AirWatch PoC Technical Architecture


    © 2013 AirWatch, LLC. All Rights Reserved.

    This document, as well as the software described in it, is furnished under license. The information in this manual may only be used in accordance with the terms of the license. This document should not be reproduced, stored or transmitted in any form, except as permitted by the license or by the express permission of AirWatch, LLC.

    Other product and company names referenced in this document are trademarks and/or registered trademarks of their respective companies.

    AirWatch PoC Technical Architecture | v.2013.06 | June 2013

    Copyright 2013 AirWatch, LLC. All rights reserved. Proprietary & Confidential.

    AirWatch PoC Technical Architecture

    A guide for selecting an AirWatch PoC Evaluation Architecture


    Table of Contents

    Overview (p. 2)
    Option 1: Pure Cloud (p. 4)
    Option 2: Integrated Cloud (p. 6)
      o Integrated Cloud: AirWatch Cloud Connector (p. 8)
      o Integrated Cloud: No DMZ (p. 11)
      o Integrated Cloud: DMZ Relay (p. 14)
      o Integrated Cloud: Reverse Proxy (p. 17)
    Option 3: On-Premise Single Server Deployment (p. 20)
    Option 4: On-Premise Multiple Server Deployment (p. 23)
    Appendix (p. 26)


    Overview

    The AirWatch Enterprise Mobility Management (EMM) software can be deployed through a variety of cloud or on-premise options to meet an organization's security requirements and IT strategy. This document outlines each of the supported configurations and helps determine the ideal AirWatch architecture for a successful PoC evaluation.

    The diagram below (rendered here as text) displays four deployment options, including both cloud and on-premise architectures.

    Cloud

      Benefits
        o Fastest implementation with minimal client effort
        o No significant investment in technology or services
        o Minimal or no network changes required
        o Automatic software updates
      Considerations
        o Integration with corporate resources
        o Security / datacenter requirements

    On Premise

      Benefits
        o Comply with corporate on-premise security policies
        o Direct integration with corporate systems
        o Leverage existing infrastructure investments
        o Physical and virtual environments supported
      Considerations
        o Network firewall changes required
        o Multiple software and hardware required on-premise

    Option 1: Cloud (Pages 4-5)
      All devices and admin users point to AirWatch's cloud for device management. No software installed onsite.
      Ideal for:
        o Rapid deployment
        o No corporate infrastructure required
        o Does not integrate with corporate resources

    Option 2: Integrated Cloud (Pages 8-19)
      All components in the cloud. Lightweight integration component installed on-premise for backend integration.
      Ideal for:
        o Cloud clients requiring enterprise integration for LDAP / PKI, Exchange, content repositories, etc.

    Option 3: Single Server (Pages 20-22)
      On-premise deployment with a single AirWatch server installed in the DMZ or internal network.
      Ideal for:
        o Leveraging existing infrastructure
        o On-premise is required
        o Enterprise integration

    Option 4: Multi Server (Pages 23-25)
      On-premise deployment with multiple servers in the DMZ and internal network for multi-tier firewall architectures.
      Ideal for:
        o Multi-tier networks
        o Resources not available to the DMZ
        o Special security policy compliance
        o Server scalability via tier 1-3 deployments

    *Note: PoC fees may apply for on-premise deployment.


    The remainder of this document defines the requirements for the architecture options described above. After choosing a deployment option from the descriptions above, review the following items for the desired deployment choice:

    1. Architecture Diagram: high-level design of all data flows.

    2. Prerequisite Checklist: complete list of all software and hardware preparations required.

    3. Network Requirements: a listing of any port and firewall requirements.


    Option 1: Pure Cloud

    Cloud configurations are best suited for clients who want to minimize effort and lead times for evaluating the software. This evaluation architecture can be set up in minutes but typically does not offer integration with backend resources, due to client security requirements. Integration can easily be added later by installing the AirWatch Cloud Connector and/or Mobile Access Gateway (see Option 2: Integrated Cloud).

    Architecture Diagram (figure not reproduced; it shows the optional cloud integrations: SAML, Office 365, Google Apps for Business)

    Prerequisite Checklist

    There are no prerequisites necessary for this deployment option.


    Network Requirements: Pure Cloud

    Columns of the original table: #, Source Component, Source Host, Destination Component, Destination Host, Destination IP, Protocol, Port, Diagram Ref, plus a Checklist column (Yes / No / N/A) for recording whether each flow is permitted in the client network.

    Source Component: Administrators / User Self Service

    1. Source Host: {ADMIN_IP}
       Destination: AirWatch SaaS
       Destination Host: *.airwatchportals.com, *.awmdm.com
       Destination IP: any (see the list of AirWatch datacenter IP ranges linked from the original table)
       Protocol / Port: HTTP/HTTPS 80/443
       Diagram Ref: 1

    2. Source Host: {ADMIN_IP}
       Destination: Apple iTunes Cloud
       Destination Host: itunes.apple.com, ax.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net
       Destination IP: any
       Protocol / Port: HTTP/HTTPS 80/443
       Diagram Ref: N/S

    3. Source Host: {ADMIN_IP}
       Destination: Google Play Store
       Destination Host: play.google.com
       Destination IP: any
       Protocol / Port: HTTP/HTTPS 80/443
       Diagram Ref: N/S

    4. Source Host: {ADMIN_IP}
       Destination: Virtual Earth (GPS Maps)
       Destination Host: *.virtualearth.net
       Destination IP: any
       Protocol / Port: HTTP/HTTPS 80/443
       Diagram Ref: N/S

    Source Component: Devices

    5. Source Host: {Device_IP}
       Destination: Apple APNs Cloud
       Destination Host: #-courier.push.apple.com, gateway.push.apple.com
       Destination IP: 17.0.0.0/8
       Protocol / Port: TCP 5223
       Diagram Ref: 2

    6. Source Host: {Device_IP}
       Destination: Apple iTunes Cloud
       Destination Host: phobos.apple.com, oscp.apple.com, ax.itunes.apple.com
       Destination IP: any
       Protocol / Port: HTTP/HTTPS 80/443
       Diagram Ref: 3

    7. Source Host: {Device_IP}
       Destination: Android C2DM Cloud
       Destination Host: mtalk.google.com
       Destination IP: any
       Protocol / Port: TCP 5228
       Diagram Ref: 4

    8. Source Host: {Device_IP}
       Destination: AirWatch SaaS
       Destination Host: *.airwatchportals.com, *.awmdm
       Destination IP: any (see the list of AirWatch datacenter IP ranges linked from the original table)
       Protocol / Port: HTTP/HTTPS 80/443
       Diagram Ref: 5
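As an added example (not code from the AirWatch document), the following Python script transcribes rows 1-8 of the Pure Cloud table above as data and checks a constructed firewall egress allow-list against them, listing every required flow the policy would block. The rule format, the helper names, the sample policy, the treatment of the HTTP/HTTPS rows as TCP 80/443, and the reading of row 8's truncated "*.awmdm" as the "*.awmdm.com" from row 1 are all this example's own assumptions.

```python
"""Egress allow-list check for the Pure Cloud network requirements table.

Added example, not AirWatch's own code: rows 1-8 of the table are transcribed
as data and a constructed sample allow-list is checked against them so that
every required flow the policy would block is reported. The rule format,
helper names and sample policy are assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One table row: source, destination hosts, and the ports that must be open."""
    ref: int                 # row number in the table
    source: str              # {ADMIN_IP} or {Device_IP}, as written in the table
    destination: str         # destination component
    hosts: tuple[str, ...]   # destination host patterns ('*' wildcard, '#' = a number)
    protocol: str            # HTTP/HTTPS rows are TCP 80/443 at the firewall (assumption)
    ports: tuple[int, ...]


ADMIN, DEVICE = "{ADMIN_IP}", "{Device_IP}"

# Rows 1-8 of the Pure Cloud table. Row 8 prints "*.awmdm" on the page; it is
# assumed here to be the same "*.awmdm.com" that row 1 lists.
REQUIRED_FLOWS = (
    Flow(1, ADMIN, "AirWatch SaaS", ("*.airwatchportals.com", "*.awmdm.com"), "TCP", (80, 443)),
    Flow(2, ADMIN, "Apple iTunes Cloud", ("itunes.apple.com", "ax.itunes.apple.com", "*.mzstatic.com",
                                          "*.phobos.apple.com", "*phobos.apple.com.edgesuite.net"), "TCP", (80, 443)),
    Flow(3, ADMIN, "Google Play Store", ("play.google.com",), "TCP", (80, 443)),
    Flow(4, ADMIN, "Virtual Earth (GPS Maps)", ("*.virtualearth.net",), "TCP", (80, 443)),
    Flow(5, DEVICE, "Apple APNs Cloud", ("#-courier.push.apple.com", "gateway.push.apple.com"), "TCP", (5223,)),
    Flow(6, DEVICE, "Apple iTunes Cloud", ("phobos.apple.com", "oscp.apple.com", "ax.itunes.apple.com"), "TCP", (80, 443)),
    Flow(7, DEVICE, "Android C2DM Cloud", ("mtalk.google.com",), "TCP", (5228,)),
    Flow(8, DEVICE, "AirWatch SaaS", ("*.airwatchportals.com", "*.awmdm.com"), "TCP", (80, 443)),
)

# Constructed sample allow-list, one rule per (source, host pattern, protocol, port).
# It deliberately permits only HTTPS to the AirWatch SaaS hosts so the check has something to report.
SAMPLE_POLICY = [
    (ADMIN, "*.airwatchportals.com", "TCP", 443),
    (ADMIN, "*.awmdm.com", "TCP", 443),
    (ADMIN, "*.apple.com", "TCP", 80), (ADMIN, "*.apple.com", "TCP", 443),
    (ADMIN, "*.mzstatic.com", "TCP", 80), (ADMIN, "*.mzstatic.com", "TCP", 443),
    (ADMIN, "*phobos.apple.com.edgesuite.net", "TCP", 80), (ADMIN, "*phobos.apple.com.edgesuite.net", "TCP", 443),
    (ADMIN, "play.google.com", "TCP", 80), (ADMIN, "play.google.com", "TCP", 443),
    (ADMIN, "*.virtualearth.net", "TCP", 80), (ADMIN, "*.virtualearth.net", "TCP", 443),
    (DEVICE, "*.push.apple.com", "TCP", 5223),
    (DEVICE, "*.apple.com", "TCP", 80), (DEVICE, "*.apple.com", "TCP", 443),
    (DEVICE, "mtalk.google.com", "TCP", 5228),
    (DEVICE, "*.airwatchportals.com", "TCP", 443),
    (DEVICE, "*.awmdm.com", "TCP", 443),
]


def host_regex(pattern: str) -> re.Pattern[str]:
    """Turn a host pattern into a regex: '*' spans any label text, '#' one number."""
    escaped = re.escape(pattern.lower()).replace(r"\*", r"[a-z0-9.-]*").replace(r"\#", r"\d+")
    return re.compile(rf"^{escaped}$")


def representative(pattern: str) -> str:
    """A concrete hostname drawn from a required pattern, used to probe the policy."""
    return pattern.lower().replace("*", "host").replace("#", "7")


def rule_allows(rule, source: str, host: str, protocol: str, port: int) -> bool:
    """True if one allow-list rule permits this source -> host/protocol/port."""
    r_source, r_host, r_proto, r_port = rule
    return (r_source == source and r_proto.upper() == protocol.upper()
            and r_port == port and host_regex(r_host).match(host) is not None)


def egress_gaps(required=REQUIRED_FLOWS, policy=SAMPLE_POLICY):
    """Return (ref, source, host pattern, protocol, port) for every required flow no rule permits.

    Coverage is judged on one representative hostname per pattern, so a policy
    whose wildcards are narrower than the table's could pass this check while
    still blocking some real hosts; treat a clean result as necessary, not sufficient.
    """
    gaps = []
    for flow in required:
        for host_pattern in flow.hosts:
            host = representative(host_pattern)
            for port in flow.ports:
                if not any(rule_allows(r, flow.source, host, flow.protocol, port) for r in policy):
                    gaps.append((flow.ref, flow.source, host_pattern, flow.protocol, port))
    return gaps


if __name__ == "__main__":
    for ref, source, host, proto, port in egress_gaps():
        print(f"row {ref}: {source} -> {host} {proto}/{port} is not permitted by the policy")
```

Running the script against the sample policy reports the four port-80 flows to the AirWatch SaaS hosts (rows 1 and 8) as gaps. That is the intended use: a deliberate deviation from the table, such as permitting only HTTPS to the SaaS, shows up as an explicit finding that can be recorded in the table's Checklist column instead of being discovered during device enrollment.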


    Option 2: Integrated Cloud

    This configuration is recommended for clients who wish to leverage the simplicity of cloud deployments but still integrate existing backend resources. Connecting to corporate resources is made simple with the AirWatch Cloud Connector (ACC), which can be installed on a small VM or physical server on-premise. The AirWatch Mobile Access Gateway (MAG) provides a secure gateway allowing devices to access corporate network resources. The ACC and MAG are not co-dependent and should be considered optional components; however, almost all MAG deployments include the ACC.

    AirWatch Integration Options (the original table marks each option against ACC and MAG columns)

      o Certificates and PKI
      o SIEM
      o Corporate App Tunnel (App VPN)
      o Directory Services
      o Email Infrastructure
      o Content Repositories
      o Corporate Intranet Access

    + AirWatch's email attachment encryption feature requires the MAG (SEG component).

    ++ AirWatch's content repository sync with the Administrative Console requires the ACC.


    AirWatch Cloud Connector

    Ideal for

    Fast imple