
AirWatch Mobile Access Gateway Installation Guide for Windows


Installing the MAG for your AirWatch environment

AirWatch v8.0

© 2015 VMware, Inc. All rights reserved.


This document, as well as the software described in it, is furnished under license. The information in this manual may only be used in accordance with the terms of the license. This
document should not be reproduced, stored or transmitted in any form, except as permitted by the license or by the express permission of AirWatch, LLC.
All other marks and names mentioned herein may be trademarks or trade names of their respective companies.

AirWatch Mobile Access Gateway Installation Guide for Windows | v.2015.07 | July 2015
Copyright © 2015 VMware, Inc. All rights reserved. Proprietary & Confidential.
Table of Contents
What's New
Introduction to Mobile Access Gateway Installation for Windows
    In This Guide
    Terminology
Before You Begin
    In This Section
    Requirements
    Recommended Reading
    Getting Started
Prerequisites for MAG Proxy/Content Connectivity for SaaS Environments
Prerequisites for MAG Proxy/Content Connectivity for On-Premise Environments
Installation Preparation
    Overview
    Performing Preliminary Installation Steps
Configure MAG Proxy/Content
MAG Proxy/Content Installation for a Relay-Endpoint Configuration on Windows
    Overview
    Installing the MAG
MAG Proxy/Content Installation for a Basic (Endpoint only) Configuration on Windows
    Overview
    Installing MAG for Basic (Endpoint only) Configurations
Appendix: SSL Offloading
    Overview
    SSL Offloading Traffic Flow
    Enabling SSL Offloading
Appendix: Upgrading the Component
    Upgrading the MAG for Windows Proxy/Content Components
Appendix: Kerberos KDC Proxy Support
    How to Access Logs
Appendix: Outbound Proxies using PAC Files
    For Windows
Finding Additional Documentation

What's New
This guide has been updated with the latest features and functionality from the most recent release of AirWatch v8.0. The
list below includes these new features and the sections and pages on which they appear.
- The MAG configuration process now lets you use enterprise CA certificates to authenticate devices against the MAG Proxy component. See Configure MAG Proxy/Content on Windows for more information.

Introduction to Mobile Access Gateway Installation for Windows
This document describes the Windows installation process for the AirWatch Mobile Access Gateway (MAG), which is an
enterprise integration component that provides a secure and effective method for individual applications to access
corporate resources. For more information about how you can leverage MAG, architecture and security information, and
AirWatch Admin Console settings to manage the MAG's functionality, please refer to the AirWatch Mobile Access
Gateway Admin Guide, available via AirWatch Resources.
A separate version of this guide exists with instructions on the AirWatch Tunnel for Linux installation process. Please
search AirWatch Resources for the Mobile Access Gateway Installation Guide for Linux to view it.

In This Guide
- Before You Begin – Ensure your deployment meets the necessary hardware, sizing, software and firewall requirements before attempting to install the MAG.
- MAG Installation Preparation – Perform some preliminary steps to ensure a smooth installation of the MAG.
- MAG Proxy/Content Installation for a Relay-Endpoint Configuration on Windows – Run the MAG installer for a relay-endpoint configuration.
- MAG Proxy/Content Installation for a Basic Configuration on Windows – Run the MAG installer for a basic (endpoint only) configuration.
- Appendix – SSL Offloading – Read more about how to enable SSL Offloading for the MAG.
- Appendix – Upgrading the MAG – Read more about how to upgrade the MAG from one version to the next.
- Appendix – Kerberos KDC Proxy Support – Read more about enabling Kerberos authentication functionality.
- Appendix – Outbound Proxies using PAC Files – Read more about steps you should follow if you are accessing outbound proxies through the MAG that use a PAC file and also require authentication.

Terminology
Reading over the following terminology as it relates to the various components of the MAG will aid your understanding of the technology.
- MAG – Mobile Access Gateway. The generic term for the two components that comprise it: Proxy and Content.
- Proxy – The MAG component that handles securing traffic between an end-user device and a website via the AirWatch Browser mobile app.
- Content – The MAG component that handles securing end-user access to corporate resources such as a file server via the AirWatch Content Locker mobile app.
- App Wrapping – Functionality that lets you secure enterprise applications without code changes. It can add an extra layer of security and data loss prevention while offering a consistent user experience.

Before You Begin


This section covers topics and prerequisites you should familiarize yourself with so you can get the most out of using this
guide.

In This Section
- Requirements – See a list of requirements you must meet before installing the MAG.
- Recommended Reading – See a list of additional guides that contain supplemental information about MAG.
- Getting Started – See additional considerations you should know before you begin.

Requirements
- For a complete listing of all requirements for installing MAG in a SaaS environment, refer to Prerequisites for MAG Proxy/Content Connectivity for SaaS Environments.
- For a complete listing of all requirements for installing MAG in an on-premise environment, refer to Prerequisites for MAG Proxy/Content Connectivity for On-Premise Environments.

Recommended Reading
- AirWatch Cloud Messaging (AWCM) Guide – This guide walks on-premise customers through setting up the AWCM service, which is required for using MAG.
- AirWatch Mobile Access Gateway Admin Guide – This guide provides an overview of the MAG and how to enable MAG functionality within the AirWatch Admin Console.
- AirWatch On-Premise Configuration Guide – This guide details the various aspects of an on-premise deployment, including hardware sizing, high availability, monitoring/maintenance, and so on.

Getting Started
- Note the following distinction between on-premise and SaaS deployments:
  - On-premise refers to AirWatch deployments where your organization hosts all AirWatch components and servers on its internal networks.
  - SaaS refers to AirWatch deployments where certain AirWatch components, such as the Console and API servers, are hosted in the cloud by AirWatch.
- Before continuing with MAG installation, ensure AWCM is configured and operational. If you are an on-premise customer, refer to the AWCM Guide, available via AirWatch Resources, for instructions on how to configure AWCM before installing the MAG.
- Ensure you have performed all the necessary preliminary steps in MAG Installation Preparation.

Prerequisites for MAG Proxy/Content Connectivity for SaaS Environments
Hardware Requirements

| Status Checklist | Requirement | Notes |
|---|---|---|
| | VM or Physical Server (64-bit) | 1 CPU Core (2.0+ GHz)*; 2 GB RAM or higher; 5 GB Disk Space. *An Intel processor is required. |

Sizing for up to 100,000 Devices

| Number of Devices | Up to 5,000 | 5,000 to 50,000 | 50,000 to 100,000 | 100,000+ |
|---|---|---|---|---|
| CPU Cores | 1 | 4 or 2 load-balanced w/ 2 CPU Cores | 4 or 2 load-balanced w/ 2 CPU Cores | 2 load-balanced with 4 CPU Cores |
| RAM (GB) | 4 | 4 | 8 | 16 |

General Requirements

| Status Checklist | Requirement | Notes |
|---|---|---|
| | Remote access to Windows Servers available to AirWatch and Administrator rights | Recommended to set up Remote Desktop Connection Manager for multiple server management; the installer can be downloaded from http://www.microsoft.com/en-us/download/confirmation.aspx?id=21101 |
| | Installation of Notepad++ (Recommended) | Installer can be downloaded from http://download.tuxfamily.org/notepadplus/6.5.1/npp.6.5.1.Installer.exe |

Software Requirements

| Status Checklist | Requirement | Notes |
|---|---|---|
| | Windows Server 2008 R2 or Windows Server 2012 or Windows Server 2012 R2 | |
| | Install Role from Server Manager | IIS 7.0 (Server 2008 R2); IIS 8.0 (Server 2012 or Server 2012 R2); IIS 8.5 (Server 2012 R2 only) |
| | Install .NET Framework 4.5.2 | The installer will install this version of .NET provided the server has Internet access. Otherwise, download and manually install it. |
| | Install 64-bit Java Runtime Environment version 7 or greater | Download from https://java.com/en/download/index.jsp. Note: Ensure 32-bit Java is not installed. |
| | Internally registered DNS | Register the MAG relay (If Relay-Endpoint) or register the MAG Endpoint (If Endpoint only) |
| | Externally registered DNS | Register the MAG relay (If Relay-Endpoint) or register the MAG Endpoint (If Endpoint only) |
| | SSL Certificate from trusted third party with Subject or Subject Alternative name of DNS | Ensure SSL certificate is trusted by all device types being used (e.g., not all Comodo certificates are natively trusted by Android). |
| | IIS 443 Binding with the same SSL certificate | Validate that you can connect to the server over HTTPS (https://yourAirWatchDomain.com). At this point, you should see the IIS splash page. |
| | Ensure the AWCM SSL certificate's Intermediate and Root CA certificates are in the Java CA Keystore on the MAG server | Use the Command Line Utility on the MAG server to enter the following: keytool -list -v -keystore $JAVA_HOME\jre\lib\security\cacerts OR use the GUI tool (free) here: http://portecle.sourceforge.net/ |

Note: For configuring the ports listed below, all traffic is uni-directional (outbound) from the source component to the
destination component.

Network Requirements

| Source Component | Destination Component | Protocol | Port | Verification | Note |
|---|---|---|---|---|---|
| Devices (from Internet and Wi-Fi) | AirWatch MAG | HTTPS | 2020 by default (for Browser) | Once MAG starts correctly, it should be listening on the HTTPS port by default. To make sure, you can open browser and check the following: https://<MAG_Host>:<port> – You should see an untrusted certificate screen unless there is a trusted SSL certificate and in that case you should see 407 MAG Authentication Failed! | 1 |
| Devices (from Internet and Wi-Fi) | AirWatch MAG | HTTPS | 443 (for Content) | Telnet from Internet to MAG server on port | 1 |

MAG – Basic-Endpoint Configuration

| Source Component | Destination Component | Protocol | Port | Verification | Note |
|---|---|---|---|---|---|
| AirWatch MAG Endpoint | AirWatch Cloud Messaging Server* | HTTPS | 443 | Verify by entering https://<AWCM URL>:443/awcm/status in browser and ensure there is no certificate trust error | 2 |
| AirWatch Tunnel Endpoint | Web-based content repositories (SharePoint / WebDAV / CMIS / etc.) | HTTP or HTTPS | 80 or 443 | | 4 |
| AirWatch Tunnel Endpoint | Internal websites / web apps | HTTP or HTTPS | 80 or 443 | | 5 |
| AirWatch MAG Endpoint | Internal System | Any | Any | | 6 |
| AirWatch MAG Endpoint | AirWatch REST API https://asXXX.awmdm.com or https://asXXX.airwatchportals.com | HTTPS | 443 | Verify by entering https://APIServerUrl/API/help in browser. If you are prompted for credentials, enter AirWatch admin credentials and an API help page should display. | 7 |
| AirWatch Tunnel Endpoint | Network Share-based repositories (Windows file shares) | CIFS or SMB | 137-139 or 445 | Telnet from AirWatch Tunnel endpoint to CIFS/SMB endpoint. | 8 |

MAG – Relay-Endpoint Configuration

| Source Component | Destination Component | Protocol | Port | Verification | Note |
|---|---|---|---|---|---|
| AirWatch MAG Relay | AirWatch Cloud Messaging Server | HTTP or HTTPS | 443 | Verify by entering https://<AWCM URL>:443/awcm/status in browser and ensure there is no certificate trust error | 2 |
| AirWatch MAG Relay | AirWatch MAG Endpoint | HTTPS | 2010 (for Browser) | Telnet from MAG Relay to MAG Endpoint server on port | 3 |
| AirWatch MAG Relay | AirWatch MAG Endpoint | HTTPS | 443 (for Content) | Telnet from MAG Relay to MAG Endpoint server on port | 3 |
| AirWatch Tunnel Endpoint | Web-based content repositories (SharePoint / WebDAV / CMIS / etc.) | HTTP or HTTPS | 80 or 443 | | 4 |
| AirWatch Tunnel Endpoint | Internal websites / web apps | HTTP or HTTPS | 80 or 443 | | 5 |
| AirWatch MAG Endpoint | Internal System | Any | Any | | 6 |
| AirWatch MAG Relay | AirWatch REST API https://asXXX.awmdm.com or https://asXXX.airwatchportals.com | HTTP or HTTPS | 80 or 443 | Verify by entering https://APIServerUrl/API/help in browser. If you are prompted for credentials, enter AirWatch admin credentials and an API help page should display. | 7 |
| AirWatch Tunnel Endpoint | Network Share-based repositories (Windows file shares) | CIFS or SMB | 137-139 or 445 | Telnet from AirWatch Tunnel endpoint to CIFS/SMB endpoint. | 8 |

Note: If you plan on using the MAG/AirWatch Tunnel to connect to network file shares, then it is required that either
the Endpoint be on the same domain as the NFS or, if the MAG/AirWatch Tunnel is on a different domain, it must
have domain trust with the domain of the NFS.

* For SaaS customers, see https://airwatch.zendesk.com/entries/21419683-What-are-the-AirWatch-IP-ranges-for-SaaS-data-centers- to view an ASK article that provides the most up-to-date IP ranges.
1. For devices attempting to access internal resources.

2. For the MAG to query the AirWatch Admin Console for compliance and tracking purposes.

3. For MAG Relay topologies to forward device requests to the internal MAG endpoint only.

4. For devices with the AirWatch Content Locker to access internal content.

5. For devices with the AirWatch Browser to access internal websites/web applications.

6. For devices with app tunnel; enables applications to communicate with internal systems.

Note: If a firewall resides between the MAG Endpoint and an internal system you are trying to reach, then you will
have to open the corresponding port depending on the traffic. For example, Windows Network File Shares
require ports 135 through 139 and 445 to be open in order to access content on Windows file shares.

7. The MAG needs to communicate with the API for initialization. Ensure there is connectivity between the REST API and
the MAG server.

Prerequisites for MAG Proxy/Content Connectivity for On-Premise Environments
Hardware Requirements

| Status Checklist | Requirement | Notes |
|---|---|---|
| | VM or Physical Server (64-bit) | 1 CPU Core (2.0+ GHz)*; 2 GB RAM or higher; 5 GB Disk Space. *An Intel processor is required. |

Note: The requirements listed here support basic data query. You may
require additional server space if your use case involves the
transmission of large encrypted files from a content repository.

Sizing for up to 100,000 Devices

| Number of Devices | Up to 5,000 | 5,000 to 50,000 | 50,000 to 100,000 | 100,000+ |
|---|---|---|---|---|
| CPU Cores | 1 | 4 or 2 load-balanced w/ 2 CPU Cores | 4 or 2 load-balanced w/ 2 CPU Cores | 2 load-balanced with 4 CPU Cores |
| RAM (GB) | 4 | 4 | 8 | 16 |

General Requirements

| Status Checklist | Requirement | Notes |
|---|---|---|
| | Remote access to Windows Servers available to AirWatch and Administrator rights | Recommended to set up Remote Desktop Connection Manager for multiple server management; you can download the installer from: http://www.microsoft.com/en-us/download/confirmation.aspx?id=21101 |
| | Installation of Notepad++ (Recommended) | You can download the installer from: http://download.tuxfamily.org/notepadplus/6.5.1/npp.6.5.1.Installer.exe |

Software Requirements

| Status Checklist | Requirement | Notes |
|---|---|---|
| | Windows Server 2008 R2 or Windows Server 2012 or Windows Server 2012 R2 | |
| | Install Role from Server Manager | IIS 7.0 (Server 2008 R2); IIS 8.0 (Server 2012 or Server 2012 R2); IIS 8.5 (Server 2012 R2 only) |
| | Install .NET Framework 4.5.2 | The installer will install this version of .NET provided the server has Internet access. Otherwise, download and manually install it. |
| | Install 64-bit Java Runtime Environment version 7 or greater | Download from https://java.com/en/download/index.jsp. Note: Ensure 32-bit Java is not installed. |
| | Internally registered DNS | Register the MAG relay (If Relay-Endpoint) or register the MAG Endpoint (If Endpoint only) |
| | Externally registered DNS | Register the MAG relay (If Relay-Endpoint) or register the MAG Endpoint (If Endpoint only) |
| | SSL Certificate from trusted third party with Subject or Subject Alternative name of DNS | Ensure SSL certificate is trusted by all device types being used (e.g., not all Comodo certificates are natively trusted by Android). |
| | IIS 443 Binding with the same SSL certificate | Validate that you can connect to the server over HTTPS (https://yourAirWatchDomain.com). At this point, you should see the IIS splash page. |
| | Ensure the AWCM SSL certificate's Intermediate and Root CA certificates are in the Java CA Keystore on the MAG server | Use the Command Line Utility on the MAG server to enter the following: keytool -list -v -keystore $JAVA_HOME\jre\lib\security\cacerts OR use the GUI tool (free) here: http://portecle.sourceforge.net/ |
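
The Java CA keystore requirement in the SaaS and on-premise tables above can be checked without reading the keytool listing by eye. The following PowerShell is an added example, not AirWatch code: it reads the certificate chain the AWCM server presents and reports whether each CA in it appears in the Java keystore. The host name awcm.example.com is a placeholder, and the script assumes JAVA_HOME is set and the keystore still uses Java's default password, changeit.

```powershell
# Added example (not part of the AirWatch guide). Run on the MAG server.
$AwcmHost = 'awcm.example.com'   # placeholder: your AWCM host name
$AwcmPort = 443                  # 443 for SaaS; 2001 or your configured port on-premise

function Get-ServerChain {
    # Completes a TLS handshake and records the chain Windows built for the
    # server certificate. The callback accepts any certificate because this
    # function only reads the chain; it sends no data over the connection.
    param([string]$HostName, [int]$Port)
    $seen = New-Object System.Collections.ArrayList
    $block = {
        param($sender, $certificate, $chain, $errors)
        foreach ($element in $chain.ChainElements) {
            [void]$seen.Add((New-Object PSObject -Property @{
                Subject = $element.Certificate.Subject
                Sha1    = $element.Certificate.Thumbprint   # upper-case hex, no colons
            }))
        }
        return $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$block

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Close()
    } finally {
        $tcp.Close()
    }
    return $seen
}

function Get-JavaTrustedSha1 {
    # Parses "keytool -list -v" output into a set of SHA-1 fingerprints.
    param([string]$JavaHome = $env:JAVA_HOME, [string]$StorePass = 'changeit')
    if (-not $JavaHome) { throw 'JAVA_HOME is not set' }
    $keytool = Join-Path $JavaHome 'bin\keytool.exe'
    # JDK layout (the path used in the guide) first, then the plain JRE layout.
    $cacerts = @('jre\lib\security\cacerts', 'lib\security\cacerts') |
        ForEach-Object { Join-Path $JavaHome $_ } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1
    if (-not $cacerts) { throw "cacerts not found under $JavaHome" }

    $trusted = @{}
    & $keytool -list -v -keystore $cacerts -storepass $StorePass | ForEach-Object {
        # keytool prints fingerprints as "SHA1: AA:BB:CC:..."
        if ($_ -match 'SHA1:\s*([0-9A-Fa-f:]+)') {
            $trusted[($matches[1] -replace ':', '').ToUpper()] = $true
        }
    }
    return $trusted
}

$trusted = Get-JavaTrustedSha1
$chain   = @(Get-ServerChain -HostName $AwcmHost -Port $AwcmPort)

# Element 0 is the AWCM server certificate; the rest are intermediate and root CAs.
$chain | Select-Object -Skip 1 | ForEach-Object {
    New-Object PSObject -Property @{
        InJavaKeystore = $trusted.ContainsKey($_.Sha1)
        Sha1           = $_.Sha1
        Subject        = $_.Subject
    }
} | Format-Table InJavaKeystore, Sha1, Subject -AutoSize

if ($chain.Count -lt 2) {
    Write-Warning 'Windows could not build a chain beyond the server certificate; check the CA certificates manually.'
}
```

Any row showing InJavaKeystore as False identifies a CA certificate that still has to be imported into the Java keystore on the MAG server.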

Note: For configuring the ports listed below, all traffic is uni-directional (outbound) from the source component to the
destination component.

Network Requirements

| Source Component | Destination Component | Protocol | Port | Verification | Note |
|---|---|---|---|---|---|
| Devices (from Internet and Wi-Fi) | AirWatch MAG | HTTPS | 2020 by default (for Browser) | Once MAG starts correctly, it should be listening on the HTTPS port by default. To make sure, you can open browser and check the following: https://<MAG_Host>:2020 – You should see an untrusted certificate screen unless there is a trusted SSL certificate and in that case you should see 407 MAG Authentication Failed! | 1 |
| Devices (from Internet and Wi-Fi) | AirWatch MAG | HTTPS | 443 (for Content) | Telnet from Internet to MAG server on port | 1 |
| AirWatch Device Services | AirWatch Tunnel | HTTP or HTTPS | 80 or 443 | | 8 |
| AirWatch Console | AirWatch Tunnel | HTTP or HTTPS | 80 or 443 | | 9 |

MAG – Basic-Endpoint Configuration

| Source Component | Destination Component | Protocol | Port | Verification | Note |
|---|---|---|---|---|---|
| AirWatch MAG Endpoint | AirWatch Cloud Messaging Server | HTTP or HTTPS | 2001 or a port you configure | Verify by entering https://<AWCM URL>:<port>/awcm/status in browser and ensure there is no certificate trust error | 2 |
| AirWatch Tunnel Endpoint | Web-based content repositories (SharePoint / WebDAV / CMIS / etc.) | HTTP or HTTPS | 80 or 443 | | 3 |
| AirWatch Tunnel Endpoint | Internal websites / web apps | HTTP or HTTPS | 80 or 443 | | 4 |
| AirWatch MAG Endpoint | Internal System | Any | Any | | 6 |
| AirWatch MAG Endpoint | AirWatch REST API (DS or CN server) | HTTP or HTTPS | 80 or 443 | Verify by entering https://APIServerUrl/API/help in browser and ensure there is no certificate trust error (cannot be a self-signed certificate). If you are prompted for credentials, enter AirWatch admin credentials | 7 |
| AirWatch Tunnel Endpoint | Network Share-based repositories (Windows file shares) | CIFS or SMB | 137-139 or 445 | Telnet from AirWatch Tunnel endpoint to CIFS/SMB endpoint. | 10 |

MAG – Relay-Endpoint Configuration

| Source Component | Destination Component | Protocol | Port | Verification | Note |
|---|---|---|---|---|---|
| AirWatch MAG Relay | AirWatch Cloud Messaging Server | HTTP or HTTPS | 2001 or a port you configure | Verify by entering https://<AWCM URL>:<port>/awcm/status in browser and ensure there is no certificate trust error | 2 |
| AirWatch Tunnel Endpoint | Web-based content repositories (SharePoint / WebDAV / CMIS / etc.) | HTTP or HTTPS | 80 or 443 | | 3 |
| AirWatch Tunnel Endpoint | Internal websites / web apps | HTTP or HTTPS | 80 or 443 | | 4 |
| AirWatch MAG Endpoint | Internal System | Any | Any | | 5 |
| AirWatch MAG Relay | AirWatch MAG Endpoint | HTTPS | 2010 (for Browser) | Telnet from MAG Relay to MAG Endpoint server on port | 6 |
| AirWatch MAG Relay | AirWatch MAG Endpoint | HTTPS | 443 (for Content) | Telnet from MAG Relay to MAG Endpoint server on port | 6 |
| AirWatch MAG Relay | AirWatch REST API (DS or CN server) | HTTP or HTTPS | 80 or 443 | Verify by entering https://APIServerUrl/API/help in browser and ensure there is no certificate trust error (cannot be a self-signed certificate). If you are prompted for credentials, enter AirWatch admin credentials | 7 |
| AirWatch Tunnel Endpoint | Network Share-based repositories (Windows file shares) | CIFS or SMB | 137-139 or 445 | Telnet from AirWatch Tunnel endpoint to CIFS/SMB endpoint. | 10 |

Note: If you plan on using the MAG/AirWatch Tunnel to connect to network file shares, then it is required that either
the Endpoint be on the same domain as the NFS or, if the MAG/AirWatch Tunnel is on a different domain, it must
have domain trust with the domain of the NFS.

1. For devices attempting to access internal resources.

2. For the MAG to query the AirWatch Admin Console for compliance and tracking purposes.

3. For devices with the AirWatch Content Locker to access internal content from websites, such as SharePoint.

4. For devices with the AirWatch Browser to access internal websites/web applications.

5. For devices with app tunnel; enables applications to communicate with internal systems.

Note: If a firewall resides between the MAG Endpoint and an internal system you are trying to reach, then you will
have to open the corresponding port depending on the traffic. For example, Windows Network File Shares
require ports 135 through 139 and 445 to be open in order to access content on Windows file shares.

6. For MAG Relay topologies to forward device requests to the internal MAG endpoint only.

7. The MAG needs to communicate with the API for initialization. The API server is generally hosted on the AirWatch
Admin Console Server or can be a separate server. Ensure there is connectivity between this server and the MAG
server.

8. For the Device Services server to enumerate the repositories via the content relay and convert them into a format
devices can use.

9. For the Console server to enumerate the repositories via the content relay for viewing in the AirWatch Admin Console.

10. For devices with the AirWatch Content Locker to access internal content from Network Shares.

Installation Preparation

Overview
Before installing the server within your network, you must ensure your environment meets all the requirements, and
then prepare for installation by downloading the installation files.

Notes:
- Steps 1 through 3 are applicable for on-premise customers only. If you are a SaaS customer, begin with step 4.
- Before you begin installing AirWatch Tunnel, ensure that AWCM is installed correctly, running, and communicating with AirWatch without any errors. For more information about configuring AWCM refer to the AirWatch AWCM Guide.
- AirWatch recommends you do not configure AirWatch Tunnel at the Global organization group level.

Performing Preliminary Installation Steps


Prepare for the installation by performing the following steps.

1. Navigate to Groups & Settings ► All Settings ► System ► Advanced ► Site URLs in the AirWatch Admin Console.

2. Ensure the following URLs are correct:
   - REST API URL – Should be in the format "https://<url>/api".
   - AWCM Server External URL – Should be in the format "server.acme.com" and not include a protocol such as https.
   - AWCM Service Internal URL – Should be in the format "https://server.acme.com".

3. Select Save.

4. Navigate to Groups & Settings ► All Settings ► System ► Advanced ► Device Root Certificate and verify the device
root certificate exists. If it does not exist, click the Override radio button and generate the root device certificate.

5. Navigate to Groups & Settings ► All Settings ► System ► Advanced ► API ► REST API and click the Override radio
button.

6. Ensure the Enable API Access check box is selected and an API Key is displayed in the field highlighted above.

7. Click Save.

Configure MAG Proxy/Content
Perform the following configuration procedure to access the MAG Windows installer, which will let you download and
install the MAG Content and Proxy components.
1. Navigate to Groups & Settings ► All Settings ► System ► Enterprise Integration ► Mobile Access Gateway.
If this is your first time configuring MAG, then select Configure and follow the configuration wizard screens.
Otherwise, select the Override radio button, ensure the Enable Mobile Access Gateway check box is selected, and
then select Configure to configure the following settings. In either case, select Configure MAG for Windows.
a. Select either Basic or Relay-Endpoint as your Configuration Type. Select Next.
You can find more info on these configuration types in the MAG Admin Guide, available via AirWatch Resources.

b. Enter the following information for the Details section:


Proxy (App Wrapping / Browser / SDK Configuration):
- Host Name – The name given to the server where the MAG will be installed. If you plan to install the MAG on an SSL offloaded server, enter the name of that server in place of the Host Name.

  Note: When entering the Host Name, do not include protocol (http://, https://, etc.).

- Default HTTPS Port – The port number automatically assigned for HTTPS communication with the MAG.

  Note: By default AirWatch Tunnel utilizes a single HTTPS Port for HTTPS Tunneling. If you want to define an HTTP Port and use HTTP Tunneling you can do so on the Advanced settings page after configuration. Refer to the HTTP and HTTPS Tunneling section of the AirWatch Mobile Access Gateway Admin Guide, available via AirWatch Resources for more information.

- Use Kerberos Proxy – Enabling Kerberos proxy support will allow access to Kerberos authentication, typically only available inside the corporate network, for target backend web services. Note that this does not currently support Kerberos Constrained Delegation (KCD).

  Note: The Endpoint server needs to be on the same domain as KDC for the Kerberos Proxy to successfully communicate with the KDC.

  For more information, see Appendix – Kerberos KDC Proxy Support.

If using a Relay-Endpoint setup, then also enter the Endpoint Details as follows:
- MAG Endpoint Host Name – Enter the FQDN (absolute domain name) of the MAG endpoint.
- Relay-Endpoint Port – This is the port used for traffic between the MAG relay and MAG endpoint. Note that you should not use port 80, because IIS, which is required for MAG installation, will already be bound to port 80.
Content Configuration:

- Content Repository URL – The URL used to access the MAG Content Repository Relay from the Internet. Typically the same as the hostname field but with an HTTP/HTTPS protocol. For example: HTTPS://magrelay.acme.com.

  Note: If using a Relay-Endpoint setup, enter both the Relay and Endpoint URLs.

c. Click Next to advance to the SSL section. Enter the following information:
App Wrapping / Browser / SDK SSL Certificate:
- Select the Use Public SSL Certificate check box if you are using third party public SSL certificates for authentication between AirWatch applications and the MAG. Select Upload to browse for and upload your certificate file (.pfx or .p12). This file must contain both your public and private key pair.
Content SSL Certificate:
- Ignore SSL Errors – Select to ignore SSL errors that occur during communication between the AirWatch Admin Console and the content repository.

d. Click Next to advance to the Authentication section, where you can select to use an enterprise CA in place of
AirWatch issued certificates. Select Default to use AirWatch issued certificates. Select Enterprise CA to display
drop-downs for your certificate authority and certificate template that you have uploaded into AirWatch. Also
upload your root certificate of your CA.

Note: The CA template must contain the following field in the subject name: CN=UDID. Supported CAs are
ADCS, RSA and SCEP. For more information about integrating with your certificate provider, please see the
certificate management documentation for your CA, available via AirWatch Resources in the Certificate
Management section.

e. Click Next to display the Summary section. Review the summary of your MAG configuration and select Save. You
are navigated back to the MAG Configuration page.

2. Select the Advanced tab and then select Generate Certificates to enable MAG Authentication. If you plan to install
the MAG on an SSL offloaded server, click Export MAG Certificate from the AirWatch Admin Console once the
certificate has been generated. Then, import the certificate on the server performing SSL offload. (This server can be a
load balancer or reverse proxy.)

Note: The other settings on this Advanced tab are explained in the AirWatch MAG Admin Guide, available via
AirWatch Resources.

3. Select the General tab and then select the Download Windows Installer hyperlink.

4. Enter and confirm a certificate password and then click Download.

Note: The MAG password must contain a minimum of six characters.

5. Click Save.

6. Continue with the steps for MAG Proxy/Content Installation for a Relay-Endpoint Configuration on Windows or
MAG Proxy/Content Installation for a Basic (Endpoint only) Configuration on Windows, depending on the
configuration you selected.

MAG Proxy/Content Installation for a Relay-Endpoint Configuration on Windows

Overview
Perform the following steps to install the MAG for a Relay-Endpoint configuration, which you can view below. Verify the
presence of IIS and install Java on the MAG server as needed, as noted in the Requirements section.

Note: Before you begin, ensure the server you are installing MAG on can reach AWCM by browsing to
"https://{url}:<port>/awcm/status", where <port> is the configurable external port for AWCM. You should see the
status of the AWCM with no SSL errors. If there are errors, resolve them before continuing or the MAG will not
function properly.

Example of a Relay-Endpoint Configuration

For more information about the supported MAG configurations and deployment models, refer to the AirWatch Mobile
Access Gateway Admin Guide, available via AirWatch Resources.

Installing the MAG


The process below walks you through installing the MAG on the Relay server first. Immediately afterward, follow the
instructions for installing the MAG on the Endpoint server as well.

Relay Server
1. Open the installer executable on the Relay MAG server and then click Next. For Relay-Endpoint configurations, you
must perform MAG installation on both the Relay and Endpoint servers. The steps below assume you are first
installing it on the Relay server.

Note: If a previous version of MAG is installed, the installer auto-detects it and offers the option to upgrade to the
latest version.

2. Accept the End User License Agreement and then click Next.

3. Specify the destination for the downloaded MAG installation files and then click Next.

4. Select the Relay button to first install MAG on the Relay server.

5. Select Is this server SSL Offloaded? if you are setting up a reverse proxy configuration with SSL Offloading. For more
information, see Appendix: SSL Offloading.

6. Select Next.

7. Enter the Certificate Password you created in the AirWatch Admin Console and then click Next.

8. Select the Target Site in which the AirWatch application should be installed using the drop-down menu and then click
Next.

If Windows Firewall is turned on, you may receive the following dialog indicating that certain profiles are enabled. In
this case, please ensure the necessary MAG ports – which include both the ones you configured in the AirWatch
Admin Console and the default IIS website port you are using to access content – are allowed in the Windows Firewall
settings.

9. Click Install to begin MAG installation on the server.

10. Click Finish to close the MAG installer.


Review the activity found in the .log file created by the MAG installer to verify successful MAG installation. The file can be
found in the same destination folder where the installer executable was initially downloaded.
Next, you will install the MAG on the Endpoint server.

Endpoint Server
1. Open the installer executable on the Endpoint MAG server and then click Next.

Note: If a previous version of MAG is installed, the installer auto-detects it and offers the option to upgrade to the
latest version.

2. Accept the End User License Agreement and then click Next.

3. Specify the destination for the downloaded MAG installation files and then click Next.

4. Select the Endpoint button to install MAG on the Endpoint server.

5. Select the check box to indicate if MAG will use an outbound proxy. If so, enter the address of the Proxy Host and
Proxy Port number to be used for communication. If the proxy requires authentication, first select the Does the
proxy require authentication credentials? checkbox, then select whether it uses Basic or NTLM authentication, then
specify the Username and Password credentials.

6. Specify whether you are using Proxy auto-configuration (PAC) files as part of your MAG installation. A PAC file is a
set of rules that a browser checks to determine where traffic gets routed. For MAG, traffic is checked against the PAC
file to determine if it has to go through an outbound proxy. If you have authentication for PAC files, then the MAG
must know the username and password of the proxy. You can reference a PAC file on a remote server by providing the
PAC URL, or upload a PAC file directly.

Note: If you are accessing outbound proxies through the MAG that use a PAC file and also require authentication,
then refer to Appendix: Outbound Proxies using PAC Files.

When you are finished, click Next.

7. Enter the Certificate Password you created in the AirWatch Admin Console and then click Next.

8. Select the Target Site in which the AirWatch application should be installed using the drop-down menu and then click
Next.

If Windows Firewall is turned on, you may receive the following dialog indicating that certain profiles are enabled. In
this case, please ensure the necessary MAG ports – which include both the ones you configured in the AirWatch
Admin Console and the default IIS website port you are using to access content – are allowed in the Windows Firewall
settings.

9. Click Install to begin MAG installation on the server.

10. Click Finish to close the MAG installer.

Verify Installation
Review the activity found in the .log file created by the MAG installer to verify successful MAG installation. The file can be
found in the same destination folder where the installer executable was initially downloaded. Additionally, select Test
Connection on the MAG configuration page (Groups & Settings ► All Settings ► System ► Enterprise Integration ►
Mobile Access Gateway) in the AirWatch Admin Console to verify the installation. This page will tell you MAG version
info, connectivity to the MAG via HTTP/S, and certificate chain and content endpoint validation.

Note for on-premise customers: If you are an on-premise customer and your AirWatch Console server is installed on
the internal network, then you may see failed connections for the Console To line items. This is the expected behavior
when the Console server does not have access to the MAG Relay server in the DMZ and will not affect
MAG functionality.

MAG Proxy/Content Installation for a Basic (Endpoint only) Configuration on Windows

Overview
Perform the following steps to install the MAG for a Basic configuration, which you can view below. Verify the presence of
IIS and install Java on the MAG server as needed, as noted in the Requirements section.

Note: Before you begin, ensure the server you are installing MAG on can reach AWCM by browsing to
"https://{url}:<port>/awcm/status", where <port> is the configurable external port for AWCM. You should see the
status of the AWCM with no SSL errors. If there are errors, resolve them before continuing or the MAG will not
function properly.
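
The AWCM reachability check from the note above (the same note opens the Relay-Endpoint section), as an added PowerShell example that is not part of the AirWatch guide. It runs the check from the MAG server itself and reports which SSL validation error occurred, if any. The function name, host and port are assumptions; substitute your own AWCM values.

```powershell
# Added example, not AirWatch code. Test-AwcmStatus is a hypothetical helper name.
function Test-AwcmStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AwcmHost,  # host name from {url}
        [Parameter(Mandatory)] [int]    $Port       # external AWCM port
    )

    $result = [ordered]@{
        Target       = "https://${AwcmHost}:${Port}/awcm/status"
        TcpReachable = $false
        SslErrors    = $null   # stays $null if the handshake never reached validation
        CertSubject  = $null
        CertNotAfter = $null
        HttpStatus   = $null
        Detail       = $null
        Passed       = $false
    }

    # Validation callback: record what the platform found and accept only a
    # clean result, so a name mismatch or untrusted chain fails the handshake.
    $state = @{ Errors = $null; Subject = $null; NotAfter = $null }
    $validate = {
        param($origin, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        if ($certificate) {
            $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
            $state.Subject  = $x509.Subject
            $state.NotAfter = $x509.NotAfter
        }
        return ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($AwcmHost, $Port)
        $result.TcpReachable = $true
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] $validate
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList @($tcp.GetStream(), $false, $callback)
        try     { $ssl.AuthenticateAsClient($AwcmHost) }
        catch   { $result.Detail = "TLS handshake failed: $($_.Exception.Message)" }
        finally { $ssl.Dispose() }
    } catch {
        $result.Detail = "TCP connect failed: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }

    $result.SslErrors    = $state.Errors
    $result.CertSubject  = $state.Subject
    $result.CertNotAfter = $state.NotAfter

    # Fetch the status page only over a connection that validated cleanly.
    if ($null -ne $state.Errors -and $state.Errors -eq [System.Net.Security.SslPolicyErrors]::None) {
        try {
            $resp = Invoke-WebRequest -Uri $result.Target -UseBasicParsing -TimeoutSec 15
            $result.HttpStatus = [int] $resp.StatusCode
            $result.Passed     = ($result.HttpStatus -eq 200)
        } catch {
            $result.Detail = "HTTP request failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject] $result
}

# Placeholder host and port; substitute your AWCM values.
# Test-AwcmStatus -AwcmHost 'awcm.example.com' -Port 8443 | Format-List
```

A SslErrors value other than None (for example RemoteCertificateNameMismatch or RemoteCertificateChainErrors) is the condition the note says to resolve before installing.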

Example of a Basic Configuration

For more information about the supported MAG configurations and deployment models, refer to the AirWatch Mobile
Access Gateway Admin Guide, available via AirWatch Resources.

Installing MAG for Basic (Endpoint only) Configurations


1. Open the installer executable on the Endpoint MAG server and then click Next.

Note: If a previous version of MAG is installed, the installer auto-detects it and offers the option to upgrade to the
latest version.

2. Accept the End User License Agreement and then click Next.

3. Specify the destination for the downloaded MAG installation files and then click Next.

4. Select the check box to indicate if MAG will use an outbound proxy. If so, enter the address of the Proxy Host and
Proxy Port number to be used for communication. If the proxy requires authentication, first select the Does the
proxy require authentication credentials? checkbox, then select whether it uses Basic or NTLM authentication, then
specify the Username and Password credentials.

5. Specify whether you are using Proxy auto-configuration (PAC) files as part of your MAG installation. A PAC file is a
set of rules that a browser checks to determine where traffic gets routed. For MAG, traffic is checked against the PAC
file to determine if it has to go through an outbound proxy. If you have authentication for PAC files, then the MAG
must know the username and password of the proxy. You can reference a PAC file on a remote server by providing the
PAC URL, or upload a PAC file directly.

Note: If you are accessing outbound proxies through the MAG that use a PAC file and also require authentication,
then refer to Appendix: Outbound Proxies using PAC Files.

When you are finished, click Next.

6. Enter the Certificate Password you created in the AirWatch Admin Console and then click Next.

7. Select the Target Site in which the AirWatch application should be installed using the drop-down menu and then click
Next.

If Windows Firewall is turned on, you may receive the following dialog indicating that certain profiles are enabled. In
this case, please ensure the necessary MAG ports – which include both the ones you configured in the AirWatch
Admin Console and the default IIS website port you are using to access content – are allowed in the Windows Firewall
settings.

8. Click Install to begin MAG installation on the server.

9. Click Finish to close the MAG installer.

Verify Installation
Review the activity found in the .log file created by the MAG installer to verify successful MAG installation. The file can be
found in the same destination folder where the installer executable was initially downloaded. Additionally, select Test
Connection on the MAG configuration page (Groups & Settings ► All Settings ► System ► Enterprise Integration ►
Mobile Access Gateway) in the AirWatch Admin Console to verify the installation. This page will tell you MAG version
info, connectivity to the MAG via HTTP/S, and certificate chain and content endpoint validation.

Note for on-premise customers: If you are an on-premise customer and your AirWatch Console server is installed on
the internal network, then you may see failed connections for the Console To line items. This is the expected behavior
when the Console server does not have access to the MAG endpoint in the DMZ and will not affect MAG functionality.

Appendix: SSL Offloading
Note: SSL Offloading is supported for Content and Proxy components.

Overview
When accessing HTTP endpoints using HTTP Tunneling, all HTTP traffic is encrypted and authenticated using an
SSL certificate and sent over port 2020 as HTTPS. You can perform SSL Offloading with products such as F5's BIG-IP Local
Traffic Manager (LTM), or Microsoft's Unified Access Gateway (UAG), Threat Management Gateway (TMG) or Internet
Security and Acceleration Server (ISA) solutions. While these are common solutions, support is not exclusive to these.
MAG/AirWatch Tunnel is compatible with general SSL Offloading solutions provided that the solution supports the HTTP
CONNECT method. The following diagram illustrates how SSL Offloading affects traffic in a Relay-Endpoint configuration.

Note: Using the MAG/AirWatch Tunnel to access internal content supports both SSL offloading and also proxying
traffic. Using the MAG to perform proxy functions supports SSL Offloading only.

SSL Offloading Traffic Flow


1. A device requests access to content or resources, which can be either an HTTP or HTTPS endpoint.
• Requests to HTTP endpoints are sent over a port you configure and encrypted and authenticated with an
SSL certificate.

• Requests to HTTPS endpoints are sent over a port you configure and encrypted and authenticated with a third
party SSL certificate.

2. The traffic hits an SSL Termination Proxy, which must contain the AirWatch certificate exported from the AirWatch
Admin Console or your organization's own public certificate.

• Requests to HTTP endpoints over the port you configure have their SSL offloaded and are sent to the
Relay unencrypted over port 2010.

• Requests to HTTPS endpoints over the port you configure are unaffected and continue to the Relay on that port.

Note: Since all traffic is now sent over the port you configured, you must create a rule on your SSL Termination
Proxy to forward all traffic on that port.

3. The traffic continues from the Relay to the Endpoint on a port you configure.

4. The Endpoint communicates with your backend systems to access the requested content or resources.

Enabling SSL Offloading
To enable SSL Offloading, ensure the SSL Offloading check box is selected during installation for the Relay server. This
informs the Relay to expect to receive all traffic on the port you configured.

Appendix: Upgrading the Component


To upgrade, simply download and run the installer again using the same procedures outlined previously in this
document, depending on your configuration setup. Note that any custom changes you made to configuration files after
the original installation will be lost, so you may want to make backups of these files to reference later.

Upgrading the MAG for Windows Proxy/Content Components


1. Log in to the AirWatch Admin Console and navigate to Groups & Settings ► All Settings ► System ► Enterprise
Integration ► Mobile Access Gateway.

2. Select the General tab and then select the Download Windows Installer hyperlink.

3. Enter and confirm a certificate password and then click Download.

Note: The MAG password must contain a minimum of six characters.

4. Continue with the steps for MAG Installation for a Relay-Endpoint Configuration or MAG Installation for a Basic
(Endpoint only) Configuration.

Appendix: Kerberos KDC Proxy Support


Note: Kerberos KDC Proxy Support is supported for the Proxy component.

MAG/AirWatch Tunnel Proxy supports Kerberos authentication in the requesting application. This new component,
Kerberos KDC proxy (KKDCP), gets installed on the endpoint server. AirWatch KKDCP acts as a proxy to your internal KDC
server. AirWatch-enrolled and compliant devices with a valid AirWatch issued identity certificate can be allowed to access
your internal KDC. For a client application to authenticate to Kerberos-enabled resources, all of the Kerberos requests
need to be passed through KKDCP. The basic requirement for Kerberos authentication is to make sure you install the
Endpoint with Kerberos proxy enabled during configuration in a network where it can access the KDC server.

Note: Currently, this functionality is only supported with the AirWatch Browser v2.5 and higher for Android.

You can enable Kerberos proxy settings in the following manner:


1. During the configuration, check the box Use Kerberos proxy and enter the Realm of the KDC server.

2. If the Realm is not reachable then you could also configure the KDC server IP on the Advanced settings tab in system
settings.

Note: Only add the IP if the Realm is not reachable, as it will take precedence over the Realm value entered in the
configuration.

Note: By default the Kerberos proxy server uses port 2040, which is internal only, hence no firewall changes are
required to have external access over this port.

3. Save the settings and download the installer to install MAG.


On Windows, once the MAG is installed you will see that a new Windows service called AirWatch Kerberos Proxy has
been added.

4. Enable Kerberos from the SDK settings in the AirWatch Admin Console so the requesting application is aware of the
KKDCP. To do this, navigate to Groups & Settings ► All Settings ► Apps ► Settings And Policies and select Security
Policies. Under Integrated Authentication, select Enable Kerberos. Save the settings.

How to Access Logs


• The path for KKDCP logs for MAG for Windows is: \AirWatch\Logs\MobileAccessGateway

• To make sure the AirWatch KKDCP server is up and running, access the following URL in your browser from the server
where KKDCP is installed: http://localhost:2040/kerberosproxy/status

• If the proxy server is working as expected, the browser returns the following response:
{
"kdcServer":"internal-dc01.internal.local.:88",
"kdcAccessible":true
}
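
The status check described above, scripted as an added PowerShell example that is not part of the AirWatch guide. It queries the status URL on the KKDCP server, reads the kdcServer and kdcAccessible fields, and confirms the AirWatch Kerberos Proxy service is running. The function name and the fallback TCP probe of the KDC port are assumptions added here; the probe is indicative only.

```powershell
# Added example, not AirWatch code. Test-KkdcpStatus is a hypothetical helper name.
function Test-KkdcpStatus {
    [CmdletBinding()]
    param(
        [string] $StatusUrl   = 'http://localhost:2040/kerberosproxy/status',
        [string] $ServiceName = 'AirWatch Kerberos Proxy'   # name as given in the guide
    )

    $report = [ordered]@{
        ServiceState    = 'NotFound'
        StatusReachable = $false
        KdcServer       = $null
        KdcAccessible   = $false
        KdcTcpOpen      = $null   # filled in only when the proxy reports the KDC unreachable
        Healthy         = $false
    }

    # The guide names the service but not whether that is its short or display name.
    $svc = Get-Service |
        Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName } |
        Select-Object -First 1
    if ($svc) { $report.ServiceState = [string] $svc.Status }

    try {
        $status = Invoke-RestMethod -Uri $StatusUrl -TimeoutSec 10
        # Without a JSON content type the body arrives as a plain string.
        if ($status -is [string]) { $status = $status | ConvertFrom-Json }
        $report.StatusReachable = $true
    } catch {
        return [pscustomobject] $report
    }

    $report.KdcServer = [string] $status.kdcServer
    # Only a literal JSON true counts; a missing field or the string "true" does not.
    $report.KdcAccessible = ($status.kdcAccessible -is [bool]) -and $status.kdcAccessible

    # kdcServer looks like "host.:88"; drop the trailing dot of the FQDN before probing.
    if (-not $report.KdcAccessible -and $report.KdcServer -match '^(?<name>.+?)\.?:(?<port>\d+)$') {
        $kdcName = $Matches['name']
        $kdcPort = [int] $Matches['port']
        $client  = New-Object System.Net.Sockets.TcpClient
        try {
            # Wait returns $false on timeout and throws if the connection is refused.
            $report.KdcTcpOpen = $client.ConnectAsync($kdcName, $kdcPort).Wait(3000)
        } catch {
            $report.KdcTcpOpen = $false
        } finally {
            $client.Close()
        }
    }

    $report.Healthy = ($report.ServiceState -eq 'Running') -and $report.KdcAccessible
    [pscustomobject] $report
}

# Run on the server where KKDCP is installed:
# Test-KkdcpStatus | Format-List
```

If KdcAccessible is false while KdcTcpOpen is true, the KDC host is reachable from the Endpoint and the Realm or KDC server IP entered in the configuration is the next thing to review.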

Appendix: Outbound Proxies using PAC Files


Note: Outbound Proxies using PAC files is supported for the Proxy component.

For Windows
If you are accessing outbound proxies through the MAG that use a PAC file and also require authentication, then you will
need to perform the following steps: 
1. In Windows Explorer, navigate to \AirWatch\MobileAccessGateway\bin.

2. Run proxy-tools.

3. Enter 1 for proxy credentials and do NOT press enter.

4. Enter 1 for Basic and 2 for NTLM authentication using a single service account.

5. Enter the domain, username and password according to your service account credentials for the outbound proxy
configured in your environment.

Finding Additional Documentation


While reading through this documentation you may encounter topics that reference other documents that are not
included here. You may also be looking for separate documentation that is not a part of this resource. You can access this
additional documentation through the AirWatch Resources page (https://resources.air-watch.com) on myAirWatch.

Note: It is always recommended you pull the document from AirWatch Resources each time you need to reference it.

To search for and access additional documentation via the AirWatch Resources page, perform the following step-by-step
instructions: 
1. Navigate to http://my.air-watch.com and log in using your AirWatch ID credentials.

2. Select AirWatch Resources from the navigation bar or home screen. The AirWatch Resources page displays with a list
of recent documentation and a list of Resources Categories on the left.

3. Select your AirWatch Version from the drop-down list in the search parameters to filter a displayed list of documents.
Once selected, you will only see documentation that pertains to your particular version of AirWatch.

4. Access documentation using the following methods:


• Select a resource category on the left to view all documents belonging to that category. For example, selecting
Documentation filters your search to include the entire technical documentation set. Selecting Platform filters
your search to only include platform guides.

• Search for a particular resource using the search box in the top-right by entering keywords or document names.

• Add a document to your favorites and it will be added to My Resources. Access documents you have favorited
by selecting myAirWatch from the navigation bar and then selecting My Resources from the toolbar.

• Download a PDF of a document by selecting the button. Note, however, that documentation is frequently
updated with the latest bug fixes and feature enhancements. Therefore, it is always recommended you pull the
document from AirWatch Resources each time you need to reference it.

Having trouble finding a document? Make sure a specific AirWatch Version is selected. All Versions will typically
return many results. Make sure you select Documentation from the category list, at a minimum. If you know which
category you want to search (e.g., Platform, Install & Architecture, Email Management) then selecting that will also
further narrow your search and provide better results. Filtering by PDF as a File Type will also narrow your search
even further to only include technical documentation manuals.
