
A common issue with every installation of AirWatch is the AWCM external/internal certificate. The logic is simple: every connection to AWCM should be secured with a certificate, and a valid (not self-signed!) one. But on the internal side we have a local FQDN, which is usually different from the name under which the AirWatch "Device Services+AWCM" host (also called Front-End Server or FE) is published on the external network.

So the formal way is to issue a separate certificate for the internal connections, which will be valid for all other AirWatch components (mainly the Console and the Connectors). But everybody wants to avoid all this certificate mayhem. So the answer is to send everybody to the external URL: we already have a valid certificate there, so let's reuse it. A simple and brutal way is to just write the "<internal ip> = <external dns name>" line in the hosts file on every affiliated server. But a more intelligent way is to do split-DNS.

Usually we have the Windows Domain Controller acting as DNS, so we will use it to create a separate zone for, which will send all servers to an internal IP via an external signed URL.

Create split-DNS for single hosts

Since DNS is organized hierarchically, you can tell the internal DNS server to be authoritative only for a sub-tree of a domain - on If you try to resolve the parent zone, the DNS server would go down the forwarder hierarchy, starting at the DNS root servers. So instead of creating a zone for the whole namespace, create a zone for the host.

  • Add a new primary zone;
  • Don’t allow dynamic updates to the zone;
  • Create a new A/AAAA record for the host.

When creating an A/AAAA record:

  • Leave the name field empty;
  • Don’t create a PTR record;
  • Point it to the internal IP of the host.
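
The zone and record steps above, scripted with the DnsServer PowerShell module on the domain controller, with checks that the result matches the settings listed. This is an added example, not part of the original article; the host name `awcm.example.com`, the IP `10.0.0.25` and the AD-integrated (`Domain`) replication scope are placeholder assumptions.

```powershell
# Placeholders (assumptions, not from the article): replace with your own values.
$HostZone   = 'awcm.example.com'   # external FQDN covered by the public certificate
$InternalIp = '10.0.0.25'          # internal IP of the Device Services + AWCM host
$DnsServer  = 'localhost'          # run on the domain controller that hosts DNS

# 1. Primary zone scoped to the single host name, dynamic updates disabled.
if (-not (Get-DnsServerZone -Name $HostZone -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $HostZone -ReplicationScope Domain `
        -DynamicUpdate None -ComputerName $DnsServer
}

# 2. A record at the zone apex ('@' is the empty name field in the GUI).
#    -CreatePtr is deliberately omitted, so no PTR record is created.
$apex = Get-DnsServerResourceRecord -ZoneName $HostZone -Name '@' -RRType A `
    -ComputerName $DnsServer -ErrorAction SilentlyContinue
if (-not $apex) {
    Add-DnsServerResourceRecordA -ZoneName $HostZone -Name '@' `
        -IPv4Address $InternalIp -ComputerName $DnsServer
}

# 3. The zone must not accept dynamic updates, otherwise any client that can
#    register records could repoint the name.
$zone = Get-DnsServerZone -Name $HostZone -ComputerName $DnsServer
if ($zone.DynamicUpdate -ne 'None') {
    throw "Zone $HostZone allows dynamic updates: $($zone.DynamicUpdate)"
}

# 4. The host name must resolve to exactly one address: the internal IP.
$answers = @(Resolve-DnsName -Name $HostZone -Type A -Server $DnsServer -DnsOnly |
    Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
if ($answers.Count -ne 1 -or $answers[0] -ne $InternalIp) {
    throw "$HostZone resolves to '$($answers -join ', ')', expected $InternalIp"
}

# 5. The parent zone should NOT exist on this server. If it does, the server is
#    authoritative for the whole namespace and will not forward lookups for
#    other names in that domain.
$parent = $HostZone.Split('.', 2)[1]
if (Get-DnsServerZone -Name $parent -ComputerName $DnsServer -ErrorAction SilentlyContinue) {
    Write-Warning "Zone $parent is hosted locally; other names under it are not forwarded."
}

Write-Output "$HostZone -> $InternalIp (zone scoped to host, no PTR, no dynamic updates)"
```

The script is safe to re-run: the zone and the apex record are created only if they are missing.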

Test the record with nslookup:


In case AWCM is still not reachable, check this article.

Happy deploying!