To deploy the VMware Tunnel virtual appliance, ensure that your system meets the requirements.

Are you migrating from a Linux server to the virtual appliance? Follow the AirWatch migration flow for migrating to the virtual appliance. For more information, see https://support.air-watch.com/articles/115001666308.

Hypervisor Requirements

The VMware Unified Access Gateway, the virtual appliance that deploys the VMware Tunnel, requires a hypervisor on which to deploy the appliance. You must have a dedicated admin account with full privileges to deploy the OVF.

Supported Hypervisors

  • VMware vSphere v6.0+ web client
  • Microsoft Hyper-V on Windows Server 2012 R2 or Windows Server 2016

Software Requirement

You must have the most recent version of the Unified Access Gateway. The VMware Tunnel supports backwards compatibility between the Unified Access Gateway and the AirWatch Console. This backwards compatibility provides a small window to allow you to upgrade your VMware Tunnel server shortly after upgrading your AirWatch Console. Consider upgrading as soon as possible to bring parity between the AirWatch Console and the VMware Tunnel.

Hardware Requirements for VMware Tunnel

The OVF package for the VMware Unified Access Gateway automatically selects the virtual machine configuration that VMware Tunnel requires. Although you can change these settings, do not change the CPU, memory, or disk space to smaller values than the default OVF settings.

To change the default settings, power off the VM in vCenter, right-click the VM, and select Edit Settings to adjust the values as needed.

The default configuration uses 4 GB of RAM and 2 CPUs. You must change this to meet your hardware needs. Consider running a minimum of two VMware Tunnel servers to handle all device loads and maintenance requirements.

Number of Devices     Up to 40,000      40,000 - 80,000     80,000 - 120,000    120,000 - 160,000
Number of Servers     2                 3                   4                   5
CPU Cores             4 CPU Cores*      4 CPU Cores each    4 CPU Cores each    4 CPU Cores each
RAM (GB)              8                 8                   8                   8
Hard Disk Space (GB)  Same for every tier:
                        • 10 GB for distro (Linux only)
                        • 400 MB for installer
                        • ~10 GB for log file space**

*It is possible to deploy only a single VMware Tunnel appliance as part of a smaller deployment. However, consider deploying at least two load-balanced servers with four CPU Cores each regardless of the number of devices for uptime and performance purposes.

**10 GB for a typical deployment. Scale log file size based on your log use and requirements for storing logs.

Network Requirements for VMware Tunnel

For configuring the ports listed below, all traffic is uni-directional (outbound) from the source component to the destination component.

Each entry below reads: Source Component → Destination Component: Protocol, Port (footnote number), followed by the verification note. The footnote numbers refer to the numbered notes after the list; * and ** refer to the notes that follow the list.

  • Devices (from Internet and Wi-Fi) → VMware Tunnel Proxy: HTTPS, port 2020* (note 1). After installation, run the following command to validate: netstat -tlpn | grep [Port]
  • Devices (from Internet and Wi-Fi) → VMware Tunnel Per-App Tunnel: TCP, port 8443* (note 1). After installation, run the following command to validate: netstat -tlpn | grep [Port]
  • Admin Device (from Internet and Wi-Fi) → VMware Tunnel admin UI: HTTPS, port 9443.

VMware Tunnel – Basic-Endpoint Configuration

  • VMware Tunnel → AirWatch Cloud Messaging Server**: HTTPS, port 443 (SaaS) or 2001* (On-Prem) (note 2). Validate with: curl -Ivv https://<AWCM URL>:<port>/awcm/status — the expected response is HTTP 200 – OK.
  • VMware Tunnel → AirWatch REST API Endpoint (SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Prem: most commonly your DS or Console server): HTTP or HTTPS, port 443 (SaaS) or 80 or 443 (On-Prem) (note 5). Validate with: curl -Ivv https://<API URL>/api/help — the expected response is HTTP 401 – unauthorized.
  • VMware Tunnel → Internal resources: HTTP, HTTPS, or TCP, port 80, 443, or any TCP port (note 4). Confirm that the VMware Tunnel can access internal resources over the required port.
  • VMware Tunnel → Syslog Server: UDP, port 514*.

VMware Tunnel – Cascade Configuration

  • VMware Tunnel Front-End → AirWatch Cloud Messaging Server**: TLS v1.2, port 443 (SaaS) or 2001* (On-Prem) (note 2). Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response.
  • VMware Tunnel Front-End → VMware Tunnel Back-End: TLS v1.2, port 8443* (note 3). Telnet from VMware Tunnel Front-End to the VMware Tunnel Back-End server on port
  • VMware Tunnel Back-End → AirWatch Cloud Messaging Server**: TLS v1.2, port 443 (SaaS) or 2001* (On-Prem) (note 2). Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response.
  • VMware Tunnel Back-End → Internal Web sites / Web apps: TCP, port 80 or 443 (note 4).
  • VMware Tunnel Back-End → Internal resources: TCP, port 80, 443, or any TCP port (note 4).
  • VMware Tunnel Front-End and Back-End → AirWatch REST API Endpoint (SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Prem: most commonly your DS or Console server): TLS v1.2, port 80 or 443 (note 5). Verify by using wget to https://APIServerUrl/API/help and ensuring you receive a '401 – not authorized' response.

VMware Tunnel – Relay-Endpoint Configuration

  • VMware Tunnel Relay → AirWatch Cloud Messaging Server**: HTTP or HTTPS, port 443 (SaaS) or 2001* (On-Prem) (note 2). Validate with: curl -Ivv https://<AWCM URL>:<port>/awcm/status — the expected response is HTTP 200 – OK.
  • VMware Tunnel Endpoint and Relay → AirWatch REST API Endpoint (SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Prem: most commonly your DS or Console server): HTTP or HTTPS, port 80 or 443 (note 5). Validate with: curl -Ivv https://<API URL>/api/help — the expected response is HTTP 401 – unauthorized. The VMware Tunnel Endpoint requires access to the REST API Endpoint only during initial deployment.
  • VMware Tunnel Relay → VMware Tunnel Endpoint: HTTPS, port 2010* (note 3). Telnet from VMware Tunnel Relay to the VMware Tunnel Endpoint server on port
  • VMware Tunnel Endpoint → Internal resources: HTTP, HTTPS, or TCP, port 80, 443, or any TCP port (note 4). Confirm that the VMware Tunnel can access internal resources over the required port.
  • VMware Tunnel → Syslog Server: UDP, port 514*.

*This port can be changed if needed based on your environment's restrictions.

**For SaaS customers who need to whitelist outbound communication, refer to the following AirWatch Knowledge Base article for a list of up-to-date IP ranges that AirWatch currently owns: https://support.air-watch.com/articles/115001662168.

  1. Devices connect to the public DNS configured for VMware Tunnel over the specified port.
  2. Required for the VMware Tunnel to query the AirWatch Console for compliance and tracking purposes.
  3. Required for VMware Tunnel Relay topologies to forward device requests to the internal VMware Tunnel endpoint only.
  4. Required for applications using VMware Tunnel to access internal resources.
  5. The VMware Tunnel must communicate with the API for initialization. Ensure that there is connectivity between the REST API and the VMware Tunnel server. Navigate to Groups & Settings > All Settings > System > Advanced > Site URLs to set the REST API server URL.
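The verification steps from the port list above, gathered into one post-installation check script. This is an added example, not VMware's own tooling; AWCM_URL, AWCM_PORT, API_URL and TUNNEL_PORTS are placeholder values you replace for your environment.

```shell
#!/bin/sh
# Added example: run the verification checks listed in the network requirements
# against one VMware Tunnel appliance. Not part of VMware's documentation.
# Placeholders (assumed): override these environment variables before running.
AWCM_URL="${AWCM_URL:-awcm.example.com}"          # <AWCM URL>
AWCM_PORT="${AWCM_PORT:-443}"                     # 443 for SaaS, 2001 on-prem by default
API_URL="${API_URL:-api.example.com}"             # <API URL>
TUNNEL_PORTS="${TUNNEL_PORTS:-2020 8443 9443}"    # proxy, per-app tunnel, admin UI

# Succeed when netstat -tlpn style output on stdin shows a TCP listener on port $1.
# The [:.] anchor stops 8443 from matching a listener on 18443.
port_is_listening() {
  grep -Eq "^tcp6?[[:space:]].*[:.]$1[[:space:]].*LISTEN"
}

# Print the HTTP status code of a HEAD request (curl -I); curl reports 000 when unreachable.
http_status() {
  code=$(curl -sS -I -o /dev/null -w '%{http_code}' --max-time 10 "$1" 2>/dev/null) || true
  printf '%s\n' "${code:-000}"
}

# Compare observed status $2 with expected status $3 for check $1; return 0 on a match.
check_status() {
  if [ "$2" = "$3" ]; then
    printf 'PASS %s (HTTP %s)\n' "$1" "$2"
  else
    printf 'FAIL %s (expected HTTP %s, got %s)\n' "$1" "$3" "$2"
    return 1
  fi
}

run_checks() {
  rc=0
  # Note 1: the device-facing listeners must be up after installation.
  for p in $TUNNEL_PORTS; do
    if netstat -tlpn 2>/dev/null | port_is_listening "$p"; then
      echo "PASS listener on TCP $p"
    else
      echo "FAIL no listener on TCP $p"; rc=1
    fi
  done
  # Note 2: the AWCM status endpoint must answer HTTP 200.
  check_status "AWCM" "$(http_status "https://$AWCM_URL:$AWCM_PORT/awcm/status")" 200 || rc=1
  # Note 5: /api/help answers HTTP 401 when the REST API is reachable but unauthenticated.
  check_status "REST API" "$(http_status "https://$API_URL/api/help")" 401 || rc=1
  return $rc
}

# Live checks run only when invoked with --run, so the functions can be sourced on their own.
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

A non-zero exit from run_checks means at least one listener or expected status was missing; the FAIL lines identify which entry of the port list to revisit.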

Network Interface Connection Requirements

You can use one, two, or three network interfaces, and the VMware Tunnel virtual appliance requires a separate static IP address for each. Many DMZ implementations use separated networks to secure the different traffic types. Configure the virtual appliance according to the network design of the DMZ in which it is deployed. Consult your network admin for information regarding your network DMZ.

  • One network interface is appropriate for POCs (proof of concept) or testing. With one NIC, external, internal, and management traffic are all on the same subnet.
  • With two network interfaces, external traffic is on one subnet, and internal and management traffic are on another subnet.
  • Using three network interfaces is the most secure option. With a third NIC, external, internal, and management traffic all have their own subnets.