
Raul Cunha's Blog


Pull Relay Servers

Posted by ralbertodacu Jun 29, 2018

When utilizing Relay Servers, there are two ways the files can be sent from the Workspace ONE UEM console to the Relay Server: Push and Pull.

 

In a Push configuration, the files are sent to the Relay Server via an FTP connection (FTPS and SFTP are also supported). That means SaaS users need a public DNS name that makes the Relay Server reachable, so the Workspace ONE UEM server can open a connection and send over the files.

 

As an alternative, a Pull Service may be installed on the Relay Server. In this scenario, the Pull Service regularly checks the console server for files to download and, when something is available, downloads the content and places it in the FTP home directory. Since the Pull Service is the component that opens the connection (HTTPS) to the Workspace ONE UEM console, the Relay Server does not need to be public.

 

Note that the Pull Service is only responsible for downloading files from the Workspace ONE UEM environment. The Relay Server still needs an FTP service running, so the devices can reach out to it to download packages.

 

Below is a diagram of what this communication looks like:

[Diagram: Screen Shot 2018-06-30 at 02.05.08.png]

 

 

When installing the Pull Service, you will need both the Installer and the Configuration File (PullServiceInstaller.config). The Configuration File looks like the following:

 

<?xml version="1.0"?>
<PullConfiguration>
    <libraryPath>C:\FTP_Home\</libraryPath>
    <endPointAddress>https://<Console Server URL>/contentpull</endPointAddress>
</PullConfiguration>

 

Make sure you adjust the libraryPath and the endPointAddress accordingly before running the installer.

 

 

Outbound Proxy

 

In some cases, your internal network might require an outbound proxy for the Relay Server to communicate with the SaaS environment. As the Pull Service installer does not give us an option to configure an outbound proxy, I got around this by doing the following:

 

1. After installing the Pull Service, the installation folder will have a file called AirWatch.Services.PullService.exe.config. This file will look like this:

 

<?xml version="1.0"?>
<configuration>
  <appSettings>
    (…)
  </appSettings>
  (…)
</configuration>

 

 

2. Between <configuration> and <appSettings>, add the following:

 

<system.net>
    <defaultProxy enabled="true" useDefaultCredentials="true">
        <proxy usesystemdefault="true" proxyaddress="http://<proxy_address>:<port>"/>
    </defaultProxy>
</system.net>

 

Note: Adjust the XML values accordingly.

 

 

3. Restart the Pull Service.

 

 

Troubleshooting

 

If you need to troubleshoot the Pull Service, a log file is created in the folder where the Pull Service is installed. This log will indicate whether files are being downloaded, whether there are any connectivity issues, etc.

 

 

 

The links below point to the documentation on how to install the Pull Relay Service:

 

Configure a Relay Server: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.5/vmware-airwatch-guides-95/GUID-AW95-ConfigureRelayServer.html

 

Create a Windows-Based Pull Service Relay Server: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.5/vmware-airwatch-guides-95/GUID-AW95-CreateWindowsPullRelayServer.html

 

Create a Linux-Based Pull Service Relay Server: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.5/vmware-airwatch-guides-95/GUID-AW95-CreateLinuxPullRelayServer.html

 

--

 

The postings on this site are my own and do not represent VMware’s positions, strategies or opinions.

Even though some of the components of the UAG appliance can be fully configured from its web console interface, you may want to have remote access to the box itself for troubleshooting.

By default, SSH access is disabled on the appliance, but it can be easily activated.

 

Below I put together some steps to enable SSH on the UAG appliance:

 

Configure the sshd service:

Open the UAG server from the vSphere console and log in as root.

In order to enable SSH, you will need to modify the sshd_config configuration file, and enable the sshd service on the server.

 

Edit the sshd_config file. In this example I am using vi.

On the Linux shell, type vi /etc/ssh/sshd_config and press <Enter>.

 


Make the following changes to the /etc/ssh/sshd_config file:

 

  • Change the PermitRootLogin setting from no to yes.
  • Comment out the MaxSessions line (add # to the beginning of the line).
  • Comment out the AllowGroups line (add # to the beginning of the line).

 


Save the file: <ESC>, :wq!, <Enter>.

 

 

Enable the sshd service:

Use YaST to enable the sshd service.

Type yast <Enter> on the Linux shell to access it.

 


Navigate to System > Services Manager using the arrow keys and then press <Enter>.

 


Use the arrow keys to select the sshd service.

Press <Alt>+E to enable the service and <Alt>+S to start it.

 


To save the configuration, select the OK option by pressing either <Alt>+O or F10.

To exit YaST, select the Quit option by pressing F9.

 

One way to test it is to connect from the appliance to itself by typing ssh localhost.
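
To confirm what the three sshd_config edits above leave in effect, the following added example (not part of the original post) reads a config file and reports the effective global values of PermitRootLogin, AllowGroups and MaxSessions. The function names and the sample values (group sshusers, MaxSessions 1) are constructed for illustration, and only whitespace-separated "Keyword value" lines are handled.

```shell
#!/bin/sh
# Added example: report the effective global values of the sshd_config
# directives changed above. sshd keeps the first value it reads for a keyword,
# keywords are case-insensitive, and a Match line starts conditional blocks.

# Print the effective global value of directive $2 in file $1 (empty if unset).
sshd_effective() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }           # skip comments and blank lines
        tolower($1) == "match" { exit }   # global section ends at first Match
        tolower($1) == key {              # first occurrence wins
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }
    ' "$1"
}

# Print a summary; return 1 when root may log in and AllowGroups is not set.
audit_uag_sshd() {
    root=$(sshd_effective "$1" PermitRootLogin)
    allow=$(sshd_effective "$1" AllowGroups)
    sessions=$(sshd_effective "$1" MaxSessions)
    echo "PermitRootLogin: ${root:-not set}"
    echo "AllowGroups:     ${allow:-not set}"
    echo "MaxSessions:     ${sessions:-not set}"
    if [ "$root" = "yes" ] && [ -z "$allow" ]; then
        echo "STATE: root SSH login enabled, no group restriction"
        return 1
    fi
    echo "STATE: root SSH login restricted or disabled"
    return 0
}

# Constructed sample: a config as it would look after the three edits above
# (the group name and session count are made-up values).
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin yes
#MaxSessions 1
#AllowGroups sshusers
EOF
audit_uag_sshd "$sample" || echo "(troubleshooting access is open)"
rm -f "$sample"
```

On the appliance, audit_uag_sshd /etc/ssh/sshd_config shows whether the file is still in its troubleshooting state; sshd -T prints the authoritative effective configuration, including defaults.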

 
