Avi Vantage and VMware Workspace ONE UEM


VMware Workspace ONE is a management platform that allows IT administrators to centrally control end-users’ mobile devices and cloud-hosted virtual desktops and applications from the cloud or from an on-premises deployment. It is a simple and secure enterprise platform that delivers and manages any app on any device by integrating identity, application, and enterprise mobility management.

VMware Workspace ONE UEM (formerly known as AirWatch) provides a comprehensive enterprise mobility platform that delivers simplified access to enterprise applications, secures corporate data, and enables mobile productivity. It also works with the public application stores, to handle the provisioning of native mobile applications to mobile devices. Workspace ONE UEM can be deployed on-premises in various configurations to suit diverse business requirements. When deployed within a network infrastructure, Workspace ONE UEM can adhere to strict corporate security policies by storing all data on-site. In addition, Workspace ONE UEM has been designed to run on virtual environments, which creates seamless deployments on several different setups.
For high availability, Workspace ONE UEM components need load balancing and session persistence. Application servers receive requests from the console and device users and process the data and results. No persistent data is maintained on these servers, but the user and device sessions are maintained for a short time, so load balancing and session persistence is a necessity for these components.

Avi load balancer can be integrated with Workspace ONE UEM for high availability and session persistence for the various components.
This document covers the best practices, but you can configure load balancers with an algorithm of your choice.


In a standard Workspace ONE UEM deployment, multiple servers can be used for the various components. A DMZ architecture can be used to segment the administrative console server into the internal network for increased security. This deployment model allows for increased resource capacity by allowing each server to be dedicated to Workspace ONE UEM components. While these components are combined in some diagrams for illustrative purposes, they can reside on a dedicated server. Many configuration combinations exist and may apply to your network setup Below is a diagram for reference purpose:


Deployment Modes

  • Mode 1(One VIP per component) — All the WS1 UEM components or services deployed on different servers and a separate load balancer VIP is configured for each components.

  • Mode 2(Fewer VIPs): Few components are deployed on the same server whereas other components are deployed on another server. In this deployment mode, two VIPs are used for all components instead of having one VIP for each component.

Workspace ONE UEM Components

The following table explains various Workspace ONE UEM components.

Application Module Description
Workspace ONE UEM Admin Console This is the admin console web service for AirWatch. This is used to configure the system and device settings.
Workspace ONE UEM Admin API The AirWatch REST API service
Workspace ONE UEM Device Services This is a web server that interacts with all devices for provisioning and pushing apps/configuration. It also hosts the end-user self-service portal.
AirWatch Cloud Messaging(AWCM) This is a queueing service that is used to hold command queues for the AirWatch stack, as well as Android devices.
AWCM provides secure communication to the back-end systems in conjunction with the VMware AirWatch Cloud Connector (ACC). The ACC uses AWCM to securely communicate with the Workspace ONE UEM console.
AWCM also streamlines the delivery of messages and commands from the UEM console to devices by eliminating the need for end-users to access the public Internet or use consumer accounts, such as Google IDs. AWCM serves as a comprehensive substitute for Google Cloud Messaging (GCM) or Firebase Cloud Messaging (FCM) for Android devices and is the only option for providing Mobile Device Management (MDM) capabilities for Windows Rugged devices.
VMware Tunnel This Per-App VPN service for devices is an SSL VPN and is hosted as a service on Unified Access Gateway.
Secure Email Gateway V2 (SEG V2) This service protects mail infrastructure of an organization. It enables VMware AirWatch Mobile Email Management (MEM) functionalities. The Content Gateway provides a secure and effective medium for end users to access internal repositories..
Content Gateway provides a secure and effective medium for end users to access internal repositories. Using the VMware Content Gateway with VMware Workspace ONE Content provides levels of access to your corporate content. The end-users can remotely access their documentation, financial documents, board books, and more directly from content repositories or internal file shares.

For more information on deploying Avi Vantage with the SEG V2 and the Content Gateway, refer to Integrating Secure Email Gateway and Content Gateway with Avi Vantage.

Deployment Considerations and Recommendations

This document covers the best practices, but you can configure load balancers with an algorithm of your choice. Workspace ONE UEM supports simple algorithms such as Round Robin and more sophisticated ones such as Least Connections.

The followings are the considerations when setting up load balancing for Workspace ONE UEM components deployed on-premises:

  • If the Enrollment Session Timeout values are modified in Workspace ONE UEM Console Settings, then you must set the Persistence Timeout values to the same value.
  • UEM console: Session persistence timeout of one hour is required based on the default configuration of Workspace ONE UEM.
  • If the Idle Session Timeout values are modified in the UEM Console Settings, then you must set the Persistence Timeout values to the same value.
  • It is recommended to load balancers to redirect all HTTP requests to HTTPS.
  • XFF header with the actual client IP address should be inserted by the load balancer.