Mobility is a rapidly growing sector and one that shows no signs of slowing down at any point in the future. We all carry mobile devices, whether it’s a tablet, phone or laptop, and as an enterprise administrator it’s important that corporate resources are protected when viewed on the device. Hopefully by now, most of us have heard of VMware AirWatch, seen AirWatch or enrolled a device in AirWatch. I won’t get into the details of what it is; there are plenty of articles on my blog where you can catch up if you haven’t ever heard of it. I want to touch on a specific piece of AirWatch that plays a major role in protecting your corporate resources when they are accessed from a mobile device, whether it’s a BYOD device or corporate-owned. That AirWatch component is called the AirWatch Cloud Connector or ACC. Connecting clouds sounds cool, but let’s dive into what the ACC really is and what it does.
Basic Overview of the AirWatch Cloud Connector (ACC)
At its most basic, the ACC gives your organization the ability to integrate AirWatch with your back-end enterprise systems. The most basic use for ACC is to configure AirWatch to connect with Enterprise Directory Services, i.e. Active Directory or LDAP. While integrating AD is a great use case for ACC, it can connect to much more. Here’s a list of internal components that ACC integrates with:
- Directory Services (AD/LDAP)
- Email Relay (SMTP)
- Email Management Exchange (PowerShell)
- BlackBerry Enterprise Server (BES)
- Lotus Domino Web Service (HTTPS)
- Syslog (Event Log Data)
As an added bonus, if you purchase the PKI integration add-on (available separately), there are several other connections ACC can make, such as Microsoft Certificate Services (PKI), Simple Certificate Enrollment Protocol (SCEP PKI) and Third Party Certificate Services (for on-premise only). This should give you a good idea of what ACC is from a high-level perspective. How do you configure it and where is it configured? Those are great questions and we’ll get to that next.
ACC Installation Pre-requisites
This section of the post will walk you through installing and configuring the ACC. First, let’s look at some pre-requisites to installing/configuring ACC. ACC needs to run on top of Windows Server; note that this is specifically for a SaaS configuration. As for disk space, you will see in the table below that the disk requirement for ACC is only 1 GB; that is all you need within your server’s disk space.
Once we have the hardware requirements in place, the next logical step to configuring ACC is ensuring that there is adequate connectivity. Most enterprises have a firewall or two in place and it’s important to allow certain ports through so that ACC can do its job. Most of the ports listed in the table below are common ports and are most likely already open, but it’s good to be thorough and check just in case.
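One way to do that check from the Windows Server that will host ACC is sketched below. This is an added example, not part of the original post or of any AirWatch tooling, and every host name and port in it is a placeholder assumption; replace them with the values from your own port requirements. It reports DNS resolution separately from TCP reachability, so a name that won't resolve isn't mistaken for a blocked firewall port.

```powershell
# Added example: pre-install reachability check, run on the future ACC server.
# ASSUMPTION: all host names and ports are placeholders. Substitute the
# endpoints and ports from your own AirWatch port requirements.
$endpoints = @(
    [pscustomobject]@{ Role = 'AWCM (external URL)'; HostName = 'awcm.example.com';    Port = 443 }
    [pscustomobject]@{ Role = 'AirWatch console';    HostName = 'console.example.com'; Port = 443 }
    [pscustomobject]@{ Role = 'Directory (LDAPS)';   HostName = 'dc01.corp.example';   Port = 636 }
    [pscustomobject]@{ Role = 'Email relay (SMTP)';  HostName = 'smtp.corp.example';   Port = 25  }
)

function Test-AccEndpoint {
    param(
        [Parameter(Mandatory)] [string] $Role,
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [int]    $Port
    )

    # Step 1: does the name resolve from this server at all?
    $resolves = $true
    try   { Resolve-DnsName -Name $HostName -ErrorAction Stop | Out-Null }
    catch { $resolves = $false }

    # Step 2: only attempt the TCP handshake if DNS worked.
    $reachable = $false
    if ($resolves) {
        $probe = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
        $reachable = [bool]$probe.TcpTestSucceeded
    }

    [pscustomobject]@{
        Role         = $Role
        Target       = "${HostName}:$Port"
        DnsResolves  = $resolves
        TcpReachable = $reachable
    }
}

$results = foreach ($e in $endpoints) {
    Test-AccEndpoint -Role $e.Role -HostName $e.HostName -Port $e.Port
}
$results | Format-Table -AutoSize

# Summarise anything that needs a DNS or firewall change before installing ACC.
$failed = @($results | Where-Object { -not $_.TcpReachable })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} endpoint(s) not reachable: {1}" -f $failed.Count, ($failed.Target -join ', '))
}
```

The probes are TCP only, so a UDP service such as syslog needs a separate check.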
Where do I put ACC?
This is a good question! It’s a good idea to place your ACC inside your internal network. There are some things we can place in the DMZ, and others we can expose to the public Internet, but ACC we want internal. Below are some suggested architectures that show the best placement of ACC in an AirWatch architecture.
On-Premise ACC Deployment architecture
SaaS ACC only deployment architecture
Installing and Configuring ACC
Now here’s the funny thing… since VMware acquired AirWatch a couple of years back, the names of AirWatch components have slowly begun to change over time. In the past, you would navigate to Enterprise Integration and then select AirWatch Cloud Connector to download and install it… it’s not there anymore, at least in 9.1. To install ACC, you now need to navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware Enterprise Systems Connector. This page will display your current settings for Enterprise Integration. Make sure to click on the Override radio button in the Current Setting section. When clicking Override, you will get the option to select General or Advanced settings; click on Advanced to get a menu of all the enterprise services you wish to enable through Cloud Connector. The screenshot below shows some of the options you have. Keep the default of Use External AWCM URL unless your company’s security settings block ACC from resolving the External AWCM URL.
After you have chosen the enterprise services you wish to allow through ACC, scroll down to the section where you choose the AirWatch services you wish to enable for communications through ACC. After enabling the AirWatch services, it’s important to generate an ACC certificate and provide a password for it by clicking the Download AWCM Secure Channel Certificate installer link. You will be prompted to enter the password once the installer wizard is launched.
After clicking Override, next click on the Enable VMware Enterprise Systems Connector checkbox. This will give you the link to download the Enterprise Systems Connector installer (click on the blue link).
After downloading the installer, right click on it and select Run as Administrator to launch the installer. Once the installer has launched, go through the wizard to complete the installation. You will be given the choice of which components you wish to install: the VMware Identity Manager tool and the AirWatch Cloud Connector. Choose AirWatch Cloud Connector unless you are going to configure Workspace One portal in tandem (another blog post, another time).
After you get through the wizard, and your configuration is complete, it’s a good idea to test your installation to make sure that it’s working. Once again, navigate to Groups & Settings > All Settings > System > Enterprise Integration and then click on VMware Enterprise Systems Connector. Once there, click on the Test Settings button and you should get a green confirmation that reads Cloud Connector is active.
That’s it for installation. There is more to get through with ACC and in future blog posts I will dive deeper into architecture and management methods, but for now you should be off and running with ACC and VMware Enterprise Systems Connector in your enterprise.