Workspace ONE UEM powered by AirWatch SaaS environments are integrated with Akamai's Download Delivery CDN network and the on-premises customer can take advantage of this functionality by obtaining Akamai's CDN capabilities. A Content Delivery Network (CDN) is a highly distributed platform of servers that responds directly to the end-user requests for the web content. Content delivery network acts as an intermediary between the AirWatch servers and the end-user devices to mitigate the challenges of delivering the content over the Internet.
Read through the following sections to learn more about setting up the integration between Akamai CDN and Workspace ONE UEM powered by AirWatch.
As an on-premises customer, you must first establish a relationship with the CDN provider for hosting. Once this environment is available, you can then proceed to integrate with Workspace ONE UEM. Integrating Workspace ONE UEM with a CDN provider allows the end users in different regions download the internal applications from the CDN server closest to them, as opposed to an internal file server that is located remotely.
Benefits of Integrating Workspace ONE UEM with CDN
- Increased download speeds for geographically distributed end-users.
- Reduced load for Workspace ONE UEM servers.
Hardware, Software, Network, and Generic Requirements
- CDN (Content Delivery Networks) installer. CDN installer can be found here.
- IIS (Internet Information Services) Server Manager 6 and above.
- Windows Server 2012 and above.
- Minimum of 4 CPU cores and 8 GB RAM.
- Origin Server cannot be on the Device Service or the Console server box.
- Origin Server must be set up in the same domain as the Console Server box.
- Port 443 and 80 must be used only for CDN. Ensure that the Origin server is reachable on these ports.
- Origin Server needs to have a public DNS (Domain Name Servers) so that the Akamai edge server can access the box.
- Origin Server is possible to set up the DNS to do the routing internally to the proper servers, as necessary.
Note: For the Origin Server storage, multiply the average file size by the average number of files, then multiply by two to avoid full disk issues that prevent the caching of files.
- You must have the Akamai Download Delivery solution account.
- You must create a secret key (SHA256 Hash Key). this will be used while running the CDN installer and for the Akamai account for Edge Server Identification.
Workspace ONE UEM and Akamai Integration Architecture
The Workspace ONE UEM and Akamai Integration Workflow highlight the communication and interaction between Workspace ONE UEM and Akamai. Workspace ONE UEM and Akamai Integration support allowlisting of Akamai Edge Server IP Address. That is, if your end-user devices are a part of a network that allows connections to only servers whose IP addresses are allowedlist, then the integration can be implemented with variation in Akamai configuration.
Workspace ONE UEM and Akamai Integration Workflow Components
Workspace ONE Origin Server: The Workspace ONE Origin Server is the file server that is configured for storage of all files that will then be cached within the Akamai CDN.
Content Server Domain : The Content Server Domain is the domain mapping to the configured Akamai Edge Server using the CNAME DNS plus *.edgekey.net.
Akamai Integration Workflow Diagram
|1||Admin uploads apps to the Workspace ONE UEM console.|
|2||Adds the application to the AirWatch Database or the File Storage Server.|
|3||Copies the application files using the configured UNC path and credentials.|
|4||Publish the application to the end-user devices.|
|5||Generate the app download URL containing HMAC Token, which is valid for 24hrs, using the salt/encryption key with SHA256 algorithm.|
|6||Send the generated content download URL to the device.|
|7||Request content from the content server that points to the Akamai Edge server.|
|8||Forward the request to the edge server with the valid HMAC token received from the device.|
|9||Verify if the content is available in cache. Pull the content from the Origin Server if the content is not in the cache or if the content has changed. The communication is authorized by the edge identification key passed in the request header from Edge server.|
|10||If Edge is in the IP allowlist, the request for the file is processed. If Edge IP is not in the allowlist, then the request for 401/403 is processed.|
|11||Stream the content to the devices if the token is valid.|