Route Configuration on AirWatch Tunnel Server
Now that we have AirWatch Tunnel installed on our Linux machine, we need to re-configure routes on the Linux machine. In this section, we are going to change the routing on the Linux VM so that we introduce Edge Gateway as an intermediate hop, before the requests from Tunnel Server reach web endpoints. This way, we ensure that NSX Edge Gateway firewall configurations are enforced and access is allowed as per the Security group mapping.
1. Default IP routing table
Enter "route" and hit enter.
You should see 5 routes on interface "eno16780032" and 2 routes on interface "eno50336512". Validate that the route table matches the image before proceeding.
Note: In some scenarios, it may take around 2 - 3 minutes for the route tables to populate as shown in the image. Wait until the default routes match the screenshot before proceeding.
You can use the command "route" to check the routing table again.
1.1. Notice the routes on interface eno50336512
Enter "route" and hit enter.
Note: In some scenarios, it may take around 2 - 3 minutes for the route tables to populate as shown in the image. Wait until the default routes match the screenshot before proceeding.
You can use the command "route" to check the routing table again.
Since we have NSX Interface configured on the interface "eno16780032", we are going to delete the routes on the interface "eno50336512" in the next steps.
1.2. Delete Routes
Enter the following commands to delete routes:
route delete -net 192.168.30.0/24 dev eno50336512
and press "Enter".
Similarly,
route delete -net 10.10.20.0/24 dev eno50336512
and press "Enter".
1.3. Validate Route table
- Enter "route" to display route table.
- Ensure that you now see all the routes (total 5) on the interface "eno16780032" only.
2. Route Configuration for Web01
2.1. From AW Tunnel to Web01
Let us revisit our lab architecture diagram but only focus on Web01 endpoint. We have configured a firewall rule in Edge service gateway to allow traffic from SG_IP1 (10.10.20.x) to SG_Web01 (192.168.20.20 or web01).
- Also, Edge gateway is already configured to communicate with AW Tunnel on the interface 10.10.20.254/24.
- The other interface of Edge Gateway is configured to communicate with Web endpoint on the interface 192.168.20.254/24.
2.2. Add route for Web01
Now if we add the following route, it will complete the path shown by blue arrow:
route add -net 192.168.20.0/24 gw 10.10.20.254 dev eno16780032
and press "Enter".
2.3. traceroute to web01
If we enter the following command:
traceroute 192.168.20.20
then the first hop is the Edge Gateway interface (10.10.20.254), and the trace then reaches web01.corp.local.
3. Route Configuration for Web02
3.1. From AW Tunnel to Web02
Similarly, we have configured a firewall rule in Edge service gateway to allow traffic from SG_IP2 (10.10.30.x) to SG_Web02 (192.168.30.30 or web02).
- Also, Edge gateway is already configured to communicate with AW Tunnel on the interface 10.10.30.254/24.
- The other interface of Edge Gateway is configured to communicate with Web endpoint on the interface 192.168.30.254/24.
3.2. Add route for Web02
Now if we add the following route, it will complete the path shown by blue arrow:
route add -net 192.168.30.0/24 gw 10.10.30.254 dev eno16780032
and press "Enter".
3.3. traceroute to web02
If we enter the following command:
traceroute 192.168.30.30
then the first hop is the Edge Gateway interface (10.10.30.254), and the trace then reaches web02.corp.local.
4. Final Route table
- If you run the command "route", you should see the above route table with 7 routes, all on the interface "eno16780032".
- Enter "exit" to close the SSH session.
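The script below is an added example, not part of the lab guide. It checks a routing table against what steps 1.2, 2.2 and 3.2 are meant to achieve: no route left on "eno50336512", and both web subnets reached only through the Edge Gateway addresses. The function name check_routes and the sample tables are assumptions constructed for illustration; the interface names, subnets and gateways are the ones used in this section.

```shell
# check_routes (hypothetical helper) reads `route -n` output on stdin and fails
# if any route could let Tunnel traffic reach the web subnets without passing
# the Edge Gateway firewall. Live use: route -n | check_routes
EDGE_IF="eno16780032"   # interface that should carry every route
OLD_IF="eno50336512"    # interface whose routes were deleted in step 1.2

check_routes() {
  awk -v edge_if="$EDGE_IF" -v old_if="$OLD_IF" '
    BEGIN {
      # destination network -> gateway added in steps 2.2 and 3.2
      want["192.168.20.0"] = "10.10.20.254"
      want["192.168.30.0"] = "10.10.30.254"
    }
    $1 !~ /^[0-9]/ { next }   # skip the header lines; data rows start with a digit
    {
      dest = $1; gw = $2; mask = $3; iface = $8
      if (iface == old_if) {
        printf "FAIL: %s is still routed on %s\n", dest, old_if; bad = 1
      }
      if (dest in want) {
        seen[dest] = 1
        if (gw != want[dest] || mask != "255.255.255.0" || iface != edge_if) {
          printf "FAIL: %s uses gateway %s on %s\n", dest, gw, iface; bad = 1
        }
      }
    }
    END {
      for (d in want) if (!(d in seen)) { printf "FAIL: no route for %s\n", d; bad = 1 }
      if (!bad) print "OK: web subnets are reached through the Edge Gateway"
      exit bad + 0
    }'
}

# Constructed sample (not lab output): the state after step 1.2 plus both added routes.
# Only the rows this check inspects are shown.
SAMPLE_GOOD='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.20.0      0.0.0.0         255.255.255.0   U     0      0        0 eno16780032
192.168.20.0    10.10.20.254    255.255.255.0   UG    0      0        0 eno16780032
192.168.30.0    10.10.30.254    255.255.255.0   UG    0      0        0 eno16780032'

# Constructed sample: a leftover direct route that would bypass the gateway.
SAMPLE_BAD="$SAMPLE_GOOD
192.168.30.0    0.0.0.0         255.255.255.0   U     0      0        0 eno50336512"

printf '%s\n' "$SAMPLE_GOOD" | check_routes
printf '%s\n' "$SAMPLE_BAD" | check_routes || echo "bypass route detected"
```

The -n flag keeps "route" from resolving addresses to names, so the destination and gateway columns can be compared as literal addresses.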