Deploying VMware Tunnel using the Unified Access Gateway appliance provides a secure and effective method for individual applications to access corporate resources. Unified Access Gateway 3.0 supports deployment on either ESXi or Microsoft Hyper-V environments.

VMware Tunnel is composed of two independent components: Tunnel Proxy and Per-App Tunnel. You deploy VMware Tunnel using either of two network architecture models: single or multi-tier.

Both Tunnel Proxy and Per-App Tunnel deployment models can be used for a multi-tier network on the UAG appliance. The deployment consists of a front-end Unified Access Gateway server deployed in the DMZ and a back-end server deployed in the internal network.

The Tunnel Proxy component secures the network traffic between an end user device and a website through the VMware Browser or any AirWatch SDK-enabled application deployed from AirWatch. The mobile application creates a secure HTTPS connection with the Tunnel Proxy server and protects the sensitive data. Devices are authenticated to the Tunnel Proxy with a certificate issued via the SDK as configured in the AirWatch Admin Console. Typically, this component should be used when there are un-managed devices that need secured access to internal resources.

For fully enrolled devices, the Per-App Tunnel component allows devices to connect to internal resources without needing the AirWatch SDK. This component leverages the native Per-App VPN capabilities of the iOS, Android, Windows 10, and macOS operating systems. For more information on these platforms and VMware Tunnel component capabilities, please refer to the VMware Tunnel Guide at

Deploying the VMware Tunnel for your AirWatch environment involves setting up the initial hardware, configuring the VMware Tunnel hostname and port information in the AirWatch Admin Console, downloading and deploying the Unified Access Gateway OVF template, and manually configuring the VMware Tunnel. See ConfigureVMware Tunnel Settings for Workspace ONE UEM for details.

Figure 1. VMware Tunnel Multi-Tier Deployment: Proxy and Per-App Tunnel

AirWatch v9.1 and above supports Cascade Mode as the Multi-Tier deployment model for VMware Tunnel. Cascade Mode requires a dedicated inbound port for each Tunnel component from the internet to the front-end Tunnel server. Both the front-end and back-end servers must be able to communicate with the AirWatch API and AWCM servers. VMware Tunnel Cascade mode supports the multi-tier architecture for the Per-App Tunnel component.

For more details, including those on Relay Endpoint Deployment for use with the Tunnel Proxy component, see the VMware Tunnel documentation at