Port Requirements for VMware Per-App Tunnel

VMware Per-App Tunnel can be configured using either of the following two configuration models:

Basic Endpoint (single-tier) using a VMware Per-App Tunnel Basic Endpoint
Cascade (multi-tier) using a VMware Per-App Tunnel Front-End and VMware Per-App Tunnel Back-End

表 1. Port Requirements for VMware Per-App Tunnel Basic Endpoint Configuration
Source	Destination	Protocol	Port	Verification	Notes
Devices (from Internet and Wi-Fi)	VMware Per-App Tunnel Basic Endpoint	TCP, UDP	8443*	Run the following command after installation: netstat -tlpn \| grep [Port]	Devices connect to the public DNS configured for VMware Tunnel over the specified port. If 443 is used, Per-App Tunnel component listens on port 8443.
VMware Per-App Tunnel Basic Endpoint	AirWatch Cloud Messaging Server	HTTPS	SaaS:443 On-Premises:2001*	Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response.	For the VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2.
VMware Per-App Tunnel Basic Endpoint	Internal websites/web apps/resources	HTTP, HTTPS, or TCP	80, 443, any required TCP		For applications using VMware Per-App Tunnel to access internal resources. Exact endpoints or ports are determined by where these resources are located.
VMware Per-App Tunnel Basic Endpoint	UEM REST API SaaS‡: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com On-Premises†: Most commonly Device Services or Console server	HTTP or HTTPS	80 or 443	curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 unauthorized	The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to [Groups & Settings > All Settings > System > Advanced > Site URLs] to set the [REST API URL]. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the [REST API URL] is most commonly the [Console URL ]or [Devices Services URL].

表 2. Port Requirements for VMware Per-App Tunnel Cascade Configuration
Source	Destination	Protocol	Port	Verification	Notes
Devices (from Internet and Wi-Fi)	VMware Per-App Tunnel Front-End	TCP, UDP	8443*	Run the following command after installation: netstat -tlpn \| grep [Port]	Devices connect to the public DNS configured for VMware Tunnel over the specified port. If 443 is used, Per-App Tunnel component listens on port 8443.
VMware Per-App Tunnel Front-End	AirWatch Cloud Messaging Server	HTTPS	SaaS:443 On-Premises:2001*	Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response.	For the VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2.
VMware Per-App Tunnel Front-End	VMware Per-App Tunnel Back-End	TCP	8443	Telnet from VMware Per-App Tunnel Front-End to the VMware Per-App Tunnel Back-End on port 8443.	To forward device requests from the Front-End to the Back-End server. This needs to support a minimum of TLS 1.2.
VMware Per-App Tunnel Back-End	AirWatch Cloud Messaging Server	HTTPS	SaaS:443 On-Premises:2001*	Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response.	For VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2.
VMware Tunnel Back-End	Internal websites/web apps/resources	HTTP, HTTPS, or TCP	80, 443, any required TCP		For applications using VMware Per-App Tunnel to access internal resources. Exact endpoints or ports are determined by where these resources are located.
VMware Per-App Tunnel Front-End	UEM REST API SaaS‡: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com On-Premises†: Most commonly Device Services or Console server	HTTP or HTTPS	80 or 443	curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 unauthorized	The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to [Groups & Settings > All Settings > System > Advanced > Site URLs] to set the [REST API URL]. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the [REST API URL] is most commonly the [Console URL ]or [Devices Services URL].
VMware Per-App Tunnel Back-End	UEM REST API SaaS‡: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com On-Premises†: Most commonly Device Services or Console server	HTTP or HTTPS	80 or 443	curl -Ivv https://<API URL>/api/mdm/ping The expected response is HTTP 401 unauthorized	The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to [Groups & Settings > All Settings > System > Advanced > Site URLs] to set the [REST API URL]. This page is not available to Workspace ONE UEM SaaS customers. Workspace ONE UEM SaaS customers, the [REST API URL] is most commonly the [Console URL ]or [Devices Services URL].

[NOTES]

* This port can be changed based on your environment's restrictions.
† On-Premises means the location of the Workspace ONE UEM console.
‡ For SaaS customers who need to whitelist outbound communication, refer to the VMware Knowledge Base article that lists up-to-date IP ranges: https://support.workspaceone.com/articles/115001662168-.

For SaaS customers who need to whitelist outbound communication, refer to the following Knowledge Base article that lists up-to-date IP ranges that VMware currently owns: VMware AirWatch IP ranges for SaaS data centers.