The AirWatch Console and Device Services servers must communicate with several internal and external endpoints to function. End-user devices must also reach certain endpoints to access apps and services.

For the ports listed below, all traffic is unidirectional (outbound) from the source component to the destination component.

 

Console Server

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| Admin Console Hostname | discovery.awmdm.com | HTTPS | 443 | Optional, for AutoDiscovery |
| Admin Console Hostname | awcp.air-watch.com | HTTPS | 443 | Optional, for APNs Certificate |
| Admin Console Hostname | gem.awmdm.com | HTTPS | 443 | AirWatch Analytics in myAirWatch |
| Admin Console Hostname | appwrap04.awmdm.com | HTTPS | 443 | AirWatch Cloud iOS App Wrapping Service |
| Admin Console Hostname | gateway.push.apple.com (17.0.0.0/8) | TCP | 2195 | Apple iOS and macOS only |
| Admin Console Hostname | feedback.push.apple.com (17.0.0.0/8) | TCP | 2196 | Apple iOS and macOS only |
| Admin Console Hostname | appwrapandroid.awmdm.com | HTTPS | 443 | AirWatch Cloud Android App Wrapping Service |
| Admin Console Hostname | android.googleapis.com | HTTPS | 443 | Android only |
| Admin Console Hostname | play.google.com | HTTPS | 443 | Android only |
| Admin Console Hostname | android.clients.google.com | TCP | 443 | Android App Management only |
| Admin Console Hostname | fonts.googleapis.com | HTTP/HTTPS | 80 or 443 | For fonts used in Admin Console |
| Admin Console Hostname | inference.location.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices |
| Admin Console Hostname | *notify.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices |
| Admin Console Hostname | next-services.apps.microsoft.com | HTTP/HTTPS | 80 or 443 | For App Management, Windows 8/RT only |
| Admin Console Hostname | *.windowsphone.com | HTTP/HTTPS | 80 or 443 | For App Management, Windows Phone 8 only |
| Admin Console Hostname | login.live.com | HTTPS | 443 | For Cloud Messaging for Windows devices |
| Admin Console Hostname | login.windows.net/{TenantName} | HTTPS | 443 | Windows 10 only. Where {TenantName} is the domain name of your tenant in Azure. |
| Admin Console Hostname | graph.windows.net | HTTPS | 443 | Windows 10 only |
| Admin Console Hostname | has.spserv.microsoft.com | HTTPS | 443 | Windows 10 only, for health attestation |
| Admin Console Hostname | *virtualearth.net | HTTP/HTTPS | 80 or 443 | For location services Bing Maps integration |
| Admin Console Hostname | BES Server | HTTPS | 443 | Blackberry only |
| Admin Console Hostname | Apple iTunes: itunes.apple.com; *.mzstatic.com; *.phobos.apple.com; *.phobos.apple.com.edgesuite.net | HTTP | 80 | Apple iOS and macOS only |
| Admin Console Hostname | accounts.google.com/o/oauth2/token | HTTPS | 443 | Android for Work only |
| Admin Console Hostname | gateway.celltrust.net (162.42.205.0/24) | HTTPS | 443 | Only requires the use of 443 when using SMS integration |
| Admin Console Hostname | SSL Cert CRL* (Example: ocsp.verisign.com) | HTTP/HTTPS | 80 or 443 | Optional, if Console is publicly accessible |
| Admin Console Hostname | CRL: http://s1.symcb.com/pca3-g5.crl | HTTP | 80 | For various services to function properly |
| Admin Console Hostname | All AirWatch Servers | HTTPS | 443 | |
| Admin Console Hostname | AWCM server | HTTPS | 2001 | AWCM may be installed on your Device Services server. |
| Admin Console Hostname | AirWatch API server (if standalone) | HTTPS | 443 | Set up network traffic from the Console server to the API server if the API component is not installed on the Console server. The API component may be installed on your Device Services server. |
| Admin Console Hostname | File Storage (if not set up on Console server) | SMB or NFS | Samba/SMB: TCP: 445, 137, 139; UDP: 137, 138. NFS: TCP and UDP: 111 and 2049 | Required for reports. For more information see File Storage Requirement. |
| Admin Console Hostname | SQL SSRS Reporting | HTTP | 80 | |
| Admin Console Hostname | AirWatch Database server | SQL | 1433 | |
| Admin Console Hostname | Exchange Server | HTTP/HTTPS | 80 or 443 | For PowerShell integration, if not using VMware Enterprise Systems Connector |
| Admin Console Hostname | Active Directory domain controller | LDAP(S) | 389 or 636 or 3268 or 3269 | For LDAP integration |
| Admin Console Hostname | SMTP Mail Relay | SMTP | 25 or 465 | For SMTP integration |
| Admin Console Hostname | Internal PKI | HTTPS/DCOM | 443 (HTTPS) or 135 or 1025-5000 or 49152-65535 (DCOM) | For PKI integration |
| Admin Console Hostname | Memcached | TCP | 11211 | |

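
Console Admin APIs

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| Admin Browser | VMware Identity Manager Service | HTTPS | 443 | Astro APIs |
| Admin Browser | Admin Console Hostname | HTTPS | 443 | Console Access |
| Admin Browser | API Server Hostname | HTTPS | 443 | Astro APIs |
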

API Server (If Standalone)

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| API Server Hostname | AirWatch Database server | SQL | 1433 | |
| API Server Hostname | AWCM server | HTTPS | 2001 | If AWCM is hosted on device services, then direct to the Device Services server. |
| API Server Hostname | Active Directory domain controller | LDAP(S) | 389 or 636 or 3268 or 3269 | Only required if you are integrating with VMware Identity Manager without the use of VMware Enterprise Systems Connector. |
| API Server Hostname | android.googleapis.com; play.google.com | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Android devices. |
| API Server Hostname | inference.location.live.net; *notify.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices. |
| API Server Hostname | gateway.push.apple.com (17.0.0.0/8); feedback.push.apple.com (17.0.0.0/8) | TCP | 2195, 2196 | For Apple iOS and macOS cloud messaging. |

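
Console Admin APIs

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| VMware Identity Manager Service | API Server Hostname | HTTPS | 443 | Auth Token Request |
| API Server Hostname | VMware Identity Manager Service | HTTPS | 443 | Astro APIs |
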

Device Services Server

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| Device Services Hostname | discovery.awmdm.com | HTTPS | 443 | Optional – For auto discovery functionality |
| Device Services Hostname | gateway.push.apple.com | TCP | 2195 | Apple only |
| Device Services Hostname | feedback.push.apple.com | TCP | 2196 | Apple only |
| Device Services Hostname | android.googleapis.com | HTTP/HTTPS | 80 and 443 | Android only |
| Device Services Hostname | play.google.com | HTTPS | 443 | Android only |
| Device Services Hostname | android.clients.google.com | TCP | 443 | Android app management only |
| Device Services Hostname | awcp.air-watch.com | HTTPS | 443 | Optional, for APNs Certificate |
| Device Services Hostname | inference.location.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices |
| Device Services Hostname | *notify.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging for Windows devices |
| Device Services Hostname | *.windowsphone.com | HTTP | 80 | For App Management, Windows Phone 8 only |
| Device Services Hostname | next-services.apps.microsoft.com | HTTP/HTTPS | 80 or 443 | For App Management, Windows 8/RT only |
| Device Services Hostname | login.live.com | HTTPS | 443 | For Cloud Messaging for Windows devices |
| Device Services Hostname | login.windows.net/{TenantName} | HTTPS | 443 | Windows 10 only. Where {TenantName} is the domain name of your tenant in Azure. |
| Device Services Hostname | graph.windows.net | HTTPS | 443 | Windows 10 only |
| Device Services Hostname | has.spserv.microsoft.com | HTTPS | 443 | Windows 10 only for health attestation |
| Device Services Hostname | Apple iTunes: itunes.apple.com; *.mzstatic.com; *.phobos.apple.com; *.phobos.apple.com.edgesuite.net | HTTP | 80 | Apple only |
| Device Services Hostname | SSL Cert CRL* (Example: ocsp.verisign.com) | HTTP/HTTPS | 80 or 443 | |
| Device Services Hostname | CRL: http://s1.symcb.com/pca3-g5.crl | HTTP | 80 | For various services to function properly |
| Device Services Hostname | All AirWatch Servers | HTTPS | 443 | |
| Device Services Hostname | AWCM (if standalone) | HTTPS | 2001 | Set up network traffic from the Device Services server to the AWCM server if the AWCM component is not installed on the Device Services server. |
| Device Services Hostname | AirWatch API server (if standalone) | HTTPS | 443 | Set up network traffic from the Device Services server to the API server if the API component is not installed on the Device Services server. |
| Device Services Hostname | File Storage (dedicated server or set up on an internal application server) | SMB or NFS | Samba/SMB: TCP: 445, 137, 139; UDP: 137, 138. NFS: TCP and UDP: 111 and 2049 | Required for reports. For more information see File Storage Requirement. |
| Device Services Hostname | Database Server | SQL | 1433 | |
| Device Services Hostname | Exchange Server | HTTP/HTTPS | 80 or 443 | For PowerShell integration, if not using VMware Enterprise Systems Connector |
| Device Services Hostname | Active Directory domain controller | LDAP(S) | 389 or 636 or 3268 or 3269 | [OPTIONAL] if you don't use VMware Enterprise Systems Connector |
| Device Services Hostname | SMTP Mail Relay | SMTP | 25 or 465 | [OPTIONAL] if you do not use VMware Enterprise Systems Connector |
| Device Services Hostname | Internal PKI | HTTPS/DCOM | 443 (HTTPS) or 135 or 1025-5000 or 49152-65535 (DCOM) | [OPTIONAL] if you do not use VMware Enterprise Systems Connector |
| Device Services Hostname | Memcached | TCP | 11211 | |


VMware Identity Manager Service

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| Load Balancer | VMware Identity Manager service | HTTPS | 443 | |
| VMware Identity Manager service | VMware Identity Manager service | HTTPS | 443 | |
| Browsers | VMware Identity Manager service | HTTPS | 443 | |
| VMware Identity Manager service | vapp-updates.vmware.com | HTTPS | 443 | Access to the upgrade server |
| Browsers | VMware Identity Manager service | HTTPS | 8443 | Administrator Port |
| VMware Identity Manager service | SMTP | SMTP | 25 | Port to relay outbound mail |
| VMware Identity Manager service | Active Directory | LDAP, LDAPS, MSFT-GC, MSFT-GC-SSL | 389, 636, 3268, 3269 | Default values are listed. These ports are configurable. |
| VMware Identity Manager service | VMware ThinApp repository | TCP | 445 | Access to the ThinApp repository |
| VMware Identity Manager service | RSA SecurID system | UDP | 5500 | Default value is listed. This port is configurable. |
| VMware Identity Manager service | DNS server | TCP/UDP | 53 | Every VMware Identity Manager server must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22. |
| VMware Identity Manager service | Domain controller | TCP/UDP | 88, 464, 135 | |
| VMware Identity Manager service | VMware Identity Manager service | TCP | 9300-9400 | Audit needs |
| VMware Identity Manager service | VMware Identity Manager service | TCP | 54328 | Audit needs |
| VMware Identity Manager service | VMware Identity Database | TCP | 1433, 5432, 1521 | Microsoft SQL default port is 1433. The PostgreSQL default port is 5432. The Oracle default port is 1521. |
| VMware Identity Manager service | View server | | 443 | Access to View server. |
| VMware Enterprise Systems Connector | Citrix Integration Broker server | TCP | 80, 443 | Connection to the Citrix Integration Broker. Port option depends on whether a certificate is installed on the Integration Broker server. |
| VMware Identity Manager service | AirWatch REST API | HTTPS | 443 | For device compliance checking and for the Enterprise System Connector AirWatch Cloud Connector password authentication method, if that is used. |
| VMware Identity Manager service | Cloud-hosted KCD | UDP | 88 | Port used for Kerberos traffic from the identity manager to the hosted cloud KDC service. |
| Adaptiva Server | AW Cloud Connector | UDP | 34320 | Port used for Adaptiva SDK library to send and receive messages to/from Adaptiva Server. |
| iOS mobile device | Cloud-hosted KCD | UDP | 88 | Port used for Kerberos traffic from the iOS device to the hosted cloud KDC service. |
| iOS mobile device | VMware Identity Manager service | TCP/UDP | 88 | Port used for Kerberos traffic from iOS device to the built-in KDC |
| iOS mobile device | VMware Identity Manager service | UDP | 88 | Port used for Kerberos traffic from iOS device to the hosted cloud KDC service. |
| iOS mobile device | VMware Identity Manager service | HTTPS/TCP | 443 | Port used for Kerberos traffic from iOS device to the hosted cloud KDC service. |
| Android mobile device | AirWatch HTTPS proxy service | TCP | 5262 | AirWatch Tunnel client routes traffic to the HTTPS proxy for Android devices. |
| Browser | VMware Identity Manager service | HTTP | 80 | Required |
| VMware Identity Manager service | Ehcache | | 40002 | |
| VMware Identity Manager service | RabbitMQ | | 4269, 5700, and 25672 | |
| VMware Identity Manager service | Elasticsearch | | 9200, 9300, 443, 8443, 80 | |
| VMware Identity Manager service | Android SSO | | 5262 | |
| VMware Identity Manager service | Browsers | HTTPS | 6443 | For certificate authentication configured in a VMware Identity Manager on premises DMZ deployment. |

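
Console Admin APIs

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| Admin Console Hostname | VMware Identity Manager Service | HTTPS | 443 | Astro APIs |
| Admin Console Hostname | Memcached | TCP | 11211 | |
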
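
Reports Server

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| SSRS Server (Reports Server) | SMTP Mail Relay | SMTP | 25 or 465 | For reports subscriptions |
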

End-User Devices

| Source Component | Destination Component | Protocol | Port | Notes |
|---|---|---|---|---|
| Devices (Internet/Wi-Fi) | Device Services Hostname | HTTP/HTTPS | 80 or 443 | Best practice: use HTTPS 443 for additional security. |
| Devices (Internet/Wi-Fi) | SEG Hostname | HTTPS | 443 | |
| Devices (Internet/Wi-Fi) | VMware Tunnel Hostname | HTTPS | 443, 2020 | For Browser access |
| Devices (Internet/Wi-Fi) | #-courier.push.apple.com (17.0.0.0/8) | TCP | 5223 and 443 | Apple only. '#' is a random number from 0 to 200. |
| Devices (Internet/Wi-Fi) | phobos.apple.com; ocsp.apple.com; ax.itunes.apple.com | HTTP/HTTPS | 80 or 443 | Apple only |
| Devices (Internet/Wi-Fi) | mtalk.google.com | TCP | 5228 | For Cloud Messaging, Android only |
| Devices (Internet/Wi-Fi) | play.google.com | HTTPS | 443 | For App Management, Android only |
| Devices (Internet/Wi-Fi) | *.notify.windows.com | HTTPS | 443 | For Cloud Messaging, Windows 10 |
| Devices (Internet/Wi-Fi) | inference.location.live.net | HTTP/HTTPS | 80 or 443 | Retrieve device location, Windows 10 |
| Devices (Internet/Wi-Fi) | *.notify.live.net | HTTP/HTTPS | 80 or 443 | For Cloud Messaging. Windows Phone 10 |
| Devices (Internet/Wi-Fi) | wns.windows.com | HTTPS | 443 | Windows Push Notification Service |
| Devices (Internet/Wi-Fi) | has.spserv.microsoft.com | HTTPS | 443 | Health Attestation Services, Windows 10 |
| Devices (Internet/Wi-Fi) | microsoft.com/store/apps | HTTPS | 443 | Public app store access |
| Devices (Internet/Wi-Fi) | bspmts.mp.microsoft.com | HTTPS | 443 | Business store portal app access |
| Devices (Internet/Wi-Fi) | ekop.intel.com/ekcertservice | HTTPS | 443 | For Intel firmware TPM. Authorize this URL if you are filtering Internet access for client devices. This is needed for signed certificates for Secure Boot. |
| Devices (Internet/Wi-Fi) | ekcert.spserv.microsoft.com | HTTPS | 443 | For Qualcomm firmware TPM. Authorize this URL if you are filtering Internet access for client devices. This is needed for signed certificates for Secure Boot. |
| Devices (Internet/Wi-Fi) | *login.live.com | HTTP/HTTPS | 80 or 443 | Request WNS Channel, Windows 10 |
| Devices (Internet/Wi-Fi) | *.windowsphone.com | HTTP/HTTPS | 80 or 443 | Windows Phone 8 |
| Devices (Internet/Wi-Fi) | has.spserv.microsoft.com | HTTPS | 443 | Windows 10 only for health attestation |
| Devices (Internet/Wi-Fi) | Public SSL Cert CRL (Example: ocsp.verisign.com) | HTTP/HTTPS | 80 and 443 | |
| Devices (Internet/Wi-Fi) | AWCM Server | HTTP/HTTPS | 2001 | Windows Rugged, Android, macOS, Windows 7, and Windows Desktop devices with AirWatch Protection Agent only. Windows Desktop devices using the AirWatch Protection Agent use the AWCM for real-time notifications. |

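
The following is an added example, not from the original page or from VMware: it takes rows in the table's Destination / Protocol / Port notation and tests, from the source server, whether each outbound TCP flow is permitted, treating an "or" port cell as satisfied by any one port and an "and" or comma cell as needing all of them. The `FLOWS` sample and the function names are assumptions made for this example.

```python
import re
import socket

# Constructed sample: a few Console Server rows copied from the table as
# (destination, protocol, port cell). Add the rows that apply to your site.
FLOWS = [
    ("discovery.awmdm.com", "HTTPS", "443"),
    ("gateway.push.apple.com", "TCP", "2195"),
    ("fonts.googleapis.com", "HTTP/HTTPS", "80 or 443"),
    ("login.windows.net/{TenantName}", "HTTPS", "443"),
    ("*notify.live.net", "HTTP/HTTPS", "80 or 443"),
    ("Internal PKI", "HTTPS/DCOM",
     "443 (HTTPS) or 135 or 1025-5000 or 49152-65535 (DCOM)"),
]


def parse_ports(cell):
    """Return (mode, ports): 'any' when the cell joins ports with "or",
    'all' for "and", commas or a single port."""
    mode = "any" if re.search(r"\bor\b", cell) else "all"
    return mode, [int(p) for p in re.findall(r"\d+", cell)]


def tcp_open(host, port, timeout=3.0):
    """True if an outbound TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flow(dest, proto, cell, probe=tcp_open):
    """Classify one table row as 'ok', 'blocked' or 'skipped'."""
    # Wildcard names, site-specific placeholders (names with spaces), UDP
    # rows and dynamic port ranges cannot be verified by one TCP connect.
    if (dest[0] in "*#" or " " in dest or "UDP" in proto.upper()
            or re.search(r"\d-\d", cell)):
        return "skipped"
    host = dest.split("/")[0]  # drop a URL path such as /{TenantName}
    mode, ports = parse_ports(cell)
    results = [probe(host, p) for p in ports]
    passed = any(results) if mode == "any" else all(results)
    return "ok" if passed else "blocked"


if __name__ == "__main__":
    for dest, proto, cell in FLOWS:
        print(f"{check_flow(dest, proto, cell):8} {dest} {proto} {cell}")
```

Run it on the source component itself (for example the Console server), because the rules are outbound from that host. Rows reported as `skipped` need a manual check with your own hostnames or a UDP-capable tool.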