VMware Per-App Tunnel can be configured using either of the following two configuration models:

  • Basic Endpoint (single-tier) using a VMware Per-App Tunnel Basic Endpoint

  • Cascade (multi-tier) using a VMware Per-App Tunnel Front-End and VMware Per-App Tunnel Back-End

Tabelle 1. Port Requirements for VMware Per-App Tunnel Basic Endpoint Configuration

Source

Destination

Protocol

Port

Verification

Notes

Devices (from Internet and Wi-Fi)

VMware Per-App Tunnel Basic Endpoint

TCP, UDP

8443*

Run the following command after installation: netstat -tlpn | grep [Port]

Devices connect to the public DNS configured for VMware Tunnel over the specified port. If 443 is used, Per-App Tunnel component listens on port 8443.

VMware Per-App Tunnel Basic Endpoint

AirWatch Cloud Messaging Server

HTTPS

SaaS:443

On-Premises:2001*

Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response.

For the VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2.

VMware Per-App Tunnel Basic Endpoint

Internal websites/web apps/resources

HTTP, HTTPS, or TCP

80, 443, any required TCP

For applications using VMware Per-App Tunnel to access internal resources. Exact endpoints or ports are determined by where these resources are located.

VMware Per-App Tunnel Basic Endpoint

UEM REST API

  • SaaS‡: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com

  • On-Premises†: Most commonly Device Services or Console server

HTTP or HTTPS

80 or 443

curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 unauthorized

The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API URL. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the REST API URL is most commonly the Console URL or Devices Services URL.

Tabelle 2. Port Requirements for VMware Per-App Tunnel Cascade Configuration

Source

Destination

Protocol

Port

Verification

Notes

Devices (from Internet and Wi-Fi)

VMware Per-App Tunnel Front-End

TCP, UDP

8443*

Run the following command after installation: netstat -tlpn | grep [Port]

Devices connect to the public DNS configured for VMware Tunnel over the specified port. If 443 is used, Per-App Tunnel component listens on port 8443.

VMware Per-App Tunnel Front-End

AirWatch Cloud Messaging Server

HTTPS

SaaS:443

On-Premises:2001*

Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response.

For the VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2.

VMware Per-App Tunnel Front-End

VMware Per-App Tunnel Back-End

TCP

8443

Telnet from VMware Per-App Tunnel Front-End to the VMware Per-App Tunnel Back-End on port 8443.

To forward device requests from the Front-End to the Back-End server. This needs to support a minimum of TLS 1.2.

VMware Per-App Tunnel Back-End

AirWatch Cloud Messaging Server

HTTPS

SaaS:443

On-Premises:2001*

Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response.

For VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2.

VMware Tunnel Back-End

Internal websites/web apps/resources

HTTP, HTTPS, or TCP

80, 443, any required TCP

For applications using VMware Per-App Tunnel to access internal resources. Exact endpoints or ports are determined by where these resources are located.

VMware Per-App Tunnel Front-End

UEM REST API

  • SaaS‡: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com

  • On-Premises†: Most commonly Device Services or Console server

HTTP or HTTPS

80 or 443

curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 unauthorized

The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API URL. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the REST API URL is most commonly the Console URL or Devices Services URL.

VMware Per-App Tunnel Back-End

UEM REST API

  • SaaS‡: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com

  • On-Premises†: Most commonly Device Services or Console server

HTTP or HTTPS

80 or 443

curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 unauthorized

The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API URL. This page is not available to Workspace ONE UEM SaaS customers. Workspace ONE UEM SaaS customers, the REST API URL is most commonly the Console URL or Devices Services URL.

NOTES

  • * This port can be changed based on your environment's restrictions.

  • † On-Premises means the location of the Workspace ONE UEM console.

  • ‡ For SaaS customers who need to whitelist outbound communication, refer to the VMware Knowledge Base article that lists up-to-date IP ranges: https://support.workspaceone.com/articles/115001662168-.

For SaaS customers who need to whitelist outbound communication, refer to the following Knowledge Base article that lists up-to-date IP ranges that VMware currently owns: VMware AirWatch IP ranges for SaaS data centers.