AirWatch v8.0
AirWatch Mobile Access Gateway Installation Guide for Windows | v.2015.07 | July 2015
Copyright © 2015 VMware, Inc. All rights reserved. Proprietary & Confidential.
Table of Contents
What's New
Introduction to Mobile Access Gateway Installation for Windows
In This Guide
Terminology
Before You Begin
In This Section
Requirements
Recommended Reading
Getting Started
Prerequisites for MAG Proxy/Content Connectivity for SaaS Environments
Prerequisites for MAG Proxy/Content Connectivity for On-Premise Environments
Installation Preparation
Overview
Performing Preliminary Installation Steps
Configure MAG Proxy/Content
MAG Proxy/Content Installation for a Relay-Endpoint Configuration on Windows
Overview
Installing the MAG
MAG Proxy/Content Installation for a Basic (Endpoint only) Configuration on Windows
Overview
Installing MAG for Basic (Endpoint only) Configurations
Appendix: SSL Offloading
Overview
SSL Offloading Traffic Flow
Enabling SSL Offloading
Appendix: Upgrading the Component
Upgrading the MAG for Windows Proxy/Content Components
Appendix: Kerberos KDC Proxy Support
How to Access Logs
Appendix: Outbound Proxies using PAC Files
For Windows
Finding Additional Documentation
What's New
This guide has been updated with the latest features and functionality from the most recent release of AirWatch v8.0. The
list below includes these new features and the sections and pages on which they appear.
• The MAG configuration process now lets you use enterprise CA certificates to authenticate devices against the
MAG Proxy component. See Configure MAG Proxy/Content on Windows for more information.
Introduction to Mobile Access Gateway Installation for Windows
In This Guide
• Before You Begin – Ensure your deployment meets the necessary hardware, sizing, software and firewall
requirements before attempting to install the MAG.
• MAG Installation Preparation – Perform some preliminary steps to ensure a smooth installation of the MAG.
• MAG Proxy/Content Installation for a Relay-Endpoint Configuration on Windows – Run the MAG installer for a
relay-endpoint configuration.
• MAG Proxy/Content Installation for a Basic Configuration on Windows – Run the MAG installer for a basic (endpoint
only) configuration.
• Appendix – SSL Offloading – Read more about how to enable SSL Offloading for the MAG.
• Appendix – Upgrading the MAG – Read more about how to upgrade the MAG from one version to the next.
• Appendix – Kerberos KDC Proxy Support – Read more about enabling Kerberos authentication functionality.
• Appendix – Outbound Proxies using PAC Files – Read more about steps you should follow if you are accessing
outbound proxies through the MAG that use a PAC file and also require authentication.
Terminology
Reviewing the following terminology for the various components of the MAG will aid your
understanding of the technology.
• MAG – Mobile Access Gateway. The generic term for the two components that comprise it: Proxy and Content.
• Proxy – The MAG component that handles securing traffic between an end-user device and a website via the
AirWatch Browser mobile app.
• Content – The MAG component that handles securing end-user access to corporate resources such as a file server via
the AirWatch Content Locker mobile app.
• App Wrapping – Functionality that lets you secure enterprise applications without code changes. It can add an extra
layer of security and data loss prevention while offering a consistent user experience.
Before You Begin
In This Section
• Requirements – See a list of requirements you must meet before installing the MAG.
• Recommended Reading – See a list of additional guides that contain supplemental information about MAG.
• Getting Started – See additional considerations you should know before you begin.
Requirements
• For a complete listing of all requirements for installing MAG in a SaaS environment, refer to Prerequisites for
MAG Proxy/Content Connectivity for SaaS Environments.
• For a complete listing of all requirements for installing MAG in an on-premise environment, refer to Prerequisites for
MAG Proxy/Content Connectivity for On-Premise Environments.
Recommended Reading
• AirWatch Cloud Messaging (AWCM) Guide – This guide walks on-premise customers through setting up the AWCM
service, which is required for using MAG.
• AirWatch Mobile Access Gateway Admin Guide – This guide provides an overview of the MAG and how to enable
MAG functionality within the AirWatch Admin Console.
• AirWatch On-Premise Configuration Guide – This guide details the various aspects of an on-premise deployment,
including hardware sizing, high availability, monitoring/maintenance, and so on.
Getting Started
• Note the following distinction between on-premise and SaaS deployments:
  ◦ On-premise refers to AirWatch deployments where your organization hosts all AirWatch components and
  servers on its internal networks.
  ◦ SaaS refers to AirWatch deployments where certain AirWatch components, such as the Console and API servers,
  are hosted in the cloud by AirWatch.
• Before continuing with MAG installation, ensure AWCM is configured and operational. If you are an on-premise
customer, refer to the AWCM Guide, available via AirWatch Resources, for instructions on how to configure AWCM
before installing the MAG.
• Ensure you have performed all the necessary preliminary steps in MAG Installation Preparation.
Prerequisites for MAG Proxy/Content Connectivity for SaaS Environments
General Requirements
• Remote access to Windows Servers available to AirWatch and Administrator rights – Recommended to set up Remote
Desktop Connection Manager for multiple server management; the installer can be downloaded from
http://www.microsoft.com/en-us/download/confirmation.aspx?id=21101
• Installation of Notepad++ (Recommended) – Installer can be downloaded from
http://download.tuxfamily.org/notepadplus/6.5.1/npp.6.5.1.Installer.exe
Software Requirements
• Windows Server 2008 R2 or Windows Server 2012 or Windows Server 2012 R2
• Install Role from Server Manager – IIS 7.0 (Server 2008 R2), IIS 8.0 (Server 2012 or Server 2012 R2),
IIS 8.5 (Server 2012 R2 only)
• Install .NET Framework 4.5.2 – The installer will install this version of .NET provided the server has Internet
access. Otherwise, download and manually install it.
• Install 64-bit Java Runtime Environment version 7 or greater – Download from https://java.com/en/download/index.jsp
Note: Ensure 32-bit Java is not installed.
• Internally registered DNS – Register the MAG relay (If Relay-Endpoint) or register the MAG Endpoint (If
Endpoint only)
• Externally registered DNS – Register the MAG relay (If Relay-Endpoint) or register the MAG Endpoint (If
Endpoint only)
• SSL Certificate from trusted third party with Subject or Subject Alternative name of DNS – Ensure the SSL
certificate is trusted by all device types being used (for example, not all Comodo certificates are natively
trusted by Android).
• IIS 443 Binding with the same SSL certificate – Validate that you can connect to the server over HTTPS
(https://yourAirWatchDomain.com). At this point, you should see the IIS splash page.
• Ensure the AWCM SSL certificate's Intermediate and Root CA certificates are in the Java CA Keystore on the MAG
server – Use the Command Line Utility on the MAG server to enter the following:
keytool -list -v -keystore $JAVA_HOME\jre\lib\security\cacerts
OR
Use the GUI tool (free) here: http://portecle.sourceforge.net/
Note: For configuring the ports listed below, all traffic is uni-directional (outbound) from the source component to the
destination component.
Network Requirements
Note: If you plan on using the MAG/AirWatch Tunnel to connect to network file shares, then it is required that either
the Endpoint be on the same domain as the NFS or, if the MAG/AirWatch Tunnel is on a different domain, it must
have domain trust with the domain of the NFS.
2. For the MAG to query the AirWatch Admin Console for compliance and tracking purposes.
3. For MAG Relay topologies to forward device requests to the internal MAG endpoint only.
5. For devices with the AirWatch Browser to access internal websites/web applications.
6. For devices with app tunnel; enables applications to communicate with internal systems.
Note: If a firewall resides between the MAG Endpoint and an internal system you are trying to reach, then you will
have to open the corresponding port depending on the traffic. For example, Windows Network File Shares
require ports 135 through 139 and 445 to be open in order to access content on Windows file shares.
7. The MAG needs to communicate with the API for initialization. Ensure there is connectivity between the REST API and
the MAG server.
Prerequisites for MAG Proxy/Content Connectivity for On-Premise Environments
Note: The requirements listed here support basic data query. You may
require additional server space if your use case involves the
transmission of large encrypted files from a content repository.
General Requirements
• Remote access to Windows Servers available to AirWatch and Administrator rights – Recommended to set up Remote
Desktop Connection Manager for multiple server management; you can download the installer from:
http://www.microsoft.com/en-us/download/confirmation.aspx?id=21101
• Installation of Notepad++ (Recommended) – You can download the installer from:
http://download.tuxfamily.org/notepadplus/6.5.1/npp.6.5.1.Installer.exe
Software Requirements
• Windows Server 2008 R2 or Windows Server 2012 or Windows Server 2012 R2
• Install Role from Server Manager – IIS 7.0 (Server 2008 R2), IIS 8.0 (Server 2012 or Server 2012 R2),
IIS 8.5 (Server 2012 R2 only)
• Install .NET Framework 4.5.2 – The installer will install this version of .NET provided the server has Internet
access. Otherwise, download and manually install it.
• Install 64-bit Java Runtime Environment version 7 or greater – Download from https://java.com/en/download/index.jsp
Note: Ensure 32-bit Java is not installed.
• Internally registered DNS – Register the MAG relay (If Relay-Endpoint) or register the MAG Endpoint (If
Endpoint only)
• Externally registered DNS – Register the MAG relay (If Relay-Endpoint) or register the MAG Endpoint (If
Endpoint only)
• SSL Certificate from trusted third party with Subject or Subject Alternative name of DNS – Ensure the SSL
certificate is trusted by all device types being used (for example, not all Comodo certificates are natively
trusted by Android).
• IIS 443 Binding with the same SSL certificate – Validate that you can connect to the server over HTTPS
(https://yourAirWatchDomain.com). At this point, you should see the IIS splash page.
• Ensure the AWCM SSL certificate's Intermediate and Root CA certificates are in the Java CA Keystore on the MAG
server – Use the Command Line Utility on the MAG server to enter the following:
keytool -list -v -keystore $JAVA_HOME\jre\lib\security\cacerts
OR
Use the GUI tool (free) here: http://portecle.sourceforge.net/
Note: For configuring the ports listed below, all traffic is uni-directional (outbound) from the source component to the
destination component.
Network Requirements
Note: If you plan on using the MAG/AirWatch Tunnel to connect to network file shares, then it is required that either
the Endpoint be on the same domain as the NFS or, if the MAG/AirWatch Tunnel is on a different domain, it must
have domain trust with the domain of the NFS.
2. For the MAG to query the AirWatch Admin Console for compliance and tracking purposes.
3. For devices with the AirWatch Content Locker to access internal content from websites, such as SharePoint.
4. For devices with the AirWatch Browser to access internal websites/web applications.
5. For devices with app tunnel; enables applications to communicate with internal systems.
Note: If a firewall resides between the MAG Endpoint and an internal system you are trying to reach, then you will
have to open the corresponding port depending on the traffic. For example, Windows Network File Shares
require ports 135 through 139 and 445 to be open in order to access content on Windows file shares.
6. For MAG Relay topologies to forward device requests to the internal MAG endpoint only.
7. The MAG needs to communicate with the API for initialization. The API server is generally hosted on the AirWatch
Admin Console Server or can be a separate server. Ensure there is connectivity between this server and the MAG
server.
8. For the Device Services server to enumerate the repositories via the content relay and convert them into a format
devices can use.
9. For the Console server to enumerate the repositories via the content relay for viewing in the AirWatch Admin
Console.
10. For devices with the AirWatch Content Locker to access internal content from Network Shares.
Installation Preparation
Overview
Before installing the server within your network, you must ensure your environment meets all the requirements, and
then prepare for installation by downloading the installation files.
Notes:
• Steps 1 through 3 are applicable for on-premise customers only. If you are a SaaS customer, begin with step 4.
• Before you begin installing AirWatch Tunnel, ensure that AWCM is installed correctly, running, and
communicating with AirWatch without any errors. For more information about configuring AWCM, refer to the
AirWatch AWCM Guide.
• AirWatch recommends you do not configure AirWatch Tunnel at the Global organization group level.
3. Select Save.
4. Navigate to Groups & Settings ► All Settings ► System ► Advanced ► Device Root Certificate and verify the device
root certificate exists. If it does not exist, click the Override radio button and generate the root device certificate.
5. Navigate to Groups & Settings ► All Settings ► System ► Advanced ► API ► REST API and click the Override radio
button.
6. Ensure the Enable API Access check box is selected and an API Key is displayed in the field highlighted above.
7. Click Save.
Configure MAG Proxy/Content
Perform the following configuration procedure to access the MAG Windows installer, which will let you download and
install the MAG Content and Proxy components.
1. Navigate to Groups & Settings ► All Settings ► System ► Enterprise Integration ► Mobile Access Gateway.
If this is your first time configuring MAG, then select Configure and follow the configuration wizard screens.
Otherwise, select the Override radio button, ensure the Enable Mobile Access Gateway check box is selected, and
then select Configure to configure the following settings. In either case, select Configure MAG for Windows.
a. Select either Basic or Relay-Endpoint as your Configuration Type. Select Next.
You can find more info on these configuration types in the MAG Admin Guide, available via AirWatch Resources.
Note: When entering the Host Name, do not include the protocol (http://, https://, etc.).
• Default HTTPS Port – The port number automatically assigned for HTTPS communication with the MAG.
Note: By default AirWatch Tunnel utilizes a single HTTPS Port for HTTPS Tunneling. If you want to define
an HTTP Port and use HTTP Tunneling you can do so on the Advanced settings page after configuration.
Refer to the HTTP and HTTPS Tunneling section of the AirWatch Mobile Access Gateway Admin Guide,
available via AirWatch Resources, for more information.
• Use Kerberos Proxy – Enabling Kerberos proxy support will allow access to Kerberos authentication,
typically only available inside the corporate network, for target backend web services. Note that this does
not currently support Kerberos Constrained Delegation (KCD).
Note: The Endpoint server needs to be on the same domain as the KDC for the Kerberos Proxy to
successfully communicate with the KDC.
• Relay-Endpoint Port – This is the port used for traffic between the MAG relay and MAG endpoint. Note that
you should not use port 80, because IIS, which is required for MAG installation, will already be bound to port
80.
Content Configuration:
• Content Repository URL – The URL used to access the MAG Content Repository Relay from the Internet.
Typically the same as the hostname field but with an HTTP/HTTPS protocol. For
example: HTTPS://magrelay.acme.com.
Note: If using a Relay-Endpoint setup, enter both the Relay and Endpoint URLs.
c. Click Next to advance to the SSL section. Enter the following information:
App Wrapping / Browser / SDK SSL Certificate:
• Select the Use Public SSL Certificate check box if you are using third party public SSL certificates for
authentication between AirWatch applications and the MAG. Select Upload to browse for and upload your
certificate file (.pfx or .p12). This file must contain both your public and private key pair.
Content SSL Certificate:
• Ignore SSL Errors – Select to ignore SSL errors that occur during communication between the AirWatch
Admin Console and the content repository.
d. Click Next to advance to the Authentication section, where you can select to use an enterprise CA in place of
AirWatch issued certificates. Select Default to use AirWatch issued certificates. Select Enterprise CA to display
drop-downs for the certificate authority and certificate template that you have uploaded into AirWatch. Also
upload the root certificate of your CA.
Note: The CA template must contain the following field in the subject name: CN=UDID. Supported CAs are
ADCS, RSA and SCEP. For more information about integrating with your certificate provider, please see the
certificate management documentation for your CA, available via AirWatch Resources in the Certificate
Management section.
e. Click Next to display the Summary section. Review the summary of your MAG configuration and select Save. You
are navigated back to the MAG Configuration page.
2. Select the Advanced tab and then select Generate Certificates to enable MAG Authentication. If you plan to install
the MAG on an SSL offloaded server, click Export MAG Certificate from the AirWatch Admin Console once the
certificate has been generated. Then, import the certificate on the server performing SSL offload. (This server can be a
load balancer or reverse proxy.)
Note: The other settings on this Advanced tab are explained in the AirWatch MAG Admin Guide, available via
AirWatch Resources.
3. Select the General tab and then select the Download Windows Installer hyperlink.
5. Click Save.
6. Continue with the steps for MAG Proxy/Content Installation for a Relay-Endpoint Configuration on Windows or
MAG Proxy/Content Installation for a Basic (Endpoint only) Configuration on Windows, depending on the
configuration you selected.
MAG Proxy/Content Installation for a Relay-Endpoint Configuration on Windows
Overview
Perform the following steps to install the MAG for a Relay-Endpoint configuration, which you can view below. Verify the
presence of IIS and install Java on the MAG server as needed, as noted in the Requirements section.
Note: Before you begin, ensure the server you are installing MAG on can reach AWCM by browsing to
"https://{url}:<port>/awcm/status", where <port> is the configurable external port for AWCM. You should see the
status of the AWCM with no SSL errors. If there are errors, resolve them before continuing or the MAG will not
function properly.
For more information about the supported MAG configurations and deployment models, refer to the AirWatch Mobile
Access Gateway Admin Guide, available via AirWatch Resources.
Relay Server
1. Open the installer executable on the Relay MAG server and then click Next. For Relay-Endpoint configurations, you
must perform MAG installation on both the Relay and Endpoint servers. The steps below assume you are first
Note: If a previous version of MAG is installed, the installer auto-detects it and offers the option to upgrade to the
latest version.
2. Accept the End User License Agreement and then click Next.
3. Specify the destination for the downloaded MAG installation files and then click Next.
4. Select the Relay button to first install MAG on the Relay server.
5. Select Is this server SSL Offloaded? if you are setting up a reverse proxy configuration with SSL Offloading. For more
information see the Appendix B – SSL Offloading section.
6. Select Next.
7. Enter the Certificate Password you created in the AirWatch Admin Console and then click Next.
8. Select the Target Site in which the AirWatch application should be installed using the drop-down menu and then click
Next.
If Windows Firewall is turned on, you may receive the following dialog indicating that certain profiles are enabled. In
this case, please ensure the necessary MAG ports – which include both the ones you configured in the AirWatch
Admin Console and the default IIS website port you are using to access content – are allowed in the Windows Firewall
settings.
Endpoint Server
1. Open the installer executable on the Endpoint MAG server and then click Next.
Note: If a previous version of MAG is installed, the installer auto-detects it and offers the option to upgrade to the
latest version.
2. Accept the End User License Agreement and then click Next.
3. Specify the destination for the downloaded MAG installation files and then click Next.
5. Select the check box to indicate if MAG will use an outbound proxy. If so, enter the address of the Proxy Host and
Proxy Port number to be used for communication. If the proxy requires authentication, first select the Does the
proxy require authentication credentials? checkbox, then select whether it uses Basic or NTLM authentication, then
specify the Username and Password credentials.
6. Specify whether you are using Proxy auto-configuration (PAC) files as part of your MAG installation. A PAC file is a
set of rules that a browser checks to determine where traffic gets routed. For MAG, traffic is checked against the PAC
file to determine if it has to go through an outbound proxy. If you have authentication for PAC files, then the MAG
must know the username and password of the proxy. You can reference a PAC file on a remote server by providing the
PAC URL or Upload a PAC file directly.
Note: If you are accessing outbound proxies through the MAG that use a PAC file and also require authentication,
then refer to Appendix: Outbound Proxies using PAC Files.
7. Enter the Certificate Password you created in the AirWatch Admin Console and then click Next.
8. Select the Target Site in which the AirWatch application should be installed using the drop-down menu and then click
Next.
If Windows Firewall is turned on, you may receive the following dialog indicating that certain profiles are enabled. In
this case, please ensure the necessary MAG ports – which include both the ones you configured in the AirWatch
Admin Console and the default IIS website port you are using to access content – are allowed in the Windows Firewall
settings.
Verify Installation
Review the activity found in the .log file created by the MAG installer to verify successful MAG installation. The file can be
found in the same destination folder where the installer executable was initially downloaded. Additionally, select Test
Connection on the MAG configuration page (Groups & Settings ► All Settings ► System ► Enterprise Integration ►
Mobile Access Gateway) in the AirWatch Admin Console to verify the installation. This page will tell you MAG version
info, connectivity to the MAG via HTTP/S, and certificate chain and content endpoint validation.
Note for on-premise customers: If you are an on-premise customer and your AirWatch Console server is installed on
the internal network, then you may see failed connections for the Console To line items. This is the expected behavior
when the Console server does not have access to the MAG Relay server in the DMZ and will not affect
MAG functionality.
MAG Proxy/Content Installation for a Basic (Endpoint only) Configuration on Windows
Overview
Perform the following steps to install the MAG for a Basic configuration, which you can view below. Verify the presence of
IIS and install Java on the MAG server as needed, as noted in the Requirements section.
Note: Before you begin, ensure the server you are installing MAG on can reach AWCM by browsing to
"https://{url}:<port>/awcm/status", where <port> is the configurable external port for AWCM. You should see the
status of the AWCM with no SSL errors. If there are errors, resolve them before continuing or the MAG will not
function properly.
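A scripted form of two checks this guide asks for, that the AWCM endpoint answers over TLS without SSL errors and that the AWCM certificate's intermediate and root CA certificates are in the Java CA keystore (see the prerequisites), as an added PowerShell example that is not part of the AirWatch guide. The parameter names, the `changeit` keystore password (Java's default) and `keytool` being on the PATH are assumptions.

```powershell
# Added example (not from the AirWatch guide). Assumes Windows PowerShell 3.0+ on
# .NET 4.5+ and keytool on the PATH. Host, port and keystore path are parameters.
param(
    [Parameter(Mandatory = $true)] [string] $AwcmHost,   # AWCM host name, without protocol
    [Parameter(Mandatory = $true)] [int]    $AwcmPort,   # the configurable external AWCM port
    [string] $CaCerts   = "$env:JAVA_HOME\jre\lib\security\cacerts",
    [string] $StorePass = 'changeit'   # Java's default cacerts password; assumed unchanged
)

function Get-ServerChain {
    # Performs a TLS handshake and returns the policy errors plus a copy of the
    # certificate chain Windows built for the server certificate.
    param([string] $HostName, [int] $Port)
    $result = @{ Errors = $null; Chain = @() }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $sslPolicyErrors)
        $result.Errors = $sslPolicyErrors
        # Chain elements are only valid inside the callback, so copy the raw bytes.
        $result.Chain = @($chain.ChainElements | ForEach-Object {
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList (, $_.Certificate.RawData)
        })
        # Accepted for inspection only: no application data is sent on this connection.
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $protocols = [System.Security.Authentication.SslProtocols] 'Tls, Tls11, Tls12'
        $ssl.AuthenticateAsClient($HostName, $null, $protocols, $false)
        $ssl.Dispose()
    }
    finally { $tcp.Close() }
    return $result
}

function Get-KeystoreSha1 {
    # Returns the SHA-1 fingerprint (hex, colons removed) of every keystore entry,
    # parsed from the same "keytool -list -v" listing the guide tells you to run.
    param([string] $KeystorePath, [string] $Password)
    $listing = & keytool -list -v -keystore $KeystorePath -storepass $Password 2>&1
    if ($LASTEXITCODE -ne 0) { throw "keytool failed: $($listing | Select-Object -First 1)" }
    $listing | ForEach-Object { "$_" } |
        Select-String -Pattern 'SHA1:\s*([0-9A-Fa-f:]+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value -replace ':', '' }
}

if (-not (Test-Path $CaCerts)) { throw "Java CA keystore not found at $CaCerts" }

$tls     = Get-ServerChain -HostName $AwcmHost -Port $AwcmPort
$trusted = @(Get-KeystoreSha1 -KeystorePath $CaCerts -Password $StorePass)
$issuers = @($tls.Chain | Select-Object -Skip 1)   # everything above the server certificate

# "None" means Windows saw no SSL errors; anything else must be resolved first.
"Windows TLS validation result for ${AwcmHost}:${AwcmPort}: $($tls.Errors)"

if ($issuers.Count -eq 0) {
    Write-Warning 'No intermediate or root certificate could be resolved for the AWCM certificate.'
}

# One row per intermediate/root CA, flagged by presence in the Java CA keystore.
$issuers | ForEach-Object {
    New-Object PSObject -Property @{
        Subject        = $_.Subject
        Sha1           = $_.Thumbprint
        InJavaKeystore = ($trusted -contains $_.Thumbprint)
    }
} | Format-Table Subject, Sha1, InJavaKeystore -AutoSize
```

Any row showing InJavaKeystore as False identifies a CA certificate to import into the keystore before running the MAG installer.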
For more information about the supported MAG configurations and deployment models, refer to the AirWatch Mobile
Access Gateway Admin Guide, available via AirWatch Resources.
Note: If a previous version of MAG is installed, the installer auto-detects it and offers the option to upgrade to the
latest version.
2. Accept the End User License Agreement and then click Next.
3. Specify the destination for the downloaded MAG installation files and then click Next.
4. Select the check box to indicate if MAG will use an outbound proxy. If so, enter the address of the Proxy Host and
Proxy Port number to be used for communication. If the proxy requires authentication, first select the Does the
proxy require authentication credentials? checkbox, then select whether it uses Basic or NTLM authentication, then
specify the Username and Password credentials.
5. Specify whether you are using Proxy auto-configuration (PAC) files as part of your MAG installation. A PAC file is a
set of rules that a browser checks to determine where traffic gets routed. For MAG, traffic is checked against the PAC
file to determine if it has to go through an outbound proxy. If you have authentication for PAC files, then the MAG
must know the username and password of the proxy. You can reference a PAC file on a remote server by providing the
PAC URL or Upload a PAC file directly.
Note: If you are accessing outbound proxies through the MAG that use a PAC file and also require authentication,
then refer to Appendix: Outbound Proxies using PAC Files.
6. Enter the Certificate Password you created in the AirWatch Admin Console and then click Next.
7. Select the Target Site in which the AirWatch application should be installed using the drop-down menu and then click
Next.
If Windows Firewall is turned on, you may receive the following dialog indicating that certain profiles are enabled. In
this case, please ensure the necessary MAG ports – which include both the ones you configured in the AirWatch
Admin Console and the default IIS website port you are using to access content – are allowed in the Windows Firewall
settings.
Verify Installation
Review the activity found in the .log file created by the MAG installer to verify successful MAG installation. The file can be
found in the same destination folder where the installer executable was initially downloaded. Additionally, select Test
Connection on the MAG configuration page (Groups & Settings ► All Settings ► System ► Enterprise Integration ►
Mobile Access Gateway) in the AirWatch Admin Console to verify the installation. This page will tell you MAG version
info, connectivity to the MAG via HTTP/S, and certificate chain and content endpoint validation.
Note for on-premise customers: If you are an on-premise customer and your AirWatch Console server is installed on
the internal network, then you may see failed connections for the Console To line items. This is the expected behavior
when the Console server does not have access to the MAG endpoint in the DMZ and will not affect MAG functionality.
Appendix: SSL Offloading
Note: SSL Offloading is supported for Content and Proxy components.
Overview
When accessing HTTP endpoints using HTTP Tunneling, all HTTP traffic is encrypted and authenticated using an
SSL certificate and sent over port 2020 as HTTPS. You can perform SSL Offloading with products such as F5's BIG-IP Local
Traffic Manager (LTM), or Microsoft's Unified Access Gateway (UAG), Threat Management Gateway (TMG) or Internet
Security and Acceleration Server (ISA) solutions. While these are common solutions, support is not exclusive to these.
MAG/AirWatch Tunnel is compatible with general SSL Offloading solutions provided that the solution supports the HTTP
CONNECT method. The following diagram illustrates how SSL Offloading affects traffic in a Relay-Endpoint configuration.
Note: Using the MAG/AirWatch Tunnel to access internal content supports both SSL offloading and also proxying
traffic. Using the MAG to perform proxy functions supports SSL Offloading only.
• Requests to HTTPS endpoints are sent over a port you configure and encrypted and authenticated with a third
party SSL certificate.
2. The traffic hits an SSL Termination Proxy, which must contain the AirWatch certificate exported from the AirWatch
Admin Console or your organization's own public certificate.
• Requests to HTTP endpoints over the port you configure have their SSL certificate offloaded and sent to the
Relay unencrypted over port 2010.
• Requests to HTTPS endpoints over the port you configure are unaffected and continue to the Relay on that port.
Note: Since all traffic is now sent over the port you configured, you must create a rule on your SSL Termination
Proxy to forward all traffic on that port.
3. The traffic continues from the Relay to the Endpoint on a port you configure.
4. The Endpoint communicates with your backend systems to access the requested content or resources.
Enabling SSL Offloading
To enable SSL Offloading, ensure the SSL Offloading check box is selected during installation for the Relay server. This
informs the Relay to expect to receive all traffic on the port you configured.
Appendix: Upgrading the Component
2. Select the General tab and then select the Download Windows Installer hyperlink.
4. Continue with the steps for MAG Installation for a Relay-Endpoint Configuration or MAG Installation for a Basic
(Endpoint only) Configuration.
Appendix: Kerberos KDC Proxy Support
MAG/AirWatch Tunnel Proxy supports Kerberos authentication in the requesting application. This new component,
Kerberos KDC proxy (KKDCP), gets installed on the endpoint server. AirWatch KKDCP acts as a proxy to your internal KDC
server. AirWatch-enrolled and compliant devices with a valid AirWatch issued identity certificate can be allowed to access
your internal KDC. For a client application to authenticate to Kerberos-enabled resources, all of the Kerberos requests
need to be passed through KKDCP. The basic requirement for Kerberos authentication is to make sure you install the
Endpoint with Kerberos proxy enabled during configuration in a network where it can access the KDC server.
Note: Currently, this functionality is only supported with the AirWatch Browser v2.5 and higher for Android.
2. If the Realm is not reachable then you could also configure the KDC server IP on the Advanced settings tab in system
settings.
Note: Only add the IP if the Realm is not reachable, as it will take precedence over the Realm value entered in the
configuration.
Note: By default the Kerberos proxy server uses port 2040, which is internal only, hence no firewall changes are
required to have external access over this port.
4. Enable Kerberos from the SDK settings in the AirWatch Admin Console so the requesting application is aware of the
KKDCP. To do this, navigate to Groups & Settings ► All Settings ► Apps ► Settings And Policies and select Security
Policies. Under Integrated Authentication, select Enable Kerberos. Save the settings.
• To make sure the AirWatch KKDCP server is up and running, access the following URL in your browser from the server
where KKDCP is installed: http://localhost:2040/kerberosproxy/status
• If the proxy server is working as expected, then the browser returns the following response:
{
"kdcServer":"internal-dc01.internal.local.:88",
"kdcAccessible":true
}
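The status response above can be evaluated by a script instead of read in a browser, which also separates "KKDCP is down" from "KKDCP is up but cannot reach the KDC". The following is an added example, not part of this guide or the KKDCP component; the function name Test-KkdcpStatus and the follow-up TCP probe to the reported KDC address are assumptions, and the sample input is the response shown in this guide.

```powershell
# Added example (hypothetical helper; not part of the MAG/KKDCP installation).
function Test-KkdcpStatus {
    param(
        [string]$StatusUrl = 'http://localhost:2040/kerberosproxy/status',
        [string]$StatusJson  # optional: evaluate a saved response instead of querying the URL
    )
    function New-Result($healthy, $reason, $kdc) {
        [pscustomobject]@{ Healthy = $healthy; KdcServer = $kdc; Reason = $reason }
    }
    if (-not $StatusJson) {
        try {
            $StatusJson = (Invoke-WebRequest -Uri $StatusUrl -UseBasicParsing -TimeoutSec 10).Content
        } catch {
            return New-Result $false "KKDCP did not answer on $StatusUrl ($($_.Exception.Message))" $null
        }
    }
    try { $status = $StatusJson | ConvertFrom-Json } catch {
        return New-Result $false 'Response is not valid JSON' $null
    }
    if ($null -eq $status.kdcServer -or $status.kdcAccessible -isnot [bool]) {
        return New-Result $false 'Response lacks kdcServer/kdcAccessible' $null
    }
    if ($status.kdcAccessible) {
        return New-Result $true 'KKDCP is running and reports the KDC as accessible' $status.kdcServer
    }
    # KKDCP is up but cannot reach the KDC: probe the same host:port over TCP from this server.
    # kdcServer is "host:port"; the host may end in a dot (fully qualified name).
    $kdcHost, $kdcPort = $status.kdcServer -split ':(?=\d+$)'
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($kdcHost, [int]$kdcPort)
        $hint = 'TCP connect from this server succeeds; review the Realm / KDC server IP settings'
    } catch {
        $hint = "TCP connect from this server fails: $($_.Exception.GetBaseException().Message)"
    } finally { $tcp.Close() }
    New-Result $false "KKDCP reports the KDC as not accessible. $hint" $status.kdcServer
}

# Constructed sample input: the healthy response shown in this guide.
$sample = '{ "kdcServer":"internal-dc01.internal.local.:88", "kdcAccessible":true }'
Test-KkdcpStatus -StatusJson $sample | Format-List
```

Called without -StatusJson on the Endpoint server, the function queries the local status URL itself.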
Appendix: Outbound Proxies using PAC Files
For Windows
If you are accessing outbound proxies through the MAG that use a PAC file and also require authentication, then you will
need to perform the following steps:
1. In Windows Explorer, navigate to \AirWatch\MobileAccessGateway\bin.
2. Run proxy-tools.
4. Enter 1 for Basic and 2 for NTLM authentication using a single service account.
5. Enter the domain, username and password according to your service account credentials for the outbound proxy
configured in your environment.
Finding Additional Documentation
Note: It is always recommended you pull the document from AirWatch Resources each time you need to reference it.
To search for and access additional documentation via the AirWatch Resources page, perform the following step-by-step
instructions:
1. Navigate to http://my.air-watch.com and log in using your AirWatch ID credentials.
2. Select AirWatch Resources from the navigation bar or home screen. The AirWatch Resources page displays with a list
of recent documentation and a list of Resources Categories on the left.
3. Select your AirWatch Version from the drop-down list in the search parameters to filter a displayed list of documents.
Once selected, you will only see documentation that pertains to your particular version of AirWatch.
• Search for a particular resource using the search box in the top-right by entering keywords or document names.
• Add a document to your favorites and it will be added to My Resources. Access documents you have favorited
by selecting myAirWatch from the navigation bar and then selecting My Resources from the toolbar.
• Download a PDF of a document by selecting the button. Note, however, that documentation is frequently
updated with the latest bug fixes and feature enhancements. Therefore, it is always recommended you pull the
document from AirWatch Resources each time you need to reference it.
Having trouble finding a document? Make sure a specific AirWatch Version is selected. All Versions will typically
return many results. Make sure you select Documentation from the category list, at a minimum. If you know which
category you want to search (e.g., Platform, Install & Architecture, Email Management) then selecting that will also
further narrow your search and provide better results. Filtering by PDF as a File Type will also narrow your search
even further to only include technical documentation manuals.