Remote Management server deployment using F5 LTM


When deploying multiple Remote Management servers behind an F5, there are non-default configuration caveats. These caveats include persistence based on the AW-Device-UDID value and removal of the LTM's HTTP proxy before handing the connection off to the server. If you have two Remote Management servers behind an F5, then the persistence settings will ensure that connections (device and Remote Management applet) are always mapped to the same Remote Management server. The removal of the HTTP proxy in the LTM is so the traffic is passed off to the Remote Management server as a web socket connection even though it comes in as HTTPS.

If you are an On-Premises customer, you must configure your LTM with a persistence iRule based on the F5 Solution page for Overview of the CARP hash algorithm. The basics of the iRule are to parse the HTTP header of the incoming connection for the AW-Device-UDID value and then persist on it using the "persist carp" command. Apply this iRule to a persistence profile for use in the Resources section of the configured Virtual Server. You may need to write your own iRule to accomplish this per your internal networking practices. This article contains an example rule.

Important: VMware AirWatch is preparing Remote Management version 3.0 for its end-of-life event, including last order date, availability, and support. For details about this transition, refer to our knowledge base article here. For a viable and advanced replacement, refer to the VMware AirWatch Advanced Remote Management Guide.


To configure Remote Management behind an F5 LTM:

  • Configure the Virtual Server (VIP) setup, including:
    • Create a Client SSL profile to decrypt traffic.
    • Include a Standard HTTP Profile so that the iRule can parse the HTTP Header.
    • Set a TCP Idle Timeout of 3600 seconds (1 hour).
  • Configure a Persistence profile for use in the Resources tab of the Virtual Server configuration. Configure the profile with a 0 second timeout.
  • Create an iRule to remove the HTTP proxy on the F5 to set the traffic to server as Web Socket. Use the HTTP::disable command on the inbound HTTP Request (example below).
  • Configure a Pool for the Virtual Server.
    • Set the pool to send to the Remote Management application severs on an unencrypted port (port 80, unless configured otherwise).

CARP Hash Persistence Profile

CARP Hash persistence inspects http header for UDID value (example below)



CARP Hash iRule

# Rule to parse HTTP Header for AW-Device-UDID value for CARP Hash persistence
# based on
    if { [HTTP::header exists "AW-Device-UDID"] } {
        set awdeviceudid [HTTP::header value AW-Device-UDID]
        if {$awdeviceudid != ""}{
            persist carp $awdeviceudid


iRule to remove HTTP

# Rule to remove HTTP profile/filtering from traffic for the RM endpoint
Have more questions? Submit a request


Article is closed for comments.