VMware Tunnel Proxy can be configured using either of the following two configuration models:
- Basic Endpoint (single-tier) using a VMware Tunnel Proxy Endpoint
- Relay-Endpoint (multi-tier) using a VMware Tunnel Proxy Relay and VMware Tunnel Proxy Endpoint

Source | Target or Destination | Protocol | Port | Verification | Notes |
---|---|---|---|---|---|
Devices (from Internet and Wi-Fi) | VMware Tunnel Proxy Endpoint | HTTPS | 2020* | Run the following command after installation: `netstat -tlpn \| grep [Port]` | Devices connect to the public DNS configured for VMware Tunnel over the specified port. |
VMware Tunnel Proxy Endpoint | Workspace ONE UEM Cloud Messaging Server | HTTPS | SaaS:443 On-Premises:2001* | `curl -Ivv https://<AWCM URL>:<port>/awcm/status/ping` The expected response is HTTP 200 OK. | For the VMware Tunnel Proxy to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2. |
VMware Tunnel Proxy Endpoint | UEM REST API | HTTP or HTTPS | SaaS:443 On-Premises:2001* | `curl -Ivv https://<API URL>/api/mdm/ping` The expected response is HTTP 401 unauthorized. | The VMware Tunnel Proxy must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API URL. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the REST API URL is most commonly the Console URL or Devices Services URL. |
VMware Tunnel Proxy Endpoint | Internal resources | HTTP, HTTPS, or TCP | 80, 443, any TCP | Confirm that the VMware Tunnel Proxy Endpoint can access internal resources over the required port. | For applications using VMware Tunnel Proxy to access internal resources. Exact endpoints or ports are determined by where these resources are located. |
VMware Tunnel Proxy Endpoint | Syslog Server | UDP | 514* | | |
Workspace ONE UEM console | VMware Tunnel Proxy Endpoint | HTTPS | 2020* | On-Premises† customers can test the connection using the telnet command: `telnet <Tunnel ProxyURL> <port>` | This is required for a successful "Test Connection" to the VMware Tunnel Proxy Endpoint from the Workspace ONE UEM console. |

Source | Target or Destination | Protocol | Port | Verification | Notes |
---|---|---|---|---|---|
Devices (from Internet and Wi-Fi) | VMware Tunnel Proxy Relay | HTTPS | 2020* | Run the following command after installation: `netstat -tlpn \| grep [Port]` | Devices connect to the public DNS configured for VMware Tunnel over the specified port. |
VMware Tunnel Proxy Relay | Workspace ONE UEM Cloud Messaging Server | HTTP or HTTPS | SaaS:443 On-Premises:2001* | `curl -Ivv https://<AWCM URL>:<port>/awcm/status/ping` The expected response is HTTP 200 OK. | For the VMware Tunnel Proxy to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2. |
VMware Tunnel Proxy Relay | UEM REST API | HTTP or HTTPS | SaaS:443 On-Premises:2001* | `curl -Ivv https://<API URL>/api/mdm/ping` The expected response is HTTP 401 unauthorized. The VMware Tunnel Proxy Relay requires access to the UEM REST API only during initial deployment. | The VMware Tunnel Proxy must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API URL. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the REST API URL is most commonly the Console URL or Devices Services URL. |
VMware Tunnel Proxy Endpoint | UEM REST API | HTTP or HTTPS | SaaS:443 On-Premises:2001* | `curl -Ivv https://<API URL>/api/mdm/ping` The expected response is HTTP 401 unauthorized. The VMware Tunnel Proxy Relay requires access to the UEM REST API only during initial deployment. | The VMware Tunnel Proxy must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API URL. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the REST API URL is most commonly the Console URL or Devices Services URL. |
VMware Tunnel Proxy Relay | VMware Tunnel Proxy Endpoint | HTTPS | 2010* | Telnet from VMware Tunnel Proxy Relay to the VMware Tunnel Proxy Endpoint on port 2010. | To forward device requests from the Relay to the Endpoint server. This needs to support a minimum of TLS 1.2. |
VMware Tunnel Proxy Endpoint | Internal resources | HTTP, HTTPS, or TCP | 80, 443, any TCP | Confirm that the VMware Tunnel Proxy Endpoint can access internal resources over the required port. | For applications using VMware Tunnel Proxy to access internal resources. Exact endpoints or ports are determined by where these resources are located. |
VMware Tunnel Proxy Endpoint | Syslog Server | UDP | 514* | | |
Workspace ONE UEM console | VMware Tunnel Proxy Relay | HTTPS | 2020* | On-Premises† customers can test the connection using the telnet command: `telnet <Tunnel ProxyURL> <port>` | This is required for a successful "Test Connection" to the VMware Tunnel Proxy Relay from the Workspace ONE UEM console. |

- * This port can be changed based on your environment's restrictions.
- † On-Premises means the location of the Workspace ONE UEM console.
- ‡ For SaaS customers who need to whitelist outbound communication, refer to the VMware Knowledge Base article that lists up-to-date IP ranges: https://support.workspaceone.com/articles/115001662168-.
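
The checks in the Verification column can be scripted so that each one gives a clear pass or fail. The following is an added example, not VMware code: the variables `AWCM_URL`, `AWCM_PORT`, `API_URL` and `TUNNEL_PORT` are assumed placeholders for the `<...>` values in the tables, and the netstat sample is constructed.

```shell
#!/bin/sh
# Added example (not VMware code). AWCM_URL, AWCM_PORT, API_URL and TUNNEL_PORT
# are operator-supplied placeholders for the <...> values in the tables.

# Constructed sample of `netstat -tln` output, used to show the matching logic.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp        0      0 0.0.0.0:12020    0.0.0.0:*        LISTEN
tcp6       0      0 :::2010          :::*             LISTEN'

# Reads netstat output on stdin; succeeds only if a TCP socket listens on
# exactly port $1. A bare `grep 2020` would also match 12020 or a PID.
port_listening() {
    awk -v p="$1" '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":"); if (a[n] == p) found = 1
    } END { exit !found }'
}

# Prints the HTTP status code for URL $1, or 000 if the connection or the
# TLS handshake fails. --tlsv1.2 makes curl refuse anything older than TLS 1.2.
http_status() {
    curl --silent --output /dev/null --max-time 10 --tlsv1.2 \
        --write-out '%{http_code}' "$1" || true
}

# expect_status NAME URL CODE: prints PASS/FAIL, returns non-zero on mismatch.
expect_status() {
    local name="$1" url="$2" want="$3" got
    got=$(http_status "$url")
    if [ "$got" = "$want" ]; then
        echo "PASS $name ($got)"
    else
        echo "FAIL $name: expected $want, got ${got:-none}"
        return 1
    fi
}

run_checks() {
    rc=0
    port="${TUNNEL_PORT:-2020}"
    if netstat -tln | port_listening "$port"; then echo "PASS listener on $port"
    else echo "FAIL no listener on $port"; rc=1; fi
    expect_status "AWCM ping" "https://$AWCM_URL:$AWCM_PORT/awcm/status/ping" 200 || rc=1
    expect_status "REST API ping" "https://$API_URL/api/mdm/ping" 401 || rc=1
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it with `--run` on the Tunnel Proxy host; a `000` status means the TCP connection or the TLS 1.2 handshake failed, which points to a firewall or protocol problem rather than an application error.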