  • Marcus Yeo

AirWatch Components Overview

Updated: Mar 11, 2019

I have previously blogged about VMware AirWatch and elaborated on its On-Prem and SaaS solutions (link to blog: https://www.marcus-yeo.com/my-blog/vmware-airwatch-on-prem-vs-saas).

In this blog, I want to talk about all the different components which the AirWatch solution comprises.

i. AirWatch Device Service Server

  • Manages all communication to and from mobile devices


ii. AirWatch Admin Console Server

  • Placed within customer network

  • Web interfaces for admin purposes.

  • Manage integration to:

  1. Certificates and PKI,

  2. Email Infra,

  3. Directory Services

  4. Content Repositories

  5. SQL Server


iii. AirWatch Database

  • Stored in Microsoft SQL Server DB

  • Resides on a separate server from AirWatch application servers

  • Can be on an existing SQL server

  • Stores the configuration and device information


iv. AirWatch Cloud Connector (ACC) - Optional

  • ACC provides the ability to integrate AirWatch (both SaaS and On-Prem) with the organization's back-end enterprise systems.

  • Integration includes:

  1. Email Relay (SMTP)

  2. Directory Services (LDAP/AD)

  3. Microsoft Certificate Services (PKI) - Requires additional licenses

  4. Simple Certificate Enrolment Protocol (SCEP PKI) - Requires additional licenses

  • This component is optional, as it is also possible for the AirWatch Device Service Server to connect to the back-end systems directly

v. AirWatch Tunnel - Optional

  • Creates a VPN connection

  • Provides access to corporate applications for mobile devices connecting from outside the corporate network.

  • Pushes down a "per-app VPN" profile to the mobile devices, which establishes a VPN tunnel through a corporate server when the app is launched


vi. AirWatch Content Gateway (ACG) - Optional

  • Access and edit corporate file share from mobile devices.

  • E.g. file servers or SharePoint servers placed in the corporate network


vii. AirWatch Secure Email Gateway (SEG) - Optional

  • Manages email delivery to mobile devices.

  • A ‘proxy’ between mobile devices and corporate email servers

  • Manages who accesses corporate email and how it is accessed.


In a nutshell

I couldn't find any diagram online that shows the relationship of all the AirWatch components put together. Below is a simple diagram drawn by me, based on my understanding of the subject and on my past experience working on AirWatch projects.

Some points to note on the below diagram:

  • This is not a hard rule for placing the AirWatch components. It may differ depending on the environment. E.g. I have seen the AirWatch Admin Console and AirWatch Cloud Connector being placed in the DMZ zone due to a security constraint by a client.

  • AirWatch Admin Console connections to other AirWatch components are indicated in green for ease of viewing.

  • Although this is basically a diagram for 'On-Prem' design, I have added a connection for AirWatch SaaS as well, just to show how it will be connected.

  • All AirWatch components are drawn for reference, but not all are mandatory. E.g. depending on the use cases, the Secure Email Gateway, AirWatch Content Gateway and AirWatch Tunnel may not be necessary.

  • The LB (load balancer) is for HA purposes and is optional.

  • I have drawn the AirWatch Admin Console in the 'Internal' zone, as it is accessed by users for administrative purposes. However, do note that it does need access out to the Internet to communicate with the devices.



"What do you think?" Let me know if you think there is any important/useful detail I have missed in the above write up.
