The network and security configurations designed for single (all-in-one) server deployments differ from multiple-server deployments. IPv4 is the required protocol for the Workspace ONE Assist server. You must disable IPv6.

IP Address and Port Translation, Single-Server Deployment

The Workspace ONE Assist server is required to have one static IPv4 address. This address must be accessible from the mobile device network and the user network from which users access the web portal. This IP address is translated to the all-in-one server’s Portal (web) services and Connection Proctor (CP) services.

By default, web services are bound to ports 443 and 80 and CP services are bound to port 8443; however, your IT team can customize these ports. If Network Address Translation (NAT) is used, one public-facing static IP address is required, translated to the internal IP address of the Workspace ONE Assist server.

Port    Service
80*     Portal Services
443*    Portal Services and T10 API
8443*   Connection Proctor Service

* Indicates customizable port address.

IP Address and Port Translation, Multiple-Server Deployment

Each Connection Proctor server must have its own static IPv4 address that is accessible from the device network and the user network and is translated to the CP service using port 443. The server hosting Portal Services must also have its own static IP address that is accessible from the device network and the user network. Portal Services are bound to ports 443 and 80; however, your IT team can customize these ports.

If Network Address Translation (NAT) is used, each public-facing IP address must be translated to the internal IP address of the corresponding server.

Core and application components and their corresponding services can be deployed on a public-facing server or in a private zone. CP services and Portal Services must be able to communicate with these core and application services over a range of ports.

Port    Service
80*     Portal Services on Portal Server
443*    Portal Services and T10 API
8443*   Connection Proctor Service on CP Server
8865    Data Tier Proxy (DTP)
8866    Messaging Entity (ME)
8867    Data Access Proxy (DAP)
8870    Service Coordinator (SVC)
12780   Connection Proctor (CP) from Messaging Entity (ME)

* Indicates customizable port address.

Database services are deployed on the database server. The Workspace ONE Assist system connects to the database server using an IP address, hostname, or instance name. Typically, SQL Server accepts connections on port 1433.
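Before installing, it is worth confirming that the port paths listed above are actually open between the server roles, because a missing NAT translation or firewall rule is the usual cause of a CP or Portal server that cannot reach its core services. The following PowerShell script is an added example and is not part of the Workspace ONE Assist documentation or product; the host names are placeholders, and which paths are meaningful depends on the server you run it from.

```powershell
# Added example (not from the Workspace ONE Assist documentation): check that the TCP
# ports listed in the multiple-server port table are reachable between server roles.
# Host names are placeholders; run from the CP/Portal server and from the Core/App server.
$CoreAppServer = 'coreapp.example.internal'   # placeholder
$CpServer      = 'cp01.example.internal'      # placeholder
$PortalServer  = 'portal.example.internal'    # placeholder
$DbServer      = 'sql01.example.internal'     # placeholder

function Test-AssistPorts {
    param(
        [Parameter(Mandatory)][string]$Label,
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][int[]]$Ports
    )
    foreach ($port in $Ports) {
        # Test-NetConnection only proves the TCP handshake completes; it does not validate
        # the TLS certificate that CP (8443) and Portal Services (443) will present.
        $r = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Path   = $Label
            Target = $Target
            Port   = $port
            Open   = [bool]$r.TcpTestSucceeded
        }
    }
}

# One entry per row of the port table; the Label records which role should be the source.
$Checks = @(
    @{ Label = 'Device/User -> Portal';  Target = $PortalServer;  Ports = 80, 443 }
    @{ Label = 'Device/User -> CP';      Target = $CpServer;      Ports = 8443 }
    @{ Label = 'CP/Portal -> Core/App';  Target = $CoreAppServer; Ports = 8865, 8866, 8867, 8870 }
    @{ Label = 'Core/App -> CP';         Target = $CpServer;      Ports = 12780 }
    @{ Label = 'Core/App -> Database';   Target = $DbServer;      Ports = 1433 }
)

$results = foreach ($c in $Checks) { Test-AssistPorts @c }
$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} required port(s) unreachable from this host; review NAT and firewall rules." -f $blocked.Count)
}
```

A path that shows Open = False from the role that is supposed to use it points at the NAT or firewall configuration for that hop; a path that shows Open = True from a role that should not have it (for example, port 1433 reachable from a device network) is a sign the rule set is wider than the tables above require.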

Persistence for Multiple Server Deployment

Workspace ONE Assist supports IP and SSL persistence. SSL persistence is required for Connection Proctor servers because SSL termination must take place on the server itself.

SSL persistence is also required for T10 service communication. An SSL certificate must be present on the T10 server since this communication cannot be offloaded.

Firewall Rules, Single-Server Deployment

Firewall rules can be summarized based on the number of allocated IP addresses to the Workspace ONE Assist system.

Source                                 Destination                         Protocol      Port   Direction   Rule
Device and User Networks / Internet    CP Server                           TCP/TLS/SSL   8443   Inbound     Accept
Device and User Networks / Internet    Portal Server                       TCP/HTTPS     443    Inbound     Accept
Workspace ONE portal server            Portal Server (T10 Interface)       TCP/HTTPS     443    Inbound     Accept
Advanced Remote Management server      MS SQL Database Server              TCP           1433   Inbound     Accept

Firewall Rules, Multiple Server Deployment

Source                                 Destination                         Protocol      Port                       Direction   Rule
Device and User Networks / Internet    CP Server                           TCP/TLS/SSL   8443                       Inbound     Accept
Device and User Networks / Internet    Portal Server                       TCP/HTTPS     443                        Inbound     Accept
Workspace ONE portal server            Portal Server (T10 Interface)       TCP/HTTPS     443                        Inbound     Accept
CP Server and Portal Server            Core/App Server                     TCP           8865, 8866, 8867, 8870     Inbound     Accept
Core/App Server                        CP Server                           TCP           12780                      Inbound     Accept
Core/App Server                        Database Server                     TCP           1433                       Inbound     Accept
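The rule tables above restrict each port to a specific source, and the same scoping should be carried onto the host firewall of each server rather than opening the ports to any address. The following PowerShell script is an added example, not part of the Workspace ONE Assist documentation or product: it creates Windows Defender Firewall inbound rules for one server role using the sources from the multiple-server table. The address ranges and the rule names are placeholders, and the script assumes the default ports; adjust the port numbers if your IT team has customized them.

```powershell
# Added example (not from the Workspace ONE Assist documentation): create host-level
# Windows Defender Firewall inbound rules for one server role, scoped to the source
# addresses the firewall rule table allows. All addresses below are placeholders.
param(
    [Parameter(Mandatory)][ValidateSet('CP', 'Portal', 'CoreApp', 'Database')]
    [string]$Role
)

$DeviceAndUserNets = @('10.10.0.0/16', '203.0.113.0/24')  # placeholder device/user networks
$CpServers         = @('10.20.0.11', '10.20.0.12')        # placeholder CP server addresses
$PortalServer      = '10.20.0.21'                         # placeholder Portal server
$CoreAppServer     = '10.20.0.31'                         # placeholder Core/App server

function New-AssistInboundRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int[]]$LocalPort,
        [Parameter(Mandatory)][string[]]$RemoteAddress
    )
    # Replace any rule of the same name so re-running the script does not stack duplicates.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $LocalPort -RemoteAddress $RemoteAddress | Out-Null
    Write-Host ("Created '{0}': TCP {1} from {2}" -f $Name, ($LocalPort -join ','), ($RemoteAddress -join ','))
}

switch ($Role) {
    'CP' {
        # Device and user traffic to the Connection Proctor service.
        New-AssistInboundRule -Name 'Assist CP 8443' -LocalPort 8443 -RemoteAddress $DeviceAndUserNets
        # The Messaging Entity on the Core/App server calls back into the CP on 12780.
        New-AssistInboundRule -Name 'Assist CP from ME 12780' -LocalPort 12780 -RemoteAddress $CoreAppServer
    }
    'Portal' {
        # Portal Services and the T10 API share 443; the Workspace ONE portal server reaches T10 here too.
        New-AssistInboundRule -Name 'Assist Portal 443' -LocalPort 443 -RemoteAddress $DeviceAndUserNets
    }
    'CoreApp' {
        # DTP, ME, DAP and SVC are called only by CP and Portal servers, so restrict to those hosts.
        New-AssistInboundRule -Name 'Assist Core/App services' -LocalPort 8865, 8866, 8867, 8870 `
            -RemoteAddress ($CpServers + $PortalServer)
    }
    'Database' {
        # SQL Server accepts 1433 only from the Core/App server, never from device or user networks.
        New-AssistInboundRule -Name 'Assist SQL 1433' -LocalPort 1433 -RemoteAddress $CoreAppServer
    }
}
```

Run it as `.\New-AssistRules.ps1 -Role CoreApp` (or whichever role the host has) from an elevated prompt. These host rules complement, not replace, the perimeter firewall and NAT translations; the Windows firewall profile that applies depends on how the adapter's network is classified, so confirm the rule is active on the profile in use with `Get-NetFirewallRule -DisplayName 'Assist *'`.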

Fully Qualified Domain Name and Site SSL/TLS Certificate, Single-Server Deployment

The Workspace ONE Assist system requires one FQDN assigned to the static IP address; this FQDN is used for Portal Services and for Connection Proctor services.

The Site SSL/TLS certificate has the following attributes in a single-server deployment:

  • It is used for TLS/SSL bindings for Portal services.
  • It is used in IIS for the Portal Services bound to port 443.
  • It corresponds to the FQDN.
  • It is used for the Connection Proctor Service bound to port 8443.
  • It contains both public and private key pairs.
  • It must be installed on the Workspace ONE Assist server’s personal certificate store before the Workspace ONE Assist software is installed.

Obtain your SSL/TLS certificate from a well-known certificate authority such as Comodo, GoDaddy, and so on. If you prefer a self-signed certificate, then the root and intermediate certificates/public key pair must be installed on mobile devices you intend to remote into.

Fully Qualified Domain Name and Site SSL/TLS Certificate, Multiple Server Deployment

One FQDN is assigned to the Portal server and one FQDN is assigned to each CP server deployed in the ARM system. If a single CP server is deployed, you must have 2 FQDNs. If 2 CP servers are deployed, then 3 FQDNs are required, and so on.

You can obtain a SAN or wildcard site SSL/TLS certificate for the TLS/SSL IIS bindings of the Portal Services. The same SAN or wildcard certificate can be used on the CP servers to bind the CP services. If you use a separate SSL/TLS certificate for each server, then each server must have its own certificate installed. The certificates must correspond to the FQDN assigned to each server. The certificates must contain both private and public keys, and they are installed in the server's local machine certificate store.

Obtain your SSL/TLS certificates from a well-known certificate authority such as Comodo, GoDaddy, and so on. If you prefer a self-signed certificate, then the root and intermediate certificates/public key pair must be installed on mobile devices you intend to remote into.
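Both the single-server and multiple-server sections above require that, before the software is installed, each server's local machine Personal store holds a certificate that matches the server's FQDN (directly, or through a SAN or wildcard entry) and carries the private key, and that IPv6 is disabled. The following PowerShell script is an added example, not part of the Workspace ONE Assist documentation or product, that checks those prerequisites; the FQDN is a placeholder.

```powershell
# Added example (not from the Workspace ONE Assist documentation): pre-install checks for
# the site certificate and the IPv4-only requirement. The FQDN is a placeholder.
$Fqdn = 'assist.example.com'   # placeholder: FQDN assigned to this server's static IP

function Test-DnsNameMatch {
    param([string]$Pattern, [string]$Fqdn)
    # A wildcard entry (*.example.com) covers exactly one left-most label.
    if ($Pattern.StartsWith('*.')) {
        $dot = $Fqdn.IndexOf('.')
        return ($dot -gt 0) -and ($Fqdn.Substring($dot + 1) -ieq $Pattern.Substring(2))
    }
    return $Pattern -ieq $Fqdn
}

function Test-AssistSiteCertificate {
    param([Parameter(Mandatory)][string]$Fqdn)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    # The certificate must be in the local machine Personal store, not a user store.
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $names = @($_.DnsNameList | ForEach-Object { $_.Unicode })
        if ($names.Count -eq 0) { $names = @($_.GetNameInfo('SimpleName', $false)) }
        @($names | Where-Object { Test-DnsNameMatch -Pattern $_ -Fqdn $Fqdn }).Count -gt 0
    }
    foreach ($cert in $candidates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey        # required: both halves of the key pair
            NotExpired    = $cert.NotAfter -gt (Get-Date)
            ServerAuthEku = ($cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
            ChainTrusted  = $chainOk                   # False for a self-signed cert whose root is not trusted locally
            ChainStatus   = ($chain.ChainStatus.Status -join ',')
        }
    }
}

function Test-Ipv6Disabled {
    # IPv6 should be unbound from every adapter (ms_tcpip6 is the IPv6 binding component).
    $bound = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled)
    [pscustomobject]@{
        Ipv6Disabled     = ($bound.Count -eq 0)
        AdaptersWithIpv6 = ($bound.Name -join ',')
    }
}

$certs = @(Test-AssistSiteCertificate -Fqdn $Fqdn)
if ($certs.Count -eq 0) { Write-Warning "No certificate matching $Fqdn found in Cert:\LocalMachine\My" }
$certs | Format-List
Test-Ipv6Disabled | Format-List
```

A certificate that matches the FQDN but reports HasPrivateKey = False was imported from a public-key-only file and cannot serve the 443 or 8443 bindings; re-import it from a PFX that contains the private key. ChainTrusted = False is expected for a self-signed certificate unless its root has been placed in the local Trusted Root store, which is separate from the requirement above that the root and intermediate certificates also be installed on the mobile devices.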