For customers who do not want to use the Unified Access Gateway deployment, Workspace ONE UEM offers the Linux installer so you can configure, download, and install VMware Tunnel onto a server. The Linux installer has different prerequisites than the Unified Access Gateway method. To download the available Linux installer, go to .
System Requirements for Deploying VMware Tunnel with Unified Access Gateway
Deploying VMware Tunnel with Unified Access Gateway requires that your system meets a few hypervisor, software, and hardware requirements.
Hypervisor Requirements
Deploying VMware Tunnel on Unified Access Gateway requires a hypervisor on which to deploy the virtual appliance. You must have a dedicated admin account with full privileges to deploy the OVF.
Supported Hypervisors:
- VMware vSphere 6.0+ web client.
- Microsoft Hyper-V on Windows Server 2012 R2 or Windows Server 2016.
Software Requirements
Ensure that you have the most recent version of Unified Access Gateway. VMware Tunnel supports backwards compatibility between Unified Access Gateway and the Workspace ONE UEM console. The backward compatibility allows you to upgrade your VMware Tunnel server shortly after upgrading your Workspace ONE UEM console. To ensure parity between Workspace ONE UEM console and VMware Tunnel, consider planning an early upgrade.
Hardware Requirements
The OVF package for Unified Access Gateway automatically selects the virtual machine configuration that VMware Tunnel requires. Although you can change these settings, do not change the CPU, memory, or disk space to smaller values than the default OVF settings.
To change the default settings, power off the VM in vCenter. Right-click the VM and select Edit Settings.
The default configuration uses 4 GB of RAM and 2 CPUs. You must change the default configuration to meet your hardware requirements. To handle all the device loads and maintenance requirements, consider running a minimum of two VMware Tunnel servers.
Number of Devices | Up to 40,000 | 40,000-80,000 | 80,000-120,000 | 120,000-160,000 |
---|---|---|---|---|
Number of Servers | 2 | 3 | 4 | 5 |
CPU Cores | 4 CPU Cores* | 4 CPU Cores each | 4 CPU Cores each | 4 CPU Cores each |
RAM (GB) | 8 | 8 | 8 | 8 |
Hard Disk Space (GB) | 10 GB for distro (Linux only), 400 MB for installer, ~10 GB for log file space** | Same | Same | Same |
*It is possible to deploy only a single VMware Tunnel appliance as part of a smaller deployment. However, consider deploying at least two load-balanced servers with four CPU Cores each regardless of the number of devices for uptime and performance purposes.
**10 GB for a typical deployment. Scale the log file size based on your log use and requirements for storing the logs.
Network Requirements for VMware Tunnel
For the ports listed below, all traffic is unidirectional (outbound) from the source component to the destination component.
Source Component | Destination Component | Protocol | Port | Verification | Note |
---|---|---|---|---|---|
Devices (from Internet and Wi-Fi) | VMware Tunnel Proxy | HTTPS | 2020* | After installation, run the following command to validate: netstat -tlpn \| grep [Port] | 1 |
Devices (from Internet and Wi-Fi) | VMware Tunnel Per-App Tunnel | TCP/UDP | 8443* | After installation, run the following command to validate: netstat -tlpn \| grep [Port] | 1 |
Admin UI | Unified Access Gateway | TCP | 9443 | | 1 |
Source Component | Destination Component | Protocol | Port | Verification | Note |
---|---|---|---|---|---|
VMware Tunnel | AirWatch Cloud Messaging Server** | HTTPS | SaaS: 443; On-Prem: 2001* | curl -Ivv https://<AWCM URL>:<port>/awcm/status The expected response is | 2 |
VMware Tunnel | Workspace ONE UEM REST API Endpoint (SaaS: https://asXXX.awmdm.com; On-Prem: most commonly your DS or Workspace ONE UEM console) | HTTP or HTTPS | SaaS: 443; On-Prem: 80 or 443 | curl -Ivv https://<API URL>/api/mdm/ping The expected response is | 5 |
VMware Tunnel | Internal resources | HTTP, HTTPS, or TCP/UDP | 80, 443, Any TCP/UDP | Confirm that the VMware Tunnel can access internal resources over the required port. | 4 |
VMware Tunnel | Syslog Server | UDP | 514* | | |
Workspace ONE UEM console | VMware Tunnel Proxy | HTTPS | 2020 | On-premises customers can test the connection using the following telnet command: telnet <Tunnel Proxy URL> <Port> | 6 |
Source Component | Destination Component | Protocol | Port | Verification | Note |
---|---|---|---|---|---|
VMware Tunnel Front-End | AirWatch Cloud Messaging Server** | TLS v1.2 | SaaS: 443; On-Prem: 2001* | Verify by using | 2 |
VMware Tunnel Front-End | VMware Tunnel Back-End | TLS v1.2 | 8443* | Telnet from VMware Tunnel Front-End to the VMware Tunnel Back-End server on the listed port. | 3 |
VMware Tunnel Back-End | AirWatch Cloud Messaging Server** | TLS v1.2 | SaaS: 443; On-Prem: 2001* | Verify by using | 2 |
VMware Tunnel Back-End | Internal websites/web apps | TCP/UDP | 80 or 443 | | 4 |
VMware Tunnel Back-End | Internal resources | TCP/UDP | 80, 443, Any TCP/UDP | | 4 |
VMware Tunnel Front-End and Back-End | Workspace ONE UEM REST API Endpoint (SaaS: https://asXXX.awmdm.com; On-Prem: most commonly your DS or Workspace ONE UEM console) | TLS v1.2 | 80 or 443 | curl -Ivv https://<API URL>/api/mdm/ping The expected response is | 5 |
Source Component | Destination Component | Protocol | Port | Verification | Note |
---|---|---|---|---|---|
VMware Tunnel Relay | AirWatch Cloud Messaging Server** | HTTP or HTTPS | SaaS: 443; On-Prem: 2001* | curl -Ivv https://<AWCM URL>:<port>/awcm/status The expected response is | 2 |
VMware Tunnel Endpoint and Relay | Workspace ONE UEM REST API Endpoint (SaaS: https://asXXX.awmdm.com; On-Prem: most commonly your DS or Workspace ONE UEM console) | HTTP or HTTPS | 80 or 443 | curl -Ivv https://<API URL>/api/mdm/ping The expected response is The VMware Tunnel Endpoint requires access to the REST API Endpoint only during the initial deployment. | 5 |
VMware Tunnel Relay | VMware Tunnel Endpoint | HTTPS | 2010* | Telnet from VMware Tunnel Relay to the VMware Tunnel Endpoint server on the listed port. | 3 |
VMware Tunnel Endpoint | Internal resources | HTTP, HTTPS, or TCP | 80, 443, Any TCP | Confirm that the VMware Tunnel can access internal resources over the required port. | 4 |
VMware Tunnel | Syslog Server | UDP | 514* | | |
Workspace ONE UEM console | VMware Tunnel Proxy | HTTPS | 2020 | On-premises customers can test the connection using the following telnet command: telnet <Tunnel Proxy URL> <Port> | 6 |
*This port can be changed if needed based on your environment's restrictions.
Note Reference:
1. Devices connect to the public DNS configured for VMware Tunnel over the specified port. If 443 is used, the Per-App Tunnel component listens on port 8443.
2. For the VMware Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes.
3. For VMware Tunnel Relay topologies to forward device requests to the internal VMware Tunnel Endpoint only.
4. For applications using VMware Tunnel to access internal resources.
5. The VMware Tunnel must communicate with the API for initialization. Ensure that there is connectivity between the REST API and the VMware Tunnel server. Navigate to to set the REST API server URL. This page is not available to SaaS customers. The REST API URL for SaaS customers is most commonly your Console or Device Services server URL.
6. This is required for a successful "Test Connection" to the VMware Tunnel Proxy from the Workspace ONE UEM console. The requirement is optional and can be omitted without loss of functionality to devices. For SaaS customers, the Workspace ONE UEM console must already have inbound connectivity to the VMware Tunnel Proxy on port 2020 due to the inbound Internet requirement on port 2020.
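A post-install script that mechanises the netstat -tlpn | grep [Port] verification from the tables above, added here as an example and not taken from the VMware documentation. The netstat sample it runs on is constructed, and the port list assumes the page's default inbound ports (2020 and 8443).

```shell
#!/bin/sh
# Added example, not part of the VMware documentation: a post-install check for the
# inbound listeners in the tables above, built on the same `netstat -tlpn` output the
# tables tell you to grep. Defaults are the page's default ports (Tunnel Proxy 2020,
# Per-App Tunnel 8443); override TUNNEL_PORTS if your environment moved them.
TUNNEL_PORTS="${TUNNEL_PORTS:-2020 8443}"

# Constructed sample of `netstat -tlpn` output for offline use: the Tunnel Proxy is
# bound on 2020, but the Per-App Tunnel listener on 8443 is missing.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2020            0.0.0.0:*               LISTEN      1234/java
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      800/master
tcp6       0      0 :::9443                 :::*                    LISTEN      1300/java'

# listening_ports: read netstat -tlpn output on stdin and print the local port of
# every LISTEN socket, one per line. Handles IPv4 (0.0.0.0:2020) and IPv6 (:::9443).
listening_ports() {
  awk '$6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -u
}

# missing_ports: read netstat output on stdin; print each expected port (given as
# arguments) that has no listener. Prints nothing when every expected port is bound.
missing_ports() {
  have=$(listening_ports)
  for p in "$@"; do
    printf '%s\n' "$have" | grep -qx "$p" || echo "$p"
  done
}

# check_tunnel_listeners: live check on this host. Returns 0 when all ports in
# TUNNEL_PORTS are bound, 1 otherwise (naming the missing ports on stderr).
check_tunnel_listeners() {
  missing=$(netstat -tlpn 2>/dev/null | missing_ports $TUNNEL_PORTS)
  if [ -n "$missing" ]; then
    echo "VMware Tunnel listener missing on port(s): $(echo "$missing" | tr '\n' ' ')" >&2
    return 1
  fi
  echo "All expected VMware Tunnel listeners are bound: $TUNNEL_PORTS"
}

# Offline demonstration on the constructed sample; prints "8443".
printf '%s\n' "$SAMPLE_NETSTAT" | missing_ports $TUNNEL_PORTS
```

Run check_tunnel_listeners on the Tunnel server after installation; on a Relay-Endpoint deployment set TUNNEL_PORTS to the ports that particular server is expected to bind.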
Network Interface Connection Requirements
You can use one, two, or three network interfaces, and the VMware Tunnel virtual appliance requires a separate static IP address for each. Many DMZ implementations use separated networks to secure the different traffic types. Configure the virtual appliance according to the network design of the DMZ in which it is deployed. Consult your network admin for information regarding your network DMZ.
- One network interface is appropriate for POCs (proof of concept) or testing. With one NIC, external, internal, and management traffic is all on the same subnet.
- With two network interfaces, external traffic is on one subnet, and internal and management traffic are on another subnet.
- With a third NIC, external, internal, and management traffic each have their own subnet.