For customers who do not want to use the Unified Access Gateway deployment or SASE, Workspace ONE UEM offers the Linux installer so you can configure, download, and install VMware Tunnel onto a server. Note that the Linux installer has different prerequisites, so confirm that your system and servers meet them before you begin.

To download the available Linux installer, go to Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel Proxy.

Prerequisites for Deploying VMware Tunnel on a Linux Server

Confirm that your system and server(s) meet the following hardware and software requirements before you begin.

Basic Hardware Requirements for your Tunnel Server

  • VM or Physical Server (64-bit)
  • Hard Disk Space: Installer = 400 MB, Log File = 10 GB
  • RAM (GB per server): Up to 10,000 devices = 4, 10,000 to 40,000 = 8, 40,000 to 100,000 = 16.
  • CPU Cores:
    • Up to 5,000 devices = 1 server with 2 CPU cores. While it is possible to deploy only a single VMware Tunnel server as part of a smaller deployment, we suggest deploying at least 2 load-balanced servers with 2 CPU cores each, regardless of the number of devices, for uptime and performance purposes.
    • 5,000 to 10,000 = 2 load-balanced servers with 2 CPU cores each.
    • 10,000 to 40,000 = 2 load-balanced servers with 4 CPU cores each.
    • 40,000 to 100,000 = 4 load-balanced servers with 4 CPU cores each.

Basic Software Requirements for Your Tunnel Server

Red Hat Enterprise Linux 7.x

  • Red Hat Enterprise Linux 7.x - A deployment without a graphical UI is recommended.
  • Pre-Installation Package - The VMware Tunnel Linux installer automatically downloads required packages when it is connected to the Internet. If your server is offline or has restricted outbound access, then you must run the following commands on your Tunnel server before you install.

    • OpenSSL: sudo yum -y install openssl
    • haveged: sudo yum -y install haveged*
    • json-c: sudo yum -y install json-c
    • libxml2: sudo yum -y install libxml2
    • log4cpp: sudo yum -y install log4cpp*
  • Internally registered DNS record - Basic endpoint: optional; register the internal DNS record. Relay-endpoint: register the internal DNS entry for the endpoint server.
  • Externally registered DNS record - Basic endpoint: register the public DNS record for the basic Tunnel server. Relay-endpoint: register the public DNS record for the relay server.
  • IPv6 enabled locally - IPv6 must be enabled locally on the Tunnel server hosting Per-App Tunnel. Workspace ONE UEM requires it to be enabled for the Per-App Tunnel service to run successfully.
  • SSL Certificate from a trusted third party (Optional) - Workspace ONE UEM certificates are automatically generated by default as part of your Tunnel configuration. Alternatively, you can upload the full chain of the public SSL certificate to the Workspace ONE UEM console during configuration. Ensure that the SSL certificate is trusted by all device types being used (for example, not all Comodo certificates are natively trusted by Android). SAN certificates are not supported. Ensure that the subject of the certificate is the public DNS name of your Tunnel server or a valid wildcard certificate for the corresponding domain. If your SSL certificate expires, you must re-upload the renewed SSL certificate, then re-download and re-run the installer.
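The following script is an added example, not part of the VMware documentation, that checks a third-party certificate against the points in the item above before it is uploaded: that the subject CN covers the Tunnel server's public DNS name (exact or single-label wildcard), that the file carries a full chain rather than a single certificate, and that it is not close to expiry. The environment variable names (TUNNEL_CERT, TUNNEL_HOST), the 30-day threshold and the sample subject strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not VMware's code): pre-upload sanity checks for a third-party
# SSL certificate used by VMware Tunnel.
# Assumptions: PEM-encoded file, public DNS name passed in, openssl on the PATH
# for the file-based checks; the parsing and matching helpers need no openssl.

# Extract the CN from a "subject=" line as printed by `openssl x509 -noout -subject`.
# Handles both "subject=C = US, CN = host" and "subject= /C=US/CN=host" layouts.
cn_from_subject_line() {
  printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/[[:space:]]*$//'
}

# Return 0 when the host name is covered by the CN: an exact match, or a
# single-label wildcard (*.example.com covers tunnel.example.com, but not
# a.b.example.com and not example.com itself). Case-insensitive.
hostname_matches_cn() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  cn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$cn" in
    "$host") return 0 ;;
    \*.*)
      suffix=${cn#\*.}
      case "$host" in
        *."$suffix")
          label=${host%."$suffix"}
          case "$label" in ""|*.*) return 1 ;; *) return 0 ;; esac ;;
        *) return 1 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# Count certificates in PEM text read from stdin; a full chain has more than one.
pem_cert_count() {
  grep -c 'BEGIN CERTIFICATE' || true
}

# Return 0 if the leaf certificate is still valid in the given number of days.
cert_valid_for_days() {
  openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run every check on a PEM file for a host name; return 0 only if all pass.
check_tunnel_cert() {
  pem=$1; host=$2; rc=0
  subject=$(openssl x509 -noout -subject -in "$pem" 2>/dev/null) || { echo "FAIL: cannot read $pem"; return 1; }
  cn=$(cn_from_subject_line "$subject")
  if hostname_matches_cn "$host" "$cn"; then echo "OK:   CN '$cn' covers $host"
  else echo "FAIL: CN '$cn' does not cover $host"; rc=1; fi
  n=$(pem_cert_count < "$pem")
  if [ "$n" -gt 1 ]; then echo "OK:   $n certificates in file (full chain present)"
  else echo "FAIL: only $n certificate in file; upload the full chain"; rc=1; fi
  if cert_valid_for_days "$pem" 30; then echo "OK:   valid for at least 30 more days"
  else echo "FAIL: expired or expiring within 30 days; renew and re-upload"; rc=1; fi
  return $rc
}

# Usage (assumed variable names):
#   TUNNEL_CERT=/path/fullchain.pem TUNNEL_HOST=tunnel.example.com sh check_cert.sh
if [ -n "${TUNNEL_CERT:-}" ] && [ -n "${TUNNEL_HOST:-}" ]; then
  check_tunnel_cert "$TUNNEL_CERT" "$TUNNEL_HOST"
fi
```

The matching helper deliberately rejects a wildcard that would need to span two labels and a wildcard applied to the bare domain, which are the two cases that most often make a "valid wildcard" fail on devices. The expiry check uses a 30-day margin so that the re-upload and installer re-run described above can be scheduled before devices lose connectivity.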

You must have the most recent version of the VMware Tunnel installer. The Tunnel supports backwards compatibility between the installer and the UEM console. This backwards compatibility provides a small window to allow you to upgrade your Tunnel server shortly after upgrading your UEM console. Consider upgrading as soon as possible to bring parity between the UEM console and the Tunnel.

Network and Security Requirements

For the ports listed below, all traffic is unidirectional (outbound) from the source component to the destination component.

Source Component / Destination Component / Protocol / Port / Verification

  • Source: Devices (from Internet and Wi-Fi); Destination: VMware Tunnel Proxy
    • Protocol / Port: HTTPS, 2020*
    • Verification: After installation, run netstat -tlpn on the Tunnel server to confirm that the port is listening, and confirm that https://<VMware_Tunnel_Host>:<port> responds.
  • Source: Devices (from Internet and Wi-Fi); Destination: VMware Tunnel Per-App Tunnel
    • Protocol / Port: TCP/UDP, 8443* (for Per-App Tunnel)

VMware Tunnel – Basic Endpoint Configuration

Source Component / Destination Component / Protocol / Port / Verification

  • Source: VMware Tunnel; Destination: AirWatch Cloud Messaging Server
    • Purpose: For the Tunnel to query the UEM console for compliance and tracking purposes.
    • Port: SaaS: 443; On-Prem: 2001*
    • Verification: Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring that you receive an HTTP 200 response.
  • Source: VMware Tunnel; Destination: Internal Web sites / Web apps
    • Purpose: *For applications using Tunnel to access internal resources.
    • Protocol / Port: HTTP or HTTPS, 80 or 443
  • Source: VMware Tunnel; Destination: Internal resources
    • Purpose: *For applications using Tunnel to access internal resources.
    • Protocol / Port: HTTP, HTTPS, or TCP/UDP; 80, 443, Any TCP/UDP
  • Source: VMware Tunnel; Destination: Workspace ONE UEM REST API Endpoint (SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Prem: most commonly your DS or Console server)
    • Purpose: *The Tunnel must communicate with the API for initialization. Ensure that there is connectivity between the REST API and the VMware Tunnel server.
    • Protocol / Port: HTTP or HTTPS; SaaS: 443; On-Prem: 80 or 443
    • Verification: curl -Ivv https://<API URL>/api/mdm/ping. The expected response is HTTP 401 (Unauthorized).
  • Source: Console Server; Destination: VMware Tunnel Proxy
    • Purpose: *This is required for a successful "Test Connection" to the VMware Tunnel Proxy from the UEM console. This requirement is optional and can be omitted without loss of functionality to devices.
    • Port: On-Prem: 2001*
    • Verification: Verify after installation by using the telnet command from the console server to the Tunnel Proxy on port 2020 (On-Premises only).

VMware Tunnel – Cascade Configuration

Source Component / Destination Component / Protocol / Port / Verification

  • Source: VMware Tunnel Front-End; Destination: AirWatch Cloud Messaging Server**
    • Purpose: For the Tunnel to query the UEM console for compliance and tracking purposes.
    • Protocol / Port: TLS v1.2; SaaS: not listed; On-Prem: 2001*
    • Verification: Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring that you receive an HTTP 200 response.
  • Source: VMware Tunnel Front-End; Destination: VMware Tunnel Back-End
    • Purpose: For Tunnel Relay topologies to forward device requests to the internal VMware Tunnel endpoint only.
    • Protocol / Port: TLS v1.2, 8443*
    • Verification: Telnet from the Tunnel Front-End to the Tunnel Back-End server on the listed port.
  • Source: VMware Tunnel Back-End; Destination: AirWatch Cloud Messaging Server**
    • Purpose: For the Tunnel to query the UEM console for compliance and tracking purposes.
    • Protocol / Port: TLS v1.2; SaaS: not listed; On-Prem: 2001*
    • Verification: Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring that you receive an HTTP 200 response.
  • Source: VMware Tunnel Back-End; Destination: Internal Web sites / Web apps
    • Purpose: For applications using Tunnel to access internal resources.
    • Protocol / Port: TLS v1.2, 80 or 443
  • Source: VMware Tunnel Back-End; Destination: Internal resources
    • Purpose: For applications using Tunnel to access internal resources.
    • Protocol / Port: TCP/UDP; 80, 443, Any TCP/UDP
  • Source: VMware Tunnel Front-End and Back-End; Destination: Workspace ONE UEM REST API Endpoint (SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Prem: most commonly your DS or Console server)
    • Purpose: The Tunnel must communicate with the API for initialization. Ensure that there is connectivity between the REST API and the Tunnel server.
    • Protocol / Port: TLS v1.2, 80 or 443
    • Verification: curl -Ivv https://<API URL>/api/mdm/ping. The expected response is HTTP 401 (Unauthorized).

VMware Tunnel – Relay Endpoint Configuration

Source Component / Destination Component / Protocol / Port / Verification

  • Source: VMware Tunnel Relay; Destination: AirWatch Cloud Messaging Server**
    • Purpose: For the Tunnel to query the UEM console for compliance and tracking purposes.
    • Protocol / Port: HTTP or HTTPS; SaaS: 443; On-Prem: 2001*
    • Verification: Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring that you receive an HTTP 200 response.
  • Source: VMware Tunnel Relay; Destination: VMware Tunnel Endpoint
    • Purpose: For Tunnel Relay topologies to forward device requests to the internal Tunnel endpoint only.
    • Protocol / Port: HTTPS, 2010*
    • Verification: Telnet from the VMware Tunnel Relay to the VMware Tunnel Endpoint server on the listed port.
  • Source: VMware Tunnel Endpoint; Destination: Internal Web sites / Web apps
    • Purpose: For applications using VMware Tunnel to access internal resources.
    • Protocol / Port: HTTP or HTTPS, 80 or 443
  • Source: VMware Tunnel Endpoint; Destination: Internal resources
    • Purpose: For applications using Tunnel to access internal resources.
    • Protocol / Port: HTTP, HTTPS, or TCP; 80, 443, Any TCP
  • Source: VMware Tunnel Endpoint and Relay; Destination: Workspace ONE UEM REST API Endpoint (SaaS: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Prem: most commonly your DS or Console server)
    • Purpose: The Tunnel must communicate with the API for initialization. Ensure that there is connectivity between the REST API and the Tunnel server.
    • Protocol / Port: HTTP or HTTPS, 80 or 443
    • Verification: curl -Ivv https://<API URL>/api/mdm/ping. The expected response is HTTP 401 (Unauthorized).
  • Source: Console Server; Destination: VMware Tunnel Proxy
    • Purpose: This is required for a successful "Test Connection" to the Tunnel Proxy from the UEM console. This requirement is optional and can be omitted without loss of functionality to devices.
    • Protocol / Port: HTTPS; On-Prem: 2020
    • Verification: Verify after installation by using the telnet command from the console server to the Tunnel Proxy on port 2020 (On-Premises only).
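The tables above repeat the same four verification steps across the basic endpoint, cascade and relay endpoint configurations: confirm the Tunnel ports are listening (netstat -tlpn), fetch /awcm/status and expect HTTP 200, send a HEAD request to /api/mdm/ping and expect HTTP 401, and telnet to the next hop's port. The script below is an added example, not part of the VMware documentation, that gathers those steps into one preflight run from the Tunnel server. The environment variable names (TUNNEL_PREFLIGHT, AWCM_URL, API_URL, TUNNEL_ENDPOINT, ENDPOINT_PORT), the sample netstat output and the example host names are assumptions made for this script; the port numbers are the ones in the tables.

```shell
#!/bin/sh
# Added example (not VMware's code): runs the verification steps from the port
# tables as one preflight script. Endpoints come from environment variables;
# nothing below points at a real server.

# Constructed sample of `netstat -tlpn` output, used only to exercise the parser.
SAMPLE_LISTEN_OUTPUT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2020            0.0.0.0:*               LISTEN      1234/proxy
tcp6       0      0 :::8443                 :::*                    LISTEN      1235/tunnel'

# Read netstat/ss style output from stdin; return 0 if a LISTEN socket is bound
# to the port. The local address is column 4 in both `netstat -tln` and `ss -tln`.
port_listening_in() {
  grep 'LISTEN' | awk '{print $4}' | grep -qE "[:.]$1\$"
}

# Check a port on this host, preferring ss (iproute2) and falling back to netstat.
local_port_listening() {
  if command -v ss >/dev/null 2>&1; then ss -tln | port_listening_in "$1"
  else netstat -tln | port_listening_in "$1"; fi
}

# HTTP status code of a URL, or 000 when the connection fails. -I sends HEAD,
# matching the `curl -Ivv` check in the tables.
http_status() {
  curl -sS -I -o /dev/null -w '%{http_code}' --max-time 10 "$1" 2>/dev/null || echo 000
}

status_matches() { [ "$1" = "$2" ]; }

# Report one URL check: expected code is 200 for /awcm/status, 401 for /api/mdm/ping.
check_url() {
  code=$(http_status "$2")
  if status_matches "$code" "$3"; then echo "OK:   $1 -> HTTP $code"; return 0; fi
  echo "FAIL: $1 -> HTTP $code (expected $3)"; return 1
}

# TCP reachability (the "telnet to port" checks) without an interactive telnet.
tcp_port_open() {
  if command -v nc >/dev/null 2>&1; then nc -z -w 5 "$1" "$2" >/dev/null 2>&1
  else bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1; fi
}

check_tcp() {
  if tcp_port_open "$2" "$3"; then echo "OK:   $1 -> $2:$3 reachable"; return 0; fi
  echo "FAIL: $1 -> $2:$3 not reachable"; return 1
}

# Usage (assumed variable names and placeholder hosts):
#   TUNNEL_PREFLIGHT=1 AWCM_URL=https://awcm.example.com:2001 \
#   API_URL=https://as000.example.com TUNNEL_ENDPOINT=10.0.0.5 sh tunnel_preflight.sh
if [ "${TUNNEL_PREFLIGHT:-0}" = "1" ]; then
  rc=0
  local_port_listening 2020 && echo "OK:   port 2020 listening" || { echo "FAIL: port 2020 not listening"; rc=1; }
  local_port_listening 8443 && echo "OK:   port 8443 listening" || { echo "FAIL: port 8443 not listening"; rc=1; }
  check_url "AWCM status" "${AWCM_URL}/awcm/status" 200 || rc=1
  check_url "UEM REST API ping" "${API_URL}/api/mdm/ping" 401 || rc=1
  [ -n "${TUNNEL_ENDPOINT:-}" ] && { check_tcp "Relay to Endpoint" "$TUNNEL_ENDPOINT" "${ENDPOINT_PORT:-2010}" || rc=1; }
  exit $rc
fi
```

The 401 on /api/mdm/ping is the expected result because the request carries no credentials; a 200 there would mean the wrong URL is being tested, and 000 means the path to the API server is blocked rather than the API rejecting the call. The port parser anchors on a colon or dot before the port number so that a listener on 12020 is not mistaken for one on 2020.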