When utilizing Relay Servers, there are two ways the files can be sent from the Workspace ONE UEM console to the Relay Server: Push and Pull.
On a Push configuration, the files are sent to the Relay Server via an FTP connection (FTPS and SFTP are also supported). That means that SaaS users would need a public DNS to make the Relay Server available, so the Workspace ONE UEM server can open a connection to send over the files.
As an alternative, a Pull Service may be installed on the Relay Server. In this scenario, the Pull Service will regularly check the console server for files to download and, when there’s something available, it would download this content and place it on FTP home directory. Since the Pull Service is the component that opens a connection (HTTPS) to the Workspace ONE UEM console, there’s no need for it to be public.
Note that the Pull Service is only responsible for downloading files from the Workspace ONE UEM environment. The Relay Server still needs an FTP service running, so the devices can reach out to it to download packages.
Below is a diagram of how this communication would look like:
When installing the Pull Service, you will need both the Installer and the Configuration File (PullServiceInstaller.config). The Configuration File looks like the following:
<endPointAddress>https://<Console Server URL>/contentpull</endPointAddress>
Make sure you adjust the libraryPath and the endPointAddress accordingly before running the installer.
In some cases, your internal network might need an outbound proxy, so the Relay Server can communicate to the SaaS environment. As the Pull Service installer does not give us an option to configure an outbound proxy, I got around this by doing the following:
1. After installing the Pull Service, the installation folder will have a file called AirWatch.Services.PullService.exe.config. This file will look like this:
2. Between <configuration> and <appSettings>, add the following:
<defaultProxy enabled="true" useDefaultCredentials="true">
<proxy usesystemdefault="true" proxyaddress="http://<proxy_address>:<port>"/>
Note: Adjust the XML values accordingly.
3. Restart the Pull Service.
If you need to troubleshoot the Pull Service, a Log file is created on the folder where the Pull Service is installed. This log will indicate if files are being downloaded, if there’s any connectivity issues, etc.
The links below point to the documentation on how to install the Pull Relay Service:
Create a Windows-Based Pull Service Relay Server: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.5/vmware-airwatch-guides-95/GUID-AW95-CreateWindowsPullRelayServer.html
Create a Linux-Based Pull Service Relay Server: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.5/vmware-airwatch-guides-95/GUID-AW95-CreateLinuxPullRelayServer.html
The postings on this site are my own and do not represent VMware’s positions, strategies or opinions.