VMware Workspace ONE is a management platform that allows IT administrators to centrally control end-users' mobile devices and cloud-hosted virtual desktops and applications from the cloud or from an on-premises deployment. It is a simple and secure enterprise platform that delivers and manages any app on any device by integrating identity, application, and enterprise mobility management.
VMware Workspace ONE UEM (formerly known as AirWatch) provides a comprehensive enterprise mobility platform that delivers simplified access to enterprise applications, secures corporate data, and enables mobile productivity. It also works with the public application stores, to handle the provisioning of native mobile applications to mobile devices.
Workspace ONE UEM can be deployed on-premises in various configurations to suit diverse business requirements. When deployed within a network infrastructure, Workspace ONE UEM can adhere to strict corporate security policies by storing all data on-site. In addition, Workspace ONE UEM has been designed to run on virtual environments, which creates seamless deployments on several different setups.
For high availability, Workspace ONE UEM components need load balancing and session persistence. Application servers receive requests from console and device users and process the data and results. No persistent data is maintained on these servers, but user and device sessions are maintained for a short time, so load balancing and session persistence are a necessity for these components. The Avi Load Balancer can be integrated with Workspace ONE UEM to provide high availability and session persistence for the various components. The following sections cover the best practices, but you can configure load balancers with an algorithm of your choice.
Topology
In a standard Workspace ONE UEM deployment, multiple servers can be used for the various components. A DMZ architecture can be used to segment the administrative console server into the internal network for increased security. This deployment model allows for increased resource capacity by allowing each server to be dedicated to a Workspace ONE UEM component. While these components are combined in some diagrams for illustrative purposes, each can reside on a dedicated server. Many configuration combinations exist and might apply to your network setup. The following diagram is provided for reference.
Deployment Modes
Mode 1 (One VIP per component)
All the WS1 UEM components or services are deployed on different servers, and a separate load balancer VIP is configured for each component. For more information, see the Load Balancing Workspace ONE UEM Components topic in the VMware Avi Load Balancer Configuration Guide.
Mode 2 (Fewer VIPs)
Some components are deployed together on one server, while the remaining components are deployed on another server. In this deployment mode, two VIPs are used for all components instead of one VIP per component.
Workspace ONE UEM Components
The following table explains various Workspace ONE UEM components.
| Application Module | Description |
| --- | --- |
| Workspace ONE UEM Admin Console | The admin console web service for AirWatch, used to configure system and device settings. |
| Workspace ONE UEM Admin API | The AirWatch REST API service. |
| Workspace ONE UEM Device Services | A web server that interacts with all devices for provisioning and for pushing apps and configuration. It also hosts the end-user self-service portal. |
| AirWatch Cloud Messaging (AWCM) | A queueing service that holds command queues for the AirWatch stack and Android devices. AWCM provides secure communication to the back-end systems in conjunction with the VMware AirWatch Cloud Connector (ACC); the ACC uses AWCM to securely communicate with the Workspace ONE UEM console. AWCM also streamlines the delivery of messages and commands from the UEM console to devices by eliminating the need for end-users to access the public Internet or use consumer accounts, such as Google IDs. AWCM serves as a comprehensive substitute for Google Cloud Messaging (GCM) or Firebase Cloud Messaging (FCM) for Android devices and is the only option for providing Mobile Device Management (MDM) capabilities for Windows Rugged devices. |
| VMware Tunnel | The Per-App VPN service for devices; it is an SSL VPN hosted as a service on Unified Access Gateway. |
Deployment Considerations and Recommendations
This document covers the best practices, but you can configure load balancers with an algorithm of your choice. Workspace ONE UEM supports simple algorithms such as Round Robin and more sophisticated ones such as Least Connections.
The following are the considerations when setting up load balancing for Workspace ONE UEM components deployed on-premises:
If the Enrollment Session Timeout values are modified in Workspace ONE UEM Console Settings, you must set the Persistence Timeout values to the same value.
UEM console: Session persistence timeout of one hour is required, based on the default configuration of Workspace ONE UEM.
If the Idle Session Timeout values are modified in the UEM Console Settings, you must set the Persistence Timeout values to the same value.
Load balancers should redirect all HTTP requests to HTTPS.
The load balancer must insert an X-Forwarded-For (XFF) header carrying the actual client IP address.
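The considerations above can be checked mechanically before a VIP goes live. The following Python script is an added example, not VMware or Avi Load Balancer code: it models a Mode 2 layout (two VIPs) as plain data, checks each VIP against the rules on this page (persistence timeout equal to the UEM console timeout, HTTP redirected to HTTPS, XFF inserted), and shows how a backend should read the XFF value the load balancer appended. The data classes, field names, the mapping of components to console timeouts, and the sample addresses and timeouts are assumptions constructed for the example.

```python
"""Consistency check for a Workspace ONE UEM load-balancer layout.

Added example, not VMware or Avi Load Balancer code. Component names and
the rules (persistence timeout matches the UEM console timeouts, HTTP is
redirected to HTTPS, XFF is inserted) come from the page; the data
structures, field names and sample values are assumptions made here.
"""
from dataclasses import dataclass
from typing import Dict, List

# Default Workspace ONE UEM session persistence: one hour.
DEFAULT_PERSISTENCE_SECONDS = 3600


@dataclass
class UemConsoleSettings:
    """Timeouts as set in the UEM Console Settings (field names are assumed)."""
    enrollment_session_timeout_s: int = DEFAULT_PERSISTENCE_SECONDS
    idle_session_timeout_s: int = DEFAULT_PERSISTENCE_SECONDS


@dataclass
class VirtualService:
    """One load-balancer VIP and the UEM components behind it (assumed shape)."""
    name: str
    components: List[str]
    persistence_timeout_s: int
    redirect_http_to_https: bool
    insert_xff: bool


# Which UEM console timeout governs each component's persistence timeout.
# Device Services handles device enrollment and the Admin Console handles
# administrator sessions; this mapping is an assumption made for the example.
TIMEOUT_SOURCE: Dict[str, str] = {
    "Device Services": "enrollment_session_timeout_s",
    "Admin Console": "idle_session_timeout_s",
}


def check_virtual_service(vs: VirtualService, settings: UemConsoleSettings) -> List[str]:
    """Return one finding per violated consideration; an empty list means compliant."""
    findings: List[str] = []
    for comp in vs.components:
        attr = TIMEOUT_SOURCE.get(comp)
        if attr is None:
            continue  # the page states no session-timeout rule for this component
        expected = getattr(settings, attr)
        if vs.persistence_timeout_s != expected:
            findings.append(
                f"{vs.name}: persistence timeout {vs.persistence_timeout_s}s "
                f"differs from {comp} {attr}={expected}s"
            )
    if not vs.redirect_http_to_https:
        findings.append(f"{vs.name}: HTTP requests are not redirected to HTTPS")
    if not vs.insert_xff:
        findings.append(f"{vs.name}: X-Forwarded-For header is not inserted")
    return findings


def client_ip_from_xff(xff_header: str) -> str:
    """Return the address the load balancer appended to X-Forwarded-For.

    Assumes the load balancer appends (rather than replaces) XFF: the
    connecting client's IP is then the LAST element, while any earlier
    elements were supplied by the client itself and are unverified, so a
    backend must not take the first one.
    """
    parts = [p.strip() for p in xff_header.split(",") if p.strip()]
    return parts[-1]


def mode2_example() -> List[str]:
    """Mode 2 layout with the console Idle Session Timeout lowered to 30 minutes."""
    settings = UemConsoleSettings(idle_session_timeout_s=1800)  # constructed value
    vips = [  # constructed sample layout: two VIPs front all four components
        VirtualService("vip-admin", ["Admin Console", "Admin API"], 3600, True, True),
        VirtualService("vip-device", ["Device Services", "AWCM"], 3600, False, True),
    ]
    findings: List[str] = []
    for vs in vips:
        findings.extend(check_virtual_service(vs, settings))
    return findings


if __name__ == "__main__":
    for line in mode2_example():
        print(line)
    # constructed header: client-supplied value first, LB-appended value last
    print(client_ip_from_xff("198.51.100.7, 203.0.113.10"))
```

Running the script reports two findings for the constructed layout: the admin VIP still persists sessions for 3600 s although the console Idle Session Timeout was lowered to 1800 s, and the device VIP does not redirect HTTP to HTTPS. The XFF helper returns the load-balancer-appended address (203.0.113.10), not the client-supplied 198.51.100.7.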