Network traffic rules give you granular control over how the VMware Tunnel directs traffic from devices. Using the Per-App Tunnel component of VMware Tunnel, create device traffic rules to control how devices handle traffic from specified applications, and server traffic rules to manage network traffic when you have third-party proxies configured.

Device traffic rules force VMware Tunnel to send traffic through the tunnel, block all traffic to specified domains, bypass the internal network and go straight to the Internet, or send traffic to an HTTPS proxy. The device traffic rules are created and ranked to give an order of execution. Every time a specified app is opened, VMware Tunnel checks the list of rules to determine which rule applies. If no rule matches, VMware Tunnel applies the default action. The default action, set for all applications except Safari, applies to domains not mentioned in any rule. If no rules are specified, the default action applies to all domains. The device traffic rules you create apply to all VPN VMware Tunnel profiles in the organization group in which the rules are created.

Server traffic rules enable you to manage the network traffic when you have third-party proxies configured in your network. These rules apply to traffic originating from the VMware Tunnel. The rules force the VMware Tunnel to send traffic for specified destinations to either use the proxy or bypass it.

Supported Platforms

VMware Tunnel supports Network Traffic rules for the following platforms:

  • iOS devices with VMware Workspace ONE Tunnel for iOS.
  • macOS devices with VMware Workspace ONE Tunnel for macOS.
    Note:
    • For macOS, you can add apps under Device Traffic Rules and assign Device Traffic Rules if you are using UEM console 1910 or above.
    • If you are using UEM console 1910 or above, the VPN profile for macOS does not have the App Mapping section, and the apps have to be added on the Device Traffic Rules page.
  • Android devices with VMware Workspace ONE Tunnel for Android.
  • Windows desktop devices with VMware Workspace ONE Tunnel desktop application.
    Note: Device Traffic Rules added are applicable only to the Windows Tunnel Desktop Client and not to the Windows Store app. A device-wide VPN profile has to be enabled to use the Windows Tunnel Desktop Client.

VMware Tunnel supports enforcing the Per-App VPN rules configured in the Windows Desktop and Windows Phone VPN profiles.

Create Device Traffic Rules

Add rules for how traffic is directed by the Workspace ONE Tunnel application. These rules allow you to configure Smart Group-specific policies to tunnel, block, or bypass traffic for individual apps.

Before you create device traffic rules, verify the following:

  • Make sure you have configured VMware Tunnel with the Per-App Tunnel component enabled.

  • For iOS and Android applications, configure Per App VPN for VMware Tunnel.

Watch a tutorial video explaining how to create device traffic rules: Configure the network traffic rules for Per-App Tunnel.

Complete the following steps to create device traffic rules:

  1. Navigate to Groups & Settings > Configurations > Tunnel.
  2. By default, the Device Traffic Rules settings of the Child OG are set to Override which allows you to Edit the settings of the current OG. Based on your configuration needs, you can also select Clear Override if you want to inherit the Device Traffic Rules settings of the current organization group's parent OG.
  3. Click Edit. The Manage Traffic Assignments window is displayed.
  4. The Default Device Traffic Rule is displayed. Click Add to enter a new Device Traffic Rule.
  5. Enter the Assignment Name.
  6. Configure the Device Traffic Rules.
    Add Rule: Select Add Rule to create a rule.

    These rules are only applicable to the Per-App Tunnel component of VMware Tunnel for Android, iOS, macOS, and Windows Desktop devices. For iOS, use the Workspace ONE Tunnel client application from the App Store. For Windows Desktop, use the Workspace ONE Tunnel Desktop application.

    1. Rank: Select-and-drag the rule to rearrange the ranking of your network traffic rules.
    2. Application: Select Add to add a triggering application for the network rule. This drop-down menu is populated with applications that have Per App VPN enabled, plus Safari for macOS. If you configure rules for the Safari app for macOS, the traffic rules override and disable any domain rules configured in existing profiles.
    3. Action: Select the action from the drop-down menu that VMware Tunnel applies to all network traffic from the triggering app when the app starts.
      • Tunnel – Sends app network traffic for the specified domains through the tunnel to your internal network. All apps, except Safari, on the device configured for Per App VPN send their network traffic through the tunnel. For example, set the Default Action to Tunnel to ensure that all configured apps without a defined traffic rule use the VMware Tunnel for internal communications.

      • Block – Blocks all apps, except Safari, on the device configured for Per App VPN from sending the network traffic. For example, set the Default Action to Block to ensure that all configured apps without a defined traffic rule cannot send any network traffic regardless of destination.

      • Bypass – Allows all apps, except Safari, on the device configured for Per App VPN to bypass the tunnel and connect to the Internet directly. For example, set the Default Action to Bypass to ensure that all configured apps without a defined traffic rule bypass the VMware Tunnel and access their destination directly.

      • Proxy – Redirect traffic to the specified HTTPS proxy for the listed domains. The proxy must be HTTPS and must follow the correct format: https://example.com:port.

      • Tunnel+Proxy – Redirects traffic to a specified HTTP proxy that resides behind the Tunnel.

        Note:

        This action is supported by the Tunnel SDK on iOS as used by the Workspace ONE Web app. The only configuration required here is the proxy host; the proxy destinations must be provided to the Workspace ONE Web app.

    4. Destination: Enter the hostnames to which the action set for the rule applies. For example, with the Block action, enter all the domains that the app must not be able to access.

      Use a comma (,) to distinguish between hostnames.

      You can use wildcard characters for your hostnames. Wildcards must follow the format:

      • *.<domain>.*

      • *<domain>.*

      • *.* — You cannot use this wildcard for Safari domain rules.

      • * — You cannot use this wildcard for Safari domain rules.

    5. Select Save to save your changes.

    Manage Applications
    1. Click Add.
    2. Select the Platform.
    3. For Windows Tunnel Desktop Client, complete the following steps:
      • Enter a Friendly Name for the application.

      • Select the App Type.

      • Enter the App Identifier.

        The App Identifier is the path or the package family name (PFN) of the application. For a Store App, the Package Family Name (PFN) is used and can be found using the PowerShell command Get-AppxPackage *<app_name>. For a Desktop App, the file path is used. For example, you can use C:\Program Files (x86)\acme\app.exe.

        Note:

        macOS traffic rules can be created only if you are using UEM console 1910 or above. On older versions, the rules have to be configured through the profile.

    4. For macOS applications, complete the following steps:
      • Enter the Friendly Name for the application.

      • Enter the Package ID.

      • Enter the Designated Requirement

      • Enter the Path.

        This text box is optional and applies only to macOS Catalina and above. Enter the Path when the command-line utilities to be whitelisted are bundled inside an application. For example, the vmware-remotemks executable bundled with the VMware Horizon Client application has to be whitelisted by its path.

        Note:

        Currently, on iOS devices only the default traffic rule applies to destinations given as IP addresses, because IP-based connections are not considered when evaluating the traffic rules. For Windows Desktop devices, the domains added to the destination must also be added to the DNS Resolution via Tunnel Gateway section of the Windows Desktop device profile.

      • Select Save to save your changes.

    To change an application, open the Manage Applications window, select the application you want to edit, and make your changes.

    To delete an application, open the Manage Applications window, select the application you want to delete, and click Delete.

  7. Click Save. You are directed to the Manage Traffic Assignments window. Each assignment of Device Traffic Rules can be selected within your Tunnel profile. This allows you to create different policies for different personas based on user, device, or use case.
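The evaluation order described above (ranked rules checked in order for the triggering app, first match wins, default action otherwise) is easy to get wrong when rules overlap. The following is an added example, not VMware's code and not part of the console: a small evaluator that models that behaviour, together with the validation points the page states (Proxy actions need an https://host:port proxy; Safari rules may not use `*` or `*.*`). The rule names, app names, hostnames and proxy URL are constructed sample values, and the wildcard semantics (a `*` matches any run of characters) are an assumption of this example.

```javascript
// Added example, not VMware's own code: a ranked first-match evaluator that
// models the device traffic rule behaviour described on this page.
// Rule names, app names, hostnames and the proxy URL are constructed values.
// Assumption: a '*' in a destination matches any run of characters.

const ACTIONS = new Set(["Tunnel", "Block", "Bypass", "Proxy", "Tunnel+Proxy"]);

// Split a comma-separated destination list into trimmed hostname patterns.
function splitDestinations(destinations) {
  return destinations.split(",").map((d) => d.trim()).filter(Boolean);
}

// Compile one pattern such as "*.corp.example.com" into an anchored regex.
function patternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`, "i");
}

// Reject configurations the page says are not valid, then precompile matchers.
function validateRule(rule) {
  if (!ACTIONS.has(rule.action)) {
    throw new Error(`unknown action "${rule.action}" in rule ${rule.name}`);
  }
  const patterns = splitDestinations(rule.destination);
  if (patterns.length === 0) {
    throw new Error(`rule ${rule.name} has no destination`);
  }
  // Proxy action: the proxy must be HTTPS in the form https://host:port.
  if (rule.action === "Proxy" && !/^https:\/\/[^\s/:]+:\d{1,5}$/.test(rule.proxy || "")) {
    throw new Error(`rule ${rule.name}: Proxy action needs https://host:port`);
  }
  // Safari domain rules may not use the bare "*" or "*.*" wildcards.
  if (rule.app === "Safari" && patterns.some((p) => p === "*" || p === "*.*")) {
    throw new Error(`rule ${rule.name}: "*" and "*.*" are not allowed for Safari`);
  }
  return { ...rule, matchers: patterns.map(patternToRegExp) };
}

// rules is the ranked list (index 0 = rank 1). Only rules for the triggering
// app are considered; the first match wins, otherwise the default action applies.
function resolveAction(rules, defaultAction, app, host) {
  for (const rule of rules) {
    if (rule.app !== app) continue;
    if (rule.matchers.some((re) => re.test(host))) {
      return { action: rule.action, rule: rule.name, proxy: rule.proxy || null };
    }
  }
  return { action: defaultAction, rule: "default", proxy: null };
}

// Constructed sample assignment: array order is the rank. The Block rule is
// ranked above the broader Tunnel rule so that it wins for its one host.
const DEVICE_RULES = [
  { name: "block-legacy-host", app: "Workspace ONE Web", action: "Block", destination: "legacy.corp.example.com" },
  { name: "intranet", app: "Workspace ONE Web", action: "Tunnel", destination: "*.corp.example.com, wiki.example.com" },
  { name: "saas-via-proxy", app: "Workspace ONE Web", action: "Proxy", destination: "*.saas.example.*", proxy: "https://proxy.example.com:8443" },
].map(validateRule);
const DEVICE_DEFAULT_ACTION = "Bypass";

for (const host of ["legacy.corp.example.com", "intranet.corp.example.com", "mail.saas.example.net", "www.public.example"]) {
  console.log(host, "->", resolveAction(DEVICE_RULES, DEVICE_DEFAULT_ACTION, "Workspace ONE Web", host));
}
```

Because the default action covers every domain not named in a rule, review what `resolveAction` returns for the hosts you expect to be tunnelled: a host that falls through to a Bypass default leaves the device on the direct path with no rule recorded for it.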

Configure Server Traffic Rules using Outbound Proxy

You can configure server traffic rules for the VMware Tunnel to manage how traffic is directed through a third-party proxy. These rules allow you to bypass the proxy or send traffic through it. You can either add rules manually in the UEM console or via PAC files by using the VMware Tunnel PAC Reader.

Many organizations use outbound proxies to control the flow of traffic to and from their network. Outbound proxies can also be used for performing traffic filtering, inspection, and analysis.

It is not mandatory to use outbound proxies with VMware Tunnel, but your organization may choose to deploy them behind one or more VMware Tunnel servers based on recommendations from your security and network teams. For VMware Tunnel on Linux, Workspace ONE UEM supports outbound proxies for the two VMware Tunnel components: Proxy and Per-App Tunnel.

Only the basic and cascade deployment models support outbound proxies for the Per-App Tunnel through server traffic rules.

The following table illustrates outbound proxy support for the VMware Tunnel Per-App Tunnel on Linux: 

  Proxy Configuration (Supported?):
  • Outbound Proxy with no auth
  • Outbound Proxy with basic auth
  • Outbound Proxy with NTLM auth
  • Multiple Outbound Proxies
  • PAC Support

Configure the rules for sending traffic to your outbound proxies using the server traffic rules.

If you want to send the requests to the API/AWCM servers through your outbound proxy as well, then you must enable the Default AWCM + API traffic via Server Traffic Rules Networking settings under Groups & Settings > All Settings > Configurations > Tunnel. Once enabled, add the respective web proxies for API/AWCM hostnames on the server traffic rules page.

Configure Server Traffic Rules from the UEM Console

Add rules for the VMware Tunnel to manage how traffic is directed through a third-party proxy. These rules allow you to bypass the proxy or send traffic through it.

The server traffic rules only apply to VMware Tunnel servers using the Per-App Tunnel component.
  1. Navigate to Groups & Settings > Configurations > Tunnel.
  2. Select Configure.
  3. In the Outbound Proxies section, select Edit and then select Add Outbound Proxy to add a third-party outbound proxy. You may add additional outbound proxies by selecting Add Outbound Proxy again.
    Host: Enter the proxy hostname.
    Port: Enter the port on which the third-party proxy listens for connections from the VMware Tunnel.
    Authentication: Select the proxy authentication method used: Basic or NTLM.
    User Name: Enter the user name for proxy authentication.
    Password: Enter the password for proxy authentication.
  4. Select Save to save your changes.
  5. In the Server Traffic Rules section, you can configure the server traffic rule settings.
  6. Select Edit.
  7. Select Add Server Traffic Rule to add a new server traffic rule. Enter the following information:
    Destination: Enter the destination hostname that triggers the traffic rule.

    Rules for applications on Windows 10 and macOS devices (except Safari) must use an IP address as the hostname.

    You cannot use regular expressions, only specific wildcard characters. Windows 10 and macOS devices support the following wildcards:

    • 10.10.*
    • 10.10.0.0/16

    If you are entering multiple hostnames, separate them by commas.

    For domains you want to resolve on Windows 10 devices through the VMware Tunnel server, you must add the domains to the Windows Desktop VPN profile for VMware Tunnel.

    Action: Select the action that the VMware Tunnel applies to server traffic for the destination hostname.

    • Bypass – Bypass the proxy and send all traffic directly to the destination hostname.
    • Proxy – Send server traffic through the outbound proxy.

      Selecting Proxy displays the Outbound Proxy menu.

    Proxy: Select the outbound proxy to handle server traffic for the destination hostname. If you select multiple outbound proxies, the proxies are used in a round-robin format.

    The proxies that populate this menu are those proxies added in the Outbound Proxies section.

  8. (Optional) Select Add Server Traffic Rule if you wish to add any additional server traffic rules.
  9. Select Apply to save your changes.
  10. Select Close.
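To make the destination matching and the round-robin proxy selection above concrete, here is an added example (not VMware's code, and not how the Tunnel server is implemented): a small router that understands the two wildcard forms the page lists for Windows 10 and macOS destinations, `10.10.*` and `10.10.0.0/16`, plus literal hostnames and IPs, and that rotates through the outbound proxies attached to a Proxy rule. The proxy hosts, destinations and rule names are constructed values. The page does not say what happens when no server traffic rule matches; this example sends such traffic directly, which is an assumption, and reports `rule: null` so the gap is visible.

```javascript
// Added example, not VMware's own code: models server traffic rule matching
// (CIDR, prefix wildcard, literal host/IP) and round-robin use of several
// outbound proxies. All hosts, addresses and rule names are constructed.

function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// One destination entry: "10.10.0.0/16" (CIDR), "10.10.*" (prefix), or a literal.
function matchesDestination(entry, target) {
  const cidr = entry.match(/^(\d+\.\d+\.\d+\.\d+)\/(\d{1,2})$/);
  if (cidr) {
    const net = ipv4ToInt(cidr[1]);
    const addr = ipv4ToInt(target);
    const bits = Number(cidr[2]);
    if (net === null || addr === null || bits > 32) return false;
    const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    return ((net & mask) >>> 0) === ((addr & mask) >>> 0);
  }
  if (entry.endsWith(".*")) {
    return target.startsWith(entry.slice(0, -1)); // "10.10.*" -> prefix "10.10."
  }
  return entry.toLowerCase() === target.toLowerCase();
}

class ServerTrafficRules {
  constructor(rules) {
    this.rules = rules;          // ordered list; first matching rule wins
    this.counters = new Map();   // per-rule round-robin position
  }

  // Returns { action, rule, proxy }. Assumption (not stated on the page):
  // traffic that matches no rule goes directly to the destination.
  route(target) {
    for (const rule of this.rules) {
      const entries = rule.destination.split(",").map((s) => s.trim()).filter(Boolean);
      if (!entries.some((e) => matchesDestination(e, target))) continue;
      if (rule.action === "Bypass") return { action: "Bypass", rule: rule.name, proxy: null };
      const n = this.counters.get(rule.name) || 0;
      this.counters.set(rule.name, n + 1);
      const proxy = rule.proxies[n % rule.proxies.length];
      return { action: "Proxy", rule: rule.name, proxy: `${proxy.host}:${proxy.port}` };
    }
    return { action: "Bypass", rule: null, proxy: null };
  }
}

// Constructed sample: two outbound proxies (as added in the Outbound Proxies
// section) and two server traffic rules.
const OUTBOUND_PROXIES = [
  { host: "proxy-a.example.com", port: 3128, auth: "NTLM" },
  { host: "proxy-b.example.com", port: 3128, auth: "NTLM" },
];
const SERVER_RULES = [
  { name: "internal-direct", destination: "10.10.0.0/16, 10.20.*", action: "Bypass" },
  { name: "saas-via-proxy", destination: "saas.example.com, 203.0.113.*", action: "Proxy", proxies: OUTBOUND_PROXIES },
];

const router = new ServerTrafficRules(SERVER_RULES);
for (const target of ["10.10.42.7", "saas.example.com", "203.0.113.9", "198.51.100.4"]) {
  console.log(target, "->", router.route(target));
}
```

Keep Bypass rules for internal ranges ranked above any broad Proxy rule; otherwise internal traffic leaves through the outbound proxy and, with NTLM or Basic configured, carries proxy credentials it never needed to present.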

Configure Server Traffic Rules using VMware Tunnel PAC Reader

The VMware Tunnel PAC Reader allows you to use PAC files to configure outbound proxies for the Per-App Tunnel component.

Complete the following steps before you configure the server traffic rules using the PAC reader:

  • Download the PAC Reader bundle from the Workspace ONE UEM Resources Portal. Install the PAC Reader on any Linux server, such as your VMware Tunnel server. If the PAC file contains DNS resolution rules such as dnsResolve() or isInNet(), change the value of traffic_rule_post_dns in server.conf to 1 on your VMware Tunnel server.
    Note: Currently the PAC Reader has the following limitations:
    • Currently, the PAC Reader only supports Linux servers.
    • The PAC Reader currently does not support the following rules:
      • Nested if statements. Try to put the inner logic above the outer logic. This change makes the outer logic lower ranked than the inner logic.
      • Else-if statements. Try to convert these rules to if statements.
      • Regex
      • myIpAddress()
      • Generic use of the AND operator
    • The PAC Reader supports only limited declaration and use of variables.

    Before you configure Outbound Proxy using VMware Tunnel PAC Reader, make sure that you meet the following network requirements:

    • Access to the Workspace ONE UEM API server: The PAC Reader requires access to the Workspace ONE UEM API server. The server is typically accessed over port 443. Consider installing the PAC Reader on your VMware Tunnel server as the server already has access to the Workspace ONE UEM API server.
    • Access to the PAC file. If you are hosting your PAC file on a Web server, the PAC Reader must have the access to that server.
    • RHEL 7 as the server OS.
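The limitations listed above amount to a flat style: one `if` per rule, most specific rule first, each returning immediately, with no nesting, `else if`, regular expressions, `myIpAddress()` or general `&&`. The following added example (not from VMware or the PAC Reader bundle) shows a PAC file written that way; the unsupported nested form it replaces is kept in a comment for contrast. Because a PAC file only runs inside a PAC engine, the block also defines constructed stand-ins for the PAC built-ins it calls (`dnsDomainIs`, `shExpMatch`, `isInNet`, `isPlainHostName`) so that it can be exercised under node; a real engine supplies its own. Proxy hosts, domains and addresses are constructed values.

```javascript
// Added example, not from the VMware docs or the PAC Reader: a PAC file in
// the flat style the PAC Reader accepts, plus constructed stand-ins for the
// PAC built-ins so the file can be run and tested under node.

// --- constructed stand-ins; a browser or PAC engine provides the real ones ---
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function isPlainHostName(host) { return !host.includes("."); }
function shExpMatch(str, shexp) {
  const re = new RegExp("^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$", "i");
  return re.test(str);
}
function isInNet(host, pattern, mask) {
  // A real engine resolves host first; this stand-in only handles dotted-quad hosts.
  const toInt = (ip) => ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  return (toInt(host) & toInt(mask)) === (toInt(pattern) & toInt(mask));
}

// --- the PAC file body ---
// Unsupported shape for the PAC Reader (nested if, else-if):
//   if (dnsDomainIs(host, ".corp.example.com")) {
//     if (shExpMatch(host, "git.*")) return "DIRECT";
//     return "PROXY proxy-a.example.com:3128";
//   } else if (isPlainHostName(host)) { return "DIRECT"; }
// Supported shape: one if per rule, inner (more specific) logic first so it
// outranks the broader domain rule, every branch returning immediately.
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "git.corp.example.com")) {
    return "DIRECT";
  }
  if (dnsDomainIs(host, ".corp.example.com")) {
    return "PROXY proxy-a.example.com:3128";
  }
  // isInNet() is a DNS resolution rule: traffic_rule_post_dns must be 1 in server.conf.
  if (isInNet(host, "10.10.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  return "PROXY proxy-a.example.com:3128; PROXY proxy-b.example.com:3128";
}
```

Read in terms of the server traffic rules above, a branch returning `DIRECT` corresponds to a Bypass rule and a branch returning `PROXY host:port` to a Proxy rule for that outbound proxy (this correspondence is the example's reading of the page, not something the page spells out). Keep the branch order as the rank you want, since the PAC Reader has no other ordering information to go on.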

Complete the following steps to configure the server traffic rules using the PAC reader:
  1. Download the installer from the Workspace ONE UEM Resources Portal.
  2. Create a dedicated install directory for the installer on the Linux server. For example, create /tmp/Install/ as the install directory and copy the LinuxPacReaderInstaller.bin file to this location.
  3. Navigate to the directory to which you copied the file. Run the command chmod 750 LinuxPacReaderInstaller.bin to assign the execute permission to the LinuxPacReaderInstaller.bin file.
  4. Run the BIN file by using the required command: sudo ./LinuxPacReaderInstaller.bin
  5. Configure the necessary properties in the pacreader.properties file.
    API_SERVER_URL: Enter the API server URL.
    API_KEY: Enter the API key for the API server. Find this key by navigating to Groups & Settings > All Settings > System > Advanced > API > REST API > API Key.
    Location group ID: Location Group ID where the VMware Tunnel server is deployed.
    PAC Location: Path to the PAC file if it is stored locally on the machine (PAC_PATH); otherwise use the http/https link (PAC_LINK). A local PAC file can be placed at /opt/vmware/tunnel/pacreader. If you configure PAC_LINK, do not configure PAC_PATH; if you configure PAC_PATH, do not configure PAC_LINK.
    API Certificate: The Admin API Certificate, which can be obtained from UEM Console > Accounts > Administrators > List View > Edit account > API > Certificates > Export Certificate.
    API Certificate Password: Password for the pfx/p12 API certificate file.
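Because PAC_PATH and PAC_LINK are mutually exclusive and the API settings are required, a pre-flight check of pacreader.properties before running `./pacreader validate` saves a round trip. The following is an added example, not part of the PAC Reader bundle: a properties parser and a checker for the keys the page names (API_SERVER_URL, API_KEY, PAC_PATH, PAC_LINK). The sample file contents are constructed, and the requirement that API_SERVER_URL be an https:// URL is this example's own rule, based on the page's note that the API server is typically reached over port 443.

```javascript
// Added example, not part of the PAC Reader: a pre-flight check of the
// pacreader.properties keys named on this page. Sample contents are constructed;
// the https requirement on API_SERVER_URL is this example's own policy.

// Minimal Java-style properties parser: key=value or key:value, '#'/'!' comments.
function parseProperties(text) {
  const props = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith("!")) continue;
    const idx = line.search(/[=:]/);
    if (idx === -1) continue;
    props[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
  }
  return props;
}

// Returns a list of problems; an empty list means the checked keys look consistent.
function checkPacReaderProperties(props) {
  const problems = [];
  if (!props.API_SERVER_URL) {
    problems.push("API_SERVER_URL is missing");
  } else if (!/^https:\/\//i.test(props.API_SERVER_URL)) {
    problems.push("API_SERVER_URL should be an https:// URL (API server is typically reached over 443)");
  }
  if (!props.API_KEY) problems.push("API_KEY is missing");
  const hasPath = Boolean(props.PAC_PATH);
  const hasLink = Boolean(props.PAC_LINK);
  if (hasPath && hasLink) problems.push("set only one of PAC_PATH or PAC_LINK, not both");
  if (!hasPath && !hasLink) problems.push("one of PAC_PATH or PAC_LINK is required");
  if (hasLink && !/^https?:\/\//i.test(props.PAC_LINK)) {
    problems.push("PAC_LINK must be an http:// or https:// URL");
  }
  if (hasPath && !props.PAC_PATH.startsWith("/")) {
    problems.push("PAC_PATH must be an absolute local path, for example under /opt/vmware/tunnel/pacreader");
  }
  return problems;
}

// Constructed sample: both PAC keys set, which the page says not to do.
const BAD_PROPERTIES = `
# constructed sample pacreader.properties
API_SERVER_URL=https://uem.example.com
API_KEY=REPLACE_WITH_REST_API_KEY
PAC_PATH=/opt/vmware/tunnel/pacreader/proxy.pac
PAC_LINK=https://pac.example.com/proxy.pac
`;

// Constructed sample: corrected to use only PAC_LINK.
const GOOD_PROPERTIES = `
# constructed sample pacreader.properties
API_SERVER_URL=https://uem.example.com
API_KEY=REPLACE_WITH_REST_API_KEY
PAC_LINK=https://pac.example.com/proxy.pac
`;

console.log("bad:", checkPacReaderProperties(parseProperties(BAD_PROPERTIES)));
console.log("good:", checkPacReaderProperties(parseProperties(GOOD_PROPERTIES)));
```

The file holds the REST API key and the API certificate password, so keep it readable only by the account that runs pacreader; the checker above inspects content, not file permissions.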

Complete the following steps after you configure the server traffic rules using the PAC reader:

  • Open the bash shell.
  • Go to the pacreader installation directory: cd /opt/vmware/tunnel/pacreader
  • Execute the following command to validate the configuration: ./pacreader validate