Configuring Workspace ONE Tunnel

Introduction

Leveraging Per-App VPN allows you to control which applications on a device have access to your VPN by automatically enabling or disabling VPN access based on which applications are active. You no longer need to provide a device-wide VPN on your devices, which can allow unintended or unauthorized apps or processes to access your VPN. In this tutorial, you explore how to configure and deploy Workspace ONE Tunnel to enable per-app VPN on an enrolled device.

These exercises involve the following components:

  • VMware Tunnel Client - The app used to securely connect to the VMware tunnel server (host) to provide Per-App VPN functionality
  • Tunnel Server (Host) - The physical or virtual server (Linux, Windows, UAG) where the Tunnel service is installed, and to which the Tunnel Client connects
  • Per-App Tunnel - The service that connects applications to a secure tunnel channel (VPN) on a per-application basis, controlled and configured by the Per-App VPN profile
  • Per-App Tunnel Profiles - The Workspace ONE UEM profile that is pushed to the device that contains the Per-App VPN configurations that the VMware Tunnel Client reads for Per-App VPN

Prerequisites

Before you can perform the procedures in this exercise, you must complete the following tutorials:

In addition, you need to create a VPN Tunnel. For information on setting up a VPN Tunnel, see Configuring VMware Tunnel Edge Services on Unified Access Gateway.

This exercise requires a user to enroll their device into Workspace ONE UEM. Note the user account information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.

User Account Information   | Examples of User Account Information
---------------------------|-------------------------------------
User name                  | testuser
Password                   | VMware1!
Email                      | testuser@company.com
Group ID                   | ginad
Server                     | hol.awmdm.com


Logging In to the Workspace ONE UEM Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Authenticate to the Workspace ONE UEM Console

  1. Enter your Username. This is the name provided in the activation email.
  2. Enter your Password. This is the password provided in the activation email.
  3. Click the Login button.

Note: If you see a Captcha, be aware that it is case sensitive.

Creating Per-App VPN Profile

For iOS 7 and higher devices and Android Enterprise devices, you can force selected applications to connect through your corporate VPN. Your VPN provider must support this feature, and you must publish the applications as managed applications.

In this exercise, you configure the iOS profile to be delivered to the device to configure the VMware Tunnel Client on the device to allow only designated applications to access content on internal servers.

1. Add a New Profile

  1. Click Add.
  2. Click Profile.

2. Select the OS for the Profile

Click Apple iOS.

3. Configure the General Properties of the Profile

  1. Enter a name for the profile, such as Per-App VPN in this example.
  2. Click the Assigned Smart Group field and select your device's assignment group. For example, select All Devices (your@email.shown.here).

4. Add a VPN Payload

  1. Click VPN from the Payload menu.
  2. Click CONFIGURE to access the VPN payload settings.

5. Configure the VPN Payload

  1. Select VMware Tunnel from the Connection Type drop-down menu.
  2. Check the Enable VMware Tunnel box.
  3. Click SAVE & PUBLISH.

6. Publish the VPN Profile

Click PUBLISH.

Publishing VMware Tunnel as a Public App

In this exercise, you create a Per-App VPN profile and deploy an application configured to use the VPN Tunnel on iOS.

Note: A VPN Tunnel must be set up before you begin adding it as a public application. For information on setting up a VPN Tunnel, see Configuring VMware Tunnel Edge Services on Unified Access Gateway.

1. Add VMware Tunnel as a Public App

  1. Click Add.
  2. Click Public Application.

2. Search the App Store for VMware Tunnel

  1. Select Apple iOS for the Platform.
  2. Enter the Name. In this example, VMware Tunnel is the name.
  3. Click NEXT.

3. Select the VMware Tunnel Result

Click SELECT for the VMware Tunnel result.

4. Save and Assign VMware Tunnel

Click SAVE & ASSIGN.

5. Add Assignment for VMware Tunnel

Click Add Assignment.

6. Configure VMware Tunnel Assignment Settings

  1. Click the Selected Assignment Groups field to display the list of created Assignment Groups. Start typing All Devices, and select the All Devices (your@email.shown.here) group.
  2. Select Auto for the App Delivery Method.

7. Configure Policies for VMware Tunnel

  1. Scroll down to find the Policies section.
  2. Select ENABLED for Remove On Unenroll.
  3. Click ADD.

8. Confirm Assignment and Save

  1. Verify that the assignment you created is displayed.
  2. Click SAVE & PUBLISH.

9. Preview Assigned Devices and Publish

Click PUBLISH.

Configuring Workspace ONE Web for Per-App VPN

Now that the VMware Tunnel client is assigned to the appropriate group, this section walks you through the process of adding an application that is enabled to use the Per-App Tunnel. After enabling the setting that allows an application to use VPN, you must select the VPN profile that the app should use. This requires that any application you want to use Per-App VPN is pushed to the device from the Workspace ONE UEM Console as a managed app. There is one exception to this: the Safari application on iOS. This is covered in detail in a later exercise of this section.

This step walks you through the process of adding an application from the Public App store to be associated to the VPN profile you created.

1. Add Workspace ONE Web as a Public App

  1. Click Add.
  2. Click Public Application.

1.1. Search for the Application to Add

  1. Select Apple iOS from the Platform drop-down menu.
  2. Enter a name in the Name field, such as Workspace ONE Web as in this example.
  3. Click Next.

1.2. Select the Application From the Search Results

Click Select on the Workspace ONE Web application.

1.3. Save and Assign Workspace ONE Web

Click SAVE & ASSIGN.

1.4. Add Assignment for Workspace ONE Web

Click ADD ASSIGNMENT.

1.5. Configure Workspace ONE Web Assignment Settings

  1. Click the Selected Assignment Groups field. This displays the list of created Assignment Groups. Start typing All Devices and select the All Devices (your@email.shown.here) group.
  2. Select AUTO for the App Delivery Method.

1.6. Configure Policies for Workspace ONE Web

  1. Scroll down to find the Policies section.
  2. Select ENABLED for Remove On Unenroll.
  3. Select ENABLED for App Tunneling.
  4. Select the profile named Per-App VPN that you created earlier.
  5. Click ADD.

1.7. Confirm Assignment and Save

  1. Confirm that the Assignment you just configured is displayed.
  2. Click SAVE & PUBLISH.

1.8. Preview Assigned Devices and Publish

Click PUBLISH.

Testing Per App VPN

Now that the device is enrolled and has received the settings configured in the Workspace ONE UEM Console, you are ready to begin testing the Per-App VPN functionality.

1. Testing Per App VPN on iOS

The applications assigned in the previous exercises should push down during enrollment. The VMware Tunnel and Workspace ONE Web applications should be installed on your device.

2. Launch the Workspace ONE Web

Press the Home button on your device to return to the Launchpad. Swipe right to see the downloaded applications, if needed.

Tap the Workspace ONE Web icon to launch the application. If prompted, select OK to allow Workspace ONE Web to send push notifications to your device.

2.1. Accept the Privacy Prompt

Tap I understand to accept the Privacy prompt.

2.2. Agree to the Data Sharing Prompt

Tap I agree to accept the Data Sharing Prompt.

3. Access the Internal Website with Workspace ONE Web

  1. When the application launches, enter the URL for your intranet website, such as https://internal.airwlab.com.
  2. Note how the VPN icon appears, indicating the connection is active. The application now connects to Workspace ONE UEM and retrieves the settings for your Organization Group.
  3. Note how the website loads and displays a Welcome message.

4. Attempt to Access the Website From Safari

This step verifies that, although the VPN connection is active, other applications on the device are not able to access the Tunnel or internal resources.

4.1. Select the URL from the Workspace ONE Web

  1. Press & hold the Navigation Bar in Workspace ONE Web.
  2. Choose Select All to highlight the URL for the internal site.

4.2. Copy the URL from the Workspace ONE Web

Select Copy.

4.3. Open Safari

Return to the Launchpad by pressing the Home button on your device. Open Safari by selecting the icon from the Launcher.

4.4. Paste the URL Into the Safari Browser

  1. Open a new tab by selecting the + sign on the navigation bar.
  2. Select the entry box on the navigation bar.
  3. Press & hold for a count of two then release on the entry box and select Paste.
  4. Select Go on the keyboard.

Note: The website does not load in the Safari browser due to DNS failure. The website is published to an internal DNS that can only be accessed when the VPN connection is being used. Although the VPN connection might remain active (look for the VPN icon in the status bar), Safari is not designated as an application that is allowed to use the Per-App VPN Tunnel. You may have multiple VPN configurations and multiple apps assigned for each VPN. Most Public applications (apps using Cocoa framework) are compatible with per-app VPN on iOS.

Configuring Safari Domain Profiles

In this exercise, you update the Per-App VPN profile and deploy an application configured to use the VPN Tunnel on iOS.

1. Update the Per-App VPN Profile

Proceed to update the iOS profile created earlier to include Safari domains.

Return to the Workspace ONE UEM Console.

  1. Click Devices.
  2. Click Profiles & Resources.
  3. Click Profiles.
  4. Select the edit icon next to the Per-App VPN profile.

2. Add Version to Update the Existing Profile

  1. Click ADD VERSION to allow editing.
  2. Select the VPN payload on the left hand side.

3. Configure Safari Domains

  1. In the Safari Domains field, enter the domain for your intranet website, such as airwlab.com.
    Note: The syntax for Safari Domains does not require a wildcard character. Enter only the domain hostname to whitelist the entire domain to initiate VPN in Safari.
  2. Click SAVE & PUBLISH.

4. Publish the Updated VPN Profile

Click PUBLISH.

Testing Safari Domains with Per-App Tunnel

Now that the VPN profile is updated to include the domain tested in the first example in the Safari Domains list, you can confirm these settings have updated on the device and test in the native Safari application.

1. Confirm the VPN Configuration Has Updated

Verify that the VPN configuration has successfully updated on your device.

1.1. Open Device Settings

Tap Settings.

1.2. Open VPN Settings

  1. Tap General.
  2. Scroll down to find the VPN section.
  3. Tap VPN.

1.3. Select Your VPN Configuration

Tap VPN Configuration #XXXXXX from your Per-App VPN profile.

1.4. View Included Per-App VPN Apps

Note: All managed applications from the Workspace ONE UEM Console that are enabled to use Per-App VPN and domains listed in Safari Domains in the VPN profile appear in this list.

Whitelisting a domain in the Safari Domains list initiates a VPN connection on demand whenever the user browses to a site within this domain.

Note: Wildcards are not required when whitelisting a Safari Domain. The entire domain is automatically whitelisted for VPN On Demand when added to VPN profile.
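The access decisions exercised in the two Safari tests above (Workspace ONE Web reaching the internal site, Safari failing until its domain is listed) as an added Python model; this is example code, not Workspace ONE or Apple code. The Workspace ONE Web bundle id is a placeholder, and the rule that a listed domain also covers its subdomains on a label boundary is an assumption consistent with the notes on this page.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SAFARI_BUNDLE_ID = "com.apple.mobilesafari"            # iOS Safari
WEB_BUNDLE_ID = "com.example.workspace-one-web"        # placeholder, not the real id


@dataclass
class PerAppVpnProfile:
    """Hypothetical model of the VPN payload pushed by the Per-App VPN profile."""
    tunnel_apps: set = field(default_factory=set)      # managed apps with App Tunneling ENABLED
    safari_domains: list = field(default_factory=list)  # entries in the Safari Domains field


def normalize_safari_domain(entry: str) -> str:
    """No wildcard is needed (see the note above): a leading '*.' is dropped and the
    bare domain kept. Any other wildcard or an empty entry is rejected."""
    domain = entry.strip().lower().rstrip(".")
    if domain.startswith("*."):
        domain = domain[2:]
    if "*" in domain or not domain:
        raise ValueError(f"invalid Safari Domain entry: {entry!r}")
    return domain


def host_in_domain(host: str, domain: str) -> bool:
    """Assumed matching rule: host equals the domain or is a subdomain of it,
    on a label boundary, so 'notairwlab.com' does not match 'airwlab.com'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def uses_tunnel(profile: PerAppVpnProfile, bundle_id: str, url: str) -> bool:
    """Decide whether a request from the given app is routed through the Per-App Tunnel."""
    if bundle_id in profile.tunnel_apps:
        return True                                    # managed app, App Tunneling enabled
    if bundle_id == SAFARI_BUNDLE_ID:                  # Safari: only listed domains trigger VPN
        host = urlsplit(url).hostname or ""
        return any(host_in_domain(host, normalize_safari_domain(d))
                   for d in profile.safari_domains)
    return False                                       # every other app stays off the tunnel


def walkthrough() -> dict:
    """Replay the page's scenarios: before and after adding airwlab.com to Safari Domains."""
    profile = PerAppVpnProfile(tunnel_apps={WEB_BUNDLE_ID})
    url = "https://internal.airwlab.com"               # constructed sample URL from the page
    before = uses_tunnel(profile, SAFARI_BUNDLE_ID, url)
    profile.safari_domains.append("airwlab.com")
    after = uses_tunnel(profile, SAFARI_BUNDLE_ID, url)
    return {"web": uses_tunnel(profile, WEB_BUNDLE_ID, url), "safari_before": before, "safari_after": after}
```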

2. Attempt to Access the Website From Safari

Now verify that browsing to a site in the domain added to the Safari Domains list does initiate a VPN connection.

2.1. Open Safari

Return to the Launchpad by pressing the Home button on your device. Open Safari by selecting the icon from the Launcher. The VPN icon should not be displayed in the toolbar.

2.2. Browse to the Internal Webpage

Browse to http://internal.airwlab.com

Notice that the website now loads in the Safari browser after the VPN profile is updated to include your intranet website in the Safari Domains list, whitelisting the domain for Per App VPN. The website is published to an internal DNS that can only be accessed when the VPN connection is being used.

Conclusion

This series of exercises describes how to leverage native Per-App VPN capabilities by publishing Per-App VPN profiles to your devices to ensure that only authorized apps access your VPN. Users no longer need to manually start and end VPN connections based on which apps they are using. It also provides an extra layer of security for your corporate resources by ensuring that unauthorized apps are unable to connect to your VPN.