Configure the network traffic rules so that the AirWatch Tunnel client routes traffic to the HTTPS proxy for Android devices. You add the Android apps that are configured with the per app VPN option to the traffic rules, and configure the proxy server address and the destination host name.

About this task

Configure the device traffic rules to control how devices handle traffic from specified applications. Device traffic rules force the AirWatch Tunnel app to send traffic through the tunnel, block all traffic to specified domains, bypass the internal network straight to the Internet, or send traffic to an HTTPS proxy site.

For detailed information about creating network traffic rules, see the VMware AirWatch Tunnel Guide on the AirWatch Resources Web site.

Prerequisites

  • The AirWatch Tunnel option configured with the per-app tunnel component installed.

  • Android VPN profile created.

  • Per-App VPN enabled for each Android App that is added to the Network Traffic rules.

Procedure

  1. In the AirWatch admin console, navigate to System > Enterprise Integration > AirWatch Tunnel > Network Traffic Rules.
  2. In the Device Traffic Rules tab, configure the device traffic rules settings as described in the AirWatch Tunnel Guide. Specific to the Mobile SSO for Android configuration, configure the following settings.
    1. Select the default action.

      Option    Description

      Tunnel    For the VPN configuration with single sign-on to Android, select Tunnel as the default action. All apps on the device configured for Per App VPN send the network traffic through the tunnel.

      Bypass    For single sign-on to Android, select Bypass as the default action.

                Important: With Bypass as the default action, all apps configured for Per App VPN on the device bypass the tunnel and connect to the Internet directly. With this implementation, no traffic is sent to the Tunnel server when the Tunnel client is used only for single sign-on.

    2. In the Application column, add the Android apps that are configured with the per app VPN profile.
    3. In the Action column, select Proxy and specify the HTTPS proxy information. Enter certproxy.vmwareidentity.com:5262.
    4. In the Action column, select Proxy and specify the HTTPS proxy information. Enter the VMware Identity Manager host name and port. For example, login.example.com:5262.
      Note: If you are providing external access to the VMware Identity Manager host, the firewall port 5262 must be opened or port 5262 traffic must be proxied through a reverse proxy in the DMZ.

    5. In the Destination Hostname column, enter your destination VMware Identity Manager host name. Enter it as <tenant>.vmwareidentitymanager.<region>. The address choices are vmwareidentity.com, vmwareidentity.eu, or vmwareidentity.asia. The AirWatch Tunnel client routes the traffic to the HTTPS proxy from the VMware Identity Manager host name.
    6. In the Destination Hostname column, enter your destination VMware Identity Manager host name. For example, myco.example.com. The AirWatch Tunnel client routes the traffic to the HTTPS proxy from the VMware Identity Manager host name.
  3. Click Save.

What to do next

Publish these rules. After the rules are published, the device receives an updated VPN profile and the AirWatch Tunnel application is configured to enable SSO.

Go to the VMware Identity Manager administration console and configure Mobile SSO for Android in the Built-in Identity Provider page. See the VMware Identity Manager Administration Guide.
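
The note in step 4 requires port 5262 to be reachable when the VMware Identity Manager host is exposed externally. The following Python check is an added example, not part of the VMware documentation: it validates a host:port value as entered in the Action column and reports whether the port answers from where it is run. The function names and result labels are assumptions of this example.

```python
import socket
import sys


def parse_endpoint(entry):
    """Split a 'host:port' value as entered in the Action column (port is required)."""
    host, sep, port = entry.strip().rpartition(":")
    if not (sep and host and port.isdigit() and 0 < int(port) < 65536):
        raise ValueError(f"expected host:port, got {entry!r}")
    return host, int(port)


def probe(entry, timeout=3.0):
    """Classify the proxy endpoint as open, refused, filtered, unreachable or unresolved."""
    host, port = parse_endpoint(entry)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # TCP handshake completed
    except socket.gaierror:
        return "unresolved"        # host name does not resolve from this network
    except ConnectionRefusedError:
        return "refused"           # host answers, but nothing listens on the port
    except socket.timeout:
        return "filtered"          # no answer: typically a firewall dropping the traffic
    except OSError:
        return "unreachable"       # no route to the host or network


if __name__ == "__main__":
    # Usage: python check_proxy.py login.example.com:5262
    # Run it from outside the DMZ to test the externally visible path.
    failed = False
    for entry in sys.argv[1:]:
        result = probe(entry)
        print(f"{entry}: {result}")
        failed = failed or result != "open"
    sys.exit(1 if failed else 0)
```

A "filtered" result points at the firewall rule, while "refused" means the traffic reached the host or reverse proxy but no service is bound to the port.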