VMware Per-App Tunnel can be configured using either of the following two configuration models:

  • Basic Endpoint (single-tier) using a VMware Per-App Tunnel Basic Endpoint

  • Cascade (multi-tier) using a VMware Per-App Tunnel Front-End and VMware Per-App Tunnel Back-End

Table 1. Port Requirements for VMware Per-App Tunnel Basic Endpoint Configuration

| Source | Destination | Protocol | Port | Verification | Notes |
|---|---|---|---|---|---|
| Devices (from Internet and Wi-Fi) | VMware Per-App Tunnel Basic Endpoint | TCP, UDP | 8443* | Run the following command after installation: `netstat -tlpn \| grep [Port]` | Devices connect to the public DNS configured for VMware Tunnel over the specified port. If 443 is used, the Per-App Tunnel component listens on port 8443. |
| VMware Per-App Tunnel Basic Endpoint | AirWatch Cloud Messaging Server | HTTPS | SaaS: 443; On-Premises: 2001* | Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response. | For the VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2. |
| VMware Per-App Tunnel Basic Endpoint | Internal websites/web apps/resources | HTTP, HTTPS, or TCP | 80, 443, any required TCP | | For applications using VMware Per-App Tunnel to access internal resources. Exact endpoints or ports are determined by where these resources are located. |
| VMware Per-App Tunnel Basic Endpoint | UEM REST API (SaaS‡: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Premises†: most commonly the Device Services or Console server) | HTTP or HTTPS | 80 or 443 | Run `curl -Ivv https://<API URL>/api/mdm/ping`; the expected response is HTTP 401 Unauthorized. | The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to [Groups & Settings > All Settings > System > Advanced > Site URLs] to set the [REST API URL]. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the [REST API URL] is most commonly the [Console URL] or [Device Services URL]. |

Table 2. Port Requirements for VMware Per-App Tunnel Cascade Configuration

| Source | Destination | Protocol | Port | Verification | Notes |
|---|---|---|---|---|---|
| Devices (from Internet and Wi-Fi) | VMware Per-App Tunnel Front-End | TCP, UDP | 8443* | Run the following command after installation: `netstat -tlpn \| grep [Port]` | Devices connect to the public DNS configured for VMware Tunnel over the specified port. If 443 is used, the Per-App Tunnel component listens on port 8443. |
| VMware Per-App Tunnel Front-End | AirWatch Cloud Messaging Server | HTTPS | SaaS: 443; On-Premises: 2001* | Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response. | For the VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2. |
| VMware Per-App Tunnel Front-End | VMware Per-App Tunnel Back-End | TCP | 8443 | Telnet from the VMware Per-App Tunnel Front-End to the VMware Per-App Tunnel Back-End on port 8443. | To forward device requests from the Front-End to the Back-End server. This needs to support a minimum of TLS 1.2. |
| VMware Per-App Tunnel Back-End | AirWatch Cloud Messaging Server | HTTPS | SaaS: 443; On-Premises: 2001* | Verify by using wget to https://<AWCM URL>:<port>/awcm/status and ensuring you receive an HTTP 200 response. | For the VMware Per-App Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes. This needs to support a minimum of TLS 1.2. |
| VMware Per-App Tunnel Back-End | Internal websites/web apps/resources | HTTP, HTTPS, or TCP | 80, 443, any required TCP | | For applications using VMware Per-App Tunnel to access internal resources. Exact endpoints or ports are determined by where these resources are located. |
| VMware Per-App Tunnel Front-End | UEM REST API (SaaS‡: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Premises†: most commonly the Device Services or Console server) | HTTP or HTTPS | 80 or 443 | Run `curl -Ivv https://<API URL>/api/mdm/ping`; the expected response is HTTP 401 Unauthorized. | The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to [Groups & Settings > All Settings > System > Advanced > Site URLs] to set the [REST API URL]. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the [REST API URL] is most commonly the [Console URL] or [Device Services URL]. |
| VMware Per-App Tunnel Back-End | UEM REST API (SaaS‡: https://asXXX.awmdm.com or https://asXXX.airwatchportals.com; On-Premises†: most commonly the Device Services or Console server) | HTTP or HTTPS | 80 or 443 | Run `curl -Ivv https://<API URL>/api/mdm/ping`; the expected response is HTTP 401 Unauthorized. | The VMware Per-App Tunnel must communicate with the UEM REST API for initialization. In the Workspace ONE UEM console, go to [Groups & Settings > All Settings > System > Advanced > Site URLs] to set the [REST API URL]. This page is not available to Workspace ONE UEM SaaS customers. For Workspace ONE UEM SaaS customers, the [REST API URL] is most commonly the [Console URL] or [Device Services URL]. |

[NOTES]

  • * This port can be changed based on your environment's restrictions.

  • † On-Premises means the location of the Workspace ONE UEM console.

  • ‡ For SaaS customers who need to whitelist outbound communication, refer to the VMware Knowledge Base article that lists up-to-date IP ranges: https://support.workspaceone.com/articles/115001662168-.

For SaaS customers who need to whitelist outbound communication, refer to the following Knowledge Base article that lists up-to-date IP ranges that VMware currently owns: VMware AirWatch IP ranges for SaaS data centers.
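The Verification column above describes four manual checks: a netstat listener check, a wget to the AWCM status page expecting HTTP 200, a curl to the REST API ping endpoint expecting HTTP 401, and a telnet from Front-End to Back-End on port 8443. The script below is an added example, not VMware tooling, that scripts those same checks so they can be re-run after every firewall or listener change. The netstat sample it parses is constructed, and the program name "tunnel-example" is a placeholder, as is the expectation that a device-facing port must not be bound to loopback only (a port that only listens on 127.0.0.1 passes a naive grep but is unreachable from the Internet or Wi-Fi). The AWCM and REST API URLs are parameters you supply; nothing here knows your environment's hostnames.

```python
"""Scripted version of the Verification column checks (added example).

The SAMPLE_NETSTAT text is constructed for illustration; '1234/tunnel-example'
is a placeholder program name, not the real Per-App Tunnel process name.
"""
import socket
import ssl
import urllib.error
import urllib.request

# Expected HTTP responses, taken from the Verification column of the tables.
EXPECTED = {"awcm_status": 200, "rest_api_ping": 401}

# Constructed `netstat -tlpn` output: 8443 bound to all interfaces, 2001
# bound to loopback only, plus an unrelated sshd listener.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      1234/tunnel-example
tcp        0      0 127.0.0.1:2001          0.0.0.0:*               LISTEN      5678/java
tcp6       0      0 :::22                   :::*                    LISTEN      900/sshd
"""


def parse_netstat_listeners(output):
    """Parse `netstat -tlpn` text into {port: (local_address, program)}."""
    listeners = {}
    for line in output.splitlines():
        fields = line.split()
        # Skip the banner, the header row and anything that is not a TCP LISTEN entry.
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # handles both 0.0.0.0:8443 and :::22
        program = fields[6] if len(fields) > 6 else "-"
        listeners[int(port)] = (addr, program)
    return listeners


def listener_status(output, port):
    """Go one step past `grep [Port]`: distinguish an unreachable loopback bind."""
    listeners = parse_netstat_listeners(output)
    if port not in listeners:
        return "not-listening"
    addr, _program = listeners[port]
    if addr in ("127.0.0.1", "::1"):
        return "loopback-only"  # devices from Internet/Wi-Fi cannot reach this
    return "listening"


def tls12_context():
    """Client TLS context that refuses anything below TLS 1.2, matching the Notes column."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def http_status(url, timeout=5.0):
    """HEAD request (the scripted equivalent of `curl -I` / wget) returning the status code."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=tls12_context()) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # the expected 401 from /api/mdm/ping is raised as HTTPError


def tcp_reachable(host, port, timeout=3.0):
    """Plain TCP connect, the scripted equivalent of the Front-End to Back-End telnet check."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verdict(actual, expected):
    """Compare an observed result with the table's expectation."""
    return "PASS" if actual == expected else f"FAIL (got {actual}, expected {expected})"


if __name__ == "__main__":
    # Offline part: evaluate the constructed netstat sample.
    print("device port 8443:", listener_status(SAMPLE_NETSTAT, 8443))
    print("port 2001:", listener_status(SAMPLE_NETSTAT, 2001))
    # Online part: substitute your own AWCM and REST API URLs (placeholders here).
    awcm = "https://AWCM-URL-PLACEHOLDER:443/awcm/status"
    api = "https://API-URL-PLACEHOLDER/api/mdm/ping"
    print("AWCM status:", verdict(http_status(awcm), EXPECTED["awcm_status"]))
    print("REST API ping:", verdict(http_status(api), EXPECTED["rest_api_ping"]))
    print("Back-End 8443:", tcp_reachable("BACKEND-HOST-PLACEHOLDER", 8443))
```

Run it from each tunnel server in turn (Basic Endpoint, or Front-End and Back-End in the cascade model) so the checks are made from the actual source of each table row. The `loopback-only` status is the case the plain grep misses: the port shows up in netstat, yet devices cannot connect.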