Configuring the VMware Tunnel Edge Service: Workspace ONE Operational Tutorial

Before deploying Unified Access Gateway with VMware Tunnel, it is important to understand the VMware Tunnel components available to provide secure internal access to your device fleet.

VMware Tunnel consists of two major components: Tunnel Proxy and Per-App Tunnel. These components run independently as two separate services on the Unified Access Gateway appliance to enable internal access for an end-user device.

The Tunnel Proxy feature provides internal access to end-users in VMware Workspace ONE® Web (formerly VMware Browser) or other Workspace ONE UEM SDK-enabled applications by securing traffic from the application to a website with SSL encryption and certificate authentication. 

The Tunnel Proxy feature is enabled through settings in an application-specific SDK profile, which is pushed from the Workspace ONE UEM Console with the managed SDK-enabled app. Users also can access internal websites using Workspace ONE Web from non-managed devices, using the Workspace ONE application only in Mobile Application Management (MAM) mode.

The Per-App Tunnel feature enables an SSL VPN connection on a per-application basis for any public or internal application. This feature leverages the native Per-App VPN functionality of Android, iOS, and Windows 10 platforms and a device-side VPN client application to initiate a VPN connection when an enabled application is started. The VMware Workspace ONE® Tunnel client application installed on the user's device maintains an allowlist of applications that should use VPN, handle certificates for enabled applications, and initiate the VPN connection on behalf of the user.

Settings for the Per-App Tunnel feature are pushed to the device in a device profile with the VPN payload configured. Each platform offers slightly different variations of the Per-App Tunnel feature, but all platforms require the presence of the Workspace ONE Tunnel client to use Per-App VPN functionality.

The VMware Tunnel works as an edge service on Unified Access Gateway, and can automatically be configured during deployment using PowerShell, or after deployment, using the Unified Access Gateway administration console.

The Unified Access Gateway appliance OVF template contains several edge services, beyond VMware Tunnel. The template includes Content Gateway, Web Reverse Proxy, and Horizon. The appliance runs from a VMware standard hardened image.

The VMware Tunnel can be deployed in one of two configurations:

• Basic Mode consists of a single Unified Access Gateway appliance, typically situated in the DMZ, where devices can connect to the appropriate port for each feature, authenticate with a certificate issued from the Workspace ONE UEM Console, and connect to internal sites.
• The Cascade Mode option allows devices to authenticate to the front-end tunnel on the Unified Access Gateway appliance located in the DMZ, then connect to the back-end tunnel enabled on another Unified Access Gateway appliance over a single port and then access internal resources.

The following architectural diagram shows an example of two major networks that you can deploy your servers into. For this set of exercises, you deploy the Unified Access Gateway appliance on a DMZ and assign the respective NICs.

At the top of the diagram is vCenter Networking. At the bottom of the diagram is the vApp network required to support the environment. For these exercises, the focus is on the network hosted on the ESXi, and represented by the following three networks:

• VM Network & Management: Represents the dedicated network to access the Management Console
• Internal Network: Represents the internal network on 172.16.0.x range. The Control Center, ESXI, and vCenter are part of the internal network.
• DMZ Network: Represents the DMZ network on 192.168.110.x which is where the Unified Access Gateway appliance is to be deployed. The Unified Access Gateway Internet-facing NIC is associated to this network.

High-level Overview of Traffic Routing

The architectural diagram is based on two ports and two host names that route through the F5 load balancer. In this example, non-standard ports are used for these services in the 6000 - 6500 port range, due to F5 configuration for an internal network.

The next steps detail how the traffic is routed:

1. The host names ( pool##.airwlab.com) are CNAMEs that point to the external IP of the F5.  When these host names are resolved, they are routed to the F5 to be inspected and forwarded to the internal networks.
2. If the request includes only the host name ( pool##.airwlab.com), the F5 uses the Hostname iRule. This Hostname iRule inspects inbound traffic to the F5 over port 443 (HTTPS). The traffic is decrypted using the *.airwlab.com SSL certificate and chain. The Hostname iRule then inspects the traffic, re-encrypts the traffic using the SSL certificate and chain, and then routes the inbound request to the appropriate destination server based on the host name of the request. This process is known as SSL Bridging, which is not supported by Per-App Tunnel.
3. If the request includes the host name and port ( pool##:airwlab.com:6000), the F5 uses the Port iRule. This Port iRule inspects inbound traffic to the F5 over non-443 ports. Unlike the Hostname iRule, the Port iRule parses the request for the port number and then routes the inbound request to the appropriate destination server based on the port of the request. This process does not involve decrypting or re-encrypting the traffic; it forwards the request to the desired destination. This process uses SSL Passthrough.
4. From the F5 Hostname or Port iRules, the traffic is forwarded to the configured IP address.
5. The vPodRouter is configured to forward Unified Access Gateway traffic to the 192.168.110.20 IP address over the DMZ Network.
6. The Nested DMZ Network (192.168.110.0 on vmnic2) is provided by NIC 2 on the ESXi-01 Host (192.168.110.160).
7. The request reaches the nested Unified Access Gateway appliance deployed on 192.168.110.20.

Avoid SSL Bridging

In this example, non-443 ports are used for VMware Tunnel and Content Gateway to avoid decrypting and re-encrypting the traffic because this is not supported with Per-App Tunnel. In other scenarios, you would use the standard ports where possible. This exercise demonstrates that the ports for both services can be configured to work within the architecture.

Unified Access Gateway supports deployments with one, two, or three NICs. This means that the server can be partitioned to receive traffic on a single interface or to route traffic to different interfaces, based on the source of the request. Most often, if you need to implement multiple NICs, you already follow this standard with other web applications in your organization.

You must determine what is appropriate for your environment when selecting the number of NICs during installation. It is important for you to understand the expected behavior when two or three NICs are enabled.

To explore these options, see Deploying VMware Unified Access Gateway: VMware Workspace ONE Operational Tutorial.

In the exercises for deploying the Unified Access Gateway server through vSphere, the vCenter setup is hosted in a nested template. This is not usually the case when working with users in a live environment.

User environments can include multiple networks and can optionally have a Network Protocol Profiles (NPP) that corresponds to the networks to connect to the Unified Access Gateway. Prior to version 3.3, NPP was a requirement. Since version 3.3, NPP is no longer required.

Note: Keep in mind that the Unified Access Gateway requires a netmask, default gateway, and subnet to be defined for each network enabled during deployment.

Double-click the Google Chrome browser icon on the desktop.

1. Launch the Chrome browser from your desktop and click the bookmark for vSphere.
2. Enter the username, such as administrator@vsphere.local.
3. Enter the password, such as VMware1!.
4. Click Login.

After completing the login, you are presented with the vSphere Web Client.

On your desktop, double-click the Google Chrome icon.

For example, navigate to https://<WorkspaceONEUEMHostname> where WorkspaceONEUEMHostname is the host name of the Workspace ONE UEM console.

1. Enter your Username, for example, administrator.
2. Click Next. After you click Next, the Password text box is displayed.

1. Enter your Password, for example, VMware1!
2. Click Login.

Note: If you see a Captcha, be aware that it is case sensitive.

1. Select Accounts.
2. Navigate to Administrators > Roles.
3. Click Add Role.

1. Enter Tunnel API Access for the Role Name.
2. Enter Enterprise in the search box.
3. Confirm that you can see REST Enterprise Integration and click Details.
4. Select Read.
5. Click Save.

A Role with permission to read the VMware Tunnel configuration has been created.

1. Click  Accounts.
2. Navigate to Administrators > List View.
3. Click Add.
4. Select Add Admin.

1. Enter a Username, for example, apiuser.
2. Enter a Password, for example, VMware1!.
3. Confirm the Password.
4. Enter a First Name, for example, API.
5. Enter a Last Name, for example, User.
6. Enter your email for Email Address.
7. Click Save.

1. Select the Roles tab.
2. Click Add Role.
3. Enter the Organization Group name. Specify the organization group where VMware Tunnel will be configured.
4. Enter the Role Access Name previously created. In this example, we used Tunnel API Access.
5. Click Save.

An API account with minimum permission to obtain the VMware Tunnel configuration is ready to be used in the Unified Access Gateway configuration.

NOTE: Checked out devices will likely have the Workspace ONE Intelligent Hub already installed. You may skip this step if your device has the Workspace ONE Intelligent Hub installed.

At this point, if you are using your own iOS device or if the device you are using does not have the Workspace ONE Intelligent Hub Application installed, then install the application from the App Store.

To install the Workspace ONE Intelligent Hub application from the App Store, open the App Store application and download the free Workspace ONE Intelligent Hub application.

Launch the Hub app on the device.  

NOTE: If you have your own iOS device and would like to test, you must download the Workspace ONE Intelligent Hub app first. 

1. Enter the Server URL for your Workspace ONE UEM environment.
2. Click Next.

Click the Server Details button.

Return to the Workspace ONE Intelligent Hub application on your iOS Device,

1. Enter your Group ID for your Organization Group for the Group ID field. See Retrieving Your Group ID from Workspace ONE UEM Console.
2. Tap the Next button.

NOTE: If on an iPhone, you may have to close the keyboard by clicking Done in order to click the Next button.

You now provide user credentials to authenticate to Workspace ONE UEM.

1. Enter testuser in the Username field.
2. Enter VMware1! in the Password field.
3. Tap the Next button.

The Workspace ONE Intelligent Hub prompts you to enable Workspace Services to enroll your device into Workspace ONE UEM.  

Tap Next to begin.

If you are prompted to allow the website to open Settings, tap Allow.

NOTE: If you do not see this prompt, ignore this and continue to the next step. This prompt occurs only for iOS devices on iOS 10.3.3 or later.

Tap Install in the upper-right corner of the Install Profile dialog box.

Tap Install when prompted on the Install Profile dialog.

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

You should now see that the iOS Profile was successfully installed.

Tap Done in the upper-right corner of the prompt.

Your enrollment is now complete. Tap Open to navigate to the Workspace ONE Intelligent Hub.

Tap Done to confirm the notice and continue.

Tap Allow if you get a prompt to allow notifications for the Hub app.

You may be prompted to install a series of applications. If prompted, tap Install to accept the application installation.

Tap I Understand when shown the Privacy policy.

Tap I Agree for the Data Sharing policy.

Confirm that the Hub app shows the user account that you enrolled with.

You have now successfully enrolled your iOS device with Workspace ONE UEM. Continue to the next step.

1. Select Groups & Settings.
2. Select Configurations.
3. Enter Tunnel on the search field and press Enter.
4. Select Tunnel on the result list.

The INI file contains all the configuration settings required to deploy the Unified Access Gateway appliance.

This exercise uses the uag-Tunnel.ini file and is configured for a Unified Access Gateway appliance called UAG-TUNNEL, that has two NICs—NIC one is set to internet facing and NIC two for back end and management.

The INI file is located in the Unified Access Gateway installer ZIP package downloaded in the previous exercise.

Navigate to your Unified Access Gateway INI file. In this example, the INI file is located in UAG Resources.

1. Click the File Explorer icon from the task bar.
2. Select Desktop.
3. Select UAG Resources.
4. Right-click the INI file, for example, uag-TUNNEL.ini.
5. Select Edit with Notepad++.

In this example, the settings are already filled out. The General section includes details such as deployment location and network configuration for the Unified Access Gateway appliance.

The SSLCert and SSLCertAdmin sections contain SSL certificate location for the administrator and Internet interfaces.

The AirWatch section contains the required parameters to enable the VMware Tunnel edge service on your Unified Access Gateway appliance.

1. Enter the apiServerUsername, for example,  apiuser.
   Note: This account only requires READ access to REST API Enterprise integration, full Administrator permission is not required.
2. Enter your  Group ID for the Organization Group.
3. Enter the apiServerUrl, for example, https://v9.airwlab.com. 
4. Enter the airwatchServerHostname, for example,  https://pool##.airwlab.com.

During the Unified Access Gateway deployment, the PowerShell script prompts you for the apiServerUsername password.

Click the PowerShell icon.

After you run the script, it prompts for input.

1. Navigate to the folder containing your INI file. For example, enter cd '.\Desktop\UAG Resources' then press Enter.
2. Enter the following command line, replace the INI filename with the one you have used.

• -rootPwd - set the root password for the Unified Access Gateway appliance.
• -adminPwd - set the admin password for the REST API management access.
• -disableVerification - perform validation of signature and certificate.
• -noSSLVerify - perform SSL verification for the vSphere connection.
• -ceipEnabled - Join the VMware Customer Experience Improvement Program ("CEIP") program.
• -awAPIServerPwd - API password for the respective configured API user under AirWatch section of the INI file.

Note: 3. You might get prompted to enter the password related to the certificates defined on the SSLcert and SSLcertAdmin settings. Certificates can be passed in PEM format using the pemCerts and pemPrivKey settings for the SSLCert and SSLCertAdmin sections of the INI file.

If the -awAPIServerPwd is incorrect, you will get prompted to enter the correct password for the UEM API account.

The deployment starts and you can follow the progress on the same window or on your vSphere Web Client, which you opened at the beginning of this tutorial.

Note: VMWare Tunnel can be configured on the INI using the [AirwatchTunnelGateway] and the same settings, when using this section you must use the -awAPITunnelGatewayAPIServerPwd to inform the API password, and not the -awAPIServerPwd.

1. Confirm the deployment has been completed successfully. The Completed successfully text is shown in the output.
2. Click Close.
3. After a successful deployment, the script automatically powers on the VM UAG-2NIC-TUNNEL.

The Received IP address presented by the script log is a temporary IP; the final IPs for NIC one and NIC two are assigned to the Unified Access Gateway appliance during the first start. Return to the vSphere Web Client and validate the IP address in the next step.

1. Click VM and Templates.
2. Click your VM, for example, UAG-2NIC.
3. Click View all 2 IP addresses.

Important: If the Unified Access Gateway appliance does not finalize the configuration during the first startup, you receive an error message from vSphere Web Client. If that happens, wait for the appliance to finalize, and refresh the entire Google Chrome browser.

1. Click the New Tab button to open a new tab.
2. Navigate to the Unified Access Gateway administration console URL, for example,  https://uagmgt-int.airwlab.com:9443/admin.
3. Enter the username, for example, admin .
4. Enter the password, for example, VMware1!.
5. Click Login.

A successful login redirects you to the following screen. Keep this window open as you will return to the administration console later.

Click Select to configure settings manually.

1. Click SHOW, after you click SHOW, it changes to HIDE.
2. Click the gear icon next to VMware Tunnel Settings. The circle should be green, which means the Unified Access Gateway appliance and Workspace ONE UEM Console can communicate.

The VMware Tunnel edge service is enabled based on the configuration defined in the INI file.

You can change the configuration any time, or choose not to configure settings in the INI file and later enable the settings through the Unified Access Gateway administration console.

Each time you change the configuration and Save, the changes are applied to the configuration files and the VMware Tunnel edge service restarts automatically. Devices cannot communicate with the service during the restart.

Click Cancel.

1. Select Groups & Settings.
2. Select Configurations.
3. Enter Tunnel on the search field and press Enter.
4. Select Tunnel on the result list.

1. Click Edit.
2. Click Default assignment.

In this step, you create a specific rule that is applied only to Safari; any requests to *.corp.local are routed through the VMware Tunnel. All other requests are not routed through VMware Tunnel.

1. Click Add Rule.
2. Select Safari-iOS.
3. Enter a Destination Hostname, for example,  *.corp.local.
4. Click Save & Publish and then OK on the next dialog to confirm.

This exercise helps you to create and push the VPN Profile to the device.

To help you to configure the Workspace ONE Tunnel client application to be deployed to your device through Workspace ONE UEM, follow the chapter Distributing Workspace ONE Tunnel for iOS part of the Deploying VMware Workspace ONE Tunnel: Workspace ONE Operational Tutorial.

Repeat the steps in this exercise, this time for the Google Chrome application.

Google Chrome is used later in this exercise to confirm that Safari is the only browser authorized to access internal websites.

On your iOS device, tap Tunnel to start the Workspace ONE Tunnel client.

Tap Safari Browser.

Navigate to https://www.vmware.com.

You can access the VMware website and no VPN is requested.

1. Navigate to an internal website, for example, http://intranet.corp.local/intranet.
2. You should see a VPN icon, indicating the connection is active. The Workspace ONE Tunnel client application identified a rule that applies to this situation, which you created in Define Device Traffic Rules.
3. The website should load successfully.

Next, verify that you cannot access the intranet from other browsers, even though the VPN connection is active for Safari.