Introduction

We live in a world of connected devices and cloud-based software-defined data centers (SDDC). Every day more corporations look to migrate heavy on-premise deployments to cloud-based models. Security is a core requirement for a successful cloud-based deployment and for its ongoing management.

Software-defined networking with VMware NSX removes the burden of heavy investment in physical hardware and provides dynamic, instant configuration changes without ever needing to physically touch the network.

The NSX firewall sits between the running virtual machine and the network, so it can prevent a connection from ever reaching or leaving the virtual machine. The firewall is bi-directional and can therefore be configured for both ingress and egress connectivity.

By extending the power of VMware NSX to your AirWatch deployment, you can control end-to-end communication and security from the device to your internal resources.

1. Different types of VPN Connections

Before we get started with the lab, let us review the differences among the types of VPN connections that can be used in a corporate infrastructure.

1.1. Traditional VPN Connections

Traditional VPN Connections

Traditional VPN connections permit access to an entire subnet such as the DMZ. This is an insecure approach to external communication, since any connection can effectively reach any server or device inside the DMZ or subnet.


1.2. Per App VPN Connections

Per App VPN Connections

Per App VPN connections reduce connectivity by limiting the inbound connection to a single application. This is a more secure approach than a device-wide VPN; however, the Per-App VPN still grants the application the ability to connect to other endpoints on the terminating subnet.


1.3. Per App VPN with Micro Segmentation

Per App VPN with Micro Segmentation

Per App VPN connections with NSX micro-segmentation prevent the Per-App VPN application from connecting to any other host or device on the terminating subnet. This restricts the VPN communication to a single host or device, removing the risk of “hopping” or “traversing” to other hosts or devices on the corporate network.

In highly regulated and security-focused organizations, this model supports demonstrating that every effort has been made to “lock down” access to corporate resources from third-party networks.


2. Prerequisites

To deploy AirWatch with VMware NSX integration successfully, the following prerequisites must be met:

  1. AirWatch Console v8.3+
  2. AirWatch Tunnel Server v2.0+ – Linux server; the appliance is not currently supported
  3. AirWatch Cloud Connector – required for SaaS customers
  4. VMware Tools installed on the virtual machines to permit access
  5. ESXi 6+
  6. vCenter 6+
  7. VMware NSX for vSphere 6.1+
  8. NSX Manager integrated with vCenter