For customers who do not want to use the Unified Access Gateway deployment, Workspace ONE UEM offers the Linux installer so you can configure, download, and install VMware Tunnel onto a server. The Linux installer has different prerequisites than the Unified Access Gateway method. To download the available Linux installer, go to .
System Requirements for Deploying VMware Tunnel on a Linux Sever
Use the following requirements as a basis for creating your VMware Tunnel server.
Hardware Requirements for VMware Tunnel
Ensure your VMware Tunnel server meets all the following hardware requirements.
- VM or Physical Server (64-bit)
- Hardware Sizing
Number of Devices Up to 5,000 5,000 to 10,000 10,000 to 40,000 40,000 to 100,000 CPU Cores
1 server with 2 CPU Cores* 2 load-balanced servers with 2 CPU Cores each 2 load-balanced servers with 4 CPU Cores each 4 load-balanced servers with 4 CPU Cores each RAM (GB) 4 4 each 8 each 16 each Hard Disk Space (GB) 10 GB for distro (Linux only)
400 MB for installer
~10 GB for log file space**
*It is possible to deploy only a single VMware Tunnel server as part of a smaller deployment. However, consider deploying at least 2 load-balanced servers with 2 CPU Cores each regardless of number of devices for uptime and performance purposes.
**About 10 GB is for a typical deployment. Log file size should be scaled based on your log usage and requirements for storing logs.
Software Requirements for VMware Tunnel
Ensure your VMware Tunnel server meets all the following software requirements.
| Requirement | Notes |
|---|---|
| Red Hat Enterprise Linux 7.x |
(Recommended UI-less) |
| Pre-Installation Package | The VMware Tunnel Linux installer automatically downloads required packages when it is connected to the Internet. If your server is offline or has restricted outbound access, then you must run the following commands on your VMware Tunnel server before you install. Openssl : Haveged: Json-c: libxml2: log4cpp: |
| Internally registered DNS record |
(Optional): For a basic endpoint deployment, register the internal DNS record Relay-endpoint: Register the internal DNS entry for the endpoint server. |
| Externally registered DNS record |
Basic endpoint: Register the public DNS record for the basic tunnel server. Relay-endpoint: Register the public DNS record for the relay server. |
| (Optional) SSL Certificate from a trusted third party |
Workspace ONE UEM certificates are automatically generated by default as part of your Tunnel configuration. Alternatively, you can upload the full chain of the public SSL certificate to the Workspace ONE UEM console during configuration. Ensure that the SSL certificate is trusted by all device types being used. (that is, not all Comodo certificates are natively trusted by Android). SAN certificates are not supported. Ensure that the subject of the certificate is the public DNS of your Tunnel server or is a valid wildcard certificate for the corresponding domain. If your SSL certificate expires, then you must reupload the renewed SSL certificate and redownload and rerun the installer. |
| IPv6 enabled locally | IPv6 must be enabled locally on the Tunnel server hosting Per-App Tunnel. Workspace ONE UEM requires it to be enabled for the Per-App Tunnel service to run successfully. |
You must have the most recent version of the VMware Tunnel installer. The VMware Tunnel supports backwards compatibility between the installer and the UEM console. This backwards compatibility provides a small window to allow you to upgrade your VMware Tunnel server shortly after upgrading your UEM console. Consider upgrading as soon as possible to bring parity between the UEM console and the VMware Tunnel.
Network and Security Requirements for VMware Tunnel
For configuring the ports listed below, all the traffic is uni-directional (outbound) from the source component to the destination component.
| Source Component |
Destination Component |
Protocol |
Port |
Verification | Note |
|---|---|---|---|---|---|
| Devices (from Internet and Wi-Fi) |
VMware Tunnel Proxy |
HTTPS |
2020* |
After installation, run the following command to validate:
|
1 |
| Devices (from Internet and Wi-Fi) |
VMware Tunnel Per-App Tunnel | TCP/UDP | 8443* (for Per-App Tunnel) | 1 | |
| VMware Tunnel – Basic Endpoint Configuration | |||||
| VMware Tunnel |
AirWatch Cloud Messaging Server** |
HTTPS |
SaaS: 443 On-Prem: 2001* |
Verify by using wget to and ensuring you receive an HTTP 200 response. |
2 |
| VMware Tunnel | Internal Web sites / Web apps | HTTP or HTTPS | 80 or 443 | 4 | |
| VMware Tunnel | Internal resources | HTTP, HTTPS, or TCP/UDP | 80, 443, Any TCP/UDP | 4 | |
| VMware Tunnel | Workspace ONE UEM REST API Endpoint SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com On-Prem: Most commonly your DS or Console server |
HTTP or HTTPS | SaaS: 443 On-Prem: 80 or 443 |
curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 – unauthorized. |
5 |
| Console Server | VMware Tunnel Proxy | HTTPS | On-Prem: 2020 | Verify after installation using telnet command from the console server to the Tunnel Proxy on port 2020 (On-Premesis only). | 6 |
| VMware Tunnel — Cascade Configuration | |||||
| VMware Tunnel Front-End |
AirWatch Cloud Messaging Server** |
TLS v1.2 |
SaaS: 443 On-Prem: 2001* |
Verify by using wget to and ensuring you receive an HTTP 200 response. |
2 |
| VMware Tunnel Front-End |
VMware Tunnel Back-End |
TLS v1.2 |
8443* |
Telnet from VMware Tunnel Front-End to the VMware Tunnel Back-End server on port |
3 |
| VMware Tunnel Back-End |
AirWatch Cloud Messaging Server** |
TLS v1.2 |
SaaS: 443 On-Prem: 2001* |
Verify by using wget to and ensuring you receive an HTTP 200 response. |
2 |
| VMware Tunnel Back-End | Internal Web sites / Web apps | TCP/UDP | 80 or 443 | 4 | |
| VMware Tunnel Back-End | Internal resources | TCP/UDP | 80, 443, Any TCP/UDP | 4 | |
| VMware Tunnel Front-End and Back-End | Workspace ONE UEM REST API Endpoint SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com On-Prem: Most commonly your DS or Console server |
TLS v1.2 | 80 or 443 | curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 – unauthorized. |
5 |
| VMware Tunnel – Relay Endpoint Configuration | |||||
| VMware Tunnel Relay |
AirWatch Cloud Messaging Server** |
HTTP or HTTPS |
SaaS: 443 On-Prem: 2001* |
Verify by using wget to and ensuring you receive an HTTP 200 response. |
2 |
| VMware Tunnel Relay |
VMware Tunnel Endpoint |
HTTPS |
2010* |
Telnet from VMware Tunnel Relay to the VMware Tunnel Endpoint server on port |
3 |
| VMware Tunnel Endpoint | Internal Web sites / Web apps | HTTP or HTTPS | 80 or 443 | 4 | |
| VMware Tunnel Endpoint | Internal resources | HTTP, HTTPS, or TCP | 80, 443, Any TCP | 4 | |
| VMware Tunnel Endpoint and Relay | Workspace ONE UEM REST API Endpoint SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com On-Prem: Most commonly your DS or Console server |
HTTP or HTTPS | 80 or 443 | curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 – unauthorized. |
5 |
| Console Server | VMware Tunnel Proxy | HTTPS | On-Prem: 2020 | Verify after installation using telnet command from the console server to the Tunnel Proxy on port 2020 (On-Premesis only). | 6 |
*This port can be changed if needed based on your environment's restrictions.
- For devices attempting to access internal resources.
- For the VMware Tunnel to query the UEM console for compliance and tracking purposes.
- For VMware Tunnel Relay topologies to forward device requests to the internal VMware Tunnel endpoint only.
- For applications using VMware Tunnel to access internal resources.
- The VMware Tunnel must to communicate with the API for initialization. Ensure that there is connectivity between the REST API and the VMware Tunnel server.
- This is required for a successful "Test Connection" to the VMware Tunnel Proxy from the UEM console. This requirement is optional and can be omitted without loss of functionality to devices.
