AirWatch Tunnel Admin UI

The AirWatch Tunnel virtual appliance is

ccess Point 2.8 separates the appliance deployment and product configuration steps when using vSphere to deploy AirWatch Tunnel.

Rather than entering all information in the OVF deployment template, this version provides a GUI-based Admin Page to configure and manage the product.

Access Point 2.8 supports multiple Edge Services such as AirWatch Per App Tunnel & Proxy , SEG, Horizon, and IDM. This guide walks you through manually configuring AirWatch Tunnel from the Admin UI. The following section will show additional features and options in the UI as well as troubleshooting steps for AirWatch Tunnel.

AirWatch 9.0+ console allows you to change log levels remotely without needing to restart services. Ideally, the new web-based tools should allow the administrator to manage, configure or troubleshoot without having to log in to the Tunnel server.

Access Point Login

Access Point Login

After completing the OVF deployment in vSphere, complete the following steps to complete the Tunnel setup.  

  1. Navigate to https://Tunnel_IP:9443/admin
  2. Enter "admin" in the User Name field
  3. Enter the password configured for the API during deployment
  4. Click Login

Select Configure Manually

Select Configure Manually

Click Select under Configure Manually

Configure Edge Services

Configure Edge Services
  1. Click the slider to "Show" Edge Service Settings
  2. Click the Settings Gear next to Per App Tunnel and Proxy Settings

Configure Tunnel Settings

  1. Enter "" in the API field
  2. Enter "yourAdminUsername" in API Server Username field
  3. Enter the Password for that account
  4. Enter the "GroupID" for your Organization Group (case-sensative).
  5. Enter the hostname for this server that matches what was configured in the AirWatch console

Note: the Admin UI reaches out to the AirWatch API server to retrieve settings based on the hostname entered in the AirWatch Server Hostname field. This should match what you configured in the console for the Tunnel hostname.


Once settings are saved, the Tunnel server will retrieve the configuration details and servies will startup on that server. One of the easiest ways to validate the setup completed successfully is to run the "Test Connection" from the AirWatch console. This test shows results for the Tunnel Proxy service ONLY. There is no independent test for Per App Tunnel from the console. This is a very high level test and should not be considered the final validation step.

In addition to Test Connection, you can validate the setup by logging in to the server and confirming whether the Tunnel services are running. Ru

Open server from vSphere

Return to the vSphere client

Navigate to "VMs and Templates"

Select the Tunnel server from the list of VMs

Click More Actions, and click Open Console

Login to Server

Enter username: "root"

Enter password for the root account concigured during vsphere deployment


Check Services

After log in, run the command: netstat -tlpn

The response should include services running on 8443 and 2020 (ont he Relay server or Basic Endpoint) Endpoint server will only show the one on 2020.

If you do not see both of these servies, run the following commands to start and check status:

systemctl status vpnd

systemctl status proxy

Confirm Files are downloaded

If the APi call awas successful, you will find all of the configuration files downloaded to the Tunnel folder.

Run: ls -l /opt/airwatch/tunnel/vpnd

Make sure the server.conf file is listed in the folder. Without this file, the Per App Tunnel service cannot run and the API call was not successful. Return to the Admin UI and check your configuration settings. Confirm they are correct, resave, and then repeat this step. If there is still no file, go to the bottom of the Admin UI page and click "Download Log Archive"