Port Requirements for VMware Per-App Tunnel

VMware Per-App Tunnel can be configured using either of the following two configuration models:

Basic Endpoint (single-tier) using a VMware Per-App Tunnel Basic Endpoint
Cascade (multi-tier) using a VMware Per-App Tunnel Front-End and VMware Per-App Tunnel Back-End

Table 1. Port Requirements for VMware Per-App Tunnel Basic Endpoint Configuration
Source	Destination	Protocol	Port	Verification	Notes
Devices (from Internet and Wi-Fi)	VMware Per-App Tunnel Basic Endpoint	TCP, UDP	8443*	Run the following command after installation: netstat -tlpn \| grep [Port]	Devices connect to the public DNS configured for VMware Tunnel over the specified port. If 443 is used, Per-App Tunnel component listens on port 8443.
VMware Per-App Tunnel Basic Endpoint	Workspace ONE UEM Cloud Messaging Server	HTTPS	SaaS:443 On-Premises:2001*	Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response.	For the VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2.
VMware Per-App Tunnel Basic Endpoint	Internal websites/web apps/resources	HTTP, HTTPS, or TCP	80, 443, any required TCP		For applications using VMware Per-App Tunnel to access internal resources. Exact endpoints or ports are determined by where these resources are located.
VMware Per-App Tunnel Basic Endpoint	UEM REST API SaaS‡: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com On-Premises†: Most commonly Device Services or Console server	HTTP or HTTPS	80 or 443	curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 unauthorized	The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API URL. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the REST API URL is most commonly the Console URL or Devices Services URL.

Table 2. Port Requirements for VMware Per-App Tunnel Cascade Configuration
Source	Destination	Protocol	Port	Verification	Notes
Devices (from Internet and Wi-Fi)	VMware Per-App Tunnel Front-End	TCP, UDP	8443*	Run the following command after installation: netstat -tlpn \| grep [Port]	Devices connect to the public DNS configured for VMware Tunnel over the specified port. If 443 is used, Per-App Tunnel component listens on port 8443.
VMware Per-App Tunnel Front-End	Workspace ONE UEM Cloud Messaging Server	HTTPS	SaaS:443 On-Premises:2001*	Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response.	For the VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2.
VMware Per-App Tunnel Front-End	VMware Per-App Tunnel Back-End	TCP	8443	Telnet from VMware Per-App Tunnel Front-End to the VMware Per-App Tunnel Back-End on port 8443.	To forward device requests from the Front-End to the Back-End server. This needs to support a minimum of TLS 1.2.
VMware Per-App Tunnel Back-End	Workspace ONE UEM Cloud Messaging Server	HTTPS	SaaS:443 On-Premises:2001*	Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response.	For VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2.
VMware Tunnel Back-End	Internal websites/web apps/resources	HTTP, HTTPS, or TCP	80, 443, any required TCP		For applications using VMware Per-App Tunnel to access internal resources. Exact endpoints or ports are determined by where these resources are located.
VMware Per-App Tunnel Front-End	UEM REST API SaaS‡: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com On-Premises†: Most commonly Device Services or Console server	HTTP or HTTPS	80 or 443	curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 unauthorized	The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API URL. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the REST API URL is most commonly the Console URL or Devices Services URL.
VMware Per-App Tunnel Back-End	UEM REST API SaaS‡: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com On-Premises†: Most commonly Device Services or Console server	HTTP or HTTPS	80 or 443	curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 unauthorized	The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API URL. This page is not available to Workspace ONE UEM SaaS customers. Workspace ONE UEM SaaS customers, the REST API URL is most commonly the Console URL or Devices Services URL.

NOTES

* This port can be changed based on your environment's restrictions.
† On-Premises means the location of the Workspace ONE UEM console.
‡ For SaaS customers who need to whitelist outbound communication, refer to the VMware Knowledge Base article that lists up-to-date IP ranges: https://support.workspaceone.com/articles/115001662168-.

For SaaS customers who need to whitelist outbound communication, refer to the following Knowledge Base article that lists up-to-date IP ranges that VMware currently owns: VMware Workspace ONE IP ranges for SaaS data centers.