The relay-endpoint deployment model architecture includes two instances of the AirWatch Tunnel with separate roles.

The AirWatch Tunnel relay server resides in the DMZ and is reachable from the public Internet, through its public DNS record, over the configured ports.

The configured ports are 8443 for the per-app tunnel and 2020 for the proxy. The AirWatch Tunnel endpoint server is installed in the internal network that hosts intranet sites and Web applications. The AirWatch Tunnel endpoint server must have an internal DNS record that the relay server can resolve. This deployment model separates the publicly available server from the server that connects directly to internal resources, which provides an added layer of security.

The relay server role includes communicating with the AirWatch API and the AWCM components and authenticating devices when requests are made to AirWatch Tunnel. In this deployment model, AirWatch Tunnel supports an outbound proxy for communicating with the API and AWCM from the relay. The per-app tunnel service must communicate with the API and AWCM directly. When a device makes a request to the AirWatch Tunnel, the relay server determines whether the device is authorized to access the service. Once the device is authenticated, the request is forwarded securely over HTTPS on a single port to the AirWatch Tunnel endpoint server.

Note: The default relay-endpoint port is 2010.

The role of the endpoint server is to connect to the internal DNS name or IP address requested by the device. The endpoint server does not communicate with the API or AWCM unless the setting "Enable API and AWCM outbound calls via proxy" is set to Enabled in the AirWatch Tunnel settings in the AirWatch console. The relay server performs health checks at a regular interval to ensure that the endpoint is active and available.

These components can be installed on shared or dedicated servers. Install AirWatch Tunnel on dedicated Linux servers so that performance is not affected by other applications running on the same server. For a relay-endpoint deployment, the proxy and per-app tunnel components are installed on the same relay server. Only the proxy component is installed on the endpoint server. The per-app tunnel relay component uses the proxy endpoint to connect to internal applications, so the two components share one relay-endpoint port and the same endpoint hostname.
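The port and DNS requirements above are easy to get wrong at the firewall, and the value of the two-tier layout is lost if the endpoint server ends up reachable from the public side. The following script is an added example, not VMware's code, that turns the page's flow model into a pre-deployment check: the ports 8443, 2020 and 2010 come from the text, while the zone names (`internet`, `relay`, `endpoint`, `api_awcm`), the `(src, dst, port)` rule format, the example hostname and the assumption that API/AWCM traffic uses 443 are all placeholders chosen for the example.

```python
"""Pre-deployment checks for an AirWatch Tunnel relay-endpoint layout.

Added example. Ports 8443 (per-app tunnel), 2020 (proxy) and 2010
(relay-endpoint default) follow the deployment description; zone names,
the rule tuple format and the API/AWCM port are assumptions.
"""
import socket
from dataclasses import dataclass

# Port assignments from the deployment description.
PER_APP_TUNNEL_PORT = 8443
PROXY_PORT = 2020
RELAY_ENDPOINT_PORT = 2010   # default; configurable in the console
API_AWCM_PORT = 443          # assumption: HTTPS to the API and AWCM


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


# Flows the relay-endpoint model requires. Zone names are placeholders.
REQUIRED_FLOWS = {
    Flow("internet", "relay", PER_APP_TUNNEL_PORT),
    Flow("internet", "relay", PROXY_PORT),
    Flow("relay", "endpoint", RELAY_ENDPOINT_PORT),
    Flow("relay", "api_awcm", API_AWCM_PORT),
}

# Source/destination pairs that defeat the segmentation the model provides:
# only the relay may be exposed publicly, never the endpoint or the intranet.
FORBIDDEN_PAIRS = {
    ("internet", "endpoint"),
    ("internet", "internal"),
}


def audit_rules(allow_rules):
    """Compare firewall allow rules, given as (src, dst, port), with the model.

    Returns (missing, violations): required flows that no rule allows, and
    allow rules that expose a protected zone to the public side.
    """
    allowed = {Flow(*rule) for rule in allow_rules}
    key = lambda f: (f.src, f.dst, f.port)
    missing = sorted(REQUIRED_FLOWS - allowed, key=key)
    violations = sorted(
        (f for f in allowed if (f.src, f.dst) in FORBIDDEN_PAIRS), key=key
    )
    return missing, violations


def endpoint_resolvable(hostname, resolver=socket.gethostbyname):
    """True if the endpoint's internal DNS name resolves from this host.

    Run on the relay server. `resolver` is injectable so the logic can be
    exercised without network access; production uses the default resolver.
    """
    try:
        resolver(hostname)
        return True
    except OSError:
        return False


def port_open(host, port, timeout=3.0):
    """TCP reachability check, e.g. relay -> endpoint on the relay-endpoint port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed rule set: the relay-endpoint flow is missing and the
    # endpoint is (wrongly) exposed to the Internet on the proxy port.
    sample_rules = [
        ("internet", "relay", 8443),
        ("internet", "relay", 2020),
        ("relay", "api_awcm", 443),
        ("internet", "endpoint", 2020),
    ]
    missing, violations = audit_rules(sample_rules)
    for f in missing:
        print(f"MISSING   {f.src} -> {f.dst}:{f.port}")
    for f in violations:
        print(f"VIOLATION {f.src} -> {f.dst}:{f.port}")
    # Placeholder hostname; replace with the endpoint's internal DNS record.
    print("endpoint DNS resolvable:",
          endpoint_resolvable("tunnel-endpoint.internal.example"))
```

Run `audit_rules` against an export of the intended firewall rules before installation, and `endpoint_resolvable` plus `port_open` from the relay server itself after the endpoint is installed; if the relay-endpoint port was changed from the default, adjust `RELAY_ENDPOINT_PORT` to match the console setting.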