To deploy VMware Tunnel for Linux, ensure that your system meets the requirements.

Use the following requirements as a basis for creating your VMware Tunnel server.

Requirement: VM or Physical Server (64-bit)

Hardware Sizing

| Number of Devices | Up to 5,000 | 5,000 to 10,000 | 10,000 to 40,000 | 40,000 to 100,000 |
|---|---|---|---|---|
| CPU Cores | 1 server with 2 CPU Cores* | 2 load-balanced servers with 2 CPU Cores each | 2 load-balanced servers with 4 CPU Cores each | 4 load-balanced servers with 4 CPU Cores each |
| RAM (GB) | 4 | 4 each | 8 each | 16 each |

Hard Disk Space (all deployment sizes): 10 GB for distro (Linux only), 400 MB for installer, ~10 GB for log file space**

*It is possible to deploy only a single VMware Tunnel server as part of a smaller deployment. However, AirWatch recommends deploying at least 2 load-balanced servers with 2 CPU Cores each, regardless of the number of devices, for uptime and performance purposes.

**About 10 GB is for a typical deployment. Log file size should be scaled based on your log usage and requirements for storing logs.

Software Requirements for VMware Tunnel

Ensure your VMware Tunnel server meets all the following software requirements.

| Requirement | Notes |
|---|---|
| Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 | Recommended UI-less. |
| Internally registered DNS record | Basic endpoint (optional): register the internal DNS record. Relay-endpoint: register the internal DNS entry for the endpoint server. |
| Externally registered DNS record | Basic endpoint: register the public DNS record for the basic tunnel server. Relay-endpoint: register the public DNS record for the relay server. |
| (Optional) SSL certificate from a trusted third party | AirWatch certificates are automatically generated by default as part of your Tunnel configuration. Alternatively, you can upload the full chain of the public SSL certificate to the AirWatch Console during configuration. Ensure that the SSL certificate is trusted by all device types being used (for example, not all Comodo certificates are natively trusted by Android). SAN certificates are not supported. Ensure that the subject of the certificate is the public DNS name of your Tunnel server or is a valid wildcard certificate for the corresponding domain. If your SSL certificate expires, you must reupload the renewed SSL certificate, then redownload and rerun the installer. |
| Most recent version of the VMware Tunnel installer | You must have the most recent version of the VMware Tunnel installer. The VMware Tunnel supports backwards compatibility between the installer and the AirWatch Console. This backwards compatibility provides a small window that allows you to upgrade your VMware Tunnel server shortly after upgrading your AirWatch Console. Upgrade as soon as possible to bring the VMware Tunnel to parity with the AirWatch Console. |

General Requirements for VMware Tunnel

Ensure your VMware Tunnel is set up with the following general requirements to ensure a successful installation.

| Requirement | Notes |
|---|---|
| SSH access to the Linux servers available to AirWatch, and Administrator rights | |
| Administrator account with root privileges to the server | The root account must have full permissions to write files. If using an account other than root, the account MUST have sudo access with the same privileges as root. Admin accounts must have write and run permissions for the /opt/*, /tmp/*, and /etc/* directories. If this condition is not met, the installation is likely to fail. Once installation is complete, restrictions can be put into place for these account types. If you are installing as an account other than root, ensure that the root user is not removed from the sudoers file on the Tunnel server. |
| VMware Tunnel has outbound Internet access | The VMware Tunnel installer automatically downloads the required packages if it is connected to the Internet. If your server is offline or has restricted outbound access, see Manual Installation of Packages. |
| IPv6 enabled locally | IPv6 must be enabled locally on the Tunnel server hosting Per-App Tunnel. AirWatch requires it to be enabled for the Per-App Tunnel service to run successfully. |

Network Requirements for VMware Tunnel

For configuring the ports listed below, all traffic is uni-directional (outbound) from the source component to the destination component.

| Source Component | Destination Component | Protocol | Port | Verification Note | See note |
|---|---|---|---|---|---|
| Devices (from Internet and Wi-Fi) | VMware Tunnel Proxy | HTTPS | 2020* | After installation, run netstat -tlpn on the Tunnel server to confirm the port is listening, then verify that https://<AirWatch_Tunnel_Host>:<port> is reachable. | 1 |
| Devices (from Internet and Wi-Fi) | VMware Tunnel Per-App Tunnel | TCP | 8443* (for Per-App Tunnel) | | 1 |

VMware Tunnel – Basic Endpoint Configuration

| Source Component | Destination Component | Protocol | Port | Verification Note | See note |
|---|---|---|---|---|---|
| VMware Tunnel | AirWatch Cloud Messaging Server** | HTTPS | SaaS: 443; On-Prem: 2001* | Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response. | 2 |
| VMware Tunnel | Internal Web sites / Web apps | HTTP or HTTPS | 80 or 443 | | 4 |
| VMware Tunnel | Internal resources | HTTP, HTTPS, or TCP | 80, 443, Any TCP | | 4 |
| VMware Tunnel | AirWatch REST API Endpoint (SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Prem: most commonly your DS or Console server) | HTTP or HTTPS | SaaS: 443; On-Prem: 80 or 443 | Verify by using wget to https://APIServerUrl/API/help and ensuring you receive a '401 – not authorized' response. | 5 |

VMware Tunnel – Cascade Configuration

| Source Component | Destination Component | Protocol | Port | Verification Note | See note |
|---|---|---|---|---|---|
| VMware Tunnel Front-End | AirWatch Cloud Messaging Server** | TLS v1.2 | SaaS: 443; On-Prem: 2001* | Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response. | 2 |
| VMware Tunnel Front-End | VMware Tunnel Back-End | TLS v1.2 | 8443* | Telnet from the VMware Tunnel Front-End to the VMware Tunnel Back-End server on this port. | 3 |
| VMware Tunnel Back-End | AirWatch Cloud Messaging Server** | TLS v1.2 | SaaS: 443; On-Prem: 2001* | Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response. | 2 |
| VMware Tunnel Back-End | Internal Web sites / Web apps | TCP | 80 or 443 | | 4 |
| VMware Tunnel Back-End | Internal resources | TCP | 80, 443, Any TCP | | 4 |
| VMware Tunnel Front-End and Back-End | AirWatch REST API Endpoint (SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Prem: most commonly your DS or Console server) | TLS v1.2 | 80 or 443 | Verify by using wget to https://APIServerUrl/API/help and ensuring you receive a '401 – not authorized' response. | 5 |

VMware Tunnel – Relay Endpoint Configuration

| Source Component | Destination Component | Protocol | Port | Verification Note | See note |
|---|---|---|---|---|---|
| VMware Tunnel Relay | AirWatch Cloud Messaging Server** | HTTP or HTTPS | SaaS: 443; On-Prem: 2001* | Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response. | 2 |
| VMware Tunnel Relay | VMware Tunnel Endpoint | HTTPS | 2010* | Telnet from the VMware Tunnel Relay to the VMware Tunnel Endpoint server on this port. | 3 |
| VMware Tunnel Endpoint | Internal Web sites / Web apps | HTTP or HTTPS | 80 or 443 | | 4 |
| VMware Tunnel Endpoint | Internal resources | HTTP, HTTPS, or TCP | 80, 443, Any TCP | | 4 |
| VMware Tunnel Endpoint and Relay | AirWatch REST API Endpoint (SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Prem: most commonly your DS or Console server) | HTTP or HTTPS | 80 or 443 | Verify by using wget to https://APIServerUrl/API/help and ensuring you receive a '401 – not authorized' response. | 5 |

*This port can be changed if needed based on your environment's restrictions.

**For SaaS customers who need to whitelist outbound communication, refer to the following AirWatch Knowledge Base article for a list of the up-to-date IP ranges that AirWatch currently owns: https://support.air-watch.com/articles/115001662168.

  1. For devices attempting to access internal resources.
  2. For the VMware Tunnel to query the AirWatch Console for compliance and tracking purposes.
  3. For VMware Tunnel Relay topologies to forward device requests to the internal VMware Tunnel endpoint only.
  4. For applications using VMware Tunnel to access internal resources.
  5. The VMware Tunnel must communicate with the API for initialization. Ensure that there is connectivity between the REST API and the VMware Tunnel server.
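The verification notes in the tables above can be scripted on the Tunnel server. The following is an added example, not part of the VMware Tunnel documentation; it assumes wget and netstat are installed, and takes the AWCM and REST API host names as arguments (placeholders, not real AirWatch values).

```shell
#!/bin/sh
# Added example, not from the VMware Tunnel documentation: scripts the
# post-install verification notes from the network requirements tables.
# Assumes wget and netstat exist on the Tunnel server; host names are
# supplied by the caller (placeholders, not real AirWatch values).

# Pull the final HTTP status code out of `wget -S` output. wget echoes every
# response header block it receives (redirects included), indented by two
# spaces, so the last "HTTP/x.y NNN" line is the status of the final URL.
http_status() {
    printf '%s\n' "$1" \
        | sed -n 's/^ *HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p' \
        | tail -n 1
}

# Constructed sample of `wget -S` output (a redirect followed by 200),
# kept here to show what http_status extracts; not a real capture.
SAMPLE_WGET_OUTPUT='  HTTP/1.1 301 Moved Permanently
  Location: https://awcm.example.test/awcm/status/
  HTTP/1.1 200 OK'

# HEAD-style probe: --spider fetches no body, -S prints headers to stderr.
# wget exits non-zero on 4xx/5xx, so the status is taken from the text,
# not from the exit code (a 401 from the API is the expected good result).
probe() {
    http_status "$(wget -S --spider --timeout=10 --tries=1 "$1" 2>&1)"
}

# Exact match against the status the documentation expects:
# AWCM /awcm/status must answer 200, the REST API /API/help must answer 401.
expect_status() {
    [ "$1" = "$2" ]
}

# Local equivalent of the "netstat -tlpn" step: is anything listening on the
# device-facing port? Matches the local-address column ending in ":port".
listening() {
    netstat -tln 2>/dev/null | awk '{ print $4 }' | grep -q ":$1\$"
}

report() {  # $1 label, $2 observed status, $3 expected status
    if expect_status "$2" "$3"; then echo "PASS $1 ($2)"; else echo "FAIL $1 (got '$2', want $3)"; fi
}

# Usage: sh tunnel-checks.sh <awcm-host:port> <api-host> [device-facing port]
run_checks() {
    report "AWCM status" "$(probe "https://$1/awcm/status")" 200
    report "REST API"    "$(probe "https://$2/API/help")"    401
    if listening "${3:-2020}"; then echo "PASS port ${3:-2020} listening"
    else echo "FAIL nothing listening on port ${3:-2020}"; fi
}

if [ $# -ge 2 ]; then run_checks "$@"; fi
```

An empty status in a FAIL line means wget got no HTTP response at all (DNS, firewall or TLS failure), which points at the network path rather than the service.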