To deploy VMware Tunnel for Linux, ensure that your system meets the requirements.

Use the following requirements as a basis for creating your VMware Tunnel server.

Hardware Requirements for VMware Tunnel

Ensure your VMware Tunnel server meets all the following hardware requirements.

Requirement
VM or Physical Server (64-bit)
Hardware Sizing
Number of Devices Up to 5,000 5,000 to 10,000 10,000 to 40,000 40,000 to 100,000

CPU Cores

1 server with 2 CPU Cores* 2 load-balanced servers with 2 CPU Cores each 2 load-balanced servers with 4 CPU Cores each 4 load-balanced servers with 4 CPU Cores each
RAM (GB) 4 4 each 8 each 16 each
Hard Disk Space (GB)

10 GB for distro (Linux only)

400 MB for installer

~10 GB for log file space**

*It is possible to deploy only a single VMware Tunnel server as part of a smaller deployment. However, consider deploying at least 2 load-balanced servers with 2 CPU Cores each regardless of number of devices for uptime and performance purposes.

**About 10 GB is for a typical deployment. Log file size should be scaled based on your log usage and requirements for storing logs.

Software Requirements for VMware Tunnel

Ensure your VMware Tunnel server meets all the following software requirements.

Requirement Notes

Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7

(Recommended UI-less)

Pre-Installation Package

The VMware Tunnel Linux installer automatically downloads required packages when it is connected to the Internet. If your server is offline or has restricted outbound access, then you must run the following commands on your VMware Tunnel server before you install.

Openssl sudo yum -y install openssl
Haveged sudo yum -y install haveged*
Nscd sudo yum -y install nscd
Json-c sudo yum -y install json-c
libxml2 sudo yum -y install libxml2
log4cpp sudo yum -y install log4cpp*
protobuf sudo yum -y install protobuf*

Internally registered DNS record

(Optional): For a basic endpoint deployment, register the internal DNS record

Relay-endpoint: Register the internal DNS entry for the endpoint server.

Externally registered DNS record

Basic endpoint: Register the public DNS record for the basic tunnel server.

Relay-endpoint: Register the public DNS record for the relay server.

(Optional) SSL Certificate from a trusted third party

Workspace ONE UEM certificates are automatically generated by default as part of your Tunnel configuration.

Alternatively, you can upload the full chain of the public SSL certificate to the Workspace ONE UEM console during configuration.

Ensure that the SSL certificate is trusted by all device types being used. (that is, not all Comodo certificates are natively trusted by Android).

SAN certificates are not supported.

Ensure that the subject of the certificate is the public DNS of your Tunnel server or is a valid wildcard certificate for the corresponding domain.

If your SSL certificate expires, then you must reupload the renewed SSL certificate and redownload and rerun the installer.

IPv6 enabled locally IPv6 must be enabled locally on the Tunnel server hosting Per-App Tunnel. Workspace ONE UEM requires it to be enabled for the Per-App Tunnel service to run successfully.

You must have the most recent version of the VMware Tunnel installer. The VMware Tunnel supports backwards compatibility between the installer and the UEM console. This backwards compatibility provides a small window to allow you to upgrade your VMware Tunnel server shortly after upgrading your UEM console. Consider upgrading as soon as possible to bring parity between the UEM console and the VMware Tunnel.

Network and Security Requirements for VMware Tunnel

For configuring the ports listed below, all the traffic is uni-directional (outbound) from the source component to the destination component.

Source Component

Destination Component

Protocol

Port

Verification Note

Devices (from Internet and Wi-Fi)

VMware Tunnel Proxy

HTTPS

2020*

After installation, run the following command to validate: 

netstat -tlpn https://<VMware_Tunnel_Host>:<port>

1

Devices (from Internet and Wi-Fi)

VMware Tunnel Per-App Tunnel TCP 8443* (for Per-App Tunnel)   1
VMware Tunnel – Basic Endpoint Configuration

VMware Tunnel

AirWatch Cloud Messaging Server**

HTTPS

SaaS: 443

On-Prem: 2001*

Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response.

2

VMware Tunnel Internal Web sites / Web apps HTTP or HTTPS 80 or 443   4
VMware Tunnel Internal resources HTTP, HTTPS, or TCP 80, 443, Any TCP   4
VMware Tunnel

Workspace ONE UEM REST API Endpoint

SaaS: https://asXXX.awmdm.

com or https://asXXX.

airwatchportals.com

On-Prem: 

Most commonly your DS or Console server

HTTP or HTTPS

SaaS: 443

On-Prem:

80 or 443

curl -Ivv https://<API URL>/api/mdm/ping

The expected response is HTTP 401 – unauthorized.

5
Console Server VMware Tunnel Proxy HTTPS On-Prem: 2020 Verify after installation using telnet command from the console server to the Tunnel Proxy on port 2020 (On-Premesis only). 6
VMware Tunnel — Cascade Configuration

VMware Tunnel Front-End

AirWatch Cloud Messaging Server**

TLS v1.2

SaaS: 

443

On-Prem: 

2001*

Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response.

2

VMware Tunnel Front-End

VMware Tunnel Back-End

TLS v1.2

8443*

Telnet from VMware Tunnel Front-End to the VMware Tunnel Back-End server on port

3

VMware Tunnel Back-End

AirWatch Cloud Messaging Server**

TLS v1.2

SaaS: 

443

On-Prem: 

2001*

Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response.

2

VMware Tunnel Back-End Internal Web sites / Web apps TCP 80 or 443   4
VMware Tunnel Back-End Internal resources TCP 80, 443, Any TCP   4
VMware Tunnel Front-End and Back-End

Workspace ONE UEM REST API Endpoint

SaaS: https://asXXX.awmdm.

com or https://asXXX.

airwatchportals.com

On-Prem: 

Most commonly your DS or Console server

TLS v1.2 80 or 443
curl -Ivv https://<API URL>/api/mdm/ping

The expected response is HTTP 401 – unauthorized.

5
VMware Tunnel – Relay Endpoint Configuration

VMware Tunnel Relay

AirWatch Cloud Messaging Server**

HTTP or HTTPS

SaaS: 

443

On-Prem: 

2001*

Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response.

2

VMware Tunnel Relay

VMware Tunnel Endpoint

HTTPS

2010*

Telnet from VMware Tunnel Relay to the VMware Tunnel Endpoint server on port

3

VMware Tunnel Endpoint Internal Web sites / Web apps HTTP or HTTPS 80 or 443   4
VMware Tunnel Endpoint Internal resources HTTP, HTTPS, or TCP 80, 443, Any TCP   4
VMware Tunnel Endpoint and Relay

Workspace ONE UEM REST API Endpoint

SaaS: https://asXXX.awmdm.

com or https://asXXX.

airwatchportals.com

On-Prem: 

Most commonly your DS or Console server

HTTP or HTTPS 80 or 443
curl -Ivv https://<API URL>/api/mdm/ping

The expected response is HTTP 401 – unauthorized.

5
Console Server VMware Tunnel Proxy HTTPS On-Prem: 2020 Verify after installation using telnet command from the console server to the Tunnel Proxy on port 2020 (On-Premesis only). 6

*This port can be changed if needed based on your environment's restrictions.

For SaaS customers who need to whitelist outbound communication, refer to the following Knowledge Base article that lists up-to-date IP ranges that Workspace ONE currently owns:  VMware AirWatch IP ranges for SaaS data centers

  1. For devices attempting to access internal resources.
  2. For the VMware Tunnel to query the UEM console for compliance and tracking purposes.
  3. For VMware Tunnel Relay topologies to forward device requests to the internal VMware Tunnel endpoint only.
  4. For applications using VMware Tunnel to access internal resources.
  5. The VMware Tunnel must to communicate with the API for initialization. Ensure that there is connectivity between the REST API and the VMware Tunnel server.
  6. This is required for a successful "Test Connection" to the VMware Tunnel Proxy from the UEM console. This requirement is optional and can be omitted without loss of functionality to devices.