VMware Per-App Tunnel can be configured using either of the following two configuration models:
- Basic Endpoint (single-tier) using a VMware Per-App Tunnel Basic Endpoint
- Cascade (multi-tier) using a VMware Per-App Tunnel Front-End and VMware Per-App Tunnel Back-End
Source | Destination | Protocol | Port | Verification | Notes |
---|---|---|---|---|---|
Devices (from Internet and Wi-Fi) | VMware Per-App Tunnel Basic Endpoint | TCP, UDP | 8443* | Run the following command after installation: netstat -tlpn | grep [Port] | Devices connect to the public DNS configured for VMware Tunnel over the specified port. If 443 is used, Per-App Tunnel component listens on port 8443. |
VMware Per-App Tunnel Basic Endpoint | Workspace ONE UEM Cloud Messaging Server | HTTPS | SaaS:443 On-Premises:2001* |
Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response. | For the VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2. |
VMware Per-App Tunnel Basic Endpoint | Internal websites/web apps/resources | HTTP, HTTPS, or TCP | 80, 443, any required TCP | For applications using VMware Per-App Tunnel to access internal resources. Exact endpoints or ports are determined by where these resources are located. | |
VMware Per-App Tunnel Basic Endpoint | UEM REST API
|
HTTP or HTTPS | 80 or 443 | curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 unauthorized | The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API URL. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the REST API URL is most commonly the Console URL or Devices Services URL. |
Source | Destination | Protocol | Port | Verification | Notes |
---|---|---|---|---|---|
Devices (from Internet and Wi-Fi) | VMware Per-App Tunnel Front-End | TCP, UDP | 8443* | Run the following command after installation: netstat -tlpn | grep [Port] | Devices connect to the public DNS configured for VMware Tunnel over the specified port. If 443 is used, Per-App Tunnel component listens on port 8443. |
VMware Per-App Tunnel Front-End | Workspace ONE UEM Cloud Messaging Server | HTTPS | SaaS:443 On-Premises:2001* |
Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response. |
For the VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2. |
VMware Per-App Tunnel Front-End | VMware Per-App Tunnel Back-End | TCP | 8443 | Telnet from VMware Per-App Tunnel Front-End to the VMware Per-App Tunnel Back-End on port 8443. | To forward device requests from the Front-End to the Back-End server. This needs to support a minimum of TLS 1.2. |
VMware Per-App Tunnel Back-End | Workspace ONE UEM Cloud Messaging Server | HTTPS | SaaS:443 On-Premises:2001* |
Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response. | For VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2. |
VMware Tunnel Back-End | Internal websites/web apps/resources | HTTP, HTTPS, or TCP | 80, 443, any required TCP | For applications using VMware Per-App Tunnel to access internal resources. Exact endpoints or ports are determined by where these resources are located. | |
VMware Per-App Tunnel Front-End | UEM REST API
|
HTTP or HTTPS | 80 or 443 | curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 unauthorized | The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API URL. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the REST API URL is most commonly the Console URL or Devices Services URL. |
VMware Per-App Tunnel Back-End | UEM REST API
|
HTTP or HTTPS | 80 or 443 | curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 unauthorized | The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API URL. This page is not available to Workspace ONE UEM SaaS customers. Workspace ONE UEM SaaS customers, the REST API URL is most commonly the Console URL or Devices Services URL. |
NOTES
- * This port can be changed based on your environment's restrictions.
- † On-Premises means the location of the Workspace ONE UEM console.
- ‡ For SaaS customers who need to allow outbound communication, refer to the VMware Knowledge Base article that lists up-to-date IP ranges: VMware Workspace ONE IP ranges for SaaS data centers.