Lab Architecture

This lab recreates a very basic scenario of micro-segmentation where you are allowing access to an internal web server endpoint for an app while blocking the other web server endpoint for the same app. We have defined Security Groups that contain virtual machines. These Security Groups will permit access to one or more virtual machines based on a series of rules.

Note: Please refer to NSX documentation for more details on Security Groups.

1. Network Addressing and Routing

Network Addressing and Routing

Note: This section assumes that you have a good understanding of IP sets and Security Groups from NSX. Please refer to NSX documentation for more details on IP sets and Security Groups.

AirWatch integrates with NSX by mapping security groups containing IP sets to mobile applications in AirWatch. For this integration, each security group must have an IP Set. When the vpnd service (responsible for per-app VPN) starts on the AirWatch Tunnel it creates an IP alias for each of the IP networks assigned to AirWatch. The IP alias interfaces are then used to to communicate with the network endpoints based on the assigned NSX Security Group for the application.

  1. The AirWatch tunnel mediates the connection from the device to the designated endpoint. When a managed app on the enrolled device makes connection via per-app tunnel, it is assigned an IP addresses belonging to the IP Sets defined in the diagram.
  2. Each of our applications (Firefox and Dolphin browser) require a separate range to communicate. In our lab scenario, Dolphin Browser communicates on the range: 10.10.20.x/254 (belonging to IP_SET1). This interface is tied to Edge Services Gateway on
  3. Similarly, Firefox Browser communicates on the range: 10.10.30.x/254 (belonging to IP_SET2). This interface it tied to Edge Services Gateway on
  4. We have our Web-01 setup on a different network with IP address This interface is tied to Edge Services Gateway on
  5. Similarly, we have our Web-02 setup on a different network with IP address This interface is tied to Edge Services Gateway on

With the above architecture, we have NSX Edge Gateway firewall routing traffic the following way:

  1. SG_IP1 (corresponding to IP_SET1) > SG_Web01 (corresponding to Web-01 server).
  2. SG_IP2 (corresponding to IP_SET2) > SG_Web01 (corresponding to Web-02 server).

The final piece of the integration is the mapping of AirWatch managed apps:

  1. Dolphin > SG_IP1 (so that we can access Web-01 server via Dolphin).
  2. Firefox > SG_IP2 (so that we can access Web-02 server via Chrome).

Important Note: The default access rule is to reject the traffic that does not belong to the above Security groups. This results in Dolphin browser having no access to Web-02 and Chrome browser having no to access Web-01.

2. Lab Flow

To limit the scope of this lab, we have already implemented NSX configuration to enable micro-segmentation. We will perform the following steps (in sequence) to complete this lab:

  1. Enable REST API Key for your AirWatch Organization Group and install Cloud Connector.
  2. Complete AirWatch Tunnel Configuration.
  3. Install AirWatch Tunnel on Linux machine.
  4. Configure routing on the Tunnel server to allow NSX Edge Gateway to route traffic.
  5. Enroll an iOS device.
  6. Validate AirWatch - NSX integration on the enrolled device using browser applications.