VMware Tunnel (Per-App VPN) is configured with cascade settings in the Workspace ONE UEM console.

Two Tunnel server hostnames are configured in the Workspace ONE UEM console, one for the front-end and one for the back-end. We can deploy two sets of nodes on Unified Access Gateway, for the front-end and the back-end respectively.

The front-end nodes on Unified Access Gateway are configured with a front-end Tunnel server hostname. The HA settings on front-end nodes on Unified Access Gateway are configured with an external floating IP address. The front-end Tunnel server hostname gets resolved to the external floating IP address. The connections on this external floating IP address are distributed among the front-end nodes on Unified Access Gateway.

The back-end nodes on Unified Access Gateway are configured with the back-end Tunnel server hostname. The HA settings on back-end nodes on Unified Access Gateway are configured with an internal floating IP address. The VMware Tunnel (Per-App VPN) service on front-end nodes on Unified Access Gateway forwards the traffic to the back-end using the back-end Tunnel server hostname. The back-end Tunnel server hostname gets resolved to the internal floating IP address. The connections on this internal floating IP address are distributed among the back-end nodes on Unified Access Gateway.

Figure 1. VMware Tunnel (Per-App VPN) Connections in Cascade Mode

Mode and Affinity: The least connections algorithm is used for HA and load distribution. A new request is sent to the server with the fewest current connections to clients. Session affinity is not required because the connections are stateless.
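
The following is an added illustration, not VMware code: a simplified model of least-connections distribution applied independently at each floating IP in cascade mode. The hostnames, IP addresses, node names, and the first-listed tie-break are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Tier:
    """One set of Unified Access Gateway nodes behind a floating IP."""
    floating_ip: str
    nodes: list
    open_conns: dict = field(init=False)

    def __post_init__(self):
        self.open_conns = {n: 0 for n in self.nodes}

    def accept(self):
        # Least connections: pick the node with the fewest open connections.
        # Ties go to the first node listed (an assumption of this model).
        node = min(self.nodes, key=self.open_conns.get)
        self.open_conns[node] += 1
        return node

class Cascade:
    def __init__(self, dns, front_host, back_host, tiers):
        self.dns = dns  # hostname -> floating IP
        self.front_host, self.back_host = front_host, back_host
        self.tiers = {t.floating_ip: t for t in tiers}

    def connect(self):
        # The client reaches the front-end hostname; the front-end node then
        # forwards to the back-end hostname. Each hop is balanced on its own.
        fe = self.tiers[self.dns[self.front_host]].accept()
        be = self.tiers[self.dns[self.back_host]].accept()
        return fe, be

    def disconnect(self, path):
        fe, be = path
        self.tiers[self.dns[self.front_host]].open_conns[fe] -= 1
        self.tiers[self.dns[self.back_host]].open_conns[be] -= 1

def build_cascade():
    # Constructed sample values (documentation address range, made-up names).
    dns = {"tunnel-fe.example.com": "203.0.113.10",
           "tunnel-be.example.internal": "10.0.0.10"}
    front = Tier("203.0.113.10", ["fe-1", "fe-2"])
    back = Tier("10.0.0.10", ["be-1", "be-2", "be-3"])
    return Cascade(dns, "tunnel-fe.example.com",
                   "tunnel-be.example.internal", [front, back])

if __name__ == "__main__":
    c = build_cascade()
    paths = [c.connect() for _ in range(6)]
    c.disconnect(paths[0]); c.disconnect(paths[2])
    print(paths, c.connect(), c.connect())
```

After two connections on `fe-1` close, the next two new connections both go to `fe-1` regardless of which node served earlier traffic, which is the behavior that makes session affinity unnecessary.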