Introduction to Mobile Access Gateway Installation

This document describes the installation process for the Mobile Access Gateway (MAG), an enterprise integration component that provides a secure and effective method for individual applications to access corporate resources. For more information about how you can leverage MAG, its architecture and security, and the Admin Console settings that manage MAG functionality, refer to the Mobile Access Gateway Admin Guide.

In This Guide

Before You Begin: Ensure your deployment meets the necessary hardware, sizing, software and firewall requirements before attempting to install the MAG.
MAG Installation Preparation: Perform some preliminary steps to ensure a smooth installation of the MAG.
MAG Installation for a Relay-Endpoint Configuration: Run the MAG installer for a relay-endpoint configuration.
MAG Installation for a Basic Configuration: Run the MAG installer for a basic (endpoint only) configuration.
Appendix A SSL Offloading: Read more about how to enable SSL Offloading for the MAG.
Before You Begin

This section covers topics and prerequisites you should familiarize yourself with so you can get the most out of using this guide.

In This Section

Requirements: See a list of requirements you must meet before installing the MAG.
Recommended Reading: See a list of additional guides that contain supplemental information about MAG.
Getting Started: See additional considerations you should know before you begin.

Requirements

For a complete listing of all requirements for installing MAG in a SaaS environment, refer to the Prerequisites for MAG Connectivity for SaaS Environments. For a complete listing of all requirements for installing MAG in an on-premise environment, refer to the Prerequisites for MAG Connectivity for On-Premise Environments.

Recommended Reading

Mobile Access Gateway Admin Guide: This guide provides an overview of the MAG and how to enable MAG functionality within the Admin Console.

Getting Started

Note the following distinction between on-premise and SaaS deployments:
o On-premise refers to deployments where your organization hosts all components and servers on its internal networks.
o SaaS refers to deployments where certain components, such as the Console and API servers, are hosted in the cloud.

Before continuing with MAG installation, ensure AWCM is configured and operational. If you are an on-premise customer, refer to the AWCM Guide for instructions on how to configure AWCM before installing the MAG. Ensure you have performed all the necessary preliminary steps in MAG Installation Preparation.
Prerequisites for MAG Connectivity for SaaS Environments

Checklist (Requirement / Notes)

Hardware Requirements
o VM or Physical Server (64-bit)
o 1 CPU Core (2.0+ GHz)
o 2 GB RAM or higher
o 5 GB Disk Space

Sizing for up to 100,000 Devices (Number of Devices: CPU Cores; RAM)
o Up to 5,000: 1 CPU core; 4 GB RAM
o 5,000 to 50,000: 4 CPU cores, or 2 load-balanced servers w/ 2 CPU cores each; 4 GB RAM
o 50,000 to 100,000: 4 CPU cores, or 2 load-balanced servers w/ 2 CPU cores each; 8 GB RAM
o 100,000+: 2 load-balanced servers with 4 CPU cores each; 16 GB RAM

General Requirements
o Remote access to Windows Servers available to and Administrator rights. Notes: It is recommended to set up Remote Desktop Connection Manager for multiple server management; the installer can be downloaded from http://www.microsoft.com/en-us/download/confirmation.aspx?id=21101
o Installation of Notepad++ (Recommended). Notes: The installer can be downloaded from http://download.tuxfamily.org/notepadplus/6.5.1/npp.6.5.1.installer.exe

Software Requirements
o Windows Server 2008 R2 or Windows Server 2012 or Windows Server 2012 R2
o Install Role from Server Manager: IIS 7.0 (Server 2008 R2), IIS 8.0 (Server 2012 or Server 2012 R2), IIS 8.5 (Server 2012 R2 only)
o Install Features from Server Manager: .NET Framework 3.5.1 Features: Entire module (.NET Framework 3.5.1, WCF Activation); Telnet Client
o Install .NET Framework 4.0. Notes: Download from http://www.microsoft.com/en-us/download/confirmation.aspx?id=17718
o Java Runtime Environment 7+. Notes: Download from https://java.com/en/download/index.jsp
o Internally registered DNS. Notes: Register the MAG relay (if Relay-Endpoint) or register the MAG (if Endpoint only).
o Externally registered DNS. Notes: Register the MAG relay (if Relay-Endpoint) or register the MAG (if Endpoint only).
o SSL Certificate from a trusted third party with Subject or Subject Alternative Name of the DNS name. Notes: Ensure the SSL certificate is trusted by all device types being used (e.g. not all Comodo certificates are natively trusted by Android).
o IIS 443 Binding with the same SSL certificate. Notes: Validate that you can connect to the server over HTTPS (https://yourdomain.com). At this point, you should see the IIS splash page.
o Ensure the AWCM SSL certificate's Intermediate and Root CA certificates are in the Java CA Keystore on the MAG server. Notes: Use the command line utility on the MAG server to enter the following: keytool -list -v -keystore $JAVA_HOME\jre\lib\security\cacerts OR use the free GUI tool here: http://portecle.sourceforge.net/

Network Requirements
(Source Component -> Destination Component: Protocol/Port. Verification. Note number.)

Devices
o Devices (from Internet and Wi-Fi) -> MAG: HTTP, port 2010 (for Browser). Note 1.
o Devices (from Internet and Wi-Fi) -> MAG: port 2020 (for Browser). Note 1.
  Verification for ports 2010 and 2020: Once MAG starts correctly, it should be listening on ports 2010 and 2020 by default. To make sure, open a browser and check the following: http://maghost:2010 should show "407 MAG Authentication Failed!"; https://maghost:2020 should show an untrusted certificate screen unless there is a trusted SSL certificate, in which case you should see "407 MAG Authentication Failed!".
o Devices (from Internet and Wi-Fi) -> MAG: port 443 (for Content). Verification: Telnet from the Internet to the MAG server on that port. Note 1.

MAG Basic-Endpoint Configuration
o MAG Endpoint -> Cloud Messaging Server*: port 443. Verification: Enter https://<awcm URL>:443/awcm/status in a browser and ensure there is no certificate trust error. Note 2.
o MAG Endpoint -> Internal Content Repository: port 80 or 443. Note 4.
o MAG Endpoint -> Internal WebServer/App: port 80 or 443. Note 5.
o MAG Endpoint -> Internal System: any protocol, any port. Note 6.

MAG Relay-Endpoint Configuration
o MAG Relay -> Cloud Messaging Server*: port 443. Verification: Enter https://<awcm URL>:443/awcm/status in a browser and ensure there is no certificate trust error. Note 2.
o MAG Relay -> MAG Endpoint: HTTP, port 2010 (for Browser). Verification: Telnet from the MAG Relay to the endpoint server on that port. Note 3.
o MAG Relay -> MAG Endpoint: port 443 (for Content). Verification: Telnet from the MAG Relay to the endpoint server on that port. Note 3.
o MAG Endpoint -> Internal Content Repository: port 80 or 443. Note 4.
o MAG Endpoint -> Internal WebServer/App: port 80 or 443. Note 5.
o MAG Endpoint -> Internal System: any protocol, any port. Note 6.

* For SaaS customers, see https://ask.air-watch.com/entries/21419683-what-are-the--ip-ranges-for-saas-datacenters to view an ASK article that provides the most up-to-date IP ranges.

Notes:
1. For devices attempting to access internal resources.
2. For the MAG to query the Admin Console for compliance and tracking purposes.
3. For MAG Relay topologies to forward device requests to the internal MAG endpoint only.
4. For devices with the Secure Content Locker to access internal content.
5. For devices with the Secure Browser to access internal websites/web applications.
6. For devices with app tunnel; enables applications to communicate with internal systems.

Note: If a firewall resides between the MAG and an internal system you are trying to reach, then you will have to open the corresponding port depending on the traffic. For example, Windows Network File Shares require ports 135 through 139 and 445 to be open in order to access content on Windows file shares.
Prerequisites for MAG Connectivity for On-Premise Environments

Checklist (Requirement / Notes)

Hardware Requirements
o VM or Physical Server (64-bit)
o 1 CPU Core (2.0+ GHz)
o 2 GB RAM or higher
o 5 GB Disk Space
Note: The requirements listed here support basic data query. You may require additional server space if your use case involves the transmission of large encrypted files from a content repository.

Sizing for up to 100,000 Devices (Number of Devices: CPU Cores; RAM)
o Up to 5,000: 1 CPU core; 4 GB RAM
o 5,000 to 50,000: 4 CPU cores, or 2 load-balanced servers w/ 2 CPU cores each; 4 GB RAM
o 50,000 to 100,000: 4 CPU cores, or 2 load-balanced servers w/ 2 CPU cores each; 8 GB RAM
o 100,000+: 2 load-balanced servers with 4 CPU cores each; 16 GB RAM

General Requirements
o Remote access to Windows Servers available to and Administrator rights. Notes: It is recommended to set up Remote Desktop Connection Manager for multiple server management; you can download the installer from http://www.microsoft.com/en-us/download/confirmation.aspx?id=21101
o Installation of Notepad++ (Recommended). Notes: You can download the installer from http://download.tuxfamily.org/notepadplus/6.5.1/npp.6.5.1.installer.exe

Software Requirements
o Windows Server 2008 R2 or Windows Server 2012 or Windows Server 2012 R2
o Install Role from Server Manager: IIS 7.0 (Server 2008 R2), IIS 8.0 (Server 2012 or Server 2012 R2), IIS 8.5 (Server 2012 R2 only)
o Install Features from Server Manager: .NET Framework 3.5.1 Features: Entire module (.NET Framework 3.5.1, WCF Activation); Telnet Client
o Install .NET Framework 4.0. Notes: Download from http://www.microsoft.com/en-us/download/confirmation.aspx?id=17718
o Java Runtime Environment 7+. Notes: Download from https://java.com/en/download/index.jsp
o Internally registered DNS. Notes: Register the MAG relay (if Relay-Endpoint) or register the MAG (if Endpoint only).
o Externally registered DNS. Notes: Register the MAG relay (if Relay-Endpoint) or register the MAG (if Endpoint only).
o SSL Certificate from a trusted third party with Subject or Subject Alternative Name of the DNS name. Notes: Ensure the SSL certificate is trusted by all device types being used (e.g. not all Comodo certificates are natively trusted by Android).
o IIS 443 Binding with the same SSL certificate. Notes: Validate that you can connect to the server over HTTPS (https://yourdomain.com). At this point, you should see the IIS splash page.
o Ensure the AWCM SSL certificate's Intermediate and Root CA certificates are in the Java CA Keystore on the MAG server. Notes: Use the command line utility on the MAG server to enter the following: keytool -list -v -keystore $JAVA_HOME\jre\lib\security\cacerts OR use the free GUI tool here: http://portecle.sourceforge.net/

Network Requirements
(Source Component -> Destination Component: Protocol/Port. Verification. Note number.)

Devices
o Devices (from Internet and Wi-Fi) -> MAG: HTTP, port 2010 (for Browser). Note 1.
o Devices (from Internet and Wi-Fi) -> MAG: port 2020 (for Browser). Note 1.
  Verification for ports 2010 and 2020: Once MAG starts correctly, it should be listening on ports 2010 and 2020 by default. To make sure, open a browser and check the following: http://maghost:2010 should show "407 MAG Authentication Failed!"; https://maghost:2020 should show an untrusted certificate screen unless there is a trusted SSL certificate, in which case you should see "407 MAG Authentication Failed!".
o Devices (from Internet and Wi-Fi) -> MAG: port 443 (for Content). Verification: Telnet from the Internet to the MAG server on that port. Note 1.

MAG Basic-Endpoint Configuration
o MAG Endpoint -> Cloud Messaging Server: port 2001 or a port you configure. Verification: Enter https://<awcm URL>:<port>/awcm/status in a browser and ensure there is no certificate trust error. Note 2.
o MAG Endpoint -> REST API (DS or CN server): port 80 or 443. Verification: Enter https://apiserverurl/api/help in a browser and ensure there is no certificate trust error (it cannot be a self-signed certificate). If you are prompted for credentials, enter Airwatch admin credentials. Note 7.
o MAG Endpoint -> Internal Content Repository: port 80 or 443. Note 4.
o MAG Endpoint -> Internal WebServer/App: port 80 or 443. Note 5.
o MAG Endpoint -> Internal System: any protocol, any port. Note 6.

MAG Relay-Endpoint Configuration
o MAG Relay -> Cloud Messaging Server: port 2001 or a port you configure. Verification: Enter https://<awcm URL>:<port>/awcm/status in a browser and ensure there is no certificate trust error. Note 2.
o MAG Relay -> REST API (DS or CN server): port 80 or 443. Verification: Enter https://apiserverurl/api/help in a browser and ensure there is no certificate trust error (it cannot be a self-signed certificate). If you are prompted for credentials, enter Airwatch admin credentials. Note 7.
o MAG Relay -> MAG Endpoint: HTTP, port 2010 (for Browser). Verification: Telnet from the MAG Relay to the endpoint server on that port. Note 3.
o MAG Relay -> MAG Endpoint: port 443 (for Content). Verification: Telnet from the MAG Relay to the endpoint server on that port. Note 3.
o MAG Endpoint -> Internal Content Repository: port 80 or 443. Note 4.
o MAG Endpoint -> Internal WebServer/App: port 80 or 443. Note 5.
o MAG Endpoint -> Internal System: any protocol, any port. Note 6.
o Device Services -> MAG (relay): port 80 or 443. Note 8.
o Console -> MAG (relay): port 80 or 443. Note 9.

Notes:
1. For devices attempting to access internal resources.
2. For the MAG to query the Admin Console for compliance and tracking purposes.
3. For devices with the Secure Content Locker to access internal content from websites, such as SharePoint.
4. For devices with the Browser to access internal websites/web applications.
5. For devices with app tunnel; enables applications to communicate with internal systems.
6. For MAG Relay topologies to forward device requests to the internal MAG endpoint only.
7. The MAG needs to communicate with the API for initialization. The API server is generally hosted on the Admin Console Server or can be a separate server. Ensure there is connectivity between this server and the MAG server.
8. For the Device Services server to enumerate the repositories via the content relay and convert them into a format devices can use.
9. For the Console server to enumerate the repositories via the content relay for viewing in the Admin Console.

Note: If a firewall resides between the MAG and an internal system you are trying to reach, then you will have to open the corresponding port depending on the traffic. For example, Windows Network File Shares require ports 135 through 139 and 445 to be open in order to access content on Windows file shares.
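Both prerequisite checklists (SaaS and on-premise) ask you to confirm that the AWCM certificate's intermediate and root CA are present in the Java cacerts keystore, using keytool -list -v. The Python example below is added here and is not part of the guide: it parses that keytool output into entries and reports which required CA common names have no trusted certificate entry, which is easier to audit on several MAG servers than reading the listing by eye. The sample keytool output and the CA names "Example Root CA" / "Example Intermediate CA" are constructed placeholders, and the optional list_keystore helper assumes keytool is on PATH and that the cacerts store still uses the JRE default password "changeit".

```python
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `keytool -list -v` output, trimmed to the fields that
# matter here. The CA names are placeholders, not the real AWCM CA names.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: example-root-ca
Creation date: Jan 1, 2014
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
Serial number: 1
Valid from: Wed Jan 01 00:00:00 UTC 2014 until: Sat Jan 01 00:00:00 UTC 2034


*******************************************
*******************************************


Alias name: unrelated-ca
Creation date: Jan 1, 2014
Entry type: trustedCertEntry

Owner: CN=Unrelated CA, O=Other Corp, C=US
Issuer: CN=Unrelated CA, O=Other Corp, C=US
Serial number: 2
"""


def parse_keytool_list(text: str) -> List[Dict[str, str]]:
    """Split `keytool -list -v` output into one dict per keystore entry.

    Each dict carries the alias, entry type, owner and issuer DN strings;
    a field keytool does not print for an entry is simply absent.
    """
    wanted = {"Alias name": "alias", "Entry type": "entry_type",
              "Owner": "owner", "Issuer": "issuer"}
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):      # every entry starts with its alias
            current = {}
            entries.append(current)
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        field = wanted.get(key.strip())
        if field and field not in current:
            current[field] = value.strip()
    return entries


def cn_of(dn: str) -> str:
    """Extract the CN attribute from a DN string such as 'CN=X, O=Y', or ''."""
    match = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return match.group(1).strip() if match else ""


def missing_cas(required_cns: List[str], entries: List[Dict[str, str]]) -> List[str]:
    """Return the required CA common names that have no trustedCertEntry.

    Only trusted-certificate entries count: a key entry with the same CN
    would not make the JVM trust the AWCM server's certificate chain.
    """
    present = {cn_of(e.get("owner", "")) for e in entries
               if e.get("entry_type") == "trustedCertEntry"}
    return [cn for cn in required_cns if cn not in present]


def list_keystore(keystore_path: str, storepass: str = "changeit",
                  keytool: str = "keytool") -> str:
    """Run keytool against a real keystore and return its listing.

    Assumes keytool is on PATH and the default cacerts password; this is not
    invoked by the offline demonstration below.
    """
    result = subprocess.run(
        [keytool, "-list", "-v", "-keystore", keystore_path, "-storepass", storepass],
        capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    entries = parse_keytool_list(SAMPLE_KEYTOOL_OUTPUT)
    required = ["Example Root CA", "Example Intermediate CA"]  # placeholder names
    print("missing from keystore:", missing_cas(required, entries))
```

To check a real server, replace SAMPLE_KEYTOOL_OUTPUT with list_keystore(r"<path to>\jre\lib\security\cacerts") and put the actual CN values of the AWCM certificate's issuing chain in the required list; an empty result means the chain is trusted by the JVM the MAG runs under.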
MAG Installation Preparation

Overview

Before installing the MAG within your network, you must ensure your environment meets all the Mobile Access Gateway Requirements, and then prepare for installation by downloading the MAG installation files.

Notes:
o Steps 1 and 2 are applicable for on-premise customers only. If you are a SaaS customer, begin the installer download process with step 4.
o Before you begin installing MAG, ensure that AWCM is installed correctly, running, and communicating without any errors. For more information about configuring AWCM, refer to the AWCM Guide.
o It is recommended that you do not configure MAG at the Global organization group level.

Performing Preliminary Installation Steps

Prepare for the installation by performing the following steps.

1. Navigate to Groups & Settings > All Settings > System > Advanced > Site URLs in the Admin Console.
2. Ensure the URLs highlighted above are correct:
   o REST API URL: Should be in the format "https://<url>/api".
   o AWCM Server External URL: Should be in the format "server.acme.com" and not include a protocol such as https.
   o AWCM Service Internal URL: Should be in the format "https://server.acme.com".
3. Select Save.
4. Navigate to Groups & Settings > All Settings > System > Advanced > Device Root Certificate and verify the device root certificate exists. If it does not exist, click the Override radio button and generate the root device certificate.
5. Navigate to Groups & Settings > All Settings > System > Advanced > API > REST API and click the Override radio button.
6. Ensure the Enable API Access check box is selected and an API Key is displayed in the field highlighted above.
7. Click Save.
8. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Mobile Access Gateway. If this is your first time configuring MAG, select Configure and follow the configuration wizard screens. Otherwise, select the Override radio button, ensure the Enable Mobile Access Gateway check box is selected, and then select Configure to configure the following settings. In either case, select Configure MAG for Windows.
   Note: The MAG for Linux option available here is intended for the App Tunnel mobile app that is not yet released. Please check back when the app is available for instructions on configuring it to provide Per App VPN for your iOS 7 and higher devices.
   a. Select either Basic or Relay-Endpoint as your Configuration Type. Select Next.
   b. Enter the following information:
      o Host Name: The name given to the server where the MAG will be installed. If you plan to install the MAG on an SSL offloaded server, enter the name of that server in place of the Host Name. Note: When entering the Host Name, do not include a protocol (http://, https://, etc.).
      o Default HTTP Port: The port number automatically assigned for HTTP communication with the MAG.
      o Default Port: The port number automatically assigned for HTTPS communication with the MAG.
        Note: For example, if you are utilizing both port 2010 and 2020 (HTTP Tunneling), enter a port value for both fields. If you are utilizing only one port, either 2010 or 2020 (HTTPS Tunneling), enter '0' for Default HTTP Port and either 2010 or 2020 for Default Port. Refer to the HTTP and HTTPS Tunneling section of the Mobile Access Gateway Admin Guide for more information.
      o Content Repository URL: The URL used to access the MAG Content Repository Relay from the Internet. Typically the same as the hostname field but with an HTTP/HTTPS protocol. For example: https://magrelay.acme.com.
      o Ignore SSL Errors: Select to ignore SSL errors that occur during communication between the Admin Console and the content repository.
   c. If using a Relay-Endpoint setup, enter the Endpoint Details as follows:
      o Host Name: Enter the FQDN (absolute domain name) of the MAG endpoint.
      o Relay-Endpoint Port: The port used for traffic between the MAG relay and MAG endpoint. Do not use port 80, because IIS, which is required for MAG installation, will already be bound to port 80.
      o Content Repository URL: The URL used to access the MAG Content Repository Endpoint from the Internet. Typically the same as the hostname field but with an HTTP/HTTPS protocol. For example: https://magendpoint.acme.com.
      o Username and Password: Enter a Username and Password to create a basic user account for MAG authentication between the MAG relay and endpoint, using credentials of your choosing. There is no need to use existing credentials, but you should document the values you enter.
   d. Select Next.
9. Select the Use Public SSL Certificate check box if you are using third party public SSL certificates for authentication between applications and the MAG. Select Upload to browse for and upload your certificate file (.pfx or .p12). This file must contain both your public and private key pair. Select Next.
10. Review the summary of your MAG configuration and select Save.
11. Select the Advanced tab and then select Generate Certificates to enable MAG Authentication. If you plan to install the MAG on an SSL offloaded server, click Export MAG Certificate from the Admin Console once the certificate has been generated. Then, import the certificate on the server performing SSL offload. (This server can be a load balancer or reverse proxy.)
12. Select the General tab and then select the Download Mobile Access Gateway Installer hyperlink.
13. Enter and confirm a certificate password and then click Download. Note: The MAG password must contain a minimum of six characters.
14. Click Save.

Note: If you make any changes on this configuration screen after you have downloaded the MAG installer and installed the MAG, then you will need to select Save again, uninstall the MAG, delete all MAG folders, re-download the MAG installer and re-install the MAG.

Note: At this time you can configure additional advanced settings, which are documented in the Mobile Access Gateway Admin Guide in the Configuring MAG System Settings section.
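Step 2 and step 8b above state format rules for the Site URLs and for the MAG Host Name and port fields, and the last note explains why getting them wrong is costly (a change after download means uninstalling, deleting the MAG folders and reinstalling). The Python example below is added here and is not part of the guide or the product: it turns those stated rules into checks that can be run over a settings record before the installer is downloaded. The host names under example.com and the SAMPLE_SETTINGS record are constructed; the field names in the dict are this example's own, not Admin Console identifiers.

```python
from typing import Dict, List
from urllib.parse import urlsplit


def check_rest_api_url(url: str) -> List[str]:
    """Step 2: the REST API URL should be in the format "https://<url>/api"."""
    parts = urlsplit(url.strip())
    problems: List[str] = []
    if parts.scheme != "https":
        problems.append("REST API URL must start with https://")
    if not parts.netloc:
        problems.append("REST API URL has no host")
    if parts.path.rstrip("/") != "/api":
        problems.append('REST API URL must end in "/api"')
    return problems


def check_awcm_external_url(value: str) -> List[str]:
    """Step 2: the AWCM Server External URL is a bare host such as server.acme.com."""
    value = value.strip()
    problems: List[str] = []
    if "://" in value:
        problems.append("AWCM Server External URL must not include a protocol such as https")
    host = value.split("://", 1)[-1]
    if not host or "/" in host or " " in host:
        problems.append("AWCM Server External URL must be a host name like server.acme.com")
    return problems


def check_awcm_internal_url(url: str) -> List[str]:
    """Step 2: the AWCM Service Internal URL looks like "https://server.acme.com"."""
    parts = urlsplit(url.strip())
    problems: List[str] = []
    if parts.scheme != "https":
        problems.append("AWCM Service Internal URL must start with https://")
    if not parts.netloc:
        problems.append("AWCM Service Internal URL has no host")
    return problems


# The two tunnelling ports named in step 8b (HTTP on 2010, HTTPS on 2020).
DOCUMENTED_MAG_PORTS = {2010, 2020}


def check_mag_host_and_ports(host_name: str, http_port: int, other_port: int) -> List[str]:
    """Step 8b: Host Name carries no protocol; when only one tunnelling port is
    used, Default HTTP Port is 0 and the other field carries 2010 or 2020."""
    problems: List[str] = []
    if "://" in host_name:
        problems.append("Host Name must not include a protocol (http://, https://, etc.)")
    in_use = {p for p in (http_port, other_port) if p != 0}
    if not in_use:
        problems.append("at least one of the two port fields must be non-zero")
    elif http_port == other_port:
        problems.append("the two port fields must not carry the same port")
    for p in sorted(in_use - DOCUMENTED_MAG_PORTS):
        problems.append(f"port {p} is not one of the documented MAG ports 2010/2020")
    return problems


def validate_site_settings(settings: Dict[str, object]) -> List[str]:
    """Run every check over one settings record and return all findings."""
    return (check_rest_api_url(str(settings["rest_api_url"]))
            + check_awcm_external_url(str(settings["awcm_external_url"]))
            + check_awcm_internal_url(str(settings["awcm_internal_url"]))
            + check_mag_host_and_ports(str(settings["mag_host_name"]),
                                       int(settings["default_http_port"]),
                                       int(settings["default_other_port"])))


# Constructed sample carrying the typical mistakes: http instead of https on
# the API URL, and a protocol prefix on the external AWCM URL and Host Name.
SAMPLE_SETTINGS: Dict[str, object] = {
    "rest_api_url": "http://cn.example.com/api",
    "awcm_external_url": "https://awcm.example.com",
    "awcm_internal_url": "https://awcm.example.com",
    "mag_host_name": "https://mag.example.com",
    "default_http_port": 0,
    "default_other_port": 2020,
}

if __name__ == "__main__":
    for finding in validate_site_settings(SAMPLE_SETTINGS):
        print("-", finding)
```

The port check only flags values outside 2010/2020 as findings to review, since those are the ports the guide documents; a deliberately different port is still reported so the reviewer can confirm the Admin Console and the firewall rules agree on it.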
MAG Installation for a Relay-Endpoint Configuration

Overview

Perform the following steps to install the MAG for a Relay-Endpoint configuration, which you can view below. Verify the presence of IIS and install Java on the MAG server as needed, as noted in the Requirements section.

Note: Before you begin, ensure the server you are installing MAG on can reach AWCM by browsing to "https://{url}:<port>/awcm/status", where <port> is the configurable external port for AWCM. You should see the status of the AWCM with no SSL errors. If there are errors, resolve them before continuing or the MAG will not function properly.

Example of a Relay-Endpoint Configuration

For more information about the supported MAG configurations and deployment models, refer to the Mobile Access Gateway Admin Guide.

Installing the MAG

The process below walks you through installing the MAG on the Relay server first. Immediately afterward, follow the instructions for installing the MAG on the Endpoint server as well. For Relay-Endpoint configurations, you must perform MAG installation on both the Relay and Endpoint servers.

Relay Server

1. Open the installer executable on the Relay MAG server and then click Next.
   Note: If a previous version of MAG is installed, the installer auto-detects it and offers the option to upgrade to the latest version.
2. Accept the End User License Agreement and then click Next.
3. Specify the destination for the downloaded MAG installation files and then click Next.
4. Select the Relay button to first install MAG on the Relay server.
5. Select Is this server SSL Offloaded? if you are setting up a reverse proxy configuration with SSL Offloading. For more information, see Appendix A SSL Offloading.
6. Select Next.
7. Enter the Certificate Password you created in the Admin Console and then click Next.
8. Select the Target Site in which the application should be installed using the drop-down menu and then click Next.
   If Windows Firewall is turned on, you may receive a dialog indicating that certain profiles are enabled. In this case, ensure the necessary MAG ports, which include both the ones you configured in the Admin Console and the default IIS website port you are using to access content, are allowed in the Windows Firewall settings.
9. Click Install to begin MAG installation on the server.
10. Click Finish to close the MAG installer. Review the activity in the .log file created by the MAG installer to verify successful MAG installation. The file can be found in the same destination folder where the installer executable was initially downloaded.

Next, you will install the MAG on the Endpoint server.

Endpoint Server

1. Open the installer executable on the Endpoint MAG server and then click Next.
   Note: If a previous version of MAG is installed, the installer auto-detects it and offers the option to upgrade to the latest version.
2. Accept the End User License Agreement and then click Next.
3. Specify the destination for the downloaded MAG installation files and then click Next.
4. Select the Endpoint button to install MAG on the Endpoint server.
5. Select the check box to indicate whether MAG will use an outbound proxy. If so, enter the address of the Proxy Host and the Proxy Port number to be used for communication. If the proxy requires authentication, first select the Does the proxy require authentication credentials? check box, then select whether it uses Basic or NTLM authentication, then specify the Username and Password credentials.
6. Specify whether you are using Proxy auto-configuration (PAC) files as part of your MAG installation. A PAC file is a set of rules that a browser checks to determine where traffic gets routed. For MAG, traffic is checked against the PAC file to determine whether it has to go through an outbound proxy. If you have authentication for PAC files, the MAG must know the username and password of the proxy. You can reference a PAC file on a remote server by providing the PAC URL, or Upload a PAC file directly. When you are finished, click Next.
7. Enter the Certificate Password you created in the Admin Console and then click Next.
8. Select the Target Site in which the application should be installed using the drop-down menu and then click Next.
   If Windows Firewall is turned on, you may receive a dialog indicating that certain profiles are enabled. In this case, ensure the necessary MAG ports, which include both the ones you configured in the Admin Console and the default IIS website port you are using to access content, are allowed in the Windows Firewall settings.
9. Click Install to begin MAG installation on the server.
10. Click Finish to close the MAG installer. Review the activity in the .log file created by the MAG installer to verify successful MAG installation. The file can be found in the same destination folder where the installer executable was initially downloaded.
MAG Installation for a Basic (Endpoint only) Configuration

Overview

Perform the following steps to install the MAG for a Basic configuration, which you can view below. Verify the presence of IIS and install Java on the MAG server as needed, as noted in the Requirements section.

Note: Before you begin, ensure the server you are installing MAG on can reach AWCM by browsing to "https://{url}:<port>/awcm/status", where <port> is the configurable external port for AWCM. You should see the status of the AWCM with no SSL errors. If there are errors, resolve them before continuing or the MAG will not function properly.

Example of a Basic Configuration

For more information about the supported MAG configurations and deployment models, refer to the Mobile Access Gateway Admin Guide.

Installing MAG for Basic (Endpoint only) Configurations

1. Open the installer executable on the Endpoint MAG server and then click Next.
   Note: If a previous version of MAG is installed, the installer auto-detects it and offers the option to upgrade to the latest version.
2. Accept the End User License Agreement and then click Next.
3. Specify the destination for the downloaded MAG installation files and then click Next.
4. Select the check box to indicate whether MAG will use an outbound proxy. If so, enter the address of the Proxy Host and the Proxy Port number to be used for communication. If the proxy requires authentication, first select the Does the proxy require authentication credentials? check box, then select whether it uses Basic or NTLM authentication, then specify the Username and Password credentials.
5. Specify whether you are using Proxy auto-configuration (PAC) files as part of your MAG installation. A PAC file is a set of rules that a browser checks to determine where traffic gets routed. For MAG, traffic is checked against the PAC file to determine whether it has to go through an outbound proxy. If you have authentication for PAC files, the MAG must know the username and password of the proxy. You can reference a PAC file on a remote server by providing the PAC URL, or Upload a PAC file directly. When you are finished, click Next.
6. Enter the Certificate Password you created in the Admin Console and then click Next.
7. Select the Target Site in which the application should be installed using the drop-down menu and then click Next.
   If Windows Firewall is turned on, you may receive a dialog indicating that certain profiles are enabled. In this case, ensure the necessary MAG ports, which include both the ones you configured in the Admin Console and the default IIS website port you are using to access content, are allowed in the Windows Firewall settings.
8. Click Install to begin MAG installation on the server.
9. Click Finish to close the MAG installer. Review the activity in the .log file created by the MAG installer to verify successful MAG installation. The file can be found in the same destination folder where the installer executable was initially downloaded.
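Both installation procedures (Relay-Endpoint and Basic) end with reviewing the installer's .log file, and the prerequisite tables give the runtime check that complements it: once MAG starts correctly it listens on 2010 and 2020 and answers "407 MAG Authentication Failed!" on both, with an untrusted-certificate warning on 2020 until a trusted certificate is bound. The Python example below is added here and is not part of the guide or the product: it probes those listeners and records, for the TLS port, both whether MAG answers and whether the certificate it presents verifies against the local trust store, since the two can differ exactly as the guide describes. The host name "maghost" follows the guide's placeholder; the serve_fake_mag_once helper is a constructed localhost stand-in so the probe can be exercised without a MAG installed.

```python
import socket
import ssl
import threading
from typing import Dict

# The guide's verification table: port -> whether the listener speaks TLS.
DEFAULT_LISTENERS = {2010: False, 2020: True}


def classify_status_line(status_line: str) -> str:
    """Turn the first line of an HTTP response from a MAG port into a verdict.

    A 407 is the healthy answer: MAG is up and demanding its own
    authentication. Anything else means something other than MAG answered
    or the MAG is misconfigured.
    """
    parts = status_line.strip().split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return "not-http"
    return "mag-ok" if parts[1] == "407" else "unexpected-" + parts[1]


def _read_status_line(sock: socket.socket, host: str) -> str:
    """Send a minimal GET and return the response status line."""
    sock.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii"))
    buf = b""
    while b"\r\n" not in buf and len(buf) < 4096:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf.split(b"\r\n", 1)[0].decode("latin-1", "replace")


def probe_mag_port(host: str, port: int, use_tls: bool, timeout: float = 5.0) -> Dict[str, object]:
    """Connect to one MAG listener and report what it answers.

    For the TLS port, certificate trust is checked on a separate connection
    with the default (verifying) context, while the status line is read over
    a non-verifying connection, because an untrusted certificate is expected
    until a trusted one is bound and must not hide whether MAG is listening.
    """
    report: Dict[str, object] = {"host": host, "port": port, "tls": use_tls, "listening": False}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        report["error"] = str(exc)
        return report
    report["listening"] = True
    try:
        if use_tls:
            strict_sock = socket.create_connection((host, port), timeout=timeout)
            try:
                with ssl.create_default_context().wrap_socket(strict_sock, server_hostname=host):
                    report["cert_trusted"] = True
            except ssl.SSLError as exc:
                report["cert_trusted"] = False
                report["cert_error"] = str(exc)
            finally:
                strict_sock.close()
            lax = ssl.create_default_context()
            lax.check_hostname = False
            lax.verify_mode = ssl.CERT_NONE
            raw = lax.wrap_socket(raw, server_hostname=host)
        report["verdict"] = classify_status_line(_read_status_line(raw, host))
    except OSError as exc:
        report["verdict"] = "error"
        report["error"] = str(exc)
    finally:
        raw.close()
    return report


def probe_default_listeners(host: str) -> Dict[int, Dict[str, object]]:
    """Probe both default MAG ports on the given (assumed) host name."""
    return {port: probe_mag_port(host, port, tls) for port, tls in DEFAULT_LISTENERS.items()}


def serve_fake_mag_once(status_line: str = "HTTP/1.1 407 MAG Authentication Failed!") -> int:
    """Constructed stand-in for the plaintext listener: answers one request on
    127.0.0.1 with the given status line so the probe can run offline.
    Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # consume the request line and headers
            conn.sendall((status_line + "\r\nContent-Length: 0\r\n\r\n").encode("ascii"))
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


if __name__ == "__main__":
    demo_port = serve_fake_mag_once()
    print(probe_mag_port("127.0.0.1", demo_port, use_tls=False))
    # Against a real install: print(probe_default_listeners("maghost"))
```

Run it from a host on the device side of the firewall as well as from the server itself: a "listening" of False from outside but True locally points at the Windows Firewall or an upstream rule rather than at the MAG installation.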
Appendix A SSL Offloading

Overview

When accessing HTTP endpoints over the MAG using HTTP Tunneling, all HTTP traffic is encrypted and authenticated using an SSL certificate and sent over port 2020 as HTTPS. You can perform SSL Offloading with products such as F5's BIG-IP Local Traffic Manager (LTM), or Microsoft's Unified Access Gateway (UAG), Threat Management Gateway (TMG) or Internet Security and Acceleration Server (ISA) solutions. The following diagram illustrates how SSL Offloading affects MAG traffic in a Relay-Endpoint configuration.

Note: Using the MAG to access internal content supports both SSL offloading and proxying traffic. Using the MAG to perform app tunneling supports SSL Offloading only.

SSL Offloading Traffic Flow

1. A device requests access to content or resources, which can be either an HTTP or an HTTPS endpoint. Requests to HTTP endpoints are sent over port 2020, encrypted and authenticated with an SSL certificate. Requests to HTTPS endpoints are sent over port 2010, encrypted and authenticated with a third party SSL certificate.
2. The traffic hits an SSL Termination Proxy, which must contain the certificate exported from the Admin Console or your organization's own public certificate. Requests to HTTP endpoints over port 2020 have their SSL offloaded and are sent to the MAG relay unencrypted over port 2010. Requests to HTTPS endpoints over port 2010 are unaffected and continue to the MAG relay on that port.
   Note: Since all traffic is now sent over port 2010, you must create a rule on your SSL Termination Proxy to forward all traffic on port 2010.
3. The traffic continues from the MAG Relay to the MAG Endpoint on a port you configure.
4. The MAG Endpoint communicates with your backend systems to access the requested content or resources.

Enabling SSL Offloading

To enable SSL Offloading, ensure the SSL Offloading check box is selected in the MAG installation for the MAG Relay server. This informs the MAG Relay to expect to receive all traffic on port 2010.