Configuring the VMware Tunnel Edge Service: Workspace ONE Operational Tutorial
VMware Workspace ONE UEM 2107 and later
VMware Unified Access Gateway 3.3 and later
VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. This tutorial walks through configuring the VMware Tunnel™ edge service on VMware Unified Access Gateway™.
This operational tutorial is intended for IT professionals and Workspace ONE UEM administrators of existing production environments.
Knowledge of additional technologies such as network, VPN configuration, VMware Workspace ONE® Intelligence and VMware Workspace ONE® UEM is also helpful.
Configuring VMware Tunnel Edge Services on Unified Access Gateway
The VMware Tunnel™ is an edge service on VMware Unified Access Gateway™, which enables Per-App VPN on managed mobile devices to secure access to internal resources. VMware Tunnel allows individual applications to authenticate and securely communicate with back end resources over HTTP(S) for proxy and HTTP(S) or TCP for Per-App Tunneling.
This section helps you to configure the VMware Tunnel edge service on Unified Access Gateway.
- Enrolling an iOS device
- Configuring VMware Tunnel in the Workspace ONE UEM Console
- Deploying Unified Access Gateway and enabling VMware Tunnel edge services through PowerShell
- Defining network traffic rules for Per-App Tunnel
- Configuring VPN Profile and deploying Workspace ONE Tunnel client
- Validating access to internal websites based on device traffic rules using an enrolled iOS device
The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.
VMware Tunnel Components
Before deploying Unified Access Gateway with VMware Tunnel, it is important to understand the VMware Tunnel components available to provide secure internal access to your device fleet.
VMware Tunnel consists of two major components: Tunnel Proxy and Per-App Tunnel. These components run independently as two separate services on the Unified Access Gateway appliance to enable internal access for an end-user device.
The Tunnel Proxy feature provides internal access to end-users in VMware Workspace ONE® Web (formerly VMware Browser) or other Workspace ONE UEM SDK-enabled applications by securing traffic from the application to a website with SSL encryption and certificate authentication.
The Tunnel Proxy feature is enabled through settings in an application-specific SDK profile, which is pushed from the Workspace ONE UEM Console with the managed SDK-enabled app. Users also can access internal websites using Workspace ONE Web from non-managed devices, using the Workspace ONE application only in Mobile Application Management (MAM) mode.
The Per-App Tunnel feature enables an SSL VPN connection on a per-application basis for any public or internal application. This feature leverages the native Per-App VPN functionality of Android, iOS, and Windows 10 platforms and a device-side VPN client application to initiate a VPN connection when an enabled application is started. The VMware Workspace ONE® Tunnel client application installed on the user's device maintains an allowlist of applications that should use VPN, handles certificates for enabled applications, and initiates the VPN connection on behalf of the user.
Settings for the Per-App Tunnel feature are pushed to the device in a device profile with the VPN payload configured. Each platform offers slightly different variations of the Per-App Tunnel feature, but all platforms require the presence of the Workspace ONE Tunnel client to use Per-App VPN functionality.
VMware Tunnel Edge Service on Unified Access Gateway
The VMware Tunnel works as an edge service on Unified Access Gateway, and can automatically be configured during deployment using PowerShell, or after deployment, using the Unified Access Gateway administration console.
The Unified Access Gateway appliance OVF template contains several edge services, beyond VMware Tunnel. The template includes Content Gateway, Web Reverse Proxy, and Horizon. The appliance runs from a VMware standard hardened image.
VMware Tunnel Deployment Model on Unified Access Gateway
The VMware Tunnel can be deployed in one of two configurations:
- Basic Mode consists of a single Unified Access Gateway appliance, typically situated in the DMZ, where devices can connect to the appropriate port for each feature, authenticate with a certificate issued from the Workspace ONE UEM Console, and connect to internal sites.
- The Cascade Mode option allows devices to authenticate to the front-end tunnel on the Unified Access Gateway appliance located in the DMZ, then connect to the back-end tunnel enabled on another Unified Access Gateway appliance over a single port and then access internal resources.
1. TLS Port Sharing
TLS port sharing is an important component on Unified Access Gateway that allows the use of a single port (443) for multiple edge services. It is enabled by default on Unified Access Gateway whenever multiple edge services are configured to use TCP port 443. Supported edge services are VMware Tunnel (Per-App Tunnel component only), Content Gateway, and Web reverse proxy.
When enabling the Per-App Tunnel and Content Gateway edge services with TLS Port Sharing, a TLS SNI rule is automatically created to forward incoming traffic on port 443 to the edge service port: 10443 for Content Gateway and 8443 for Per-App Tunnel, respectively. After that, the edge service communicates with the internal resource based on the original request. The Tunnel Proxy edge service does not use TLS port sharing and remains on port 2020.
Note: To enable port sharing on TCP port 443, ensure that each configured edge service has a unique external host name pointing to Unified Access Gateway. When port sharing is not enabled, each edge service is assigned to a different port and can use the same external name.
2. Basic Model
The Basic deployment model includes a single Unified Access Gateway appliance, which requires a public host name and a dedicated port for each component.
The default port for Tunnel Proxy is 2020 and the default port for Per-App Tunnel is 443. When TLS Port Sharing is disabled, the Per-App Tunnel default port is 8443.
These ports are secured with a Workspace ONE UEM-issued tunnel certificate, issued from the device root certificate in your Workspace ONE UEM environment or a public third-party SSL certificate.
Note: TLS Port Sharing is enabled by default in Unified Access Gateway 3.3 and later.
3. Cascade Model
The Cascade deployment model architecture includes two instances of Unified Access Gateway with VMware Tunnel enabled on each. In cascade mode, the front-end server resides in the DMZ and communicates to the back-end server in your internal network.
The flow is as follows:
- The Per-App Tunnel requests originate from port 443 when TLS Port Sharing is enabled on the front-end Unified Access Gateway.
- The internal Unified Access Gateway redirects the request to HAProxy, which redirects the request to VMware Tunnel edge service on port 8443.
- VMware Tunnel authenticates the device and forwards the request to the back-end tunnel, which redirects to the specific internal resource port.
- Tunnel Proxy requests go through port 2020 at the Tunnel Proxy front-end, which validates the device and forwards traffic to the back-end Tunnel Proxy through port 2010.
TLS Port Sharing does not apply to Tunnel Proxy.
The architectural diagram below shows an example environment which emulates a typical environment, including DMZ and internal networks.
In this example, external requests to the vApp are sent to the vPod Router, which directs those requests to the appropriate resource based on the incoming port. Ports 4000-6500 are reserved for the environment components so all traffic coming in on these ports is forwarded to your Unified Access Gateway appliance's appropriate edge service. In addition, ports 443 and 9443 are forwarded to the Unified Access Gateway appliance over the respective ports.
The vApp Networks (internal, DMZ, and transit) are created within the vApp. The internal and transit networks are NATed to the SE-UCS-Network for outbound internet connectivity while the DMZ network routes through the vPodRouter for inbound and outbound access. Note that the vPodRouter does not have a NIC on the Internal network and therefore cannot route external traffic to resources on the internal network.
Environment components shown in the diagram: vPod Router, ESXi01 6.5.0 U1, Control Center, and vCenter Server 6.5 U1 (deployed on ESXi01).
1. Architecture Overview Diagram
The following architectural diagram shows an example of two major networks that you can deploy your servers into. For this set of exercises, you deploy the Unified Access Gateway appliance on a DMZ and assign the respective NICs.
At the top of the diagram is vCenter Networking. At the bottom of the diagram is the vApp network required to support the environment. For these exercises, the focus is on the network hosted on the ESXi, and represented by the following three networks:
- VM Network & Management: Represents the dedicated network to access the Management Console
- Internal Network: Represents the internal network on the 172.16.0.x range. The Control Center, ESXi, and vCenter are part of the internal network.
- DMZ Network: Represents the DMZ network on 192.168.110.x, which is where the Unified Access Gateway appliance is to be deployed. The Unified Access Gateway Internet-facing NIC is associated to this network.
High-level Overview of Traffic Routing
The architectural diagram is based on two ports and two host names that route through the F5 load balancer. In this example, non-standard ports are used for these services in the 6000 - 6500 port range, due to F5 configuration for an internal network.
The next steps detail how the traffic is routed:
- The host names (pool##.airwlab.com) are CNAMEs that point to the external IP of the F5. When these host names are resolved, the requests are routed to the F5 to be inspected and forwarded to the internal networks.
- If the request includes only the host name (pool##.airwlab.com), the F5 uses the Hostname iRule. This Hostname iRule inspects inbound traffic to the F5 over port 443 (HTTPS). The traffic is decrypted using the *.airwlab.com SSL certificate and chain. The Hostname iRule then inspects the traffic, re-encrypts it using the SSL certificate and chain, and routes the inbound request to the appropriate destination server based on the host name of the request. This process is known as SSL Bridging, which is not supported by Per-App Tunnel.
- If the request includes the host name and port (pool##.airwlab.com:6000), the F5 uses the Port iRule. This Port iRule inspects inbound traffic to the F5 over non-443 ports. Unlike the Hostname iRule, the Port iRule parses the request for the port number and then routes the inbound request to the appropriate destination server based on the port of the request. This process does not involve decrypting or re-encrypting the traffic; it forwards the request to the desired destination. This process uses SSL Passthrough.
- From the F5 Hostname or Port iRules, the traffic is forwarded to the configured IP address.
- The vPodRouter is configured to forward Unified Access Gateway traffic to the 192.168.110.20 IP address over the DMZ Network.
- The Nested DMZ Network (192.168.110.0 on vmnic2) is provided by NIC 2 on the ESXi-01 Host (
- The request reaches the nested Unified Access Gateway appliance deployed on
Avoid SSL Bridging
In this example, non-443 ports are used for VMware Tunnel and Content Gateway to avoid decrypting and re-encrypting the traffic because this is not supported with Per-App Tunnel. In other scenarios, you would use the standard ports where possible. This exercise demonstrates that the ports for both services can be configured to work within the architecture.
2. Network Interfaces
Unified Access Gateway supports deployments with one, two, or three NICs. This means that the server can be partitioned to receive traffic on a single interface or to route traffic to different interfaces, based on the source of the request. Most often, if you need to implement multiple NICs, you already follow this standard with other web applications in your organization.
You must determine what is appropriate for your environment when selecting the number of NICs during installation. It is important for you to understand the expected behavior when two or three NICs are enabled.
To explore these options, see Deploying VMware Unified Access Gateway: VMware Workspace ONE Operational Tutorial.
3. General Considerations
In the exercises for deploying the Unified Access Gateway server through vSphere, the vCenter setup is hosted in a nested template. This is not usually the case when working with users in a live environment.
User environments can include multiple networks and can optionally have a Network Protocol Profile (NPP) that corresponds to each network connected to the Unified Access Gateway. Prior to version 3.3, an NPP was a requirement. Since version 3.3, an NPP is no longer required.
Note: Keep in mind that the Unified Access Gateway requires a netmask, default gateway, and subnet to be defined for each network enabled during deployment.
Before you can perform the steps in this exercise, you must install and configure the following components:
- VMware AirWatch 8.4 and later or VMware Workspace ONE UEM 9.5 and later
- VMware vSphere ESX host with a vCenter Server (vSphere 6® and later)
- vSphere data store and network to use
- PowerShell script running on Windows 8.1 or later machines, or Windows Server 2008 R2 or later
- Windows machine running the PowerShell script with the VMware OVF Tool command installed (see OVF Tool Software Download to install OVF Tool 4.3 or later)
- Unified Access Gateway PowerShell script, such as uagdeploy-VERSION.ZIP, available at my.vmware.com (after download, extract the files into a folder on your Windows machine)
- iPhone, iPad, and iPod Touch devices running iOS 9.0 and later
Ensure the following settings are enabled in the Workspace ONE UEM Console:
- Organization Group created and set as Customer Type
- Device Root Certificate issued
- REST API Key generated at the Organization Group where VMware Tunnel will be enabled
Logging In to the vSphere Web Client
To perform most of this exercise, you need to log in to the vSphere Web Client.
1. Launch Chrome Browser
Double-click the Google Chrome browser icon on the desktop.
2. Authenticate to the vSphere Web Client
- Launch the Chrome browser from your desktop and click the bookmark for vSphere.
- Enter the username, such as
- Enter the password, such as
- Click Login.
After completing the login, you are presented with the vSphere Web Client.
Logging In to the Workspace ONE UEM Console
To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.
1. Launch Chrome Browser
On your desktop, double-click the Google Chrome icon.
2. Authenticate to the Workspace ONE UEM Console
- Enter your Username, for example,
- Click Next. After you click Next, the Password text box is displayed.
- Enter your Password, for example,
- Click Login.
Note: If you see a Captcha, be aware that it is case sensitive.
Creating API Account and Setting Permissions
Unified Access Gateway requires access to the Workspace ONE UEM API Server to retrieve the VMware Tunnel configuration and configure the Tunnel Edge Service. Unified Access Gateway uses an API account configured during deployment; after that, the communication is certificate-based.
The API account does not require full administrator permissions; it requires only read access to the REST Enterprise Integration API.
Create API Role Permission
- Select Accounts.
- Navigate to Administrators > Roles.
- Click Add Role.
Set API Role Permission
- Enter Tunnel API Access for the Role Name.
- Enter Enterprise in the search box.
- Confirm that you can see REST Enterprise Integration and click Details.
- Select Read.
- Click Save.
A Role with permission to read the VMware Tunnel configuration has been created.
Create API Administrator Account
- Click Accounts.
- Navigate to Administrators > List View.
- Click Add.
- Select Add Admin.
Add API Admin
- Enter a Username, for example,
- Enter a Password, for example,
- Confirm the Password.
- Enter a First Name, for example,
- Enter a Last Name, for example,
- Enter your email for Email Address.
- Click Save.
- Select the Roles tab.
- Click Add Role.
- Enter the Organization Group name. Specify the organization group where VMware Tunnel will be configured.
- Enter the Role Access Name previously created. In this example, we used Tunnel API Access.
- Click Save.
An API account with minimum permission to obtain the VMware Tunnel configuration is ready to be used in the Unified Access Gateway configuration.
Enrolling an iOS Device
In this section, enroll your iOS device in Workspace ONE UEM by installing the Workspace ONE Intelligent Hub (formerly the AirWatch Agent). A Group ID is required to complete enrollment. See Retrieving Your Group ID from Workspace ONE UEM Console.
1. Download and Install Workspace ONE Intelligent Hub from App Store (IF NEEDED)
NOTE: Checked out devices will likely have the Workspace ONE Intelligent Hub already installed. You may skip this step if your device has the Workspace ONE Intelligent Hub installed.
At this point, if you are using your own iOS device or if the device you are using does not have the Workspace ONE Intelligent Hub Application installed, then install the application from the App Store.
To install the Workspace ONE Intelligent Hub application from the App Store, open the App Store application and download the free Workspace ONE Intelligent Hub application.
2. Launch the Workspace ONE Intelligent Hub
Launch the Hub app on the device.
NOTE: If you have your own iOS device and would like to test, you must download the Workspace ONE Intelligent Hub app first.
3. Enter the Server URL
- Enter the Server URL for your Workspace ONE UEM environment.
- Click Next.
Click the Server Details button.
4. Enter the Group ID for Workspace ONE Intelligent Hub
Return to the Workspace ONE Intelligent Hub application on your iOS device.
- Enter your Group ID for your Organization Group for the Group ID field. See Retrieving Your Group ID from Workspace ONE UEM Console.
- Tap the Next button.
NOTE: If on an iPhone, you may have to close the keyboard by clicking Done in order to click the Next button.
5. Enter User Credentials
You now provide user credentials to authenticate to Workspace ONE UEM.
- Enter testuser in the Username field.
- Enter VMware1! in the Password field.
- Tap the Next button.
6. Redirect to Safari and Enable MDM Enrollment in Settings
The Workspace ONE Intelligent Hub prompts you to enable Workspace Services to enroll your device into Workspace ONE UEM.
Tap Next to begin.
7. Allow Website to Open Settings (IF NEEDED)
If you are prompted to allow the website to open Settings, tap Allow.
NOTE: If you do not see this prompt, ignore this and continue to the next step. This prompt occurs only for iOS devices on iOS 10.3.3 or later.
8. Install the Workspace ONE MDM Profile
Tap Install in the upper-right corner of the Install Profile dialog box.
9. Install and Verify the Workspace ONE MDM Profile
Tap Install when prompted on the Install Profile dialog.
10. iOS MDM Profile Warning
You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.
Tap Install in the upper-right corner of the screen.
11. Trust the Remote Management Profile.
You should now see the iOS request to trust the source of the MDM profile.
Tap Trust when prompted at the Remote Management dialog.
12. iOS Profile Installation Complete
You should now see that the iOS Profile was successfully installed.
Tap Done in the upper-right corner of the prompt.
13. Workspace ONE UEM Enrollment Success
Your enrollment is now complete. Tap Open to navigate to the Workspace ONE Intelligent Hub.
14. Accept the Workspace ONE Intelligent Hub Notice
Tap Done to confirm the notice and continue.
15. Accept Notifications for Hub (IF NEEDED)
Tap Allow if you get a prompt to allow notifications for the Hub app.
16. Accept the App Installation (IF NEEDED)
You may be prompted to install a series of applications. If prompted, tap Install to accept the application installation.
18. Accept the Data Sharing Policy
Tap I Agree for the Data Sharing policy.
19. Confirm the Device Enrollment in the Hub App
Confirm that the Hub app shows the user account that you enrolled with.
You have now successfully enrolled your iOS device with Workspace ONE UEM. Continue to the next step.
Enabling VMware Tunnel in the Workspace ONE UEM Console
When the VMware Tunnel edge service is enabled on the Unified Access Gateway appliance, it retrieves the VMware Tunnel configuration from Workspace ONE UEM. Therefore, the VMware Tunnel must be configured first in the Workspace ONE UEM Console, prior to deployment of the Unified Access Gateway appliance.
This section helps you to configure VMware Tunnel in the Workspace ONE UEM Console.
1. Open All Settings
- Select Groups & Settings.
- Select Configurations.
- Enter Tunnel in the search field and press Enter.
- Select Tunnel on the result list.
2. Configure VMware Tunnel Settings
2.1. Configure Hostname and Port Details
- Enter the VMware Tunnel server host name for Hostname.
- Enter a Port number.
- Click Next.
2.2. Configure VMware Tunnel SSL Certificate
- Select Airwatch as the certificate.
If you want to use your own SSL Public Certificate, select Third Party and upload the certificate using the console.
2.3. Confirm VMware Tunnel Settings
Verify that the configuration summary is correct. Click Save to continue.
2.4. Download the Unified Access Gateway Appliance
After the configuration is saved, click Download Installer to download the Unified Access Gateway virtual appliance. Extract the ZIP file on the Windows machine where you will install Unified Access Gateway.
The next section helps you to deploy the Unified Access Gateway appliance OVF through PowerShell and configure VMware Tunnel edge services based on the settings configured in Workspace ONE UEM.
Preparing VMware Tunnel INI Settings for Deployment
This section covers the required INI settings to enable the VMware Tunnel edge service during the Unified Access Gateway appliance deployment. Ensure you are logged in to the machine where you will install Unified Access Gateway. Extract the contents of the Unified Access Gateway ZIP file on this machine.
1. Configure the General Deployment Settings
The INI file contains all the configuration settings required to deploy the Unified Access Gateway appliance.
This exercise uses the uag-Tunnel.ini file, which is configured for a Unified Access Gateway appliance called UAG-TUNNEL that has two NICs: NIC one is Internet-facing and NIC two is used for back-end and management traffic.
The INI file is located in the Unified Access Gateway installer ZIP package downloaded in the previous exercise.
2. Edit the INI File
Navigate to your Unified Access Gateway INI file. In this example, the INI file is located in
- Click the File Explorer icon from the task bar.
- Select Desktop.
- Select UAG Resources.
- Right-click the INI file, for example, uag-TUNNEL.ini.
- Select Edit with Notepad++.
3. General and Network Settings
In this example, the settings are already filled out. The General section includes details such as deployment location and network configuration for the Unified Access Gateway appliance.
The SSLCert and SSLCertAdmin sections contain SSL certificate location for the administrator and Internet interfaces.
4. Configure VMware Tunnel Settings
The AirWatch section contains the required parameters to enable the VMware Tunnel edge service on your Unified Access Gateway appliance.
- Enter the apiServerUsername, for example,
Note: This account requires only READ access to the REST API Enterprise integration; full Administrator permission is not required.
- Enter your Group ID for the Organization Group.
- Enter the apiServerUrl, for example,
- Enter the airwatchServerHostname, for example,
During the Unified Access Gateway deployment, the PowerShell script prompts you for the apiServerUsername password.
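The following Python pre-flight check is an added example, not part of the uagdeploy package or this tutorial: it embeds a constructed uag-Tunnel.ini with the sections named above and verifies that the [AirWatch] settings are present, that apiServerUrl uses HTTPS, that a two-NIC deployment names two distinct networks, and that no password has been written into the file (the script prompts for it, or takes it from -awAPIServerPwd). Key names not quoted on this page (the [General] and SSLCert keys, and organizationGroupCode for the Group ID) are my reading of the uagdeploy template and should be confirmed against the template shipped in your ZIP.

```python
import configparser
from typing import List
from urllib.parse import urlparse

# Constructed uag-Tunnel.ini in the shape the tutorial describes. All values
# are placeholders. Key names other than apiServerUsername, apiServerUrl,
# airwatchServerHostname and pemPrivKey are assumed from the uagdeploy
# template; verify them against the template in the uagdeploy ZIP.
SAMPLE_INI = """\
[General]
name=UAG-TUNNEL
source=C:\\UAG\\euc-unified-access-gateway-VERSION.ova
target=vi://uaguser@vcenter.example.com/DC/host/Cluster
ds=Datastore1
deploymentOption=twonic
netInternet=DMZ-Network
netManagementNetwork=Internal-Network
[SSLCert]
pemPrivKey=C:\\UAG\\certs\\internet-key.pem
[SSLCertAdmin]
pemPrivKey=C:\\UAG\\certs\\admin-key.pem
[AirWatch]
apiServerUrl=https://cn.example.com
apiServerUsername=tunnelapi
organizationGroupCode=GROUPID
airwatchServerHostname=tunnel.example.com
"""

# Keys that must be present and non-empty before running uagdeploy.ps1.
REQUIRED = {
    "General": ["name", "source", "target", "ds", "deploymentOption", "netInternet"],
    "SSLCert": ["pemPrivKey"],
    "SSLCertAdmin": ["pemPrivKey"],
    "AirWatch": ["apiServerUrl", "apiServerUsername",
                 "organizationGroupCode", "airwatchServerHostname"],
}


def preflight(ini_text: str) -> List[str]:
    """Return a list of findings; an empty list means the INI is ready."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(ini_text)
    findings: List[str] = []

    for section, keys in REQUIRED.items():
        if not cp.has_section(section):
            findings.append(f"missing section [{section}]")
            continue
        for key in keys:
            if not cp.get(section, key, fallback="").strip():
                findings.append(f"[{section}] {key} is missing or empty")

    # Passwords are supplied at deploy time (prompt or -awAPIServerPwd), so a
    # password-like key in the INI is a secret sitting on disk for no reason.
    for section in cp.sections():
        for key in cp[section]:
            if "pwd" in key.lower() or "password" in key.lower():
                findings.append(f"[{section}] {key}: passwords belong to the "
                                "deploy prompt, not the INI file")

    if cp.has_section("AirWatch"):
        url = cp.get("AirWatch", "apiServerUrl", fallback="")
        if url and urlparse(url).scheme != "https":
            findings.append("[AirWatch] apiServerUrl must use https")

    if cp.has_section("General"):
        g = cp["General"]
        if g.get("deploymentOption", "") == "twonic":
            mgmt = g.get("netManagementNetwork", "").strip()
            if not mgmt:
                findings.append("[General] twonic deployment needs netManagementNetwork")
            elif mgmt == g.get("netInternet", "").strip():
                findings.append("[General] netInternet and netManagementNetwork "
                                "are the same network")
    return findings
```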
Deploying Unified Access Gateway Appliance
After you have configured the INI file for your Unified Access Gateway deployment, the next step is to run the PowerShell script passing the INI as a parameter.
1. Open PowerShell
Click the PowerShell icon.
2. Deploy Unified Access Gateway Using PowerShell
After you run the script, it prompts for input.
- Navigate to the folder containing your INI file. For example, enter cd '.\Desktop\UAG Resources' and then press Enter.
- Enter the following command line, replace the INI filename with the one you have used.
.\uagdeploy.ps1 .\uag-tunnel.ini -rootPwd VMware1! -adminPwd VMware1! -disableVerification false -noSSLVerify false -ceipEnabled yes -awAPIServerPwd <password>
- -rootPwd - sets the root password for the Unified Access Gateway appliance.
- -adminPwd - sets the admin password for the REST API management access.
- -disableVerification - controls validation of the OVF signature and certificate (false in this example, so validation is performed).
- -noSSLVerify - controls SSL verification for the vSphere connection (false in this example, so verification is performed).
- -ceipEnabled - joins the VMware Customer Experience Improvement Program ("CEIP").
- -awAPIServerPwd - API password for the API user configured under the AirWatch section of the INI file.
Note: You might be prompted to enter the password for the certificates defined in the SSLCert and SSLCertAdmin settings. Certificates can be passed in PEM format using the pemPrivKey setting in the SSLCert and SSLCertAdmin sections of the INI file.
If the -awAPIServerPwd value is incorrect, you are prompted to enter the correct password for the UEM API account.
The deployment starts and you can follow the progress on the same window or on your vSphere Web Client, which you opened at the beginning of this tutorial.
Note: VMware Tunnel can also be configured in the INI file using an [AirwatchTunnelGateway] section with the same settings. When you use that section, pass the API password with -awAPITunnelGatewayAPIServerPwd instead of -awAPIServerPwd.
3. Confirm the PowerShell Script Deployment Completes
- Confirm that the deployment completed successfully: the text Completed successfully is shown in the output.
- Click Close.
- After a successful deployment, the script automatically powers on the VM UAG-2NIC-TUNNEL.
The Received IP address presented by the script log is a temporary IP; the final IPs for NIC one and NIC two are assigned to the Unified Access Gateway appliance during the first start. Return to the vSphere Web Client and validate the IP address in the next step.
4. Validate Unified Access Gateway Deployment
- Click VM and Templates.
- Click your VM, for example, UAG-2NIC.
- Click View all 2 IP addresses.
Important: If the Unified Access Gateway appliance does not finalize the configuration during the first startup, you receive an error message from vSphere Web Client. If that happens, wait for the appliance to finalize, and refresh the entire Google Chrome browser.
Validating VMware Tunnel Settings on the Unified Access Gateway Appliance
The VMware Tunnel is now enabled and running based on the INI settings that you provided during the Unified Access Gateway deployment.
As an alternative to deploying the VMware Tunnel using PowerShell, you can use the Unified Access Gateway administration console, which allows you to enable or change the current VMware Tunnel settings.
This section helps you to validate the VMware Tunnel settings using the Unified Access Gateway administration console.
1. Log In to the Unified Access Gateway Administration Console
- Click the New Tab button to open a new tab.
- Navigate to the Unified Access Gateway administration console URL, for example,
- Enter the username, for example,
- Enter the password, for example,
- Click Login.
2. Validate Configuration Settings
A successful login redirects you to the following screen. Keep this window open as you will return to the administration console later.
Click Select to configure settings manually.
3. Access the VMware Tunnel Settings
- Click SHOW (after you click it, the button changes to HIDE).
- Click the gear icon next to VMware Tunnel Settings. The circle should be green, which means the Unified Access Gateway appliance and Workspace ONE UEM Console can communicate.
4. Validate the VMware Tunnel Settings on Unified Access Gateway
The VMware Tunnel edge service is enabled based on the configuration defined in the INI file.
You can change the configuration any time, or choose not to configure settings in the INI file and later enable the settings through the Unified Access Gateway administration console.
Each time you change the configuration and Save, the changes are applied to the configuration files and the VMware Tunnel edge service restarts automatically. Devices cannot communicate with the service during the restart.
Configuring Network Traffic Rules for Per-App Tunnel
From the Workspace ONE UEM Console, you can define network traffic rules to granularly control how the VMware Tunnel and Workspace ONE Tunnel app direct traffic from devices.
The configuration in this exercise applies to the Per-App Tunnel component. Device traffic rules control how devices handle traffic from specified applications and server traffic rules manage network traffic when you have third-party proxies configured.
Device traffic rules force the Workspace ONE Tunnel application to:
- Send traffic through the tunnel
- Block all traffic to specified domains
- Bypass the internal network straight to the Internet
- Send traffic to an HTTPS proxy site
The device traffic rules are created and ranked to give an order of execution. Every time a specified application is opened, the Workspace ONE Tunnel application checks the list of rules to determine which rule applies to the situation. If no set rules match, Workspace ONE Tunnel applies the default action. The default action—set for all applications except Safari—applies to domains not mentioned in a rule. If no rules are specified, the default action applies to all domains. The created device traffic rules apply to all VPN VMware Tunnel profiles in the organization group that the rules are created in.
Server traffic rules enable you to manage the network traffic when you have third-party proxies configured in your network. These rules apply to traffic originating from the VMware Tunnel. The rules force the VMware Tunnel to send traffic to specific destinations either through the proxy or to bypass it.
1. Navigate to All Settings
- Select Groups & Settings.
- Select Configurations.
- Enter Tunnel in the search field and press Enter.
- Select Tunnel on the result list.
2. Edit Device Traffic Rules Set
- Click Edit.
- Click Default assignment.
3. Define Device Traffic Rules
In this step, you create a specific rule that is applied only to Safari; any requests to *.corp.local are routed through the VMware Tunnel. All other requests are not routed through VMware Tunnel.
- Click Add Rule.
- Select Safari-iOS.
- Enter a Destination Hostname, for example,
- Click Save & Publish and then OK on the next dialog to confirm.
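As an added example (not Workspace ONE code and not from this tutorial), the following Python models how the Workspace ONE Tunnel client evaluates the ranked device traffic rules described above, including the Safari-only rule for *.corp.local just created; the wildcard semantics, the app identifier strings and the BYPASS default are assumptions made for the sample.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import FrozenSet, List, Optional, Tuple

# The four actions a device traffic rule can force (from the tutorial).
TUNNEL, BLOCK, BYPASS, PROXY = "TUNNEL", "BLOCK", "BYPASS", "PROXY"
SAFARI = "Safari-iOS"  # app identifier as shown in the console (assumed string)


@dataclass(frozen=True)
class DeviceTrafficRule:
    rank: int                      # lower rank is evaluated first
    apps: FrozenSet[str]           # applications the rule applies to
    destinations: Tuple[str, ...]  # destination host name patterns
    action: str                    # one of TUNNEL, BLOCK, BYPASS, PROXY
    proxy: Optional[str] = None    # proxy host:port, only for PROXY


# Constructed rule set matching step 3: only Safari, only *.corp.local, tunnel.
PAGE_RULES: List[DeviceTrafficRule] = [
    DeviceTrafficRule(1, frozenset({SAFARI}), ("*.corp.local",), TUNNEL),
]


def host_matches(pattern: str, host: str) -> bool:
    """Case-insensitive wildcard match. Assumption: '*.corp.local' matches any
    subdomain of corp.local but not the bare 'corp.local' (fnmatch semantics)."""
    return fnmatchcase(host.lower(), pattern.lower())


def decide(app: str, host: str, rules: List[DeviceTrafficRule],
           default_action: str) -> str:
    """Return the action for a request from `app` to `host`.

    Rules are checked in rank order and the first match wins. If nothing
    matches, the default action applies, except for Safari: the tutorial notes
    the default action is set for all applications except Safari, so Safari
    traffic outside every rule goes direct to the Internet (BYPASS).
    """
    for rule in sorted(rules, key=lambda r: r.rank):
        if app in rule.apps and any(host_matches(p, host) for p in rule.destinations):
            if rule.action == PROXY:
                return f"{PROXY}:{rule.proxy}"
            return rule.action
    return BYPASS if app == SAFARI else default_action
```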
Configuring VPN Profile and Workspace ONE Tunnel Client
To provide Per-App VPN capability on the devices, you must send a VPN profile and Workspace ONE Tunnel client to the devices.
1. Configure Device Profile
This exercise helps you to create and push the VPN Profile to the device.
1.1. Add Device Profile
- Select Devices.
- Select Profiles & Resources.
- Select Profiles.
- Click Add, then click Add Profile.
1.3. Configure General Profile Settings
- Enter a Name, for example,
- Select an Assigned Group, for example,
- Select the VPN payload and click Configure.
2. Configure Workspace ONE Tunnel Client Application for Deployment
To configure the Workspace ONE Tunnel client application for deployment to your device through Workspace ONE UEM, follow the chapter Distributing Workspace ONE Tunnel for iOS in the Deploying VMware Workspace ONE Tunnel: Workspace ONE Operational Tutorial.
3. Configure Google Chrome Application for Deployment
Repeat the steps in this exercise, this time for the Google Chrome application.
Google Chrome is used later in this exercise to confirm that Safari is the only browser authorized to access internal websites.
Validating VMware Tunnel Implementation for Per-App VPN
After enrollment is complete, ensure that the Workspace ONE Tunnel and Google Chrome applications are installed on your iOS device.
1. Launch and Enable the Workspace ONE Tunnel Client
On your iOS device, tap Tunnel to start the Workspace ONE Tunnel client.
1.1. Start Workspace ONE Tunnel For the First Time
This step enables the newly-installed Workspace ONE Tunnel client to initiate a VPN connection automatically on behalf of the user whenever an enabled application is launched. You perform this step only once.
Tap Continue to enable the Workspace ONE Tunnel application as a VPN client on the device.
2. Open Safari Browser
Tap Safari Browser.
3. Access Public Website from Safari
Navigate to a public website such as the VMware website. The page loads and no VPN connection is initiated, because no device traffic rule matches the destination and Safari goes direct for domains that are not named in a rule.
4. Access Intranet Website with Safari Browser
- Navigate to an internal website, for example,
- You should see the VPN icon in the status bar, indicating that the Per-App VPN connection is active. The Workspace ONE Tunnel client matched the Safari rule for *.corp.local that you created in Define Device Traffic Rules.
- The website should load successfully.
5. Attempt to Access Intranet Website From Google Chrome
Next, verify that you cannot access the intranet from other browsers, even though the VPN connection is active for Safari.
5.1. Open Google Chrome browser
Tap Google Chrome.
5.2. Navigate to the Intranet Website
- Navigate to an internal website, for example,
- Note that the VPN icon does not appear: no tunnel is established for Google Chrome.
- You should see an error message stating This site can't be reached.
The website's hostname is published only in internal DNS, so it resolves only when the request travels through the VPN tunnel. It does not load in Google Chrome because the device traffic rule you configured allows the internal domain only through Safari; Chrome's request goes directly to the internet, where the name does not resolve. Safari initiates the Per-App VPN tunnel only for the domains listed in the device traffic rules.
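The following Python model is an added illustration for this tutorial, not VMware code. It mirrors the rule semantics described in Define Device Traffic Rules (ranked rules, first match wins, a default action that does not cover Safari) and reproduces the Safari and Google Chrome outcomes observed in the validation steps above, where an internal name resolves only over the tunnel. The rule set, the Chrome application identifier, the internal DNS zone and the anchored `*` wildcard handling are assumptions made for the example; it also goes one step beyond the tutorial with two overlapping rules to show that rank, not list order, decides the winner.

```python
"""Model of how the Workspace ONE Tunnel client applies device traffic rules.

Added example for the tutorial, not VMware code. Rule set, app identifiers,
DNS zone and wildcard semantics are constructed assumptions.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# The three actions offered for a device traffic rule in the UEM console.
TUNNEL, BYPASS, BLOCK = "Tunnel", "Bypass", "Block"

SAFARI = "Safari-iOS"              # as listed in the UEM rule editor
CHROME = "com.google.chrome.ios"   # constructed identifier for Google Chrome


@dataclass(frozen=True)
class Rule:
    rank: int            # lower rank is evaluated first
    apps: frozenset      # applications the rule covers
    destinations: tuple  # hostname patterns; '*' wildcards allowed
    action: str


def host_matches(pattern: str, host: str) -> bool:
    """Anchored, case-insensitive wildcard match (assumed semantics).

    '*.corp.local' matches 'intranet.corp.local' but neither 'corp.local'
    nor 'intranet.corp.local.evil.example': the whole name must match.
    """
    return fnmatchcase(host.lower(), pattern.lower())


def evaluate(rules, app: str, host: str, default_action: str = BYPASS) -> str:
    """Action for one request: first matching rule by rank, else the default."""
    for rule in sorted(rules, key=lambda r: r.rank):
        if app in rule.apps and any(host_matches(p, host) for p in rule.destinations):
            return rule.action
    if app == SAFARI:
        # Safari is excluded from the default action: it tunnels only the
        # domains named in an explicit rule and goes direct for everything else.
        return BYPASS
    return default_action


def page_loads(rules, app: str, host: str, internal_zones=("corp.local",)) -> bool:
    """Does the request succeed? Internal names resolve only over the tunnel."""
    action = evaluate(rules, app, host)
    if action == BLOCK:
        return False
    internal = any(host == z or host.endswith("." + z) for z in internal_zones)
    return action == TUNNEL or not internal  # Bypass works for public hosts only


# The single rule created in the tutorial: Safari only, *.corp.local via the tunnel.
TUTORIAL_RULES = (Rule(1, frozenset({SAFARI}), ("*.corp.local",), TUNNEL),)

# Beyond the tutorial: overlapping rules listed out of order; rank decides.
RANKED_RULES = (
    Rule(2, frozenset({SAFARI}), ("*.corp.local",), TUNNEL),
    Rule(1, frozenset({SAFARI}), ("hr.corp.local",), BLOCK),
)

if __name__ == "__main__":
    for app, host in [(SAFARI, "www.vmware.com"), (SAFARI, "intranet.corp.local"),
                      (CHROME, "intranet.corp.local")]:
        print(f"{app:24} {host:22} {evaluate(TUTORIAL_RULES, app, host):7} "
              f"loads={page_loads(TUTORIAL_RULES, app, host)}")
```

Running the script prints one line per request: Safari to the public site bypasses the tunnel and loads, Safari to the intranet host tunnels and loads, and Chrome to the same intranet host bypasses the tunnel and fails, which is the "This site can't be reached" result from step 5. Changing `default_action` to `TUNNEL` would route Chrome's traffic through the tunnel but still leaves Safari's unmatched domains going direct.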
Summary and Additional Resources
This operational tutorial provided steps to configure the VMware Tunnel edge service for Unified Access Gateway in a Workspace ONE UEM environment.
The following procedures were included:
- Configure VMware Tunnel in the Workspace ONE UEM Console
- Deploy Unified Access Gateway enabling VMware Tunnel edge services through PowerShell
- Define network traffic rules for Per-App Tunnel
- Configure the VPN profile and deploy the Workspace ONE Tunnel client
- Validate access to internal websites based on device traffic rules
For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.
Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.
The following updates were made to this guide:

| Date | Description |
|---|---|
| 2021/09/16 | Updated the following sections: |
| 2021/07/15 | Updated Tunnel configuration steps on Workspace ONE UEM and deployment steps of Workspace ONE Tunnel for iOS |
| 2020/10/06 | Added the chapter Creating API Account and Setting Permissions, which describes the specific permissions required by the API account used to configure the Tunnel Edge Service on Unified Access Gateway. |
About the Author
This tutorial was written by:
- Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.
Your feedback is valuable.
To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at email@example.com.