To deploy VMware Tunnel for Windows, ensure that your system meets the following requirements.

Hardware Requirements

Use the following requirements as a basis for creating your VMware Tunnel server, which can be a VM or physical server (64-bit).

Number of Devices | CPU Cores | RAM (GB)
Up to 5,000 | 1 server with 2 CPU Cores* | 4
5,000 to 10,000 | 2 load-balanced servers with 2 CPU Cores each | 4 each
10,000 to 40,000 | 2 load-balanced servers with 4 CPU Cores each | 8 each
40,000 to 100,000 | 4 load-balanced servers with 4 CPU Cores each | 16 each

Hard Disk Space (GB), for every deployment size: 10 GB for distro (Linux only); 400 MB for installer; ~10 GB for log file space**

*It is possible to deploy only a single VMware Tunnel server as part of a smaller deployment. However, consider deploying at least 2 load-balanced servers with 2 CPU Cores each regardless of number of devices for uptime and performance purposes.

**About 10 GB is for a typical deployment. Log file size should be scaled based on your log usage and requirements for storing logs.

Software Requirements for VMware Tunnel

Ensure your VMware Tunnel server meets all the following software requirements.

Requirement: Windows Server 2008 R2 and above

Requirement: Install 64-bit Java Runtime Environment version 7 or greater
Notes: Do not pre-install Java; the Tunnel installer installs it automatically. Note: Ensure that 32-bit Java is not installed.

Requirement: Internally registered DNS record
Notes: Register the VMware Tunnel Proxy Relay (if Relay-Endpoint) or the VMware Tunnel Proxy Endpoint (if Endpoint only).

Requirement: Externally registered DNS record
Notes: Register the VMware Tunnel Proxy Relay (if Relay-Endpoint) or the VMware Tunnel Proxy Endpoint (if Endpoint only).

Requirement: (Optional) SSL certificate from a trusted third party with a Subject or Subject Alternative Name matching the DNS record
Notes: If you opt not to use the Workspace ONE UEM certificates that are generated automatically by default as part of your Tunnel configuration, you can use a public SSL certificate. Ensure that the full certificate chain is present when you upload the certificate in the Workspace ONE UEM console.
Ensure that the SSL certificate is trusted by all device types in use (for example, not all Comodo certificates are natively trusted by Android).
If VMware Tunnel is already installed and running and your SSL certificate expires, you must re-upload the renewed SSL certificate, then re-download and re-run the installer.

Requirement: Ensure that the Intermediate and Root CA certificates of the AWCM SSL certificate are in the Java CA keystore on the VMware Tunnel Proxy server
Notes: From a command prompt on the VMware Tunnel Proxy server, run: keytool -list -v -keystore %JAVA_HOME%\jre\lib\security\cacerts (cmd.exe syntax; in PowerShell use $env:JAVA_HOME instead)
OR
Use the free GUI tool Portecle: http://portecle.sourceforge.net/
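The keytool listing above is easy to misread by eye when cacerts holds hundreds of entries. The following PowerShell script is an added example, not part of the VMware documentation: it performs a TLS handshake to AWCM, captures the chain the server presents, and confirms by SHA-1 fingerprint that every CA above the leaf is already in the JRE cacerts keystore. It assumes a 64-bit JRE at $env:JAVA_HOME, the default cacerts password "changeit", and an on-premises AWCM on port 2001; the hostname is a placeholder.

```powershell
# Added example (not from the VMware documentation): check that the intermediate and
# root CA certificates issuing the AWCM server certificate are present in Java cacerts.
# Assumptions: 64-bit JRE at $env:JAVA_HOME, default cacerts password "changeit",
# on-premises AWCM on port 2001 (SaaS tenants use 443). Hostname is a placeholder.
$AwcmHost = 'awcm.example.internal'   # placeholder AWCM hostname
$AwcmPort = 2001
$Cacerts  = Join-Path $env:JAVA_HOME 'jre\lib\security\cacerts'
$Keytool  = Join-Path $env:JAVA_HOME 'bin\keytool.exe'

# 1. SHA-1 fingerprints of every certificate the JRE already trusts. keytool -list -v prints
#    a "SHA1: AA:BB:..." line per entry; the .NET Thumbprint is the same hash without colons.
$Listing = & $Keytool -list -v -keystore $Cacerts -storepass changeit | Out-String
$Trusted = [regex]::Matches($Listing, 'SHA1:\s*([0-9A-Fa-f:]+)') |
    ForEach-Object { $_.Groups[1].Value.Replace(':', '').ToUpperInvariant() }

# 2. TLS handshake to AWCM. The validation callback hands us the chain that was built from
#    the certificates the server sent. We return $true so the handshake completes; trust is
#    judged against cacerts in step 3, not against the Windows certificate store.
$AwcmChain = New-Object 'System.Collections.Generic.List[System.Security.Cryptography.X509Certificates.X509Certificate2]'
$Callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    foreach ($Element in $chain.ChainElements) { $AwcmChain.Add($Element.Certificate) }
    return $true
}
$Tcp = New-Object System.Net.Sockets.TcpClient($AwcmHost, $AwcmPort)
$Ssl = New-Object System.Net.Security.SslStream($Tcp.GetStream(), $false, $Callback)
try {
    $Ssl.AuthenticateAsClient($AwcmHost, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
} finally { $Ssl.Dispose(); $Tcp.Close() }

# 3. Every certificate above the leaf must be in cacerts, otherwise the Tunnel Proxy's Java
#    runtime rejects the AWCM connection with a trust error.
$Missing = 0
foreach ($Ca in ($AwcmChain | Select-Object -Skip 1)) {
    if ($Trusted -contains $Ca.Thumbprint) { "OK       $($Ca.Subject)" }
    else { "MISSING  $($Ca.Subject)"; $Missing++ }
}
if ($Missing -eq 0) { 'AWCM issuing chain is present in the Java cacerts keystore.' }
else { "$Missing CA certificate(s) missing: import them with keytool -importcert before installing." }
```

If the chain captured in step 2 contains only the leaf, the server is not sending its intermediate and Windows could not locate it either, which is worth fixing on the AWCM side before blaming the keystore.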

General Requirements for VMware Tunnel

Ensure that your VMware Tunnel environment meets the following general requirements for a successful installation.

Requirement: Remote access to the servers on which Workspace ONE UEM is installed
Notes: Set up Remote Desktop Connection Manager for multiple-server management; the installer can be downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=44989

Requirement: Installation of Notepad++ (Recommended)
Notes: The installer can be downloaded from http://download.tuxfamily.org/notepadplus/6.5.1/npp.6.5.1.Installer.exe

Network Requirements for VMware Tunnel

For the ports listed below, all traffic is uni-directional (outbound) from the source component to the destination component. Each entry lists the Source Component, Destination Component, Protocol, Port, a Verification Note, and the number of the footnote that explains the purpose of the connection.

VMware Tunnel Proxy – Basic-Endpoint Configuration

Source: Devices (from Internet and Wi-Fi)
Destination: VMware Tunnel Proxy
Protocol: HTTPS
Port: 2020* by default
Verification: Once VMware Tunnel Proxy starts correctly, it listens on the HTTPS port by default. To confirm, open https://<AirWatch_Tunnel_Proxy_Host>:<port> in a browser and verify that you see an untrusted certificate screen; if a trusted SSL certificate is installed, you see "407 MAG Authentication Failed!" instead.
Footnote: 1

Source: VMware Tunnel Proxy
Destination: AirWatch Cloud Messaging Server**
Protocol: HTTPS
Port: SaaS: 443; On-Prem: 2001 or a port you configure
Verification: Enter https://<AWCM URL>:<port>/awcm/status in a browser and ensure that there is no certificate trust error.
Footnote: 2

Source: VMware Tunnel Proxy
Destination: Internal web sites / web apps
Protocol: HTTP or HTTPS
Port: 80 or 443
Footnote: 4

Source: VMware Tunnel Proxy
Destination: Workspace ONE UEM REST API Endpoint (SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Prem: most commonly your DS or Console server)
Protocol: HTTP or HTTPS
Port: SaaS: 443; On-Prem: 80 or 443
Verification: Enter https://APIServerUrl/API/help in a browser. If you are prompted for credentials, enter Workspace ONE UEM console admin credentials; an API help page then displays.
Footnote: 5

Source: Console Server
Destination: VMware Tunnel Proxy
Protocol: HTTPS
Port: On-Prem: 2020
Verification: After installation, use the telnet command from the console server to the Tunnel Proxy on port 2020 (On-Premises only).
Footnote: 6

VMware Tunnel Proxy – Relay-Endpoint Configuration

Source: VMware Tunnel Proxy Relay
Destination: AirWatch Cloud Messaging Server**
Protocol: HTTP or HTTPS
Port: SaaS: 443; On-Prem: 2001 or a port you configure
Verification: Enter https://<AWCM URL>:<port>/awcm/status in a browser and ensure that there is no certificate trust error.
Footnote: 2

Source: VMware Tunnel Proxy Relay
Destination: VMware Tunnel Proxy Endpoint
Protocol: HTTPS
Port: 2010*
Verification: Telnet from the VMware Tunnel Proxy Relay to the VMware Tunnel Proxy Endpoint server on the port listed above.
Footnote: 3

Source: VMware Tunnel Proxy Endpoint
Destination: Internal web sites / web apps
Protocol: HTTP or HTTPS
Port: 80 or 443
Footnote: 4

Source: VMware Tunnel Proxy Endpoint and Relay
Destination: Workspace ONE UEM REST API Endpoint (SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Prem: most commonly your DS or Console server)
Protocol: HTTP or HTTPS
Port: SaaS: 443; On-Prem: 80 or 443
Verification: Enter https://APIServerUrl/API/help in a browser. If you are prompted for credentials, enter Workspace ONE UEM console admin credentials; an API help page then displays.
Footnote: 5

Source: Console Server
Destination: VMware Tunnel Proxy
Protocol: HTTPS
Port: On-Prem: 2020
Verification: After installation, use the telnet command from the console server to the Tunnel Proxy on port 2020 (On-Premises only).
Footnote: 6

*This port can be changed if needed based on your environment's restrictions.

  1. For devices attempting to access internal resources.
  2. For the VMware Tunnel Proxy to query the Workspace ONE UEM console for compliance and tracking purposes.
  3. For VMware Tunnel Proxy Relay topologies to forward device requests to the internal VMware Tunnel Proxy endpoint only.
  4. For applications using VMware Tunnel to access internal resources.
  5. The VMware Tunnel Proxy must communicate with the API for initialization. Ensure that there is connectivity between the REST API and the VMware Tunnel Proxy server.
  6. This is required for a successful "Test Connection" to the VMware Tunnel Proxy from the UEM console. This requirement is optional and can be omitted without loss of functionality to devices.
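The browser checks in the Verification notes conflate two different failures: a blocked port and an untrusted certificate. The following PowerShell script is an added example, not part of the VMware documentation: run from the VMware Tunnel Proxy server under Windows PowerShell 5.1, it tests TCP reachability for the outbound rows first and then performs the HTTPS request with default trust, so a certificate trust error is reported separately from an HTTP status such as the 401 credential prompt that /API/help returns. All hostnames are placeholders; the AWCM port assumes an on-premises deployment.

```powershell
# Added example (not from the VMware documentation): verify the outbound rows of the port
# table from the VMware Tunnel Proxy server. Hostnames below are placeholders.
$AwcmHost     = 'awcm.example.internal'      # placeholder; On-Prem port 2001, SaaS 443
$ApiHost      = 'uem-api.example.internal'   # placeholder REST API endpoint (DS or Console server)
$InternalHost = 'intranet.example.internal'  # placeholder internal web app reached through Tunnel

$Checks = @(
    @{ Name = 'AWCM /awcm/status (footnote 2)';     Url = "https://${AwcmHost}:2001/awcm/status" },
    @{ Name = 'UEM REST API /API/help (footnote 5)'; Url = "https://${ApiHost}:443/API/help" },
    @{ Name = 'Internal web app (footnote 4)';       Url = "https://${InternalHost}:443/" }
)

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000) {
    # Plain TCP connect with a timeout: proves DNS, routing and firewall rules, nothing more.
    $Client = New-Object System.Net.Sockets.TcpClient
    try {
        $Async = $Client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $Async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $Client.EndConnect($Async)
        return $true
    } catch { return $false } finally { $Client.Close() }
}

foreach ($Check in $Checks) {
    $Uri = [uri]$Check.Url
    if (-not (Test-TcpPort $Uri.Host $Uri.Port)) {
        "FAIL   $($Check.Name): TCP $($Uri.Host):$($Uri.Port) unreachable (DNS, routing or firewall)"
        continue
    }
    try {
        $Resp = Invoke-WebRequest -Uri $Check.Url -UseBasicParsing -TimeoutSec 15
        "OK     $($Check.Name): certificate trusted, HTTP $($Resp.StatusCode)"
    } catch [System.Net.WebException] {
        if ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            # The trust error the table tells you to look for: untrusted CA or incomplete chain.
            "FAIL   $($Check.Name): TLS certificate not trusted"
        } elseif ($_.Exception.Response) {
            # TLS succeeded and the server answered; 401 from /API/help is the expected prompt.
            $Code = [int]$_.Exception.Response.StatusCode
            "OK     $($Check.Name): certificate trusted, HTTP $Code"
        } else {
            "FAIL   $($Check.Name): $($_.Exception.Status)"
        }
    }
}
```

The same Test-TcpPort function, run from the Console server against the Tunnel Proxy on port 2020 (or from the Relay against the Endpoint on port 2010), replaces the telnet checks for footnotes 6 and 3.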

Note: As new security threats are discovered, it is preferable to disable old and weak cipher suites so that connections take place over a secure communication channel. For more information, see the Knowledge Base article Disabling Weak Ciphers for VMware Tunnel Proxy available here: