
Disclaimer

My postings are my own and don’t necessarily represent VMware’s positions, strategies or opinions.


Console and Database

| Source Component | Source Server | Source IP | Destination Component | Destination Server | Destination IP | Protocol | Port | Description |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Database Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | TCP | 1433 | NOTE: If using a named SQL instance you will need to open the custom TCP/IP port |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | All AirWatch Servers |  |  | HTTPS | 443 |  |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | AWCM Server (typically Device Services URL) | awcm.awmdm.com | AirWatch IP Range | HTTPS | 2001 |  |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Active Directory domain controller | ad.fqdn.com | #.#.#.# | LDAP(S) | 389, 636, 3268, or 3269 | For LDAP Integration |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | SMTP Mail Relay | smtp.fqdn.com | #.#.#.# | SMTP | 25 or 465 | For SMTP integration |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Internal PKI | pki.fqdn.com | #.#.#.# | HTTPS/DCOM | DCOM or HTTPS | For PKI Integration |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Exchange Server | mail.fqdn.com | #.#.#.# | HTTP/HTTPS | 80/443 | For PowerShell Integration; If not using ESC or EIS |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | gateway.push.apple.com |  | 17.0.0.0/8 | TCP | 2195 | For Cloud Messaging; Apple iOS and Mac OS X only |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | feedback.push.apple.com |  | 17.0.0.0/8 | TCP | 2196 | For Cloud Messaging; Apple iOS and Mac OS X only |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | AirWatch Signing Service | signing.awmdm.com |  | HTTPS | 443 | AirWatch Signing Service |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | android.googleapis.com |  |  | HTTP/HTTPS | 80 and 443 | For Cloud Messaging; Android only |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | *notify.live.net |  |  | HTTP/HTTPS | 80 and 443 | For Cloud Messaging; Windows Phone 8 and Windows 8 R/T only |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Apple iTunes: *.itunes.apple.com, *.mzstatic.com, *phobos.apple.com, *phobos.apple.com.edgesuite.net |  |  | HTTP | 80 | For App Management; Apple iOS and Mac OS X only |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | vpp.itunes.apple.com |  |  | HTTPS | 443 | For VPP App Management; Apple iOS and Mac OS X only |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | mdmenrollment.apple.com |  | 248.128.0/17, 248.192.0/19, 2620:149:a40::/46, 2a01:b740:a41::/48, 2403:300:a41::/48, 2403:300:a50::/48 | HTTPS | 443 | For DEP Management; iOS Supervision only |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | accounts.google.com |  |  | HTTPS | 443 | For Android Enterprise (e.g. Android for Work) integration |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | play.google.com |  |  | HTTPS | 443 | For App Management; Android only |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | android.clients.google.com |  |  | TCP | 80 | For App Management; Android only |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | *.windowsphone.com |  |  | HTTP | 80 | For App Management; Windows Phone only |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | next-services.apps.microsoft.com |  |  | HTTPS | 443 | For App Management; Windows RT/Pro/ENT only |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | inference.location.live.net |  |  | HTTP/HTTPS | 80/443 | For Cloud Messaging; Windows Phone only |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | login.live.com |  |  | HTTPS | 443 | For Cloud Messaging; Windows Phone only |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | discovery.awmdm.com |  |  | HTTPS | 443 | For AutoDiscovery |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | gem.awmdm.com |  |  | HTTPS | 443 | For AirWatch Analytics in myAirWatch |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | awcp.air-watch.com |  |  | HTTPS | 443 | For APNs Certificate; Apple only |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | appwrap04.awmdm.com/awappwrap |  |  | HTTPS | 443 | For App Wrapping; Apple only |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | appwrapandroid.awmdm.com/awappwrap |  |  | HTTPS | 443 | For App Wrapping; Android only |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | fonts.googleapis.com |  |  | HTTP | 80 | For Console Display |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Gateway.celltrust.net |  |  | HTTPS | 443 | For SMS Integration [Optional] |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Public SSL Cert CRL* (Example: ocsp.verisign.com) |  |  | HTTP/HTTPS | 80 and 443 | If Console is publicly accessible [Optional] |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Code Signing Cert CRL | http://csc3-2010-crl.verisign.com/CSC3-2010.crl |  | HTTP | 80 |  |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Code Signing Cert CRL | https://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt |  | HTTPS | 443 |  |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Code Signing Cert CRL | https://dl.cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt |  | HTTPS | 443 |  |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Code Signing Cert CRL | http://crl3.digicert.com/sha2-assured-cs-g1.crl |  | HTTP | 80 |  |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Code Signing Cert CRL | http://crl4.digicert.com/sha2-assured-cs-g1.crl |  | HTTP | 80 |  |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | *.virtualearth.net |  |  | HTTPS | 443 | Device Location Tracking only |
| Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | BES Server |  |  | HTTPS | 443 | BlackBerry only |

Directory Services, AWCM and API

| Source Component | Source Server | Source IP | Destination Component | Destination Server | Destination IP | Protocol | Port | Description |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Devices on Internet and Wi-Fi |  |  | Device Services Server | ds.awmdm.com | AirWatch IP Range | HTTPS | 443 | For Device Management |
| Devices on Internet and Wi-Fi |  |  | Device Services Server | awcm.awmdm.com | AirWatch IP Range | HTTPS | 2001 | For AW Cloud Messaging; WinMo, Win32 or Android only |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Database Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | TCP | 1433 | NOTE: If using a named SQL instance you will need to open the custom TCP/IP port |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | All AirWatch Servers |  |  | HTTPS | 443 | For DS, Console, SEG, MAG, API |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | AWCM Server (typically the DS) | awcm.awmdm.com | AirWatch IP Range | HTTPS | 2001 |  |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Active Directory domain controller | ad.fqdn.com | #.#.#.# | LDAP(S) | 389, 636, 3268, or 3269 | [OPTIONAL] if you don't use ESC |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | SMTP Mail Relay | smtp.fqdn.com | #.#.#.# | SMTP | 25 or 465 | [OPTIONAL] if you don't use ESC |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Internal PKI | pki.fqdn.com | #.#.#.# | HTTPS/DCOM | DCOM or HTTPS | [OPTIONAL] if you don't use ESC |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Exchange Server | mail.fqdn.com | #.#.#.# | HTTP/HTTPS | 80/443 | For PowerShell Integration; If not using ESC |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | discovery.awmdm.com |  |  | HTTPS | 443 | For AutoDiscovery |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | gateway.push.apple.com |  |  | TCP | 2195 | For Cloud Messaging; Apple iOS and Mac OS X only |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | feedback.push.apple.com |  |  | TCP | 2196 | For Cloud Messaging; Apple iOS and Mac OS X only |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | android.googleapis.com |  |  | HTTP/HTTPS | 80 and 443 | For Cloud Messaging; Android only |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | *notify.live.net |  |  | HTTP/HTTPS | 80 and 443 | For Cloud Messaging; Windows Phone only |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | has.spserv.microsoft.com |  |  | HTTP/HTTPS | 80 and 443 | Windows 10 only for health attestation |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | inference.location.live.net |  |  | HTTP/HTTPS | 80/443 | For Cloud Messaging; Windows Phone only |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | login.live.com |  |  | HTTPS | 443 | For Cloud Messaging; Windows Phone only |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Apple iTunes: *itunes.apple.com, *.mzstatic.com, *phobos.apple.com, *phobos.apple.com.edgesuite.net |  |  | HTTP | 80 | For App Management; Apple iOS and Mac OS X only |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | vpp.itunes.apple.com |  |  | HTTPS | 443 | For VPP App Management; Apple iOS and Mac OS X only |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | play.google.com |  |  | HTTPS | 443 | For App Management; Android only |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | android.clients.google.com |  |  | TCP | 80 | For App Management; Android only |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) |  |  |  | HTTPS | 443 | For AutoDiscovery |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | *.windowsphone.com |  |  | HTTP | 80 | For App Management; Windows Phone only |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | next-services.apps.microsoft.com |  |  | HTTPS | 443 | For App Management; Windows RT/Pro/ENT only |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | awcp.air-watch.com/* |  |  | HTTPS | 443 | For APNs Certificate; Apple only |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | appwrap04.awmdm.com/awappwrap |  |  | HTTPS | 443 | For App Wrapping; Apple only |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | appwrapandroid.awmdm.com/awappwrap |  |  | HTTPS | 443 | For App Wrapping; Android only |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Public SSL Cert CRL* (Example: ocsp.verisign.com) |  |  | HTTP/HTTPS | 80 and 443 |  |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | *.virtualearth.net |  |  | HTTPS | 443 | Device Location Tracking |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Code Signing Cert CRL | http://csc3-2010-crl.verisign.com/CSC3-2010.crl |  | HTTP | 80 |  |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Code Signing Cert CRL | https://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt |  | HTTPS | 443 |  |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Code Signing Cert CRL | https://dl.cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt |  | HTTPS | 443 |  |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Code Signing Cert CRL | http://crl3.digicert.com/sha2-assured-cs-g1.crl |  | HTTP | 80 |  |
| Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | Code Signing Cert CRL | http://crl4.digicert.com/sha2-assured-cs-g1.crl |  | HTTP | 80 |  |

Workspace One Intelligence

| Source Component | Source Server | Source IP | Destination Component | Destination Server | Destination IP | Protocol | Port |
| --- | --- | --- | --- | --- | --- | --- | --- |
| WS1 Intelligence Connector | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | AirWatch Database | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | TCP | 1433 |
| WS1 Intelligence Connector | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | WSONE Intelligence Server | api.na1.data.vmwservices.com |  | HTTPS | 443 |
| WS1 Intelligence Connector | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | WSONE Intelligence Server | eventproxy.na1.data.vmwservices.com |  | HTTPS | 443 |
| WS1 Intelligence Connector | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | WSONE Intelligence Server | na1.data.vmwservices.com |  | HTTPS | 443 |
| WS1 Intelligence Connector | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) |  | api.ci.dpa0.org |  | HTTPS | 443 |
| WS1 Intelligence Connector | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | AirWatch Auto Discovery | discovery.awmdm.com | AirWatch IP Range | HTTPS | 443 |

Device (Local WiFi and Internet)

| Source Component | Destination Component | Destination Server | Destination IP | Protocol | Port | Description |
| --- | --- | --- | --- | --- | --- | --- |
| Devices (Internet\|WiFi) | Device Services Hostname | ds.awmdm.com | AirWatch IP Range | HTTPS | 443 | For MDM functionality |
| Devices (Internet\|WiFi) | SEG Hostname | seg.company.com | #.#.#.# | HTTPS | 443 | For Email |
| Devices (Internet\|WiFi) | AWCM Server | awcm.awmdm.com | AirWatch IP Range | HTTP/HTTPS | 443 (2001 for On-Premise) | For AW Cloud Messaging; WinMo, Win32 or Android only |
| Devices (Internet\|WiFi) | Content Gateway | contentr.company.com | #.#.#.# | HTTPS | 443 |  |
| Devices (Internet\|WiFi) | Tunnel Relay | tunnelr.company.com | #.#.#.# | HTTPS | 2020, 8443 | For Browser, and Per-App Tunnel |
| Devices (Internet\|WiFi) | RFS | rfs.company.com | #.#.#.# | HTTPS | 443 | For accessing personal content |
| Devices (Internet\|WiFi) | CRE | cre.company.com | #.#.#.# | HTTPS | 443 | For rendering personal content in a browser |
| Devices (Internet\|WiFi) | Identity Manager | <customername>.vmwareidentity.com | IDM IP Range | HTTPS | 443 | For accessing Identity Manager |
| Devices (Internet\|WiFi) | IDM - Cert Auth | cas-aws.vmwareidentity.com | IDM IP Range | HTTPS | 7443 | For certificate authentication to Identity Manager |
| Devices (Internet\|WiFi) | IDM - Cert Auth Android SSO | certproxy.vmwareidentity.com | IDM IP Range | HTTPS | 5262 | For Android mobile SSO |
| Devices (Internet\|WiFi) | IDM - KDC iOS SSO | kdc.vmwareidentity.com | IDM IP Range | TCP/UDP | 88 | For iOS Mobile SSO |
| Devices (Internet\|WiFi) | VESC (VMware Identity Manager Connector) | esc.fqdn.com | #.#.#.# | HTTPS | 443 | For Windows clients accessing the connector for Kerberos authentication. Device needs to be on a network that can request a Kerberos token from the Domain Controller |
| Devices (Internet\|WiFi) | #-courier.push.apple.com |  |  | TCP | 5223 and 443 | For Cloud Messaging; Apple iOS and Mac OS X only (# is a random number from 0 to 200) |
| Devices (Internet\|WiFi) | phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com |  |  | HTTP/HTTPS | 80 or 443 | For App Management; Apple iOS and Mac OS X only |
| Devices (Internet\|WiFi) | mtalk.google.com |  |  | TCP | 5228 | For Cloud Messaging; Android only |
| Devices (Internet\|WiFi) | play.google.com |  |  | HTTPS | 443 | For App Management; Android only |
| Devices (Internet\|WiFi) | *notify.live.net |  |  | HTTP/HTTPS | 80 or 443 | For Cloud Messaging; Windows 10+, Windows Phone 8 and Windows 8 R/T only |
| Devices (Internet\|WiFi) | *notify.windows.com |  |  | HTTPS | 443 | For Cloud Messaging; Windows 10+, Windows Phone 8 and Windows 8 R/T only |
| Devices (Internet\|WiFi) | inference.location.live.net |  |  | HTTP/HTTPS | 80/443 | For Cloud Messaging; Windows 10+, Windows Phone 8 and Windows 8 R/T only |
| Devices (Internet\|WiFi) | ekop.intel.com/ekcertservice |  |  | HTTPS | 443 | For Intel firmware TPM. Authorize this URL if you are filtering Internet access for client devices. This is needed for signed certificates for Secure Boot. |
| Devices (Internet\|WiFi) | ekcert.spserv.microsoft.com |  |  | HTTPS | 443 | For Qualcomm firmware TPM. Authorize this URL if you are filtering Internet access for client devices. This is needed for signed certificates for Secure Boot. |
| Devices (Internet\|WiFi) | has.spserv.microsoft.com |  |  | HTTPS | 443 | Windows 10 only for health attestation |
| Devices (Internet\|WiFi) | Public SSL Cert CRL* (Example: ocsp.verisign.com) |  |  | HTTP/HTTPS | 80 and 443 |  |
| Devices (Internet\|WiFi) | discovery.awmdm.com |  |  | HTTPS | 443 | For AirWatch simplified enrollment (Auto Discovery) |
| Devices (Internet\|WiFi) | For North America: gslb.secb2b.com, us-elm.secb2b.com, us-prod-klm.secb2b.com; For China: china-gslb.secb2b.com.cn, china-elm.secb2b.com.cn, china-klm.secb2b.com; For All Other Regions: gslb.secb2b.com, eu-elm.secb2b.com, eu-prod-klm.secb2b.com |  |  | HTTPS | 443 | For Samsung Device Management. Samsung Devices Only |
| Devices (Internet\|WiFi) | For the Americas (USA, Canada, Brazil, etc.): gslb.secb2b.com, us-elm.secb2b.com, us-knox.secb2b.com, us-prod-klm.secb2b.com, kaps.secb2b.com, d28lmkz7f2awiw.cloudfront.net; For China: china-gslb.secb2b.com.cn, china-elm.secb2b.com.cn, china-knox.secb2b.com.cn, ch-prod-klm.secb2b.com, china-kad.secb2b.com.cn, bjprodkad.blob.core.chinacloudapi.cn; All other countries: gslb.secb2b.com, eu-elm.secb2b.com, eu-knox.secb2b.com, eu-prod-klm.secb2b.com, kaps.secb2b.com, d28lmkz7f2awiw.cloudfront.net |  |  | HTTP/HTTPS | 443 | For Samsung KNOX Device Management. Samsung Devices Only |
| Devices (Internet\|WiFi) |  | certproxy.vmwareidentity.com |  | TCP | 5262 | For Android SSO (Workspace One) |

AirWatch Cloud Connector

| Source Component | Source Server | Destination Component | Destination Server | Destination IP | Protocol | Port | Description |
| --- | --- | --- | --- | --- | --- | --- | --- |
| ESC Server | esc.fqdn.com | AirWatch Cloud Messaging Server | awcm.awmdm.com | AirWatch IP Range | HTTPS | 443 / 2001 (on-prem) | Telnet from VESC to AWCM Server on port or once installed: Verify by entering https://awcm.awmdm.com:2001/awcm/status and ensure there is no certificate trust error |
| ESC Server | esc.fqdn.com | AirWatch Admin Console | cn.awmdm.com | AirWatch IP Range | HTTP or HTTPS | 80 or 443 | Telnet from VESC to Console on port or once installed: Verify by entering https://cn.awmdm.com and ensure there is no certificate trust error |
| ESC Server | esc.fqdn.com | AirWatch REST API | as.awmdm.com | AirWatch IP Range | HTTPS | 443 | Diagnostics Service |
| ESC Server | esc.fqdn.com | CRL | http://csc3-2010-crl.verisign.com/CSC3-2010.crl |  | HTTP | 80 | For various services to function properly |
| ESC Server | esc.fqdn.com | Internal LDAP | ad.fqdn.com | #.#.#.# | LDAP(S) | 389, 636, 3268, or 3269 |  |
| ESC Server [OPTIONAL] | esc.fqdn.com | Internal SMTP | smtp.fqdn.com | #.#.#.# | SMTP | 25 |  |
| ESC Server [OPTIONAL] | esc.fqdn.com | Internal SCEP | pki.fqdn.com | #.#.#.# | HTTP or HTTPS | 80 or 443 |  |
| ESC Server [OPTIONAL] | esc.fqdn.com | Internal ADCS | pki.fqdn.com | #.#.#.# | DCOM | 135, 1025-5000, 49152-65535 |  |
| ESC Server [OPTIONAL] | esc.fqdn.com | Internal Exchange 2010 or higher | mail.fqdn.com | #.#.#.# | HTTP or HTTPS | 80 or 443 | For PowerShell Integration |

UAG: Per-App Tunnel, Content Gateway, SEGv2 (New)


Basic Install (1x UAG)

| Source Component | Source Server | Source IP | Destination Component | Destination Server | Destination IP | Protocol | Port | Description |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Devices (from Internet & Wi-Fi) |  |  | AirWatch Tunnel Endpoint | tunnele.company.com | #.#.#.# | TCP | 8443 | For Tunnel PerAppVpn |
| Devices (from Internet & Wi-Fi) |  |  | AirWatch Tunnel Endpoint | tunnele.company.com | #.#.#.# | HTTPS | 2020 | For Tunnel Proxy (legacy) |
| Devices (from Internet and Wi-Fi) |  |  | AirWatch Content Gateway Relay | contente.company.com | #.#.#.# | HTTPS | 443 | For Content Gateway |
| AirWatch Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | AirWatch Content Gateway | contente.company.com | #.#.#.# | HTTPS | 443 | For Content Gateway |
| AirWatch Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | AirWatch Content Gateway | contente.company.com | #.#.#.# | HTTPS | 443 | For Content Gateway |
| AirWatch Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | AirWatch Tunnel Front-End | tunnele.company.com | #.#.#.# | HTTPS | 2020 | For Proxy Test Connection from the Console |
| AirWatch Tunnel/CG | tunnelendpoint.fqdn.com | #.#.#.# | AirWatch Cloud Messaging Server | awcm.awmdm.com | AirWatch IP Range | HTTPS | 443 / 2001 (on-prem) |  |
| AirWatch Tunnel/CG | tunnelendpoint.fqdn.com | #.#.#.# | AirWatch REST API | as.awmdm.com | AirWatch IP Range | HTTPS | 443 | For general commands and for SEG Component |
| AirWatch Tunnel Endpoint | tunnelendpoint.fqdn.com | #.#.#.# | Internal Resources |  |  | varies | varies | Tunnel needs to be able to reach any desired destination you wish to give devices access to |
| Browser (for admin access) |  |  | UAG server | tunnelendpoint.fqdn.com | #.#.#.# | HTTPS | 9443 | For access to UAG administrative portal |
| AWCM | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | UAG server | tunnelendpoint.fqdn.com | #.#.#.# |  | 11443 | For SEG Component |
| SEG API REST Client |  |  | UAG server | tunnelendpoint.fqdn.com | #.#.#.# |  | 44444 | SEG REST API (UAG Management NIC Affinity) |
| (SEG 2-node Cluster) | tunnelendpoint.fqdn.com | #.#.#.# | UAG server | tunnelendpoint.fqdn.com | #.#.#.# |  | TCP 5701, TCP 41232 | Ports need to be open BOTH WAYS between nodes. Used for distributed cache and for communication between SEG nodes in the cluster. Both ports have internal NIC affinity. |

Cascade Install (2x UAG)

| Source Component | Source Server | Source IP | Destination Component | Destination Server | Destination IP | Protocol | Port | Description |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Devices (from Internet & Wi-Fi) |  |  | AirWatch Tunnel Front-End | tunnelr.company.com | #.#.#.# | TCP | 8443 | For PerAppVpn |
| Devices (from Internet and Wi-Fi) |  |  | AirWatch Content Gateway Relay | contentr.company.com | #.#.#.# | HTTPS | 443 | For Content Gateway |
| Devices (from Internet & Wi-Fi) |  |  | AirWatch Tunnel Front-End | tunnelr.company.com | #.#.#.# | HTTPS, TCP | 2020 | For Tunnel Proxy (Legacy) |
| AirWatch Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | AirWatch Tunnel Front-End | tunnelr.company.com | #.#.#.# | HTTPS | 2020 | For Proxy Test Connection from the Console |
| AirWatch Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | AirWatch Content Gateway Relay | cn.awmdm.com | #.#.#.# | HTTPS | 443 |  |
| AirWatch Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | AirWatch Content Gateway Relay | cn.awmdm.com | #.#.#.# | HTTPS | 443 |  |
| AirWatch Tunnel Front-End | tunnelrelay.fqdn.com | #.#.#.# | AirWatch Tunnel Back-End | tunnele.company.com | #.#.#.# | HTTPS | 2010 | For Proxy (e.g. AirWatch Browser) |
| AirWatch Tunnel Front-End | tunnelrelay.fqdn.com | #.#.#.# | AirWatch Tunnel Back-End | tunnele.company.com | #.#.#.# | TCP | 8443 | For PerAppVpn |
| AirWatch Content Gateway Relay | cgrelay.fqdn.com | #.#.#.# | AirWatch Content Gateway Endpoint | contente.company.com | #.#.#.# | HTTPS | 443 |  |
| AirWatch Tunnel Front-End | tunnelrelay.fqdn.com | #.#.#.# | AirWatch Cloud Messaging Server | awcm.awmdm.com | AirWatch IP Range | HTTPS | 443 / 2001 (on-prem) |  |
| AirWatch Tunnel/CG Front-End | tunnelrelay.fqdn.com | #.#.#.# | AirWatch REST API | as.awmdm.com | AirWatch IP Range | HTTPS | 443 |  |
| AirWatch Tunnel/CG Back-End | tunnelendpoint.fqdn.com | #.#.#.# | AirWatch Cloud Messaging Server | awcm.awmdm.com | AirWatch IP Range | HTTPS | 443 / 2001 (on-prem) |  |
| AirWatch Tunnel/CG Back-End | tunnelendpoint.fqdn.com | #.#.#.# | AirWatch REST API | as.awmdm.com | AirWatch IP Range | HTTPS | 443 |  |
| AirWatch Tunnel/CG Back-End | tunnelendpoint.fqdn.com | #.#.#.# | Internal Resources |  |  | varies | varies | Tunnel needs to be able to reach any desired destination you wish to give devices access to |
| Browser (for admin access) |  |  | UAG Front-End | tunnelrelay.fqdn.com | #.#.#.# | HTTPS | 9443 | For access to UAG administrative portal |
| Browser (for admin access) |  |  | UAG Back-End | tunnelendpoint.fqdn.com | #.#.#.# | HTTPS | 9443 | For access to UAG administrative portal |

Secure EMail Gateway (old Win-based)

| Source Component | Source Server | Source IP | Destination Component | Destination Server | Destination IP | Protocol | Port | Description |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Devices (from Internet and Wi-Fi) |  |  | SEG Server | seg.company.com | #.#.#.# | HTTPS | 443 |  |
| AirWatch Console Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | SEG Server | seg.company.com | #.#.#.# | HTTPS | 443 |  |
| AirWatch Device Services Server | AirWatch Hosted (SaaS) | AirWatch Hosted (SaaS) | SEG Server | seg.company.com | #.#.#.# | HTTPS | 443 |  |
| SEG Server | seg.fqdn.com | #.#.#.# | AWCM Server | awcm.awmdm.com | AirWatch IP Range | HTTPS | 443 (2001 On Prem) | Telnet from SEG to AWCM server on port |
| SEG Server | seg.fqdn.com | #.#.#.# | AirWatch REST API | as.awmdm.com | AirWatch IP Range | HTTPS | 443 | Verify that the following URL prompts for credentials and is trusted from the browser on the SEG servers: https://as.awmdm.com/api/help |
| SEG Server (Classic SEG Only) | seg.fqdn.com | #.#.#.# | AirWatch SOAP API | as.awmdm.com | AirWatch IP Range | HTTPS | 443 | (For Classic SEG only) Verify that the following URL is trusted from the browser on the SEG server: https://as.awmdm.com/AirWatchServices/Internal/ActiveSyncIntegrationServiceEndpoint.svc |
| SEG [OPTIONAL] | seg.fqdn.com | #.#.#.# | Internal host name or IP of all other SEG Servers | seg.fqdn.com | #.#.#.# | UDP/TCP | 41232 and 5701 (for clustering) | If you are using SEG Clustering (multiple load balanced SEG servers) |
| SEG | seg.fqdn.com | #.#.#.# | Mail Server | mail.fqdn.com | #.#.#.# | HTTP or HTTPS | 80 or 443 | For Lotus Notes, Novell Groupwise, or Google the Classic SEG would need to be used. Verify that the following URL is trusted from the browser on the SEG server and gives a prompt for credentials. For Exchange: http(s)://mail.fqdn.com/Microsoft-server-activesync. For Lotus Notes: http(s)://mail.fqdn.com/servlet/traveler/Microsoft-server-activesync. For Google: https://m.google.com/Microsoft-server-activesync. For Groupwise (depending on version): http(s)://mail.fqdn.com/EAS or http(s)://mail.fqdn.com/Microsoft-server-activesync. Verify that a 501/505 HTTP page comes up. |