VMware Tunnel on Unified Access Gateway Introduction

Whether it is for a global sales staff member, a traveling executive, or any other employee trying to access the company intranet from outside of the office, mobile access to enterprise resources is becoming a necessity in today's work environments. This access extends far beyond corporate email.

Companies are faced with the challenges of providing widespread levels of access to their users. They must also address the security concerns that arise with providing this level of access to a fleet of devices.

Many common solutions, such as SSL-VPN technology, do not let you selectively grant access to individual applications on mobile devices. To maintain data-loss protection and infrastructure health, IT needs a mobile-access solution that enforces access control, so that only approved and compliant devices can reach the corporate network, and that limits access to business applications, preventing data leakage through unauthorized personal applications reaching corporate resources.

The VMware Tunnel allows individual applications to authenticate and securely communicate with back-end resources over HTTP(S) for proxy and HTTP(S) or TCP for Per App Tunneling. The VMware Tunnel also helps to enable BYOD in your organization. By separating access between personal and business applications and data on your device, a device can be thought of as having two owners: an employee with business needs and an ordinary user with personal needs.

1. VMware Tunnel Components

Before we get started with this exercise, it's important that you understand the VMware Tunnel components available for implementing this product to provide secure internal access to your device fleet.

The VMware Tunnel consists of two major components: Tunnel Proxy and Per App Tunnel. These components run independently as two separate services on the Unified Access Gateway Appliance to enable internal access for an end-user device.

The Tunnel Proxy feature provides internal access to end-users in VMware Browser or other AirWatch SDK enabled applications by securing traffic from the app to a web site with SSL encryption and certificate authentication. Enable Tunnel Proxy for internal applications enabled with the AirWatch SDK and VMware Browser in the Workspace ONE UEM Admin Console using the default SDK profile.

This means the Tunnel Proxy feature is enabled through settings in an application-specific SDK profile, which is pushed from the Workspace ONE UEM Console along with the managed SDK-enabled app. Users can also reach internal websites through VMware Browser from non-managed devices by using the Workspace ONE app in MAM-only mode.

The Per App Tunnel feature enables an SSL VPN connection on a per-application basis for any public or internal application. This feature leverages the native Per-App VPN functionality of Android, iOS, and Windows 10 platforms along with a device side VPN client application to initiate a VPN connection when an enabled application is launched. The VMware Tunnel client application installed on the user's device maintains a whitelist of applications that should use VPN, handles certificates for enabled applications, and will initiate the VPN connection on behalf of the user.

Settings for the Per App Tunnel feature are pushed to the device in a device profile with the VPN payload configured. Each platform offers slightly different variations of the Per App Tunnel feature, but all platforms require the presence of the VMware Tunnel client to use Per App VPN functionality.

VMware Tunnel Features

2. VMware Tunnel Edge Service on Unified Access Gateway

The VMware Tunnel runs as an edge service on Unified Access Gateway, and can be configured automatically while deploying the appliance via PowerShell, or afterwards through the Unified Access Gateway administration console.

The VMware Unified Access Gateway appliance OVF template contains several edge services beyond VMware Tunnel: Content Gateway, Web Reverse Proxy, and Horizon. The appliance runs on VMware's standard hardened image.

This exercise will guide you through the necessary Workspace ONE UEM configuration, along with the Unified Access Gateway deployment steps in vSphere via PowerShell, configuration of VMware Tunnel Edge Service, and use of Per App VPN and Tunnel Proxy on an enrolled iOS device. Instructions for alternative installation methods can be found on VMware Workspace ONE Resources.

3. VMware Tunnel Deployment Model on Unified Access Gateway

Now, let's go through the Deployment Models available when using Tunnel as a service on the Unified Access Gateway Appliance.

Tunnel Single and Multi-tier SaaS Model

The VMware Tunnel can be deployed in one of two configurations:

  • The Basic Mode consists of a single Unified Access Gateway Appliance, typically situated in the DMZ, where devices can connect to the appropriate port for each feature, authenticate with a certificate issued from the Workspace ONE UEM Console, and connect to internal sites.
  • Alternatively, the VMware Tunnel can be deployed in a Cascade Mode configuration. This option allows devices to authenticate to the Front-end Tunnel on the Unified Access Gateway Appliance located in the DMZ, then connect over a single port to the Tunnel Back-end enabled on another Unified Access Gateway Appliance, and then access internal resources.

3.1. TLS Port Sharing

TLS port sharing is an important Unified Access Gateway component that allows a single port (443) to serve multiple edge services. It is enabled by default on Unified Access Gateway whenever multiple edge services are configured to use TCP port 443. Supported edge services are VMware Tunnel, Content Gateway and Web Reverse Proxy.

When the Per App Tunnel and Content Gateway edge services are enabled with TLS Port Sharing, a TLS SNI rule is created automatically to redirect incoming traffic on port 443 to the respective edge service port: 10443 for Content Gateway and 8443 for Per App Tunnel. The Tunnel Proxy edge service does not participate in TLS port sharing and stays on port 2020.

Note: If you want TCP port 443 to be shared, ensure that each configured edge service has a unique external hostname pointing to Unified Access Gateway. When port sharing is not enabled, each edge service is assigned a different port and can use the same external name.

3.2. Basic Model

Tunnel Single-tier Model

The Basic deployment model includes a single Unified Access Gateway Appliance, which requires a public hostname and a dedicated port for each component.

The default port for Tunnel Proxy is 2020 and for Per App Tunnel is 443; when TLS Port Sharing is disabled, the Per App Tunnel default port is 8443.

These ports are secured with an AirWatch-issued Tunnel certificate, issued from the Device Root Certificate of your Workspace ONE UEM environment, or with a public third-party SSL certificate.

Note: Starting on Unified Access Gateway 3.3, TLS Port Sharing is enabled by default.
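To make the SNI-based routing of section 3.1 and the port defaults of section 3.2 concrete, here is an added example written for this page (it is not VMware's code and not how the appliance itself is implemented). It builds a TLS ClientHello, extracts the server_name extension exactly as a shared listener on 443 has to before it can dispatch, maps the name to the edge-service port, and flags the configuration the note above warns about: two edge services sharing one external hostname, which SNI cannot tell apart. The hostnames tunnel.example.com and content.example.com, the cipher suite bytes and all function names are constructed assumptions; the ports 443, 8443, 10443 and 2020 are the ones this page gives.

```python
"""Added example: SNI extraction and edge-service dispatch for TLS port sharing.

Not VMware code. Hostnames, function names and the cipher suite are constructed
for illustration; the port numbers follow the page (8443 Per App Tunnel,
10443 Content Gateway, 2020 Tunnel Proxy outside port sharing).
"""
import struct

# What a single listener on 443 dispatches to once SNI is known (constructed hostnames).
SNI_ROUTES = {
    "tunnel.example.com": ("Per App Tunnel", 8443),
    "content.example.com": ("Content Gateway", 10443),
}
# Tunnel Proxy never takes part in TLS port sharing; it keeps its own listener.
TUNNEL_PROXY_PORT = 2020


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying one server_name entry."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host    # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"               # client_version: TLS 1.2
        + b"\x00" * 32            # random (zeros; constructed)
        + b"\x00"                 # session_id length 0
        + b"\x00\x02\x13\x01"     # one cipher suite (constructed value)
        + b"\x01\x00"             # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16:                       # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                           # not a ClientHello
            return None
        pos = 4 + 2 + 32                            # handshake header, version, random
        sid_len = hs[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2 + cs_len
        cm_len = hs[pos]
        pos += 1 + cm_len
        if pos >= len(hs):
            return None                             # no extensions block at all
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:                       # walk extensions, skipping the ones we do not need
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                q = pos + 2                         # skip 2-byte ServerNameList length
                while q + 3 <= pos + elen:
                    ntype = hs[q]
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    if ntype == 0:
                        return hs[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def route(record: bytes):
    """Map a ClientHello to (service, backend_port); None means no SNI rule matches."""
    name = extract_sni(record)
    if name is None:
        return None
    return SNI_ROUTES.get(name.lower())


def conflicting_hostnames(bindings):
    """Hostnames bound to more than one edge service: SNI on a shared 443 cannot separate them."""
    seen = {}
    for host, service, _port in bindings:
        seen.setdefault(host.lower(), set()).add(service)
    return sorted(h for h, services in seen.items() if len(services) > 1)


if __name__ == "__main__":
    for name in ("tunnel.example.com", "content.example.com", "other.example.com"):
        print(name, "->", route(build_client_hello(name)))
    print("conflicts:", conflicting_hostnames([
        ("uag.example.com", "Per App Tunnel", 8443),
        ("uag.example.com", "Content Gateway", 10443),
    ]))
```

The parser returns None for anything that is not a well-formed ClientHello with an SNI entry, which is the case a port-sharing listener must handle without crashing; a real ClientHello carries many more extensions than the one built here, and the loop simply skips the ones it does not recognise. The conflict check is the operational point of the note above: if two services are published under one external name, the listener on 443 receives identical SNI values and has nothing to dispatch on.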

3.3. Cascade Model

Tunnel Multi-tier Model

The Cascade deployment model architecture includes two instances of Unified Access Gateways with VMware Tunnel enabled on each. In cascade mode, the front-end server resides in the DMZ and communicates to the back-end server in your internal network.

When TLS Port Sharing is enabled on the Front-End Unified Access Gateway, Per App Tunnel requests arrive on port 443. Internally, Unified Access Gateway redirects the request to HAProxy, which forwards it to the VMware Tunnel edge service on port 8443; the edge service then authenticates the device and forwards the request to the Back-End Tunnel, which redirects it to the specific internal resource port.

Tunnel Proxy requests arrive on port 2020 at the Front-End Tunnel Proxy, which validates the device and forwards the traffic to the Back-End Tunnel Proxy on port 2010. TLS Port Sharing does not apply to Tunnel Proxy.

4. Prerequisites

To permit a successful deployment of VMware Tunnel, the following prerequisites are required:

  1. AirWatch 8.4+ or Workspace ONE UEM 9.5+
  2. VMware Unified Access Gateway 3.4 Appliance
  3. vSphere 6+

5. Exercise Flow

To limit the scope of this exercise, we have set up a unique hostname and a single port for the Per App VPN component of the VMware Tunnel. We will perform the following steps (in sequence) to complete this lab:

  1. Configure API key and Device Root Certificate in the console.
  2. Configure VMware Tunnel settings in the console.
  3. Deploy Unified Access Gateway Appliance enabling VMware Tunnel Edge Services through PowerShell based on a Single-Tier Architecture.
  4. Review the VMware Tunnel Edge Service configuration from the Unified Access Gateway administration console.
  5. Configure whitelisted Safari domains by leveraging Device Traffic Rules.
  6. Validate the internal access to intranet website from your enrolled iOS device.