The AirWatch Tunnel features include Tunnel Proxy and Per App Tunnel. These features run independently as two separate services on the Tunnel server.  to enable internal access for an end-user device.

The Tunnel Proxy feature provides internal access to end-users in VMware Browser or other AirWatch SDK enabled applications by securing traffic from the app to a web site with SSL encryption and certificate authentication. Enable Tunnel Proxy for internal applications enabled with the AirWatch SDK and VMware Browser in the AirWatch Admin Console using the default SDK profile.

This means the Tunnel Proxy feature is enabled through settings in an application-specific SDK profile, which is pushed from the AirWatch Admin Console along with the managed SDK-enabled app.

The Per App Tunnel feature enables an SSL VPN connection on a per-application basis for any public or internal application. This feature leverages the native Per-App VPN functionality of Android, iOS, and Windows 10 platforms along with a device side VPN client application to initiate a VPN connection when an enabled application is launched. The VMware Tunnel client application installed on the user's device maintains a whitelist of applications that should use VPN, handles certificates for enabled applications, and will initiate the VPN connection on behalf of the user.

Settings for the Per App Tunnel feature are pushed to the device in a device profile with the VPN payload configured. Each platform offers slightly different variations of the Per App Tunnel feature, but all platforms require the presence of the VMware Tunnel client to use Per App VPN functionality.

Note: Please click on the image to expand.

Basic Endpoint deployment model includes a single AirWatch Tunnel server, which requires a public hostname and a dedicated port for each feature. The default port for Tunnel Proxy is 2020 and the default Per App Tunnel port is 8443. These ports are secured with an AirWatch issued Tunnel certificate, issued from the Device Root Certificate of your AirWatch Environment or a Public Third-Party SSL certificate.

The AirWatch Tunnel server is deployed as a virtual appliance using VMware vSphere or Powershell. The appliance OVF template is VMware's Access Point product, which contains the AirWatch Tunnel server along with other AirWatch and VMware products. This appliance runs off VMware's standard hardened image.

AirWatch Tunnel can also be installed on RHEL or CentOS platforms. The AirWatch Tunnel Proxy server can also be installed on Windows Server 2008 or 2012.

This workshop will walk you through steps to configure and deploy the AirWatch Tunnel Virtual Appliance using vSphere. Instructions for alternative installation methods can be found on AirWatch Resources.

The AirWatch Tunnel Proxy can be installed on either a Windows or Linux server. The Per App Tunnel feature of AirWatch Tunnel is only supported on Linux. To streamline deployment and better manage the AirWatch Tunnel within your EMM architecture, the AirWatch Tunnel can now be deployed as a Virtual Appliance using vSphere 6+

This lab will guide you through the necessary AirWatch configuration along with the deployment steps in vSphere to implement the AirWatch Tunnel Virtual Appliance and use Per App VPN on an enrolled iOS device.