Network traffic rules allow you to set granular control over how the VMware Tunnel directs traffic from devices. Using the Per-App Tunnel of VMware Tunnel, create device traffic rules to control how devices handle traffic from specified applications and server traffic rules to manage network traffic when you have third-party proxies configured.
Device traffic rules force VMware Tunnel to send traffic through the tunnel, block all traffic to specified domains, bypass the internal network straight to the Internet, or send traffic to an HTTPS proxy site. The device traffic rules are created and ranked to give an order for running the rules. Every time a specified application is opened, VMware Tunnel checks the list of rules to determine which rule applies to the situation. If no set rules match the situation, VMware Tunnel applies the default action. The default action, set for all applications except for safari, applies to domains not mentioned in a rule. The device traffic rules created apply to all VPN VMware Tunnel profiles in the organization group the rules are created in.
Server traffic rules enable you to manage the network traffic when you have third-party proxies configured in your network. These rules apply to traffic originating from the VMware Tunnel. The rules force the VMware Tunnel to send traffic for specified destinations to either use the proxy or bypass it.
Supported Platforms
VMware Tunnel supports Network Traffic rules for the following platforms:
- iOS devices with VMware Workspace ONE Tunnel for iOS.
- macOS devices with VMware Workspace ONE Tunnel for macOS.
- Android devices with VMware Workspace ONE Tunnel for Android.
- Windows desktop devices with VMware Workspace ONE Tunnel desktop application.
Note: Device Traffic Rules added are applicable only to Windows Tunnel Desktop Client and not for the Windows store App. Device wide VPN profile has to be enabled to use Windows Tunnel Desktop Client.
Create Device Traffic Rules
The Device Traffic Rules define how traffic from specified applications is routed by the Workspace ONE Tunnel application. The device traffic rules serve as a locally enforced Access Control List, defining which apps and destinations should be blocked, tunneled, proxied, or bypass the tunnel completely.
Before you create device traffic rules, verify the following:
-
Make sure you have configured VMware Tunnel with the Per-App Tunnel component enabled.
-
For iOS and Android applications, configure Per App VPN for VMware Tunnel.
Watch a tutorial video explaining how to create device traffic rules: Configure the network traffic rules for Per-App Tunnel.
Administrators can create multiple Device Traffic Rules sets through Manage Traffic Assignments to segment traffic to internal resources, such as rules for employees devices that as less restricted them access to contractor devices.
Manage Traffic Assignments requires Workspace ONE UEM 2011, otherwise, a single Device Traffic Rule set can be created.
Complete the following steps to create device traffic rules:
- Navigate to .
- By default, the Device Traffic Rules settings of the Child OG are set to Inherit . You can override the DTR settings which allows to Edit the DTR settings for the current OG. Based on your configuration needs, you can also select Clear Override if you want to set it back to inherit the Device Traffic Rules settings of the current organization group's parent OG.
- Click Edit . Click Add to create a new DTR set or you can edit the default DTR set.
Settings Description Tunnel Mode - Per Application : Only the application configured for VPN would be consider and take action based on destination FQDN/IP
- Full Device: Directs all application & all traffic from the device through an encrypted tunnel to the corporate data centre based on the destination FQDN/IP.
Note:- Full device tunnel mode is supported only on Windows Tunnel Desktop Client 2.1 above above and Android Tunnel 21.12 above for AE.
- Enabling full device, also known as container-wide tunnel, on Android AE devices requires UEM console 2111.
- We suggest to bypass the VMware Workspace one DS URL, while using Full device VPN with default action as Tunnel.
Add Rule Select Add Rule to create a rule.
These rules are only applicable to the Per-App Tunnel component of VMware Tunnel for Android, iOS, macOS, and Windows Desktop devices. For iOS, use the Workspace ONE Tunnel client application from the App store. For Windows Desktop, use the Workspace ONE Tunnel Desktop application.
- Rank: Select-and-drag the rule to rearrange the ranking of your network traffic rules.
- Application: Select Add to add a triggering application for the network rule.This drop-down menu is populated with applications with Per App VPN enabled and Safari for macOS. If you configure rules for the Safari app for macOS, the traffic rules override and deactivate any domain rules configured in existing profiles.
- Action: Select the action from the drop-down menu that VMware Tunnel applies to all network traffic from the triggering app when the app starts.
-
Tunnel – Sends app network traffic for specified domains through the tunnel to your internal network. All apps, except Safari, on the device configured for Per App VPN sends the network traffic through the tunnel. For example, set the Action to Tunnel to ensure all configured apps without a defined traffic rule use the VMware Tunnel for internal communications.
-
Block – Blocks all apps, except Safari, on the device configured for Per App VPN from sending the network traffic. For example, set the Default Action to Block to ensure that all configured apps without a defined traffic rule cannot send any network traffic regardless of destination.
-
Bypass – Bypasses all apps, except Safari, on the device configured for Per App VPN bypass the tunnel and connect to the Internet directly. For example, set the Default Action to Bypass to ensure all configured apps without a defined traffic rule bypass the VMware Tunnel to access their destination directly.
-
Proxy – Redirect traffic to the specified HTTPS proxy for the listed domains. The proxy must be HTTPS and must follow the correct format: https://example.com:port.
-
Tunnel+Proxy - Redirect traffic to a specified HTTP proxy that resides behind Tunnel.
Note:This action is supported by the Tunnel SDK on iOS and Android as used by the Workspace ONE Web app. The only configuration required here is the proxy host; the proxy destinations must be provided to the Workspace ONE Web app.
-
- Destination: Enter the hostname applicable to the action set for the rule. For example, enter all the domains to block traffic from accessing using the Block action.
Use a comma (,) to distinguish between hostnames.
You can use wildcard characters for your hostnames. Wildcards must follow the format:
-
*.<domain>.*
-
*<domain>.*
-
*.* — You cannot use this wildcard for Safari domain rules.
-
* — You cannot use this wildcard for Safari domain rules.
- For Android, iOS, and macOS devices, we do not support the IP range, IP subnet, or Port match. In case you want to take any action for a particular IP then add the IP in the device traffic rules. For example, App > Tunnel > 10.10.10.10.
-
Use of IPs and port ranges are only supported for Device Traffic Rules on Windows 10 devices. The following list contains supported formats for the IPv4 and port range when applying the Device Traffic Rules (DTR).
- Single IP - 10.10.0.1 or 10.10.10.1/32
- IP range or subnet
- 10.10.10.1/24
- 10.10.0.0/16
- Single Port
- *.example.com:80, 10.10.10.1:80,10.10.11.1/32:80
- *.example.com:[443], 10.10.11.1/24:[443]
- Port Range
- *.example.com:[80-443], 10.10.10.1:[80-443],10.10.11.1/32:[80-443]
- 10.10.11.1/24:[80-443]
- List of Ports
- example.com:[80,443], 10.10.10.1:[80,443],10.10.11.1/32:[80,443]
- 10.10.11.1/24:[80,443]
- List of ports and port ranges
- *.example.com:[80,443, 8080-8085], 10.10.10.1:[80,443,8080-8085], 10.10.11.1/32:[80,443,8080-8085]
- 10.10.11.1/24:[80,443,8080-8085]
-
-
Select Save to save your changes.
Manage Applications - Click Add.
- Select the Platform.
- For Windows Tunnel Desktop Client, complete the following steps:
-
Enter a Frienly Name for the application.
-
Select the App Type.
-
Enter the App Identifier.
The App Identifier is the path or the package family name (PFN) of the application. For a Store App, the Package Friendly Name (PFN) is used and can be found using the PowerShell command
Get-AppxPackage *<app_name>
. For a Desktop App, the filepath is used. For example, you can use C:\Program Files (x86)\acme\app.exe.Note:macOS traffic rules can be created only if you are using UEM console 1910 or above.Older versions have to configure the rules via profile.
-
- For macOS applications, complete the following steps:
-
Enter the Friendly Name for the application.
-
Enter the Package ID.
-
Enter the Designated Requirement
-
Enter the Path.
This text box is optional and is only applicable for macOS Catalina and above. Enter the Path when the allowlisting command-line utils are bundled inside an application. For example,
vmware-remotemks
has to be allowlisted with path details with the VMware Horizon Client application. -
Select Save to save your changes.
-
If you choose to make any changes to the application, in the Manage Applications window, select the application you like you edit and make changes.
If you want to delete any application, in the Manage Applications window, select the application you like to delete and click Delete.
- Enter the Device Traffic Rule SET Name.
- Configure the Device Traffic Rules.
- Click Save or Save and Publish.
- When the administrator changes the Device Traffic Rules and click Save, the Device Traffic Rules gets mapped to the profile, but the updated Device Traffic Rules is not replaced for the devices where the VPN profile is already installed. Device Traffic Rules is only updated for the newly enrolled devices or for the devices that have the VPN profile reinstalled.
- To send the updated Device Traffic Rules to the devices post modifying the Device Traffic Rules, administrators must click Save and Publish. Save and Publish adds a version to the VPN profile and republishes Device Traffic Rules to all the devices
- You cannot delete the Default Traffic Rule set.
- Save and Publish option is available only for the Default Traffic Rule set
- If an administrator changes the Android application in the Device Traffic Rules and clicks Save and Publish, the VPN profiles for both iOS, Android profiles gets a version update and the VPN profile installs are queued for all the assigned devices.
- Reinstalling the profile reissues the client certificate to the device with a new thumbprint.
Each assignment of Device Traffic Rules can be selected within your Tunnel profile. This allows you to create different policies for different types of personas based on user, device, or use-case.
Configure Server Traffic Rules using Outbound Proxy
You can configure server traffic rules for the VMware Tunnel to manage how traffic is directed through a third-party proxy. These rules allow you to bypass the proxy or send traffic through it. You can either add rules manually in the UEM console or via PAC files by using the VMware Tunnel PAC Reader.
Many organizations use outbound proxies to control the flow of traffic to and from their network. Outbound proxies can also be used for performing traffic filtering, inspection, and analysis.
It is not mandatory to use outbound proxies with VMware Tunnel, but your organization may choose to deploy them behind one or more VMware Tunnel servers based on recommendations from your security and network teams.
The following table illustrates outbound proxy support for the VMware Tunnel Per-App Tunnel on Linux:
Proxy Configuration | Supported? |
---|---|
Outbound Proxy with no auth |
✓ |
Outbound Proxy with basic auth |
✓ |
Outbound Proxy with NTLM auth |
✓ |
Multiple Outbound Proxies |
✓ |
PAC Support |
✓ |
Configure the rules for sending traffic to your outbound proxies using the server traffic rules.
If you want to send the requests to the API/AWCM servers through your outbound proxy as well, then you must enable the Default AWCM + API traffic via Server Traffic Rules Networking settings under . Once enabled, add the respective web proxies for API/AWCM hostnames on the server traffic rules page.
Configure Server Traffic Rules from the UEM Console
Add rules for the VMware Tunnel to manage how traffic is directed through a third-party proxy. These rules allow you to bypass the proxy or send traffic through it.
- Navigate to .
- Select Configure.
- In the Outbound Proxies section, select Edit and the select Add Outbound Proxy to add a third-party outbound proxy. You may add additional outbound proxies by selecting Add Outbound Proxy again.
Settings Description Host Enter the proxy hostname. Port Enter the port the third-party proxy uses to listen to the VMware Tunnel. Authentication Select the proxy authentication method used.
Select Basic or NTLM.
User Name Enter the User name for proxy authentication. Password Enter the Password for proxy authentication. - Select Save to save your changes.
- In the Server Traffic Rules section, you can configure the server traffic rule settings.
- Select Edit.
- Select Add Server Traffic Rule to add a new server traffic rule. Enter the following information:
Settings Description Destination Enter the destination hostname that triggers the traffic rule.
Rules for applications on Windows 10 and macOS (except Safari) devices must use IP address as the hostname.
You cannot use regular expressions except specfic wildcard characters. Windows 10 and macOS devices support using the following wildcards:
- 10.10.*
- 10.10.0.0/16
If you are entering multiple hostnames, separate them by commas.
For domains you want to resolve on Windows 10 devices through the VMware Tunnel server, you must add the domains to the Windows Desktop VPN profile for VMware Tunnel.
Action Select the action that the VMware Tunnel applies to server traffic for the destination hostname.
- Bypass – Bypass the proxy and send all traffic directly to the destination hostname.
-
Proxy – Send server traffic through the outbound proxy.
Selecting Proxy displays the Outbound Proxy menu.
Proxy Select the Outbound proxy to handle server traffic for the destination hostname. If you select multiple outbound proxies, the proxies are used in a round-robin format.
The proxies that populate this menu are those proxies added in the Outbound Proxies section.
- (Optional) Select Add Server Traffic Rule if you wish to add any additional server traffic rules.
- Select Apply to save your changes.
- Select Close.
Configure Server Traffic Rules using VMware Tunnel PAC Reader
The VMware Tunnel PAC Reader allows you to use PAC files to configure outbound proxies for the Per-App Tunnel component.
Complete the following steps before you configure the server traffic rules using the PAC reader:
- Download the PAC Reader bundle from the Workspace ONE UEM Resources Portal. Install the PAC Reader on any Linux server such as your VMware Tunnel server. If the PAC file contains DNS resolution rules such as
dnsresolve()
orisInNet()
, change the value oftraffic_rule_post_dns
in server.conf to1
on your VMware Tunnel server.Note: Currently the PAC Reader has the following limitations:- Currently, the PAC Reader only supports Linux servers.
- The PAC Reader currently does not support the following rules:
- Nested
if
statements. Try to put the inner logic above the outer logic. This change makes the outer logic lower ranked than the inner logic. -
Else-if
statements. Try to convert these rules toif
statements. - Regex
myapaddress()
- Generic use of the AND operator
- Nested
- The PAC Reader only supports limited use of the variable declaration and use.
Before you configure Outbound Proxy using VMware Tunnel PAC Reader, make sure that you meet the following network requirements:
- Access to the Workspace ONE UEM API server: The PAC Reader requires access to the Workspace ONE UEM API server. The server is typically accessed over port 443. Consider installing the PAC Reader on your VMware Tunnel server as the server already has access to the Workspace ONE UEM API server.
- Access to the PAC file. If you are hosting your PAC file on a Web server, the PAC Reader must have the access to that server.
- RHEL 7 as the server OS.
- Download the installer from the Workspace ONE UEM Resources Portal.
- Create a dedicated install directory for the installer on the linux server. For example, you can create a dedicated install directory as /tmp/Install/ for the installer and copy the LinuxPacReaderInstaller.bin file to this location.
- Navigate to the directory you copied the file. Run
chmod 750 LinuxPacReaderInstaller.bin
command to assign the run permission to the LinuxPacReaderInstaller.bin file. - Run the BIN file by using the required command:
sudo ./LinuxPacReaderInstaller.bin
- Configure the necessary properties in the pacreader.properties file.
Setting Description API_SERVER_URL Enter the API server URL. API_KEY Enter the API key for the API server. Find this key by navigating to .Location group ID
Location Group ID where the VMware Tunnel server is deployed.
PAC Location Path to the PAC file if stored locally on the machine else use the http/https link
If you configure PAC_LINK, do not configure PAC_PATH.
API Certificate
: The Admin API Certificate which can be obtained from
If you configure PAC_PATH, do not configure PAC_LINK.
API Certificate Password
Password for pfx/p12 API certificate file. PAC Location
This can be a PAC file placed at /opt/vmware/tunnel/pacreader or an http link to PAC.
Complete the following steps after you configure the server traffic rules using the PAC reader:
- Open the
bash shell
. - Go to the pacreader installation directory. cmd:
cd /opt/vmware/tunnel/pacreader
. - Run the following command to validate : ./pacreader validate.