SaaS deployments support basic and relay-endpoint configurations. In a SaaS deployment, Workspace ONE UEM hosts certain components, such as the Console and API servers, in the cloud.

The following diagrams illustrate both the basic and relay-endpoint deployment models. For more information about the traffic between components, see the Network Requirements part of the VMware Tunnel System Requirements section.

Basic Endpoint Workflow

  1. The Workspace ONE UEM Cloud communicates with end-user devices to perform initial device enrollment, which includes creating and delivering certificates.
  2. The VMware Tunnel server retrieves the certificates used for authentication from the Workspace ONE UEM Cloud. It also communicates with the Workspace ONE UEM API for initialization.
  3. End users access internal websites through the Proxy component over port 2020 by default. End users access internal resources through per-app tunnel-enabled applications over port 8443.
  4. The VMware Tunnel server communicates with your internal servers to retrieve the resources end users are trying to access.

Relay-Endpoint Workflow

  1. The Workspace ONE UEM Cloud communicates with end-user devices to perform initial device enrollment, which includes creating and delivering certificates.
  2. The VMware Tunnel Relay server retrieves the certificates used for authentication from the Workspace ONE UEM Cloud. It also communicates with the Workspace ONE UEM API for initialization.
  3. End users access internal websites through the Proxy component over port 2020 by default.
  4. The VMware Tunnel Relay server fields the request and forwards it to the VMware Tunnel endpoint server over port 2010 by default.
  5. The VMware Tunnel server communicates with your internal servers to retrieve the resources end users are trying to access.
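
The relay-endpoint workflow above can be turned into a flow table and used to review firewall rules. The following is an added example, not VMware code: the zone names, the `Rule` format, and the sample ruleset are assumptions constructed for illustration, and the ports are the defaults stated in the steps (edit the table if your deployment changes them).

```python
from dataclasses import dataclass

ANY = 0  # wildcard port in this example's (hypothetical) rule format

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int

# (src zone, dst zone) -> default port; None means the workflow names no port.
RELAY_ENDPOINT_FLOWS = {
    ("devices", "relay"): 2020,      # step 3: Proxy component
    ("relay", "endpoint"): 2010,     # step 4: relay forwards to endpoint
    ("relay", "uem_cloud"): None,    # step 2: certificates, API initialization
    ("endpoint", "internal"): None,  # step 5: retrieve requested resources
}

def audit(rules, flows=RELAY_ENDPOINT_FLOWS):
    """Return (findings, missing): rules outside the workflow, flows with no rule."""
    findings, covered = [], set()
    for r in rules:
        key = (r.src, r.dst)
        if key not in flows:
            findings.append((r, "path not in workflow"))
        elif flows[key] is None or r.port == flows[key]:
            covered.add(key)
        elif r.port == ANY:
            covered.add(key)
            findings.append((r, f"any-port rule; workflow needs only {flows[key]}"))
        else:
            findings.append((r, f"unexpected port; workflow uses {flows[key]}"))
    return findings, sorted(set(flows) - covered)

# Constructed sample ruleset (443 is a made-up value; the steps give no port here).
SAMPLE_RULES = [
    Rule("devices", "relay", 2020),
    Rule("relay", "endpoint", ANY),     # broader than step 4 requires
    Rule("devices", "endpoint", 2010),  # bypasses the relay
    Rule("relay", "uem_cloud", 443),
]

if __name__ == "__main__":
    findings, missing = audit(SAMPLE_RULES)
    for rule, why in findings:
        print(f"REVIEW  {rule.src} -> {rule.dst}:{rule.port}  {why}")
    for src, dst in missing:
        print(f"MISSING {src} -> {dst}")
```

On the sample ruleset this flags the any-port relay-to-endpoint rule and the direct devices-to-endpoint rule, and reports that no rule covers the endpoint-to-internal flow from step 5.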