Deploying VMware Tunnel using the Unified Access Gateway appliance provides a secure and effective method for individual applications to access corporate resources.

VMware Tunnel provides granular access control to applications and services, both in your network and in the cloud. The Tunnel client provides per-app management, with explicit trust of the individual applications you want to manage. Domain-based filtering makes it easy to define access control and split-tunneling policies. It is built on native frameworks and is provided across all major platforms. When an application is launched or creates a network request, that request is forwarded to the VMware Tunnel client for routing. Local filtering then determines which traffic must be tunneled into your network, sent to the Internet or another proxy, or blocked from leaving the device. Data that is passed to the VMware Tunnel gateway is protected with TLS and DTLS, and the following checks are performed as part of authentication:
  • It uses SSL pinning to ensure that the server identity is correct.
  • It performs TLS mutual authentication with a client certificate that uniquely identifies the device.
  • The Tunnel gateway validates that the client certificate is on an allowlist of trusted certificates within the Workspace ONE UEM Console and performs a device compliance check to ensure the integrity of the user’s device.
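
The domain-based filtering described above, sketched as an added example (not VMware's code and not the Tunnel rule syntax). The pattern format, first-match ordering, the `RULES` list and the fail-closed handling of malformed names are assumptions made for illustration; the point is that wildcards must match on whole DNS labels so a lookalike host cannot inherit a tunnel rule.

```python
from enum import Enum

class Action(Enum):
    TUNNEL = "tunnel"   # route into the corporate network via the gateway
    PROXY = "proxy"     # hand off to another proxy
    BYPASS = "bypass"   # send directly to the Internet
    BLOCK = "block"     # do not let the request leave the device

# Constructed sample policy (hypothetical syntax): ordered, first match wins.
RULES = [
    ("payroll.corp.example", Action.BLOCK),
    ("*.corp.example", Action.TUNNEL),
    ("*.partner.example", Action.PROXY),
]
DEFAULT_ACTION = Action.BYPASS

def normalize(host):
    """Lower-case, drop one trailing root dot, split into labels; None if malformed."""
    host = host.strip().lower()
    if host.endswith("."):
        host = host[:-1]
    labels = host.split(".")
    if not host or any(not label for label in labels):
        return None
    return labels

def matches(pattern, labels):
    """Exact match, or '*.suffix' covering one or more whole labels left of suffix."""
    parts = pattern.lower().split(".")
    if parts[0] != "*":
        return labels == parts
    suffix = parts[1:]
    if not suffix:          # bare "*" matches every well-formed name
        return True
    # Compare label lists, not raw string suffixes: "evilcorp.example" must
    # not match "*.corp.example", and neither does the apex "corp.example".
    return len(labels) > len(suffix) and labels[-len(suffix):] == suffix

def decide(host, rules=RULES, default=DEFAULT_ACTION):
    """Return the Action for a destination host name."""
    labels = normalize(host)
    if labels is None:
        return Action.BLOCK  # fail closed on names that cannot be parsed
    for pattern, action in rules:
        if matches(pattern, labels):
            return action
    return default

if __name__ == "__main__":
    for name in ("intranet.corp.example", "evilcorp.example", "payroll.corp.example"):
        print(name, "->", decide(name).value)
```

Because the first matching rule wins, the specific `payroll.corp.example` block must sit above the broader `*.corp.example` tunnel rule.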

For more information on supported platforms and VMware Tunnel capabilities, see VMware Tunnel in the VMware Workspace ONE UEM documentation at VMware Docs.

Configure VMware Tunnel

Configure VMware Tunnel in the Workspace ONE UEM Console, and set up a server that meets the hardware, software, and network requirements. For more information, see Configure VMware Tunnel in the VMware Workspace ONE UEM documentation at VMware Docs.

VMware Tunnel Deployment Model

VMware Tunnel supports deploying a single-tier model and a multi-tier model. Both SaaS and on-premises Workspace ONE environments support the single-tier and multi-tier models. For more information, see VMware Tunnel Deployment Model in the VMware Workspace ONE UEM documentation at VMware Docs.

Deployment of VMware Tunnel with Unified Access Gateway

Unified Access Gateway hosts Workspace ONE services like per-app VMware Tunnel, and is the preferred method of deployment. Deploying VMware Tunnel on Unified Access Gateway can be done from either vSphere or Hyper-V and can be automated using PowerShell. The VMware Tunnel service on Unified Access Gateway is the same as the one the Linux installer provides. For more information, see Installing VMware Tunnel with Unified Access Gateway in the VMware Workspace ONE UEM documentation at VMware Docs.

Deployment of VMware Tunnel with PowerShell

You can use PowerShell to deploy the VMware Tunnel for Workspace ONE UEM. For more information, see Install VMware Tunnel using PowerShell Script in the VMware Workspace ONE UEM documentation at VMware Docs.