DMZ-based Unified Access Gateway appliances require certain firewall rules on the front-end and back-end firewalls. During installation, Unified Access Gateway services are set up to listen on certain network ports by default.
A DMZ-based Unified Access Gateway appliance deployment usually includes two firewalls:
- An external network-facing, front-end firewall is required to protect both the DMZ and the internal network. You configure this firewall to allow external network traffic to reach the DMZ.
- A back-end firewall between the DMZ and the internal network is required to provide a second tier of security. You configure this firewall to accept only traffic that originates from the services within the DMZ.
Firewall policy strictly controls inbound communications from DMZ service, which greatly reduces the risk of compromising your internal network.
The following tables list the port requirements for the different services within
Unified Access Gateway.
Note: All UDP ports require forward datagrams and reply datagrams to be allowed.
Unified Access Gateway services use DNS to resolve hostnames. The DNS server IP addresses are configurable. DNS requests are made on UDP port 53 and so it is important that an external firewall does not block these requests or replies.
| Port | Protocol | Source | Target/Destination | Description |
|---|---|---|---|---|
| 443* or any port greater than 1024 | HTTPS | Devices (from Internet and Wi-Fi) | Unified Access Gateway Secure Email Gateway endpoint |
Secure Email Gateway listens on port 11443. When 443 or any other port is configured, Unified Access Gateway will internally route the SEG traffic to 11443. |
| 443* or any port greater than 1024 | HTTPS | Workspace ONE UEM Console | Unified Access Gateway Secure Email Gateway endpoint |
Secure Email Gateway listens on port 11443. When 443 or any other port is configured, Unified Access Gateway will internally route the SEG traffic to 11443. |
| 443* or any port greater than 1024 | HTTPS | Email Notification Service (when enabled) | Unified Access Gateway Secure Email Gateway endpoint |
Secure Email Gateway listens on port 11443. When 443 or any other port is configured, Unified Access Gateway will internally route the SEG traffic to 11443. |
| 5701 | TCP | Secure Email Gateway | Secure Email Gateway | Used for Hazelcast distributed cache. |
| 41232 | TLS/TCP | Secure Email Gateway | Secure Email Gateway | Used for Vertx cluster management. |
| 44444 | HTTPS | Secure Email Gateway | Secure Email Gateway | Used for Diagnostic and Administrative functionalities. |
| Any | HTTPS | Secure Email Gateway | Email Server | SEG connects to Email server's listener port, usually 443, to serve email traffic |
| Any | HTTPS | Secure Email Gateway | Workspace ONE UEM API server | SEG fetches the configuration and policy data from Workspace ONE. Port is usually 443. |
| 88 | TCP | Secure Email Gateway | KDC Server/AD Server | Used for fetching Kerberos authentication tokens when KCD authentication is enabled. |
Note: As the Secure Email Gateway (SEG) service runs as a non-root user in the Unified Access Gateway, the SEG cannot run on the system ports. Therefore, the custom ports must be greater than port 1024.
| Port | Protocol | Source | Target | Description |
|---|---|---|---|---|
| 443 | TCP | Internet | Unified Access Gateway | For web traffic, Horizon Client XML - API, Horizon Tunnel, and Blast Extreme |
| 443 | UDP | Internet | Unified Access Gateway | UDP 443 is internally forwarded to UDP 9443 on UDP Tunnel Server service on Unified Access Gateway. |
| 8443 | UDP | Internet | Unified Access Gateway | Blast Extreme (optional) |
| 8443 | TCP | Internet | Unified Access Gateway | Blast Extreme (optional) |
| 4172 | TCP and UDP | Internet | Unified Access Gateway | PCoIP (optional) |
| 443 | TCP | Unified Access Gateway | Horizon Connection Server | Horizon Client XML-API, Blast extreme HTML access, Horizon Air Console Access (HACA) |
| 22443 | TCP and UDP | Unified Access Gateway | Desktops and RDS Hosts | Blast Extreme |
| 4172 | TCP and UDP | Unified Access Gateway | Desktops and RDS Hosts | PCoIP (optional) |
| 32111 | TCP | Unified Access Gateway | Desktops and RDS Hosts | Framework channel for USB Redirection |
| 3389 | TCP | Unified Access Gateway | Desktops and RDS Hosts | Only required if the Horizon Clients use the RDP protocol. |
| 9427 | TCP | Unified Access Gateway | Desktops and RDS Hosts | MMR, CDR, and HTML5 features For example, Microsoft Teams Optimization, Browser Redirection, and others. |
Note: To allow external client devices to connect to a
Unified Access Gateway appliance within the DMZ, the front-end firewall must allow traffic on certain ports. By default, the external client devices and external web clients (HTML Access) connect to a
Unified Access Gateway appliance within the DMZ on TCP port 443. If you use the Blast protocol, port 8443 must be open on the firewall. If you use Blast through TCP port 443, there is no need to open TCP 8443 on the firewall.
| Port | Protocol | Source | Target | Description |
|---|---|---|---|---|
| 443 | TCP | Internet | Unified Access Gateway | For web traffic |
| Any | TCP | Unified Access Gateway | Intranet Site | Any configured custom port on which the Intranet is listening. For example, 80, 443, 8080 and so on. |
| 88 | TCP | Unified Access Gateway | KDC Server/AD Server | Required for Identity Bridging to access AD if SAML to Kerberos/Certificate to Kerberos is configured. |
| 88 | UDP | Unified Access Gateway | KDC Server/AD Server | Required for Identity Bridging to access AD if SAML to Kerberos/Certificate to Kerberos is configured. |
| Port | Protocol | Source | Target | Description |
|---|---|---|---|---|
| 9443 | TCP | Admin UI | Unified Access Gateway | Management interface |
| Port | Protocol | Source | Target | Description |
|---|---|---|---|---|
| Any port > 1024 or 443* | HTTPS | Devices (from Internet and Wi-Fi) | Unified Access Gateway Content Gateway Endpoint | If 443 is used, Content Gateway will listen on port 10443. |
| Any port > 1024 or 443* | HTTPS | Workspace ONE UEM Device Services | Unified Access Gateway Content Gateway Endpoint | |
| Any port > 1024 or 443* | HTTPS | Workspace ONE UEM Console | Unified Access Gateway Content Gateway Endpoint | If 443 is used, Content Gateway will listen on port 10443. |
| Any port > 1024 or 443* | HTTPS | Unified Access Gateway Content Gateway Endpoint | Workspace ONE UEM API Server | |
| Any port where the repository is listening to. | HTTP or HTTPS | Unified Access Gateway Content Gateway Endpoint | Web-based content repositories such as (SharePoint/WebDAV/CMIS, and so on | Any configured custom port on which the Intranet site is listening to. |
| 137–139 and 445 | CIFS or SMB | Unified Access Gateway Content Gateway Endpoint | Network Share-based repositories (Windows file shares) | Intranet Shares |
| Port | Protocol | Source | Target/Destination | Description |
|---|---|---|---|---|
| Any port > 1024 or 443* | HTTP/HTTPS | Unified Access Gateway Relay Server(Content Gateway Relay) | Unified Access Gateway Content Gateway Endpoint | *If 443 is used, Content Gateway will listen on port 10443. |
| Any port > 1024 or 443* | HTTPS | Devices (from Internet and Wi-Fi) | Unified Access Gateway Relay Server(Content Gateway Relay) | *If 443 is used, Content Gateway will listen on port 10443. |
| Any port > 1024 or 443* | TCP | Workspace ONE UEM Device Services | Unified Access Gateway Relay Server(Content Gateway Relay) | *If 443 is used, Content Gateway will listen on port 10443. |
| Any port > 1024 or 443* | HTTPS | Workspace ONE UEM Console | Unified Access Gateway Relay Server(Content Gateway Relay) | *If 443 is used, Content Gateway will listen on port 10443. |
| Any port > 1024 or 443* | HTTPS | Unified Access Gateway Content Gateway Relay | Workspace ONE UEM API Server | *If 443 is used, Content Gateway will listen on port 10443. |
| Any port > 1024 or 443* | HTTPS | Unified Access Gateway Content Gateway Endpoint | Workspace ONE UEM API Server | *If 443 is used, Content Gateway will listen on port 10443. |
| Any port where the repository is listening to. | HTTP or HTTPS | Unified Access Gateway Content Gateway Endpoint | Web-based content repositories such as (SharePoint/WebDAV/CMIS, and so on | Any configured custom port on which the Intranet site is listening to. |
| Any port > 1024 or 443* | HTTPS | Unified Access Gateway (Content Gateway Relay) | Unified Access Gateway Content Gateway Endpoint | *If 443 is used, Content Gateway will listen on port 10443. |
| 137–139 and 445 | CIFS or SMB | Unified Access Gateway Content Gateway Endpoint | Network Share-based repositories (Windows file shares) | Intranet Shares |
Note: Since
Content Gateway service runs as a non-root user in
Unified Access Gateway,
Content Gateway cannot run on system ports and therefore, custom ports should be > 1024.
| Port | Protocol | Source | Target/Destination | Verification | Note (See the Note section at the bottom of the page) |
|---|---|---|---|---|---|
| 8443 * | TCP, UDP | Devices (from Internet and Wi-Fi) | VMware Tunnel Per-App tunnel | Run the following command after installation: netstat -tlpn | grep [Port] | 1 |
| Port | Protocol | Source | Target/Destination | Verification | Note (See the Note section at the bottom of the page) |
|---|---|---|---|---|---|
| SaaS: 443 : 2001 * |
HTTPS | VMware Tunnel | AirWatch Cloud Messaging Server | curl -Ivv https://<AWCM URL>:<port>/awcm/status/ping
The expected response is
HTTP 200 OK. |
2 |
| SaaS: 443 On-Prem: 80 or 443 |
HTTP or HTTPS | VMware Tunnel | Workspace ONE UEM REST API Endpoint
|
curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 unauthorized. |
5 |
| 80,443, any TCP | HTTP, HTTPS, or TCP | VMware Tunnel | Internal Resources | Confirm that the VMware Tunnel can access internal resources over the required port. | 4 |
| 514 * | UDP | VMware Tunnel | Syslog Server |
| Port | Protocol | Source | Target/Destination | Verification | Note (See the Note section at the bottom of the page) |
|---|---|---|---|---|---|
| SaaS: 443 On-Prem: 2001 * |
TLS v1.2 | VMware Tunnel Front-End | AirWatch Cloud Messaging Server | Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response. | 2 |
| 8443 | TLS v1.2 | VMware Tunnel Front-End | VMware Tunnel Back-End | Telnet from VMware Tunnel Front-End to the VMware Tunnel Back-End server on port | 3 |
| SaaS: 443 On-Prem: 2001 |
TLS v1.2 | VMware Tunnel Back-End | Workspace ONE UEM Cloud Messaging Server | Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response. | 2 |
| 80 or 443 | TCP | VMware Tunnel Back-End | Internal websites/web apps | 4 | |
| 80, 443, any TCP | TCP | VMware Tunnel Back-End | Internal resources | 4 | |
| 80 or 443 | HTTPS | VMware Tunnel Front-End and Back-End | Workspace ONE UEM REST API Endpoint
|
curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 unauthorized. |
5 |
| Port | Protocol | Source | Target/Destination | Verification | Note (See the Note section at the bottom of the page) |
|---|---|---|---|---|---|
| SaaS: 443 On-Prem: 2001 |
HTTP or HTTPS | VMware Tunnel Front-End | AirWatch Cloud Messaging Server | curl -Ivv https://<AWCM URL>:<port>/awcm/status/ping The expected response is HTTP 200 OK. |
2 |
| 80 or 443 | HTTPS or HTTPS | VMware Tunnel Back-End and Front-End | Workspace ONE UEM REST API Endpoint
|
curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 unauthorized. The VMware Tunnel Endpoint requires access to the REST API Endpoint only during initial deployment. |
5 |
| 2010 * | HTTPS | VMware Tunnel Front-end | VMware Tunnel Back-end | Telnet from VMware Tunnel Front-end to the VMware Tunnel Back-end server on port | 3 |
| 80, 443, any TCP | HTTP, HTTPS, or TCP | VMware Tunnel Back-end | Internal resources | Confirm that the VMware Tunnel can access internal resources over the required port. | 4 |
| 514 * | UDP | VMware Tunnel | Syslog Server |
The following points are valid for the VMware Tunnel requirements.
Note:
* - This port can be changed if needed based on your environment's restrictions
- If port 443 is used, Per-App Tunnel will listen on port 8443.
Note: When VMware Tunnel and Content Gateway services are enabled on the same appliance, and TLS Port Sharing is enabled, the DNS names must be unique for each service. When TLS is not enabled only one DNS name can be used for both services as the port will differentiate the incoming traffic. (For Content Gateway, if port 443 is used, Content Gateway will listen on port 10443.)
- For the VMware Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes.
- For VMware Tunnel Front-end topologies to forward device requests to the internal VMware Tunnel Back-end only.
- For applications using VMware Tunnel to access internal resources.
- The VMware Tunnel must communicate with the API for initialization. Ensure that there is connectivity between the REST API and the VMware Tunnel server. Navigate to to set the REST API server URL. This page is not available to SaaS customers. The REST API URL for SaaS customers is most commonly your Console or Devices Services server URL.
