Many organizations use outbound proxies to control the flow of traffic to and from their network. Outbound proxies can also be used for performing traffic filtering, inspection, and analysis.
Using an outbound proxy with VMware Tunnel is optional; your organization may choose to place one or more VMware Tunnel servers behind an outbound proxy based on recommendations from your security and network teams. For VMware Tunnel on Linux, Workspace ONE UEM supports outbound proxies for both VMware Tunnel components: Proxy and Per-App Tunnel.
The following table illustrates outbound proxy support for the VMware Tunnel Proxy on Linux:
Proxy Configuration | Supported
---|---
Outbound Proxy with no auth | ✓
Outbound Proxy with basic auth | ✓
Outbound Proxy with NTLM auth | ✓
Multiple Outbound Proxies | ✓ (use the Proxy Tool)
PAC Support | ✓ (use the Proxy Tool)
During installation, the installer prompts you whether to use an outbound proxy. For relay-endpoint configurations, the outbound proxy communication is configured on the endpoint server that resides in your internal network and can communicate with the outbound proxy.
The Tunnel Proxy encrypts traffic to HTTP endpoints using HTTP tunneling with an SSL certificate and sends that traffic over port 2020 as HTTPS. To enable SSL offloading, enable SSL Offloading in the VMware Tunnel configuration in the UEM console and select SSL Offloading during installation on the relay server. With this setting enabled, the relay expects the traffic arriving on the port you configured to already be decrypted, so the hop between the offloading device and the relay is plaintext and should run over a trusted network segment. Whatever device terminates SSL must forward the original Host headers of the request to the Tunnel server.
You can perform SSL offloading with products such as F5's BIG-IP Local Traffic Manager (LTM), or Microsoft Forefront Unified Access Gateway, Threat Management Gateway (TMG) or Internet Security and Acceleration Server (ISA) solutions. Support is not exclusive to these solutions. VMware Tunnel Proxy is compatible with general SSL offloading solutions if the solution supports the HTTP CONNECT method. In addition, ensure that your SSL offloading solution is configured to forward original host headers to the VMware Tunnel relay server. The SSL Certificate configured in the Workspace ONE UEM console for the Tunnel Proxy must be imported to the SSL Termination Proxy.
To implement SSL offloading for the Tunnel Proxy successfully, ensure the settings are configured consistently in the UEM console, on the VMware Tunnel server, and in your SSL offloading solution.
Outbound Proxy with Authentication
If you want to use an outbound proxy, then enter ‘Yes’ when prompted during Tunnel installation, which then prompts you for the following information:
- Proxy Host
- Proxy Port
- Whether the proxy requires any authentication (Basic/NTLM) and appropriate credentials
Entering this information and completing the installer enables outbound proxy support. The VMware Tunnel Proxy server then sends all of its outbound traffic, except requests to the Workspace ONE UEM API and AWCM servers, through the outbound proxy you configured. To send the API and AWCM requests through the outbound proxy as well, enable the Enable API and AWCM outbound calls via proxy setting on the VMware Tunnel settings page.
PAC Files and Multiple Outbound Proxies
A proxy auto-configuration (PAC) file is a set of rules that a client (here, the VMware Tunnel Proxy) evaluates for each request to decide whether the request goes direct or through which proxy. If you want to use a PAC file, provide the path to the PAC file location when prompted during Tunnel installation. If the PAC file points at an outbound proxy that requires authentication, if you want to use multiple proxies with different hostnames, or if some proxies require authentication (basic/NTLM) and some do not, then use the Proxy Tool for PAC Files and Multiple Outbound Proxies.
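As an added example (not from VMware's documentation or product), the following is a PAC file of the kind PAC_URL can point at: internal hosts go direct, one partner domain is routed through an authenticated proxy, and everything else goes through a pair of unauthenticated proxies with failover. Every hostname, the 10.* range, and the proxy addresses are assumptions. isPlainHostName, dnsDomainIs and shExpMatch are standard PAC built-ins; the guarded definitions at the top only take effect outside a PAC engine (for example under Node), so the routing logic can be exercised before the file is deployed.

```javascript
// Added example PAC file for VMware Tunnel Proxy outbound routing.
// Not VMware's code. All hostnames, the 10.* range and the proxy
// addresses below are assumptions for illustration.

// Standard PAC built-ins. A PAC engine supplies them; these fallbacks
// only take effect when the file is run outside one (e.g. with node).
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
}
if (typeof dnsDomainIs === "undefined") {
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.slice(host.length - domain.length) === domain;
  };
}
if (typeof shExpMatch === "undefined") {
  globalThis.shExpMatch = function (str, pattern) {
    // Shell-style glob: '*' matches any run, '?' exactly one character.
    var re = "^" + pattern
      .replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*")
      .replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  };
}

// Assumed proxies. Each distinct proxy hostname returned here is one
// entry in the Proxy Tool, where its own None/Basic/NTLM credential is set.
var PROXY_AUTH   = "PROXY proxy-auth.corp.example:8080";   // NTLM-protected
var PROXY_NOAUTH = "PROXY proxy1.corp.example:3128; " +
                   "PROXY proxy2.corp.example:3128";       // no auth, with failover

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Internal destinations never leave through the outbound proxy.
  // Note the leading dot on the domain: without it, "evilcorp.example"
  // would also match and be sent direct.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".corp.example") ||
      shExpMatch(host, "10.*")) {
    return "DIRECT";
  }

  // A partner domain that must traverse the authenticated proxy.
  if (dnsDomainIs(host, ".partner.example")) {
    return PROXY_AUTH;
  }

  // Everything else: unauthenticated proxies, second one as failover.
  return PROXY_NOAUTH;
}

// Harmless inside a PAC engine (module is undefined there); lets node
// scripts import the file to test the rules.
if (typeof module !== "undefined") {
  module.exports = { FindProxyForURL: FindProxyForURL };
}
```

The rule order matters: direct routes for internal names are checked first so that a later catch-all can never leak intranet requests to an external proxy, and the authenticated proxy is named only for the destinations that need it, which keeps the service account credentials stored by the Proxy Tool off the path taken by every other request.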
Use the Proxy Tool for PAC Files and Multiple Outbound Proxies for VMware Tunnel Proxy
Use the Proxy Tool when VMware Tunnel routes its outbound requests according to rules in a PAC file and one or more of the proxies that the PAC file returns require authentication.
- To use the PAC file, edit the proxy.properties file and set PROXY_SEARCH_STRATEGY to 2.
- Uncomment PAC_URL and enter the URL of the PAC file, or its absolute path on the VMware Tunnel server.
- From the Linux CLI, change to /opt/vmware/tunnel/proxy/tools.
- Make the proxy tool script executable by running the following command:
  chmod a+x proxytool.sh
- Run the proxy tool by using the following command (the file name is case sensitive; confirm it with ls if the command is not found):
  sudo sh proxytool.sh
- Select your authentication method, which can be None, Basic, or NTLM, for a single service account. Enter the credentials, if applicable, and the URI of the proxy to test against.
- Select Save.
- Restart the Proxy service by running the following command:
  sudo systemctl restart proxy.service
- After saving, run the following command to confirm that the proxy settings were updated correctly:
  cat /opt/vmware/tunnel/proxy/conf/proxy-credentials.xml
  This file holds the service account credentials for the outbound proxy, so treat it as a secret: keep its file permissions restrictive and do not copy its contents into tickets or chat.
VMware Tunnel Proxy Tools
The Proxy Tool is an application you can run to configure multiple outbound proxies for the VMware Tunnel.
Use the following commands to navigate the application:
- Use arrows, tab, shift+tab to navigate.
- Use Enter or spacebar to select/deselect a proxy.
- Use Alt+Enter to see details of the highlighted proxy.
- Use Ctrl+V to paste on text controls.
- Use F1 to invoke context-sensitive help.
- Use Esc to exit a window.