Configure the fundamental VMware Tunnel architecture to establish connectivity and trust within your environment.

Procedure

  1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel. Select Current Setting, or select Override to configure new settings for the child organization group.
    Note: Overriding tunnel configuration does not override VMware Tunnel Proxy settings.
  2. Under Deployment Details, select whether you are deploying VMware Tunnel in Basic or Cascade mode.

    When deploying in Basic mode, supply the public-facing Hostname and the Port number that is assigned for communication with the VMware Tunnel component.

    When deploying in Cascade mode, enter the Frontend Hostname and Port as well as the Backend Hostname and Port.

    Note: Make sure that you configure Tunnel and Tunnel Proxy with different ports.
  3. Under Server Authentication, select the SSL provider of your choice.
    By default, AirWatch provides a certificate; third-party certificates are also supported. When using a third-party certificate, make sure to include both the public and private keys in either .PFX or .P12 format.
  4. Under Client Authentication, select either AirWatch or a Third Party CA as the authentication provider for VMware Tunnel users.
    To use a third-party certificate authority, select the Certificate Authority and Certificate Template that are used to request a certificate from the CA.

    For the VMware Tunnel gateway to trust certificates issued by a third-party CA, upload the full chain of your certificate authority's public key to the configuration wizard.

    The CA template must contain CN={DeviceUid} in the subject name and a Subject Alternate Name (SAN) certificate. If the Windows desktop Tunnel client is used with the Per-App Tunnel, then the template must contain CN={DeviceUid}:vpn.air-watch.com, SAN:upn={UserPrincipalName}.

    Certificates auto-renew based on your CA template settings.

  5. Under Networking, define how VMware Tunnel communicates with Workspace ONE UEM and how the device traffic flows through your network.
    1. Select Manage Server Traffic Rules with VMware Tunnel PAC Reader if you are using the PAC Reader to manage the traffic rules.
    2. Select Default AWCM + API traffic via Server Traffic Rules if the communication between the VMware Tunnel and Workspace ONE UEM API or AWCM uses the outbound proxy.
  6. Under Logging, you can configure settings related to the server logs.
    1. Select the level of logging for the VMware Tunnel from the Service Logs drop-down menu. As a best practice, set Service Logs to Error or Warning unless you are troubleshooting. Info and Debug can impact server performance, so do not enable them while the server is busy during peak hours.
    2. Access Logs provide a high-level record of users and devices using VMware Tunnel. In a cascade deployment, the back-end server performs the syslog transport.
      From the Access Logs drop-down, you can select the following:
      • Syslog Hostname: If you make this selection, enter the URL of your syslog host and the UDP Port over which you want to communicate. Ensure that the logging level for access logs is set appropriately in rsyslog.conf on the syslog server.
      • File: If you make this selection, the filename is set to /var/log/vmware/tunnel/vpnd/access.log.

      There is no correlation between this syslog integration and the integration accessed on Groups & Settings > All Settings > System > Enterprise Integration > Syslog.

  7. Under Custom Settings, select Add Custom Setting and add the Configuration Key, and the Configuration Value.
    You can configure the following Configuration Keys and Configuration Values. Each entry lists the field, its syntax, an example, and a description.

    log_file_append
      Syntax: log_file_append <value>
      Example: log_file_append 1
      Description: Setting log_file_append to 0 truncates tunnel.log or reporter.log on service restart and deletes tunnel.log.1 or reporter.log.1, tunnel.log.2 or reporter.log.2, and so on, if those files are present. Setting it to 1 appends to tunnel.log or reporter.log, and the backed-up files (tunnel.log.1 or reporter.log.1, and so on) are not deleted.
      • 0 - Do not append logs
      • 1 - Append logs

    log_file_backup_count
      Syntax: log_file_backup_count <value>
      Example: log_file_backup_count 4
      Description: Specify the maximum number of backup log files to be created once the maximum file size is reached.

    log_backup_strategy
      Syntax: log_backup_strategy <value>
      Example: log_backup_strategy 0
      Description: Specify a periodic log backup strategy.
      • 0 - No backup
      • 1 - Daily backup. Log files are backed up daily.
      • 2 - Weekly backup. Log files are backed up weekly.

    log_backup_hour
      Syntax: log_backup_hour <value>
      Example: log_backup_hour 0
      Description: Specify the hour at which the log backup is performed. For example, a value of 4 runs the backup at 04:00. This setting applies only when log_backup_strategy is daily (1) or weekly (2). Enter a value in the range 0 to 23.

    log_backup_day
      Syntax: log_backup_day <value>
      Example: log_backup_day 0
      Description: Specify the day on which the log backup is performed. For example, a value of 3 runs the backup on Wednesday at the specified hour. This setting applies only when log_backup_strategy is 2 (weekly). The value can be 0-6 for Sunday to Saturday.

    log_archive_count
      Syntax: log_archive_count <value>
      Example: log_archive_count 1
      Description: Specify the maximum number of archive files to be created for the backup logs. The archive files are located at /var/log/vmware/tunnel/vpnd/backup.

    log_file_size
      Syntax: log_file_size <file size>
      Example: log_file_size 20
      Description: Specify the maximum file size (in MB) of the log file. The file size must be an integer in the range 1 to 80.

    use_internal_dns_for_domains
      Syntax: use_internal_dns_for_domains *.domain1.com, *.domain2.com
      Example: use_internal_dns_for_domains *.internaldomain.com, *.acme.com
      Description: Overrides the device traffic rules for split DNS. Internal DNS resolution is specified through the use_internal_dns_for_domains key-value pair: the domains listed here are resolved internally and all other domains are resolved externally.
      Note: This field accepts at most 800 characters. Use a comma (,) to separate domains. Wildcard characters are allowed in domains and hostnames and must follow one of these formats:
      • *.<domain>.*
      • *<domain>.*

    allowed_compliance_states
      Syntax: allowed_compliance_states <allowed state 1, allowed state 2, ...>
      Example: allowed_compliance_states 3,5
      Description: Compliance states of the devices that are allowed to connect.
      Note: The possible compliance states are:
      • 1 - Allowed
      • 2 - Blocked
      • 3 - Compliant
      • 4 - NonCompliant
      • 5 - NotAvailable
      • 6 - NotApplicable
      • 7 - PendingComplianceCheck
      • 8 - PendingComplianceCheckForAPolicy
      • 9 - RegistrationActive
      • 10 - RegistrationExpired
      • 11 - Quarantined

    keepalive_timeout
      Syntax: keepalive_timeout <time in seconds>
      Default Value: 300
      Example: keepalive_timeout 300
      Description: Time (in seconds) after which the device's connection is disconnected if no TCP keepalive has been received.

    client_ip_traffic
      Syntax: client_ip_traffic <value>
      Default Value: 1
      Example: client_ip_traffic 1
      Description: Set the client-side IP mode:
      • 0 = Dual IPv4/IPv6. Both IPv4 and IPv6 traffic are enabled on the device side.
      • 1 = IPv4 Only. Only IPv4 traffic is enabled on the device side.
      • 2 = IPv6 Only. Only IPv6 traffic is enabled on the device side.

    dns_ip_mode
      Syntax: dns_ip_mode <value>
      Default Value: 1
      Example: dns_ip_mode 0
      Description: Set the DNS IPv4/IPv6 query mode:
      • 0 = Dual IPv4/IPv6. Both IPv4 and IPv6 results are allowed in the DNS query result.
      • 1 = IPv4 Only. Only IPv4 addresses are allowed in the DNS query result.
      • 2 = IPv6 Only. Only IPv6 addresses are allowed in the DNS query result.

    dns_server_address_1, dns_server_address_2, ...
      Syntax: dns_server_address_1 <ip address or domain name>
      Example: dns_server_address_1 1.2.3.4
      Description: Specifies the DNS servers that devices use for DNS lookup. If not specified, the settings from /etc/resolv.conf are used. Up to 4 addresses can be specified using the _1, _2, _3 and _4 suffixes.
      Note: This key must be used together with the dns_server_port KVP. If no IP address is specified or the dns_server_port KVP is not added, the settings from /etc/resolv.conf are used.

    dns_server_port
      Syntax: dns_server_port <port>
      Example: dns_server_port 53
      Description: Specifies the DNS server port that devices use for DNS lookup. If the port is not specified, the settings from /etc/resolv.conf are used.

    api_configuration_fetch_interval
      Syntax: api_configuration_fetch_interval <min>
      Default Value: 60
      Example: api_configuration_fetch_interval 60
      Description: Specifies the interval in minutes at which the configuration, including Server Traffic Rules, is re-downloaded from the API (minimum 15).

    dtls_channel
      Syntax: dtls_channel <value>
      Default Value: 1
      Example: dtls_channel 1
      Description: Specifies whether a secondary DTLS channel is enabled for device UDP traffic. This also requires an additional firewall change to allow the UDP port.

    openssl_cipher_list
      Syntax: openssl_cipher_list <value>
      Default Value: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
      Example: openssl_cipher_list ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
      Description: Specifies the cipher suites allowed in TLS handshakes between servers and devices. Uses the format accepted by the OpenSSL ciphers command: https://www.openssl.org/

    nsx_ethernet_interface
      Syntax: nsx_ethernet_interface <interface name>
      Example: nsx_ethernet_interface eth1
      Description: Specifies the Ethernet interface to which traffic to NSX is routed. A virtual interface is created based on this Ethernet interface. For example, if nsx_host_id is 2, nsx_ethernet_interface is eth1, and two security groups with two IP sets (192.168.0.0/24 and 192.168.1.0/24) are defined, two virtual interfaces are needed: eth1:001 is created with 192.168.0.2 and eth1:002 with 192.168.1.2.

    access_log_events
      Syntax: access_log_events <events to log>
      Default Value: 1,2,3,4,5
      Example: access_log_events 1,2,3,4,5
      Description: Specifies the events that are written to the access log.
      • 1 - Session connect: Logs when a device connects to the tunnel server.
      • 2 - Session disconnect: Logs when a device disconnects from the tunnel server.
      • 3 - Stream connect: Logs when a TCP connection is established between an application on the device and a host.
      • 4 - Stream disconnect: Logs when a TCP connection is disconnected.
      • 5 - HTTP request/response: Logs when HTTP traffic is detected (unencrypted traffic only).

    access_log_format
      Syntax: access_log_format <format>
      Default Value: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{Device-UID}e"
      Example: access_log_format %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{Device-UID}e"
      Description: Access log format. Supported log variables:
      • %h - remote host
      • %l - remote logname
      • %u - remote user
      • %t - time
      • %r - first line of request
      • %s - status
      • %b - size of response
      • %{variable}i - HTTP request header variables
      • %{variable}e - HTTP request response variables

    access_log_custom_format_session_connect
      Syntax: access_log_custom_format_session_connect <format>
      Default Value: %{Connection}v %{Connection-ID}v %{Connection-Type}v %{Connection-Status}v %{Connection-Time}v %{Device-Uid}v %{Device-Name}v %{Device-IP}v->%{Cascade-IP}v %{Device-Vpn-IP}v %{VPN-Server-Connection-Availability}v
      Example: access_log_custom_format_session_connect %{Connection}v %{Connection-ID}v %{Connection-Type}v %{Connection-Status}v %{Connection-Time}v %{Device-Uid}v %{Device-Name}v %{Device-IP}v %{Device-Vpn-IP}v %{VPN-Server-Connection-Availability}v
      Description: Defines the access log message format when a new session is connected. See access_log_format for the list of supported specifiers.

    access_log_custom_format_session_disconnect
      Syntax: access_log_custom_format_session_disconnect <format>
      Default Value: %{Connection}v %{Connection-ID}v %{Connection-Time}v %{Device-Uid}v %{Device-Name}v %{Device-App}v %{Remote-Connection-Status}v %{Remote-Host-Name}v %{Remote-Host-IP}v %{Remote-Bytes-Transferred}v
      Example: access_log_custom_format_session_disconnect %{Connection}v %{Connection-ID}v %{Connection-Time}v %{Device-Uid}v %{Device-Name}v %{Device-App}v %{Remote-Connection-Status}v %{Remote-Host-Name}v %{Remote-Host-IP}v %{Remote-Bytes-Transferred}v
      Description: Defines the access log message format when a session is disconnected. See access_log_format for the list of supported specifiers.

    access_log_custom_format_stream_connect
      Syntax: access_log_custom_format_stream_connect <format>
      Default Value: %{Connection}v %{Connection-ID}v %{Connection-Type}v %{Connection-Time}v %{Device-Uid}v %{Device-Name}v %{Device-Username}v %{Device-App}v %{Remote-Connection-Status}v %{Remote-Host-Name}v %{Remote-Host-IP}v
      Example: access_log_custom_format_stream_connect %{Connection}v %{Connection-ID}v %{Connection-Type}v %{Connection-Time}v %{Device-Uid}v %{Device-Name}v %{Device-Username}v %{Device-App}v %{Remote-Connection-Status}v %{Remote-Host-Name}v %
      Description: Defines the access log message format when a new stream is connected. See access_log_format for the list of supported specifiers.

    access_log_custom_format_stream_disconnect
      Syntax: access_log_custom_format_stream_disconnect <format>
      Default Value: %{Connection-ID}v %{Connection-Time}v %{Device-Uid}v %{Device-Name}v %{Device-App}v %{Remote-Connection-Status}v %{Remote-Host-Name}v %{Remote-Host-IP}v %{Remote-Bytes-Transferred}v
      Example: access_log_custom_format_stream_disconnect %{Connection-ID}v %{Connection-Time}v %{Device-Uid}v %{Device-Name}v %{Device-App}v %{Remote-Connection-Status}v %{Remote-Host-Name}v %{Remote-Host-IP}v %{Remote-Bytes-Transferred}v
      Description: Defines the access log message format when a stream is disconnected. See access_log_format for the list of supported specifiers.

    vpn_mode
      Syntax: vpn_mode socks,nat
      Example: vpn_mode nat,socks
      Description: Supported modes:
      • socks: Per-App Tunnel with SOCKS Proxy for Android, iOS and macOS devices
      • nat: Per-App Tunnel with NAT protocol for Windows devices
      • tun (experimental): Per-App Tunnel using the Linux TUN driver for Windows devices. Cannot be used together with nat mode. This mode requires additional configuration, such as an iptables NAT setup or corporate routing for the return traffic, so nat mode is recommended instead.

    Note: The Custom Settings section used to define Configuration Keys and Configuration Values is available only in Workspace ONE UEM console 2003 or later. For older versions of the Workspace ONE UEM console, the server.conf file has to be modified manually. On Unified Access Gateway 3.7+, a service restart removes that manual configuration.
  8. Select Save.
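As an added example (not part of the VMware documentation), a small Python pre-check that parses custom settings written in the key-value form shown in step 7 and reports values outside the documented ranges, so mistakes such as combining nat and tun, or setting dns_server_address_1 without dns_server_port, are caught before you select Save. The 0/1 range for dtls_channel is my reading of the table, not something the page states explicitly.

```python
# Value constraints transcribed from the custom-settings table in step 7.
# An upper bound of None means the page states no maximum.
INT_RANGES = {
    "log_file_append": (0, 1), "log_backup_strategy": (0, 2),
    "log_backup_hour": (0, 23), "log_backup_day": (0, 6),
    "log_file_size": (1, 80), "client_ip_traffic": (0, 2), "dns_ip_mode": (0, 2),
    "dtls_channel": (0, 1),                      # assumed to be a 0/1 switch
    "api_configuration_fetch_interval": (15, None),
}
LIST_RANGES = {"allowed_compliance_states": (1, 11), "access_log_events": (1, 5)}
VPN_MODES = {"socks", "nat", "tun"}

def parse_settings(text):
    """Parse 'key value' lines (one custom setting per line) into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    return settings

def in_range(value, lo, hi):
    return value.isdigit() and int(value) >= lo and (hi is None or int(value) <= hi)

def validate(settings):
    """Return a list of problems found; an empty list means the settings pass."""
    problems = []
    for key, value in settings.items():
        if key in INT_RANGES:
            lo, hi = INT_RANGES[key]
            if not in_range(value, lo, hi):
                problems.append(f"{key}: {value!r} is not an integer in range {lo}..{hi}")
        elif key in LIST_RANGES:
            lo, hi = LIST_RANGES[key]
            if not all(in_range(v.strip(), lo, hi) for v in value.split(",")):
                problems.append(f"{key}: every item must be an integer in {lo}..{hi}")
        elif key == "use_internal_dns_for_domains" and len(value) > 800:
            problems.append("use_internal_dns_for_domains: longer than 800 characters")
        elif key == "vpn_mode":
            modes = {m.strip() for m in value.split(",")}
            if not modes <= VPN_MODES:
                problems.append(f"vpn_mode: unknown mode(s) {sorted(modes - VPN_MODES)}")
            if {"nat", "tun"} <= modes:
                problems.append("vpn_mode: tun cannot be used together with nat")
    # dns_server_address_N is only honoured together with dns_server_port
    if any(k.startswith("dns_server_address_") for k in settings) and "dns_server_port" not in settings:
        problems.append("dns_server_address_*: dns_server_port missing, /etc/resolv.conf will be used")
    return problems

# Constructed samples: a valid set, then one containing four mistakes.
GOOD = "log_file_size 20\nlog_backup_hour 4\nvpn_mode nat,socks\nallowed_compliance_states 3,5\n"
BAD = "log_file_size 100\nvpn_mode nat,tun\ndns_server_address_1 1.2.3.4\napi_configuration_fetch_interval 5\n"
```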
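Also added here, and not from the original page: a Python parser for access-log lines written in the default access_log_format from step 7, with a per-device summary of the kind a SOC would forward from the syslog host. It assumes %t is rendered Apache-style as [dd/Mon/yyyy:HH:MM:SS zone]; the log lines, hosts and device UIDs are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Matches the default access_log_format:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{Device-UID}e"
# Assumption: %t is rendered as [dd/Mon/yyyy:HH:MM:SS zone], as in Apache logs.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<logname>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}|-) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" "(?P<device_uid>[^"]*)"$'
)

# Constructed sample lines; the addresses, hosts, UIDs and timestamps are made up.
SAMPLE_LOG = """\
10.8.0.12 - - [10/Oct/2023:13:55:36 +0000] "GET http://intranet.example.com/ HTTP/1.1" 200 2326 "-" "Mozilla/5.0" "DEVICE-AAA"
10.8.0.12 - - [10/Oct/2023:13:55:40 +0000] "GET http://intranet.example.com/admin HTTP/1.1" 403 221 "-" "Mozilla/5.0" "DEVICE-AAA"
10.8.0.13 - - [10/Oct/2023:13:56:01 +0000] "POST http://hr.example.com/login HTTP/1.1" 302 0 "-" "Workspace ONE" "DEVICE-BBB"
garbage line that does not match the format
"""

def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # %r is "METHOD URL PROTOCOL"; split it so the target host can be indexed
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["target_host"] = urlsplit(parts[1]).hostname if len(parts) > 1 else ""
    return rec

def summarize(log_text):
    """Per-device counts of requests, 4xx/5xx responses and distinct internal hosts reached."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "hosts": set()})
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # count unparsed lines so parser failures are visible
            continue
        d = stats[rec["device_uid"]]
        d["requests"] += 1
        d["hosts"].add(rec["target_host"])
        if rec["status"].isdigit() and int(rec["status"]) >= 400:
            d["errors"] += 1
    return dict(stats), skipped
```

A device whose error count climbs while its request count stays small is worth a look, since the Device-UID field ties the line back to the enrolled device in the console.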

What to do next

  • Edit, Deactivate, or Delete the VMware Tunnel configuration.
  • Download the Installer and XML to finish the setup.
  • Once the Tunnel Server component is deployed, verify the UEM Console, AWCM and API connectivity through the Test Connection action.

You can now configure your advanced settings for the VMware Tunnel component.