I have previously blogged about VMware AirWatch and compared its On-Prem and SaaS offerings (link to blog: https://www.marcus-yeo.com/my-blog/vmware-airwatch-on-prem-vs-saas).
In this post I want to walk through the different components that make up the AirWatch solution.
i. AirWatch Device Service Server
Manages all communication to and from mobile devices
ii. AirWatch Admin Console Server
Placed within the customer network
Web interface for administrative purposes
Manages the integration with certificates and PKI
iii. AirWatch Database
Stored in a Microsoft SQL Server database
Resides on a separate server from the AirWatch application servers
Can be hosted on an existing SQL Server instance
Stores the configuration and device information
iv. AirWatch Cloud Connector (ACC) - Optional
ACC provides the ability to integrate AirWatch (SaaS or On-Prem) with the organisation's back-end enterprise systems:
Email Relay (SMTP)
Directory Services (LDAP/AD)
Microsoft Certificate Services (PKI) - requires additional licences
Simple Certificate Enrolment Protocol (SCEP PKI) - requires additional licences
This component is optional, as the AirWatch Device Services Server can also connect to the back-end systems directly. The usual reason to deploy it anyway is that ACC only opens outbound connections, so the back-end systems need no inbound exposure to the AirWatch servers.
v. AirWatch Tunnel - Optional
Creates a VPN connection
Gives mobile devices connecting from outside the corporate network access to corporate applications
Pushes a "per-app VPN" profile down to the mobile devices, which establishes a VPN tunnel through a corporate server when the app is launched
vi. AirWatch Content Gateway (ACG) - Optional
Access and edit corporate file shares from mobile devices
E.g. file servers or SharePoint servers placed in the corporate network
vii. AirWatch Secure Email Gateway (SEG) - Optional
Manages email delivery to mobile devices.
A ‘proxy’ between mobile devices and corporate email servers
Controls which devices may access corporate email, and how
In a nutshell
I couldn't find any diagram online that shows how all the AirWatch components relate to one another. The diagram below is a simple one drawn by me, based on my understanding of the subject and on my past experience working on AirWatch projects.
Some points to note on the diagram below:
The placement of the AirWatch components is not a hard rule; it may differ depending on the environment. For example, I have seen the AirWatch Admin Console and AirWatch Cloud Connector placed in the DMZ because of a client's security constraint.
Connections from the AirWatch Admin Console to the other AirWatch components are shown in green for ease of viewing.
Although this is basically an 'On-Prem' design, I have also added a connection for AirWatch SaaS, just to show how it would be connected.
All AirWatch components are drawn for reference, but not all are mandatory. For example, depending on the use cases, the Secure Email Gateway, AirWatch Content Gateway and AirWatch Tunnel may not be necessary.
The load balancer (LB) is there for HA purposes and is optional.
I have drawn the AirWatch Admin Console in the 'Internal' zone, as it is accessed by users for administrative purposes. However, do note that it does need outbound access to the Internet to communicate with the devices.
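Because the placement differs from client to client, it helps to write the diagram down as data and let a script derive the firewall rules and the review points for whatever placement a client proposes. The following is an added example of that, written for this post; it is not VMware code. The zone names, the component names, the default placement and the direction of each connection (who opens the socket) are my assumptions encoding the notes above; ports are left out because the write-up does not give them.

```python
from dataclasses import dataclass

# Trust ranking of the zones in the diagram (assumption: a plain three-zone layout).
TRUST = {"internet": 0, "dmz": 1, "internal": 2}


@dataclass(frozen=True)
class Flow:
    src: str       # component that opens the connection
    dst: str       # component or back-end service that accepts it
    purpose: str


# Assumed default placement, following the diagram notes above.
DEFAULT_PLACEMENT = {
    "devices": "internet", "airwatch_saas": "internet",
    "device_services": "dmz", "tunnel": "dmz", "seg": "dmz", "acg": "dmz",
    "admin_users": "internal", "admin_console": "internal", "database": "internal",
    "acc": "internal", "smtp_relay": "internal", "directory": "internal",
    "pki": "internal", "mail_server": "internal", "file_share": "internal",
    "internal_apps": "internal",
}

# Connections the write-up describes. The direction is an assumption.
FLOWS = (
    Flow("devices", "device_services", "enrolment, check-in and profile delivery"),
    Flow("devices", "tunnel", "per-app VPN from outside the corporate network"),
    Flow("devices", "seg", "mail proxied towards the corporate mail server"),
    Flow("devices", "acg", "file share / SharePoint access"),
    Flow("admin_users", "admin_console", "administrative web interface"),
    Flow("admin_console", "database", "configuration and device records"),
    Flow("device_services", "database", "configuration and device records"),
    Flow("admin_console", "device_services", "console to Device Services"),
    Flow("admin_console", "devices", "outbound access to the Internet to reach devices"),
    Flow("acc", "device_services", "ACC integration link (assumed outbound from ACC)"),
    Flow("acc", "airwatch_saas", "same link for a SaaS tenant (assumed outbound)"),
    Flow("acc", "smtp_relay", "email relay (SMTP)"),
    Flow("acc", "directory", "directory services (LDAP/AD)"),
    Flow("acc", "pki", "certificate services / SCEP"),
    Flow("seg", "mail_server", "proxied mail delivery"),
    Flow("tunnel", "internal_apps", "corporate applications reached over the VPN"),
    Flow("acg", "file_share", "corporate file shares and SharePoint"),
)


def firewall_rules(placement, flows=FLOWS):
    """Return the zone-crossing flows: exactly the rules to request from the firewall team."""
    rules = []
    for f in flows:
        src_zone, dst_zone = placement[f.src], placement[f.dst]
        if src_zone != dst_zone:
            rules.append((f.src, src_zone, f.dst, dst_zone, f.purpose))
    return rules


def review_placement(placement, flows=FLOWS):
    """Findings a reviewer would raise for a proposed placement, as (severity, message)."""
    findings = []
    for f in flows:
        src_zone, dst_zone = placement[f.src], placement[f.dst]
        # An Internet-facing listener must terminate in the DMZ, never in the internal zone.
        if TRUST[src_zone] == TRUST["internet"] and TRUST[dst_zone] == TRUST["internal"]:
            findings.append(("error", f"{f.dst} accepts connections straight from the Internet "
                                      f"but is placed in the internal zone ({f.purpose})"))
    if placement["database"] != "internal":
        findings.append(("error", "the AirWatch database must stay in the internal zone"))
    if placement["admin_console"] != "internal":
        findings.append(("warning", "admin console outside the internal zone: the admin "
                                    "web interface becomes reachable from a less trusted network"))
    if placement["acc"] != "internal":
        crossing = [r for r in firewall_rules(placement, flows)
                    if r[0] == "acc" and r[3] == "internal"]
        findings.append(("warning", f"ACC outside the internal zone: {len(crossing)} extra "
                                    "DMZ-to-internal rule(s) towards directory, mail relay and PKI"))
    return findings


if __name__ == "__main__":
    # The client variant mentioned above: console and ACC moved into the DMZ.
    client_variant = dict(DEFAULT_PLACEMENT, admin_console="dmz", acc="dmz")
    for src, sz, dst, dz, why in firewall_rules(client_variant):
        print(f"{sz:>8} -> {dz:<8} {src} -> {dst}: {why}")
    for severity, message in review_placement(client_variant):
        print(f"[{severity}] {message}")
```

Running it for the client variant lists the three extra DMZ-to-internal rules that moving ACC into the DMZ costs (towards the SMTP relay, the directory and the PKI), which is the concrete trade-off to put in front of the client; moving Device Services into the internal zone instead is reported as an error, because devices would then be connecting straight from the Internet into the internal zone.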
"What do you think?" Let me know if you think there is any important/useful detail I have missed in the above write up.