To deploy VMware Tunnel with Unified Access Gateway, ensure that your system meets the following requirements:

Hypervisor Requirements

Unified Access Gateway that deploys the VMware Tunnel requires a hypervisor to deploy the virtual appliance. You must have a dedicated admin account with full privileges to deploy the OVF.

Supported Hypervisors

  • VMware vSphere v6.0+ web client
  • Microsoft Hyper-V on Windows Server 2012 R2 or Windows Server 2016

Software Requirements

Ensure that you have the most recent version of Unified Access Gateway. VMware Tunnel supports backwards compatibility between Unified Access Gateway and the Workspace ONE UEM console. The backward compatibility allows you to upgrade your VMware Tunnel server shortly after upgrading your Workspace ONE UEM console. To ensure parity between Workspace ONE UEM console and VMware Tunnel, consider planning an early upgrade.

Hardware Requirements

The OVF package for Unified Access Gateway automatically selects the virtual machine configuration that VMware Tunnel requires. Although you can change these settings, do not change the CPU, memory, or disk space to smaller values than the default OVF settings.

To change the default settings, power off the VM in vCenter. Right-click the VM and select Edit Settings.

The default configuration uses 4 GB of RAM and 2 CPUs. You must change the default configuration to meet your hardware requirements. To handle all the device loads and maintenance requirements, consider running a minimum of two VMware Tunnel servers.

| Number of Devices | Up to 40,000 | 40,000-80,000 | 80,000-120,000 | 120,000-160,000 |
|---|---|---|---|---|
| Number of Servers | 2 | 3 | 4 | 5 |
| CPU Cores | 4 CPU Cores* | 4 CPU Cores each | 4 CPU Cores each | 4 CPU Cores each |
| RAM (GB) | 8 | 8 | 8 | 8 |

Hard Disk Space (GB):

  • 10 GB for distro (Linux only)
  • 400 MB for installer
  • ~10 GB for log file space**

*It is possible to deploy only a single VMware Tunnel appliance as part of a smaller deployment. However, consider deploying at least two load-balanced servers with four CPU Cores each regardless of the number of devices for uptime and performance purposes.

**10 GB for a typical deployment. Scale the log file size based on your log use and requirements for storing the logs.

Network Requirements for VMware Tunnel

For configuring the ports listed below, all the traffic is uni-directional (outbound) from the source component to the destination component.

| Source Component | Destination Component | Protocol | Port | Verification Note | Note Ref. |
|---|---|---|---|---|---|
| Devices (from Internet and Wi-Fi) | VMware Tunnel Proxy | HTTPS | 2020* | After installation, run the following command to validate: netstat -tlpn \| grep [Port] | 1 |
| Devices (from Internet and Wi-Fi) | VMware Tunnel Per-App Tunnel | TCP | 8443* | After installation, run the following command to validate: netstat -tlpn \| grep [Port] | 1 |
| Admin UI | Unified Access Gateway | TCP | 9443 | | 1 |

VMware Tunnel Basic Endpoint Configuration

| Source Component | Destination Component | Protocol | Port | Verification Note | Note Ref. |
|---|---|---|---|---|---|
| VMware Tunnel | AirWatch Cloud Messaging Server** | HTTPS | SaaS: 443; On-Prem: 2001* | curl -Ivv https://<AWCM URL>:<port>/awcm/status. The expected response is HTTP 200 OK. | 2 |
| VMware Tunnel | Workspace ONE UEM REST API Endpoint (SaaS: https://asXXX.awmdm.com; On-Prem: most commonly your DS or Workspace ONE UEM console) | HTTP or HTTPS | SaaS: 443; On-Prem: 80 or 443 | curl -Ivv https://<API URL>/api/mdm/ping. The expected response is HTTP 401 Unauthorized. | 5 |
| VMware Tunnel | Internal resources | HTTP, HTTPS, or TCP | 80, 443, Any TCP | Confirm that the VMware Tunnel can access internal resources over the required port. | 4 |
| VMware Tunnel | Syslog Server | UDP | 514* | | |
| Workspace ONE UEM console | VMware Tunnel Proxy | HTTPS | 2020 | On-premises customers can test the connection using the following telnet command: telnet <Tunnel Proxy URL> <Port> | 6 |

VMware Tunnel Cascade Configuration

| Source Component | Destination Component | Protocol | Port | Verification Note | Note Ref. |
|---|---|---|---|---|---|
| VMware Tunnel Front-End | AirWatch Cloud Messaging Server** | TLS v1.2 | SaaS: 443; On-Prem: 2001* | Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensure that you receive an HTTP 200 response. | 2 |
| VMware Tunnel Front-End | VMware Tunnel Back-End | TLS v1.2 | 8443* | Telnet from the VMware Tunnel Front-End to the VMware Tunnel Back-End server on the listed port. | 3 |
| VMware Tunnel Back-End | AirWatch Cloud Messaging Server** | TLS v1.2 | SaaS: 443; On-Prem: 2001* | Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensure that you receive an HTTP 200 response. | 2 |
| VMware Tunnel Back-End | Internal websites/web apps | TCP | 80 or 443 | | 4 |
| VMware Tunnel Back-End | Internal resources | TCP | 80, 443, Any TCP | | 4 |
| VMware Tunnel Front-End and Back-End | Workspace ONE UEM REST API Endpoint (SaaS: https://asXXX.awmdm.com; On-Prem: most commonly your DS or Workspace ONE UEM console) | TLS v1.2 | 80 or 443 | curl -Ivv https://<API URL>/api/mdm/ping. The expected response is HTTP 401 Unauthorized. | 5 |

VMware Tunnel Relay-Endpoint Configuration

| Source Component | Destination Component | Protocol | Port | Verification Note | Note Ref. |
|---|---|---|---|---|---|
| VMware Tunnel Relay | AirWatch Cloud Messaging Server** | HTTP or HTTPS | SaaS: 443; On-Prem: 2001* | curl -Ivv https://<AWCM URL>:<port>/awcm/status. The expected response is HTTP 200 OK. | 2 |
| VMware Tunnel Endpoint and Relay | Workspace ONE UEM REST API Endpoint (SaaS: https://asXXX.awmdm.com; On-Prem: most commonly your DS or Workspace ONE UEM console) | HTTP or HTTPS | 80 or 443 | curl -Ivv https://<API URL>/api/mdm/ping. The expected response is HTTP 401 Unauthorized. The VMware Tunnel Endpoint requires access to the REST API Endpoint only during the initial deployment. | 5 |
| VMware Tunnel Relay | VMware Tunnel Endpoint | HTTPS | 2010* | Telnet from the VMware Tunnel Relay to the VMware Tunnel Endpoint server on the listed port. | 3 |
| VMware Tunnel Endpoint | Internal resources | HTTP, HTTPS, or TCP | 80, 443, Any TCP | Confirm that the VMware Tunnel can access internal resources over the required port. | 4 |
| VMware Tunnel | Syslog Server | UDP | 514* | | |
| Workspace ONE UEM console | VMware Tunnel Proxy | HTTPS | 2020 | On-premises customers can test the connection using the following telnet command: telnet <Tunnel Proxy URL> <Port> | 6 |

*This port can be changed if needed based on your environment's restrictions.

**For SaaS customers who need to whitelist outbound communication, refer to the following Knowledge Base article that lists up-to-date IP ranges that Workspace ONE currently owns:  VMware AirWatch IP ranges for SaaS data centers.

Note Reference:

  1. Devices connect to the public DNS configured for VMware Tunnel over the specified port. If 443 is used, Per-App Tunnel component listens on port 8443.
  2. For the VMware Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes.
  3. For VMware Tunnel Relay topologies to forward device requests to the internal VMware Tunnel endpoint only.
  4. For applications using VMware Tunnel to access internal resources.
  5. The VMware Tunnel must communicate with the API for initialization. Ensure that there is connectivity between the REST API and the VMware Tunnel server. Navigate to Groups & Settings > All Settings > System > Advanced > Site URLS to set the REST API server URL. This page is not available to SaaS customers. The REST API URL for SaaS customers is most commonly your Console or Devices Services server URL.
  6. This is required for a successful "Test Connection" to the VMware Tunnel Proxy from the Workspace ONE UEM console. The requirement is optional and can be omitted without loss of functionality to devices. For SaaS customers, the Workspace ONE UEM console must already have inbound connectivity to the VMware Tunnel Proxy on port 2020 due to the inbound Internet requirement on port 2020.
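The verification notes from the table above collected into one POSIX shell script, as an added example that is not part of the VMware documentation; the placeholder host names, the RUN_TUNNEL_CHECKS switch, and the port-anchored netstat match (stricter than the page's plain grep) are assumptions of this example:

```shell
#!/bin/sh
# Added example, not from the VMware page: the verification notes above as one
# script. Host names are placeholders; set them for your environment.
AWCM_URL="${AWCM_URL:-awcm.example.internal}"        # placeholder AWCM host
AWCM_PORT="${AWCM_PORT:-2001}"                       # 443 for SaaS, 2001* on-prem
API_URL="${API_URL:-uem-console.example.internal}"   # placeholder REST API host
LISTEN_PORTS="${LISTEN_PORTS:-2020 8443}"            # Tunnel Proxy, Per-App Tunnel

# Status code from the first status line of "curl -I" output
# ("HTTP/1.1 200 OK" or "HTTP/2 401"); empty if there was no response.
http_status() {
    printf '%s\n' "$1" | sed -n 's/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p' | head -n 1
}

# Compare the observed code with the one the table expects; 0 on match, 1 otherwise.
check_status() { # $1 label, $2 expected, $3 observed
    if [ "$2" = "$3" ]; then
        echo "PASS $1: HTTP $3"; return 0
    fi
    echo "FAIL $1: expected HTTP $2, got '${3:-no response}'"; return 1
}

# 0 if "netstat -tlpn" output ($1) shows a LISTEN socket on port $2.
# Anchored on the port so that 2020 does not also match 20200.
port_listening() {
    printf '%s\n' "$1" | grep -Eq "^tcp6? +[0-9]+ +[0-9]+ +[^ ]+:$2 +[^ ]+ +LISTEN"
}

# Live checks: AWCM must answer 200, the unauthenticated REST API ping 401,
# and the device-facing ports must be listening on this appliance.
run_checks() {
    rc=0
    hdr=$(curl -sS -I --max-time 10 "https://$AWCM_URL:$AWCM_PORT/awcm/status" 2>/dev/null) || hdr=""
    check_status "AWCM /awcm/status" 200 "$(http_status "$hdr")" || rc=1
    hdr=$(curl -sS -I --max-time 10 "https://$API_URL/api/mdm/ping" 2>/dev/null) || hdr=""
    check_status "REST API /api/mdm/ping" 401 "$(http_status "$hdr")" || rc=1
    ns=$(netstat -tlpn 2>/dev/null) || ns=""
    for p in $LISTEN_PORTS; do
        if port_listening "$ns" "$p"; then echo "PASS port $p is listening"
        else echo "FAIL port $p is not listening"; rc=1; fi
    done
    return $rc
}

# Only touch the network when asked: RUN_TUNNEL_CHECKS=1 sh tunnel-check.sh
if [ -n "${RUN_TUNNEL_CHECKS:-}" ]; then run_checks; fi
```

Run it on the Unified Access Gateway appliance itself so the listening-port checks see the Tunnel sockets.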

Network Interface Connection Requirements

You can use one, two, or three network interfaces, and the VMware Tunnel virtual appliance requires a separate static IP address for each. Many DMZ implementations use separated networks to secure the different traffic types. Configure the virtual appliance according to the network design of the DMZ in which it is deployed. Consult your network admin for information regarding your network DMZ.

  • One network interface is appropriate for POCs (proof of concept) or testing. With one NIC, external, internal, and management traffic is all on the same subnet.
  • With two network interfaces, external traffic is on one subnet, and internal and management traffic are on another subnet.
  • Using three network interfaces is the most secure option. With a third NIC, external, internal, and management traffic each have their own subnet.