VMware Tunnel Proxy can be configured using either of the following two configuration models:

  • Basic Endpoint (single-tier) using a VMware Tunnel Proxy Endpoint
  • Relay-Endpoint (multi-tier) using a VMware Tunnel Proxy Relay and VMware Tunnel Proxy Endpoint
Table 1. Port Requirements for VMware Tunnel Proxy Basic Endpoint Configuration

Source:        Devices (from Internet and Wi-Fi)
Destination:   VMware Tunnel Proxy Endpoint
Protocol:      HTTPS
Port:          2020*
Verification:  Run the following command on the Endpoint after installation to confirm the listener is bound: netstat -tlpn | grep [Port]
Notes:         Devices connect to the public DNS name configured for VMware Tunnel over the specified port.

Source:        VMware Tunnel Proxy Endpoint
Destination:   AirWatch Cloud Messaging Server
Protocol:      HTTPS
Port:          SaaS: 443; On-Premises: 2001*
Verification:  curl -Ivv https://<AWCM URL>:<port>/awcm/status/ping
               The expected response is HTTP 200 OK.
Notes:         Lets the VMware Tunnel Proxy query the Workspace ONE UEM console for compliance and tracking purposes. The AWCM server must support a minimum of TLS 1.2.

Source:        VMware Tunnel Proxy Endpoint
Destination:   UEM REST API
                 • SaaS‡: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com
                 • On-Premises†: Most commonly the Device Services or Console server
Protocol:      HTTP or HTTPS
Port:          SaaS: 443; On-Premises: 2001*
Verification:  curl -Ivv https://<API URL>/api/mdm/ping
               The expected response is HTTP 401 Unauthorized. The request carries no credentials, so 401 confirms that the API is reachable and answering; it is not a failure.
Notes:         The VMware Tunnel Proxy must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API URL. This page is not available to Workspace ONE UEM SaaS customers; for SaaS customers, the REST API URL is most commonly the Console URL or the Device Services URL.

Source:        VMware Tunnel Proxy Endpoint
Destination:   Internal resources
Protocol:      HTTP, HTTPS, or TCP
Port:          80, 443, any TCP
Verification:  Confirm that the VMware Tunnel Proxy Endpoint can access each internal resource over the required port.
Notes:         For applications that use VMware Tunnel Proxy to reach internal resources. The exact endpoints and ports are determined by where those resources are located.

Source:        VMware Tunnel Proxy Endpoint
Destination:   Syslog Server
Protocol:      UDP
Port:          514*

Source:        Workspace ONE UEM console
Destination:   VMware Tunnel Proxy Endpoint
Protocol:      HTTPS
Port:          2020*
Verification:  On-Premises† customers can test the connection with telnet: telnet <Tunnel Proxy URL> <port>
Notes:         Required for a successful "Test Connection" to the VMware Tunnel Proxy Endpoint from the Workspace ONE UEM console.
Table 2. Port Requirements for VMware Tunnel Proxy Relay-Endpoint Configuration

Source:        Devices (from Internet and Wi-Fi)
Destination:   VMware Tunnel Proxy Relay
Protocol:      HTTPS
Port:          2020*
Verification:  Run the following command on the Relay after installation to confirm the listener is bound: netstat -tlpn | grep [Port]
Notes:         Devices connect to the public DNS name configured for VMware Tunnel over the specified port.

Source:        VMware Tunnel Proxy Relay
Destination:   AirWatch Cloud Messaging Server
Protocol:      HTTP or HTTPS
Port:          SaaS: 443; On-Premises: 2001*
Verification:  curl -Ivv https://<AWCM URL>:<port>/awcm/status/ping
               The expected response is HTTP 200 OK.
Notes:         Lets the VMware Tunnel Proxy query the Workspace ONE UEM console for compliance and tracking purposes. The AWCM server must support a minimum of TLS 1.2.

Source:        VMware Tunnel Proxy Relay
Destination:   UEM REST API
                 • SaaS‡: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com
                 • On-Premises†: Most commonly the Device Services or Console server
Protocol:      HTTP or HTTPS
Port:          SaaS: 443; On-Premises: 2001*
Verification:  curl -Ivv https://<API URL>/api/mdm/ping
               The expected response is HTTP 401 Unauthorized. The request carries no credentials, so 401 confirms that the API is reachable and answering; it is not a failure.
Notes:         The VMware Tunnel Proxy Relay requires access to the UEM REST API only during initial deployment. The VMware Tunnel Proxy must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API URL. This page is not available to Workspace ONE UEM SaaS customers; for SaaS customers, the REST API URL is most commonly the Console URL or the Device Services URL.

Source:        VMware Tunnel Proxy Endpoint
Destination:   UEM REST API
                 • SaaS‡: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com
                 • On-Premises†: Most commonly the Device Services or Console server
Protocol:      HTTP or HTTPS
Port:          SaaS: 443; On-Premises: 2001*
Verification:  curl -Ivv https://<API URL>/api/mdm/ping
               The expected response is HTTP 401 Unauthorized (see the Relay row above).
Notes:         Access to the UEM REST API is required only during initial deployment, because the VMware Tunnel Proxy must communicate with the UEM REST API for initialization. The REST API URL is set under Groups & Settings > All Settings > System > Advanced > Site URLs, as described in the Relay row above.

Source:        VMware Tunnel Proxy Relay
Destination:   VMware Tunnel Proxy Endpoint
Protocol:      HTTPS
Port:          2010*
Verification:  From the VMware Tunnel Proxy Relay, test the connection with telnet: telnet <Endpoint URL> 2010
Notes:         Forwards device requests from the Relay to the Endpoint server. The Endpoint must support a minimum of TLS 1.2.

Source:        VMware Tunnel Proxy Endpoint
Destination:   Internal resources
Protocol:      HTTP, HTTPS, or TCP
Port:          80, 443, any TCP
Verification:  Confirm that the VMware Tunnel Proxy Endpoint can access each internal resource over the required port.
Notes:         For applications that use VMware Tunnel Proxy to reach internal resources. The exact endpoints and ports are determined by where those resources are located.

Source:        VMware Tunnel Proxy Endpoint
Destination:   Syslog Server
Protocol:      UDP
Port:          514*

Source:        Workspace ONE UEM console
Destination:   VMware Tunnel Proxy Relay
Protocol:      HTTPS
Port:          2020*
Verification:  On-Premises† customers can test the connection with telnet: telnet <Tunnel Proxy URL> <port>
Notes:         Required for a successful "Test Connection" to the VMware Tunnel Proxy Relay from the Workspace ONE UEM console.
NOTES
  • * This port can be changed based on your environment's restrictions.
  • † On-Premises means the location of the Workspace ONE UEM console.
  • ‡ For SaaS customers who need to whitelist outbound communication, refer to the VMware Knowledge Base article that lists up-to-date IP ranges: https://support.workspaceone.com/articles/115001662168-.
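The verification commands in both tables are one-off manual checks. The script below is an added example, not VMware's tooling and not part of the original page, that runs them together from the Relay or Endpoint host and applies the tables' expected results: a listener bound on the device-facing port, HTTP 200 from the AWCM ping, HTTP 401 from the unauthenticated REST API ping, and TCP reachability from Relay to Endpoint on port 2010. The hostnames (awcm.example.internal, ds.example.internal) are placeholder assumptions to override through environment variables. It substitutes ss and bash's /dev/tcp for netstat and telnet, which are often absent on hardened hosts, and pins curl to TLS 1.2 (--tlsv1.2 --tls-max 1.2) so the same request also confirms the minimum TLS 1.2 requirement stated in the tables.

```shell
#!/usr/bin/env bash
# Added example: connectivity checks for the Tunnel Proxy port tables above.
# Not VMware's tooling. Hosts and ports are placeholder assumptions; override
# them with environment variables and run on the Relay or Endpoint host:
#   AWCM_HOST=awcm.corp.example AWCM_PORT=2001 ./tunnel_checks.sh run
set -u

AWCM_HOST="${AWCM_HOST:-awcm.example.internal}"    # assumed placeholder
AWCM_PORT="${AWCM_PORT:-2001}"                     # 443 for SaaS
API_HOST="${API_HOST:-ds.example.internal}"        # assumed placeholder (DS or Console server)
API_PORT="${API_PORT:-2001}"                       # 443 for SaaS
TUNNEL_PORT="${TUNNEL_PORT:-2020}"                 # device-facing port on the Relay or Endpoint
ENDPOINT_HOST="${ENDPOINT_HOST:-}"                 # set only on a Relay (Relay-Endpoint model)
ENDPOINT_PORT="${ENDPOINT_PORT:-2010}"

# Extract the numeric status from a `curl -Ivv` style response head read on stdin.
# Prints 000 when no HTTP status line is present (connection refused, DNS failure, timeout).
status_from_head() {
    code=$(grep -m1 -oE '^HTTP/[0-9.]+ [0-9]{3}' | awk '{print $2}')
    echo "${code:-000}"
}

# Apply the tables' expected results: the AWCM ping must answer 200, and the
# REST API ping answers 401 to an unauthenticated request, so 401 is the pass
# condition there, not a failure.
status_matches() {
    case "$1" in
        awcm) [ "$2" = "200" ] ;;
        api)  [ "$2" = "401" ] ;;
        *)    return 2 ;;
    esac
}

# Request a URL with TLS pinned to exactly 1.2; a status other than 000 shows
# both reachability and that the server accepts TLS 1.2 (the minimum required).
http_status_tls12() {
    code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 10 \
                --tlsv1.2 --tls-max 1.2 "$1" 2>/dev/null)
    echo "${code:-000}"
}

# Telnet replacement: open a TCP connection with bash's /dev/tcp.
tcp_open() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Local equivalent of `netstat -tlpn | grep <port>`: is anything listening on TCP $1?
local_listening() {
    { ss -Htln 2>/dev/null || netstat -tln 2>/dev/null; } \
        | awk '{print $4}' | grep -qE "[:.]${1}\$"
}

report() {
    if [ "$2" -eq 0 ]; then echo "PASS  $1"; else echo "FAIL  $1"; fi
}

run_checks() {
    local_listening "$TUNNEL_PORT"
    report "device-facing TCP port $TUNNEL_PORT is listening" $?

    code=$(http_status_tls12 "https://$AWCM_HOST:$AWCM_PORT/awcm/status/ping")
    status_matches awcm "$code"
    report "AWCM ping over TLS 1.2 (got $code, want 200)" $?

    code=$(http_status_tls12 "https://$API_HOST:$API_PORT/api/mdm/ping")
    status_matches api "$code"
    report "UEM REST API ping over TLS 1.2 (got $code, want 401)" $?

    if [ -n "$ENDPOINT_HOST" ]; then
        tcp_open "$ENDPOINT_HOST" "$ENDPOINT_PORT"
        report "Relay -> Endpoint TCP $ENDPOINT_PORT reachable" $?
    fi
}

# Live checks run only when invoked with "run", so the file can be sourced safely.
if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

Note what the tables do not require: in the Relay-Endpoint model only port 2020 on the Relay is sourced from the Internet, and the Endpoint's port 2010 needs to be reachable only from the Relay, so a 2010 listener that answers from outside the Relay's network is a firewall finding rather than a success.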