Configure VMware Tunnel Proxy using the configuration wizard. The options configured in the wizard are packaged in the installer, which you can download from the Workspace ONE UEM console and move to your Tunnel servers.
Configure the VMware Tunnel Proxy in the UEM console under Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel Proxy. The wizard walks you through the installer configuration step by step. Changing the details in this wizard typically requires a reinstall of the VMware Tunnel with the new configuration, so confirm hostnames, ports, certificates and logging settings before you save.
Procedure
- Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel > Proxy.
- If you are configuring VMware Tunnel for the first time, select Configure and follow the configuration wizard screens.
- Otherwise, select Override, select the Enabled VMware Tunnel toggle switch, and then select Configure.
Note: Overriding VMware Tunnel Proxy settings does not override VMware Tunnel configuration settings.
- On the Deployment Type screen, select the Enable Proxy (Windows & Linux) toggle switch, and then select the components that you want to configure using the Proxy Configuration Type drop-down menu.
- In the drop-down menu that displays, select whether you are configuring a Basic or a Relay-Endpoint deployment. To see an example diagram for the selected type, select the information icon.
- Select Next.
- On the Details screen, configure the following settings. The options that are displayed on the Details screen depend on the configuration type you have selected in the Proxy Configuration Type drop-down menu.
- For the Basic Proxy Configuration Type, enter the following information:
Hostname: Enter the FQDN of the public host name for the Tunnel server, for example, tunnel.acmemdm.com. This hostname must be publicly resolvable, because it is the DNS name that devices connect to from the Internet.
Relay Port: The proxy service listens on this port. Devices connect to <relayhostname>:<port> to use the VMware Tunnel proxy feature. The default value is 2020.
Enable SSL Offloading: Select this check box if an upstream device terminates TLS in front of the VMware Tunnel server, so that the Tunnel server does not have to encrypt and decrypt the traffic itself.
Use Kerberos Proxy: Select this check box to allow access to target back-end Web services that require Kerberos authentication. This feature does not currently support Kerberos Constrained Delegation (KCD).
The Endpoint server must be in the same domain as the KDC for the Kerberos Proxy to communicate successfully with the KDC.
- For the Relay-Endpoint Proxy Configuration Type, enter the following information:
Relay Host Name: Enter the FQDN of the public host name for the Tunnel relay server, for example, tunnel.acmemdm.com. This hostname must be publicly resolvable, because it is the DNS name that devices connect to from the Internet.
Endpoint Host Name: The internal DNS name of the Tunnel endpoint server. This is the hostname that the relay server connects to on the endpoint port. If you plan to install the VMware Tunnel endpoint behind an SSL-offloading server, enter the name of that server in place of the endpoint host name.
When you enter a host name, do not include a protocol such as http:// or https://, and do not append a port.
Relay Port: The proxy service listens on this port. Devices connect to <relayhostname>:<port> to use the VMware Tunnel proxy feature. The default value is 2020.
Endpoint Port: The port used for communication between the VMware Tunnel relay and the VMware Tunnel endpoint. The default value is 2010.
If you are using a combination of Proxy and Per-App Tunnel, the relay endpoint installs as part of the Front-End Server for Cascade mode. The ports used by the two components must have different values.
Enable SSL Offloading: Select this check box if an upstream device terminates TLS in front of the VMware Tunnel server, so that the Tunnel server does not have to encrypt and decrypt the traffic itself.
Use Kerberos Proxy: Select this check box to allow access to target back-end Web services that require Kerberos authentication. This feature does not currently support Kerberos Constrained Delegation (KCD).
The Endpoint server must be in the same domain as the KDC for the Kerberos Proxy to communicate successfully with the KDC.
Realm: Enter the Kerberos realm of the KDC server in the Realm text box.
- Select Next.
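Because changing any of the Details values later means reinstalling Tunnel, it is worth checking them before you leave the wizard. The script below is an added example, not part of the Workspace ONE UEM documentation or the Tunnel installer: it enforces the rules stated above (bare FQDNs without a scheme or port suffix, ports in range, and no two listeners on the same port) against values you pass on the command line. The hostnames tunnel.acmemdm.com and tunnel-ep.internal.acmemdm.com are constructed sample input; the optional fifth argument for a Per-App Tunnel port is an assumption used to express the "ports must differ" rule for Cascade deployments.

```shell
#!/bin/sh
# Added example: offline sanity check for the VMware Tunnel Proxy Details screen.
# Not the product's own tooling; plain POSIX sh, no network access.

# A Tunnel host name must be a bare FQDN: no scheme, no path, no port suffix.
valid_hostname() {
  case "$1" in
    ''|*://*|*/*|*:*) return 1 ;;   # e.g. "https://tunnel..." or "host:2020" are wrong
  esac
  # at least one dot; labels made of letters, digits and hyphens only
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$'
}

# A port must be an integer between 1 and 65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# preflight <relay_host> <relay_port> [<endpoint_host> <endpoint_port> [<per_app_port>]]
#   Basic deployment:          preflight tunnel.acmemdm.com 2020
#   Relay-Endpoint deployment: preflight tunnel.acmemdm.com 2020 tunnel-ep.internal.acmemdm.com 2010
#   With Per-App Tunnel too:   add its port as the fifth argument (assumed input, see lead-in)
# Prints every problem found and returns 0 only when all checks pass.
preflight() {
  rc=0
  relay_host=$1; relay_port=$2
  endpoint_host=${3:-}; endpoint_port=${4:-}; per_app_port=${5:-}

  valid_hostname "$relay_host" || { echo "relay host '$relay_host' is not a bare FQDN"; rc=1; }
  valid_port "$relay_port"     || { echo "relay port '$relay_port' is not a valid port"; rc=1; }

  if [ -n "$endpoint_host" ] || [ -n "$endpoint_port" ]; then
    valid_hostname "$endpoint_host" || { echo "endpoint host '$endpoint_host' is not a bare FQDN"; rc=1; }
    valid_port "$endpoint_port"     || { echo "endpoint port '$endpoint_port' is not a valid port"; rc=1; }
  fi
  if [ -n "$per_app_port" ]; then
    valid_port "$per_app_port" || { echo "per-app port '$per_app_port' is not a valid port"; rc=1; }
  fi

  # Every listener you configure must sit on its own port.
  seen=" "
  for p in "$relay_port" "$endpoint_port" "$per_app_port"; do
    [ -n "$p" ] || continue
    case "$seen" in *" $p "*) echo "port $p is assigned twice"; rc=1 ;; esac
    seen="$seen$p "
  done

  [ "$rc" -eq 0 ] && echo "OK: details look consistent"
  return "$rc"
}

# Usage: sh preflight.sh <relay_host> <relay_port> [<endpoint_host> <endpoint_port> [<per_app_port>]]
if [ "$#" -ge 2 ]; then
  preflight "$@"
fi
```

Run it with the exact strings you intend to type into the wizard; a non-zero exit means at least one value would be rejected at install time or would make the relay unreachable from devices.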
- On the SSL screen, you can configure the public SSL certificate that secures the client-server communication from the enabled application on a device to the VMware Tunnel. By default, this setup uses an AirWatch-issued certificate for secure server-client communication.
- Select the Use Public SSL Certificate option if you prefer to use a third-party SSL certificate for encryption between Workspace ONE Web or SDK-enabled apps and the VMware Tunnel server.
- Select Upload to upload a .PFX or .P12 certificate file and enter its password. This file must contain both the certificate and its private key. CER and CRT files are not supported, because they carry only the public certificate.
- Select Next.
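Before uploading a third-party bundle, confirm it actually contains what the wizard expects. The script below is an added example, not part of the Workspace ONE UEM documentation or the Tunnel installer; it assumes OpenSSL 1.1.1 or later on the administrator's workstation. It checks that the .PFX opens with the given password, holds a private key and a leaf certificate that belong together, carries the public Tunnel hostname in the Subject Alternative Name, and has not expired. The make_demo_pfx helper builds a throwaway self-signed bundle for tunnel.acmemdm.com (the hostname used as an example on this page) purely so the check can be exercised offline; it is constructed sample input, not something you would upload.

```shell
#!/bin/sh
# Added example: verify a .PFX/.P12 before uploading it on the Tunnel SSL screen.
# Not the product's own tooling. Requires OpenSSL 1.1.1+ (-addext, -ext).

# check_pfx <file> <password> <public-hostname>
# Returns 0 when the bundle is usable for the given hostname, 1 otherwise.
check_pfx() {
  pfx=$1; pw=$2; host=$3
  tmp=$(mktemp -d) || return 1

  # 1. A private key must be present. A CER/CRT re-saved as .pfx fails here,
  #    as does a wrong password.
  if ! openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pw" \
        -out "$tmp/key.pem" >/dev/null 2>&1; then
    echo "FAIL: no private key found (or wrong password)"; rm -rf "$tmp"; return 1
  fi

  # 2. Extract only the leaf certificate (-clcerts), leaving the key out.
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pw" \
      -out "$tmp/leaf.pem" >/dev/null 2>&1
  if ! grep -q 'BEGIN CERTIFICATE' "$tmp/leaf.pem"; then
    echo "FAIL: no certificate found in bundle"; rm -rf "$tmp"; return 1
  fi

  # 3. Key and certificate must be a pair: compare their public keys.
  k1=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null | openssl sha256)
  k2=$(openssl x509 -in "$tmp/leaf.pem" -pubkey -noout 2>/dev/null | openssl sha256)
  if [ "$k1" != "$k2" ]; then
    echo "FAIL: private key does not match the certificate"; rm -rf "$tmp"; return 1
  fi

  # 4. The SAN must name the public hostname devices connect to.
  esc=$(printf '%s' "$host" | sed 's/\./\\./g')
  if ! openssl x509 -in "$tmp/leaf.pem" -noout -ext subjectAltName 2>/dev/null \
        | grep -Eq "DNS:${esc}"'(,|$)'; then
    echo "FAIL: subjectAltName does not contain DNS:$host"; rm -rf "$tmp"; return 1
  fi

  # 5. The certificate must still be valid right now.
  if ! openssl x509 -in "$tmp/leaf.pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: certificate has expired"; rm -rf "$tmp"; return 1
  fi

  rm -rf "$tmp"
  echo "OK: $pfx contains a matching key and certificate for $host"
  return 0
}

# make_demo_pfx <dir>: constructed sample input, a self-signed bundle protected
# with the password "secret". Demonstration only; never upload a self-signed cert.
make_demo_pfx() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
      -keyout "$d/k.pem" -out "$d/c.pem" \
      -subj '/CN=tunnel.acmemdm.com' \
      -addext 'subjectAltName=DNS:tunnel.acmemdm.com' >/dev/null 2>&1 || return 1
  openssl pkcs12 -export -inkey "$d/k.pem" -in "$d/c.pem" \
      -out "$d/tunnel.pfx" -passout pass:secret >/dev/null 2>&1
}

# Usage: sh check_pfx.sh demo            (build the sample bundle and check it)
#        sh check_pfx.sh <file.pfx> <password> <hostname>
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_demo_pfx "$d" && check_pfx "$d/tunnel.pfx" secret tunnel.acmemdm.com
  rm -rf "$d"
elif [ "$#" -eq 3 ]; then
  check_pfx "$1" "$2" "$3"
fi
```

The SAN check matters more than the CN: current TLS clients match the hostname against subjectAltName, so a certificate that only has the hostname in its subject will still fail on devices.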
- On the Authentication screen, configure the following settings to select the certificates that devices use to authenticate to the VMware Tunnel.
By default, all the components use AirWatch issued certificates. To use Enterprise CA certificates for the client-server authentication, select the Enterprise CA option.
- Select Default to use AirWatch-issued certificates. The default AirWatch-issued client certificate does not automatically renew. To renew these certificates, republish the VPN profile to devices that have an expiring or expired client certificate. View the certificate status for a device by navigating to Devices > Device Details > More > Certificates.
- Selecting Enterprise CA in place of AirWatch-issued certificates for authentication between Workspace ONE Web, Per-App Tunnel-enabled apps, or SDK-enabled apps and the VMware Tunnel requires that a certificate authority and certificate template be set up in your Workspace ONE UEM environment before you configure VMware Tunnel.
- Select the Certificate Authority and Certificate Template that are used to request a certificate from the CA.
- Select Upload to upload the full chain of your certificate authority's public certificates to the configuration wizard.
The CA template must contain CN=UDID in the subject name, so that each issued client certificate identifies the device it was issued to. Supported CAs are ADCS, RSA, and SCEP.
Enterprise CA certificates auto-renew based on your CA template settings.
- Click Add to add an Intermediate Certificate.
- Select Next.
- On the Miscellaneous screen, you can enable access logs for the proxy or Per-App Tunnel components. Enable the Access Logs toggle switch to configure the feature.
If you intend to use this feature, you must configure it now as part of the configuration, because it cannot be enabled later without reconfiguring Tunnel and rerunning the installer. For more information on these settings, see access logs and syslog integration and configure advanced settings for VMware Tunnel.
- Enter the hostname or IP address of your syslog host in the Syslog Hostname field. This setting displays after you enable Access Logs.
- Enter the UDP port on which the syslog host listens in the UDP Port field. Access logs are sent over UDP, which provides no delivery guarantee or encryption, so keep the syslog host on a trusted network segment.
- Select Next, review the summary of your configuration, confirm that all hostnames, ports and settings are correct, and select Save.
The installer is now ready to download on the VMware Tunnel Configuration screen.
- On the Configuration screen, select the General tab. The General tab allows you to do the following:
- You can select Test Connection to verify the connectivity.
- You can select Download Configuration XML to retrieve the existing VMware Tunnel instance configuration as an XML file.
- You can select the Download Unified Access Gateway hyperlink. This button downloads the non-FIPS OVA file. The download file also includes the PowerShell script and .ini template file for the PowerShell deployment method. You must download the VHDX or FIPS OVA from My Workspace ONE.
- For legacy installer methods, you can select Download Windows Installer.
This button downloads a single BIN file used for deploying the VMware Tunnel server. The configuration XML file required for installation can be downloaded from the Workspace ONE UEM console after you confirm the certificate password.
- Select Save.