The steps and navigation path mentioned for various configuration parameters are the same for the configuration of other Workspace ONE UEM applications. A few of the attributes differ, as mentioned in the tables in the previous section.

Creating a Custom Health Monitor

The following are the steps to create a custom health monitor:

  1. Navigate to Templates > Profiles > Health Monitors. Click Create.

  2. Specify the name and description for the health monitor.

  3. Select the HTTPS option from the Type drop-down menu.

  4. Specify the successful and failed checks details, and the Send Interval and Receive Timeout details.

  5. The Is Federated field describes the object's replication scope. If this field is not selected, the object is visible within the controller-cluster and its associated service engines. If it is selected, the object is replicated across the federation.

  6. Specify the health monitor port.

  7. Set the Authentication Type to either NTLM or Basic from the drop-down menu.

  8. Specify the Client Request details (both header and body).

  9. Select the Response Code option as 2XX from the drop-down menu.

  10. Select the SSL Attributes and Use Exact Request check box.

  11. Specify the server maintenance mode and Role-Based Access Control (RBAC) details.

  12. Click Save and proceed to the next step of creating a persistence profile.

Creating a Persistence Profile

For the Workspace ONE UEM Admin Console, source IP persistence or cookie-based persistence is preferred, with the timeout value set to 60 minutes.

The following are the steps to create the persistence profile:

  1. Navigate to Templates > Profiles > Persistence and click Create.

  2. Add the required details to the new persistence profile.

  3. Click Save and proceed to create a pool.

Creating Pool

The following are the steps to create a pool:

  1. Navigate to Applications > Pools. Click CREATE POOL.

  2. Select the cloud from the Select Cloud sub-screen and click Next.

  3. Select Least Connections from the Load Balance drop-down menu.

  4. Select the persistence profile created in the previous step from the Analytics Profile drop-down menu.

  5. To bind the monitor, click Add Active Monitor and select the custom HTTPS monitor that was created in the previous section.

  6. For SSL offload, the Enable SSL option at the pool level is not required because traffic goes to the back-end servers in plain text. If the back-end server listens only on SSL, the traffic must be sent in encrypted form, so SSL must be enabled at the pool level. Select the Enable SSL check box, select the appropriate SSL profile, and click Next.

  7. In the Servers tab, add IP addresses of the servers, and click Next.

  8. Navigate through the Step 3: Advanced tab and the Step 4: Review tab by clicking Next, and then click Save.

Creating Application Profile

As a best practice, all HTTP requests must be redirected to HTTPS. Load balancers for UEM must be configured to set the X-Forwarded-For (XFF) header with the client's source IP. Other options are not mandatory and depend on the requirement. The default System-Secure-HTTP profile can also be used instead of creating a new application profile.

The following are the steps to create an application profile:

  1. Navigate to Templates > Profiles > Application.

  2. Select HTTP from the Create drop-down menu.

  3. Specify the name and description of the application profile, and retain default values in the HTTP Settings section.

  4. Select the check box for X-Forwarded-For.

  5. In the Security tab, select the SSL Everywhere check box.

  6. Click Save to proceed further to install the SSL certificate. If not required, some of these options can be deactivated.

  7. Some services like Device Service and Admin Console might require HTTP Strict Transport Security. Select the HTTP Strict Transport Security (HSTS) check box if required.
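One way to check the effect of this profile from responses captured on port 80 and on the SSL port, as an added example that is not part of the VMware documentation. The function names and the host uem.example.test are assumptions, the sample responses are constructed, and `require_hsts` reflects that HSTS is selected only where required.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}

# Constructed sample responses as (status, headers); the host is a placeholder.
GOOD_HTTP = (302, {"Location": "https://uem.example.test/"})
GOOD_HTTPS = (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"})
BAD_HTTP = (200, {"Content-Type": "text/html"})   # content served over plain HTTP
BAD_HTTPS = (200, {"Content-Type": "text/html"})  # no HSTS header


def header(headers, name):
    """Case-insensitive header lookup; None when the header is absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def hsts_max_age(value):
    """Return max-age in seconds from an HSTS header value, or None if unusable."""
    for directive in (value or "").split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isascii() and val.isdigit() else None
    return None


def audit_front_end(http_resp, https_resp, require_hsts=True):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    status, headers = http_resp
    location = header(headers, "Location") or ""
    if status not in REDIRECT_CODES:
        findings.append(f"port 80 answered {status} instead of redirecting")
    elif urlsplit(location).scheme.lower() != "https":
        # A relative Location keeps the client on HTTP, so it is flagged too.
        findings.append(f"redirect target is not HTTPS: {location!r}")
    _, headers = https_resp
    if require_hsts:
        age = hsts_max_age(header(headers, "Strict-Transport-Security"))
        if age is None:
            findings.append("HSTS header missing or malformed")
        elif age == 0:
            findings.append("HSTS max-age=0 switches the policy off")
    return findings


if __name__ == "__main__":
    print(audit_front_end(GOOD_HTTP, GOOD_HTTPS))
    print(audit_front_end(BAD_HTTP, BAD_HTTPS))
```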

Installing SSL Certificate for L7 Virtual Service

The SSL connections are terminated at the virtual service level, so the SSL certificate must be assigned to the virtual service. It is advised to install a certificate signed by a valid certificate authority instead of using self-signed certificates. Install the certificate in Avi Load Balancer and ensure that the CA certificate is imported and linked. For instructions, see the SSL Certificates topic in the VMware Avi Load Balancer Configuration Guide.

Creating an L7 Virtual Service

The following are the steps to create a Layer 7 virtual service for Workspace ONE UEM Admin console:

  1. Navigate to Applications > Virtual Services.

  2. Select Advanced Setup from the Create Virtual Service drop-down menu. Select a cloud from the Select Cloud drop-down menu.

    1. Application Profile: Select the application profile created in the previous section.

    2. Service Port: Specify the value as 80 and 444 (SSL).

    3. Pool: Specify the pool created in the previous section.

  3. For SSL profile, use the default SSL profile, or create a new one as per the requirement.

  4. For SSL certificate, install the certificate and bind it to the virtual service as shown above.

  5. Click Next and retain the default settings for the remaining fields.

  6. Click Next and then click Save.