Troubleshooting Peer Distribution and Content Delivery Network

Another common issue with Windows 10 software distribution is that applications do not download correctly. This exercise covers possible issues when using peer-to-peer (P2P) and Content Delivery Network (CDN).

1. Peer Distribution Troubleshooting

Organizations can use P2P for application deployments by leveraging Workspace ONE UEM peer distribution capabilities. In this section, we will review a few basic logging locations.

1.1. Review Server Logs

  1. In Explorer, navigate to C:\Program Files\Adaptiva\AdaptivaServer\logs.

All of the P2P server logs are located here. Explore the adaptiva.log file for troubleshooting.

1.2. Navigate to %ProgramData%

  1. In Explorer, enter %ProgramData%.

The AirWatch directory contains agent logs including enrollment, product provisioning, and some profiles such as BitLocker.

The AirWatchMDM directory contains the software distribution cache folder. After the software packages are downloaded, they appear in this folder.

1.3. Review P2P Client Logs

In Explorer, enter C:\Windows\AdaptivaSetupLogs\Client.

You can find the P2P client installation logs here—if you encounter installation issues, review these logs.

1.4. Check Client Registry Values

  1. In the registry, navigate to WOW6432Node > Adaptiva > client.

This location contains P2P client configuration information, such as the version, server it is connected to, and other granular details. Workspace ONE UEM handles installing and setting up this information.

1.5. Check Adaptiva Cache Folder

In Explorer, enter C:\AdaptivaCache.

You should see the same content ID listed with the same file size for your application, so the next device to enroll or request this application will peer off of the first device. The content is stored in the format {contentID}.content.

This folder is a hidden directory and uses VMware vSAN™ technology so that the space used goes unnoticed to the end user. When the end user needs more disk space, Adaptiva's self-managing cache deletes content.
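The check in this step (same content ID, same file size) can be scripted. The following is an added example, not part of the lab or of Adaptiva's tooling; it assumes the cache folders of two devices are reachable as local paths, and the content IDs and sizes in the demo are constructed.

```python
import os
import tempfile


def cache_inventory(cache_dir):
    """Map content ID -> size in bytes for each {contentID}.content file."""
    inventory = {}
    with os.scandir(cache_dir) as entries:
        for entry in entries:
            content_id, ext = os.path.splitext(entry.name)
            if entry.is_file() and ext.lower() == ".content":
                inventory[content_id] = entry.stat().st_size
    return inventory


def compare_caches(seed, peer):
    """Compare a peer's inventory with the first (seed) device's inventory.

    Returns (missing, mismatched): content IDs absent on the peer, and IDs
    present on both whose sizes differ (for example a partial download).
    """
    missing = sorted(cid for cid in seed if cid not in peer)
    mismatched = sorted(
        cid for cid in seed if cid in peer and seed[cid] != peer[cid]
    )
    return missing, mismatched


if __name__ == "__main__":
    # Constructed sample data: two temporary folders stand in for
    # C:\AdaptivaCache as copied from two devices.
    with tempfile.TemporaryDirectory() as seed_dir, \
            tempfile.TemporaryDirectory() as peer_dir:
        for folder, files in (
            (seed_dir, {"1001.content": 4096, "1002.content": 2048}),
            (peer_dir, {"1001.content": 4096, "1002.content": 512}),
        ):
            for name, size in files.items():
                with open(os.path.join(folder, name), "wb") as fh:
                    fh.write(b"\0" * size)
        print(compare_caches(cache_inventory(seed_dir),
                             cache_inventory(peer_dir)))
```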

1.6. Connect to Adaptiva Database

Launch SQL Server Management Studio and click Connect.

1.6.1. Select Adaptiva Content Table

  1. Expand Databases > Adaptiva > Tables.
  2. Right-click dbo.ADAPTIVACONTENTS.
  3. Click Select Top 1000 Rows.

1.6.2. Find Content ID

Content IDs were discussed in the previous steps. Note that both of these IDs are in our device's cache for P2P. The database contains the app metadata, and you can explore the database for other information that might be helpful, such as device IP/names, office locations, subnets, and so on.

2. Content Delivery Network Troubleshooting

Since AirWatch 8.4.1, the Workspace ONE UEM Console can integrate with Content Delivery Network (CDN) servers to assist with the downloading of large files, in particular when deploying internal applications. Normally, when an internal application is deployed to a device, the device downloads the app directly from the Workspace ONE UEM servers. However, in large environments, especially during large deployments of internal applications, this can lead to bandwidth issues and significant performance degradation.

By integrating a Workspace ONE UEM environment with a CDN server, available bandwidth is greatly expanded and the risk of performance degradation due to file downloads is minimal. The process flow is as follows:

  1. A Workspace ONE UEM environment enables the use of a CDN at an environment-wide level.
  2. Newly uploaded applications will be deployed using CDN.
  3. Whenever a device requests to download an internal app from Workspace ONE UEM, the request is redirected to the CDN server.

CDN integration is a requirement for applications deployed through the Microsoft Store for Business (BSP). With this system, you can purchase apps from the Microsoft app store and then distribute them to devices through Workspace ONE UEM in the same manner that internal apps are distributed. This process allows for CDN to be leveraged when deploying public applications to Windows devices.

Similarly, CDN integration can be effective in improving the performance of software distribution for Windows 10 devices and is required for SaaS environments.

Important: As a requirement for environments using CDN servers for file distribution, enrolled devices must have open access to the internet. The CDN network has a distributed architecture around the globe, and VMware cannot guarantee that a specific file download to a device will come from any individual server. The system is designed to increase the likelihood that a device will download a file from a server in a similar geographic location.

If you have an environment where devices cannot connect to the CDN architecture (for example, due to a strict firewall configuration that allows access only to certain websites/servers), follow the next steps to disable CDN integration in your environment.

2.1. CDN for On-Premises

On-premises environments using AirWatch 8.4.1 and later can integrate with a CDN. However, you must have access to a corporate CDN account to enable the configuration. The process flow for downloads remains the same, although the IP requirements may be different, depending on the CDN system you use. VMware supports integration only with Akamai CDN accounts.

Follow these steps to configure CDN for on-premises environments:

  1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > CDN > Akamai, and select Enabled.
  2. Log in to your CDN provider portal, locate the values required on this page, and enter them here.
  3. Save your settings to enable CDN.

Note: For detailed step-by-step instructions for your on-premises customers, see the CDN Integration Guide from VMware Docs.

2.2. Workspace ONE UEM with CDN Integration Workflow

Following are some general questions and answers concerning Workspace ONE UEM and CDN.

Q. Does Workspace ONE UEM leverage CDN for both content types and apps uploaded to the Workspace ONE UEM Console?

A. No, Workspace ONE UEM leverages CDN only for apps uploaded to the Workspace ONE UEM console. Workspace ONE UEM does not leverage CDN for content or any content uploaded for use with Product Provisioning. 

Q. What components are there to the CDN integration?

A. The main components to the CDN integration with Workspace ONE UEM are as follows:

  • The AirWatch Origin Server is the file server configured for storage of all files to be cached within Akamai on a pull model. This component has to be manually configured if you are using the on-premises deployment model. However, for SaaS users, this is already configured. 
  • The AirWatch Content Domain is the domain mapping to the configured Akamai Edge Server using CNAME (DNS plus *.edgekey.net). 
  • The Akamai Edge Server is responsible for caching and distributing files based on geographic location. It also authenticates resources that end users try to access.

Q. What is the general workflow for CDN integration? Is there a failover method in place? 

A. See the Workspace ONE UEM with CDN Integration Workflow diagram. Note that applications are uploaded to the Workspace ONE UEM Console in the same way. Applications are still stored in the blob table in the database (unless you have file storage set up), but another step is added. After the application has been uploaded, a copy of the application is copied over to the AirWatch Origin Server. Applications always reside at the origin server. Devices are pointed to the AirWatch Content Domain to download the applications, and then the CDN provider’s logic determines which Akamai Edge Server will become the source of the download. If the edge server does not have the requested application then it obtains the application from the origin server (for SaaS there are origin servers at every data center). Akamai has logic to cache and purge their edge servers; however the application is populated on the edge server upon the first request from a device. 

Lastly, if the connection to the CDN provider fails, the content (for example, an application) is pushed from the Workspace ONE UEM Device Services server, as it would be if CDN integration were not configured.

Note: There is an additional fallback for Windows devices provided by a feature built into the operating system. Workspace ONE UEM can send down multiple download URLs, so for software distribution it sends the CDN URL as the primary and the DS URL as a fallback. This is helpful for Windows devices because they might be connected to a closed VPN or a locked-down network at times.

Q. How are the applications secured and separated per user (or organization) on the CDN?

A. Communications are secure and happen over HTTPS using SSL connections. Each application is uniquely identified through the blob ID, therefore users deploying the same applications will never share the same data. When the download URL is generated (see a sample URL in Workspace ONE UEM with CDN Integration Workflow), there is an attached token which expires after 24 hours and an HMAC token which is based on the salt of the CDN account being used.

Q. When the Install command is processed (user-initiated, admin initiated, or auto) what occurs on the back end?

A. The process is as follows.

  1. First, Workspace ONE UEM makes a test connection to the AirWatch Content Domain URL to ensure it is reachable. If this URL is not reachable, Workspace ONE UEM generates a download URL pointing to the Workspace ONE UEM Device Services server, bypassing CDN.
  2. If CDN is reachable, Workspace ONE UEM generates the download URL and the HMAC and expiration tokens.
  3. The device then navigates to the download URL and uses download logic specific to that platform. For example, timeout and retry logic varies.
  4. Akamai decides which edge server to use. If the edge server does not have the application, it connects to the AirWatch Origin Server.
  5. The device completes the download and proceeds with application installation.
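The following added sketch, which is not Workspace ONE UEM or Akamai code, shows how an expiring, HMAC-protected download URL of the kind described above can be generated and checked, including the Device Services fallback from step 1. The hostnames, the parameter names (exp, hmac), the signed message layout and the use of SHA-256 are assumptions; the page does not give the real token format.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for illustration only.
CDN_BASE = "https://cdn.example.test"  # stands in for the AirWatch Content Domain
DS_BASE = "https://ds.example.test"    # stands in for the Device Services server
TOKEN_LIFETIME = 24 * 60 * 60          # the page states a 24-hour expiry


def _sign(secret, path, expires):
    # Bind the signature to both the resource path and the expiry time, so
    # neither can be changed without invalidating the token.
    message = f"{path}\n{expires}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def build_download_url(blob_id, secret, cdn_reachable, now=None):
    """Console side: steps 1 and 2 of the process above."""
    path = f"/apps/{blob_id}"
    if not cdn_reachable:
        # Test connection failed: bypass the CDN, point at Device Services.
        return DS_BASE + path
    issued = int(now if now is not None else time.time())
    expires = issued + TOKEN_LIFETIME
    query = urlencode({"exp": expires, "hmac": _sign(secret, path, expires)})
    return f"{CDN_BASE}{path}?{query}"


def verify_download_url(url, secret, now=None):
    """Edge side: accept only unexpired URLs with a matching HMAC."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["exp"][0])
        supplied = params["hmac"][0]
    except (KeyError, ValueError):
        return False  # token missing or malformed
    if (now if now is not None else time.time()) > expires:
        return False  # expiration token has lapsed
    expected = _sign(secret, parts.path, expires)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), supplied.encode())
```

When a download fails with an authorization error rather than a timeout, an expired token or a URL altered in transit are the two cases this check separates from plain reachability problems.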
