AirWatch v8.2
Have documentation feedback? Email docfeedback@air-watch.com. Note that if you require assistance from AirWatch
Support you should contact support@air-watch.com.
2015 VMware, Inc. All rights reserved.
This document, as well as the software described in it, is furnished under license. The information in this manual may only be used in accordance with the terms of the license. This
document should not be reproduced, stored or transmitted in any form, except as permitted by the license or by the express permission of AirWatch, LLC.
All other marks and names mentioned herein may be trademarks or trade names of their respective companies.
AirWatch Mobile Access Gateway Installation Guide for Windows for On-Premise Customers | v.2015.11 | November 2015
Copyright 2015 VMware, Inc. All rights reserved. Proprietary & Confidential.
Revision Table
The following table displays revisions to this guide since the release of AirWatch v8.2.
Date | Reason
November 2015 | Initial upload.
Table of Contents
Chapter 1: Overview
Introduction to Mobile Access Gateway Installation for Windows
In This Guide
Terminology
Getting Started
Prerequisites for MAG Proxy/Content Connectivity for On-Premise Environments
SSL Offloading
Kerberos KDC Proxy Support
Outbound Proxies using PAC Files
Chapter 1: Overview
Introduction to Mobile Access Gateway Installation for Windows
In This Guide
Terminology
Getting Started
Prerequisites for MAG Proxy/Content Connectivity for On-Premise Environments
In This Guide
• MAG Installation Preparation: Perform some preliminary steps to ensure a smooth installation of the MAG.
• MAG Proxy/Content Installation for a Relay-Endpoint Configuration on Windows: Run the MAG installer for a relay-endpoint configuration.
• MAG Proxy/Content Installation for a Basic Configuration on Windows: Run the MAG installer for a basic (endpoint only) configuration.
• Appendix SSL Offloading: Read more about how to enable SSL Offloading for the MAG.
• Appendix Upgrading the MAG: Read more about how to upgrade the MAG from one version to the next.
• Appendix Kerberos KDC Proxy Support: Read more about enabling Kerberos authentication functionality.
• Appendix Outbound Proxies using PAC Files: Read more about steps you should follow if you are accessing outbound proxies through the MAG that use a PAC file and also require authentication.
Terminology
Reading over the following terminology as it relates to the various components of the MAG will help aid your
understanding of the technology.
• MAG: Mobile Access Gateway. The generic term for the two components that comprise it: Proxy and Content.
• Proxy: The MAG component that handles securing traffic between an end-user device and a website via the AirWatch Browser mobile app.
• Content: The MAG component that handles securing end-user access to corporate resources such as a file server via the AirWatch Content Locker mobile app.
Getting Started
• Note the following distinction between on-premise and SaaS deployments:
  o On-premise refers to AirWatch deployments where your organization hosts all AirWatch components and servers on its internal networks.
  o SaaS refers to AirWatch deployments where certain AirWatch components, such as the Console and API servers, are hosted in the cloud by AirWatch.
  Ensure you are using the correct version of this guide. There are two: one for on-premise, and one for SaaS.
• Before continuing with MAG installation, ensure AWCM is configured and operational. If you are an on-premise customer, refer to the AWCM Guide, available via AirWatch Resources, for instructions on how to configure AWCM before installing the MAG.
• Ensure you have performed all the necessary preliminary steps in MAG Installation Preparation.
Note: The requirements listed here support basic data query. You may
require additional server space if your use case involves the
transmission of large encrypted files from a content repository.
General Requirements
Status Checklist | Requirement | Notes
[ ] | Ensure that you have remote access to the servers that AirWatch is installed on | Recommended to set up Remote Desktop Connection Manager for multiple server management; you can download the installer from: http://www.microsoft.com/en-us/download/confirmation.aspx?id=21101
[ ] | Installation of Notepad++ (Recommended) | You can download the installer from: http://download.tuxfamily.org/notepadplus/6.5.1/npp.6.5.1.Installer.exe
Software Requirements
Status Checklist | Requirement | Notes
[ ] | Windows Server 2008 R2 or Windows Server 2012 or Windows Server 2012 R2 |
[ ] | Install Role from Server Manager | IIS 7.0 (Server 2008 R2); IIS 8.0 (Server 2012 or Server 2012 R2); IIS 8.5 (Server 2012 R2 only)
[ ] | Install .NET Framework 4.5.2 | The installer will install this version of .NET provided the server has Internet access. Otherwise, download and manually install it.
[ ] | Install 64-bit Java Runtime Environment version 7 or greater | Download from https://java.com/en/download/index.jsp. Note: Ensure 32-bit Java is not installed.
[ ] | Internally registered DNS | Register the MAG relay (If Relay-Endpoint) or register the MAG Endpoint (If Endpoint only)
[ ] | Externally registered DNS | Register the MAG relay (If Relay-Endpoint) or register the MAG Endpoint (If Endpoint only)
[ ] | SSL Certificate from trusted third party with Subject or Subject Alternative name of DNS | Ensure SSL certificate is trusted by all device types being used (i.e. not all Comodo certificates are natively trusted by Android).
[ ] | IIS 443 Binding with the same SSL certificate | Validate that you can connect to the server over HTTPS (https://yourAirWatchDomain.com). At this point, you should see the IIS splash page.
[ ] | Ensure the AWCM SSL certificate's Intermediate and Root CA certificate are in the Java CA Keystore on the MAG server | Use the Command Line Utility on the MAG server to enter the following:
      keytool -list -v -keystore $JAVA_HOME\jre\lib\security\cacerts
      OR
      Use the GUI tool (free) here: http://portecle.sourceforge.net/
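The last requirement above (AWCM's intermediate and root CA certificates present in the Java CA keystore) can be checked mechanically instead of by reading the keytool listing. The following PowerShell function is an added example, not part of the AirWatch guide or product; it assumes JAVA_HOME is set, that the keystore still uses the JRE default password "changeit", and that the host and port you pass are those of your own AWCM server.

```powershell
# Added example (not AirWatch code). Compares the CA certificates in the AWCM
# TLS chain with the entries in the Java CA keystore used on the MAG server.
# Assumptions: JAVA_HOME is set; keystore password is the JRE default.
function Test-AwcmCaInJavaKeystore {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$AwcmHost,
        [Parameter(Mandatory = $true)][int]$AwcmPort,
        [string]$Keystore  = (Join-Path $env:JAVA_HOME 'jre\lib\security\cacerts'),
        [string]$Keytool   = (Join-Path $env:JAVA_HOME 'bin\keytool.exe'),
        [string]$StorePass = 'changeit'
    )

    # 1. Collect the SHA-1 fingerprint of every keystore entry (colons removed,
    #    upper case) so it can be compared with .NET certificate thumbprints.
    $listing = & $Keytool -list -v -keystore $Keystore -storepass $StorePass 2>&1
    if ($LASTEXITCODE -ne 0) { throw "keytool failed: $($listing -join ' ')" }
    $javaPrints = @{}
    foreach ($line in $listing) {
        if ("$line" -match 'SHA1:\s*([0-9A-Fa-f:]+)') {
            $javaPrints[($Matches[1] -replace ':', '').ToUpper()] = $true
        }
    }

    # 2. TLS handshake with AWCM. The callback records the chain Windows built
    #    and returns $true so that an untrusted chain can still be inspected;
    #    no application data is sent. Platform default TLS versions are used.
    $state = @{ Errors = $null; Chain = @() }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        $state.Chain  = @($chain.ChainElements | ForEach-Object {
            New-Object psobject -Property @{
                Subject    = $_.Certificate.Subject
                Thumbprint = $_.Certificate.Thumbprint.ToUpper()
            }
        })
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($AwcmHost, $AwcmPort)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($AwcmHost)
        $ssl.Dispose()
    }
    finally {
        $tcp.Close()
    }

    # 3. Element 0 is the AWCM server certificate; the rest are its intermediate
    #    and root CAs. A one-element chain means the certificate is self-signed
    #    or Windows could not find its issuer, so that certificate is checked.
    if ($state.Chain.Count -gt 1) {
        $toCheck = @($state.Chain | Select-Object -Skip 1)
    }
    else {
        Write-Warning 'No issuing CA found in the chain; checking the server certificate itself.'
        $toCheck = @($state.Chain)
    }
    foreach ($ca in $toCheck) {
        New-Object psobject -Property @{
            Subject          = $ca.Subject
            Sha1             = $ca.Thumbprint
            InJavaKeystore   = $javaPrints.ContainsKey($ca.Thumbprint)
            WindowsTlsErrors = "$($state.Errors)"
        }
    }
}

# Example call (host name and port are placeholders for your AWCM server):
# Test-AwcmCaInJavaKeystore -AwcmHost 'awcm.example.com' -AwcmPort 443 |
#     Format-Table Subject, Sha1, InJavaKeystore, WindowsTlsErrors -AutoSize
```

Any row with InJavaKeystore set to False names a CA certificate that still has to be imported into cacerts. The chain is the one Windows builds, so a root CA that is missing from the Windows certificate stores will not appear in the output.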
Note: For configuring the ports listed below, all traffic is uni-directional (outbound) from the source component to
the destination component.
Network Requirements
Note: If you plan on using the MAG/AirWatch Tunnel Content component to connect to network file shares, then it is
required that either the Endpoint be on the same domain as the NFS or, if the MAG/AirWatch Tunnel is on a different
domain, it must have domain trust with the domain of the NFS.
2. For the MAG to query the AirWatch Admin Console for compliance and tracking purposes.
3. For devices with the AirWatch Content Locker to access internal content from websites, such as SharePoint.
4. For devices with the AirWatch Browser to access internal websites/web applications.
5. For devices with app tunnel; enables applications to communicate with internal systems.
Note: If a firewall resides between the MAG Endpoint and an internal system you are trying to reach, then you
will have to open the corresponding port depending on the traffic. For example, Windows Network File Shares
require ports 135 through 139 and 445 to be open in order to access content on Windows file shares.
6. For MAG Relay topologies to forward device requests to the internal MAG endpoint only.
7. The MAG needs to communicate with the API for initialization. The API server is generally hosted on the AirWatch
Admin Console Server or can be a separate server. Ensure there is connectivity between this server and the MAG
server.
8. For the Device Services server to enumerate the repositories via the content relay and convert them into a format
devices can use.
9. For the Console server to enumerate the repositories via the content relay for viewing in the AirWatch Admin
Console.
10. For devices with the AirWatch Content Locker to access internal content from Network Shares.
Chapter 2: Installation Preparation
Overview
Performing Preliminary Installation Steps
Overview
Before installing the server within your network, you must ensure your environment meets all the requirements, and
then prepare for installation by downloading the installation files.
Notes:
• Before you begin installing AirWatch Tunnel, ensure that AWCM is installed correctly, running, and communicating with AirWatch without any errors. For more information about configuring AWCM, refer to the AirWatch AWCM Guide.
• AirWatch recommends you do not configure AirWatch Tunnel at the Global organization group level.
1. Navigate to Groups & Settings > All Settings > System > Advanced > Site URLs in the AirWatch Admin Console.
3. Select Save.
4. Navigate to Groups & Settings > All Settings > System > Advanced > Device Root Certificate and verify the device
root certificate exists. If it does not exist, click the Override radio button and generate the root device certificate.
5. Navigate to Groups & Settings > All Settings > System > Advanced > API > REST API and click the Override radio
button.
6. Ensure the Enable API Access check box is selected and an API Key is displayed in the field highlighted above.
7. Click Save.
Chapter 3: Configure MAG Proxy/Content
Overview
Configuring MAG Settings
Configuring Advanced Settings
Overview
Perform the following configuration procedure to access the MAG Windows installer, which will let you download and
install the MAG Content and Proxy components.
Configuring MAG Settings
1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > AirWatch Tunnel.
If this is your first time configuring MAG, then select Configure and follow the configuration wizard screens.
Otherwise, select the Override radio button, ensure the Enable Mobile Access Gateway check box is selected, and
then select Configure to configure the following settings.
2. On the Configuration Type screen, select Proxy and Content, since Per-App Tunnel is not available for a MAG for
Windows deployment. In the drop-down that displays, select whether you are configuring a Relay-Endpoint or Basic
MAG deployment. Selecting the information icon will show you an example for the selected type.
3. Select Next.
Note: When entering the Host Name, do not include protocol (http://, https://, etc.).
Setting | Description
Relay Port (HTTPS) | The default, recommended value is 2020. The port number automatically assigned for HTTPS communication with the MAG.
Relay-Endpoint Port | The default, recommended value is 2010. This field only displays if you selected Relay-Endpoint as your configuration type. This is the port used for traffic between the MAG relay and MAG endpoint. Note that you should not use port 80, because IIS, which is required for MAG installation, will already be bound to port 80.
Use Kerberos Proxy | Enabling Kerberos proxy support will allow access to Kerberos authentication, typically only available inside the corporate network, for target backend web services. Note that this does not currently support Kerberos Constrained Delegation (KCD). For more information, see Appendix Kerberos KDC Proxy Support. Note: The Endpoint server needs to be on the same domain as KDC for the Kerberos Proxy to successfully communicate with the KDC.
Realm | Enter the domain of the KDC server.
CONTENT CONFIGURATION
Relay URL | This field only displays if you selected Relay-Endpoint as your configuration type. The URL used to access the MAG Content Repository Relay from the Internet. Typically the same as the hostname field but with an HTTP/HTTPS protocol. For example: HTTPS://magrelay.acme.com.
Relay Port | This field only displays if you selected Relay-Endpoint as your configuration type. Enter the port to be used for traffic to and from the content repository.
Relay-Endpoint Port | This field only displays if you selected Relay-Endpoint as your configuration type. This is the port used for traffic between the MAG relay and MAG endpoint. Note that you should not use port 80, because IIS, which is required for MAG installation, will already be bound to port 80.
Content Repository URL / Endpoint URL | Enter the FQDN (absolute domain name) of the MAG endpoint.
Content Repository / Relay-Endpoint Port | Enter the port to be used for traffic to and from the content repository.
5. Select Next.
7. Select Next.
Note: The CA template must contain the following field in the subject name: CN=UDID.
Supported CAs are ADCS, RSA and SCEP. For more information about integrating with your
certificate provider, please see the certificate management documentation for your CA,
available via AirWatch Resources in the Certificate Management section.
9. Select Next.
10. On the Miscellaneous screen, you can configure whether to enable access logs for the Proxy component.
You must enable this log before you install AirWatch Tunnel. For more information on these settings, refer to the
Access Logs and Syslog Integration and Configuring Advanced Settings sections.
11. Review the summary of your MAG configuration and select Save. You are navigated back to the MAG Configuration
page.
12. If you plan to install the MAG on an SSL offloaded server, click Export MAG Certificate from the AirWatch Admin
Console once the certificate has been generated. Then, import the certificate on the server performing SSL offload.
(This server can be a load balancer or reverse proxy.)
13. Select the General tab and then select the Download Windows Installer hyperlink. This downloads a single .exe file
used for installation of both a relay server and endpoint.
Note: If you want to enable Access Logs using syslog, then you need to enable this via the Advanced tab before
you download and run the installer. See Access Logs and Syslog Integration for more information.
14. Enter and confirm a certificate password and then click Download.
Note: The MAG password must contain a minimum of six characters and will be used during installation.
16. Continue with the steps for MAG Proxy/Content Installation for a Relay-Endpoint Configuration on Windows or
MAG Proxy/Content Installation for a Basic (Endpoint only) Configuration on Windows, depending on the
configuration you selected.
Note: You must enable this before you install any of the components. Any changes you
make to the access logs configuration on the AirWatch Admin Console require re-installation
of the AirWatch Tunnel server.
Syslog Host | This setting displays after you select Enable Access Logs. Enter the URL of your syslog host.
Port | This setting displays after you select Enable Access Logs. Enter the Port over which you wish to communicate with the syslog host.
3. If applicable, configure the following Kerberos Proxy settings, which will display if you selected to Use Kerberos Proxy
during MAG / AirWatch Tunnel configuration. If the realm info you entered during configuration does not work
properly, you have the option of entering the KDC IP address here, which will override the information you provided
during configuration.
Setting | Description
KDC Server IP | This field will only display if you selected to Use Kerberos Proxy during MAG / AirWatch Tunnel configuration. Enter your KDC Server IP address.
Kerberos Proxy Port | This field will only display if you selected to Use Kerberos Proxy during MAG / AirWatch Tunnel configuration. Enter the port over which MAG / AirWatch Tunnel will communicate with your Kerberos Proxy.
Setting | Description
Log Level | Set the appropriate logging level, which will determine how much data is reported to the .log files.
Enable Access Logs | Enable this setting to tell the AirWatch Tunnel to write access logs to syslog for any of your own purposes. These logs are not stored locally; they are pushed to the syslog host over the port you define. There is no correlation between this syslog integration and the integration accessed via Groups & Settings > All Settings > System > Enterprise Integration > Syslog. Note: You must enable this before you install any of the components. Any changes you make to the access logs configuration on the AirWatch Admin Console require re-installation of the AirWatch Tunnel server.
Syslog Host | This setting displays after you select Enable Access Logs. Enter the URL of your syslog host.
Port | This setting displays after you select Enable Access Logs. Enter the Port over which you wish to communicate with the syslog host.
5. If applicable, configure the following Relay - Endpoint Authentication Credentials settings, which are used for
authentication between the two servers. These fields will be pre-populated for you after configuration, but you can
change them, for example, to meet your organization's password strength requirements.
Setting | Description
Username | Enter the username used to authenticate the relay and endpoint servers.
Password | Enter the password used to authenticate the relay and endpoint servers.
6. Select Save.
Note: After modifying any of these settings, you must restart the MAG service for the changes to take effect.
Chapter 4: MAG Proxy/Content Installation for a Relay-Endpoint Configuration on Windows
Overview
Before You Install
Installing the MAG
Overview
Perform the following steps to install the MAG for a Relay-Endpoint configuration, which you can view below. Verify the
presence of IIS and install Java on the MAG server as needed, as noted in the Requirements section.
Note: Before you begin, ensure the server you are installing MAG on can reach AWCM by browsing to
"https://{url}:<port>/awcm/status", where <port> is the configurable external port for AWCM. You should see the status of
the AWCM with no SSL errors. If there are errors, resolve them before continuing or the MAG will not properly
function.
For more information about the supported MAG configurations and deployment models, refer to the AirWatch Mobile
Access Gateway Admin Guide, available via AirWatch Resources.
Relay Server
1. Open the installer executable on the Relay MAG server and then click Next. For Relay-Endpoint configurations, you
must perform MAG installation on both the Relay and Endpoint servers. The steps below assume you are first
installing it on the Relay server.
Note: If a previous version of MAG is installed, the installer auto-detects it and offers the option to upgrade to
the latest version.
2. Accept the End User License Agreement and then click Next.
3. Specify the destination for the downloaded MAG installation files and then click Next.
4. Select the Relay button to first install MAG on the Relay server.
5. Select Is this server SSL Offloaded? if you are setting up a reverse proxy configuration with SSL Offloading. For more
information see the Appendix SSL Offloading section.
6. Select Next.
7. Enter the Certificate Password you created in the AirWatch Admin Console and then click Next.
8. Select the Target Site in which the AirWatch application should be installed using the drop-down menu and then click
Next.
If Windows Firewall is turned on, you may receive the following dialog indicating that certain profiles are enabled. In
this case, please ensure the necessary MAG ports, which include both the ones you configured in the AirWatch
Admin Console and the default IIS website port you are using to access content, are allowed in the Windows Firewall
settings.
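To confirm that the required ports are covered, on the Relay server and later on the Endpoint server, the enabled inbound allow rules can be listed per port. This PowerShell function is an added example, not part of the AirWatch guide or installer; it assumes Windows Server 2012 or later (the NetSecurity cmdlets are not available on Server 2008 R2), and its default port list uses the values named in this guide (443 for the IIS binding, 2020 and 2010 as the recommended MAG ports), which you should replace with the ports you actually configured.

```powershell
# Added example (not AirWatch code). Reports, for each MAG port, whether an
# enabled inbound allow rule covers it. Requires the NetSecurity module
# (Windows Server 2012 or later). Default ports are the values named in the
# guide; pass -Ports with the values configured in the Admin Console.

# Returns $true when a firewall LocalPort specification ('Any', '443',
# '2000-2100', or a list of these) includes the given port.
function Test-PortInSpec {
    param([string[]]$Spec, [int]$Port)
    foreach ($s in $Spec) {
        if ($s -eq 'Any') { return $true }
        if ($s -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($s -match '^\d+$' -and [int]$s -eq $Port) { return $true }
    }
    return $false
}

function Get-MagFirewallCoverage {
    param([int[]]$Ports = @(443, 2020, 2010))

    # Profiles that are switched on (the installer dialog refers to these).
    $activeProfiles = @(Get-NetFirewallProfile |
        Where-Object { $_.Enabled -eq 'True' } |
        ForEach-Object { $_.Name })

    # Enabled inbound allow rules that filter on TCP (or any protocol),
    # gathered once with their port filters.
    $candidates = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ("$($filter.Protocol)" -in 'TCP', '6', 'Any') {
            [pscustomobject]@{
                Name      = $rule.DisplayName
                Profile   = $rule.Profile
                LocalPort = @($filter.LocalPort)
            }
        }
    }

    foreach ($port in $Ports) {
        $hits = @($candidates | Where-Object { Test-PortInSpec -Spec $_.LocalPort -Port $port })
        [pscustomobject]@{
            Port           = $port
            HasAllowRule   = $hits.Count -gt 0
            Rules          = ($hits | ForEach-Object { "$($_.Name) [$($_.Profile)]" }) -join '; '
            ActiveProfiles = $activeProfiles -join ','
        }
    }
}

# Example call with the guide's default ports:
# Get-MagFirewallCoverage | Format-Table -AutoSize -Wrap
```

A port with HasAllowRule set to False needs a rule before devices or the relay can reach it. The function does not evaluate block rules or program and address restrictions on a matching rule, so a True result still deserves a look at the listed rules and the profiles they apply to.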
Endpoint Server
1. Open the installer executable on the Endpoint MAG server and then click Next.
Note: If a previous version of MAG is installed, the installer auto-detects it and offers the option to upgrade to
the latest version.
2. Accept the End User License Agreement and then click Next.
3. Specify the destination for the downloaded MAG installation files and then click Next.
5. Select the check box to indicate if MAG will use an outbound proxy. If so, enter the address of the Proxy Host and
Proxy Port number to be used for communication. If the proxy requires authentication, first select the Does the
proxy require authentication credentials? checkbox, then select whether it uses Basic or NTLM authentication, then
specify the Username and Password credentials.
6. Specify whether you are using Proxy auto-configuration (PAC) files as part of your MAG installation. A PAC file is a
set of rules that a browser checks to determine where traffic gets routed. For MAG, traffic is checked against the PAC
file to determine if it has to go through an outbound proxy. If you have authentication for PAC files, then the MAG
must know the username and password of the proxy. You can reference a PAC file on a remote server by providing the
PAC URL or Upload a PAC file directly.
Note: If you are accessing outbound proxies through the MAG that use a PAC file and also require authentication,
then refer to Appendix: Outbound Proxies using PAC Files.
7. Enter the Certificate Password you created in the AirWatch Admin Console and then click Next.
8. Select the Target Site in which the AirWatch application should be installed using the drop-down menu and then click
Next.
If Windows Firewall is turned on, you may receive the following dialog indicating that certain profiles are enabled. In
this case, please ensure the necessary MAG ports, which include both the ones you configured in the AirWatch
Admin Console and the default IIS website port you are using to access content, are allowed in the Windows Firewall
settings.
Verify Installation
Review the activity found in the .log file created by the MAG installer to verify successful MAG installation. The file can be
found in the same destination folder where the installer executable was initially downloaded. Additionally, select Test
Connection on the MAG configuration page (Groups & Settings > All Settings > System > Enterprise Integration >
AirWatch Tunnel) in the AirWatch Admin Console to verify the installation. This page will tell you MAG version info,
connectivity to the MAG via HTTP/S, and certificate chain and content endpoint validation.
Note for on-premise customers: If you are an on-premise customer and your AirWatch Console server is installed on
the internal network, then you may see a failed connection for the "Console To" line items. This is the expected behavior
when the Console server does not have access to the MAG Relay server in the DMZ and will not affect
MAG functionality.
At this time you can also review the Advanced MAG settings.
Chapter 5: MAG Proxy/Content Installation for a Basic (Endpoint only) Configuration on Windows
Overview
Before You Install
Installing MAG for Basic (Endpoint only) Configurations
Overview
Perform the following steps to install the MAG for a Basic configuration, which you can view below. Verify the presence of
IIS and install Java on the MAG server as needed, as noted in the Requirements section.
Note: Before you begin, ensure the server you are installing MAG on can reach AWCM by browsing to
"https://{url}:<port>/awcm/status", where <port> is the configurable external port for AWCM. You should see the status of
the AWCM with no SSL errors. If there are errors, resolve them before continuing or the MAG will not properly
function.
For more information about the supported MAG configurations and deployment models, refer to the AirWatch Mobile
Access Gateway Admin Guide, available via AirWatch Resources.
Note: If a previous version of MAG is installed, the installer auto-detects it and offers the option to upgrade to
the latest version.
2. Accept the End User License Agreement and then click Next.
3. Specify the destination for the downloaded MAG installation files and then click Next.
4. Select the check box to indicate if MAG will use an outbound proxy. If so, enter the address of the Proxy Host and
Proxy Port number to be used for communication. If the proxy requires authentication, first select the Does the
proxy require authentication credentials? checkbox, then select whether it uses Basic or NTLM authentication, then
specify the Username and Password credentials.
5. Specify whether you are using Proxy auto-configuration (PAC) files as part of your MAG installation. A PAC file is a
set of rules that a browser checks to determine where traffic gets routed. For MAG, traffic is checked against the PAC
file to determine if it has to go through an outbound proxy. If you have authentication for PAC files, then the MAG
must know the username and password of the proxy. You can reference a PAC file on a remote server by providing the
PAC URL or Upload a PAC file directly.
Note: If you are accessing outbound proxies through the MAG that use a PAC file and also require authentication,
then refer to Appendix: Outbound Proxies using PAC Files.
6. Enter the Certificate Password you created in the AirWatch Admin Console and then click Next.
7. Select the Target Site in which the AirWatch application should be installed using the drop-down menu and then click
Next.
If Windows Firewall is turned on, you may receive the following dialog indicating that certain profiles are enabled. In
this case, ensure that the necessary MAG ports, which include both the ones you configured in the AirWatch
Admin Console and the default IIS website port you are using to access content, are allowed in the Windows Firewall
settings.
Verify Installation
Review the activity found in the .log file created by the MAG installer to verify successful MAG installation. The file can be
found in the same destination folder where the installer executable was initially downloaded. Additionally, select Test
Connection on the MAG configuration page (Groups & Settings > All Settings > System > Enterprise Integration >
AirWatch Tunnel) in the AirWatch Admin Console to verify the installation. This page will tell you MAG version info,
connectivity to the MAG via HTTP/S, and certificate chain and content endpoint validation.
Note for on-premise customers: If you are an on-premise customer and your AirWatch Console server is installed on
the internal network, then you may see a failed connection for the Console To line items. This is the expected behavior
when the Console server does not have access to the MAG endpoint in the DMZ and will not affect MAG functionality.
At this time you can also review the Advanced MAG settings.
Chapter 6:
Managing MAG
Overview
Upgrading the Component
Access Logs and Syslog Integration
SSL Offloading
Kerberos KDC Proxy Support
Outbound Proxies using PAC Files
Overview
The following topics cover various management tasks you can perform for the AirWatch Mobile Access Gateway once it is
installed. This includes traffic management, uninstallation, and upgrades.
2. Select the General tab and then select the Download Windows Installer hyperlink.
4. Continue with the steps for MAG Installation for a Relay-Endpoint Configuration or MAG Installation for a Basic
(Endpoint only) Configuration.
Note: You must enable this before you install any of the components. Any changes you make to the access logs
configuration on the AirWatch Admin Console require re-installation of the AirWatch Tunnel server.
Most Linux servers by default have support for syslog. To enable a Linux server to act as syslog host, navigate to
rsyslog.conf:
vi /etc/rsyslog.conf
SSL Offloading
Overview
When accessing HTTP endpoints using HTTP Tunneling, all HTTP traffic is encrypted and authenticated using an
SSL certificate and sent over port 2020 as HTTPS. You can perform SSL Offloading with products such as F5's BIG-IP Local
Traffic Manager (LTM), or Microsoft's Unified Access Gateway (UAG), Threat Management Gateway (TMG) or Internet
Security and Acceleration Server (ISA) solutions. While these are common solutions, support is not exclusive to these.
MAG/AirWatch Tunnel is compatible with general SSL Offloading solutions provided that the solution supports the HTTP
CONNECT method. The following diagram illustrates how SSL Offloading affects traffic in a Relay-Endpoint configuration.
2. The traffic hits an SSL Termination Proxy (customers use their own SSL termination proxy), which must contain the
AirWatch certificate exported from the AirWatch Admin Console or your organization's own public certificate.
• Requests to HTTP endpoints over the port you configure have their SSL certificate offloaded and sent to the
Relay unencrypted over port 2020.
• Requests to HTTPS endpoints over the port you configure are unaffected and continue to the Relay over port
2020.
3. The traffic continues from the Relay to the Endpoint on a port you configure.
4. The Endpoint communicates with your backend systems to access the requested content or resources.
Enabling SSL Offloading
To enable SSL Offloading, ensure the SSL Offloading setting is selected/enabled during installation for the Relay server.
This informs the Relay to expect to receive all traffic on the port you configured.
MAG/AirWatch Tunnel Proxy supports Kerberos authentication in the requesting application. This new component,
Kerberos KDC proxy (KKDCP), gets installed on the endpoint server. AirWatch KKDCP acts as a proxy to your internal KDC
server. AirWatch-enrolled and compliant devices with a valid AirWatch issued identity certificate can be allowed to access
your internal KDC. For a client application to authenticate to Kerberos-enabled resources, all of the Kerberos requests
need to be passed through KKDCP. The basic requirement for Kerberos authentication is to make sure you install the
Endpoint with Kerberos proxy enabled during configuration in a network where it can access the KDC server.
Note: Currently, this functionality is only supported with the AirWatch Browser v2.5 and higher for Android.
1. During the configuration, check the box Use Kerberos proxy and enter the Realm of the KDC server.
2. If the Realm is not reachable then you can configure the KDC server IP on the Advanced settings tab in system
settings.
Note: Only add the IP if the Realm is not reachable, as it will take precedence over the Realm value entered in the
configuration.
Note: By default the Kerberos proxy server uses port 2040, which is internal only, hence no firewall changes are
required to have external access over this port.
On Windows, once the MAG is installed you will see that a new Windows service called AirWatch Kerberos Proxy has
been added.
4. Enable Kerberos from the SDK settings in the AirWatch Admin Console so the requesting application is aware of the
KKDCP. To do this, navigate to Groups & Settings > All Settings > Apps > Settings And Policies and select Security
Policies. Under Integrated Authentication, select Enable Kerberos. Save the settings.
Note: Outbound proxies using PAC files are supported for the Proxy component.
3. Select your authentication method, which can be None, Basic, or NTLM for a single service account. Also enter your
credentials, if applicable, and the URI of the proxy for testing.
4. Select Save.
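The routing decision a PAC file encodes, as described in the installation steps, shown as an added example that is not taken from the AirWatch documentation: a constructed PAC file that keeps internal hosts direct and sends everything else to the outbound proxy. The proxy address, the internal domain and the Node.js stand-ins for the PAC built-ins are assumptions for illustration.

```javascript
// Stand-ins for two PAC built-ins so the rules run under Node.js.
// A real PAC host supplies these; leave them out of the deployed file.
function isPlainHostName(host) { return host.indexOf('.') === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Constructed values (assumptions): substitute your own proxy and domain.
var OUTBOUND_PROXY = 'PROXY proxy.example.com:8080';
var INTERNAL_DOMAIN = 'corp.example.com';

// True only for dotted-quad literals in loopback or RFC 1918 ranges.
// A glob such as shExpMatch(host, "10.*") would also match the public
// name "10.example.net", so the octets are parsed instead.
function isPrivateIPv4Literal(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var o = m.slice(1).map(Number);
  if (o.some(function (n) { return n > 255; })) return false;
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase().replace(/\.$/, ''); // normalise case, trailing dot
  // Internal names go direct. The leading dot on the suffix keeps
  // "notcorp.example.com" from matching "corp.example.com".
  if (isPlainHostName(host) || host === INTERNAL_DOMAIN ||
      dnsDomainIs(host, '.' + INTERNAL_DOMAIN)) {
    return 'DIRECT';
  }
  if (isPrivateIPv4Literal(host)) return 'DIRECT';
  // Everything else uses the outbound proxy. No "; DIRECT" fallback is
  // listed, so there is no direct route if the proxy is unreachable.
  return OUTBOUND_PROXY;
}
```

Reviewing the PAC file for overly broad DIRECT rules before uploading it or publishing it at the PAC URL keeps external traffic from bypassing the outbound proxy.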
Finding Additional Documentation
Note: It is always recommended you pull the document from AirWatch Resources each time you need to reference it.
To search for and access additional documentation via the AirWatch Resources page, perform the following step-by-step
instructions:
1. Navigate to http://my.air-watch.com and log in using your AirWatch ID credentials.
2. Select AirWatch Resources from the navigation bar or home screen. The AirWatch Resources page displays with a list
of recent documentation and a list of Resources Categories on the left.
3. Select your AirWatch Version from the drop-down list in the search parameters to filter a displayed list of documents.
Once selected, you will only see documentation that pertains to your particular version of AirWatch.
• Search for a particular resource using the search box in the top-right by entering keywords or document names.
• Add a document to your favorites and it will be added to My Resources. Access documents you have favorited
by selecting myAirWatch from the navigation bar and then selecting My Resources from the toolbar.
• Download a PDF of a document by selecting the button. Note, however, that documentation is frequently
updated with the latest bug fixes and feature enhancements. Therefore, it is always recommended you pull the
document from AirWatch Resources each time you need to reference it.
Having trouble finding a document? Make sure a specific AirWatch Version is selected. All Versions will typically
return many results. Make sure you select Documentation from the category list, at a minimum. If you know which
category you want to search (e.g., Platform, Install & Architecture, Email Management) then selecting that will also
further narrow your search and provide better results. Filtering by PDF as a File Type will also narrow your search
even further to only include technical documentation manuals.