DMZ-based Unified Access Gateway appliances require certain firewall rules on the front-end and back-end firewalls. During installation, Unified Access Gateway services are set up to listen on certain network ports by default.

A DMZ-based Unified Access Gateway appliance deployment usually includes two firewalls:

  • An external network-facing, front-end firewall is required to protect both the DMZ and the internal network. You configure this firewall to allow external network traffic to reach the DMZ.
  • A back-end firewall between the DMZ and the internal network is required to provide a second tier of security. You configure this firewall to accept only traffic that originates from the services within the DMZ.

Firewall policy strictly controls inbound communications from DMZ service, which greatly reduces the risk of compromising your internal network.

The following tables list the port requirements for the different services within Unified Access Gateway.
Note: All UDP ports require forward datagrams and reply datagrams to be allowed.
Table 1. Port Requirements for the Secure Email Gateway
Port Protocol Source Target/Destination Description
443* or any port greater than 1024 HTTPS Devices (from Internet and Wi-Fi)

Unified Access Gateway

Secure Email Gateway endpoint

Secure Email Gateway listens on port 11443
443* or any port greater than 1024 HTTPS Workspace ONE UEM Console

Unified Access Gateway

Secure Email Gateway endpoint

Secure Email Gateway listens on port 11443
443* or any port greater than 1024 HTTPS Email Notification Service (when enabled)

Unified Access Gateway

Secure Email Gateway endpoint

Secure Email Gateway listens on port 11443
5701 HTTP Secure Email Gateway Secure Email Gateway Used for Hazelcast distributed cache
41232 HTTPS Secure Email Gateway Secure Email Gateway Used for Vertx cluster management
44444 HTTPS Secure Email Gateway Secure Email Gateway Used for Diagnostic and Administrative functionalities
Note: As the Secure Email Gateway (SEG) service runs as a non-root user in the Unified Access Gateway, the SEG cannot run on the system ports. Therefore, the custom ports must be greater than port 1024.
Table 2. Port Requirements for Horizon
Port Protocol Source Target Description
443 TCP Internet Unified Access Gateway For web traffic, Horizon Client XML - API, Horizon Tunnel, and Blast Extreme
443 UDP Internet Unified Access Gateway UDP 443 is internally forwarded to UDP 9443 on UDP Tunnel Server service on Unified Access Gateway.
8443 UDP Internet Unified Access Gateway Blast Extreme (optional)
8443 TCP Internet Unified Access Gateway Blast Extreme (optional)
4172 TCP and UDP Internet Unified Access Gateway PCoIP (optional)
443 TCP Unified Access Gateway Horizon Connection Server Horizon Client XML-API, Blast extreme HTML access, Horizon Air Console Access (HACA)
22443 TCP and UDP Unified Access Gateway Desktops and RDS Hosts Blast Extreme
4172 TCP and UDP Unified Access Gateway Desktops and RDS Hosts PCoIP (optional)
32111 TCP Unified Access Gateway Desktops and RDS Hosts Framework channel for USB Redirection
3389 TCP Unified Access Gateway Desktops and RDS Hosts Only required if the Horizon Clients use the RDP protocol.
9427 TCP Unified Access Gateway Desktops and RDS Hosts MMR, CDR, and HTML5 features For example, Microsoft Teams Optimization, Browser Redirection, and others.
Note: To allow external client devices to connect to a Unified Access Gateway appliance within the DMZ, the front-end firewall must allow traffic on certain ports. By default the external client devices and external web clients (HTML Access) connect to a Unified Access Gateway appliance within the DMZ on TCP port 443. If you use the Blast protocol, port 8443 must be open on the firewall, but you can configure Blast for port 443 as well.
Table 3. Port Requirements for Web Reverse Proxy
Port Protocol Source Target Description
443 TCP Internet Unified Access Gateway For web traffic
Any TCP Unified Access Gateway Intranet Site Any configured custom port on which the Intranet is listening. For example, 80, 443, 8080 and so on.
88 TCP Unified Access Gateway KDC Server/AD Server Required for Identity Bridging to access AD if SAML to Kerberos/Certificate to Kerberos is configured.
88 UDP Unified Access Gateway KDC Server/AD Server Required for Identity Bridging to access AD if SAML to Kerberos/Certificate to Kerberos is configured.
Table 4. Port Requirements for Admin UI
Port Protocol Source Target Description
9443 TCP Admin UI Unified Access Gateway Management interface
Table 5. Port Requirements for Content Gateway Basic Endpoint Configuration
Port Protocol Source Target Description
443* or any port > 1024 HTTPS Devices (from Internet and Wi-Fi) Unified Access Gateway Content Gateway Endpoint If 443 is used, Content Gateway will listen on port 10443.
443* or any port > 1024 HTTPS Workspace ONE UEM Device Services Unified Access Gateway Content Gateway Endpoint
443* or any port > 1024 HTTPS Workspace ONE UEM Console Unified Access Gateway Content Gateway Endpoint If 443 is used, Content Gateway will listen on port 10443.
443* or any port > 1024 HTTPS Unified Access Gateway Content Gateway Endpoint Workspace ONE UEM API Server
Any port where the repository is listening to. HTTP or HTTPS Unified Access Gateway Content Gateway Endpoint Web-based content repositories such as (SharePoint/WebDAV/CMIS, and so on Any configured custom port on which the Intranet site is listening to.
137–139 and 445 CIFS or SMB Unified Access Gateway Content Gateway Endpoint Network Share-based repositories (Windows file shares) Intranet Shares
Table 6. Port Requirements for Content Gateway Relay Endpoint Configuration
Port Protocol Source Target/Destination Description
443* or any port > 1024 HTTP/HTTPS Unified Access Gateway Relay Server(Content Gateway Relay) Unified Access Gateway Content Gateway Endpoint If 443 is used, Content Gateway will listen on port 10443.
443* or any port > 1024 HTTPS Devices (from Internet and Wi-Fi) Unified Access Gateway Relay Server(Content Gateway Relay) If 443 is used, Content Gateway will listen on port 10443.
443* or any port > 1024 TCP Workspace ONE UEM Device Services Unified Access Gateway Relay Server(Content Gateway Relay) If 443 is used, Content Gateway will listen on port 10443.
443* or any port > 1024 HTTPS Workspace ONE UEMConsole
443* or any port > 1024 HTTPS Unified Access Gateway Content Gateway Relay Workspace ONE UEM API Server
443* or any port > 1024 HTTPS Unified Access Gateway Content Gateway Endpoint Workspace ONE UEM API Server
Any port where the repository is listening to. HTTP or HTTPS Unified Access Gateway Content Gateway Endpoint Web-based content repositories such as (SharePoint/WebDAV/CMIS, and so on Any configured custom port on which the Intranet site is listening to.
443* or any port > 1024 HTTPS Unified Access Gateway (Content Gateway Relay) Unified Access Gateway Content Gateway Endpoint If 443 is used, Content Gateway will listen on port 10443.
137–139 and 445 CIFS or SMB Unified Access Gateway Content Gateway Endpoint Network Share-based repositories (Windows file shares) Intranet Shares
Note: Since Content Gateway service runs as a non-root user in Unified Access Gateway, Content Gateway cannot run on system ports and therefore, custom ports should be > 1024.
Table 7. Port Requirements for VMware Tunnel
Port Protocol Source Target/Destination Verification Note (See the Note section at the bottom of the page)
2020 * HTTPS Devices (from Internet and Wi-Fi) VMware Tunnel Proxy Run the following command after installation: netstat -tlpn | grep [Port]
8443 * TCP, UDP Devices (from Internet and Wi-Fi) VMware Tunnel Per-App tunnel Run the following command after installation: netstat -tlpn | grep [Port] 1
Table 8. VMware Tunnel Basic Endpoint Configuration
Port Protocol Source Target/Destination Verification Note (See the Note section at the bottom of the page)
SaaS: 443

: 2001 *

HTTPS VMware Tunnel Workspace ONE UEMCloud Messaging Server curl -Ivv https://<AWCM URL>:<port>/awcm/status/ping

The expected response is HTTP 200 OK.

2
SaaS: 443

On-Prem: 80 or 443

HTTP or HTTPS VMware Tunnel Workspace ONE UEM REST API Endpoint
  • SaaS:https://asXXX.awmdm. com or https://asXXX. airwatchportals.com
  • On-Prem: Most commonly your DS or Console server
curl -Ivv https://<API URL>/api/mdm/ping

The expected response is HTTP 401 unauthorized.

5
80,443, any TCP HTTP, HTTPS, or TCP VMware Tunnel Internal Resources Confirm that the VMware Tunnel can access internal resources over the required port. 4
514 * UDP VMware Tunnel Syslog Server
On-prem: 2020 HTTPS Workspace ONE UEM Console VMware Tunnel Proxy On-Premises users can test the connection using the telnet command :telnet <Tunnel Proxy URL> <port> 6
Table 9. VMware Tunnel Cascade Configuration
Port Protocol Source Target/Destination Verification Note (See the Note section at the bottom of the page)
SaaS: 443

On-Prem: 2001 *

TLS v1.2 VMware Tunnel Front-End Workspace ONE UEM Cloud Messaging Server Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response. 2
8443 TLS v1.2 VMware Tunnel Front-End VMware Tunnel Back-End Telnet from VMware Tunnel Front-End to the VMware Tunnel Back-End server on port 3
SaaS: 443

On-Prem: 2001

TLS v1.2 VMware Tunnel Back-End Workspace ONE UEM Cloud Messaging Server Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response. 2
80 or 443 TCP VMware Tunnel Back-End Internal websites/web apps 4
80, 443, any TCP TCP VMware Tunnel Back-End Internal resources 4
80 or 443 HTTPS VMware Tunnel Front-End and Back-End Workspace ONE UEM REST API Endpoint
  • SaaS:https://asXXX.awmdm. com or https://asXXX. airwatchportals.com
  • On-Prem: Most commonly your DS or Console server
curl -Ivv https://<API URL>/api/mdm/ping

The expected response is HTTP 401 unauthorized.

5
Table 10. VMware Tunnel Front-end and Back-end Configuration
Port Protocol Source Target/Destination Verification Note (See the Note section at the bottom of the page)
SaaS: 443

On-Prem: 2001

HTTP or HTTPS VMware Tunnel Front-End Workspace ONE UEM Cloud Messaging Server curl -Ivv https://<AWCM URL>:<port>/awcm/status/ping

The expected response is HTTP 200 OK.

2
80 or 443 HTTPS or HTTPS VMware Tunnel Back-End and Front-End Workspace ONE UEM REST API Endpoint
  • SaaS:https://asXXX.awmdm. com or https://asXXX. airwatchportals.com
  • On-Prem: Most commonly your DS or Console server
curl -Ivv https://<API URL>/api/mdm/ping

The expected response is HTTP 401 unauthorized.

The VMware Tunnel Endpoint requires access to the REST API Endpoint only during initial deployment.

5
2010 * HTTPS VMware Tunnel Front-end VMware Tunnel Back-end Telnet from VMware Tunnel Front-end to the VMware Tunnel Back-end server on port 3
80, 443, any TCP HTTP, HTTPS, or TCP VMware Tunnel Back-end Internal resources Confirm that the VMware Tunnel can access internal resources over the required port. 4
514 * UDP VMware Tunnel Syslog Server
On-Prem: 2020 HTTPS Workspace ONE UEM VMware Tunnel Proxy On-Premises users can test the connection using the telnet command :telnet <Tunnel Proxy URL> <port> 6

The following points are valid for the VMware Tunnel requirements.

Note: * - This port can be changed if needed based on your environment's restrictions
  1. If port 443 is used, Per-App Tunnel will listen on port 8443.
    Note: When VMware Tunnel and Content Gateway services are enabled on the same appliance, and TLS Port Sharing is enabled, the DNS names must be unique for each service. When TLS is not enabled only one DNS name can be used for both services as the port will differentiate the incoming traffic. (For Content Gateway, if port 443 is used, Content Gateway will listen on port 10443.)
  2. For the VMware Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes.
  3. For VMware Tunnel Front-end topologies to forward device requests to the internal VMware Tunnel Back-end only.
  4. For applications using VMware Tunnel to access internal resources.
  5. The VMware Tunnel must communicate with the API for initialization. Ensure that there is connectivity between the REST API and the VMware Tunnel server. Navigate to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API server URL. This page is not available to SaaS customers. The REST API URL for SaaS customers is most commonly your Console or Devices Services server URL.
  6. This is required for a successful "Test Connection" to the VMware Tunnel Proxy from the Workspace ONE UEM console. The requirement is optional and can be omitted without loss of functionality to devices. For SaaS customers, the Workspace ONE UEM console might already have inbound connectivity to the VMware Tunnel Proxy on port 2020 due to the inbound Internet requirement on port 2020.