VMware Tunnel has three gateway deployment options: Unified Access Gateway (UAG), Secure Access Service Edge (SASE), or Linux. Each option has their own prerequisites to confirm before deployment.

All of the deployment options also require your API (Application Programming Interface) and AWCM (VMware AirWatch Cloud Messaging) to be installed correctly, running, and communicating with Workspace ONE UEM without any errors. For more information about AWCM refer to: VMware AirWatch Cloud Messaging.

Note: If you are an on-premises customer, do not configure VMware Tunnel at the Global organization group level. Because the REST API key can only be generated at a Customer type organization group; you will want to configure Tunnel at the Company level or Customer type organization group.

To confirm that your API and AWCM are working without any errors, open your Workspace ONE UEM console and go to Groups & Settings > All Settings > System > Advanced > Site URLs

File path to configure AWCM Server

Validate that you have the following URLs in the Site URLs. If you make any changes, select Save.




Enter in the format of "https://<url>/api".

SaaS customers must contact Workspace ONE UEM support to get their REST API URL.

AWCM Server External URL

Enter in the format of "server.acme.com" and do not include a protocol such as https.

AWCM Service Internal URL

Enter in the format of "https://server.acme.com".

For on-premises customers, the default port for AWCM is 2001. For SaaS customers, AWCM and API use port 443.

Next, go to Groups & Settings > All Settings > System > Advanced > API > REST API and select the Override radio button.

File path to set the REST API information

Ensure that the Enable API Access check box is selected and an API Key is displayed in the text box. If you make any changes, select Save.

Now that you have confirmed this, you are ready to deploy your gateway.