Play Store | play.google.com | any | HTTP/HTTPS | 80, 443 | N/S | |
| AirWatch Internal Server | {InternalServer_IP} | Android C2DM Cloud | android.googleapis.com, android.apis.google.com, www.google.com, google.com | any | HTTPS | 443 | | |
| AirWatch Internal Server | {InternalServer_IP} | CellTrust's SMS Gateway (optional) | gateway.celltrust.net | 162.42.205.0/24 | HTTPS | 443 | N/S | |
| AirWatch Internal Server | {InternalServer_IP} | AirWatch Certificate Portal | awcp.air-watch.com | any* | HTTPS | 443 | N/S | |
| AirWatch Internal Server | {InternalServer_IP} | SSL Signing Cert CRL | Ex. ocsp.verisign.com | TBD | HTTP | 80 | N/S | |
| AirWatch Internal Server | {InternalServer_IP} | SQL Server | {SQLServer_Name} | {SQLServer_IP} | TCP | 1433 | | |
| AirWatch Internal Server | {InternalServer_IP} | SQL Server Reporting Svc | {SSRS_Name} | {SSRS_IP} | HTTP | 80 | | |
| AirWatch Internal Server | {InternalServer_IP} | AW Autodiscovery Server | discovery.awmdm.com | 209.208.230.100 | HTTPS | 443 | | |
| Administrators / User Self Service | {ADMIN_IP} | AirWatch Internal Server | {InternalServer} | {InternalServer_IP} | HTTP/HTTPS | 80, 443 | | |
| Administrators / User Self Service | {ADMIN_IP} | Virtual Earth (GPS Maps) | *.virtualearth.net | any | HTTP/HTTPS | 80, 443 | N/S | |
| Devices | {Device_IP} | Apple APNs Cloud | #courier.push.apple.com, gateway.push.apple.com | 17.0.0.0/8 | TCP | 5223 | 10 | |
| Devices | {Device_IP} | Apple iTunes Cloud | phobos.apple.com, oscp.apple.com, ax.itunes.apple.com | any | HTTP/HTTPS | 80, 443 | 11 | |
| Devices | {Device_IP} | Android C2DM Cloud | mtalk.google.com | any | TCP | 5228 | 12 | |
| Devices | {Device_IP} | AirWatch Server | AW Public URL | AW Public IP | HTTP/HTTPS | 80, 443, 2001, 2010, 2020 | 13 | |
| Devices | {Device_IP} | AirWatch Autodiscovery Server | discovery.awmdm.com | 209.208.230.100 | HTTPS | 443 | 14 | |

* For a list of IP ranges of AW Datacenters click here.


Option 4: On-Premise Multiple Server Deployment


A multi-server deployment is recommended for organizations managing a larger number of devices and/or those wanting to utilize a DMZ. In a setup using a DMZ, any of the AirWatch components actively communicating with devices should be placed outside of the organization's internal network. Several advantages of this configuration include:
- Increased security of external-facing services, such as the AirWatch Device Services component, Secure Email Gateway, and Mobile Access Gateway, by placing them in the network's DMZ to quarantine incoming traffic while preventing external visibility to internal resources.

Architecture Diagram

AirWatch DMZ Server Includes:

AirWatch Device Services


AirWatch Secure Email Gateway
AirWatch Mobile Access Gateway

AirWatch Internal Server Includes:

AirWatch Console Services


AirWatch Cloud Connector


Prerequisite Checklist
On-Premise Multi Server
Source

Title

Description / Purpose

AirWatch Internal
Server
(Internal)

AirWatch DMZ
Server

Windows OS

SQL Server

SQL Server Reporting
Services

IIS 7 Server

.NET Framework 3.5 & 4

A Windows update is required for .NET 4 after installation to update additional software components.

Microsoft Messaging
Queue (MSMQ)

Enabled on all AirWatch servers.

Java

10

External URL

11

Internal CAS URL

11

Internal URL

12

Public SSL Certificate


(AirWatch DMZ)

13

SSL Certificate
(AirWatch Internal)

Load
Balancer

14

Load Balancer Setup


(Optional)

Firewall
Changes

15

Client Firewall Rules

Service
Accounts

16

Enterprise Service
Accounts
(Optional)

Hardware

Yes

No

N/A

Windows Server to install the AirWatch Server Software


Minimum specification:
- 2 CPU cores (> 2.0 GHz)
- 6 GB RAM
~100 GB Drive
(physical or virtual)
Windows Server to install Enterprise Integration Software
Minimum specification:
- 2 CPU cores (> 2.0 GHz)
- 4 GB RAM
(physical or virtual)
Windows Server 2008 R2
Microsoft SQL Server 2008 (2008 R2 Recommended) Required on Database server

DNS

Certificates

IIS Server must also have additional role services installed.

Checklist

Software

Microsoft SQL Server Reporting Services 2008 (2008 R2 Recommended)

Installed on MAG server.


External URL (DNS Record) resolving to the AirWatch DMZ server
Internal URL to relay traffic from the AirWatch SEG server.
Internal URL (DNS Record) resolving to the AirWatch Internal server
Public trusted SSL Certificate to match the External DNS for the AirWatch DMZ
server.
SSL certificate to match the Internal URL for the AirWatch Internal server.

If installing AirWatch behind a network load balancer, the client will need to set up the load
balancer configuration. Persistence should be set on the SSL session for 15 minutes.
See Appendix for more details.
See Firewall Change Requests below.
If implementing enterprise services, service accounts will need to be created and
given specific permissions to allow integration. See Appendix.


Network Changes
On-Premise Multi Server

AirWatch
Internal Server

AirWatch DMZ
Server

Source Host

Destination Host

Internal
Network

{InternalURL_DC}
{Internal_CAS}
{Internal_BES}
{Internal_ADCS}
{Internal_SMTP}
{Internal_SharePoint}

{Internal_IPs}

DCOM
HTTPS
LDAP/LDAPS
SMTP

SQL Server
SQL Server
Reporting Sync

{SQLServer_Name}

{SQLServer_IP}

TCP

389, 636,
3268,
3269,
135,
443,
25,
465
1433

{SQLServer_Name}

{SQLServer_IP}

HTTP/HTTPS

80,443

Apple APNs
Cloud

gateway.push.apple.com
feedback.push.apple.com

17.0.0.0/8

TCP

2195,
2196

Apple iTunes
Cloud
Google Play
Store

*.itunes.apple.com
*.phobos.apple.com

any

HTTP/HTTPS

80,443

play.google.com

any

HTTP/HTTPS

80,443

Destination IP

Protocol

Port

Ref
Diagram

{InternalServer_IP}

{InternalServer_IP}

{InternalServer_IP}

{InternalServer_IP}

{InternalServer_IP}

{InternalServer_IP}

{InternalServer_IP}

Google Cloud
Messaging

android.googleapis.com
android.apis.google.com
www.google.com
google.com

any

TCP

443

N/S

{InternalServer_IP}

CellTrust SMS

gateway.celltrust.net

162.42.205.0/24

HTTPS

443

N/S

{InternalServer_IP}

AW DMZ
Server

{DMZServer_Name}

{DMZServer_IP}

TCP

443,
2001

{InternalServer_IP}

AirWatch
autodiscovery
Server

discovery.awmdm.com

209.208.230.100

HTTPS

443

{DMZ_Server_IP}
(SEG only)

Client CAS
Server(s)

{InternalURL_EAS}

{InternalIP_EAS}

HTTPS

443

{DMZ_Server_IP}

Apple APNs
Cloud

gateway.push.apple.com

17.0.0.0/8

TCP

2195,
2196

{DMZ_Server_IP}

Google Cloud
Messaging

any

TCP

443

10

{DMZ_Server_IP}

any

HTTP

N/S

{DMZ_Server_IP}

{InternalServer_URL}

{InternalServer_IP}

HTTPS

80
443,
2010

{DMZ_Server_IP}

{SQLServer_Name}

{SQLServer_IP}

TCP

1433

discovery.awmdm.com

209.208.230.100

HTTPS

443

17

*.virtualearth.net

any

HTTP/HTTPS

80,443

N/S

{InternalServer_URL}

{InternalServer_IP}

HTTP/HTTPS

80,443

12

{DMZ_Server_URL}

{DMZ_Server_IP}

HTTP/HTTPS

80,443

N/S

17.0.0.0/8

TCP

5223

13

any

HTTP/HTTPS

80,443

14

any

TCP

5228

15

16

18

SSL Cert CRL


AirWatch
Internal Server
SQL Server
AirWatch
autodiscovery
Server
Virtual Earth
(GPS Maps)
AirWatch
Internal Server

{DMZ_Server_IP}

{ADMIN_IP}

{ADMIN_IP}

{USER_IP}

AirWatch DMZ
Server

{Device_IP}

Apple APNs
Cloud

{Device_IP}

Apple iTunes
Cloud

{Device_IP}

Android C2DM
Cloud

Administrators

Self Service
Portal

Destination
Component

android.googleapis.com
android.apis.google.com
www.google.com
google.com
TBD

#-courier.push.apple.com
gateway.push.apple.com
phobos.apple.com
oscp.apple.com
ax.itunes.apple.com
mtalk.google.com

Devices
X

{Device_IP}

AirWatch
Server

{DMZ_Server_URL}

Public IP

HTTP/HTTPS

80,
443,
2001,
2010,
2020

{Device_IP}

AirWatch
autodiscovery
Server

discovery.awmdm.com

209.208.230.100

HTTPS

443

Yes

No

N/A

Checklist

Source
Component

11
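The fixed-destination rows of the Network Changes tables can be used to review a firewall change request before it is implemented. The following is an added example, not part of the AirWatch document: it checks a constructed rule list against the APNs, CellTrust and autodiscovery destinations and ports listed above. The rule names, the tuple format and the `audit` function are assumptions made for illustration.

```python
import ipaddress

# Fixed-destination outbound flows from the page's network-change tables:
# name -> (destination network, TCP ports). CellTrust is marked optional there.
REQUIRED = {
    "Apple APNs": ("17.0.0.0/8", {2195, 2196}),
    "CellTrust SMS": ("162.42.205.0/24", {443}),
    "AirWatch autodiscovery": ("209.208.230.100/32", {443}),
}

def _net(dst):
    # Treat the firewall keyword "any" as the whole IPv4 space.
    return ipaddress.ip_network("0.0.0.0/0" if dst == "any" else dst)

def audit(rules):
    """Compare proposed TCP egress rules with the documented flows.

    rules: list of (name, dst, ports) tuples; dst is a CIDR or "any".
    Returns (missing, too_broad): flows with no covering rule, and
    rules that reach further than the documented destination needs.
    """
    missing, too_broad = [], []
    for flow, (cidr, ports) in REQUIRED.items():
        need = ipaddress.ip_network(cidr)
        for port in sorted(ports):
            covering = [r for r in rules
                        if port in r[2] and need.subnet_of(_net(r[1]))]
            if not covering:
                missing.append((flow, port))
            for name, dst, _ in covering:
                if _net(dst) != need and (name, flow) not in too_broad:
                    too_broad.append((name, flow))
    return missing, too_broad

# Constructed change request for the AirWatch Internal server (sample data).
PROPOSED = [
    ("fw-101", "any", {2195, 2196}),            # wider than 17.0.0.0/8
    ("fw-102", "209.208.230.100/32", {443}),    # matches the table exactly
]

if __name__ == "__main__":
    missing, too_broad = audit(PROPOSED)
    print("missing:", missing)
    print("wider than documented:", too_broad)
```

Rows that the tables list with destination "any" (iTunes, Google Play, Google Cloud Messaging) are left out of `REQUIRED`, so a flagged rule on port 443 may still be needed for one of those flows.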


Appendix
The table below lists the required service accounts needed to integrate with backend enterprise services.
Service Accounts
Source

Title

SQL Service Account

LDAP Binding
Account

Enterprise
Integration Service
Account

Description / Purpose

Yes

No

N/A

SQL service account to install the AirWatch database.


Requires the System Administrator Permission.
Client LDAP service account to authenticate binding requests into the Client LDAP
directory for all users in the desired OU.
If implementing SCEP, CA, BES, Exchange 2010 PowerShell or SMTP authentication,
an AirWatch service account will need to be created and assigned to the AirWatch
Enterprise Integration Server. This account requires the Remote Services Permission
in AirWatch.
AirWatch Enterprise Integration Service Guide
Client CA service account to issue and revoke certificates from the CA.
Requires these permissions on the CA:
Issue and Manage Certificates

Certificate Authority
Service Account

Request Certificates
Requires these permissions on the Certificate Template:
Read
Enroll
AirWatch Certificate Management
Exchange 2010 and Office 365 permissions:

Service
Accounts

Organization Client Access


5

PowerShell Service
Account

Mail Recipients
Recipient Policies (only if deploying Windows Phone Devices)
AirWatch PowerShell Email Configuration Guide

BES Service Account

SharePoint Service
Account

Installation Admin
Rights

SMTP

10

SCCM

AirWatch BES Integration Guide


Service Account permissions can be found in Appendix A1.
Account with read rights to the content repository to view and index content.
The Browse Directories permission must be enabled on SharePoint.
AirWatch SharePoint Integration Guide
An account to run the AirWatch software installation with administrative rights on
the AirWatch servers and SA permissions on the database to setup maintenance
scripts.
SMTP account to relay emails from the system
AirWatch SCCM Integration Guide


Additional Notes

Apple APNs
For a successful APNs connection, the following has to occur from a device: NSLookup gateway.push.apple.com for the TXT record, then open a
connection to #-courier.push.apple.com on port 5223, where # is the result returned from the TXT record on gateway.push.apple.com.

Load Balancer
Load balancers are to be configured with a round robin load balancing mechanism and SSL session persistence of 15 minutes.
Load balancers are also recommended to redirect all HTTP requests to HTTPS.
SSL offloading is supported for all services except API services. If offloading SSL, the load balancer must forward secure cookies to and from the
AirWatch servers.

Public DNS
External DNS needed for email proxy server
External DNS needed for AirWatch Device Services

Public Trusted SSL Cert


Matching public trusted SSL certs for the public DNS setup for the email proxy server and Device Services Server are required. These certs
must be issued from a valid issuing authority (e.g. VeriSign, GeoTrust, GoDaddy, etc.)

Public IP
A public IP address to access the AirWatch email proxy server from the Internet (HTTPS)
A public IP address to access the AirWatch Device Services server from the Internet (HTTPS)

Proxy
The AirWatch servers can be configured with a proxy / PAC file for outbound internet access. Apple APNs traffic, however, is not HTTP
traffic, and cannot be proxied through traditional HTTP proxies. This traffic must go straight out to the internet, or through an
application/SOCKS proxy.

Kerberos Delegation
If using client certificates for email authentication, the SEG server must be joined to the same domain as the backend CAS server and
Kerberos Delegation must be set up in AD between the AirWatch SEG and the CAS server(s). In addition, valid SPNs must be set in AD for
the public URL used by the SEG server.

HTTP PUT
iOS MDM requires the support of HTTP PUT commands from the iOS device to the AirWatch MDM server (Device Services)


A1 BES Service Account


BES service account permissions required for integration:
User and Device

Note: Topology and BlackBerry Administration Service setup permissions are not necessary.
