AirWatch PoC Technical Architecture
A guide for selecting an AirWatch PoC Evaluation Architecture

© 2013 AirWatch, LLC. All Rights Reserved.

This document, as well as the software described in it, is furnished under license. The information in this manual may only be used in accordance with the terms of the license. This document should not be reproduced, stored or transmitted in any form, except as permitted by the license or by the express permission of AirWatch, LLC.
Other product and company names referenced in this document are trademarks and/or registered trademarks of their respective companies.

AirWatch PoC Technical Architecture | v.2013.06 | June 2013
Copyright 2013 AirWatch, LLC. All rights reserved. Proprietary & Confidential.

Table of Contents
Overview
Option 1: Pure Cloud
Option 2: Integrated Cloud
    Integrated Cloud - AirWatch Cloud Connector
    Integrated Cloud No DMZ
    Integrated Cloud DMZ Relay
    Integrated Cloud Reverse Proxy
Option 3: On-Premise Single Server Deployment
Option 4: On-Premise Multiple Server Deployment
Appendix

Overview
The AirWatch Enterprise Mobility Management (EMM) software can be deployed through a variety of cloud or on-premise options to meet an organization's security requirements and IT strategy. This document will outline each of the supported configurations and help determine the ideal AirWatch architecture for a successful PoC evaluation.
The below diagram displays four deployment options including both cloud and on-premise architectures.
Cloud On Premise
Benefits
- Fastest implementation with minimal client effort
- No significant investment in technology or services
- Minimal or no network changes required
- Automatic software updates
Considerations
- Integration with corporate resources
- Security / datacenter requirements

Option 1: Cloud
All devices and admin users point to AirWatch's cloud for device management. No software installed onsite.
Ideal for...
- Rapid Deployment
- No corporate infrastructure required
  - Does not integrate with corporate resources
Pages 4-5

Option 2: Integrated Cloud
All components in the cloud. Lightweight integration component installed on-premise for backend integration.
Ideal for...
- Cloud clients requiring enterprise integration for

*Note POC fees may apply for On-Premise Deployment

The remainder of this document defines the requirements for the architecture options described above. After choosing a deployment option from the descriptions above, review the following items for the desired deployment choice:
1. Architecture Diagram: high level design of all level dataflow.
2. Prerequisite Checklist: complete list of all software and hardware preparations required.
3. Network Requirements: a listing of any port and firewall requirements.

Option 1: Pure Cloud
Cloud configurations are best suited for clients who want to minimize effort and lead times for evaluating the software. This evaluation architecture can be set up in minutes but typically does not offer integration with backend resources due to client security requirements. Integration can easily be added later by installing the AirWatch Cloud Connector and/or Mobile Access Gateway (see Option 2: Integrated Cloud).
Architecture Diagram
Cloud Integration (Optional)

SAML

Office 365

Google Apps for Business


Prerequisite Checklist
There are no prerequisites necessary for this deployment option.
Network Requirements
Source
Component

Administrators

/ User Self
2
Service

3
4
5

6
Devices


Option 2: Integrated Cloud


This configuration is recommended for clients who wish to leverage the simplicity of cloud deployments but still integrate existing backend resources. Connecting to corporate resources is made simple with the AirWatch Cloud Connector (ACC), which can be installed on a small VM or physical server on-premise. The AirWatch Mobile Access Gateway (MAG) provides a secure gateway allowing devices to access corporate network resources. The ACC and MAG are not co-dependent and should be considered optional components, however most all MAG deployments include ACC.
AirWatch Integration Options
ACC
Certificates and PKI

Directory Services

Email Infrastructure

SIEM

Content Repositories ++
Corporate Intranet Access
Corporate App Tunnel (App VPN)
+ AirWatch's email attachment encryption feature requires the MAG (SEG component)
++ AirWatch's content repository sync with the Administrative Console requires the ACC.

Ideal for...

Integrated Cloud No DMZ
Ideal for...
- Clients without a DMZ infrastructure
- Fast implementation
- Minimal hardware / software on-site
Pages 11-13

Integrated Cloud DMZ Relay
Ideal for...
- Clients with an existing DMZ architecture
- Limited connections through DMZ firewall
Pages 14-16
Integrated Cloud - AirWatch Cloud Connector
Architecture Diagram
AirWatch Internal Server Includes:
- Cloud Connector
Prerequisite Checklist
Source

Hardware

2
Software

4
Firewall
Changes

Service
Accounts
Network Requirements
Source
Component
A

C
AirWatch
Internal Server
D

G
Administrators
/ User Self
Service

H
I
K

L
Devices

Integrated Cloud No DMZ
Architecture Diagram
AirWatch Internal Server Includes:
- AirWatch Cloud Connector
- AirWatch Secure Email Gateway
- Mobile Access Gateway

Prerequisite Checklist
Source

Hardware

2
3
Software

DNS

5
6
7
8
9

Certificates

10

Load
Balancer
Firewall
Changes

11
12

Service
Accounts
13
Network Requirements
Source
Component
A

C
AirWatch
Internal Server
D

G
Administrators
/ User Self
Service

H
I

AirWatch SaaS

K

L
M
Devices

O
Integrated Cloud DMZ Relay
Architecture Diagram
AirWatch DMZ Server Includes:
- Secure Email Gateway
- AirWatch Mobile Access Gateway Relay

AirWatch Internal Server Includes:
- Cloud Connector
- AirWatch Mobile Access Gateway Endpoint

Prerequisite Checklist
Source

Hardware

2
3
4
Software

5
6
7

8
9
10

DNS

11

Certificates

12

Load
Balancer
Firewall
Changes

13
14

Service
Accounts
15
Network Requirements
Source
Component
A
B
AirWatch DMZ
Server
C

D
AirWatch
Internal Server


G
/ User Self

H
I
AirWatch SaaS

J
K

L
M
Devices

O
Integrated Cloud Reverse Proxy
Architecture Diagram
AirWatch Internal Server Includes:
- AirWatch Cloud Connector
- AirWatch Secure Email Gateway
- Mobile Access Gateway

Prerequisite Checklist
Source

Hardware

2
3
4
Software

5
6
7
8
9

DNS

10

Certificates

11
12

Load
Balancer
Firewall
Changes

13
14

Service
Accounts
15
Network Requirements
Source
Component
A

B
AirWatch
Internal Server


E
Administrators
/ User Self
Service

F
G

AirWatch SaaS

H
I

J
K
Devices

M
Option 3: On-Premise Single Server Deployment
This configuration allows for simplified installation and maintenance for smaller deployments, while allowing for future scalability and flexibility for high availability. A single-server deployment allows for easy integration to enterprise services, as well as simplified control and validation over the entire environment. Single Server configurations are commonly deployed in DMZ architectures where the entire solution is installed on one physical or virtual server. WAF or TMG solutions are also commonly used to proxy internet-facing endpoints.
Architecture Diagram
AirWatch Internal Server Includes:


AirWatch Console
AirWatch Device Services
AirWatch Secure Email Gateway
Mobile Access Gateway

Prerequisite Checklist
Source

1
Hardware

2
3
4
5
6
7
8
9
10
11
DNS

12
13
14

Certificates

15
16

Firewall
Changes

17

Load
Balancer

18

Service
Accounts
19
Network Requirements
Source
Component

C
D

E
AirWatch
Internal Server
F

H
I
J

K
Administrators
/ User Self
Service

L
M


O
Devices

R
Option 4: On-Premise Multiple Server Deployment
A multi-server deployment is recommended for organizations managing a larger number of devices and/or those wanting to utilize a DMZ. In a setup using a DMZ, any of the AirWatch components actively communicating with devices should be placed outside of the organization's internal network. Several advantages of this configuration include:
- Increased security of external-facing services, such as the AirWatch Device Services component, Secure Email Gateway, and Mobile Access Gateway, by placing them in the network's DMZ to quarantine incoming traffic while preventing external visibility to internal resources.
Architecture Diagram
AirWatch DMZ Server Includes:

AirWatch Device Services

AirWatch Secure Email Gateway

AirWatch Mobile Access Gateway


AirWatch Internal Server Includes:

AirWatch Console Services

Cloud Connector
Prerequisite Checklist
Source

1

Hardware

3
4
5
6
7
8
9
10
11
11

DNS

Certificates

13

Load
Balancer
Firewall
Changes

14
15

Service
Accounts
16
Network Changes
Source
Component


B
C
D
AirWatch
Internal Server

E
F
G

H
I

J
K
L

M
AirWatch DMZ
Server
N
O
P
Q

R
Administrators
Self Service
Portal

S
T
U


V
W
Devices

Y

Appendix
The table below lists the required service accounts needed to integrate with backend enterprise services.
Source

#
1
2

Service
Accounts


8
9
10
Additional Notes

Apple APNs
From a device the following has to occur for a successful APNs connection: NSLookup gateway.push.apple.com for the TXT record; open connection to #courier.push.apple.com on port 5223, where # is the result returned from the TXT record on gateway.push.apple.com

Load Balancer
Load balancers are to be configured with a round robin load balancing mechanism and SSL session persistence of 15 minute sessions. SSL offloading supported for all services except API services. Load balancers are also recommended to redirect all HTTP requests to HTTPS. If offloading SSL, load balancer must forward secure cookies to and from the AirWatch servers.

Public DNS
External DNS needed for email proxy server
External DNS needed for AirWatch Device Services

Public Trusted SSL Cert
Matching public trusted SSL certs for the public DNS setup for the email proxy server and Device Services Server are required. These certs must be issued from a valid issuing authority (e.g. VeriSign, GeoTrust, GoDaddy, etc.)

Public IP
A public IP address to access the AirWatch email proxy server from the Internet (HTTPS)
A public IP address to access the AirWatch Device Services server from the Internet (HTTPS)

Proxy
The AirWatch servers can be configured with a proxy / PAC file for outbound internet access. Apple APNs traffic, however, is not HTTP traffic, and cannot be proxied through traditional HTTP proxies. This traffic must go straight out to the internet, or through an application/SOCKS proxy.

Kerberos Delegation
If using client certificates for email authentication the SEG server must be joined to the same domain as the backend CAS server and Kerberos Delegation must be setup in AD between the AirWatch SEG and the CAS server(s). In addition, valid SPNs must be set in AD for the public URL used by the SEG server.

HTTP PUT
iOS MDM requires the support of HTTP PUT commands from the iOS device to the AirWatch MDM server (Device Services)

A1 BES Service Account
BES service account permissions required for integration: User and Device Administration
Note: Topology and Blackberry Service setup permissions not necessary.


be deployed through a variety of cloud or onnd IT strategy. This document will outline each of the
chitecture for a successful PoC evaluation.
h cloud and on-premise architectures.

Benefits
Comply with corporate on-premise security po
Direct integration with corporate systems
Leverage existing infrastructure investments
Physical and virtual environments supported
Considerations
Network firewall changes required
Multiple software and hardware required on-p
Option 3: Single Server
On-premise deployment with a
single AirWatch server installed in
the DMZ or internal network

mise

LDAP / PKI

Ideal for...
Leveraging existing
infrastructure
On-premise is required

Exchange
Content repositories
Etc...
Page 8-19

Enterprise integration

Page 20-22


rchitecture options described above. After choosing


wing items for the desired deployment choice:
Architecture

Prerequisite

Diagram
Checklist

Source
Host

Destination
Component

{ADMIN_IP}

AirWatch SaaS

Apple iTunes
{ADMIN_IP}
Cloud

{ADMIN_IP}
{ADMIN_IP}
{Device_IP}

Google Play
Store
Virtual Earth
(GPS Maps)
Apple APNs
Cloud

{Device_IP}

Apple iTunes
Cloud
Android C2DM
Cloud

{Device_IP}

AirWatch SaaS

{Device_IP}


the simplicity of cloud deployments but still


urces is made simple with the
VM or physical server oncure gateway allowing
re not co-dependent and
deployments include ACC.
MAG

SEG component)
sole requires the ACC.

AirWatch Cloud Connector

Pages 8-10
Integrated Cloud Reverse Proxy
Ideal For...
Clients with an existing reverse
proxy
or WAF architecture

Page 17-19


Title

Windows OS
.NET Framework 3.5
&4

Description / Purpose
Windows Server
Minimum specification:
- 1 CPU core ( > 2.0 GHz)
- 2GB
GBDisk
RAMSpace (if logging is being
-1
done 5 GB)
Client
may
to generate internal
(physical
orneed
virtual)
A
windows
update
required
for
certs
for the
trafficis
between
the
Windows
Server
2008 R2to update
.NET
4
after
installation
external
additional
internet interface for the EAS traffic
software
components.
and the Reverse
Proxy, F5, SEG, and

Internal Certs (Trust)

CAS
servers. Details to be determined by
the Client architect team.

AirWatch Internal
Server

Client Firewall Rules


Enterprise Service
Accounts
(Optional)

If implementing enterprise services,


See
Below
Firewallwill
Change
services
accounts
need Requests
to be
created and
given specific permissions to allow
integration. See Appendix.


Source Host
{InternalServer_IP}

{InternalServer_IP}

{InternalServer_IP}

{InternalServer_IP}

Destination
Component
Client EAS/CAS
Server(s)
Domain
Controller
Enterprise
Services
(Optional)
Certificate
Authority
(Optional)

{InternalServer_IP}

AirWatch SaaS

{ADMIN_IP}

AirWatch SaaS

{ADMIN_IP}

Apple iTunes

{ADMIN_IP}
{ADMIN_IP}
{Device_IP}

{Device_IP}
{Device_IP}

Google Play
Store
Virtual Earth
(GPS Maps)
Apple APNs
Cloud
Apple iTunes
Cloud
Android C2DM
Cloud


{Device_IP}

AirWatch SaaS


Title

AirWatch Internal
Server
Windows OS
IIS 7 Server
.NET Framework 3.5
&4
Microsoft Messaging
Queue (MSMQ)
Java
External URL
Internal CAS URL

Description / Purpose
Windows Server
Minimum specification:
- 2 CPU core ( > 2.0 GHz)
- 4 GB RAM
(physical or virtual)
Windows
2008
R2 additional
IIS
ServerServer
must
also
A windows
update
is have
required
for
role services
installed. to update
.NET
4 after installation
additional
software components.

Load Balancer Setup


(Optional)

Enabled on all AirWatch servers.


Installed
on MAG
server.
External URL
URL
(DNS
Record)
resolving
Internal
to
relay
Exchange
Client
may
need
to
generate
internal
to
the
internal
AirWatch
server
ActiveSync
traffic
from
the
AirWatch
Public
trusted
SSL Certificate
to
certs for
the traffic
between the
server
match
the
External
DNS
for
the
external
AirWatch
SEG/EIS for the EAS traffic
internet
interface
If
installing
the SEG/MAG behind a
server.
and
the Reverse
Proxy, client
F5, SEG,
network
load balancer,
willand
CAS
need to setup
servers.
Details
to be determined by
load balancer
configuration.
the
Client
architect
team.
Persistence should be
set on the SSL
session for 15
minutes. See Appendix for more
details.

Client Firewall Rules

See Below Firewall Change Requests

Public SSL Certificate

Internal Certs (Trust)


If implementing enterprise services,


Enterprise Service
Accounts
(Optional)

services accounts will need to be


created and
given specific permissions to allow
integration. See Appendix.


Source Host
{InternalServer_IP}

{InternalServer_IP}

{InternalServer_IP}

{InternalServer_IP}

Destination
Component
Client EAS/CAS
Server(s)
Domain
Controller
Enterprise
Services
(Optional)
Certificate
Authority
(Optional)

{InternalServer_IP}

AirWatch SaaS

{ADMIN_IP}

AirWatch SaaS

{ADMIN_IP}

Apple iTunes

{ADMIN_IP}
{ADMIN_IP}
See IP list
here

Google Play
Store
Virtual Earth
(GPS Maps)
AirWatch
Server

{Device_IP}

Apple APNs
Cloud

{Device_IP}

Apple iTunes
Cloud
Android C2DM
Cloud

{Device_IP}

AirWatch SaaS

{Device_IP}

AirWatch
Internal Server

{Device_IP}


Title

AirWatch DMZ
Server
Windows OS
IIS 7 Server
.NET Framework 3.5
&4
Microsoft Messaging
Queue (MSMQ)
Java
AirWatch Software

Description / Purpose
Windows Server
Minimum specification:
- 2 CPU core ( > 2.0 GHz)
- 4 GB RAM
(physical or virtual)
Windows
2008
R2 additional
IIS
ServerServer
must
also
A windows
update
is have
required
for
role
services
installed.
.NET 4 after installation to update
additional
software components.
Enabled on all AirWatch servers.
Installed on
MAG server.
Available
through
the administrative
console.

External URL
Internal CAS URL
Internal URL
Public SSL Certificate
(AirWatch DMZ)

Internal Certs (Trust)


Load Balancer Setup
(Optional)
Client Firewall Rules
Enterprise Service
Accounts
(Optional)

External URL (DNS Record) resolving


to
the AirWatch
DMZ traffic
server from the
Internal
URL to relay
Client
may
need
to
generate
internal
AirWatch
SEG/EIS.
Internal
URL
(DNS
resolving
Public
trusted
SSL Record)
Certificate
to
certs for
the traffic
between the
to the AirWatch
Internal
server
match
the
External
DNS
for
the
external
AirWatch
DMZ
internet
interface
for the behind
EAS traffic
If
installing
the SEG/MAG
a
server.
Required
if
using
SEG
/ MAG
and
the
Reverse
Proxy,
F5,
SEG,
and
network load balancer, client will
CAS
need to setup
servers.
Details
to be determined by
load balancer
configuration.
the
Client
architect
team.
Persistence should be
set on the SSL
session for 15
minutes. See Appendix for more
details.
If implementing enterprise services,
See
Below
Firewallwill
Change
services
accounts
need Requests
to be
created and
given specific permissions to allow
integration. See Appendix.


Source Host
{DMZ_Server_IP}
{DMZ_Server_IP}

{DMZ_Server_IP}

Destination
Component
Client EAS/CAS
Server(s)
AirWatch
Internal Server

AirWatch SaaS

Internal
{InternalServer_IP}
Network

{InternalServer_IP}

AirWatch DMZ
Server

{ADMIN_IP}

AirWatch SaaS


Apple iTunes
{ADMIN_IP}
Cloud

{ADMIN_IP}
{ADMIN_IP}
See IP list
here
{Device_IP}

Google Play
Store
Virtual Earth
(GPS Maps)
AirWatch DMZ
Server
Apple APNs
Cloud

{Device_IP}

Apple iTunes
Cloud
Android C2DM
Cloud

{Device_IP}

AirWatch SaaS

{Device_IP}

AirWatch DMZ
Server

{Device_IP}


Title

Description / Purpose
Windows Server

AirWatch Internal
Server
Windows OS
IIS 7 Server
.NET Framework 3.5
&4
Microsoft Messaging
Queue (MSMQ)
Java
AirWatch Software
External URL
Internal CAS URL

Minimum specification:
- 2 CPU core ( > 2.0 GHz)
- 4 GB RAM
(physical or virtual)
Windows
2008
R2 additional
IIS
ServerServer
must
also
A windows
update
is have
required
for
role
services
installed.
.NET 4 after installation to update
additional
software components.

Public SSL Certificate

Enabled on all AirWatch servers.


Installed
on MAG.to Client during
Will
be provided
install.
External URL
URL to
(DNS
Record)
resolving
Internal
relay
Exchange
Client
may
need Internal
to generate
internal
to
the
AirWatch
server
ActiveSync
traffic
from
the
AirWatch
Public
trusted
SSL Certificate
to
certs for
the traffic
between the
server the External DNS for the
match
external
AirWatch
Internal for the EAS traffic
internet interface
server
and theaddress
Reverse Proxy, F5, SEG, and

Internal Certs (Trust)


MAG SSL Cert

CAS
If installing AirWatch behind a
servers.
to be determined
network Details
load balancer,
client will by
the
Client
architect
team.
The
SSL certificate
must be
needMAG
to setup
load
installed
on
the
reverse
proxy.
balancer configuration. Persistence

Load Balancer Setup


(Optional)

should be set on the SSL session for


15 minutes.
See Appendix for more details.

Client Firewall Rules


Enterprise Service
Accounts
(Optional)

If implementing enterprise services,


See
Below
Firewallwill
Change
services
accounts
need Requests
to be
created and
given specific permissions to allow
integration. See Appendix.


Source Host

{InternalServer_IP}

{InternalServer_IP}

Destination
Component
Client EAS/CAS
Server(s)
(Optional)
Enterprise
Services

(Optional)

{InternalServer_IP}

AirWatch SaaS


{ADMIN_IP}

AirWatch SaaS

{ADMIN_IP}

Apple iTunes

{ADMIN_IP}
{ADMIN_IP}
See IP list
here
{Device_IP}

Google Play
Store
Virtual Earth
(GPS Maps)
AirWatch
Internal Server
Apple APNs
Cloud

{Device_IP}

Apple iTunes
Cloud
Android C2DM
Cloud

{Device_IP}

AirWatch SaaS

{Device_IP}

AirWatch
Internal Server

{Device_IP}


Title

AirWatch Internal
Server

Reverse Proxy Server


Optional
Windows OS
SQL Server
SQL Server Reporting
Services
IIS 7 Server
.NET Framework 3.5
&4
Microsoft Messaging
Queue (MSMQ)
Java
External Public URL
Internal CAS URL
(optional)
Internal DC URL
(optional)
Internal CA Host
(optional)
Public SSL Certificate

Internal Certs (Trust)


MAG SSL Cert
Client Firewall Rules
Load Balancer Setup
(Optional)

Description
/ Purpose
Windows
Server
to install the
AirWatch Server Software
Minimum specification:
- 2 CPU core ( > 2.0 GHz)
-6
GB RAM
Client
may choose an existing server
~100
to useGB
forDrive
the reverse proxy or install
(physical
or virtual)
a
dedicated server that meets their
specifications
Microsoft SQL Server 2008 (2008 R2
Windows Server2008
R2 on
Recommended)
Required
Database SQL
server
Microsoft
Server Reporting
Services 2008 (2008 R2
Recommended)
IIS
Server must
also
additional
A windows
update
is have
required
for
role
services
installed.
.NET 4 after installation to update
additional
software components.
Enabled
all(DNS
AirWatch
servers.
External on
URL
Record)
for
Installed
on
MAG
server.
AirWatch Server public internet
facing
(https://company.mdm.com)
Internal URL to relay traffic from the
AirWatch
SEG to
the ActiveSync
Client
Internal
Domain
(AD) DNSCAS
to
server.
use to connect from the AirWatch
server to the
AD for authenticating users
Client may need to generate internal
Internal
hostname
and CA issuing
Public
trusted
SSL Certificate
to
certs for
the traffic
between the
name
of
the
CA
or
SCEP
endpoint.
match
the
External
DNS
for
the
external
AirWatch
SEG/EIS for the EAS traffic
internet interface
server.
(If
applicable)
and the Reverse
Proxy, F5, SEG, and
CAS
servers. Details to be determined by
the Client
architect
team.
The
MAG SSL
certificate
must be
If installing AirWatch behind a
installed on the reverse proxy.
network load balancer, client will
need to setup load
See
Below
Firewall Change
Requests
balancer
configuration.
Persistence
should be set on the SSL session for
15 minutes.
See Appendix for more details.


If implementing enterprise services,


Enterprise Service
Accounts
(Optional)

services accounts will need to be


created and
given specific permissions to allow
integration. See Appendix.


Source Host

Destination
Component

{InternalServer_IP}

Internal

Network
{InternalServer_IP}

{InternalServer_IP}
{InternalServer_IP}

{InternalServer_IP}

{InternalServer_IP}

{InternalServer_IP}

{InternalServer_IP}
{InternalServer_IP}
{InternalServer_IP}

{InternalServer_IP}
{ADMIN_IP}
{ADMIN_IP}

Apple APNs
Cloud
Apple iTunes
Cloud
Google Play
Store
Android C2DM
Cloud
CellTrusts SMS
Gateyway
(optional)
AirWatch
Certificate
Portal
SSL Signing
Cert CRL
SQL Server
SQL Server
Reporting Svc
AW
Autodiscovery
Server
AirWatch
Internal Server
Virtual Earth

(GPS Maps
Apple APNs
{Device_IP}
Cloud

{Device_IP}
{Device_IP}

Apple iTunes
Cloud
Android C2DM
Cloud
AirWatch

{Device_IP}
Server

{Device_IP}

AirWatch
Autodiscovery
Server


Title

AirWatch Internal

Description
/ Purpose
Windows
Server
to install the
AirWatch Server Software
Minimum specification:
- 2 CPU core ( > 2.0 GHz)

Server
(Internal)

AirWatch DMZ
Server
Windows OS
SQL Server
SQL Server Reporting
Services
IIS 7 Server
.NET Framework 3.5
&4
Microsoft Messaging
Queue (MSMQ)
Java
External URL
Internal CAS URL
Internal URL
Public SSL Certificate
(AirWatch DMZ)
SSL Certificate
(AirWatch Internal)
Load Balancer Setup
(Optional)
Client Firewall Rules
Enterprise Service
Accounts
(Optional)

-6 GB RAM
~100 GB Drive
(physical Server
or virtual)
Windows
to install Enterprise
Integration Software
Minimum specification:
- 2 CPU core ( > 2.0 GHz)
- 4 GB RAM
(physical
virtual)
Microsoft or
SQL
Server 2008 (2008 R2
Windows
Server
R2 on
Recommended) 2008
Required
Database
server
Microsoft SQL
Server Reporting
Services 2008 (2008 R2
Recommended)
IIS
Server must
also
additional
A windows
update
is have
required
for
role services
installed. to update
.NET
4 after installation
additional
software components.
Enabled on all AirWatch servers.
Installed
on MAG
server.
External URL
(DNS
Record) resolving
to the AirWatch
DMZ traffic
server from the
Internal
URL to relay
AirWatch
SEG(DNS
server.
Internal
URL
resolving
Public
trusted
SSL Record)
Certificate
to
to
the
AirWatch
Internal
server
match the External DNS for the
AirWatch DMZ
If installing AirWatch behind a
server.
network load balancer, client will
SSL
to match the Internal
needcertificate
to setup load
URL
for
the
AirWatch
Internal
server.
balancer configuration.
Persistence
should be set on the SSL session for
15 minutes.
See Appendix for more details.
If implementing enterprise services,
See
Below
Firewallwill
Change
services
accounts
need Requests
to be
created and
given specific permissions to allow
integration. See Appendix.


Source Host

Destination
Component

{InternalServer_IP}

Internal


{InternalServer_IP}

Network
SQL Server
SQL Server
Reporting Sync
Apple APNs
Cloud
Apple iTunes
Cloud
Google Play
Store

{InternalServer_IP}

Google Cloud

{InternalServer_IP}
{InternalServer_IP}
{InternalServer_IP}

{InternalServer_IP}

{InternalServer_IP}
{InternalServer_IP}

{InternalServer_IP}
{DMZ_Server_IP}
(SEG only)
{DMZ_Server_IP}

{DMZ_Server_IP}

{DMZ_Server_IP}
{DMZ_Server_IP}
{DMZ_Server_IP}
{DMZ_Server_IP}

{ADMIN_IP}
{ADMIN_IP}
{USER_IP}
{Device_IP}

Messaging
CellTrust SMS
AW DMZ
Server
AirWatch
autodiscovery
Server
Client CAS
Server(s)
Apple APNs
Cloud
Google Cloud
Messaging
SSL Cert CRL
AirWatch
Internal Server
SQL Server
AirWatch
autodiscovery
Server
Virtual Earth
(GPS Maps)
AirWatch
Internal Server
AirWatch DMZ
Server
Apple APNs
Cloud


{Device_IP}
{Device_IP}

Apple iTunes
Cloud
Android C2DM
Cloud

AirWatch
{Device_IP}
Server

{Device_IP}

AirWatch
autodiscovery
Server


rate with backend enterprise services.


Title: SQL Service Account
Description / Purpose: SQL service account to install the AirWatch database. Requires the System Administrator Permission.

Title: LDAP Binding Account
Description / Purpose: Client LDAP binding/service account to authenticate requests into the Client LDAP directory for all users in the desired OU.

Title: Enterprise Integration Service Account
Description / Purpose: If implementing SCEP, CA, BES, Exchange 2010 PowerShell or SMTP authentication, an AirWatch service account will need to be created and assigned to the Enterprise Integration Server. This AirWatch account requires the Remote Services Permission in AirWatch. (AirWatch Enterprise Integration Service Guide)

Title: Certificate Authority Service Account
Description / Purpose: Client CA service account to issue and revoke certificates from the CA.
Requires these permissions on the CA:
Issue and Manage Certificates
Request Certificates
Requires these permissions on the Certificate Template:
Read
Enroll
(AirWatch Certificate Management)

Title: PowerShell Service Account
Description / Purpose: Exchange 2010 and Office 365 permissions:
Organization Client Access
Mail Recipients
Recipient Policies (only if deploying Windows Phone Devices)
(AirWatch PowerShell Email Configuration Guide)

Title: BES Service Account
Description / Purpose: AirWatch BES Integration Guide. Service Account permissions can be found in Appendix A1.

Title: SharePoint Service Account
Description / Purpose: Account with read rights to the content repository to view and index content. The Browse Directories permission must be enabled on SharePoint. (AirWatch SharePoint Integration Guide)

Title: Installation Admin Rights
Description / Purpose: An account to run the AirWatch software installation with administrative rights on the AirWatch servers and SA permissions on the database to setup maintenance scripts.

Title: SMTP
Description / Purpose: SMTP account to relay emails from the system

Title: SCCM
Description / Purpose: AirWatch SCCM Integration Guide


premise security polices


porate systems
ucture investments
nments supported

required
dware required on-premise
Option 4: Multi Server
On-premise deployment with
multiple servers in the DMZ and
internal network for multi-tier
firewall architectures
Ideal for...
Multi-tier networks
Resources not available to DMZ
Special security policy

compliance
Server scalability via tier 1-3
deployments
Page 23-25

Network
Requirements


Destination Host

Destination IP
any
*for a list of IP

*.airwatchportals.com
*.awmdm.com

ranges of AW
Datacenters click
here

itunes.apple.com
ax.itunes.apple.com

*.mzstatic.com
any
*.phobos.apple.com
*phobos.apple.com.edgesuite.net
play.google.com

any

*.virtualearth.net
#-courier.push.apple.com
gateway.push.apple.com

any

phobos.apple.com
oscp.apple.com
ax.itunes.apple.com
mtalk.google.com

17.0.0.0/8

any
any
any
*for a list of IP

*.airwatchportals.com

*.awmdm

ranges of AW
Datacenters click
here


Integrated Cloud AW Cloud Connector


Yes
No


Destination Host

Destination IP

{InternalURL_CAS}

{InternalIP_CAS}

{InternalURL_DC}

{InternalIP_DC}

{InternalURL_ES}

{InternalIP_ES}

{InternalURL_CA}

{InternalIP_CA}

*.airwatchportals.com
*.awmdm.com

any
*for a list of IP
ranges of AW
Datacenters click
here
any
*for a list of IP

*.airwatchportals.com
*.awmdm.com

ranges of AW
Datacenters click
here

*.itunes.apple.com
*.mzstatic.com
*.phobos.apple.com
*phobos.apple.com.edgesuite.net

any

play.google.com

any

*.virtualearth.net
#-courier.push.apple.com
gateway.push.apple.com

any
17.0.0.0/8

phobos.apple.com
oscp.apple.com
ax.itunes.apple.com

any

mtalk.google.com

any

any
*for a list of IP
*.airwatchportals.com

*.awmdm.com

ranges of AW
Datacenters click
here

Integrated Cloud No DMZ


Yes

No


Destination Host

Destination IP

{InternalURL_CAS}

{InternalIP_CAS}

{InternalURL_DC}

{InternalIP_DC}

{InternalURL_ES}

{InternalIP_ES}

{InternalURL_CA}

{InternalIP_CA}

*.airwatchportals.com
*.awmdm.com

any
*for a list of IP
ranges of AW
Datacenters click
here
any
*for a list of IP

*.airwatchportals.com
*.awmdm.com

ranges of AW
Datacenters click
here

*.itunes.apple.com
*.mzstatic.com
*.phobos.apple.com
*phobos.apple.com.edgesuite.net

any

play.google.com

any

*.virtualearth.net

any

AW Public URL

AW Public IP

#-courier.push.apple.com
gateway.push.apple.com

17.0.0.0/8

phobos.apple.com
oscp.apple.com
ax.itunes.apple.com

any

mtalk.google.com

any
any
*for a list of IP

*.airwatchportals.com
*.awmdm.com

ranges of AW
Datacenters click
here

AW Public URL

AW Public IP

Integrated Cloud DMZ Relay


Yes

No


Destination Host

Destination IP

{InternalURL_CAS}

{InternalIP_CAS}

{InternalURL_AWInternal}

{InternalIP_AWInternal}
any
*for a list of IP
ranges of AW
Datacenters click
here

*.airwatchportals.com
*.awmdm.com
{InternalURL_DC}
{Internal_BES}
{Internal_ADCS}

{InternalIP_IP}
{Internal_SMTP}
{Internal_SharePoint}
{InternalURL_CA}
AW Public URL

AW Public IP
any
*for a list of IP

*.airwatchportals.com
*.awmdm.com

ranges of AW
Datacenters click

here
itunes.apple.com
ax.itunes.apple.com
*.mzstatic.com
any
*.phobos.apple.com
*phobos.apple.com.edgesuite.net
play.google.com

any

*.virtualearth.net

any

AW Public URL
#-courier.push.apple.com
gateway.push.apple.com

AW Public IP

phobos.apple.com
oscp.apple.com
ax.itunes.apple.com
mtalk.google.com

17.0.0.0/8

any
any
any
*for a list of IP

*.airwatchportals.com
*.awmdm.com

ranges of AW
Datacenters click
here

AW Public URL

AW Public IP

Cloud with Integration DMZ Reverse Proxy


Yes
No


Destination Host

Destination IP

{InternalURL_CAS}

{InternalIP_CAS}

{InternalURL_DC}
{Internal_BES}
{Internal_ADCS}

{InternalIP_IP}

{Internal_SMTP}
{Internal_SharePoint}
{InternalURL_CA}

*.airwatchportals.com

any
*for a list of IP
ranges of AW

*.awmdm.com

Datacenters click
here
any
*for a list of IP

*.airwatchportals.com
*.awmdm.com

ranges of AW
Datacenters click
here

*.itunes.apple.com
*.mzstatic.com
*.phobos.apple.com
*phobos.apple.com.edgesuite.net

any

play.google.com

any

*.virtualearth.net

any

AW Public URL
#-courier.push.apple.com
gateway.push.apple.com

AW Public IP

phobos.apple.com
oscp.apple.com
ax.itunes.apple.com
mtalk.google.com

17.0.0.0/8

any
any
any
*for a list of IP

*.airwatchportals.com
*.awmdm.com

ranges of AW
Datacenters click
here

AW Public URL

AW Public IP


On-Premise Single Server


Yes

No


Destination Host

Destination IP

{InternalURL_DC}
{Internal_CAS}
{Internal_BES}

{Internal_IPs}

{Internal_ADCS}
{Internal_SMTP}
{Internal_SharePoint}
gateway.push.apple.com
feedback.push.apple.com
*.itunes.apple.com
*.phobos.apple.com
play.google.com
android.googleapis.com
android.apis.google.com
www.google.com
google.com
gateway.celltrust.net

17.0.0.0/8

any
any

any

162.42.205.0/24

Ex.ocsp.verisign.com

any
*for a list of IP
ranges of AW
Datacenters click
here
TBD

{SQLServer_Name}
{SSRS_Name}

{SQLServer_IP}
{SSRS_IP}

discovery.awmdm.com

209.208.230.100

{InternalServer}

{InternalServer_IP}

*.virtualearth.net

any

awcp.air-watch.com

#-courier.push.apple.com
17.0.0.0/8
gateway.push.apple.com
phobos.apple.com
oscp.apple.com
ax.itunes.apple.com

any

mtalk.google.com

any

AW Public URL

AW Public IP

discovery.awmdm.com

209.208.230.100

On-Premise Multi Server


Yes

No


Destination Host

Destination IP

{InternalURL_DC}
{Internal_CAS}
{Internal_BES}

{Internal_IPs}

{Internal_ADCS}
{Internal_SMTP}
{Internal_SharePoint}
{SQLServer_Name}

{SQLServer_IP}

{SQLServer_Name}
gateway.push.apple.com
feedback.push.apple.com
*.itunes.apple.com
*.phobos.apple.com

{SQLServer_IP}
17.0.0.0/8

play.google.com
android.googleapis.com
android.apis.google.com
www.google.com
google.com
gateway.celltrust.net
{DMZServer_Name}

any

discovery.awmdm.com

209.208.230.100

{InternalURL_EAS}

{InternalIP_EAS}

gateway.push.apple.com

17.0.0.0/8

android.googleapis.com
android.apis.google.com
www.google.com
google.com
TBD
{InternalServer_URL}

any

any

162.42.205.0/24
{DMZServer_IP}

any

any
{InternalServer_IP}

{SQLServer_Name}

{SQLServer_IP}

discovery.awmdm.com

209.208.230.100

*.virtualearth.net

any

{InternalServer_URL}

{InternalServer_IP}

{DMZ_Server_URL}
#-courier.push.apple.com
gateway.push.apple.com

{DMZ_Server_IP}
17.0.0.0/8

phobos.apple.com
oscp.apple.com
ax.itunes.apple.com

any

mtalk.google.com

any

{DMZ_Server_URL}

Public IP

discovery.awmdm.com

209.208.230.100

Service Accounts
Yes

No


Protocol

Port

HTTP/HTTPS

80/443

HTTP/HTTPS

80/443

HTTP/HTTPS

80/443

HTTP/HTTPS

80/443

TCP

HTTP/HTTPS

5223

80/443

TCP

HTTP/HTTPS

5228

80/443


N/A


Protocol

Integrated Cloud AW Cloud Connector


Port

HTTP/HTTPS

LDAP/LDAPS

80,443
389,
636,
3268,
3269
80,443

HTTP/HTTPS
/SMTP

DCOM

, 25,
465
135,
1025-5000,
49152-65535

HTTPS

443

HTTP/HTTPS

80/443

HTTP/HTTPS

80/443

HTTP/HTTPS

80/443

HTTP/HTTPS

80/443

TCP

HTTP/HTTPS

5223

80/443

TCP

5228


HTTP/HTTPS

80/443

N/A


Protocol

Port

HTTP/HTTPS

LDAP/LDAPS

80,443
389,
636,
3268,
3269
80,443

HTTP/HTTPS
/SMTP

DCOM

, 25,
465
135,
1025-5000,
49152-65535

HTTPS

443

HTTP/HTTPS

80/443

HTTP/HTTPS

80/443

HTTP/HTTPS

80/443

HTTP/HTTPS

80/443

HTTPS

443

TCP

HTTP/HTTPS

5223

80/443

TCP

5228

HTTP/HTTPS

80/443

HTTPS

443
2010
2020

N/A


Protocol

Port

HTTP/HTTPS

80,443

HTTP/HTTPS

443
2010

HTTPS

DCOM
HTTPS
LDAP/LDAPS
SMTP

443

389,636,
3268,
3269,
135,443,
25

HTTPS

HTTP/HTTPS

443

80/443


HTTP/HTTPS

80/443

HTTP/HTTPS

80/443

HTTP/HTTPS

80/443

HTTPS

443

TCP

HTTP/HTTPS

5223

80/443

TCP

5228

HTTP/HTTPS

80/443

HTTPS

443
2010
2020

N/A


Protocol

Port

HTTP/HTTPS

80,443

DCOM
HTTPS

389,636
3268,
3269,

LDAP/LDAPS
/SMTP

135,443,
25

HTTPS

443


HTTP/HTTPS

80/443

HTTP/HTTPS

80/443

HTTP/HTTPS

80/443

HTTP/HTTPS

80/443

HTTPS

443

TCP

HTTP/HTTPS

5223

80/443

TCP

5228

HTTP/HTTPS

80/443

HTTPS

443
2010
2020


N/A


Protocol

Port

DCOM
HTTPS

389,636,
3268,
3269,

LDAP/LDAPS
SMTP

135,
443, 25,
465

TCP

2195,

HTTP/HTTPS

2196
80,443

HTTP/HTTPS

80,443

HTTPS

443

HTTPS

443

HTTPS

443

HTTP

80

TCP
HTTP

1433
80

HTTPS

443

HTTP/HTTPS

80,443

HTTP/HTTPS

80,443


TCP

5223

HTTP/HTTPS

80,443

TCP

5228
80,443,
2001,

HTTP/HTTPS
2010,
2020
HTTPS

443

N/A


Protocol

Port

DCOM
HTTPS

389,636,
3268,
3269,


LDAP/LDAPS
SMTP
TCP
HTTP/HTTPS
TCP

135,
443,
25,
465
1433
80,443
2195,
2196

HTTP/HTTPS

80,443

HTTP/HTTPS

80,443

TCP

HTTPS
TCP

443

443
443,
2001

HTTPS

443

HTTPS

443

TCP

2195,
2196

TCP

HTTP
HTTPS

443

80
443,
2010
1433

TCP
HTTPS

443

HTTP/HTTPS

80,443

HTTP/HTTPS

80,443

HTTP/HTTPS

80,443

TCP

5223


HTTP/HTTPS

80,443

TCP

5228
80,
443,

HTTP/HTTPS

2001,
2010,
2020

HTTPS

443

N/A


Ref
Diagram

Yes

N/S

N/S
N/S
2

3
4


Connector
Ref
Diagram

Yes
1

N/S

N/S
N/S
6

7
8


Integrated Cloud No DMZ


Yes

Ref
Diagram
1

N/S

N/S
N/S
6

7

8
9

10

11


Integrated Cloud DMZ Relay


Ref
Diagram

Yes
1
2


N/S

N/S
N/S
7
8

9
10

11

12


Integrated Cloud DMZ Reverse Proxy


Ref
Yes
Diagram
1


N/S

N/S
N/S
5
6

7
8

10


On-Premise Single Server


Yes

Ref
Diagram

3
N/S

N/S

N/S

N/S
6
7

8
9
N/S


10

11
12

13

14


On-Premise Multi Server


Yes

Ref
Diagram


2
2
3

4
5
N/S

N/S
6

7
8
9

10

N/S
11
2
17

N/S
12
N/S
13


14
15

16

18


Pure Cloud
No

N/A


No

N/A


No

N/A


No

N/A


No

N/A


No

N/A


No

N/A
