The VMware Tunnel supports deploying a single-tier model and a multi-tier model. Use the deployment model that best fits your needs.

Both SaaS and on-premises AirWatch environments support the single-tier and multi-tier models. The VMware Tunnel must have a publicly accessible endpoint for devices to connect to when making a request.

Single-tier models have a single instance of VMware Tunnel configured with a public DNS. In the AirWatch Console and the installer, this deployment model uses the basic-endpoint model.

Multi-tier networks have separation between servers with firewalls between the tier. Typical AirWatch multi-tier deployments have a DMZ that separates the Internet from the internal network. VMware Tunnel supports deploying a front-end server in the DMZ that communicates with a back-end server in the internal network.

The multi-tier deployment model includes two instances of the VMware Tunnel with separate roles. The VMware Tunnel front-end server resides in the DMZ and can be accessed from public DNS over the configured ports. The servers in this deployment model communicate with your API and AWCM servers. For SaaS deployments, AirWatch hosts the API and AWCM components in the cloud. For an on-premises environment, the AWCM component is typically installed in the DMZ with the API.