To configure the VMware Tunnel, you need the details of the server where you plan to install it. Decide in advance whether you plan to use features such as syslog integration, NSX integration, and SSL offloading, because these features are enabled during configuration.

To configure the VMware Tunnel, perform the following steps:

  1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel > Configuration.

    If this is your first time configuring VMware Tunnel, then select Configure and follow the configuration wizard screens. Otherwise, select Override, then select the Enable VMware Tunnel check box, and then select Configure.

  2. On the Configuration Type screen, select the components that you want to configure.

    Your options are Proxy and Per-App Tunnel. Depending on your selections, the following screens may display different text boxes and options. In the drop-down menus that display, select whether you are configuring a Cascade, Relay-Endpoint, or Basic deployment for each component. Select the information icon to see an example for the selected type.

  3. Select Next.
  4. On the Details screen, configure the following settings:

    PROXY (APP WRAPPING / BROWSER / SDK) CONFIGURATION

    Relay Host Name (Relay-Endpoint only)
      Enter the FQDN of the public host name for the Tunnel relay server, for example, tunnel.acmemdm.com. This hostname must be publicly resolvable, because it is the DNS name that devices connect to from the Internet.

    Endpoint Host Name
      The internal DNS name of the Tunnel endpoint server. This value is the hostname that the relay server connects to on the relay-endpoint port. If you plan to install the VMware Tunnel on an SSL-offloaded server, enter the name of that server in place of the Host Name.

      When you enter the Host Name, do not include a protocol, such as http:// or https://.

    Relay Port (HTTPS)
      The proxy service is installed on this port. Devices connect to <relayhostname>:<port> to use the VMware Tunnel proxy feature. The default value is 2020.

    Relay-Endpoint Port (Relay-Endpoint only)
      This value is the port used for communication between the VMware Tunnel relay and the VMware Tunnel endpoint. The default value is 2010.

      If you are using a combination of Proxy and Per-App Tunnel, the relay endpoint installs as part of the Front-End Server for Cascade mode. The two ports must be set to different values.

    Advanced Proxy Configuration Details

    Use Kerberos Proxy
      Enable Kerberos proxy support to allow access to Kerberos authentication for your target back-end web services. This feature does not currently support Kerberos Constrained Delegation (KCD). For more information, see Kerberos KDC Proxy Support.

      The Endpoint server must be in the same domain as the KDC for the Kerberos Proxy to communicate successfully with the KDC.

    Realm
      Enter the domain of the KDC server.

      This text box only displays if you enable Use Kerberos Proxy.

    PER-APP TUNNELING CONFIGURATION

    Basic Mode

    Hostname
      Enter the FQDN of the public host name for the Tunnel server, for example, tunnel.acmemdm.com. This hostname must be publicly resolvable, because it is the DNS name that devices connect to from the Internet.

    Port
      Enter the port number assigned for communication with the VMware Tunnel component. The default value is 8443.

    Cascade Mode

    Front-end Hostname
      Enter the FQDN of the public host name for the Tunnel relay server, for example, tunnel.acmemdm.com. This hostname must be publicly resolvable, because it is the DNS name that devices connect to from the Internet.

    Front-end Port
      Enter the port number assigned for communication with the VMware Tunnel component. The default value is 8443.

    Back-end Hostname
      Enter the hostname of the back-end server.

      When entering the hostname, do not include a protocol (http://, https://, and so on).

    Back-end Port
      Enter the port used for communication between the VMware Tunnel relay and the Per-App Tunnel endpoint. The default value is 8443.

  5. Select Next.
  6. On the SSL screen, configure the following settings to select the certificates that secure client-server communication from enabled applications on a device to the VMware Tunnel.

    PROXY (APP WRAPPING / BROWSER / SDK) SSL CERTIFICATE

    Default
      By default, this setup uses an AirWatch certificate for secure server-client communication. AirWatch issues a certificate for the hostname configured on the Details screen.

    Use Public SSL Certificate
      Enable this option if you prefer to use a third-party SSL certificate for encryption between VMware Browser or SDK-enabled apps and the VMware Tunnel server.

      Upload a .PFX or .P12 certificate file and enter its password. The file must contain both the public certificate and the matching private key. CER and CRT files are not supported.

    PER-APP TUNNELING SSL CERTIFICATE

    Default
      By default, this setup uses an AirWatch certificate for secure server-client communication. AirWatch issues a unique certificate for the hostname configured on the Details screen.

      To use the Default option, select Next; the certificates are generated automatically.

    Use Public SSL Certificate
      Enable this option if you prefer to use a third-party SSL certificate for encryption between VMware Browser or SDK-enabled apps and the VMware Tunnel server.

      Upload a .PFX or .P12 certificate file and enter its password. The file must contain both the public certificate and the matching private key. CER and CRT files are not supported.

      SAN certificates are not currently supported. The certificate must be issued either to the VMware Tunnel hostname or as a valid wildcard certificate for the corresponding domain.

    The Tunnel Device Root Certificate is generated automatically when you select Next to continue to the Authentication section.
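A pre-flight check for the values entered on the Details and SSL screens above, written as an added example (it is not VMware's code and not part of the wizard): it rejects hostnames that carry a protocol or are not FQDNs, flags relay and relay-endpoint ports that collide, and tests whether a certificate subject CN covers the Tunnel hostname either exactly or as a single-label wildcard for its domain, since SAN entries are not used. All sample values are constructed.

```python
"""Pre-flight checks for VMware Tunnel Details/SSL screen values (added example)."""
import re
from typing import List

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_hostname(name: str) -> List[str]:
    """Problems with a hostname entry; an empty list means it is acceptable."""
    problems = []
    if "://" in name or "/" in name:
        problems.append("must not include a protocol or path (http://, https://)")
        name = name.split("://", 1)[-1].split("/", 1)[0]  # re-check the bare host
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
        problems.append("must be a fully qualified domain name such as tunnel.acmemdm.com")
    return problems


def check_ports(relay_port: int, relay_endpoint_port: int) -> List[str]:
    """The relay port (default 2020) and relay-endpoint port (default 2010) must differ."""
    problems = []
    for label, port in (("relay port", relay_port),
                        ("relay-endpoint port", relay_endpoint_port)):
        if not 1 <= port <= 65535:
            problems.append(f"{label} {port} is outside 1-65535")
    if relay_port == relay_endpoint_port:
        problems.append("relay port and relay-endpoint port must be different values")
    return problems


def cert_name_matches(subject_cn: str, tunnel_host: str) -> bool:
    """True if the certificate subject CN covers the Tunnel hostname.

    Accepts an exact match or a wildcard for the host's own domain:
    *.acmemdm.com covers tunnel.acmemdm.com but not a.b.acmemdm.com.
    Only the CN is consulted because SAN certificates are not supported here.
    """
    cn = subject_cn.lower().rstrip(".")
    host = tunnel_host.lower().rstrip(".")
    if cn == host:
        return True
    if cn.startswith("*."):
        host_labels = host.split(".")
        return len(host_labels) >= 3 and ".".join(host_labels[1:]) == cn[2:]
    return False
```

Whether an uploaded .PFX actually carries the private key alongside the certificate is easiest to confirm before upload with `openssl pkcs12 -info -in file.pfx`, which lists both.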

  7. Select Next.
  8. On the Authentication screen, configure the following settings to select the certificates that devices use to authenticate to the VMware Tunnel.

    • Proxy Authentication / Per-App Tunnel Authentication – By default, all the components use AirWatch issued certificates. To use Enterprise CA certificates for client-server authentication, select the Enterprise CA option.
      • Select Default to use AirWatch issued certificates. The default AirWatch issued client certificate does not automatically renew. To renew these certificates, re-publish the VPN profile to devices that have an expiring or expired client certificate. View the certificate status for a device by navigating to Devices > Device Details > More > Certificates.

      • Select Enterprise CA to use Enterprise CA certificates in place of AirWatch-issued certificates for authentication between the VMware Browser, Per-App Tunnel-enabled apps, or SDK-enabled apps and the VMware Tunnel. This option requires that a certificate authority and certificate template are set up in your AirWatch environment before you configure VMware Tunnel.

        • Select the certificate authority and certificate template that are used to request a certificate from the CA.
        • Upload the full chain of the public key of your certificate authority to the configuration wizard.

        The CA template must contain CN=UDID in the subject name. Supported CAs are ADCS, RSA, and SCEP.

        Certificates auto-renew based on your CA template settings.

        For more information about integrating with your certificate provider, see Certificate Management Overview.

  9. Select Next.
  10. On the Profile Association screen, you can optionally create a new iOS or Android VPN profile or select an existing one. For a device to take advantage of Per-App Tunnel functionality, it must be issued a device profile with a VPN payload that uses VMware Tunnel as the VPN provider. These profiles can also be created after the VMware Tunnel configuration is complete.

    Select the platform, then select whether to Create New Profile or Use Existing. The Create New Profile option creates a device profile in Devices > Profiles > List View. This profile is assigned to the organization group where you configure VMware Tunnel and the deployment type is set to On Demand. If you choose to create one or more profiles now, refer to the Configuring Per-App Tunneling with VMware Tunnel section of the VMware Tunnel Admin Guide for more details.

    The profile is only created with this step; you must still publish it manually. By default, any profiles you create on this screen are assigned to all devices at the current organization group. You can edit these profiles manually after completing the VMware Tunnel configuration.

  11. Select Next.
  12. On the Miscellaneous screen, you can enable access logs for the proxy or Per-App Tunnel components. If you intend to use this feature, you must configure it now as part of the configuration, because it cannot be enabled later without reconfiguring Tunnel and rerunning the installer. For more information on these settings, see Access Logs and Syslog Integration and Configure Advanced Settings.

    For Per-App Tunneling, you can also configure NSX Communication, which is the integration between AirWatch and VMware NSX to achieve micro-segmentation. For more information on this integration, refer to the VMware AirWatch and VMware NSX Integration Guide.

  13. Select Next, review the summary of your configuration, confirm that all hostnames, ports and settings are correct, and select Save. The installer is now ready to download on the VMware Tunnel configuration screen.
  14. If you plan to use SSL offloading for the VMware Tunnel proxy component, select the Advanced tab on the Tunnel Configuration screen and select Export Proxy Certificate. Then, import this certificate on the server performing SSL offloading. (This server can be a load balancer or reverse proxy.)

  15. Select the General tab and then select the Download Virtual Appliance hyperlink. This link downloads the OVA file used for deploying VMware Tunnel onto relays and endpoints. The download also includes the PowerShell script and .ini template file for the PowerShell deployment method.

    For legacy installer methods, select Download Linux Installer. This button downloads a single TAR file used for deploying the relay and endpoints. You must also confirm a certificate password that is used during installation. The password must contain a minimum of six characters.

  16. Select Save.

Continue with the steps to Deploy VMware Tunnel using vSphere or PowerShell Virtual Appliance Deployment, depending on the deployment method you use.

For legacy deployment methods, continue with the steps for Install the AirWatch Tunnel Relay Server (Linux) or Install the AirWatch Tunnel Endpoint Server (Linux), depending on the configuration that you selected.