Tunnel Virtual Appliance Introduction

Whether it is for a global sales staff member, a traveling executive, or any other employee trying to access the company intranet from outside of the office, mobile access to enterprise resources is becoming a necessity in today’s work environments. This access extends to far more than just corporate email access.

Companies are faced with the challenges of providing widespread levels of access to their users. They must also address the security concerns that arise with providing this level of access to a fleet of devices.

Many common solutions, such as SSL VPN technology, do not let you selectively grant access to individual applications on a mobile device: once the tunnel is up, every application on the device can reach the corporate network. To maintain data-loss protection and infrastructure health, IT needs a mobile-access solution that enforces access control, so that only approved and compliant devices can reach the corporate network, and that limits that access to business applications, so that unauthorized personal applications cannot reach corporate resources and leak data.

The AirWatch Tunnel allows individual applications to authenticate and securely communicate with back-end resources: over HTTP(S) when using the proxy feature, and over HTTP(S) or TCP when using per-app tunneling. The AirWatch Tunnel also helps to enable BYOD in your organization. By separating access between personal and business applications and data on the device, a device can be thought of as having two owners: an employee with business needs and an ordinary user with personal needs.

1. AirWatch Tunnel Deployment Options

Before we get started with the lab, let us review the features of the AirWatch Tunnel and the two deployment models available for implementing this product to provide secure internal access to your device fleet.

1.1. AirWatch Tunnel Features


The AirWatch Tunnel provides two features, Tunnel Proxy and Per App Tunnel. They run independently, as two separate services on the Tunnel server, and each enables internal access for an end-user device in its own way.

The Tunnel Proxy feature provides internal access to end users in VMware Browser or other AirWatch SDK-enabled applications by securing traffic from the app to a web site with SSL encryption and certificate authentication: the device presents a certificate issued by the AirWatch Console, so an unmanaged client without that certificate cannot use the proxy. Tunnel Proxy is enabled in the AirWatch Admin Console through SDK profile settings, either in the default SDK profile or in an application-specific one.

This means the Tunnel Proxy feature is turned on by the SDK profile that the AirWatch Admin Console pushes to the device along with the managed SDK-enabled app; applications without that profile do not get proxy access.

The Per App Tunnel feature enables an SSL VPN connection on a per-application basis for any public or internal application. This feature leverages the native Per-App VPN functionality of the Android, iOS, and Windows 10 platforms along with a device-side VPN client application to initiate a VPN connection when an enabled application is launched. The VMware Tunnel client application installed on the user's device maintains a whitelist of applications that are allowed to use the VPN, handles certificates for the enabled applications, and initiates the VPN connection on behalf of the user; applications not on that list never see the tunnel.

Settings for the Per App Tunnel feature are pushed to the device in a device profile with the VPN payload configured. Each platform offers slightly different variations of the Per App Tunnel feature, but all platforms require the presence of the VMware Tunnel client to use Per App VPN functionality.


2. AirWatch Tunnel Deployment Options


The AirWatch Tunnel can be deployed in one of two configurations. The Basic-Endpoint model consists of a single Tunnel server, typically situated in the DMZ, where devices connect to the appropriate port for each feature, authenticate with a certificate issued from the AirWatch Console, and then connect to internal sites. Alternatively, the AirWatch Tunnel can be deployed in a Relay-Endpoint configuration. In this model devices authenticate to the Relay server in the DMZ, which forwards the traffic to the Tunnel Endpoint over a single port, and the Endpoint then reaches the internal resources; the host exposed to the internet therefore needs only one port open toward the internal network rather than direct access to internal sites. This option


2.1. Basic Endpoint


The Basic Endpoint deployment model includes a single AirWatch Tunnel server, which requires a public hostname and a dedicated port for each feature. The default port for Tunnel Proxy is 2020 and the default Per App Tunnel port is 8443. These ports are secured with a Tunnel certificate, issued either from the Device Root Certificate of your AirWatch environment or by a public third-party SSL certificate authority. Whichever issuer you choose, devices must be able to validate that certificate, so the public hostname on the certificate must match the hostname configured in the console, and only these feature ports need to be reachable from the internet.
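As an added example (not part of this lab or of the AirWatch product), the following Python pre-flight check does from a workstation what a device will do at enrollment time: it connects to each Basic Endpoint feature port, requires a TLS 1.2 or later handshake, validates the server certificate against a pinned CA file, and checks that the certificate matches the public hostname. The hostname tunnel.example.com, the file device-root-ca.pem and the issuer CN string are placeholders; export the real Device Root Certificate from your console (or use your public CA's bundle) before running it.

```python
"""Pre-flight TLS check for a Basic Endpoint AirWatch Tunnel server.

Added example, not code from the lab or from AirWatch. It verifies, for
each feature port, that the listener answers with TLS 1.2+ and presents a
certificate that chains to the pinned CA file and matches the hostname.
"""
import socket
import ssl

# Default feature ports from the Basic Endpoint description.
DEFAULT_PORTS = {"tunnel_proxy": 2020, "per_app_tunnel": 8443}


def issuer_cn(cert):
    """Return the issuer commonName from an ssl.getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_tunnel_port(host, port, ca_file, expected_issuer_cn=None,
                      client_cert=None, timeout=5.0):
    """Open a TLS connection to host:port and verify the server certificate.

    Returns (ok, detail). Fails closed: any socket, handshake, chain or
    hostname problem yields ok=False with the error text in detail.
    client_cert is an optional (cert_path, key_path) pair: the Tunnel
    server authenticates devices with a console-issued certificate, so a
    server that enforces mutual TLS in the handshake rejects this probe
    unless such a certificate is supplied.
    """
    try:
        # Only the pinned CA file is trusted; the system store is not loaded.
        ctx = ssl.create_default_context(cafile=ca_file)
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        if client_cert:
            ctx.load_cert_chain(*client_cert)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                cn = issuer_cn(cert)
                if expected_issuer_cn and cn != expected_issuer_cn:
                    return False, f"issuer CN {cn!r} != {expected_issuer_cn!r}"
                return True, {"protocol": tls.version(), "issuer": cn,
                              "not_after": cert.get("notAfter")}
    except (OSError, ValueError) as exc:  # ssl errors subclass these
        return False, f"{type(exc).__name__}: {exc}"


def check_deployment(host, ca_file, ports=DEFAULT_PORTS, **kwargs):
    """Check every feature port; returns {feature_name: (ok, detail)}."""
    return {name: check_tunnel_port(host, port, ca_file, **kwargs)
            for name, port in ports.items()}


if __name__ == "__main__":
    # Placeholders: your Tunnel public hostname, the exported Device Root
    # Certificate (PEM) and the CN you expect on the issuing CA.
    results = check_deployment("tunnel.example.com", "device-root-ca.pem",
                               expected_issuer_cn="Device Root CA")
    for feature, (ok, detail) in results.items():
        print(f"{feature}: {'OK' if ok else 'FAIL'} {detail}")
    raise SystemExit(0 if all(ok for ok, _ in results.values()) else 1)
```

A server alert about a missing client certificate means the listener is up and the server-side chain was accepted, but treat it as a failure until you retry with a console-issued device certificate through client_cert. A hostname or chain error, on the other hand, is exactly what enrolled devices will hit, so fix the certificate before pushing the profile.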


2.2. Relay-Endpoint


2.3. AirWatch Tunnel Server

The AirWatch Tunnel server is deployed as a virtual appliance using VMware vSphere or PowerShell. The appliance OVF template is VMware's Access Point product, which bundles the AirWatch Tunnel server along with other AirWatch and VMware products and runs on VMware's standard hardened image, so the operating system underneath the Tunnel service is not one you build or patch by hand.

AirWatch Tunnel can also be installed on RHEL or CentOS platforms. The AirWatch Tunnel Proxy server can also be installed on Windows Server 2008 or 2012.

This workshop will walk you through steps to configure and deploy the AirWatch Tunnel Virtual Appliance using vSphere. Instructions for alternative installation methods can be found on AirWatch Resources.

2.4. AirWatch Tunnel Virtual Appliance


The AirWatch Tunnel Proxy can be installed on either a Windows or a Linux server. The Per App Tunnel feature of AirWatch Tunnel is supported only on Linux. To streamline deployment and better manage the AirWatch Tunnel within your EMM architecture, the AirWatch Tunnel can now be deployed as a Virtual Appliance using vSphere 6 or later.

This lab will guide you through the necessary AirWatch configuration along with the deployment steps in vSphere to implement the AirWatch Tunnel Virtual Appliance and use Per App VPN on an enrolled iOS device.

3. Prerequisites

To deploy the AirWatch Tunnel successfully, the following prerequisites are required:

  1. AirWatch Console v8.4+ with AWCM
  2. vSphere 6+

4. Lab Flow

To limit the scope of this lab, we have set up a unique hostname and a single port for the Per App VPN component of the AirWatch Tunnel. We will perform the following steps, in sequence, to complete this lab:

  1. Configure API key and Device Root Certificate in the console
  2. Configure AirWatch Tunnel settings in the console
  3. Deploy virtual appliance OVF in the vSphere web client
  4. Complete Tunnel Server configuration from Tunnel Admin UI
  5. Configure public application and device profile to use Per App VPN
  6. Validate the virtual appliance deployment on your enrolled iOS device.