When you configure Workspace ONE Access with an external firewall, allow-list the IP address ranges or URLs for the following Workspace ONE Access services to provide access to that service.

Use the nslookup command or another command-line tool to query the Domain Name System to obtain the IP addresses to add to your external firewall allow-list. For example, nslookup vapp-updates.vmware.com.

Service Domain Name System Description
Workspace ONE Access Catalog catalog.vmwareidentity.com To make sure that the content of the catalog can be accessed, add the URLs from the list to the allowlist.

That content is also delivered through AWS CloudFront CDN, which maintains its own list of public IP addresses. See http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html.

VMware Verify vmware.authy.com

api.authy.com

If VMware Verify is configured as an authentication method, add the URLS from these lists to the allowlist.
Hybrid KDC kdc.op.<vmwareidentity.xxx> When hybrid KDC is configured for your Workspace ONE Access on-premises operation, select one of the following domains to look up the URLS.
  • vmwareidentity.ca
  • vmwareidentity.com
  • vmwareidentity.eu
  • vmwareidentity.co.uk
  • vmwareidentity.de
  • vmwareidentity.com.au
  • vmwareidentity.asia
Updates from Workspace ONE Access vapp-updates.vmware.com To receive Workspace ONE Access updates and to download patches from the VMware Update Manager, add the URLs from the list to the allowlist.