How to configure the MAG to utilize SSL offloading


When utilizing a Mobile Access Gateway (MAG) to allow access to internal resources, you may choose to design the network to perform SSL Offloading with products such as F5's BIG-IP Local Traffic Manager (LTM), Microsoft's Unified Access Gateway (UAG), Threat Management Gateway (TMG) or Internet Security and Acceleration Server (ISA). While these are common solutions, support is not limited to them: MAG/AirWatch Tunnel is compatible with any SSL Offloading solution, provided that the solution supports the HTTP CONNECT method (the tunnel is built with CONNECT requests, so a proxy that rewrites or rejects them will break it). The following document illustrates how SSL Offloading affects traffic in a Relay-Endpoint configuration.

SSL Offloading Traffic Flow


1.  A device requests access to content or resources, which can be either an HTTP or HTTPS endpoint.

  • By default, both HTTP and HTTPS traffic are sent over a single HTTPS port (default 2020). This traffic is encrypted with the MAG certificate and sent through an HTTPS tunnel.
  • For efficiency, separate ports can be configured for HTTP and HTTPS traffic:
    • Requests to HTTP endpoints are sent over a port you configure (default 2020) through an HTTPS tunnel encrypted with the MAG certificate.
    • Requests to HTTPS endpoints are sent over a port you configure (default 2010) through an HTTP tunnel. The tunnel itself adds no encryption; the traffic inside it is already encrypted end to end by the SSL certificate configured on the HTTPS endpoint, so nothing in the path can terminate or inspect it.

2.  The traffic hits an SSL Termination Proxy, which must hold the SSL certificate installed on the MAG together with its private key (the proxy is now the party terminating the TLS session), whether it is an AirWatch-generated certificate or a 3rd party SSL certificate.

  • In the case of only a single HTTPS port being active, the TLS encryption of the HTTPS tunnel is terminated at the proxy and the request is sent to the Relay over the same port. That is, if port 2020 is specified for the HTTPS tunnel, the request between the Proxy and Relay will also be on port 2020, though the tunnel will now be unencrypted. As such, when configuring the offloading on the SSL Termination Proxy, ensure that traffic is entering and leaving on the same port. Because the Proxy-to-Relay leg is plaintext from this point on, keep it on a trusted, access-controlled network segment.
  • In deployments using a split HTTP and HTTPS tunnel:
    • Requests sent using the HTTPS tunnel have their TLS encryption terminated at the proxy and are sent to the Relay unencrypted over the port specified for the HTTP tunnel.
    • Requests sent through the HTTP tunnel are unaffected and continue to the Relay on that same port.
    • Note: Since all traffic that originates in the HTTPS tunnel is now offloaded, you must create a rule on your SSL Termination Proxy to forward all of it to the HTTP tunnel port (for example, all incoming traffic on port 2020 is forwarded to port 2010). The Relay then receives every request on that one port.

3.  The traffic continues from the Relay to the Endpoint on the Relay-Endpoint Port.

4.  The Endpoint communicates with your backend systems to access the requested content or resources.
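The following script is an added example and is not part of the original article or AirWatch's own configuration. It generates a generic SSL Termination Proxy configuration for the split-tunnel flow described in steps 1 to 3 (TLS terminated on 2020 with the MAG certificate and forwarded to the Relay's 2010 port, the HTTP tunnel on 2010 passed straight through) and includes a check that the live proxy really presents the MAG certificate. The article names F5 LTM, UAG, TMG and ISA; HAProxy 2.x syntax is used here purely as a generic stand-in. The Relay hostname, the certificate path and the file layout are assumptions; the ports are the article's defaults.

```shell
#!/bin/sh
# Added example, not from the original article or from AirWatch.
# Generates a generic SSL Termination Proxy configuration (HAProxy 2.x
# syntax, assumed) for the split HTTP/HTTPS tunnel flow, and checks that the
# live proxy presents the MAG certificate on the HTTPS tunnel port.

RELAY_HOST="${RELAY_HOST:-mag-relay.internal.example}"     # assumed hostname
HTTPS_TUNNEL_PORT="${HTTPS_TUNNEL_PORT:-2020}"             # article default
HTTP_TUNNEL_PORT="${HTTP_TUNNEL_PORT:-2010}"               # article default
MAG_CERT_PEM="${MAG_CERT_PEM:-/etc/haproxy/mag-cert.pem}"  # assumed: MAG cert + key, PEM

# Write the proxy configuration to the file named in $1 (stdout if omitted).
#   *:2020 (TLS, MAG certificate) -> terminated   -> RELAY:2010 (plaintext)
#   *:2010 (plaintext HTTP tunnel) -> pass-through -> RELAY:2010
# Both frontends run in 'mode tcp', so the HTTP CONNECT requests inside the
# tunnel are relayed byte-for-byte instead of being parsed by the proxy.
write_offload_config() {
  out="${1:-/dev/stdout}"
  cat > "$out" <<EOF
global
    log stdout format raw local0

defaults
    mode tcp
    timeout connect 10s
    timeout client  5m
    timeout server  5m

# HTTPS tunnel: offload TLS with the MAG certificate, forward plaintext
frontend mag_https_tunnel
    bind *:${HTTPS_TUNNEL_PORT} ssl crt ${MAG_CERT_PEM}
    default_backend mag_relay_plain

# HTTP tunnel: already plaintext at this layer, pass it straight through
frontend mag_http_tunnel
    bind *:${HTTP_TUNNEL_PORT}
    default_backend mag_relay_plain

# Everything reaches the Relay on its HTTP tunnel port, as the article requires
backend mag_relay_plain
    server relay1 ${RELAY_HOST}:${HTTP_TUNNEL_PORT} check
EOF
}

# Number of listeners declared in a generated config (2 in split mode).
count_listeners() {
  grep -c '^ *bind ' "$1"
}

# Port the backend forwards to, extracted from a generated config.
backend_port() {
  sed -n 's/^ *server [^ ]* [^:]*:\([0-9]*\).*/\1/p' "$1"
}

# Connect to the proxy's HTTPS tunnel port and compare the SHA-256 fingerprint
# of the certificate it presents with the MAG certificate on disk. Returns 0
# only on an exact match. Needs network access to the proxy; not run by default.
verify_presented_cert() {
  proxy="$1"
  expected=$(openssl x509 -in "$MAG_CERT_PEM" -noout -fingerprint -sha256)
  presented=$(printf '' | openssl s_client -connect "$proxy:$HTTPS_TUNNEL_PORT" 2>/dev/null \
              | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
  [ -n "$presented" ] && [ "$presented" = "$expected" ]
}

# Usage: sh offload.sh generate [file]   |   sh offload.sh verify <proxy-host>
if [ "${1:-}" = "generate" ]; then
  write_offload_config "${2:-}"
elif [ "${1:-}" = "verify" ]; then
  if verify_presented_cert "${2:-}"; then
    echo "proxy presents the MAG certificate"
  else
    echo "certificate on ${2:-}:${HTTPS_TUNNEL_PORT} does not match ${MAG_CERT_PEM}"
    exit 1
  fi
fi
```

For the single-port layout from step 2, drop the second frontend and point the backend at the same port the HTTPS tunnel listens on, so traffic enters and leaves the proxy on port 2020 as the article requires. The verify step is worth running after every certificate renewal: the MAG and the proxy must carry the same certificate, and a proxy still serving the old one will fail device connections even though the MAG itself is healthy.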

Enabling SSL Offloading

To enable SSL Offloading, select the SSL Offloading check box during installation of the Relay server. This tells the Relay to expect all traffic, including requests that originated in the HTTPS tunnel, to arrive unencrypted on a single port.

