DMZ-based Unified Access Gateway appliances require certain firewall rules on the front-end and back-end firewalls. During installation, Unified Access Gateway services are set up to listen on certain network ports by default.

A DMZ-based Unified Access Gateway appliance deployment usually includes two firewalls:

  • An external network-facing, front-end firewall is required to protect both the DMZ and the internal network. You configure this firewall to allow external network traffic to reach the DMZ.
  • A back-end firewall between the DMZ and the internal network is required to provide a second tier of security. You configure this firewall to accept only traffic that originates from the services within the DMZ.

Firewall policy strictly controls inbound communications from the DMZ services, which greatly reduces the risk of compromising your internal network.

The following tables list the port requirements for the different services within Unified Access Gateway.
Note: All UDP ports require forward datagrams and reply datagrams to be allowed. Unified Access Gateway services use DNS to resolve hostnames. The DNS server IP addresses are configurable. DNS requests are made on UDP port 53 and so it is important that an external firewall does not block these requests or replies.
Table 1. Port Requirements for the Secure Email Gateway
| Port | Protocol | Source | Target/Destination | Description |
|---|---|---|---|---|
| 443* or any port greater than 1024 | HTTPS | Devices (from Internet and Wi-Fi) | Unified Access Gateway Secure Email Gateway endpoint | Secure Email Gateway listens on port 11443. When 443 or any other port is configured, Unified Access Gateway internally routes the SEG traffic to 11443. |
| 443* or any port greater than 1024 | HTTPS | Workspace ONE UEM Console | Unified Access Gateway Secure Email Gateway endpoint | Secure Email Gateway listens on port 11443. When 443 or any other port is configured, Unified Access Gateway internally routes the SEG traffic to 11443. |
| 443* or any port greater than 1024 | HTTPS | Email Notification Service (when enabled) | Unified Access Gateway Secure Email Gateway endpoint | Secure Email Gateway listens on port 11443. When 443 or any other port is configured, Unified Access Gateway internally routes the SEG traffic to 11443. |
| 5701 | TCP | Secure Email Gateway | Secure Email Gateway | Used for the Hazelcast distributed cache. |
| 41232 | TLS/TCP | Secure Email Gateway | Secure Email Gateway | Used for Vertx cluster management. |
| 44444 | HTTPS | Secure Email Gateway | Secure Email Gateway | Used for diagnostic and administrative functions. |
| Any | HTTPS | Secure Email Gateway | Email Server | SEG connects to the email server's listener port, usually 443, to serve email traffic. |
| Any | HTTPS | Secure Email Gateway | Workspace ONE UEM API server | SEG fetches configuration and policy data from Workspace ONE UEM. The port is usually 443. |
| 88 | TCP | Secure Email Gateway | KDC Server/AD Server | Used for fetching Kerberos authentication tokens when KCD authentication is enabled. |
Note: As the Secure Email Gateway (SEG) service runs as a non-root user in the Unified Access Gateway, the SEG cannot run on the system ports. Therefore, the custom ports must be greater than port 1024.
Table 2. Port Requirements for Horizon
| Port | Protocol | Source | Target | Description |
|---|---|---|---|---|
| 443 | TCP | Internet | Unified Access Gateway | Web traffic, Horizon Client XML-API, Horizon Tunnel, and Blast Extreme |
| 443 | UDP | Internet | Unified Access Gateway | UDP 443 is internally forwarded to UDP 9443 on the UDP Tunnel Server service on Unified Access Gateway. |
| 8443 | UDP | Internet | Unified Access Gateway | Blast Extreme (optional) |
| 8443 | TCP | Internet | Unified Access Gateway | Blast Extreme (optional) |
| 4172 | TCP and UDP | Internet | Unified Access Gateway | PCoIP (optional) |
| 443 | TCP | Unified Access Gateway | Horizon Connection Server | Horizon Client XML-API, Blast Extreme HTML Access, Horizon Air Console Access (HACA) |
| 22443 | TCP and UDP | Unified Access Gateway | Desktops and RDS Hosts | Blast Extreme |
| 4172 | TCP and UDP | Unified Access Gateway | Desktops and RDS Hosts | PCoIP (optional) |
| 32111 | TCP | Unified Access Gateway | Desktops and RDS Hosts | Framework channel for USB Redirection |
| 3389 | TCP | Unified Access Gateway | Desktops and RDS Hosts | Only required if the Horizon Clients use the RDP protocol. |
| 9427 | TCP | Unified Access Gateway | Desktops and RDS Hosts | MMR, CDR, and HTML5 features, for example Microsoft Teams Optimization, Browser Redirection, and others. |
Note: To allow external client devices to connect to a Unified Access Gateway appliance within the DMZ, the front-end firewall must allow traffic on certain ports. By default, the external client devices and external web clients (HTML Access) connect to a Unified Access Gateway appliance within the DMZ on TCP port 443. If you use the Blast protocol, port 8443 must be open on the firewall. If you use Blast through TCP port 443, there is no need to open TCP 8443 on the firewall.
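The two-firewall design described at the top of this page requires the back-end firewall to accept only traffic that originates from services in the DMZ, and the note about UDP ports requires reply datagrams to be allowed back. The script below, added here as an example and not part of the VMware documentation, turns the Unified Access Gateway-to-internal rows of Table 2 into an iptables ruleset for the back-end firewall's FORWARD chain: a conntrack rule for reply traffic first, one explicit ACCEPT per table row, then log-and-drop for anything else sourced from the appliance. The addresses (192.0.2.10 for the appliance, 198.51.100.20 for the Connection Server, 203.0.113.0/24 for desktops and RDS hosts) and the `backend_rules` function are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the VMware documentation: emit a back-end firewall
# ruleset (iptables syntax) for the Horizon traffic in Table 2, following the
# two-firewall design on this page. Only flows that originate from the UAG in
# the DMZ are accepted, reply packets (including UDP reply datagrams) pass via
# conntrack, and everything else from the DMZ appliance is logged and dropped.
# All addresses passed in are constructed values, not real ones.

# backend_rules <uag_ip> <connection_server_ip> <desktop_subnet_cidr>
backend_rules() {
    uag="$1"; cs="$2"; desk="$3"

    echo "iptables -P FORWARD DROP"
    # Reply traffic for flows the UAG opened. This is what lets the UDP reply
    # datagrams (Blast, PCoIP) back through without opening the inbound direction.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Columns: proto port destination description (rows from Table 2, UAG -> internal)
    while read -r proto port dst desc; do
        [ -z "$proto" ] && continue
        echo "iptables -A FORWARD -s $uag -d $dst -p $proto --dport $port -m comment --comment \"$desc\" -j ACCEPT"
    done <<EOF
tcp 443 $cs Horizon Client XML-API, Blast Extreme HTML Access, HACA
tcp 22443 $desk Blast Extreme
udp 22443 $desk Blast Extreme
tcp 4172 $desk PCoIP (optional)
udp 4172 $desk PCoIP (optional)
tcp 32111 $desk Framework channel for USB Redirection
tcp 3389 $desk RDP (only if Horizon Clients use RDP)
tcp 9427 $desk MMR, CDR and HTML5 features
EOF

    # Default deny for anything else from the DMZ appliance; the LOG rule gives
    # the SOC a signal if the appliance ever tries to reach something unexpected.
    echo "iptables -A FORWARD -s $uag -j LOG --log-prefix \"DMZ-DENY \""
    echo "iptables -A FORWARD -s $uag -j DROP"
}

# Count the ACCEPT rules in a generated ruleset (sanity check before applying).
accept_count() {
    grep -c -- '-j ACCEPT'
}

backend_rules 192.0.2.10 198.51.100.20 203.0.113.0/24
```

Review the generated rules before applying them: drop the 3389 and PCoIP rows if your clients do not use RDP or PCoIP, since each row the table marks optional is an extra path from the DMZ into the internal network. Nothing in the output permits a flow that starts on the internal side and ends at the appliance, which is the property the back-end firewall is there to enforce.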
Table 3. Port Requirements for Web Reverse Proxy
| Port | Protocol | Source | Target | Description |
|---|---|---|---|---|
| 443 | TCP | Internet | Unified Access Gateway | Web traffic |
| Any | TCP | Unified Access Gateway | Intranet Site | Any configured custom port on which the intranet site is listening, for example 80, 443, 8080, and so on. |
| 88 | TCP | Unified Access Gateway | KDC Server/AD Server | Required for Identity Bridging to access AD if SAML to Kerberos or Certificate to Kerberos is configured. |
| 88 | UDP | Unified Access Gateway | KDC Server/AD Server | Required for Identity Bridging to access AD if SAML to Kerberos or Certificate to Kerberos is configured. |
Table 4. Port Requirements for Admin UI
| Port | Protocol | Source | Target | Description |
|---|---|---|---|---|
| 9443 | TCP | Admin UI | Unified Access Gateway | Management interface |
Table 5. Port Requirements for Content Gateway Basic Endpoint Configuration
| Port | Protocol | Source | Target | Description |
|---|---|---|---|---|
| Any port > 1024 or 443* | HTTPS | Devices (from Internet and Wi-Fi) | Unified Access Gateway Content Gateway Endpoint | If 443 is used, Content Gateway listens on port 10443. |
| Any port > 1024 or 443* | HTTPS | Workspace ONE UEM Device Services | Unified Access Gateway Content Gateway Endpoint | |
| Any port > 1024 or 443* | HTTPS | Workspace ONE UEM Console | Unified Access Gateway Content Gateway Endpoint | If 443 is used, Content Gateway listens on port 10443. |
| Any port > 1024 or 443* | HTTPS | Unified Access Gateway Content Gateway Endpoint | Workspace ONE UEM API Server | |
| Any port on which the repository is listening | HTTP or HTTPS | Unified Access Gateway Content Gateway Endpoint | Web-based content repositories (SharePoint, WebDAV, CMIS, and so on) | Any configured custom port on which the intranet site is listening. |
| 137–139 and 445 | CIFS or SMB | Unified Access Gateway Content Gateway Endpoint | Network share-based repositories (Windows file shares) | Intranet shares |
Table 6. Port Requirements for Content Gateway Relay Endpoint Configuration
| Port | Protocol | Source | Target/Destination | Description |
|---|---|---|---|---|
| Any port > 1024 or 443* | HTTP/HTTPS | Unified Access Gateway Relay Server (Content Gateway Relay) | Unified Access Gateway Content Gateway Endpoint | *If 443 is used, Content Gateway listens on port 10443. |
| Any port > 1024 or 443* | HTTPS | Devices (from Internet and Wi-Fi) | Unified Access Gateway Relay Server (Content Gateway Relay) | *If 443 is used, Content Gateway listens on port 10443. |
| Any port > 1024 or 443* | TCP | Workspace ONE UEM Device Services | Unified Access Gateway Relay Server (Content Gateway Relay) | *If 443 is used, Content Gateway listens on port 10443. |
| Any port > 1024 or 443* | HTTPS | Workspace ONE UEM Console | Unified Access Gateway Relay Server (Content Gateway Relay) | *If 443 is used, Content Gateway listens on port 10443. |
| Any port > 1024 or 443* | HTTPS | Unified Access Gateway Content Gateway Relay | Workspace ONE UEM API Server | *If 443 is used, Content Gateway listens on port 10443. |
| Any port > 1024 or 443* | HTTPS | Unified Access Gateway Content Gateway Endpoint | Workspace ONE UEM API Server | *If 443 is used, Content Gateway listens on port 10443. |
| Any port on which the repository is listening | HTTP or HTTPS | Unified Access Gateway Content Gateway Endpoint | Web-based content repositories (SharePoint, WebDAV, CMIS, and so on) | Any configured custom port on which the intranet site is listening. |
| Any port > 1024 or 443* | HTTPS | Unified Access Gateway (Content Gateway Relay) | Unified Access Gateway Content Gateway Endpoint | *If 443 is used, Content Gateway listens on port 10443. |
| 137–139 and 445 | CIFS or SMB | Unified Access Gateway Content Gateway Endpoint | Network share-based repositories (Windows file shares) | Intranet shares |
Note: Since Content Gateway service runs as a non-root user in Unified Access Gateway, Content Gateway cannot run on system ports and therefore, custom ports should be > 1024.
Table 7. Port Requirements for VMware Tunnel
| Port | Protocol | Source | Target/Destination | Verification | Note (see the Note section at the bottom of the page) |
|---|---|---|---|---|---|
| 8443* | TCP, UDP | Devices (from Internet and Wi-Fi) | VMware Tunnel Per-App Tunnel | Run the following command after installation: `netstat -tlpn \| grep [Port]` | 1 |
Table 8. VMware Tunnel Basic Endpoint Configuration
| Port | Protocol | Source | Target/Destination | Verification | Note (see the Note section at the bottom of the page) |
|---|---|---|---|---|---|
| SaaS: 443; On-Prem: 2001* | HTTPS | VMware Tunnel | AirWatch Cloud Messaging Server | `curl -Ivv https://<AWCM URL>:<port>/awcm/status/ping` The expected response is HTTP 200 OK. | 2 |
| SaaS: 443; On-Prem: 80 or 443 | HTTP or HTTPS | VMware Tunnel | Workspace ONE UEM REST API Endpoint (SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Prem: most commonly your DS or Console server) | `curl -Ivv https://<API URL>/api/mdm/ping` The expected response is HTTP 401 Unauthorized. | 5 |
| 80, 443, any TCP | HTTP, HTTPS, or TCP | VMware Tunnel | Internal Resources | Confirm that the VMware Tunnel can access internal resources over the required port. | 4 |
| 514* | UDP | VMware Tunnel | Syslog Server | | |
Table 9. VMware Tunnel Cascade Configuration
| Port | Protocol | Source | Target/Destination | Verification | Note (see the Note section at the bottom of the page) |
|---|---|---|---|---|---|
| SaaS: 443; On-Prem: 2001* | TLS v1.2 | VMware Tunnel Front-End | AirWatch Cloud Messaging Server | Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response. | 2 |
| 8443 | TLS v1.2 | VMware Tunnel Front-End | VMware Tunnel Back-End | Telnet from the VMware Tunnel Front-End to the VMware Tunnel Back-End server on the listed port. | 3 |
| SaaS: 443; On-Prem: 2001 | TLS v1.2 | VMware Tunnel Back-End | Workspace ONE UEM Cloud Messaging Server | Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response. | 2 |
| 80 or 443 | TCP | VMware Tunnel Back-End | Internal websites/web apps | | 4 |
| 80, 443, any TCP | TCP | VMware Tunnel Back-End | Internal resources | | 4 |
| 80 or 443 | HTTPS | VMware Tunnel Front-End and Back-End | Workspace ONE UEM REST API Endpoint (SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Prem: most commonly your DS or Console server) | `curl -Ivv https://<API URL>/api/mdm/ping` The expected response is HTTP 401 Unauthorized. | 5 |
Table 10. VMware Tunnel Front-end and Back-end Configuration
| Port | Protocol | Source | Target/Destination | Verification | Note (see the Note section at the bottom of the page) |
|---|---|---|---|---|---|
| SaaS: 443; On-Prem: 2001 | HTTP or HTTPS | VMware Tunnel Front-End | AirWatch Cloud Messaging Server | `curl -Ivv https://<AWCM URL>:<port>/awcm/status/ping` The expected response is HTTP 200 OK. | 2 |
| 80 or 443 | HTTP or HTTPS | VMware Tunnel Back-End and Front-End | Workspace ONE UEM REST API Endpoint (SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Prem: most commonly your DS or Console server) | `curl -Ivv https://<API URL>/api/mdm/ping` The expected response is HTTP 401 Unauthorized. The VMware Tunnel Endpoint requires access to the REST API Endpoint only during initial deployment. | 5 |
| 2010* | HTTPS | VMware Tunnel Front-End | VMware Tunnel Back-End | Telnet from the VMware Tunnel Front-End to the VMware Tunnel Back-End server on the listed port. | 3 |
| 80, 443, any TCP | HTTP, HTTPS, or TCP | VMware Tunnel Back-End | Internal resources | Confirm that the VMware Tunnel can access internal resources over the required port. | 4 |
| 514* | UDP | VMware Tunnel | Syslog Server | | |

The following notes apply to the VMware Tunnel port requirements in Tables 7 to 10.

Note: * This port can be changed, if needed, based on your environment's restrictions.
  1. If port 443 is used, Per-App Tunnel will listen on port 8443.
    Note: When VMware Tunnel and Content Gateway services are enabled on the same appliance, and TLS Port Sharing is enabled, the DNS names must be unique for each service. When TLS is not enabled only one DNS name can be used for both services as the port will differentiate the incoming traffic. (For Content Gateway, if port 443 is used, Content Gateway will listen on port 10443.)
  2. For the VMware Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes.
  3. For VMware Tunnel Front-end topologies to forward device requests to the internal VMware Tunnel Back-end only.
  4. For applications using VMware Tunnel to access internal resources.
  5. The VMware Tunnel must communicate with the API for initialization. Ensure that there is connectivity between the REST API and the VMware Tunnel server. Navigate to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API server URL. This page is not available to SaaS customers. The REST API URL for SaaS customers is most commonly your Console or Devices Services server URL.
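The Verification column in Tables 7 to 10 tells you what to run and what to expect, but not how to turn that into a repeatable post-install check. The script below, added here as an example and not part of the VMware documentation, does that offline: `internal_listen_port` applies the 443 remapping rules stated in the notes and tables (SEG 11443, Content Gateway 10443, Per-App Tunnel 8443, Horizon UDP Tunnel Server 9443), `port_is_listening` parses `netstat -tlpn` output, and `http_status` pulls the final status code out of `curl -Ivv` output so that 200 from the AWCM ping and 401 from the REST API ping can be asserted rather than eyeballed. The sample command output and the function names are constructed for this example; on a real appliance you would pipe the live commands into the same functions.

```shell
#!/bin/sh
# Added example, not from the VMware documentation: offline checks that mirror
# the "Verification" column of the VMware Tunnel tables and the 443 port-mapping
# notes. The functions parse command output passed on stdin; the samples below
# are constructed, not captured from a real appliance. On an appliance you would
# feed them live output, for example:
#   netstat -tlpn | port_is_listening 8443
#   curl -sIvv https://AWCM_HOST:443/awcm/status/ping 2>&1 | http_status

# Map the configured external port to the port the service really listens on.
# 443 is remapped as the page's notes state; other ports are used as configured.
internal_listen_port() {
    service="$1"; port="$2"
    if [ "$port" -eq 443 ]; then
        case "$service" in
            seg)         echo 11443 ;;   # Secure Email Gateway (Table 1)
            cg)          echo 10443 ;;   # Content Gateway (Tables 5 and 6)
            tunnel)      echo 8443  ;;   # Per-App Tunnel (note 1)
            horizon-udp) echo 9443  ;;   # UDP Tunnel Server (Table 2)
            *)           echo "$port" ;;
        esac
    else
        echo "$port"
    fi
}

# Read `netstat -tlpn` output on stdin; succeed only if a TCP socket is in
# LISTEN state on exactly that port (":8443" must not satisfy a check for 443).
port_is_listening() {
    awk -v p="$1" '$1 ~ /^tcp/ && $4 ~ (":" p "$") && $6 == "LISTEN" { found = 1 }
                   END { exit !found }'
}

# Read `curl -Ivv` output on stdin; print the last HTTP status code seen.
# Verbose lines carry a "< " prefix, plain header output does not; both are handled.
http_status() {
    awk '/^(< )?HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { sub(/^< /, ""); code = $2 }
         END { print code }'
}

# --- constructed samples of what the commands in the tables would print ---
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      1234/java
tcp        0      0 0.0.0.0:9443            0.0.0.0:*               LISTEN      1201/java
tcp6       0      0 :::10443                :::*                    LISTEN      1300/java'

AWCM_SAMPLE='< HTTP/1.1 200 OK
< Content-Type: text/plain
< Content-Length: 2'

API_SAMPLE='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="constructed"
Content-Length: 0'

# Run the three checks a Per-App Tunnel deployment needs; return 0 only if all pass.
verify_tunnel_endpoint() {
    rc=0
    lp=$(internal_listen_port tunnel 443)
    if printf '%s\n' "$NETSTAT_SAMPLE" | port_is_listening "$lp"; then
        echo "PASS Per-App Tunnel listening on $lp"
    else
        echo "FAIL nothing listening on $lp"; rc=1
    fi
    st=$(printf '%s\n' "$AWCM_SAMPLE" | http_status)
    if [ "$st" = 200 ]; then echo "PASS AWCM status ping returned 200"
    else echo "FAIL AWCM status ping returned '${st}' (expected 200)"; rc=1; fi
    st=$(printf '%s\n' "$API_SAMPLE" | http_status)
    # 401 is the expected answer: the endpoint is reachable and demands credentials.
    if [ "$st" = 401 ]; then echo "PASS REST API ping returned 401"
    else echo "FAIL REST API ping returned '${st}' (expected 401)"; rc=1; fi
    return $rc
}

verify_tunnel_endpoint
```

Checking for the remapped listener rather than the configured port is the point of `internal_listen_port`: a firewall rule that allows 443 to the appliance is correct, but a `netstat` check for 443 on the appliance itself would report a false failure, because the service is bound to 8443, 10443 or 11443 behind the internal redirect.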