VMware Per-App Tunnel can be configured using either of the following two configuration models:

  • Basic Endpoint (single-tier) using a VMware Per-App Tunnel Basic Endpoint
  • Cascade (multi-tier) using a VMware Per-App Tunnel Front-End and VMware Per-App Tunnel Back-End
Table 1. Port Requirements for VMware Per-App Tunnel Basic Endpoint Configuration
Source Destination Protocol Port Verification Notes
Devices (from Internet and Wi-Fi) VMware Per-App Tunnel Basic Endpoint TCP, UDP 8443* Run the following command after installation: netstat -tlpn | grep [Port] Devices connect to the public DNS configured for VMware Tunnel over the specified port. If 443 is used, Per-App Tunnel component listens on port 8443.
VMware Per-App Tunnel Basic Endpoint Workspace ONE UEM Cloud Messaging Server HTTPS

SaaS:443

On-Premises:2001*

Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response. For the VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2.
VMware Per-App Tunnel Basic Endpoint Internal websites/web apps/resources HTTP, HTTPS, or TCP 80, 443, any required TCP For applications using VMware Per-App Tunnel to access internal resources. Exact endpoints or ports are determined by where these resources are located.
VMware Per-App Tunnel Basic Endpoint UEM REST API
  • SaaS‡: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com
  • On-Premises†: Most commonly Device Services or Console server
HTTP or HTTPS 80 or 443 curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 unauthorized The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API URL. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the REST API URL is most commonly the Console URL or Devices Services URL.
Table 2. Port Requirements for VMware Per-App Tunnel Cascade Configuration
Source Destination Protocol Port Verification Notes
Devices (from Internet and Wi-Fi) VMware Per-App Tunnel Front-End TCP, UDP 8443* Run the following command after installation: netstat -tlpn | grep [Port] Devices connect to the public DNS configured for VMware Tunnel over the specified port. If 443 is used, Per-App Tunnel component listens on port 8443.
VMware Per-App Tunnel Front-End Workspace ONE UEM Cloud Messaging Server HTTPS

SaaS:443

On-Premises:2001*

Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response.

For the VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2.
VMware Per-App Tunnel Front-End VMware Per-App Tunnel Back-End TCP 8443 Telnet from VMware Per-App Tunnel Front-End to the VMware Per-App Tunnel Back-End on port 8443. To forward device requests from the Front-End to the Back-End server. This needs to support a minimum of TLS 1.2.
VMware Per-App Tunnel Back-End Workspace ONE UEM Cloud Messaging Server HTTPS

SaaS:443

On-Premises:2001*

Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response. For VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2.
VMware Tunnel Back-End Internal websites/web apps/resources HTTP, HTTPS, or TCP 80, 443, any required TCP For applications using VMware Per-App Tunnel to access internal resources. Exact endpoints or ports are determined by where these resources are located.
VMware Per-App Tunnel Front-End UEM REST API
  • SaaS‡: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com
  • On-Premises†: Most commonly Device Services or Console server
HTTP or HTTPS 80 or 443 curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 unauthorized The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API URL. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the REST API URL is most commonly the Console URL or Devices Services URL.
VMware Per-App Tunnel Back-End UEM REST API
  • SaaS‡: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com
  • On-Premises†: Most commonly Device Services or Console server
HTTP or HTTPS 80 or 443 curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 unauthorized The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API URL. This page is not available to Workspace ONE UEM SaaS customers. Workspace ONE UEM SaaS customers, the REST API URL is most commonly the Console URL or Devices Services URL.
NOTES
  • * This port can be changed based on your environment's restrictions.
  • † On-Premises means the location of the Workspace ONE UEM console.
  • ‡ For SaaS customers who need to whitelist outbound communication, refer to the VMware Knowledge Base article that lists up-to-date IP ranges: https://support.workspaceone.com/articles/115001662168-.
For SaaS customers who need to whitelist outbound communication, refer to the following Knowledge Base article that lists up-to-date IP ranges that VMware currently owns: VMware Workspace ONE IP ranges for SaaS data centers.