VMware Per-App Tunnel can be configured using either of the following two configuration models:

- Basic Endpoint (single-tier) using a VMware Per-App Tunnel Basic Endpoint
- Cascade (multi-tier) using a VMware Per-App Tunnel Front-End and VMware Per-App Tunnel Back-End

Source | Destination | Protocol | Port | Verification | Notes |
---|---|---|---|---|---|
Devices (from Internet and Wi-Fi) | VMware Per-App Tunnel Basic Endpoint | TCP, UDP | 8443* | Run the following command after installation: `netstat -tlpn \| grep [Port]` | Devices connect to the public DNS configured for VMware Tunnel over the specified port. If 443 is used, the Per-App Tunnel component listens on port 8443. |
VMware Per-App Tunnel Basic Endpoint | AirWatch Cloud Messaging Server | HTTPS | SaaS: 443; On-Premises: 2001* | Verify by using wget to `https://<AWCM URL>:<port>/awcm/status` and ensuring you receive an HTTP 200 response. | For the VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2. |
VMware Per-App Tunnel Basic Endpoint | Internal websites/web apps/resources | HTTP, HTTPS, or TCP | 80, 443, any required TCP | For applications using VMware Per-App Tunnel to access internal resources. Exact endpoints or ports are determined by where these resources are located. | |
VMware Per-App Tunnel Basic Endpoint | UEM REST API | HTTP or HTTPS | 80 or 443 | `curl -Ivv https://<API URL>/api/mdm/ping` The expected response is HTTP 401 unauthorized. | The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to [Groups & Settings > All Settings > System > Advanced > Site URLs] to set the [REST API URL]. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the [REST API URL] is most commonly the [Console URL] or [Devices Services URL]. |


Source | Destination | Protocol | Port | Verification | Notes |
---|---|---|---|---|---|
Devices (from Internet and Wi-Fi) | VMware Per-App Tunnel Front-End | TCP, UDP | 8443* | Run the following command after installation: `netstat -tlpn \| grep [Port]` | Devices connect to the public DNS configured for VMware Tunnel over the specified port. If 443 is used, the Per-App Tunnel component listens on port 8443. |
VMware Per-App Tunnel Front-End | AirWatch Cloud Messaging Server | HTTPS | SaaS: 443; On-Premises: 2001* | Verify by using wget to `https://<AWCM URL>:<port>/awcm/status` and ensuring you receive an HTTP 200 response. | For the VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2. |
VMware Per-App Tunnel Front-End | VMware Per-App Tunnel Back-End | TCP | 8443 | Telnet from VMware Per-App Tunnel Front-End to the VMware Per-App Tunnel Back-End on port 8443. | To forward device requests from the Front-End to the Back-End server. This needs to support a minimum of TLS 1.2. |
VMware Per-App Tunnel Back-End | AirWatch Cloud Messaging Server | HTTPS | SaaS: 443; On-Premises: 2001* | Verify by using wget to `https://<AWCM URL>:<port>/awcm/status` and ensuring you receive an HTTP 200 response. | For VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2. |
VMware Tunnel Back-End | Internal websites/web apps/resources | HTTP, HTTPS, or TCP | 80, 443, any required TCP | For applications using VMware Per-App Tunnel to access internal resources. Exact endpoints or ports are determined by where these resources are located. | |
VMware Per-App Tunnel Front-End | UEM REST API | HTTP or HTTPS | 80 or 443 | `curl -Ivv https://<API URL>/api/mdm/ping` The expected response is HTTP 401 unauthorized. | The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to [Groups & Settings > All Settings > System > Advanced > Site URLs] to set the [REST API URL]. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the [REST API URL] is most commonly the [Console URL] or [Devices Services URL]. |
VMware Per-App Tunnel Back-End | UEM REST API | HTTP or HTTPS | 80 or 443 | `curl -Ivv https://<API URL>/api/mdm/ping` The expected response is HTTP 401 unauthorized. | The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to [Groups & Settings > All Settings > System > Advanced > Site URLs] to set the [REST API URL]. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the [REST API URL] is most commonly the [Console URL] or [Devices Services URL]. |

[NOTES]

\* This port can be changed based on your environment's restrictions.

† On-Premises means the location of the Workspace ONE UEM console.

‡ For SaaS customers who need to whitelist outbound communication, refer to the VMware Knowledge Base article that lists up-to-date IP ranges: https://support.workspaceone.com/articles/115001662168-.

For SaaS customers who need to whitelist outbound communication, refer to the following Knowledge Base article that lists up-to-date IP ranges that VMware currently owns: VMware AirWatch IP ranges for SaaS data centers.
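
The verification steps from the tables can be scripted so each result is compared with the expected value (listener present, HTTP 200 from AWCM, HTTP 401 from the REST API ping). This is an added example, not VMware tooling: the function names and arguments are hypothetical, and the sample `netstat` output is constructed to show why a bare `grep [Port]` can report a false match.

```shell
#!/bin/sh
# Added example, not VMware tooling; function names are hypothetical.
# Live run on the Tunnel server: sh <this-file> --run <awcm-host:port> <api-host> <port>

# Constructed `netstat -tlpn` output: one real listener on 8443, plus two
# lines that a plain `grep 8443` would also match (port 18443, PID 8443).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp   0 0 0.0.0.0:8443     0.0.0.0:*  LISTEN  2113/proc-a
tcp   0 0 127.0.0.1:18443  0.0.0.0:*  LISTEN  8443/proc-b
tcp6  0 0 :::22            :::*       LISTEN  901/proc-c'

# Read `netstat -tlpn` output on stdin; print whether port $1 has a listener
# that devices can reach ("reachable"), only a loopback one, or "none".
listener_scope() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, part, ":")
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr ~ /^127\./ || addr == "::1") { if (scope == "") scope = "loopback" }
            else scope = "reachable"
        }
        END { print (scope == "" ? "none" : scope) }'
}

# Print the HTTP status for a URL; --tlsv1.2 refuses anything below TLS 1.2.
http_status() {
    curl --silent --output /dev/null --tlsv1.2 --max-time 10 \
         --write-out '%{http_code}' "$1"
}

# Compare an observed status with the value the table expects for that check.
judge() {  # usage: judge <awcm|api> <observed-status>
    case "$1" in
        awcm) want=200 ;;   # /awcm/status must answer 200
        api)  want=401 ;;   # /api/mdm/ping must answer 401 when unauthenticated
        *)    echo "UNKNOWN"; return 2 ;;
    esac
    if [ "$2" = "$want" ]; then echo "PASS"; else echo "FAIL (got $2, want $want)"; fi
}

run_checks() {  # usage: run_checks <awcm-host:port> <api-host> <tunnel-port>
    echo "listener: $(netstat -tlpn 2>/dev/null | listener_scope "$3")"
    echo "awcm:     $(judge awcm "$(http_status "https://$1/awcm/status")")"
    echo "api:      $(judge api "$(http_status "https://$2/api/mdm/ping")")"
}

if [ "${1:-}" = "--run" ]; then run_checks "$2" "$3" "$4"; fi
```

A status of `000` from `http_status` means the connection or the TLS 1.2 handshake failed before any HTTP response arrived, which points at firewall rules or protocol support rather than the service itself.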