SaaS Customers
ACC Installation and Integration for SaaS
AirWatch v8.3
Have documentation feedback? Email docfeedback@air-watch.com. Note that if you require assistance from AirWatch
Support you should contact support@air-watch.com.
Copyright 2016 VMware, Inc. All rights reserved. This product is protected by copyright and intellectual property laws in the United States and other countries as well as by
international treaties. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their
respective companies.
VMware AirWatch Cloud Connector Guide for SaaS Customers | v.2016.04 | April 2016
Copyright 2016 VMware, Inc. All rights reserved. Proprietary & Confidential.
Revision Table
The following table displays revisions to this guide since the release of AirWatch v8.3.
Date            Reason
February 2016   Initial upload.
March 2016      Explained how the ACC auto-update feature affects the ACC version number listed under
                Add or Remove Programs. See ACC Auto-Update Option for more information.
Table of Contents
Chapter 1: Overview
Introduction to the ACC Guide
In This Guide
Prerequisites for SaaS Environments
Chapter 1: Overview
Introduction to the ACC Guide
In This Guide
Prerequisites for SaaS Environments
In This Guide
• Before You Begin: This section covers topics and prerequisites you should familiarize yourself with so you can get
  the most out of using this guide.
• Architecture & Security: This section lets you see the basic architecture type for your deployment.
• Prerequisites for ACC Connectivity in SaaS Environments: This section details all of the prerequisites for running
  ACC in a SaaS environment.
• ACC Installation: This section details the installation process for the ACC and how to enable it in the AirWatch Admin
  Console.
• Upgrading ACC: This section gives instructions on how to upgrade the ACC from a previous version and how to set
  up automatic updates.
• Regenerating Certificates: This section tells you how to regenerate certificates for the ACC.
Note: ACC traffic is automatically load-balanced by the AWCM component. It does not require a separate load
balancer. Multiple ACCs in the same organization group that connect to the same AWCM server for high availability
can all expect to receive traffic (a live-live configuration). How traffic is routed is determined by AWCM and depends
on the current load.
General Requirements
Table columns: Status Checklist, Requirement, Notes.

Requirement: Ensure that you have remote access to the servers that AirWatch is installed on
Notes: AirWatch recommends setting up Remote Desktop Connection Manager for multiple server management. The installer
can be downloaded from http://www.microsoft.com/en-us/download/confirmation.aspx?id=21101
Typically, installations are performed remotely over a web meeting or screen share that an AirWatch consultant
provides. Some customers also provide AirWatch with VPN credentials to directly access the environment as well.

Requirement: Installation of Notepad++ (Recommended)
Notes: Installer can be downloaded from http://download.tuxfamily.org/notepadplus/6.5.1/npp.6.5.1.Installer.exe

Requirement: Services accounts for authentication to backend systems
Notes: Validate AD connectivity method using LDP.exe tool (See
http://www.computerperformance.co.uk/ScriptsGuy/ldp.zip). LDAP, BES, PowerShell, etc.
Software Requirements
Table columns: Status Checklist, Requirement, Notes.

Requirement: Windows Server 2008 R2 or Windows Server 2012 or Windows Server 2012 R2

Requirement: Install PowerShell on the server
Notes: PowerShell version 3.0+ is required if you are deploying the PowerShell MEM-direct model for email. To check
your version, open PowerShell and run the command $PSVersionTable. More details on this and other email models can be
found in the VMware AirWatch Mobile Email Management Guide, available on AirWatch Resources.

Requirement: Install .NET Framework 4.5.2
Notes: The ACC auto-update feature will not function correctly until your ACC server is updated to .NET Framework
4.5.2. The ACC auto-update feature will not update the .NET Framework automatically. Please install .NET 4.5.2
manually on the ACC server before performing an upgrade.

For configuring the ports listed below, all traffic is uni-directional (outbound) from the source component to the
destination component.
An outbound proxy or any other connection management software or hardware must not terminate or reject the
outbound connection from the ACC. The outbound connection required for use by ACC must remain open at all times.

Network Requirements
Table columns: Source Component, Destination Component, Protocol, Port, Verification.

Source Component: ACC Server
Destination Component: AirWatch AWCM. For example: (https://awcm274.awmdm.com)
Protocol: HTTPS
Port: 443
Verification: Verify by entering https://awcmXXX.awmdm.com/awcm/status and ensure there is no certificate trust
error. (Replace 'XXX' with the same number as used in your environment URL, for example, '100' for cn100.)

Source Component: ACC Server
Destination Component: AirWatch Admin Console. For example: (https://cn274.awmdm.com)
Protocol: HTTP or HTTPS
Port: 80 or 443
Verification: Verify by entering https://cnXXX.awmdm.com and ensure there is no certificate trust error. (Replace
'XXX' with the same number as used in your environment URL, for example, '100' for cn100.) If auto-update is enabled,
ACC must be able to query AirWatch Admin Console for updates using port 443.

Source Component: ACC Server
Destination Component: AirWatch API. For example: (https://as274.awmdm.com)
Protocol: HTTPS
Port: 443
Verification: Verify by entering https://asXXX.awmdm.com/api/help and ensure you are prompted for credentials.
(Replace 'XXX' with the same number as used in your environment URL, for example, '100' for cn100.) ACC to API access
is required for the proper functioning of the AirWatch Diagnostics service.

Source Component: ACC Server
Destination Component: CRL: http://csc3-2010-crl.verisign.com/CSC3-2010.crl
Protocol: HTTP
Port: 80
Verification: For various services to function properly

Optional Integrations
Source Component   Destination Component              Protocol        Port
ACC Server         Internal SMTP                      SMTP            25
ACC Server         Internal LDAP                      LDAP or LDAPS   389, 636, 3268, or 3269
ACC Server         Internal SCEP                      HTTP or HTTPS   80 or 443
ACC Server         Internal ADCS                      DCOM            135, 1025-5000, 49152-65535
ACC Server         Internal BES                       HTTP or HTTPS   80 or 443
ACC Server         Internal Exchange 2010 or higher   HTTP or HTTPS   80 or 443

For SaaS customers who need to whitelist outbound communication, please refer to the following AirWatch
Knowledge Base article for a list of up-to-date IP ranges AirWatch currently owns:
https://support.air-watch.com/articles/21419683-What-are-the-AirWatch-IP-ranges-for-SaaS-data-centers-.
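
The verification steps in the Network Requirements table, together with the PowerShell and .NET Framework prerequisites, can be scripted and run on the ACC server. The following PowerShell is an added example, not part of the AirWatch guide or product. The EnvNumber parameter and the function names are hypothetical, and the raw TLS check assumes direct outbound access rather than an outbound proxy.

```powershell
# Added example: preflight checks to run on the ACC server before installing.
# EnvNumber (hypothetical parameter) is the number from your environment URL,
# for example 100 for cn100. The raw TLS check assumes direct outbound access.
param([Parameter(Mandatory = $true)][string]$EnvNumber)

$tls = 'Tls,Tls11,Tls12'   # every TLS version that .NET 4.5.x can offer
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]$tls

function Test-TlsTrust {
    # Connects to port 443 and completes a TLS handshake using the default
    # certificate chain validation, so an untrusted chain fails the handshake.
    param([string]$HostName)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, 443)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [Security.Authentication.SslProtocols]$tls, $false)
        return 'OK: connected, certificate trusted'
    }
    catch {
        # Walk the exception chain: a trust failure is an AuthenticationException.
        for ($e = $_.Exception; $e; $e = $e.InnerException) {
            if ($e -is [Security.Authentication.AuthenticationException]) {
                return "FAIL: certificate trust error ($($e.Message))"
            }
        }
        return "FAIL: cannot connect ($($_.Exception.Message))"
    }
    finally { $client.Close() }
}

function Get-HttpStatus {
    # Returns the HTTP status code for $Url, or 0 if no HTTP response arrived.
    param([string]$Url)
    $req = [Net.WebRequest]::Create($Url)
    $req.Timeout = 15000
    try { $resp = $req.GetResponse() }
    catch {
        # A protocol error such as 401 carries its response on the WebException.
        $resp = $_.Exception.GetBaseException().Response
    }
    if (-not $resp) { return 0 }
    $code = [int]$resp.StatusCode
    $resp.Close()
    return $code
}

# Release 379893 is the registry value that identifies .NET Framework 4.5.2.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$api = Get-HttpStatus "https://as${EnvNumber}.awmdm.com/api/help"
$crl = Get-HttpStatus 'http://csc3-2010-crl.verisign.com/CSC3-2010.crl'

$report = [ordered]@{
    'PowerShell 3.0+ (MEM-direct email model)'    = ($PSVersionTable.PSVersion.Major -ge 3)
    '.NET Framework 4.5.2+ (Release >= 379893)'   = [bool]($ndp -and $ndp.Release -ge 379893)
    "AWCM awcm${EnvNumber}.awmdm.com:443"         = Test-TlsTrust "awcm${EnvNumber}.awmdm.com"
    "Admin Console cn${EnvNumber}.awmdm.com:443"  = Test-TlsTrust "cn${EnvNumber}.awmdm.com"
    'API /api/help prompts for credentials (401)' = ($api -eq 401)
    'CRL reachable over HTTP on port 80 (200)'    = ($crl -eq 200)
}
$report.GetEnumerator() | Format-Table Key, Value -AutoSize -Wrap
```

A certificate trust error reported here usually points to TLS interception on the outbound path or a missing root certificate on the server, which is the same condition the browser check in the table is meant to surface.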
Chapter 2: Architecture & Security
Overview
Supported Configurations
ACC SaaS Deployment Model
Overview
The AirWatch Cloud Connector (ACC) is a Windows service that can be installed on a physical or virtual server running
Windows 2008 R2 or higher. It operates from within your internal network and can be configured behind any existing
Web Application Firewalls (WAF) or load balancers. By initiating a secure HTTPS connection from ACC to the AirWatch
Cloud Messaging Service (AWCM), ACC can periodically transmit information from your internal resources such as AD,
LDAP, etc. to the AirWatch Admin Console without any firewall changes. If you plan on proxying ACC traffic through an
outbound proxy, then there are settings in ACC that will allow for proxying.
Supported Configurations
Use ACC in the following configurations:
• Using HTTPS transport
Chapter 3: ACC Installation
Overview
Establishing Communications with AWCM
Enabling ACC from the AirWatch Admin Console
Running the ACC Installer
Verifying a Successful ACC Installation
Integrating with your Directory Service
Overview
This chapter details how to install the AirWatch Cloud Connector (ACC). It covers first enabling it in the AirWatch Admin
Console and then downloading and running the installer executable file onto the server that will host the service.
Note: If you are a SaaS customer and do not see this page in the system settings, then these settings have
already been configured for you.
Important: Perform the following steps on the server running ACC. Do not download the installation program onto
another computer and copy it to the ACC server.
1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Cloud Connector.
• Use Internal AWCM URL: Use this option if your security settings restrict your ACC server
  from resolving the External AWCM URL. For example, if ACC is on your internal network and
  your AWCM server is in a DMZ.
Table columns: Setting, Description.

Setting: Enterprise Services
Description: Select the Enabled or Disabled buttons to enable or disable Enterprise Services. The services
you select (enabled) will integrate with ACC.
• SMTP (Email Relay)
  AirWatch SaaS offers email delivery through its own SMTP, but you can enable ACC to use
  another SMTP server here. Enter SMTP server settings for email in Groups & Settings > All
  Settings > System > Enterprise Integration > Email (SMTP).
• Syslog (Client/server protocol used to integrate with the AirWatch event log data)
The following components are only available if you purchased the PKI Integration add-on, which
is available separately:
• Microsoft Certificate Services (PKI)
Note for SaaS customers: You do not need to download the Secure Channel Certificate
installer.

5. Navigate back to the General tab and select Download Cloud Connector Installer.
6. A Download Cloud Connector Installer screen displays. Enter a password for the ACC certificate in the fields. The
password will be needed later when you run the ACC installer and need to enter the certificate password.
7. Select Download and save the Cloud Connector x.x Installer.exe file on the ACC server for use later in Running the
ACC Installer.
3. Select Change... to select the installation directory and then select Next.
4. Enter the Certificate Password that you provided on the System Settings page in AirWatch. Select Next.
5. If you plan on proxying ACC traffic through an outbound proxy, then select the check box and provide proxy server
information. If needed, enter the Username and Password credentials and then select Next.
6. When the installation screen appears, select Install to begin the installation.
The installer displays a checkbox for auto-updating ACC. For more information on auto-update, see the ACC Auto-
Update Option.
7. Select Finish.
2. Select Test Connection at the bottom of the screen and the following message displays:
If a message displays saying AirWatch cannot communicate with AWCM, then this is not an ACC issue. This is an
AWCM issue, and you should consult with your AirWatch representative.
If a message displays saying AirWatch can communicate with AWCM but ACC is not responding, then this is an issue
with ACC. It probably means there is a certificate issue with ACC, or ACC cannot reach the AWCM server. You could
try regenerating the ACC certificate, uninstalling ACC, deleting all ACC folders, re-downloading ACC, and re-installing
it.
3. If migrating, determine which features are new in ACC and test the new functionality to verify the migration was
successful.
Chapter 4: Managing ACC
Overview
Upgrading ACC
ACC Auto-Update Option
ACC Manual Update Option
Regenerating Certificates
Overview
The following topics cover various management tasks you can perform for the AirWatch Cloud Connector once it is
installed. This includes uninstallation and upgrades.
Upgrading ACC
Upgrade the AirWatch Cloud Connector (ACC) from the AirWatch Admin Console to take advantage of the latest bug fixes
and enhancements. This process can be automated using the ACC auto-update option, or performed manually for
situations where administrative control is a priority.
Benefits
• No need to determine manually if you need to upgrade and then have to search for the latest ACC version; the
  software does it for you.
• Since it assures you stay updated, you always have the latest features, enhancements and fixes.
Update Process
ACC auto-update is performed using the Bank1 and Bank2 folders inside the CloudConnector folder. AirWatch detects
which of these folders is empty and streams the appropriate ACC files into it, in addition to emptying the contents of the
other folder. For the subsequent update, AirWatch repeats the process except for the alternate folder. This process
repeats each time a new version is auto-updated. This process is illustrated below.
Important: Do not delete the Bank1 or Bank2 folders. The Bank1 and Bank2 folders are integral to the ACC auto-
update process.
ACC auto-updates are performed with security in mind. Every update is signed by the AirWatch Admin Console and
verified by ACC, so it will only update itself with a trusted upgrade. The upgrade process is also transparent to the
AirWatch Admin. When a newer version is available, ACC knows from querying the AirWatch Admin Console on port 443,
and then an upgrade occurs.
While ACC is upgrading to the latest version, it will not be available, so there will be a short loss of service (i.e., approx. 1
minute). For those who have multiple ACC servers, to ensure all ACC services are not down at the same time, AirWatch
incorporates a random timer to the upgrade process so ACC outages will occur at different times for very short periods of
time.
If the ACC auto-updates, the version under Add or Remove Programs does not change; the original version will still be
listed. The version under Add or Remove Programs only changes when you run the full ACC installer. The best way to
verify if the auto-update succeeded is to look in the ACC logs for what version is running.
• If AirWatch, AWCM, or ACC certificates are regenerated, which would then require the latest version of ACC installed
  and a reboot to recognize the new certificate(s).
• The second approach is to use either of the Bank folders. In this case, leave either the .config or .config.old file
  available in the other Bank folder so the stock .config file can be repaired to customized values. Unzip the files
  and restart the Cloud Connector service, which will run with the newly upgraded version.
Regenerating Certificates
You may find it necessary to regenerate the certificates used for AirWatch and AirWatch Cloud Connector (ACC) servers,
for example, if they expire or if your organization requires it on a regularly scheduled basis. The process is simple and is
performed from the AirWatch Admin Console; however, it does require you to download and run the ACC installer again.
The certificates contain a Thumbprint and expiration date. Both can be cleared and regenerated at the same time by
selecting the Regenerate Certificates button and following the prompts. If you regenerate certificates, ACC will no longer
be able to communicate with AirWatch and you will need to perform the installation procedure again to allow both servers
to recognize the new certificates.
Perform the following steps to regenerate certificates for AirWatch and ACC servers.
1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Cloud Connector. Both
certificates, their thumbprints, and expiration dates are shown on the Advanced tab.
2. Select Regenerate Certificates to generate a new certificate for the ACC and AirWatch servers.
3. If required, enter your security PIN to confirm the action and acknowledge the warning message. Old certificates are
deleted and new certificates, thumbprints, and expiration dates are regenerated.
When you enter your PIN to confirm, the ACC will no longer be able to communicate with the AirWatch server. To
restore communications between ACC and the AirWatch server, you need to return to Installing ACC and complete
all the steps again. This will allow both servers to recognize the latest certificate and regain communications.
Finding Additional Documentation
Note: AirWatch recommends you always pull the document from AirWatch Resources each time you need to
reference it.
To search for and access additional documentation on the AirWatch Resources page, perform the following step-by-step
instructions:
1. Navigate to http://my.air-watch.com and log in using your AirWatch ID credentials.
2. Select AirWatch Resources from the navigation bar or home screen. The AirWatch Resources page displays with a list
of recent documentation and a list of Resources Categories on the left.
3. Select your AirWatch Version from the drop-down list in the search parameters to filter a displayed list of documents.
Once selected, you will only see documentation that pertains to your particular version of AirWatch.
• Search for a particular resource using the search box in the top-right by entering keywords or document names.
• Add a document to your favorites and it will be added to My Resources. Access documents you have favorited
  by selecting myAirWatch from the navigation bar and then selecting My Resources from the toolbar.
• Download a PDF of a document by selecting the button. Note, however, that documentation is frequently
  updated with the latest bug fixes and feature enhancements. Therefore, AirWatch recommends you always pull
  the document from AirWatch Resources each time you need to reference it.
Having trouble finding a document? Make sure a specific AirWatch Version is selected. All Versions will typically
return many results. Make sure you select Documentation from the category list, at a minimum. If you know which
category you want to search (e.g., Platform, Install & Architecture, Email Management) then selecting that will also
further narrow your search and provide better results. Filtering by PDF as a File Type will also narrow your search
even further to only include technical documentation manuals.