AirWatch PoC Technical Architecture

A guide for selecting an AirWatch PoC Evaluation Architecture

AirWatch PoC Technical Architecture | v.2013.06 | June 2013

Copyright 2013 AirWatch, LLC. All rights reserved. Proprietary & Confidential.

This document, as well as the software described in it, is furnished under license. The information in this manual may only be used in accordance with the terms of the license. This document should not be reproduced, stored or transmitted in any form, except as permitted by the license or by the express permission of AirWatch, LLC.

Other product and company names referenced in this document are trademarks and/or registered trademarks of their respective companies.


Table of Contents

Overview (page 2)
Option 1: Pure Cloud (page 4)
Option 2: Integrated Cloud (page 6)
    Integrated Cloud - AirWatch Cloud Connector (page 8)
    Integrated Cloud - No DMZ (page 11)
    Integrated Cloud - DMZ Relay (page 14)
    Integrated Cloud - Reverse Proxy (page 17)
Option 3: On-Premise Single Server Deployment (page 20)
Option 4: On-Premise Multiple Server Deployment (page 23)
Appendix (page 26)


Overview

The AirWatch Enterprise Mobility Management (EMM) software can be deployed through a variety of cloud or on-premise options to meet an organization's security requirements and IT strategy. This document outlines each of the supported configurations and helps determine the ideal AirWatch architecture for a successful PoC evaluation.

The diagram below summarizes the four deployment options, covering both cloud and on-premise architectures.

Cloud

Benefits:
- Fastest implementation with minimal client effort
- No significant investment in technology or services
- Minimal or no network changes required
- Automatic software updates

Considerations:
- Integration with corporate resources
- Security / datacenter requirements

On Premise

Benefits:
- Comply with corporate on-premise security policies
- Direct integration with corporate systems
- Leverage existing infrastructure investments
- Physical and virtual environments supported

Considerations:
- Network firewall changes required
- Multiple software and hardware components required on-premise

Option 1: Cloud (Pages 4-5)
All devices and admin users point to AirWatch's cloud for device management. No software is installed on site.
Ideal for:
- Rapid deployment
- No corporate infrastructure required
- Does not integrate with corporate resources

Option 2: Integrated Cloud (Pages 8-19)
All components are in the cloud. A lightweight integration component is installed on-premise for backend integration.
Ideal for:
- Cloud clients requiring enterprise integration for:
  o LDAP / PKI
  o Exchange
  o Content repositories
  o Etc.

Option 3: Single Server (Pages 20-22)
On-premise deployment with a single AirWatch server installed in the DMZ or internal network.
Ideal for:
- Leveraging existing infrastructure
- Cases where on-premise is required
- Enterprise integration

Option 4: Multi Server (Pages 23-25)
On-premise deployment with multiple servers in the DMZ and internal network for multi-tier firewall architectures.
Ideal for:
- Multi-tier networks
- Resources not available to the DMZ
- Special security policy compliance
- Server scalability via tier 1-3 deployments

*Note: PoC fees may apply for on-premise deployment.


The remainder of this document defines the requirements for the architecture options described above. After choosing a deployment option from the descriptions above, review the following items for the desired deployment choice:

1. Architecture Diagram: high-level design of all data flows.
2. Prerequisite Checklist: complete list of all software and hardware preparations required.
3. Network Requirements: a listing of all port and firewall requirements.


    Option 1: Pure Cloud

Cloud configurations are best suited for clients who want to minimize effort and lead times for evaluating the software. This evaluation architecture can be set up in minutes, but it typically does not offer integration with backend resources because of client security requirements. Integration can easily be added later by installing the AirWatch Cloud Connector and/or Mobile Access Gateway (see Option 2: Integrated Cloud).

Architecture Diagram (optional cloud integrations shown: SAML, Office 365, Google Apps for Business)

    Prerequisite Checklist

    There are no prerequisites necessary for this deployment option.


Network Requirements

Pure Cloud

Source Component | # | Source Host | Destination Component | Destination Host | Destination IP | Protocol | Port | Diagram Ref | Checklist (Yes / No / N/A)
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Administrators / User Self Service | 1 | {ADMIN_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTP/HTTPS | 80/443 | 1 |
Administrators / User Self Service | 2 | {ADMIN_IP} | Apple iTunes Cloud | itunes.apple.com, ax.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net | any | HTTP/HTTPS | 80/443 | N/S |
Administrators / User Self Service | 3 | {ADMIN_IP} | Google Play Store | play.google.com | any | HTTP/HTTPS | 80/443 | N/S |
Administrators / User Self Service | 4 | {ADMIN_IP} | Virtual Earth (GPS Maps) | *.virtualearth.net | any | HTTP/HTTPS | 80/443 | N/S |
Devices | 5 | {Device_IP} | Apple APNs Cloud | #-courier.push.apple.com, gateway.push.apple.com | 17.0.0.0/8 | TCP | 5223 | 2 |
Devices | 6 | {Device_IP} | Apple iTunes Cloud | phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com | any | HTTP/HTTPS | 80/443 | 3 |
Devices | 7 | {Device_IP} | Android C2DM Cloud | mtalk.google.com | any | TCP | 5228 | 4 |
Devices | 8 | {Device_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTP/HTTPS | 80/443 | 5 |

* For the IP ranges of the AirWatch datacenters, see the AirWatch datacenter IP range list.


    Option 2: Integrated Cloud

This configuration is recommended for clients who wish to leverage the simplicity of cloud deployments but still integrate existing backend resources. Connecting to corporate resources is made simple with the AirWatch Cloud Connector (ACC), which can be installed on a small VM or physical server on-premise. The AirWatch Mobile Access Gateway (MAG) provides a secure gateway allowing devices to access corporate network resources. The ACC and MAG are not co-dependent and should be considered optional components; however, almost all MAG deployments include the ACC.

AirWatch Integration Options (ACC / MAG):
- Certificates and PKI
- SIEM
- Corporate App Tunnel (App VPN)
- Directory Services
- Email Infrastructure +
- Content Repositories ++
- Corporate Intranet Access

+ AirWatch's email attachment encryption feature requires the MAG (SEG component).
++ AirWatch's content repository sync with the Administrative Console requires the ACC.


Integrated Cloud sub-options

AirWatch Cloud Connector (Pages 8-10)
Ideal for:
- Fast implementation
- Minimal hardware / software on-site

Integrated Cloud - No DMZ (Pages 11-13)
Ideal for:
- Clients without a DMZ infrastructure

Integrated Cloud - DMZ Relay (Pages 14-16)
Ideal for:
- Clients with an existing DMZ architecture
- Limited connections through the DMZ firewall

Integrated Cloud - Reverse Proxy (Pages 17-19)
Ideal for:
- Clients with an existing reverse proxy or WAF architecture


    Integrated Cloud - AirWatch Cloud Connector

    Architecture Diagram

    AirWatch Internal Server Includes:

    AirWatch Cloud Connector


Prerequisite Checklist

Integrated Cloud - AW Cloud Connector

Source | # | Title | Description / Purpose | Checklist (Yes / No / N/A)
--- | --- | --- | --- | ---
Hardware | 1 | AirWatch Internal Server | Windows Server (physical or virtual). Minimum specification: 1 CPU core (> 2.0 GHz), 2 GB RAM, 1 GB disk space (5 GB if logging is enabled) |
Software | 2 | Windows OS | Windows Server 2008 R2 |
Software | 3 | .NET Framework 3.5 & 4 | A Windows update is required for .NET 4 after installation to update additional software components. |
 | 4 | Internal Certs (Trust) | The client may need to generate internal certs for the traffic between the external internet interface for the EAS traffic and the reverse proxy, F5, SEG, and CAS servers. Details to be determined by the client architect team. |
Firewall Changes | 5 | Client Firewall Rules | See the firewall change requests below (Network Requirements). |
Service Accounts | 6 | Enterprise Service Accounts (Optional) | If implementing enterprise services, service accounts will need to be created and given specific permissions to allow integration. See Appendix. |


Network Requirements

Integrated Cloud - AW Cloud Connector

Source Component | # | Source Host | Destination Component | Destination Host | Destination IP | Protocol | Port | Diagram Ref | Checklist (Yes / No / N/A)
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
AirWatch Internal Server | A | {InternalServer_IP} | Client EAS/CAS Server(s) | {InternalURL_CAS} | {InternalIP_CAS} | HTTP/HTTPS | 80, 443 | 1 |
AirWatch Internal Server | B | {InternalServer_IP} | Domain Controller | {InternalURL_DC} | {InternalIP_DC} | LDAP/LDAPS | 389, 636, 3268, 3269 | 2 |
AirWatch Internal Server | C | {InternalServer_IP} | Enterprise Services (Optional) | {InternalURL_ES} | {InternalIP_ES} | HTTP/HTTPS/SMTP | 80, 443, 25, 465 | 3 |
AirWatch Internal Server | D | {InternalServer_IP} | Certificate Authority (Optional) | {InternalURL_CA} | {InternalIP_CA} | DCOM | 135, 1025-5000, 49152-65535 | 3 |
AirWatch Internal Server | E | {InternalServer_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTPS | 443 | 4 |
Administrators / User Self Service | F | {ADMIN_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTP/HTTPS | 80/443 | 5 |
Administrators / User Self Service | G | {ADMIN_IP} | Apple iTunes Cloud | *.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net | any | HTTP/HTTPS | 80/443 | N/S |
Administrators / User Self Service | H | {ADMIN_IP} | Google Play Store | play.google.com | any | HTTP/HTTPS | 80/443 | N/S |
Administrators / User Self Service | I | {ADMIN_IP} | Virtual Earth (GPS Maps) | *.virtualearth.net | any | HTTP/HTTPS | 80/443 | N/S |
Devices | K | {Device_IP} | Apple APNs Cloud | #-courier.push.apple.com, gateway.push.apple.com | 17.0.0.0/8 | TCP | 5223 | 6 |
Devices | L | {Device_IP} | Apple iTunes Cloud | phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com | any | HTTP/HTTPS | 80/443 | 7 |
Devices | M | {Device_IP} | Android C2DM Cloud | mtalk.google.com | any | TCP | 5228 | 8 |
Devices | N | {Device_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTP/HTTPS | 80/443 | 9 |

* For the IP ranges of the AirWatch datacenters, see the AirWatch datacenter IP range list.
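Rows A through E above are, in effect, the egress allow-list the AirWatch Internal Server needs. The Python below is an added example (not AirWatch code): it encodes those rows as data and checks a draft firewall change request against them, reporting any required host or port the draft does not cover and any rule the table does not require. The site host names and the draft rule set are constructed sample values.

```python
"""Egress allow-list check for the AirWatch Internal Server (Integrated
Cloud / ACC rows A-E).  Added example, not AirWatch code; the site host
names and the proposed rule set are constructed sample data."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


def parse_ports(spec: str) -> frozenset:
    """Expand a port column ('80/443', '389, 636, 3268, 3269',
    '135, 1025-5000, 49152-65535' or 'any') into a set of TCP ports."""
    if spec.strip().lower() == "any":
        return frozenset(range(1, 65536))
    ports = set()
    for token in spec.replace("/", ",").split(","):
        token = token.strip()
        if not token:
            continue
        lo, _, hi = token.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError("invalid port token: %r" % token)
        ports.update(range(lo, hi + 1))
    return frozenset(ports)


def port_ranges(ports) -> list:
    """Collapse a set of ports into sorted inclusive (lo, hi) ranges."""
    ranges = []
    for p in sorted(ports):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


@dataclass(frozen=True)
class Flow:
    ref: str            # row letter in the Network Requirements table
    destination: str    # destination component
    hosts: tuple        # destination hosts: table placeholders or patterns
    ports: frozenset


@dataclass(frozen=True)
class Rule:
    target: str         # host glob ('*.awmdm.com'), exact name, or 'any'
    ports: frozenset


# Rows A-E of the table: what the internal server must be allowed to reach.
REQUIRED_FLOWS = (
    Flow("A", "Client EAS/CAS", ("{InternalURL_CAS}",), parse_ports("80,443")),
    Flow("B", "Domain Controller", ("{InternalURL_DC}",), parse_ports("389, 636, 3268, 3269")),
    Flow("C", "Enterprise Services", ("{InternalURL_ES}",), parse_ports("80,443, 25, 465")),
    Flow("D", "Certificate Authority", ("{InternalURL_CA}",), parse_ports("135, 1025-5000, 49152-65535")),
    Flow("E", "AirWatch SaaS", ("*.airwatchportals.com", "*.awmdm.com"), parse_ports("443")),
)

# Constructed values for the table's placeholders at a hypothetical site.
SITE = {
    "{InternalURL_CAS}": "cas.corp.example",
    "{InternalURL_DC}": "dc01.corp.example",
    "{InternalURL_ES}": "sharepoint.corp.example",
    "{InternalURL_CA}": "ca01.corp.example",
}

# Constructed draft of the client's firewall change request, with mistakes.
PROPOSED_RULES = (
    Rule("cas.corp.example", parse_ports("443")),                  # forgot port 80
    Rule("dc01.corp.example", parse_ports("389, 636, 3268, 3269")),
    Rule("sharepoint.corp.example", parse_ports("80, 443, 25, 465")),
    Rule("ca01.corp.example", parse_ports("135")),                 # no DCOM dynamic ranges
    Rule("*.awmdm.com", parse_ports("443")),                       # *.airwatchportals.com missing
    Rule("any", parse_ports("53")),                                # not in the table at all
)


def host_matches(target: str, host: str) -> bool:
    return target == "any" or fnmatchcase(host.lower(), target.lower())


def resolve(flow: Flow, site: dict) -> tuple:
    """Substitute site values for the table's {placeholder} hosts."""
    return tuple(site.get(h, h) for h in flow.hosts)


def coverage_gaps(flows, rules, site) -> dict:
    """{row ref: {host: [(lo, hi), ...]}} for every required port the
    rule set does not allow.  An empty dict means the request is complete."""
    gaps = {}
    for flow in flows:
        for host in resolve(flow, site):
            allowed = set()
            for rule in rules:
                if host_matches(rule.target, host):
                    allowed |= rule.ports
            missing = flow.ports - allowed
            if missing:
                gaps.setdefault(flow.ref, {})[host] = port_ranges(missing)
    return gaps


def unused_rules(flows, rules, site) -> list:
    """Rules that allow nothing the table requires: candidates for removal
    so the server keeps least-privilege egress."""
    needed = [(h, f.ports) for f in flows for h in resolve(f, site)]
    return [r for r in rules
            if not any(host_matches(r.target, h) and r.ports & p for h, p in needed)]


if __name__ == "__main__":
    for ref, hosts in sorted(coverage_gaps(REQUIRED_FLOWS, PROPOSED_RULES, SITE).items()):
        for host, ranges in hosts.items():
            print("row %s: %s is missing ports %s" % (ref, host, ranges))
    for rule in unused_rules(REQUIRED_FLOWS, PROPOSED_RULES, SITE):
        print("rule %s:%s is not required by the table" % (rule.target, port_ranges(rule.ports)))
```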


    Integrated Cloud No DMZ

    Architecture Diagram

    AirWatch Internal Server Includes:

    AirWatch Cloud Connector

    AirWatch Secure Email Gateway

    AirWatch Mobile Access Gateway


Prerequisite Checklist

Integrated Cloud - No DMZ

Source | # | Title | Description / Purpose | Checklist (Yes / No / N/A)
--- | --- | --- | --- | ---
Hardware | 1 | AirWatch Internal Server | Windows Server (physical or virtual). Minimum specification: 2 CPU cores (> 2.0 GHz), 4 GB RAM |
Software | 2 | Windows OS | Windows Server 2008 R2 |
Software | 3 | IIS 7 Server | The IIS server must also have additional role services installed. |
Software | 4 | .NET Framework 3.5 & 4 | A Windows update is required for .NET 4 after installation to update additional software components. |
Software | 5 | Microsoft Messaging Queue (MSMQ) | Enabled on all AirWatch servers. |
Software | 6 | Java | Installed on the MAG server. |
DNS | 7 | External URL | External URL (DNS record) resolving to the internal AirWatch server |
DNS | 8 | Internal CAS URL | Internal URL to relay Exchange ActiveSync traffic from the AirWatch server |
Certificates | 9 | Public SSL Certificate | Publicly trusted SSL certificate matching the external DNS name of the AirWatch SEG/EIS server. |
Certificates | 10 | Internal Certs (Trust) | The client may need to generate internal certs for the traffic between the external internet interface for the EAS traffic and the reverse proxy, F5, SEG, and CAS servers. Details to be determined by the client architect team. |
Load Balancer | 11 | Load Balancer Setup (Optional) | If installing the SEG/MAG behind a network load balancer, the client will need to set up the load balancer configuration. Persistence should be set on the SSL session for 15 minutes. See Appendix for more details. |
Firewall Changes | 12 | Client Firewall Rules | See the firewall change requests below (Network Requirements). |
Service Accounts | 13 | Enterprise Service Accounts (Optional) | If implementing enterprise services, service accounts will need to be created and given specific permissions to allow integration. See Appendix. |


Network Requirements

Integrated Cloud - No DMZ

Source Component | # | Source Host | Destination Component | Destination Host | Destination IP | Protocol | Port | Diagram Ref | Checklist (Yes / No / N/A)
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
AirWatch Internal Server | A | {InternalServer_IP} | Client EAS/CAS Server(s) | {InternalURL_CAS} | {InternalIP_CAS} | HTTP/HTTPS | 80, 443 | 1 |
AirWatch Internal Server | B | {InternalServer_IP} | Domain Controller | {InternalURL_DC} | {InternalIP_DC} | LDAP/LDAPS | 389, 636, 3268, 3269 | 2 |
AirWatch Internal Server | C | {InternalServer_IP} | Enterprise Services (Optional) | {InternalURL_ES} | {InternalIP_ES} | HTTP/HTTPS/SMTP | 80, 443, 25, 465 | 3 |
AirWatch Internal Server | D | {InternalServer_IP} | Certificate Authority (Optional) | {InternalURL_CA} | {InternalIP_CA} | DCOM | 135, 1025-5000, 49152-65535 | 3 |
AirWatch Internal Server | E | {InternalServer_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTPS | 443 | 4 |
Administrators / User Self Service | F | {ADMIN_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTP/HTTPS | 80/443 | 5 |
Administrators / User Self Service | G | {ADMIN_IP} | Apple iTunes Cloud | *.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net | any | HTTP/HTTPS | 80/443 | N/S |
Administrators / User Self Service | H | {ADMIN_IP} | Google Play Store | play.google.com | any | HTTP/HTTPS | 80/443 | N/S |
Administrators / User Self Service | I | {ADMIN_IP} | Virtual Earth (GPS Maps) | *.virtualearth.net | any | HTTP/HTTPS | 80/443 | N/S |
AirWatch SaaS | J | See IP list* | AirWatch Server | AW Public URL | AW Public IP | HTTPS | 443 | 6 |
Devices | K | {Device_IP} | Apple APNs Cloud | #-courier.push.apple.com, gateway.push.apple.com | 17.0.0.0/8 | TCP | 5223 | 7 |
Devices | L | {Device_IP} | Apple iTunes Cloud | phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com | any | HTTP/HTTPS | 80/443 | 8 |
Devices | M | {Device_IP} | Android C2DM Cloud | mtalk.google.com | any | TCP | 5228 | 9 |
Devices | N | {Device_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTP/HTTPS | 80/443 | 10 |
Devices | O | {Device_IP} | AirWatch Internal Server | AW Public URL | AW Public IP | HTTPS | 443, 2010, 2020 | 11 |

* For the IP ranges of the AirWatch datacenters, see the AirWatch datacenter IP range list.


    Integrated Cloud DMZ Relay

    Architecture Diagram

    AirWatch DMZ Server Includes:

    AirWatch Secure Email Gateway

    AirWatch Mobile Access Gateway Relay

    AirWatch Internal Server Includes:

    AirWatch Cloud Connector

    AirWatch Mobile Access Gateway Endpoint


Prerequisite Checklist

Integrated Cloud - DMZ Relay

Source | # | Title | Description / Purpose | Checklist (Yes / No / N/A)
--- | --- | --- | --- | ---
Hardware | 1 | AirWatch DMZ Server | Windows Server (physical or virtual). Minimum specification: 2 CPU cores (> 2.0 GHz), 4 GB RAM |
Software | 2 | Windows OS | Windows Server 2008 R2 |
Software | 3 | IIS 7 Server | The IIS server must also have additional role services installed. |
Software | 4 | .NET Framework 3.5 & 4 | A Windows update is required for .NET 4 after installation to update additional software components. |
Software | 5 | Microsoft Messaging Queue (MSMQ) | Enabled on all AirWatch servers. |
Software | 6 | Java | Installed on the MAG server. |
Software | 7 | AirWatch Software | Available through the administrative console. |
DNS | 8 | External URL | External URL (DNS record) resolving to the AirWatch DMZ server |
DNS | 9 | Internal CAS URL | Internal URL to relay traffic from the AirWatch SEG/EIS. |
DNS | 10 | Internal URL | Internal URL (DNS record) resolving to the AirWatch Internal server |
Certificates | 11 | Public SSL Certificate (AirWatch DMZ) | Publicly trusted SSL certificate matching the external DNS name of the AirWatch DMZ server. Required if using SEG / MAG. |
Certificates | 12 | Internal Certs (Trust) | The client may need to generate internal certs for the traffic between the external internet interface for the EAS traffic and the reverse proxy, F5, SEG, and CAS servers. Details to be determined by the client architect team. |
Load Balancer | 13 | Load Balancer Setup (Optional) | If installing the SEG/MAG behind a network load balancer, the client will need to set up the load balancer configuration. Persistence should be set on the SSL session for 15 minutes. See Appendix for more details. |
Firewall Changes | 14 | Client Firewall Rules | See the firewall change requests below (Network Requirements). |
Service Accounts | 15 | Enterprise Service Accounts (Optional) | If implementing enterprise services, service accounts will need to be created and given specific permissions to allow integration. See Appendix. |


Network Requirements

Integrated Cloud - DMZ Relay

Source Component | # | Source Host | Destination Component | Destination Host | Destination IP | Protocol | Port | Diagram Ref | Checklist (Yes / No / N/A)
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
AirWatch DMZ Server | A | {DMZ_Server_IP} | Client EAS/CAS Server(s) | {InternalURL_CAS} | {InternalIP_CAS} | HTTP/HTTPS | 80, 443 | 1 |
AirWatch DMZ Server | B | {DMZ_Server_IP} | AirWatch Internal Server | {InternalURL_AWInternal} | {InternalIP_AWInternal} | HTTP/HTTPS | 443, 2010 | 2 |
AirWatch DMZ Server | C | {DMZ_Server_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTPS | 443 | 3 |
AirWatch Internal Server | D | {InternalServer_IP} | Internal Network | {InternalURL_DC}, {Internal_BES}, {Internal_ADCS}, {Internal_SMTP}, {Internal_SharePoint}, {InternalURL_CA} | {InternalIP_IP} | DCOM, HTTPS, LDAP/LDAPS, SMTP | 389, 636, 3268, 3269, 135, 443, 25 | 4 |
AirWatch Internal Server | E | {InternalServer_IP} | AirWatch DMZ Server | AW Public URL | AW Public IP | HTTPS | 443 | 5 |
Administrators / User Self Service | F | {ADMIN_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTP/HTTPS | 80/443 | 6 |
Administrators / User Self Service | G | {ADMIN_IP} | Apple iTunes Cloud | itunes.apple.com, ax.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net | any | HTTP/HTTPS | 80/443 | N/S |
Administrators / User Self Service | H | {ADMIN_IP} | Google Play Store | play.google.com | any | HTTP/HTTPS | 80/443 | N/S |
Administrators / User Self Service | I | {ADMIN_IP} | Virtual Earth (GPS Maps) | *.virtualearth.net | any | HTTP/HTTPS | 80/443 | N/S |
AirWatch SaaS | J | See IP list* | AirWatch DMZ Server | AW Public URL | AW Public IP | HTTPS | 443 | 7 |
Devices | K | {Device_IP} | Apple APNs Cloud | #-courier.push.apple.com, gateway.push.apple.com | 17.0.0.0/8 | TCP | 5223 | 8 |
Devices | L | {Device_IP} | Apple iTunes Cloud | phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com | any | HTTP/HTTPS | 80/443 | 9 |
Devices | M | {Device_IP} | Android C2DM Cloud | mtalk.google.com | any | TCP | 5228 | 10 |
Devices | N | {Device_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTP/HTTPS | 80/443 | 11 |
Devices | O | {Device_IP} | AirWatch DMZ Server | AW Public URL | AW Public IP | HTTPS | 443, 2010, 2020 | 12 |

* For the IP ranges of the AirWatch datacenters, see the AirWatch datacenter IP range list.


    Integrated Cloud Reverse Proxy

    Architecture Diagram

    AirWatch Internal Server Includes:

    AirWatch Cloud Connector

    AirWatch Secure Email Gateway

    AirWatch Mobile Access Gateway


Prerequisite Checklist

Cloud with Integration - DMZ Reverse Proxy

Source | # | Title | Description / Purpose | Checklist (Yes / No / N/A)
--- | --- | --- | --- | ---
Hardware | 1 | AirWatch Internal Server | Windows Server (physical or virtual). Minimum specification: 2 CPU cores (> 2.0 GHz), 4 GB RAM |
Software | 2 | Windows OS | Windows Server 2008 R2 |
Software | 3 | IIS 7 Server | The IIS server must also have additional role services installed. |
Software | 4 | .NET Framework 3.5 & 4 | A Windows update is required for .NET 4 after installation to update additional software components. |
Software | 5 | Microsoft Messaging Queue (MSMQ) | Enabled on all AirWatch servers. |
Software | 6 | Java | Installed on the MAG. |
Software | 7 | AirWatch Software | Will be provided to the client during install. |
DNS | 8 | External URL | External URL (DNS record) resolving to the AirWatch Internal server |
DNS | 9 | Internal CAS URL | Internal URL to relay Exchange ActiveSync traffic from the AirWatch server |
Certificates | 10 | Public SSL Certificate | Publicly trusted SSL certificate matching the external DNS name of the AirWatch Internal server address |
Certificates | 11 | Internal Certs (Trust) | The client may need to generate internal certs for the traffic between the external internet interface for the EAS traffic and the reverse proxy, F5, SEG, and CAS servers. Details to be determined by the client architect team. |
Certificates | 12 | MAG SSL Cert | The MAG SSL certificate must be installed on the reverse proxy. |
Load Balancer | 13 | Load Balancer Setup (Optional) | If installing AirWatch behind a network load balancer, the client will need to set up the load balancer configuration. Persistence should be set on the SSL session for 15 minutes. See Appendix for more details. |
Firewall Changes | 14 | Client Firewall Rules | See the firewall change requests below (Network Requirements). |
Service Accounts | 15 | Enterprise Service Accounts (Optional) | If implementing enterprise services, service accounts will need to be created and given specific permissions to allow integration. See Appendix. |


Network Requirements

Integrated Cloud - DMZ Reverse Proxy

Source Component | # | Source Host | Destination Component | Destination Host | Destination IP | Protocol | Port | Diagram Ref | Checklist (Yes / No / N/A)
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
AirWatch Internal Server | A | {InternalServer_IP} | Client EAS/CAS Server(s) (Optional) | {InternalURL_CAS} | {InternalIP_CAS} | HTTP/HTTPS | 80, 443 | 1 |
AirWatch Internal Server | B | {InternalServer_IP} | Enterprise Services (Optional) | {InternalURL_DC}, {Internal_BES}, {Internal_ADCS}, {Internal_SMTP}, {Internal_SharePoint}, {InternalURL_CA} | {InternalIP_IP} | DCOM, HTTPS, LDAP/LDAPS, SMTP | 389, 636, 3268, 3269, 135, 443, 25 | 2 |
AirWatch Internal Server | C | {InternalServer_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTPS | 443 | 3 |
Administrators / User Self Service | D | {ADMIN_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTP/HTTPS | 80/443 | 4 |
Administrators / User Self Service | E | {ADMIN_IP} | Apple iTunes Cloud | *.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, *phobos.apple.com.edgesuite.net | any | HTTP/HTTPS | 80/443 | N/S |
Administrators / User Self Service | F | {ADMIN_IP} | Google Play Store | play.google.com | any | HTTP/HTTPS | 80/443 | N/S |
Administrators / User Self Service | G | {ADMIN_IP} | Virtual Earth (GPS Maps) | *.virtualearth.net | any | HTTP/HTTPS | 80/443 | N/S |
AirWatch SaaS | H | See IP list* | AirWatch Internal Server | AW Public URL | AW Public IP | HTTPS | 443 | 5 |
Devices | I | {Device_IP} | Apple APNs Cloud | #-courier.push.apple.com, gateway.push.apple.com | 17.0.0.0/8 | TCP | 5223 | 6 |
Devices | J | {Device_IP} | Apple iTunes Cloud | phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com | any | HTTP/HTTPS | 80/443 | 7 |
Devices | K | {Device_IP} | Android C2DM Cloud | mtalk.google.com | any | TCP | 5228 | 8 |
Devices | L | {Device_IP} | AirWatch SaaS | *.airwatchportals.com, *.awmdm.com | any* | HTTP/HTTPS | 80/443 | 9 |
Devices | M | {Device_IP} | AirWatch Internal Server | AW Public URL | AW Public IP | HTTPS | 443, 2010, 2020 | 10 |

* For the IP ranges of the AirWatch datacenters, see the AirWatch datacenter IP range list.


    Option 3: On-Premise Single Server Deployment

This configuration allows for simplified installation and maintenance for smaller deployments, while allowing future scalability and flexibility for high availability. A single-server deployment allows for easy integration with enterprise services, as well as simplified control and validation over the entire environment. Single-server configurations are commonly deployed in DMZ architectures where the entire solution is installed on one physical or virtual server. WAF or TMG solutions are also commonly used to proxy the internet-facing endpoints.

    Architecture Diagram

    AirWatch Internal Server Includes:

    AirWatch Console

    AirWatch Device Services

    AirWatch Secure Email Gateway

    AirWatch Mobile Access Gateway


Prerequisite Checklist

On-Premise Single Server

Source | # | Title | Description / Purpose | Checklist (Yes / No / N/A)
--- | --- | --- | --- | ---
Hardware | 1 | AirWatch Internal Server | Windows Server (physical or virtual) on which to install the AirWatch server software. Minimum specification: 2 CPU cores (> 2.0 GHz), 6 GB RAM, ~100 GB drive |
Hardware | 2 | Reverse Proxy Server (Optional) | The client may choose an existing server to use for the reverse proxy or install a dedicated server that meets their specifications. |
Software | 3 | Windows OS | Windows Server 2008 R2 |
Software | 4 | SQL Server | Microsoft SQL Server 2008 (2008 R2 recommended). Required on the database server. |
Software | 5 | SQL Server Reporting Services | Microsoft SQL Server Reporting Services 2008 (2008 R2 recommended) |
Software | 6 | IIS 7 Server | The IIS server must also have additional role services installed. |
Software | 7 | .NET Framework 3.5 & 4 | A Windows update is required for .NET 4 after installation to update additional software components. |
Software | 8 | Microsoft Messaging Queue (MSMQ) | Enabled on all AirWatch servers. |
Software | 9 | Java | Installed on the MAG server. |
DNS | 10 | External Public URL | External URL (DNS record) for the public, internet-facing AirWatch server (e.g. https://company.mdm.com) |
DNS | 11 | Internal CAS URL (optional) | Internal URL to relay traffic from the AirWatch SEG to the ActiveSync CAS server. |
DNS | 12 | Internal DC URL (optional) | Client internal domain (AD) DNS name used to connect from the AirWatch server to AD for authenticating users |
DNS | 13 | Internal CA Host (optional) | Internal hostname and CA issuing name of the CA or SCEP endpoint. |
Certificates | 14 | Public SSL Certificate | Publicly trusted SSL certificate matching the external DNS name of the AirWatch SEG/EIS server (if applicable). |
Certificates | 15 | Internal Certs (Trust) | The client may need to generate internal certs for the traffic between the external internet interface for the EAS traffic and the reverse proxy, F5, SEG, and CAS servers. Details to be determined by the client architect team. |
Certificates | 16 | MAG SSL Cert | The MAG SSL certificate must be installed on the reverse proxy. |
Firewall Changes | 17 | Client Firewall Rules | See the firewall change requests below (Network Requirements). |
Load Balancer | 18 | Load Balancer Setup (Optional) | If installing AirWatch behind a network load balancer, the client will need to set up the load balancer configuration. Persistence should be set on the SSL session for 15 minutes. See Appendix for more details. |
Service Accounts | 19 | Enterprise Service Accounts (Optional) | If implementing enterprise services, service accounts will need to be created and given specific permissions to allow integration. See Appendix. |


    Network Requirements

    On-Premise Single Server

    Row | Source Host | Destination Component | Destination Host | Destination IP | Protocol | Port | Ref Diagram

    Source Component: AirWatch Internal Server

    A | {InternalServer_IP} | Internal Network | {InternalURL_DC} {Internal_CAS} {Internal_BES} {Internal_ADCS} {Internal_SMTP} {Internal_SharePoint} | {Internal_IPs} | DCOM, HTTPS, LDAP/LDAPS, SMTP | 389, 636, 3268, 3269, 135, 443, 25, 465 | 1
    B | {InternalServer_IP} | Apple APNs Cloud | gateway.push.apple.com feedback.push.apple.com | 17.0.0.0/8 | TCP | 2195, 2196 | 2
    C | {InternalServer_IP} | Apple iTunes Cloud | *.itunes.apple.com *.phobos.apple.com | any | HTTP/HTTPS | 80, 443 | 3
    D | {InternalServer_IP} | Google Play Store | play.google.com | any | HTTP/HTTPS | 80, 443 | N/S
    E | {InternalServer_IP} | Android C2DM Cloud | android.googleapis.com android.apis.google.com www.google.com google.com | any | HTTPS | 443 | 5
    F | {InternalServer_IP} | CellTrust SMS Gateway (optional) | gateway.celltrust.net | 162.42.205.0/24 | HTTPS | 443 | N/S
    G | {InternalServer_IP} | AirWatch Certificate Portal | awcp.air-watch.com | any (*a list of AirWatch datacenter IP ranges is available from AirWatch) | HTTPS | 443 | N/S
    H | {InternalServer_IP} | SSL Signing Cert CRL | e.g. ocsp.verisign.com | TBD | HTTP | 80 | N/S
    I | {InternalServer_IP} | SQL Server | {SQLServer_Name} | {SQLServer_IP} | TCP | 1433 | 6
    J | {InternalServer_IP} | SQL Server Reporting Svc | {SSRS_Name} | {SSRS_IP} | HTTP | 80 | 7
    K | {InternalServer_IP} | AW Autodiscovery Server | discovery.awmdm.com | 209.208.230.100 | HTTPS | 443 | 8

    Source Component: Administrators / User Self Service

    L | {ADMIN_IP} | AirWatch Internal Server | {InternalServer} | {InternalServer_IP} | HTTP/HTTPS | 80, 443 | 9
    M | {ADMIN_IP} | Virtual Earth (GPS Maps) | *.virtualearth.net | any | HTTP/HTTPS | 80, 443 | N/S

    Source Component: Devices

    N | {Device_IP} | Apple APNs Cloud | #-courier.push.apple.com gateway.push.apple.com | 17.0.0.0/8 | TCP | 5223 | 10
    O | {Device_IP} | Apple iTunes Cloud | phobos.apple.com oscp.apple.com ax.itunes.apple.com | any | HTTP/HTTPS | 80, 443 | 11
    P | {Device_IP} | Android C2DM Cloud | mtalk.google.com | any | TCP | 5228 | 12
    Q | {Device_IP} | AirWatch Server | AW Public URL | AW Public IP | HTTP/HTTPS | 80, 443, 2001, 2010, 2020 | 13
    R | {Device_IP} | AirWatch Autodiscovery Server | discovery.awmdm.com | 209.208.230.100 | HTTPS | 443 | 14


    Option 4: On-Premise Multiple Server Deployment

    A multi-server deployment is recommended for organizations managing a larger number of devices and/or those wanting to utilize a DMZ. In a setup using a DMZ, any of the AirWatch components actively communicating with devices should be placed outside of the organization's internal network. Several advantages of this configuration include:

    Increased security of external-facing services, such as the AirWatch Device Services component, Secure Email Gateway, and Mobile Access Gateway, by placing them in the network's DMZ to quarantine incoming traffic while preventing external visibility to internal resources.

    Architecture Diagram

    AirWatch DMZ Server Includes:

    AirWatch Device Services

    AirWatch Secure Email Gateway

    AirWatch Mobile Access Gateway

    AirWatch Internal Server Includes:

    AirWatch Console Services

    AirWatch Cloud Connector


    Prerequisite Checklist

    On-Premise Multi Server

    # | Title | Description / Purpose

    Hardware

    1 | AirWatch Internal Server (Internal) | Windows Server to install the AirWatch Server Software. Minimum specification: 2 CPU cores (> 2.0 GHz), 6 GB RAM, ~100 GB drive (physical or virtual)
    2 | AirWatch DMZ Server | Windows Server to install Enterprise Integration Software. Minimum specification: 2 CPU cores (> 2.0 GHz), 4 GB RAM (physical or virtual)

    Software

    3 | Windows OS | Windows Server 2008 R2
    4 | SQL Server | Microsoft SQL Server 2008 (2008 R2 Recommended). Required on Database server
    5 | SQL Server Reporting Services | Microsoft SQL Server Reporting Services 2008 (2008 R2 Recommended)
    6 | IIS 7 Server | IIS Server must also have additional role services installed.
    7 | .NET Framework 3.5 & 4 | A Windows update is required for .NET 4 after installation to update additional software components.
    8 | Microsoft Messaging Queue (MSMQ) | Enabled on all AirWatch servers.
    9 | Java | Installed on MAG server.

    DNS

    10 | External URL | External URL (DNS Record) resolving to the AirWatch DMZ server
    11 | Internal CAS URL | Internal URL to relay traffic from the AirWatch SEG server.
    11 | Internal URL | Internal URL (DNS Record) resolving to the AirWatch Internal server

    Certificates

    12 | Public SSL Certificate (AirWatch DMZ) | Public trusted SSL Certificate to match the External DNS for the AirWatch DMZ server.
    13 | SSL Certificate (AirWatch Internal) | SSL certificate to match the Internal URL for the AirWatch Internal server.

    Load Balancer

    14 | Load Balancer Setup (Optional) | If installing AirWatch behind a network load balancer, the client will need to set up the load balancer configuration. Persistence should be set on the SSL session for 15 minutes. See Appendix for more details.

    Firewall Changes

    15 | Client Firewall Rules | See Below Firewall Change Requests

    Service Accounts

    16 | Enterprise Service Accounts (Optional) | If implementing enterprise services, service accounts will need to be created and given specific permissions to allow integration. See Appendix.


    Network Changes

    On-Premise Multi Server

    Row | Source Host | Destination Component | Destination Host | Destination IP | Protocol | Port | Ref Diagram

    Source Component: AirWatch Internal Server

    A | {InternalServer_IP} | Internal Network | {InternalURL_DC} {Internal_CAS} {Internal_BES} {Internal_ADCS} {Internal_SMTP} {Internal_SharePoint} | {Internal_IPs} | DCOM, HTTPS, LDAP/LDAPS, SMTP | 389, 636, 3268, 3269, 135, 443, 25, 465 | 1
    B | {InternalServer_IP} | SQL Server | {SQLServer_Name} | {SQLServer_IP} | TCP | 1433 | 2
    C | {InternalServer_IP} | SQL Server Reporting Svc | {SQLServer_Name} | {SQLServer_IP} | HTTP/HTTPS | 80, 443 | 2
    D | {InternalServer_IP} | Apple APNs Cloud | gateway.push.apple.com feedback.push.apple.com | 17.0.0.0/8 | TCP | 2195, 2196 | 3
    E | {InternalServer_IP} | Apple iTunes Cloud | *.itunes.apple.com *.phobos.apple.com | any | HTTP/HTTPS | 80, 443 | 4
    F | {InternalServer_IP} | Google Play Store | play.google.com | any | HTTP/HTTPS | 80, 443 | 5
    G | {InternalServer_IP} | Google Cloud Messaging | android.googleapis.com android.apis.google.com www.google.com google.com | any | TCP | 443 | N/S
    H | {InternalServer_IP} | CellTrust SMS | gateway.celltrust.net | 162.42.205.0/24 | HTTPS | 443 | N/S
    I | {InternalServer_IP} | AW DMZ Server | {DMZServer_Name} | {DMZServer_IP} | TCP | 443, 2001 | 6
    J | {InternalServer_IP} | AirWatch Autodiscovery Server | discovery.awmdm.com | 209.208.230.100 | HTTPS | 443 | 7

    Source Component: AirWatch DMZ Server

    K | {DMZ_Server_IP} (SEG only) | Client CAS Server(s) | {InternalURL_EAS} | {InternalIP_EAS} | HTTPS | 443 | 8
    L | {DMZ_Server_IP} | Apple APNs Cloud | gateway.push.apple.com | 17.0.0.0/8 | TCP | 2195, 2196 | 9
    M | {DMZ_Server_IP} | Google Cloud Messaging | android.googleapis.com android.apis.google.com www.google.com google.com | any | TCP | 443 | 10
    N | {DMZ_Server_IP} | SSL Cert CRL | TBD | any | HTTP | 80 | N/S
    O | {DMZ_Server_IP} | AirWatch Internal Server | {InternalServer_URL} | {InternalServer_IP} | HTTPS | 443, 2010 | 11
    P | {DMZ_Server_IP} | SQL Server | {SQLServer_Name} | {SQLServer_IP} | TCP | 1433 | 2
    Q | {DMZ_Server_IP} | AirWatch Autodiscovery Server | discovery.awmdm.com | 209.208.230.100 | HTTPS | 443 | 17

    Source Component: Administrators

    R | {ADMIN_IP} | Virtual Earth (GPS Maps) | *.virtualearth.net | any | HTTP/HTTPS | 80, 443 | N/S
    S | {ADMIN_IP} | AirWatch Internal Server | {InternalServer_URL} | {InternalServer_IP} | HTTP/HTTPS | 80, 443 | 12

    Source Component: Self Service Portal

    T | {USER_IP} | AirWatch DMZ Server | {DMZ_Server_URL} | {DMZ_Server_IP} | HTTP/HTTPS | 80, 443 | N/S

    Source Component: Devices

    U | {Device_IP} | Apple APNs Cloud | #-courier.push.apple.com gateway.push.apple.com | 17.0.0.0/8 | TCP | 5223 | 13
    V | {Device_IP} | Apple iTunes Cloud | phobos.apple.com oscp.apple.com ax.itunes.apple.com | any | HTTP/HTTPS | 80, 443 | 14
    W | {Device_IP} | Android C2DM Cloud | mtalk.google.com | any | TCP | 5228 | 15
    X | {Device_IP} | AirWatch Server | {DMZ_Server_URL} | Public IP | HTTP/HTTPS | 80, 443, 2001, 2010, 2020 | 16
    Y | {Device_IP} | AirWatch Autodiscovery Server | discovery.awmdm.com | 209.208.230.100 | HTTPS | 443 | 18


    Appendix

    The table below lists the required service accounts needed to integrate with backend enterprise services.

    Service Accounts

    # | Title | Description / Purpose | Source

    1 | SQL Service Account | SQL service account to install the AirWatch database. Requires the System Administrator permission. |
    2 | LDAP Binding Account | Client LDAP service account to authenticate binding requests into the Client LDAP directory for all users in the desired OU. |
    3 | Enterprise Integration Service Account | If implementing SCEP, CA, BES, Exchange 2010 PowerShell or SMTP authentication, an AirWatch service account will need to be created and assigned to the AirWatch Enterprise Integration Server. This account requires the Remote Services permission in AirWatch. | AirWatch Enterprise Integration Service Guide
    4 | Certificate Authority Service Account | Client CA service account to issue and revoke certificates from the CA. Requires these permissions on the CA: Issue and Manage Certificates; Request Certificates. Requires these permissions on the Certificate Template: Read; Enroll. | AirWatch Certificate Management
    5 | PowerShell Service Account | Exchange 2010 and Office 365 permissions: Organization Client Access; Mail Recipients; Recipient Policies (only if deploying Windows Phone devices). | AirWatch PowerShell Email Configuration Guide
    6 | BES Service Account | Service Account permissions can be found in Appendix A1. | AirWatch BES Integration Guide
    7 | SharePoint Service Account | Account with read rights to the content repository to view and index content. The Browse Directories permission must be enabled on SharePoint. | AirWatch SharePoint Integration Guide
    8 | Installation Admin Rights | An account to run the AirWatch software installation with administrative rights on the AirWatch servers and SA permissions on the database to set up maintenance scripts. |
    9 | SMTP | SMTP account to relay emails from the system |
    10 | SCCM | | AirWatch SCCM Integration Guide


    Additional Notes

    Apple APNs

    From a device the following has to occur for a successful APNs connection: NSLookup gateway.push.apple.com for the TXT record; open a connection to #-courier.push.apple.com on port 5223, where # is the result returned from the TXT record on gateway.push.apple.com.
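    The APNs lookup above and the device/server rows of the network tables can be turned into a pre-flight check that a firewall change request was actually applied. The script below is an added example, not AirWatch code: it encodes a constructed subset of table rows, expands the APNs row through the TXT-record step, and tests each flow with an injectable TCP connector (so it can also run offline against a fake). The TXT value format `count=N` is an assumption; the document only says the record returns the number.

```python
"""Added example: verify the egress flows from the network-requirements tables."""
from __future__ import annotations
import re
import socket
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ref: str    # row letter from the table
    host: str   # destination host; {Placeholder} rows are filled in by the client
    port: int

# Constructed subset of the On-Premise Single Server table (rows B, I, K).
REQUIRED_FLOWS = [
    Flow("B", "gateway.push.apple.com", 2195),
    Flow("B", "feedback.push.apple.com", 2196),
    Flow("I", "{SQLServer_Name}", 1433),
    Flow("K", "discovery.awmdm.com", 443),
]

def courier_count(txt_value: str) -> int:
    """Number carried by the TXT record of gateway.push.apple.com (assumed 'count=N' or bare N)."""
    m = re.fullmatch(r"\s*(?:count=)?(\d+)\s*", txt_value)
    if not m:
        raise ValueError(f"unexpected TXT value: {txt_value!r}")
    return int(m.group(1))

def courier_host(txt_value: str, index: int) -> str:
    """Host a device opens on TCP 5223: '#-courier.push.apple.com' with # from the TXT record."""
    count = courier_count(txt_value)
    if not 1 <= index <= count:
        raise ValueError(f"courier index {index} outside 1..{count}")
    return f"{index}-courier.push.apple.com"

def device_apns_flows(txt_value: str) -> list[Flow]:
    """Row N expanded to every courier host a device may pick, so all must be allowed."""
    return [Flow("N", courier_host(txt_value, i), 5223)
            for i in range(1, courier_count(txt_value) + 1)]

def check_flows(flows, connect=socket.create_connection, timeout=5.0) -> dict[str, str]:
    """Attempt a TCP connect per flow; map 'host:port' to 'open', 'blocked: ...' or 'skipped: ...'."""
    report: dict[str, str] = {}
    for f in flows:
        key = f"{f.host}:{f.port}"
        if f.host.startswith("{"):           # placeholder never replaced by the client
            report[key] = "skipped: placeholder not filled in"
            continue
        try:
            with connect((f.host, f.port), timeout=timeout):
                report[key] = "open"
        except OSError as exc:                # refused, filtered, DNS failure, timeout
            report[key] = f"blocked: {exc}"
    return report
```

    Run with the real `socket.create_connection` from the AirWatch server or a device-network host; any "blocked" line names the firewall rule still missing.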

    Load Balancer

    Load balancers are to be configured with a round robin load balancing mechanism and SSL session persistence of 15 minute sessions. Load balancers are also recommended to redirect all HTTP requests to HTTPS. SSL offloading is supported for all services except API services. If offloading SSL, the load balancer must forward secure cookies to and from the AirWatch servers.

    Public DNS

    External DNS needed for email proxy server

    External DNS needed for AirWatch Device Services

    Public Trusted SSL Cert

    Matching public trusted SSL certs for the public DNS setup for the email proxy server and Device Services Server are required. These certs must be issued from a valid issuing authority (e.g. VeriSign, GeoTrust, GoDaddy, etc.)

    Public IP

    A public IP address to access the AirWatch email proxy server from the Internet (HTTPS)

    A public IP address to access the AirWatch Device Services server from the Internet (HTTPS)

    Proxy

    The AirWatch servers can be configured with a proxy / PAC file for outbound internet access. Apple APNs traffic, however, is not HTTP traffic, and cannot be proxied through traditional HTTP proxies. This traffic must go straight out to the internet, or through an application/SOCKS proxy.

    Kerberos Delegation

    If using client certificates for email authentication, the SEG server must be joined to the same domain as the backend CAS server and Kerberos Delegation must be set up in AD between the AirWatch SEG and the CAS server(s). In addition, valid SPNs must be set in AD for the public URL used by the SEG server.

    HTTP PUT

    iOS MDM requires the support of HTTP PUT commands from the iOS device to the AirWatch MDM server (Device Services)


    A1 BES Service Account

    BES service account permissions required for integration:

    User and Device

    Note: Topology and BlackBerry Administration Service setup permissions are not necessary.


Recommended