DMZ-based Unified Access Gateway appliances require certain firewall rules on the front-end and back-end firewalls. During installation, Unified Access Gateway services are set up to listen on certain network ports by default.

A DMZ-based Unified Access Gateway appliance deployment usually includes two firewalls:

  • An external network-facing, front-end firewall is required to protect both the DMZ and the internal network. You configure this firewall to allow external network traffic to reach the DMZ.

  • A back-end firewall between the DMZ and the internal network is required to provide a second tier of security. You configure this firewall to accept only traffic that originates from the services within the DMZ.

Firewall policy strictly controls inbound communications from DMZ services, which greatly reduces the risk of compromising your internal network.

The following tables list the port requirements for the different services within Unified Access Gateway.

Note: All UDP ports require forward datagrams and reply datagrams to be allowed.

Table 1. Port Requirements for Horizon View

| Port  | Protocol    | Source                 | Target                 | Description |
|-------|-------------|------------------------|------------------------|-------------|
| 443   | TCP         | Internet               | Unified Access Gateway | Web traffic, Horizon Client XML-API, Horizon Tunnel, and Blast Extreme |
| 443   | UDP         | Internet               | Unified Access Gateway | UDP 443 is internally forwarded to UDP 9443 on the UDP Tunnel Server service on Unified Access Gateway. |
| 8443  | UDP         | Internet               | Unified Access Gateway | Blast Extreme (optional) |
| 8443  | TCP         | Internet               | Unified Access Gateway | Blast Extreme (optional) |
| 4172  | TCP and UDP | Internet               | Unified Access Gateway | PCoIP (optional) |
| 443   | TCP         | Unified Access Gateway | Horizon Broker         | Horizon Client XML-API, Blast Extreme HTML Access, Horizon Air Console Access (HACA) |
| 22443 | TCP and UDP | Unified Access Gateway | Desktops and RDS Hosts | Blast Extreme |
| 4172  | TCP and UDP | Unified Access Gateway | Desktops and RDS Hosts | PCoIP (optional) |
| 32111 | TCP         | Unified Access Gateway | Desktops and RDS Hosts | Framework channel for USB Redirection |
| 9427  | TCP         | Unified Access Gateway | Desktops and RDS Hosts | MMR and CDR |

Note: To allow external client devices to connect to a Unified Access Gateway appliance within the DMZ, the front-end firewall must allow traffic on certain ports. By default, external client devices and external web clients (HTML Access) connect to a Unified Access Gateway appliance within the DMZ on TCP port 443. If you use the Blast protocol, port 8443 must be open on the firewall, but you can configure Blast for port 443 as well.
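As an added example that is not part of the VMware documentation, the following script generates an nftables ruleset for the back-end firewall described above: the forward chain defaults to drop, admits only connections the appliance in the DMZ originates to the internal Horizon hosts on the Table 1 ports, and relies on connection tracking to let the replies (including UDP reply datagrams) back through. The three addresses and the table name are placeholders chosen for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the UAG documentation): emit an nftables ruleset
# for the back-end firewall, admitting only traffic the DMZ appliance
# originates to the internal Horizon hosts on the Table 1 ports.
# All three addresses are placeholders chosen for this example.
set -e
UAG_DMZ_IP=${UAG_DMZ_IP:-192.0.2.10}             # appliance's back-end address (placeholder)
HORIZON_BROKER=${HORIZON_BROKER:-198.51.100.20}  # Horizon Broker (placeholder)
DESKTOP_NET=${DESKTOP_NET:-198.51.100.64/26}     # desktops and RDS hosts (placeholder)

# One accept rule: dmz_rule <tcp|udp> <destination> "<port, port, ...>" "<comment>"
# The source is always the appliance, so nothing else in the DMZ gets through.
dmz_rule() {
  printf '        ip saddr %s ip daddr %s %s dport { %s } accept comment "%s"\n' \
    "$UAG_DMZ_IP" "$2" "$1" "$3" "$4"
}

# Prints the complete ruleset. "policy drop" rejects anything not listed;
# "ct state established,related" lets replies back, including UDP reply
# datagrams, so the appliance-initiated flows in Table 1 are all that pass.
backend_ruleset() {
  cat <<'EOF'
table inet uag_backend {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
EOF
  dmz_rule tcp "$HORIZON_BROKER" 443 "Horizon Client XML-API, Blast HTML Access, HACA"
  dmz_rule tcp "$DESKTOP_NET" "22443, 4172, 32111, 9427" "Blast Extreme, PCoIP, USB redirection, MMR and CDR"
  dmz_rule udp "$DESKTOP_NET" "22443, 4172" "Blast Extreme and PCoIP datagrams"
  cat <<'EOF'
        log prefix "uag-backend-drop " counter drop
    }
}
EOF
}

backend_ruleset
```

Save the output to a file and syntax-check it with `nft -c -f <file>` before loading it; the final logging rule makes every dropped DMZ-to-internal attempt visible in the firewall log.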

Table 2. Port Requirements for Web Reverse Proxy

| Port | Protocol | Source                 | Target                 | Description |
|------|----------|------------------------|------------------------|-------------|
| 443  | TCP      | Internet               | Unified Access Gateway | Web traffic |
| Any  | TCP      | Unified Access Gateway | Intranet Site          | Any configured custom port on which the intranet site is listening, for example 80, 443, or 8080. |
| 88   | TCP      | Unified Access Gateway | KDC Server/AD Server   | Required for Identity Bridging to access AD if SAML to Kerberos or Certificate to Kerberos is configured. |
| 88   | UDP      | Unified Access Gateway | KDC Server/AD Server   | Required for Identity Bridging to access AD if SAML to Kerberos or Certificate to Kerberos is configured. |

Table 3. Port Requirements for Admin UI

| Port | Protocol | Source   | Target                 | Description          |
|------|----------|----------|------------------------|----------------------|
| 9443 | TCP      | Admin UI | Unified Access Gateway | Management interface |

Table 4. Port Requirements for Content Gateway Basic Endpoint Configuration

| Port                                   | Protocol      | Source                                          | Target                                                              | Description |
|----------------------------------------|---------------|-------------------------------------------------|---------------------------------------------------------------------|-------------|
| 443* or any port > 1024                | HTTPS         | Devices (from Internet and Wi-Fi)               | Unified Access Gateway Content Gateway Endpoint                     | If 443 is used, Content Gateway will listen on port 10443. |
| 443* or any port > 1024                | HTTPS         | VMware AirWatch Device Services                 | Unified Access Gateway Content Gateway Endpoint                     | |
| 443* or any port > 1024                | HTTPS         | Workspace ONE UEM Console                       | Unified Access Gateway Content Gateway Endpoint                     | If 443 is used, Content Gateway will listen on port 10443. |
| Any port on which the repository is listening | HTTP or HTTPS | Unified Access Gateway Content Gateway Endpoint | Web-based content repositories (SharePoint, WebDAV, CMIS, and so on) | Any configured custom port on which the intranet site is listening. |
| 137–139 and 445                        | CIFS or SMB   | Unified Access Gateway Content Gateway Endpoint | Network share-based repositories (Windows file shares)             | Intranet shares |

Table 5. Port Requirements for Content Gateway Relay Endpoint Configuration

| Port                                   | Protocol      | Source                                                    | Target/Destination                                                  | Description |
|----------------------------------------|---------------|-----------------------------------------------------------|---------------------------------------------------------------------|-------------|
| 443* or any port > 1024                | HTTP/HTTPS    | Unified Access Gateway Relay Server (Content Gateway Relay) | Unified Access Gateway Content Gateway Endpoint                   | If 443 is used, Content Gateway will listen on port 10443. |
| 443* or any port > 1024                | HTTPS         | Devices (from Internet and Wi-Fi)                         | Unified Access Gateway Relay Server (Content Gateway Relay)         | If 443 is used, Content Gateway will listen on port 10443. |
| 443* or any port > 1024                | TCP           | AirWatch Device Services                                  | Unified Access Gateway Relay Server (Content Gateway Relay)         | If 443 is used, Content Gateway will listen on port 10443. |
| 443* or any port > 1024                | HTTPS         | Workspace ONE UEM Console                                 | | |
| Any port on which the repository is listening | HTTP or HTTPS | Unified Access Gateway Content Gateway Endpoint       | Web-based content repositories (SharePoint, WebDAV, CMIS, and so on) | Any configured custom port on which the intranet site is listening. |
| 443* or any port > 1024                | HTTPS         | Unified Access Gateway (Content Gateway Relay)            | Unified Access Gateway Content Gateway Endpoint                     | If 443 is used, Content Gateway will listen on port 10443. |
| 137–139 and 445                        | CIFS or SMB   | Unified Access Gateway Content Gateway Endpoint           | Network share-based repositories (Windows file shares)             | Intranet shares |

Note: Because the Content Gateway service runs as a non-root user on Unified Access Gateway, it cannot bind system ports; custom ports should therefore be > 1024.

Table 6. Port Requirements for VMware Tunnel

| Port   | Protocol | Source                            | Target/Destination           | Verification | Note (see the Note section at the bottom of the page) |
|--------|----------|-----------------------------------|------------------------------|--------------|---|
| 2020 * | HTTPS    | Devices (from Internet and Wi-Fi) | VMware Tunnel Proxy          | Run the following command after installation: `netstat -tlpn \| grep [Port]` | |
| 8443 * | TCP      | Devices (from Internet and Wi-Fi) | VMware Tunnel Per-App Tunnel | Run the following command after installation: `netstat -tlpn \| grep [Port]` | 1 |

Table 7. VMware Tunnel Basic Endpoint Configuration

| Port                          | Protocol            | Source                    | Target/Destination | Verification | Note (see the Note section at the bottom of the page) |
|-------------------------------|---------------------|---------------------------|--------------------|--------------|---|
| SaaS: 443; On-Prem: 2001 *    | HTTPS               | VMware Tunnel             | AirWatch Cloud Messaging Server | `curl -Ivv https://<AWCM URL>:<port>/awcm/status/ping`; the expected response is HTTP 200 OK. | 2 |
| SaaS: 443; On-Prem: 80 or 443 | HTTP or HTTPS       | VMware Tunnel             | Workspace ONE UEM REST API Endpoint. SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Prem: most commonly your DS or Console server | `curl -Ivv https://<API URL>/api/mdm/ping`; the expected response is HTTP 401 Unauthorized. | 5 |
| 80, 443, any TCP              | HTTP, HTTPS, or TCP | VMware Tunnel             | Internal Resources | Confirm that the VMware Tunnel can access internal resources over the required port. | 4 |
| 514 *                         | UDP                 | VMware Tunnel             | Syslog Server      | | |
| On-Prem: 2020                 | HTTPS               | Workspace ONE UEM Console | VMware Tunnel Proxy | On-premises users can test the connection with telnet: `telnet <Tunnel Proxy URL> <port>` | 6 |

Table 8. VMware Tunnel Cascade Configuration

| Port                       | Protocol | Source                                | Target/Destination | Verification | Note (see the Note section at the bottom of the page) |
|----------------------------|----------|---------------------------------------|--------------------|--------------|---|
| SaaS: 443; On-Prem: 2001 * | TLS v1.2 | VMware Tunnel Front-End               | AirWatch Cloud Messaging Server | Verify by using wget to `https://<AWCM URL>:<port>/awcm/status` and ensuring you receive an HTTP 200 response. | 2 |
| 8443                       | TLS v1.2 | VMware Tunnel Front-End               | VMware Tunnel Back-End | Telnet from VMware Tunnel Front-End to the VMware Tunnel Back-End server on port | 3 |
| SaaS: 443; On-Prem: 2001   | TLS v1.2 | VMware Tunnel Back-End                | AirWatch Cloud Messaging Server | Verify by using wget to `https://<AWCM URL>:<port>/awcm/status` and ensuring you receive an HTTP 200 response. | 2 |
| 80 or 443                  | TCP      | VMware Tunnel Back-End                | Internal websites/web apps | | 4 |
| 80, 443, any TCP           | TCP      | VMware Tunnel Back-End                | Internal resources | | 4 |
| 80 or 443                  | HTTPS    | VMware Tunnel Front-End and Back-End  | Workspace ONE UEM REST API Endpoint. SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Prem: most commonly your DS or Console server | `curl -Ivv https://<API URL>/api/mdm/ping`; the expected response is HTTP 401 Unauthorized. | 5 |

Table 9. VMware Tunnel Relay-Endpoint Configuration

| Port                     | Protocol            | Source                          | Target/Destination | Verification | Note (see the Note section at the bottom of the page) |
|--------------------------|---------------------|---------------------------------|--------------------|--------------|---|
| SaaS: 443; On-Prem: 2001 | HTTP or HTTPS       | VMware Tunnel Relay             | AirWatch Cloud Messaging Server | `curl -Ivv https://<AWCM URL>:<port>/awcm/status/ping`; the expected response is HTTP 200 OK. | 2 |
| 80 or 443                | HTTP or HTTPS       | VMware Tunnel Endpoint and Relay | Workspace ONE UEM REST API Endpoint. SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Prem: most commonly your DS or Console server | `curl -Ivv https://<API URL>/api/mdm/ping`; the expected response is HTTP 401 Unauthorized. The VMware Tunnel Endpoint requires access to the REST API Endpoint only during initial deployment. | 5 |
| 2010 *                   | HTTPS               | VMware Tunnel Relay             | VMware Tunnel Endpoint | Telnet from VMware Tunnel Relay to the VMware Tunnel Endpoint server on port | 3 |
| 80, 443, any TCP         | HTTP, HTTPS, or TCP | VMware Tunnel Endpoint          | Internal resources | Confirm that the VMware Tunnel can access internal resources over the required port. | 4 |
| 514 *                    | UDP                 | VMware Tunnel                   | Syslog Server      | | |
| On-Prem: 2020            | HTTPS               | Workspace ONE UEM               | VMware Tunnel Proxy | On-premises users can test the connection with telnet: `telnet <Tunnel Proxy URL> <port>` | 6 |

Note: The following points apply to the VMware Tunnel requirements.

* This port can be changed if needed based on your environment's restrictions.

  1. If port 443 is used, Per-App Tunnel will listen on port 8443.

     Note: When the VMware Tunnel and Content Gateway services are enabled on the same appliance and TLS Port Sharing is enabled, the DNS names must be unique for each service. When TLS Port Sharing is not enabled, one DNS name can be used for both services, because the port differentiates the incoming traffic. (For Content Gateway, if port 443 is used, Content Gateway will listen on port 10443.)

  2. For the VMware Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes.

  3. For VMware Tunnel Relay topologies to forward device requests to the internal VMware Tunnel endpoint only.

  4. For applications using VMware Tunnel to access internal resources.

  5. The VMware Tunnel must communicate with the API for initialization. Ensure that there is connectivity between the REST API and the VMware Tunnel server. Navigate to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API server URL. This page is not available to SaaS customers; the REST API URL for SaaS customers is most commonly your Console or Device Services server URL.

  6. Required for a successful "Test Connection" to the VMware Tunnel Proxy from the Workspace ONE UEM console. The requirement is optional and can be omitted without loss of functionality to devices. For SaaS customers, the Workspace ONE UEM console might already have inbound connectivity to the VMware Tunnel Proxy on port 2020 because of the inbound Internet requirement on port 2020.
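The tables above verify listeners with `netstat -tlpn | grep [Port]`, while the notes explain that a service configured on 443 actually binds a different port: 10443 for Content Gateway, 8443 for Per-App Tunnel, and UDP 9443 for the UDP Tunnel Server. As an added example that is not part of the VMware documentation, the following script applies those remappings and checks the expected listener against netstat output by protocol and exact port, which a bare grep cannot do; the service labels and the sample netstat output are constructed for the example and are not UAG configuration keys.

```shell
#!/usr/bin/env bash
# Added example (not from the UAG documentation): confirm that each service is
# bound on the port it really listens on for a configured external port. The
# remappings are those stated on this page; the service labels are chosen here.
set -e

# Port the service binds for a configured external port.
# Usage: listening_port <content-gateway|per-app-tunnel|udp-tunnel|other label> <port>
listening_port() {
  case "$1:$2" in
    content-gateway:443) echo 10443 ;;  # Content Gateway listens on 10443 when 443 is used
    per-app-tunnel:443)  echo 8443 ;;   # Per-App Tunnel listens on 8443 when 443 is used
    udp-tunnel:443)      echo 9443 ;;   # UDP 443 is forwarded internally to UDP 9443
    *)                   echo "$2" ;;   # every other service binds the configured port
  esac
}

# Return 0 if the netstat output has a <proto> (tcp|udp, v4 or v6) socket on <port>.
# Unlike `grep [Port]`, this matches the protocol column and the exact port, so
# TCP 9443 (Admin UI) is not confused with UDP 9443 (UDP Tunnel Server).
is_listening() {
  printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
    $1 ~ ("^" proto "6?$") { n = split($4, a, ":"); if (a[n] == port) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Report one service row; exit status is 0 when the expected listener is present.
# Usage: check_service <netstat output> <service label> <tcp|udp> <external port>
check_service() {
  bound=$(listening_port "$2" "$4")
  if is_listening "$1" "$3" "$bound"; then
    echo "OK      $2: external $3/$4 -> listening on $3/$bound"
  else
    echo "MISSING $2: no $3 listener on port $bound"; return 1
  fi
}

# Constructed sample of `netstat -tulpn` output; not captured from a real appliance.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp   0 0 0.0.0.0:443     0.0.0.0:*       LISTEN 1201/java
tcp   0 0 0.0.0.0:10443   0.0.0.0:*       LISTEN 1202/java
tcp6  0 0 :::9443         :::*            LISTEN 1203/java
udp   0 0 0.0.0.0:9443    0.0.0.0:*              1204/svc'

check_service "$SAMPLE_NETSTAT" web             tcp 443
check_service "$SAMPLE_NETSTAT" content-gateway tcp 443
check_service "$SAMPLE_NETSTAT" udp-tunnel      udp 443
check_service "$SAMPLE_NETSTAT" admin-ui        tcp 9443
check_service "$SAMPLE_NETSTAT" per-app-tunnel  tcp 443 || true  # 8443 is absent in the sample
```

On an appliance, replace the sample with the live output of `netstat -tulpn` (the `-u` is needed because the page's `-tlpn` shows TCP sockets only, so the UDP 9443 tunnel listener would never appear).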