2013 AirWatch, LLC. All Rights Reserved.
This document, as well as the software described in it, is furnished under license. The information in this manual may only be used in accordance
with the terms of the license. This document should not be reproduced, stored or transmitted in any form, except as permitted by the license or by
the express permission of AirWatch, LLC.
Other product and company names referenced in this document are trademarks and/or registered trademarks of their respective companies.
AirWatch PoC Technical Architecture | v.2013.06 | June 2013
Copyright 2013 AirWatch, LLC. All rights reserved. Proprietary & Confidential.
AirWatch PoC Technical Architecture
A guide for selecting an AirWatch PoC Evaluation Architecture
Table of Contents
Overview
Option 1: Pure Cloud
Option 2: Integrated Cloud
    Integrated Cloud - AirWatch Cloud Connector
    Integrated Cloud - No DMZ
    Integrated Cloud - DMZ Relay
    Integrated Cloud - Reverse Proxy
Option 3: On-Premise Single Server Deployment
Option 4: On-Premise Multiple Server Deployment
Appendix
Overview
The AirWatch Enterprise Mobility Management (EMM) software can be deployed through a variety of cloud or on-premise options to meet an organization's security requirements and IT strategy. This document outlines each of the supported configurations and helps determine the ideal AirWatch architecture for a successful PoC evaluation.
The comparison below (a diagram in the original) summarizes four deployment options covering both cloud and on-premise architectures.
Cloud
Benefits:
- Fastest implementation with minimal client effort
- No significant investment in technology or services
- Minimal or no network changes required
- Automatic software updates
Considerations:
- Integration with corporate resources
- Security / datacenter requirements

On Premise
Benefits:
- Complies with corporate on-premise security policies
- Direct integration with corporate systems
- Leverages existing infrastructure investments
- Physical and virtual environments supported
Considerations:
- Network firewall changes required
- Multiple software and hardware components required on-premise

Option 1: Cloud (Pure Cloud)
All devices and admin users point to AirWatch's cloud for device management. No software is installed onsite.
Ideal for: rapid deployment; no corporate infrastructure required. Does not integrate with corporate resources.

Option 2: Integrated Cloud
All components are in the cloud. A lightweight integration component is installed on-premise for backend integration.
Ideal for: cloud clients requiring enterprise integration for LDAP / PKI, Exchange, content repositories, etc.

Option 3: Single Server
On-premise deployment with a single AirWatch server installed in the DMZ or on the internal network.
Ideal for: leveraging existing infrastructure; environments where on-premise deployment is required; enterprise integration.

Option 4: Multi Server
On-premise deployment with multiple servers in the DMZ and on the internal network for multi-tier firewall architectures.
Ideal for: multi-tier networks; resources not available to the DMZ; special security policy compliance; server scalability via tier 1-3 deployments.

*Note: PoC fees may apply for on-premise deployment.
The remainder of this document defines the requirements for each of the architecture options described above. After choosing a deployment option, review the following three items for that choice:
1. Architecture Diagram: high-level design showing all data flows.
2. Prerequisite Checklist: complete list of all software and hardware preparations required.
3. Network Requirements: a listing of all port and firewall requirements.
Option 1: Pure Cloud
Cloud configurations are best suited for clients who want to minimize effort and lead time when evaluating the software. This evaluation architecture can be set up in minutes but typically does not include integration with backend resources, because client security requirements usually rule that out for a cloud-only evaluation. Integration can be added later by installing the AirWatch Cloud Connector and/or Mobile Access Gateway (see Option 2: Integrated Cloud).
Architecture Diagram
(Figure: devices and administrators connect only to the AirWatch SaaS. Optional cloud integrations shown: SAML, Office 365, Google Apps for Business.)
Prerequisite Checklist
There are no prerequisites for this deployment option.
Network Requirements
Pure Cloud
Each row is one firewall rule: source host -> destination component (destination hosts; destination IP); protocol; port(s); reference number of the flow on the architecture diagram (N/S: not shown on the diagram). The Yes / No / N/A checklist column of the original table is for the client to record whether the rule is in place. Where the destination IP is "any" for AirWatch SaaS, the original links to a list of AirWatch datacenter IP ranges that can be used to narrow the rule. In #-courier.push.apple.com the # stands for a number.

Administrators / User Self Service
1. {ADMIN_IP} -> AirWatch SaaS (*.airwatchportals.com, *.awmdm.com; any, or the AirWatch datacenter IP ranges); HTTP/HTTPS; 80/443; ref 1
2. {ADMIN_IP} -> Apple iTunes Cloud (itunes.apple.com, ax.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net; any); HTTP/HTTPS; 80/443; N/S
3. {ADMIN_IP} -> Google Play Store (play.google.com; any); HTTP/HTTPS; 80/443; N/S
4. {ADMIN_IP} -> Virtual Earth (GPS maps) (*.virtualearth.net; any); HTTP/HTTPS; 80/443; N/S

Devices
5. {Device_IP} -> Apple APNs Cloud (#-courier.push.apple.com, gateway.push.apple.com; 17.0.0.0/8); TCP; 5223; ref 2
6. {Device_IP} -> Apple iTunes Cloud (phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com; any); HTTP/HTTPS; 80/443; ref 3
7. {Device_IP} -> Android C2DM Cloud (mtalk.google.com; any); TCP; 5228; ref 4
8. {Device_IP} -> AirWatch SaaS (*.airwatchportals.com, *.awmdm.com; any, or the AirWatch datacenter IP ranges); HTTP/HTTPS; 80/443; ref 5
Option 2: Integrated Cloud
This configuration is recommended for clients who wish to keep the simplicity of a cloud deployment but still integrate existing backend resources. Corporate resources are reached through the AirWatch Cloud Connector (ACC), which can be installed on a small VM or physical server on-premise. The AirWatch Mobile Access Gateway (MAG) provides a secure gateway through which devices access corporate network resources. The ACC and MAG are not co-dependent and should be considered optional components; in practice, however, almost all MAG deployments also include the ACC.

AirWatch integration options (each supported through the ACC, the MAG, or both):
- Certificates and PKI
- SIEM
- Corporate App Tunnel (App VPN)
- Directory Services
- Email Infrastructure (+)
- Content Repositories (++)
- Corporate Intranet Access
+ AirWatch's email attachment encryption feature requires the MAG (SEG component).
++ AirWatch's content repository sync with the Administrative Console requires the ACC.
Integrated Cloud sub-options:
AirWatch Cloud Connector. Ideal for: fast implementation; minimal hardware / software on-site.
Integrated Cloud - No DMZ. Ideal for: clients without a DMZ infrastructure.
Integrated Cloud - DMZ Relay. Ideal for: clients with an existing DMZ architecture; limited connections through the DMZ firewall.
Integrated Cloud - Reverse Proxy. Ideal for: clients with an existing reverse proxy or WAF architecture.
Integrated Cloud - AirWatch Cloud Connector
Architecture Diagram
AirWatch Internal Server Includes:
AirWatch Cloud Connector
Prerequisite Checklist
Integrated Cloud - AirWatch Cloud Connector
Each item gives its category, number, title and description / purpose; the Yes / No / N/A column of the original table is the client's completion checklist.

Hardware
1. AirWatch Internal Server: Windows Server, physical or virtual. Minimum specification: 1 CPU core (> 2.0 GHz), 2 GB RAM, 1 GB disk space (5 GB if logging is enabled).
Software
2. Windows OS: Windows Server 2008 R2.
3. .NET Framework 3.5 and 4: a Windows Update pass is required after installing .NET 4 to update additional software components.
4. Internal certs (trust): the client may need to generate internal certificates for the traffic between the external internet interface for the EAS traffic and the reverse proxy, F5, SEG and CAS servers. Details to be determined by the client architect team.
Firewall Changes
5. Client firewall rules: see the firewall change requests below.
Service Accounts
6. Enterprise service accounts (optional): if implementing enterprise services, service accounts will need to be created and given specific permissions to allow integration. See Appendix.
Network Requirements
Integrated Cloud - AirWatch Cloud Connector
(Row format as in the Pure Cloud table: source host -> destination component (hosts; IP); protocol; port(s); diagram ref. N/S: not shown on the diagram.)

AirWatch Internal Server
A. {InternalServer_IP} -> Client EAS/CAS server(s) ({InternalURL_CAS}; {InternalIP_CAS}); HTTP/HTTPS; 80, 443; ref 1
B. {InternalServer_IP} -> Domain Controller ({InternalURL_DC}; {InternalIP_DC}); LDAP/LDAPS; 389, 636, 3268, 3269; ref 2
C. {InternalServer_IP} -> Enterprise Services (optional) ({InternalURL_ES}; {InternalIP_ES}); HTTP/HTTPS/SMTP; 80, 443, 25, 465; ref 3
D. {InternalServer_IP} -> Certificate Authority (optional) ({InternalURL_CA}; {InternalIP_CA}); DCOM; 135, 1025-5000, 49152-65535; ref 3
   (135 is the RPC endpoint mapper; 1025-5000 is the dynamic RPC range on Windows Server 2003 and 49152-65535 the range on Windows Server 2008 and later, so only the range matching the CA's OS is needed.)
E. {InternalServer_IP} -> AirWatch SaaS (*.airwatchportals.com, *.awmdm.com; any, or the AirWatch datacenter IP ranges); HTTPS; 443; ref 4

Administrators / User Self Service
F. {ADMIN_IP} -> AirWatch SaaS (*.airwatchportals.com, *.awmdm.com; any, or the AirWatch datacenter IP ranges); HTTP/HTTPS; 80/443; ref 5
G. {ADMIN_IP} -> Apple iTunes Cloud (*.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net; any); HTTP/HTTPS; 80/443; N/S
H. {ADMIN_IP} -> Google Play Store (play.google.com; any); HTTP/HTTPS; 80/443; N/S
I. {ADMIN_IP} -> Virtual Earth (GPS maps) (*.virtualearth.net; any); HTTP/HTTPS; 80/443; N/S

Devices
K. {Device_IP} -> Apple APNs Cloud (#-courier.push.apple.com, gateway.push.apple.com; 17.0.0.0/8); TCP; 5223; ref 6
L. {Device_IP} -> Apple iTunes Cloud (phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com; any); HTTP/HTTPS; 80/443; ref 7
M. {Device_IP} -> Android C2DM Cloud (mtalk.google.com; any); TCP; 5228; ref 8
N. {Device_IP} -> AirWatch SaaS (*.airwatchportals.com, *.awmdm.com; any, or the AirWatch datacenter IP ranges); HTTP/HTTPS; 80/443; ref 9
Integrated Cloud - No DMZ
Architecture Diagram
AirWatch Internal Server Includes:
AirWatch Cloud Connector
AirWatch Secure Email Gateway
AirWatch Mobile Access Gateway
Prerequisite Checklist
Integrated Cloud - No DMZ

Hardware
1. AirWatch Internal Server: Windows Server, physical or virtual. Minimum specification: 2 CPU cores (> 2.0 GHz), 4 GB RAM.
Software
2. Windows OS: Windows Server 2008 R2.
3. IIS 7 Server: the IIS server must also have the additional role services installed.
4. .NET Framework 3.5 and 4: a Windows Update pass is required after installing .NET 4 to update additional software components.
5. Microsoft Message Queuing (MSMQ): enabled on all AirWatch servers.
6. Java: installed on the MAG server.
DNS
7. External URL: external URL (DNS record) resolving to the internal AirWatch server.
8. Internal CAS URL: internal URL used to relay Exchange ActiveSync traffic from the AirWatch server.
Certificates
9. Public SSL certificate: publicly trusted SSL certificate matching the external DNS name of the AirWatch SEG/EIS server.
10. Internal certs (trust): the client may need to generate internal certificates for the traffic between the external internet interface for the EAS traffic and the reverse proxy, F5, SEG and CAS servers. Details to be determined by the client architect team.
Load Balancer
11. Load balancer setup (optional): if installing the SEG/MAG behind a network load balancer, the client will need to set up the load balancer configuration. Persistence should be set on the SSL session for 15 minutes. See Appendix for more details.
Firewall Changes
12. Client firewall rules: see the firewall change requests below.
Service Accounts
13. Enterprise service accounts (optional): if implementing enterprise services, service accounts will need to be created and given specific permissions to allow integration. See Appendix.
Network Requirements
Integrated Cloud - No DMZ
(Row format as in the Pure Cloud table. Rows J and O are inbound rules from the internet to the internal server, which is why this option is intended for clients without a DMZ.)

AirWatch Internal Server
A. {InternalServer_IP} -> Client EAS/CAS server(s) ({InternalURL_CAS}; {InternalIP_CAS}); HTTP/HTTPS; 80, 443; ref 1
B. {InternalServer_IP} -> Domain Controller ({InternalURL_DC}; {InternalIP_DC}); LDAP/LDAPS; 389, 636, 3268, 3269; ref 2
C. {InternalServer_IP} -> Enterprise Services (optional) ({InternalURL_ES}; {InternalIP_ES}); HTTP/HTTPS/SMTP; 80, 443, 25, 465; ref 3
D. {InternalServer_IP} -> Certificate Authority (optional) ({InternalURL_CA}; {InternalIP_CA}); DCOM; 135, 1025-5000, 49152-65535; ref 3
E. {InternalServer_IP} -> AirWatch SaaS (*.airwatchportals.com, *.awmdm.com; any, or the AirWatch datacenter IP ranges); HTTPS; 443; ref 4

Administrators / User Self Service
F. {ADMIN_IP} -> AirWatch SaaS (*.airwatchportals.com, *.awmdm.com; any, or the AirWatch datacenter IP ranges); HTTP/HTTPS; 80/443; ref 5
G. {ADMIN_IP} -> Apple iTunes Cloud (*.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net; any); HTTP/HTTPS; 80/443; N/S
H. {ADMIN_IP} -> Google Play Store (play.google.com; any); HTTP/HTTPS; 80/443; N/S
I. {ADMIN_IP} -> Virtual Earth (GPS maps) (*.virtualearth.net; any); HTTP/HTTPS; 80/443; N/S

AirWatch SaaS
J. AirWatch SaaS (AirWatch datacenter IP ranges) -> AirWatch Server (AW Public URL; AW Public IP); HTTPS; 443; ref 6

Devices
K. {Device_IP} -> Apple APNs Cloud (#-courier.push.apple.com, gateway.push.apple.com; 17.0.0.0/8); TCP; 5223; ref 7
L. {Device_IP} -> Apple iTunes Cloud (phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com; any); HTTP/HTTPS; 80/443; ref 8
M. {Device_IP} -> Android C2DM Cloud (mtalk.google.com; any); TCP; 5228; ref 9
N. {Device_IP} -> AirWatch SaaS (*.airwatchportals.com, *.awmdm.com; any, or the AirWatch datacenter IP ranges); HTTP/HTTPS; 80/443; ref 10
O. {Device_IP} -> AirWatch Internal Server (AW Public URL; AW Public IP); HTTPS; 443, 2010, 2020; ref 11
Integrated Cloud - DMZ Relay
Architecture Diagram
AirWatch DMZ Server Includes:
AirWatch Secure Email Gateway
AirWatch Mobile Access Gateway Relay
AirWatch Internal Server Includes:
AirWatch Cloud Connector
AirWatch Mobile Access Gateway Endpoint
Prerequisite Checklist
Integrated Cloud - DMZ Relay

Hardware
1. AirWatch DMZ Server: Windows Server, physical or virtual. Minimum specification: 2 CPU cores (> 2.0 GHz), 4 GB RAM.
Software
2. Windows OS: Windows Server 2008 R2.
3. IIS 7 Server: the IIS server must also have the additional role services installed.
4. .NET Framework 3.5 and 4: a Windows Update pass is required after installing .NET 4 to update additional software components.
5. Microsoft Message Queuing (MSMQ): enabled on all AirWatch servers.
6. Java: installed on the MAG server.
7. AirWatch software: available through the administrative console.
DNS
8. External URL: external URL (DNS record) resolving to the AirWatch DMZ server.
9. Internal CAS URL: internal URL used to relay traffic from the AirWatch SEG/EIS.
10. Internal URL: internal URL (DNS record) resolving to the AirWatch Internal server.
Certificates
11. Public SSL certificate (AirWatch DMZ): publicly trusted SSL certificate matching the external DNS name of the AirWatch DMZ server. Required if using SEG / MAG.
12. Internal certs (trust): the client may need to generate internal certificates for the traffic between the external internet interface for the EAS traffic and the reverse proxy, F5, SEG and CAS servers. Details to be determined by the client architect team.
Load Balancer
13. Load balancer setup (optional): if installing the SEG/MAG behind a network load balancer, the client will need to set up the load balancer configuration. Persistence should be set on the SSL session for 15 minutes. See Appendix for more details.
Firewall Changes
14. Client firewall rules: see the firewall change requests below.
Service Accounts
15. Enterprise service accounts (optional): if implementing enterprise services, service accounts will need to be created and given specific permissions to allow integration. See Appendix.
Network Requirements
Integrated Cloud - DMZ Relay
(Row format as in the Pure Cloud table. Only rows B and E cross the DMZ firewall into the internal network; everything inbound from the internet terminates on the DMZ server.)

AirWatch DMZ Server
A. {DMZ_Server_IP} -> Client EAS/CAS server(s) ({InternalURL_CAS}; {InternalIP_CAS}); HTTP/HTTPS; 80, 443; ref 1
B. {DMZ_Server_IP} -> AirWatch Internal Server ({InternalURL_AWInternal}; {InternalIP_AWInternal}); HTTP/HTTPS; 443, 2010; ref 2
C. {DMZ_Server_IP} -> AirWatch SaaS (*.airwatchportals.com, *.awmdm.com; any, or the AirWatch datacenter IP ranges); HTTPS; 443; ref 3

AirWatch Internal Server
D. {InternalServer_IP} -> Internal Network ({InternalURL_DC}, {Internal_BES}, {Internal_ADCS}, {Internal_SMTP}, {Internal_SharePoint}, {InternalURL_CA}; {InternalIP_IP}); DCOM, HTTPS, LDAP/LDAPS, SMTP; 389, 636, 3268, 3269, 135, 443, 25; ref 4
E. {InternalServer_IP} -> AirWatch DMZ Server (AW Public URL; AW Public IP); HTTPS; 443; ref 5

Administrators / User Self Service
F. {ADMIN_IP} -> AirWatch SaaS (*.airwatchportals.com, *.awmdm.com; any, or the AirWatch datacenter IP ranges); HTTP/HTTPS; 80/443; ref 6
G. {ADMIN_IP} -> Apple iTunes Cloud (itunes.apple.com, ax.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net; any); HTTP/HTTPS; 80/443; N/S
H. {ADMIN_IP} -> Google Play Store (play.google.com; any); HTTP/HTTPS; 80/443; N/S
I. {ADMIN_IP} -> Virtual Earth (GPS maps) (*.virtualearth.net; any); HTTP/HTTPS; 80/443; N/S

AirWatch SaaS
J. AirWatch SaaS (AirWatch datacenter IP ranges) -> AirWatch DMZ Server (AW Public URL; AW Public IP); HTTPS; 443; ref 7

Devices
K. {Device_IP} -> Apple APNs Cloud (#-courier.push.apple.com, gateway.push.apple.com; 17.0.0.0/8); TCP; 5223; ref 8
L. {Device_IP} -> Apple iTunes Cloud (phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com; any); HTTP/HTTPS; 80/443; ref 9
M. {Device_IP} -> Android C2DM Cloud (mtalk.google.com; any); TCP; 5228; ref 10
N. {Device_IP} -> AirWatch SaaS (*.airwatchportals.com, *.awmdm.com; any, or the AirWatch datacenter IP ranges); HTTP/HTTPS; 80/443; ref 11
O. {Device_IP} -> AirWatch DMZ Server (AW Public URL; AW Public IP); HTTPS; 443, 2010, 2020; ref 12
Integrated Cloud - Reverse Proxy
Architecture Diagram
AirWatch Internal Server Includes:
AirWatch Cloud Connector
AirWatch Secure Email Gateway
AirWatch Mobile Access Gateway
Prerequisite Checklist
Integrated Cloud - Reverse Proxy

Hardware
1. AirWatch Internal Server: Windows Server, physical or virtual. Minimum specification: 2 CPU cores (> 2.0 GHz), 4 GB RAM.
Software
2. Windows OS: Windows Server 2008 R2.
3. IIS 7 Server: the IIS server must also have the additional role services installed.
4. .NET Framework 3.5 and 4: a Windows Update pass is required after installing .NET 4 to update additional software components.
5. Microsoft Message Queuing (MSMQ): enabled on all AirWatch servers.
6. Java: installed on the MAG.
7. AirWatch software: will be provided to the client during the install.
DNS
8. External URL: external URL (DNS record) resolving to the AirWatch Internal server.
9. Internal CAS URL: internal URL used to relay Exchange ActiveSync traffic from the AirWatch server.
Certificates
10. Public SSL certificate: publicly trusted SSL certificate matching the external DNS name of the AirWatch Internal server.
11. Internal certs (trust): the client may need to generate internal certificates for the traffic between the external internet interface for the EAS traffic and the reverse proxy, F5, SEG and CAS servers. Details to be determined by the client architect team.
12. MAG SSL certificate: the MAG SSL certificate must be installed on the reverse proxy.
Load Balancer
13. Load balancer setup (optional): if installing AirWatch behind a network load balancer, the client will need to set up the load balancer configuration. Persistence should be set on the SSL session for 15 minutes. See Appendix for more details.
Firewall Changes
14. Client firewall rules: see the firewall change requests below.
Service Accounts
15. Enterprise service accounts (optional): if implementing enterprise services, service accounts will need to be created and given specific permissions to allow integration. See Appendix.
Network Requirements
Integrated Cloud - Reverse Proxy
(Row format as in the Pure Cloud table. Rows H and M reach the internal server through the client's reverse proxy.)

AirWatch Internal Server
A. {InternalServer_IP} -> Client EAS/CAS server(s) (optional) ({InternalURL_CAS}; {InternalIP_CAS}); HTTP/HTTPS; 80, 443; ref 1
B. {InternalServer_IP} -> Enterprise Services (optional) ({InternalURL_DC}, {Internal_BES}, {Internal_ADCS}, {Internal_SMTP}, {Internal_SharePoint}, {InternalURL_CA}; {InternalIP_IP}); DCOM, HTTPS, LDAP/LDAPS, SMTP; 389, 636, 3268, 3269, 135, 443, 25; ref 2
C. {InternalServer_IP} -> AirWatch SaaS (*.airwatchportals.com, *.awmdm.com; any, or the AirWatch datacenter IP ranges); HTTPS; 443; ref 3

Administrators / User Self Service
D. {ADMIN_IP} -> AirWatch SaaS (*.airwatchportals.com, *.awmdm.com; any, or the AirWatch datacenter IP ranges); HTTP/HTTPS; 80/443; ref 4
E. {ADMIN_IP} -> Apple iTunes Cloud (*.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net; any); HTTP/HTTPS; 80/443; N/S
F. {ADMIN_IP} -> Google Play Store (play.google.com; any); HTTP/HTTPS; 80/443; N/S
G. {ADMIN_IP} -> Virtual Earth (GPS maps) (*.virtualearth.net; any); HTTP/HTTPS; 80/443; N/S

AirWatch SaaS
H. AirWatch SaaS (AirWatch datacenter IP ranges) -> AirWatch Internal Server (AW Public URL; AW Public IP); HTTPS; 443; ref 5

Devices
I. {Device_IP} -> Apple APNs Cloud (#-courier.push.apple.com, gateway.push.apple.com; 17.0.0.0/8); TCP; 5223; ref 6
J. {Device_IP} -> Apple iTunes Cloud (phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com; any); HTTP/HTTPS; 80/443; ref 7
K. {Device_IP} -> Android C2DM Cloud (mtalk.google.com; any); TCP; 5228; ref 8
L. {Device_IP} -> AirWatch SaaS (*.airwatchportals.com, *.awmdm.com; any, or the AirWatch datacenter IP ranges); HTTP/HTTPS; 80/443; ref 9
M. {Device_IP} -> AirWatch Internal Server (AW Public URL; AW Public IP); HTTPS; 443, 2010, 2020; ref 10
Option 3: On-Premise Single Server Deployment
This configuration simplifies installation and maintenance for smaller deployments while leaving room to scale and to add high availability later. A single-server deployment allows easy integration with enterprise services, as well as simplified control and validation of the entire environment. Single-server configurations are commonly deployed in DMZ architectures where the entire solution is installed on one physical or virtual server. A WAF or TMG solution is also commonly used to proxy the internet-facing endpoints.
Architecture Diagram
AirWatch Internal Server Includes:
AirWatch Console
AirWatch Device Services
AirWatch Secure Email Gateway
AirWatch Mobile Access Gateway
Prerequisite Checklist
On-Premise Single Server

Hardware
1. AirWatch Internal Server: Windows Server on which the AirWatch server software is installed, physical or virtual. Minimum specification: 2 CPU cores (> 2.0 GHz), 6 GB RAM, ~100 GB drive.
2. Reverse proxy server (optional): the client may choose an existing server to use for the reverse proxy or install a dedicated server that meets their specifications.
Software
3. Windows OS: Windows Server 2008 R2.
4. SQL Server: Microsoft SQL Server 2008 (2008 R2 recommended). Required on the database server.
5. SQL Server Reporting Services: Microsoft SQL Server Reporting Services 2008 (2008 R2 recommended).
6. IIS 7 Server: the IIS server must also have the additional role services installed.
7. .NET Framework 3.5 and 4: a Windows Update pass is required after installing .NET 4 to update additional software components.
8. Microsoft Message Queuing (MSMQ): enabled on all AirWatch servers.
9. Java: installed on the MAG server.
DNS
10. External public URL: external URL (DNS record) for the public, internet-facing AirWatch server (e.g. https://company.mdm.com).
11. Internal CAS URL (optional): internal URL used to relay traffic from the AirWatch SEG to the ActiveSync CAS server.
12. Internal DC URL (optional): the client's internal domain (AD) DNS name used by the AirWatch server to connect to AD for authenticating users.
13. Internal CA host (optional): internal hostname and CA issuing name of the CA or SCEP endpoint.
Certificates
14. Public SSL certificate: publicly trusted SSL certificate matching the external DNS name of the AirWatch SEG/EIS server (if applicable).
15. Internal certs (trust): the client may need to generate internal certificates for the traffic between the external internet interface for the EAS traffic and the reverse proxy, F5, SEG and CAS servers. Details to be determined by the client architect team.
16. MAG SSL certificate: the MAG SSL certificate must be installed on the reverse proxy.
Firewall Changes
17. Client firewall rules: see the firewall change requests below.
Load Balancer
18. Load balancer setup (optional): if installing AirWatch behind a network load balancer, the client will need to set up the load balancer configuration. Persistence should be set on the SSL session for 15 minutes. See Appendix for more details.
Service Accounts
19. Enterprise service accounts (optional): if implementing enterprise services, service accounts will need to be created and given specific permissions to allow integration. See Appendix.
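The certificate items in this checklist and in the Integrated Cloud and Multi Server checklists (a publicly trusted certificate whose name matches the external DNS record, the MAG certificate installed on the reverse proxy, internal trust certificates), together with the LDAPS and HTTPS rows of the network tables, can be verified before the PoC begins. The PowerShell below is an added example written for this page, not AirWatch tooling. Test-InstalledCertificate searches the local machine store for a certificate whose Subject Alternative Name covers the external DNS name and reports whether the private key is present, whether the chain builds to a trusted root and when it expires; Test-TlsEndpoint opens a TLS session to a host and port (the external URL on 443, or a domain controller on 636 for LDAPS), records the .NET chain and host-name verdict without enforcing it, and reports the certificate actually presented. The host names in the usage lines are placeholders.

```powershell
# Added example for this page (not AirWatch's own tooling). Host names below are placeholders.
# Windows PowerShell 2.0 or later; uses only .NET Framework classes.

function Get-SanDnsNames {
    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17), if any.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Format($false) renders e.g. "DNS Name=mdm.example.com, DNS Name=*.example.com"
    @($san.Format($false) -split ', ' |
        Where-Object { $_ -like 'DNS Name=*' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim().ToLowerInvariant() })
}

function Test-NameCovered {
    # RFC 6125 style match: exact, or a wildcard in the leftmost label only, covering exactly one label.
    param([string]$Name, [string[]]$DnsNames)
    $name = $Name.ToLowerInvariant()
    foreach ($d in $DnsNames) {
        if ($d -eq $name) { return $true }
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)                       # "*.example.com" -> ".example.com"
            if ($name.EndsWith($suffix) -and $name.Split('.').Length -eq $d.Split('.').Length) { return $true }
        }
    }
    return $false
}

function Test-InstalledCertificate {
    # Finds certificates in the store that cover $ExternalDnsName and reports the checks that
    # matter for the SEG/MAG public certificate and for the MAG certificate on the reverse proxy.
    param(
        [Parameter(Mandatory=$true)][string]$ExternalDnsName,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    foreach ($cert in (Get-ChildItem $StorePath)) {
        $names = Get-SanDnsNames -Certificate $cert
        if (-not (Test-NameCovered -Name $ExternalDnsName -DnsNames $names)) { continue }
        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            DnsNames      = ($names -join ', ')
            HasPrivateKey = $cert.HasPrivateKey   # required to terminate TLS on this host
            ChainTrusted  = $cert.Verify()        # chain to the machine's trusted roots, with revocation checking
            NotAfter      = $cert.NotAfter
            DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
}

function Test-TlsEndpoint {
    # Opens a TLS session to $HostName:$Port (443 for the external URL, 636 for LDAPS on a
    # domain controller), records .NET's chain/host-name verdict and reports the leaf certificate.
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [int]$Port = 443
    )
    $verdict = @{ Errors = $null }
    # Diagnostic callback: record the policy errors and let the handshake finish so the certificate
    # can be reported. Production code must return $true only when $errors is None.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $verdict.Errors = $errors
        return $true
    }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)        # $HostName is what the SAN is checked against
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $leafNames = Get-SanDnsNames -Certificate $leaf
        New-Object PSObject -Property @{
            Endpoint     = "${HostName}:${Port}"
            Protocol     = $ssl.SslProtocol
            PolicyErrors = $verdict.Errors          # None = chain trusted and name matched
            Subject      = $leaf.Subject
            Issuer       = $leaf.Issuer
            DnsNames     = ($leafNames -join ', ')
            NameCovered  = (Test-NameCovered -Name $HostName -DnsNames $leafNames)
            NotAfter     = $leaf.NotAfter
        }
    } finally {
        $client.Close()
    }
}

# Usage (placeholder names): the SEG/MAG public name, then a domain controller over LDAPS.
Test-InstalledCertificate -ExternalDnsName 'mdm.example.com' | Format-List
Test-TlsEndpoint -HostName 'mdm.example.com' -Port 443 | Format-List
Test-TlsEndpoint -HostName 'dc01.corp.example.com' -Port 636 | Format-List
```

Run Test-TlsEndpoint against the domain controller from the AirWatch server before settling on port 389: a PolicyErrors value other than None on 636 usually means the DC certificate is issued by an internal CA the AirWatch server does not yet trust, which is exactly the "internal certs (trust)" item in the checklist. Falling back to plain LDAP on 389 sends the directory bind credentials in the clear unless LDAP signing is enforced on both sides.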
Network Requirements
On-Premise Single Server
(Row format as in the Pure Cloud table. Rows B and E are the server-side push connections to Apple and Google; the device-side APNs and C2DM rows N and P are still required.)

AirWatch Internal Server
A. {InternalServer_IP} -> Internal Network ({InternalURL_DC}, {Internal_CAS}, {Internal_BES}, {Internal_ADCS}, {Internal_SMTP}, {Internal_SharePoint}; {Internal_IPs}); DCOM, HTTPS, LDAP/LDAPS, SMTP; 389, 636, 3268, 3269, 135, 443, 25, 465; ref 1
B. {InternalServer_IP} -> Apple APNs Cloud (gateway.push.apple.com, feedback.push.apple.com; 17.0.0.0/8); TCP; 2195, 2196; ref 2
C. {InternalServer_IP} -> Apple iTunes Cloud (*.itunes.apple.com, *.phobos.apple.com; any); HTTP/HTTPS; 80, 443; ref 3
D. {InternalServer_IP} -> Google Play Store (play.google.com; any); HTTP/HTTPS; 80, 443; N/S
E. {InternalServer_IP} -> Android C2DM Cloud (android.googleapis.com, android.apis.google.com, www.google.com, google.com; any); HTTPS; 443; ref 5
F. {InternalServer_IP} -> CellTrust SMS Gateway (optional) (gateway.celltrust.net; 162.42.205.0/24); HTTPS; 443; N/S
G. {InternalServer_IP} -> AirWatch Certificate Portal (awcp.air-watch.com; any, or the AirWatch datacenter IP ranges); HTTPS; 443; N/S
H. {InternalServer_IP} -> CRL/OCSP responder of the SSL signing certificate's issuer (e.g. ocsp.verisign.com; IP TBD); HTTP; 80; N/S
I. {InternalServer_IP} -> SQL Server ({SQLServer_Name}; {SQLServer_IP}); TCP; 1433; ref 6
J. {InternalServer_IP} -> SQL Server Reporting Services ({SSRS_Name}; {SSRS_IP}); HTTP; 80; ref 7
K. {InternalServer_IP} -> AirWatch Autodiscovery Server (discovery.awmdm.com; 209.208.230.100); HTTPS; 443; ref 8

Administrators / User Self Service
L. {ADMIN_IP} -> AirWatch Internal Server ({InternalServer}; {InternalServer_IP}); HTTP/HTTPS; 80, 443; ref 9
M. {ADMIN_IP} -> Virtual Earth (GPS maps) (*.virtualearth.net; any); HTTP/HTTPS; 80, 443; N/S

Devices
N. {Device_IP} -> Apple APNs Cloud (#-courier.push.apple.com, gateway.push.apple.com; 17.0.0.0/8); TCP; 5223; ref 10
O. {Device_IP} -> Apple iTunes Cloud (phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com; any); HTTP/HTTPS; 80, 443; ref 11
P. {Device_IP} -> Android C2DM Cloud (mtalk.google.com; any); TCP; 5228; ref 12
Q. {Device_IP} -> AirWatch Server (AW Public URL; AW Public IP); HTTP/HTTPS; 80, 443, 2001, 2010, 2020; ref 13
R. {Device_IP} -> AirWatch Autodiscovery Server (discovery.awmdm.com; 209.208.230.100); HTTPS; 443; ref 14
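The Network Requirements tables in this document (Pure Cloud, the three Integrated Cloud variants and this one) are lists of outbound TCP rules, and the quickest way to find out which ones the client's firewall has not yet opened is to attempt each connection from the source segment. The PowerShell below is an added example for this page, not AirWatch tooling: it expands each rule into host and port probes, applies a connect timeout so a silently dropping firewall shows up as "timeout" rather than hanging the run, and reports pattern hosts that cannot be resolved as written (*.awmdm.com, #-courier.push.apple.com) unless a concrete name is supplied. The sample rule set is transcribed from the Devices rows of the Pure Cloud table; tenant.awmdm.com is a placeholder for the tenant host name assigned for the PoC.

```powershell
# Added example for this page (not AirWatch's own tooling). Run it from the network segment
# named in the rule's source column ({Device_IP} rules from the device Wi-Fi segment,
# {InternalServer_IP} rules from the AirWatch server). Windows PowerShell 2.0 or later.

function Test-TcpPort {
    # One TCP connect with a timeout; returns 'open', 'timeout' or the socket error text.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'timeout (dropped by a firewall?)' }
        $client.EndConnect($async)
        return 'open'
    } catch {
        return "error: $($_.Exception.Message)"    # DNS failure or RST from a rejecting firewall
    } finally {
        $client.Close()
    }
}

function Test-EgressRules {
    # Expands each rule into host x port probes. Wildcard and numbered hosts (*.awmdm.com,
    # #-courier.push.apple.com) cannot be resolved; map them to a concrete host in -HostMap
    # or they are reported as skipped rather than silently passed.
    param([array]$Rules, [hashtable]$HostMap = @{})
    foreach ($rule in $Rules) {
        foreach ($h in $rule.Hosts) {
            $target = $h
            $skip = $false
            if ($h -match '^[*#]') {
                if ($HostMap.ContainsKey($h)) { $target = $HostMap[$h] } else { $skip = $true }
            }
            foreach ($p in $rule.Ports) {
                $result = if ($skip) { 'skipped: pattern host, add a concrete name to -HostMap' }
                          else       { Test-TcpPort -HostName $target -Port $p }
                New-Object PSObject -Property @{
                    Ref = $rule.Ref; Destination = $rule.Dest; Host = $target; Port = $p; Result = $result
                }
            }
        }
    }
}

# Constructed from the Pure Cloud table, Devices rows (diagram refs 2-5).
$Rules = @(
    @{ Ref = 2; Dest = 'Apple APNs Cloud';   Hosts = @('#-courier.push.apple.com', 'gateway.push.apple.com');  Ports = @(5223) },
    @{ Ref = 3; Dest = 'Apple iTunes Cloud'; Hosts = @('phobos.apple.com', 'ocsp.apple.com', 'ax.itunes.apple.com'); Ports = @(80, 443) },
    @{ Ref = 4; Dest = 'Android C2DM Cloud'; Hosts = @('mtalk.google.com');                                     Ports = @(5228) },
    @{ Ref = 5; Dest = 'AirWatch SaaS';      Hosts = @('*.airwatchportals.com', '*.awmdm.com');                 Ports = @(80, 443) }
)

# tenant.awmdm.com is a placeholder: substitute the tenant host name assigned for the PoC.
Test-EgressRules -Rules $Rules -HostMap @{ '*.awmdm.com' = 'tenant.awmdm.com' } |
    Format-Table Ref, Destination, Host, Port, Result -AutoSize
```

"open" only proves that the TCP handshake gets through; it says nothing about what sits in the path. APNs on 5223 is TLS end to end between the device and Apple, so a TLS-inspecting proxy will break push even when this probe reports the port open, and the same applies to the Android connection on 5228. Rows that list a destination IP such as 17.0.0.0/8 should be opened by address range rather than by resolved host name, because the push hosts resolve to changing addresses inside that range.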
Option 4: On-Premise Multiple Server Deployment
A multi-server deployment is recommended for organizations managing a larger number of devices and/or those wanting to utilize a DMZ. In a setup using a DMZ, any AirWatch component that actively communicates with devices should be placed in the DMZ, outside the organization's internal network. Advantages of this configuration include:
- Increased security of external-facing services, such as the AirWatch Device Services component, Secure Email Gateway and Mobile Access Gateway, by placing them in the network's DMZ to quarantine incoming traffic while preventing external visibility of internal resources.
Architecture Diagram
AirWatch DMZ Server includes:
- AirWatch Device Services
- AirWatch Secure Email Gateway
- AirWatch Mobile Access Gateway
AirWatch Internal Server includes:
- AirWatch Console Services
- AirWatch Cloud Connector
Prerequisite Checklist
On-Premise Multi Server
# | Title | Description / Purpose | Yes / No / N/A

Hardware
1 | AirWatch Internal Server (Internal) | Windows Server to install the AirWatch Server software. Minimum specification: 2 CPU cores (> 2.0 GHz), 6 GB RAM, ~100 GB drive (physical or virtual)
2 | AirWatch DMZ Server | Windows Server to install the Enterprise Integration software. Minimum specification: 2 CPU cores (> 2.0 GHz), 4 GB RAM (physical or virtual)

Software
3 | Windows OS | Windows Server 2008 R2
4 | SQL Server | Microsoft SQL Server 2008 (2008 R2 recommended). Required on the database server.
5 | SQL Server Reporting Services | Microsoft SQL Server Reporting Services 2008 (2008 R2 recommended)
6 | IIS 7 Server | The IIS server must also have additional role services installed.
7 | .NET Framework 3.5 & 4 | A Windows Update is required after installing .NET 4 to update additional software components.
8 | Microsoft Messaging Queue (MSMQ) | Enabled on all AirWatch servers.
9 | Java | Installed on the MAG server.

DNS
10 | External URL | External URL (DNS record) resolving to the AirWatch DMZ server
11 | Internal CAS URL | Internal URL to relay traffic from the AirWatch SEG server.
11 | Internal URL | Internal URL (DNS record) resolving to the AirWatch Internal server

Certificates
12 | Public SSL Certificate (AirWatch DMZ) | Publicly trusted SSL certificate matching the external DNS name of the AirWatch DMZ server.
13 | SSL Certificate (AirWatch Internal) | SSL certificate matching the internal URL of the AirWatch Internal server.

Load Balancer
14 | Load Balancer Setup (Optional) | If installing AirWatch behind a network load balancer, the client will need to set up the load balancer configuration. Persistence should be set on the SSL session for 15 minutes. See Appendix for more details.

Firewall Changes
15 | Client Firewall Rules | See the Firewall Change Requests below.

Service Accounts
16 | Enterprise Service Accounts (Optional) | If implementing enterprise services, service accounts will need to be created and given specific permissions to allow integration. See Appendix.
Network Changes
On-Premise Multi Server
Ref | Source Host | Destination Component | Destination Host | Destination IP | Protocol | Port | Diagram Ref | Yes / No / N/A

AirWatch Internal Server
A | {InternalServer_IP} | Internal Network | {InternalURL_DC}, {Internal_CAS}, {Internal_BES}, {Internal_ADCS}, {Internal_SMTP}, {Internal_SharePoint} | {Internal_IPs} | DCOM, HTTPS, LDAP/LDAPS, SMTP | 389, 636, 3268, 3269, 135, 443, 25, 465 | 1
B | {InternalServer_IP} | SQL Server | {SQLServer_Name} | {SQLServer_IP} | TCP | 1433 | 2
C | {InternalServer_IP} | SQL Server Reporting Sync | {SQLServer_Name} | {SQLServer_IP} | HTTP/HTTPS | 80, 443 | 2
D | {InternalServer_IP} | Apple APNs Cloud | gateway.push.apple.com, feedback.push.apple.com | 17.0.0.0/8 | TCP | 2195, 2196 | 3
E | {InternalServer_IP} | Apple iTunes Cloud | *.itunes.apple.com, *.phobos.apple.com | any | HTTP/HTTPS | 80, 443 | 4
F | {InternalServer_IP} | Google Play Store | play.google.com | any | HTTP/HTTPS | 80, 443 | 5
G | {InternalServer_IP} | Google Cloud Messaging | android.googleapis.com, android.apis.google.com, www.google.com, google.com | any | TCP | 443 | N/S
H | {InternalServer_IP} | CellTrust SMS | gateway.celltrust.net | 162.42.205.0/24 | HTTPS | 443 | N/S
I | {InternalServer_IP} | AW DMZ Server | {DMZServer_Name} | {DMZServer_IP} | TCP | 443, 2001 | 6
J | {InternalServer_IP} | AirWatch Autodiscovery Server | discovery.awmdm.com | 209.208.230.100 | HTTPS | 443 | 7

AirWatch DMZ Server
K | {DMZ_Server_IP} (SEG only) | Client CAS Server(s) | {InternalURL_EAS} | {InternalIP_EAS} | HTTPS | 443 | 8
L | {DMZ_Server_IP} | Apple APNs Cloud | gateway.push.apple.com | 17.0.0.0/8 | TCP | 2195, 2196 | 9
M | {DMZ_Server_IP} | Google Cloud Messaging | android.googleapis.com, android.apis.google.com, www.google.com, google.com | any | TCP | 443 | 10
N | {DMZ_Server_IP} | SSL Cert CRL | TBD | any | HTTP | 80 | N/S
O | {DMZ_Server_IP} | AirWatch Internal Server | {InternalServer_URL} | {InternalServer_IP} | HTTPS | 443, 2010 | 11
P | {DMZ_Server_IP} | SQL Server | {SQLServer_Name} | {SQLServer_IP} | TCP | 1433 | 2
Q | {DMZ_Server_IP} | AirWatch Autodiscovery Server | discovery.awmdm.com | 209.208.230.100 | HTTPS | 443 | 17

Administrators
R | {ADMIN_IP} | Virtual Earth (GPS Maps) | *.virtualearth.net | any | HTTP/HTTPS | 80, 443 | N/S
S | {ADMIN_IP} | AirWatch Internal Server | {InternalServer_URL} | {InternalServer_IP} | HTTP/HTTPS | 80, 443 | 12

Self Service Portal
T | {USER_IP} | AirWatch DMZ Server | {DMZ_Server_URL} | {DMZ_Server_IP} | HTTP/HTTPS | 80, 443 | N/S

Devices
U | {Device_IP} | Apple APNs Cloud | #-courier.push.apple.com, gateway.push.apple.com | 17.0.0.0/8 | TCP | 5223 | 13
V | {Device_IP} | Apple iTunes Cloud | phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com | any | HTTP/HTTPS | 80, 443 | 14
W | {Device_IP} | Android C2DM Cloud | mtalk.google.com | any | TCP | 5228 | 15
X | {Device_IP} | AirWatch Server | {DMZ_Server_URL} | Public IP | HTTP/HTTPS | 80, 443, 2001, 2010, 2020 | 16
Y | {Device_IP} | AirWatch Autodiscovery Server | discovery.awmdm.com | 209.208.230.100 | HTTPS | 443 | 18
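As an added example (not part of the AirWatch document and not AirWatch tooling), the following Python script turns rows of the Network Changes tables, this one and the single-server one before it, into host:port connectivity checks that can be run from the source host before the firewall change requests are signed off. The rule rows below are a constructed subset of the DMZ server rows (L, O and P); curly-brace placeholders such as {SQLServer_Name} are reported as unresolved rather than tested, and the connector is injectable so the logic can be exercised without network access.

```python
"""Prerequisite connectivity checker for firewall change-request rows.

Added example, not from the AirWatch document. Each Rule mirrors one row of
the Network Changes table (ref letter, destination component, destination
hosts, ports); check_rules() expands every host/port pair and tries a TCP
connect from the machine it runs on. Placeholders in curly braces are flagged
as unresolved so the client fills them in before testing.
"""
import re
import socket
from dataclasses import dataclass

# A destination host that is still a template value, e.g. {SQLServer_Name}
PLACEHOLDER = re.compile(r"^\{[^}]*\}$")


@dataclass
class Rule:
    ref: str          # row letter in the table
    destination: str  # destination component
    hosts: list       # destination host names
    ports: list       # TCP ports the rule must permit


# Constructed subset of the AirWatch DMZ Server rows L, O and P above.
SAMPLE_RULES = [
    Rule("L", "Apple APNs Cloud", ["gateway.push.apple.com"], [2195, 2196]),
    Rule("O", "AirWatch Internal Server", ["{InternalServer_URL}"], [443, 2010]),
    Rule("P", "SQL Server", ["{SQLServer_Name}"], [1433]),
]


def tcp_connect(host, port, timeout=5.0):
    """Default connector: True only if a TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def expand(rule):
    """All (host, port) pairs a single table row requires."""
    return [(host, port) for host in rule.hosts for port in rule.ports]


def check_rules(rules, connect=tcp_connect):
    """Classify every (ref, host, port) as open, blocked or unresolved."""
    report = {"open": [], "blocked": [], "unresolved": []}
    for rule in rules:
        for host, port in expand(rule):
            key = (rule.ref, host, port)
            if PLACEHOLDER.match(host):
                report["unresolved"].append(key)   # template value never filled in
            elif connect(host, port):
                report["open"].append(key)
            else:
                report["blocked"].append(key)      # firewall change still needed
    return report


def format_report(report):
    """One line per checked pair, grouped by status."""
    lines = []
    for status in ("open", "blocked", "unresolved"):
        for ref, host, port in report[status]:
            lines.append(f"{status.upper():10} {ref} {host}:{port}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(check_rules(SAMPLE_RULES)))
```

Run it on the Internal or DMZ server once the placeholders have been replaced with the client's real host names; a BLOCKED line maps directly back to a row letter in the table, which is the reference the firewall team needs.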
Appendix
The table below lists the service accounts required to integrate with backend enterprise services.
Service Accounts
# | Title | Description / Purpose | Reference | Yes / No / N/A
1 | SQL Service Account | SQL service account used to install the AirWatch database. Requires the System Administrator permission. |
2 | LDAP Binding Account | Client LDAP service account used to authenticate binding requests into the client LDAP directory for all users in the desired OU. |
3 | Enterprise Integration Service Account | If implementing SCEP, CA, BES, Exchange 2010 PowerShell or SMTP authentication, an AirWatch service account will need to be created and assigned to the AirWatch Enterprise Integration Server. This account requires the Remote Services permission in AirWatch. | AirWatch Enterprise Integration Service Guide
4 | Certificate Authority Service Account | Client CA service account used to issue and revoke certificates from the CA. Requires these permissions on the CA: Issue and Manage Certificates; Request Certificates. Requires these permissions on the certificate template: Read; Enroll. | AirWatch Certificate Management
5 | PowerShell Service Account | Exchange 2010 and Office 365 permissions: Organization Client Access; Mail Recipients; Recipient Policies (only if deploying Windows Phone devices). | AirWatch PowerShell Email Configuration Guide
6 | BES Service Account | Service account permissions can be found in Appendix A1. | AirWatch BES Integration Guide
7 | SharePoint Service Account | Account with read rights to the content repository to view and index content. The Browse Directories permission must be enabled on SharePoint. | AirWatch SharePoint Integration Guide
8 | Installation Admin Rights | An account to run the AirWatch software installation with administrative rights on the AirWatch servers and SA permissions on the database to set up maintenance scripts. |
9 | SMTP | SMTP account to relay emails from the system. |
10 | SCCM | | AirWatch SCCM Integration Guide
Additional Notes
Apple APNs
For a device to establish an APNs connection, the following must succeed: an NSLookup of gateway.push.apple.com for its TXT record, then an outbound connection to #-courier.push.apple.com on port 5223, where # is the value returned in the TXT record of gateway.push.apple.com.
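The APNs lookup just described, as an added Python example that is not from the AirWatch document or from Apple. The document does not state the TXT record format, so the code assumes (an assumption) that the record carries a single integer, such as the constructed value "count=50", and that the device picks a courier number between 1 and that integer. The resolver, connector and number picker are all injectable, so the same logic can be checked offline or run for real from a device network segment.

```python
"""APNs courier reachability check (added example, not AirWatch or Apple code).

Steps, mirroring the note above:
  1. look up the TXT record of gateway.push.apple.com (nslookup by default),
  2. take the integer in that record (assumed format, e.g. "count=50"),
  3. pick a courier number in 1..N and connect to N-courier.push.apple.com:5223.
"""
import random
import re
import socket
import subprocess

GATEWAY = "gateway.push.apple.com"
COURIER_PORT = 5223


def nslookup_txt(name):
    """Default resolver: raw output of `nslookup -type=TXT <name>`."""
    proc = subprocess.run(["nslookup", "-type=TXT", name],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def txt_value(raw):
    """Pull the quoted TXT payload out of nslookup output; a bare value passes through."""
    m = re.search(r'"([^"]*)"', raw)
    return m.group(1) if m else raw.strip()


def courier_count(payload):
    """Integer carried by the TXT payload (assumption: exactly one integer, e.g. count=50)."""
    m = re.search(r"\d+", payload)
    if not m:
        raise ValueError(f"no integer in TXT record payload: {payload!r}")
    return int(m.group())


def courier_host(count, pick=random.randint):
    """Hostname the device would dial: '#-courier.push.apple.com' with # in 1..count."""
    number = pick(1, count)
    return f"{number}-courier.push.apple.com"


def tcp_reachable(host, port=COURIER_PORT, timeout=5.0):
    """Default connector: True only if the TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_apns(resolve=nslookup_txt, connect=tcp_reachable, pick=random.randint):
    """Run the three steps and report what was resolved, chosen and reached."""
    payload = txt_value(resolve(GATEWAY))
    count = courier_count(payload)
    host = courier_host(count, pick)
    return {"count": count, "host": host, "reachable": connect(host, COURIER_PORT)}


if __name__ == "__main__":
    print(check_apns())
```

Because the courier number is random on the device, a firewall rule that permits only one specific courier host will pass this check sometimes and fail at other times; the table rows above therefore allow the whole 17.0.0.0/8 range on TCP 5223 rather than a single host.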
Load Balancer
- Load balancers are to be configured with a round-robin load balancing mechanism and SSL session persistence of 15 minutes.
- Load balancers are also recommended to redirect all HTTP requests to HTTPS.
- SSL offloading is supported for all services except API services. If offloading SSL, the load balancer must forward secure cookies to and from the AirWatch servers.
Public DNS
- External DNS record needed for the email proxy server
- External DNS record needed for AirWatch Device Services
Public Trusted SSL Cert
Matching publicly trusted SSL certificates for the public DNS names of the email proxy server and the Device Services server are required. These certificates must be issued by a valid issuing authority (e.g. VeriSign, GeoTrust, GoDaddy).
Public IP
- A public IP address to reach the AirWatch email proxy server from the Internet (HTTPS)
- A public IP address to reach the AirWatch Device Services server from the Internet (HTTPS)
Proxy
The AirWatch servers can be configured with a proxy / PAC file for outbound Internet access. Apple APNs traffic, however, is not HTTP traffic and cannot be proxied through traditional HTTP proxies. This traffic must go straight out to the Internet, or through an application/SOCKS proxy.
Kerberos Delegation
If using client certificates for email authentication, the SEG server must be joined to the same domain as the backend CAS server, and Kerberos delegation must be set up in AD between the AirWatch SEG and the CAS server(s). In addition, valid SPNs must be set in AD for the public URL used by the SEG server.
HTTP PUT
iOS MDM requires support for HTTP PUT requests from the iOS device to the AirWatch MDM server (Device Services).
A1 BES Service Account
BES service account permissions required for integration:
- User and Device
Note: Topology and BlackBerry Administration Service setup permissions are not necessary.