Route Configuration on AirWatch Tunnel Server

Now that we have AirWatch Tunnel installed on our Linux machine, we need to reconfigure the routes on that machine. In this section, we change the routing on the Linux VM so that the NSX Edge Gateway becomes an intermediate hop before requests from the Tunnel Server reach the web endpoints. This way, we ensure that the NSX Edge Gateway firewall configuration is enforced and access is allowed as per the Security Group mapping.

1. Default IP routing table


Enter "route" and hit enter.

You should see 5 routes on interface "eno16780032" and 2 routes on interface "eno50336512". Validate that the route table matches the image before proceeding.

Note: In some scenarios, it may take around 2 - 3 minutes for the route table to populate as shown in the image. Please wait until you have validated that the default routes match the screenshot before proceeding.

You can use the command "route" to check the routing table again.

1.1. Notice the routes on interface eno50336512



Since the NSX-facing interface is "eno16780032", we are going to delete the routes on the interface "eno50336512" in the next steps.

1.2. Delete Routes


Enter the following commands to delete routes:

route delete -net 192.168.30.0/24 dev eno50336512

and press "Enter".

Similarly,

route delete -net 10.10.20.0/24 dev eno50336512

and press "Enter".

1.3. Validate Route table

  1. Enter "route" to display route table.
  2. Ensure that you now see all the routes (total 5) on the interface "eno16780032" only.

2. Route Configuration for Web01

2.1. From AW Tunnel to Web01


Let us revisit our lab architecture diagram, focusing only on the Web01 endpoint. We have configured a firewall rule in the Edge Services Gateway to allow traffic from SG_IP1 (10.10.20.x) to SG_Web01 (192.168.20.20 or web01).

  1. The Edge Gateway is already configured to communicate with AW Tunnel on its interface 10.10.20.254/24.
  2. The other interface of the Edge Gateway is configured to communicate with the web endpoint on 192.168.20.254/24.

2.2. Add route for Web01


Now if we add the following route, it will complete the path shown by the blue arrow:

route add -net 192.168.20.0/24 gw 10.10.20.254 dev eno16780032

and press "Enter".

2.3. traceroute to web01


If we enter the following command:

traceroute 192.168.20.20

then the first hop is the Edge Gateway interface (10.10.20.254), after which the traffic reaches web01.corp.local.

3. Route Configuration for Web02

3.1. From AW Tunnel to Web02


Similarly, we have configured a firewall rule in the Edge Services Gateway to allow traffic from SG_IP2 (10.10.30.x) to SG_Web02 (192.168.30.30 or web02).

  1. The Edge Gateway is already configured to communicate with AW Tunnel on its interface 10.10.30.254/24.
  2. The other interface of the Edge Gateway is configured to communicate with the web endpoint on 192.168.30.254/24.

3.2. Add route for Web02


Now if we add the following route, it will complete the path shown by the blue arrow:

route add -net 192.168.30.0/24 gw 10.10.30.254 dev eno16780032

and press "Enter".

3.3. traceroute to web02


If we enter the following command:

traceroute 192.168.30.30

then the first hop is the Edge Gateway interface (10.10.30.254), after which the traffic reaches web02.corp.local.

4. Final Route table

  1. If we run the command "route", we should see the route table above with 7 routes, all on the interface "eno16780032".
  2. Enter "exit" to close the SSH session.
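The steps above (delete the two direct routes on "eno50336512", add the two routes via the Edge Gateway, then confirm the table) can be scripted and, more importantly, checked: the point of the exercise is that no route remains that lets Tunnel traffic reach a web subnet without passing the Edge firewall. The following is an added example, not part of the lab guide or of AirWatch/NSX; it uses the interface names, networks and next hops from the guide, prints the "route" commands as a dry run unless APPLY=1 is set, and verifies a "route -n" dump with awk. The two route-table dumps embedded at the bottom are constructed for offline testing and only approximate what the lab screenshots show.

```shell
#!/bin/sh
# Added example (not from the original lab guide): apply and verify the
# route changes. Interface names and addresses are the guide's; sample
# tables below are constructed.

NSX_IF="eno16780032"      # NSX-facing interface that keeps all routes
STALE_IF="eno50336512"    # interface whose direct routes are removed
WEB01_NET="192.168.20.0/24"; WEB01_GW="10.10.20.254"
WEB02_NET="192.168.30.0/24"; WEB02_GW="10.10.30.254"

# run CMD...: echo the command; execute it only when APPLY=1 (needs root).
run() {
    echo "+ $*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# reconfigure_routes: steps 1.2, 2.2 and 3.2 of the guide in one place.
# iproute2 equivalents are given in comments for hosts without net-tools.
reconfigure_routes() {
    run route delete -net 192.168.30.0/24 dev "$STALE_IF"   # ip route del 192.168.30.0/24 dev eno50336512
    run route delete -net 10.10.20.0/24 dev "$STALE_IF"     # ip route del 10.10.20.0/24 dev eno50336512
    run route add -net "$WEB01_NET" gw "$WEB01_GW" dev "$NSX_IF"  # ip route add 192.168.20.0/24 via 10.10.20.254 dev eno16780032
    run route add -net "$WEB02_NET" gw "$WEB02_GW" dev "$NSX_IF"  # ip route add 192.168.30.0/24 via 10.10.30.254 dev eno16780032
}

# routes_on_iface TABLE IFACE: count routes in a "route -n" dump using IFACE.
# "route -n" columns: Destination Gateway Genmask Flags Metric Ref Use Iface
routes_on_iface() {
    printf '%s\n' "$1" | awk -v ifc="$2" 'NR > 2 && $8 == ifc { n++ } END { print n + 0 }'
}

# gateway_for TABLE NETWORK: Gateway column for a destination network
# (0.0.0.0 means the network is reached directly, i.e. on-link).
gateway_for() {
    printf '%s\n' "$1" | awk -v dst="$2" 'NR > 2 && $1 == dst { print $2; exit }'
}

# verify_table TABLE: the end state section 4 expects, plus the property that
# matters for the firewall: both web networks go via the Edge Gateway and no
# direct route is left on the stale interface. Returns 0 when all checks pass.
verify_table() {
    tbl="$1"; ok=0
    [ "$(routes_on_iface "$tbl" "$NSX_IF")" = "7" ]   || { echo "expected 7 routes on $NSX_IF" >&2; ok=1; }
    [ "$(routes_on_iface "$tbl" "$STALE_IF")" = "0" ] || { echo "direct routes remain on $STALE_IF" >&2; ok=1; }
    [ "$(gateway_for "$tbl" 192.168.20.0)" = "$WEB01_GW" ] || { echo "web01 net not via $WEB01_GW" >&2; ok=1; }
    [ "$(gateway_for "$tbl" 192.168.30.0)" = "$WEB02_GW" ] || { echo "web02 net not via $WEB02_GW" >&2; ok=1; }
    return $ok
}

# Constructed sample: the table before step 1.2 (5 routes on the NSX-facing
# interface, 2 direct routes on the stale interface).
SAMPLE_BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.10.1      0.0.0.0         UG    0      0        0 eno16780032
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 eno16780032
10.10.20.0      0.0.0.0         255.255.255.0   U     0      0        0 eno16780032
10.10.30.0      0.0.0.0         255.255.255.0   U     0      0        0 eno16780032
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eno16780032
10.10.20.0      0.0.0.0         255.255.255.0   U     0      0        0 eno50336512
192.168.30.0    0.0.0.0         255.255.255.0   U     0      0        0 eno50336512'

# Constructed sample: the table after section 3 (7 routes, all on the NSX-facing
# interface, web subnets reached via the Edge Gateway).
SAMPLE_AFTER='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.10.1      0.0.0.0         UG    0      0        0 eno16780032
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 eno16780032
10.10.20.0      0.0.0.0         255.255.255.0   U     0      0        0 eno16780032
10.10.30.0      0.0.0.0         255.255.255.0   U     0      0        0 eno16780032
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eno16780032
192.168.20.0    10.10.20.254    255.255.255.0   UG    0      0        0 eno16780032
192.168.30.0    10.10.30.254    255.255.255.0   UG    0      0        0 eno16780032'

# Usage on the Tunnel server, as root: APPLY=1 sh routes.sh
if [ "${APPLY:-0}" = "1" ]; then
    reconfigure_routes
    verify_table "$(route -n)" && echo "route table OK"
fi
```

Two caveats a practitioner will want: routes added with "route add" (or "ip route add") live only in the running kernel and are gone after a reboot, so the same routes must also be placed in the distribution's persistent network configuration for the Tunnel server; and the check that the kernel will actually use the Edge next hop for a given endpoint is "ip route get 192.168.20.20", which should report "via 10.10.20.254" once the route is in place.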