Configure the VMware Tunnel installer in the UEM console under Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel. The wizard walks you through the installer configuration step by step. The options configured in the wizard are packaged into the installer, which you can download from the UEM console and move to your Tunnel servers. Changing the details in this wizard typically requires reinstalling the VMware Tunnel with the new configuration.

To configure the VMware Tunnel, you need the details of the server where you plan to install it. Before configuration, determine the deployment model, one or more hostnames and ports, and which features of VMware Tunnel to implement, such as access log integration, NSX integration, SSL offloading, enterprise certificate authority integration, and so on. Because the wizard dynamically displays the appropriate options based on your selections, the configuration screens may show different text boxes and options.

To configure the VMware Tunnel, perform the following steps:

  1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel > Configuration.

    If this is your first time configuring VMware Tunnel, then select Configure and follow the configuration wizard screens. Otherwise, select Override, then select the Enable VMware Tunnel check box, and then select Configure.

  2. On the Configuration Type screen, select the components that you want to configure.

    Your options are Proxy and Per-App Tunnel. Depending on your selections, the following screens may display different text boxes and options. In the drop-down menus that display, select whether you are configuring a Cascade, Relay-Endpoint, or Basic deployment for each component. Select the information icon to see an example for the selected type.

  3. Select Next.
  4. On the Details screen, configure the following settings:

    Setting and description:

    PROXY (APP WRAPPING / BROWSER / SDK) CONFIGURATION

    Relay Host Name (Relay-Endpoint only)
      Enter the FQDN of the public host name for the Tunnel relay server, for example, tunnel.acmemdm.com. This hostname must be publicly resolvable, because it is the DNS name that devices connect to from the Internet.

    Endpoint Host Name
      The internal DNS name of the Tunnel endpoint server. This value is the hostname that the relay server connects to on the relay-endpoint port. If you plan to install the VMware Tunnel on an SSL offloaded server, enter the name of that server in place of the Host Name.

      When you enter the Host Name, do not include a protocol, such as http:// or https://.

    Relay Port (HTTPS)
      The proxy service is installed on this port. Devices connect to <relayhostname>:<port> to use the VMware Tunnel proxy feature. The default value is 2020.

    Relay-Endpoint Port (Relay-Endpoint only)
      This value is the port used for communication between the VMware Tunnel relay and the VMware Tunnel endpoint. The default value is 2010.

      If you are using a combination of Proxy and Per-App Tunnel, the relay endpoint installs as part of the Front-End Server for Cascade mode. Because both components then listen on the same server, assign them different port values.

    Advanced Proxy Configuration Details

    Use Kerberos Proxy
      Enable Kerberos proxy support to allow access to Kerberos authentication for your target back-end web services. This feature does not currently support Kerberos Constrained Delegation (KCD). For more information, see Configure Kerberos Proxy Settings.

      The Endpoint server must be on the same domain as the KDC for the Kerberos Proxy to communicate successfully with the KDC.

    Realm
      Enter the domain of the KDC server.

      This text box only displays if you enable Use Kerberos Proxy.

    PER-APP TUNNELING CONFIGURATION

    Basic Mode

    Hostname
      Enter the FQDN of the public host name for the Tunnel server, for example, tunnel.acmemdm.com. This hostname must be publicly resolvable, because it is the DNS name that devices connect to from the Internet.

    Port
      Enter the port number assigned for communication with the VMware Tunnel component. The default value is 8443.

    Cascade Mode

    Front-end Hostname
      Enter the FQDN of the public host name for the Tunnel relay server, for example, tunnel.acmemdm.com. This hostname must be publicly resolvable, because it is the DNS name that devices connect to from the Internet.

    Front-end Port
      Enter the port number assigned for communication with the VMware Tunnel component. The default value is 8443.

    Back-end Hostname
      Enter the hostname of the back-end server.

      When entering the hostname, do not include a protocol (http://, https://, and so on).

    Back-end Port
      Enter the port used for communication between the VMware Tunnel relay and the Per-App Tunnel endpoint. The default value is 8443.

  5. Select Next.
  6. On the SSL screen, configure the following settings to select the certificates that secure client-server communication from enabled applications on a device to the VMware Tunnel.

    Setting and description:

    PROXY (APP WRAPPING / BROWSER / SDK) SSL CERTIFICATE

    Default
      By default, this setup uses a Workspace ONE UEM certificate for secure server-client communication. Workspace ONE UEM issues a certificate for the hostname configured on the Details screen.

    Use Public SSL Certificate
      Enable this option if you prefer to use a third-party SSL certificate for encryption between VMware Browser or SDK-enabled apps and the VMware Tunnel server.

      Upload a .PFX or .P12 certificate file and enter the password. This file must contain both your public and private key pair. CER and CRT files are not supported.

    PER-APP TUNNELING SSL CERTIFICATE

    Default
      By default, this setup uses a Workspace ONE UEM certificate for secure server-client communication. Workspace ONE UEM issues a unique certificate for the hostname configured on the Details screen.

      To use the Default option, select Next, and certificates are generated automatically.

    Use Public SSL Certificate
      Enable this option if you prefer to use a third-party SSL certificate for encryption between VMware Browser or SDK-enabled apps and the VMware Tunnel server.

      Upload a .PFX or .P12 certificate file and enter the password. This file must contain both your public and private key pair. CER and CRT files are not supported.

      SAN certificates are not currently supported. The certificate must be issued either to the VMware Tunnel hostname itself or as a valid wildcard certificate for the corresponding domain.

      The Tunnel Device Root Certificate is generated automatically when you select Next to continue to the Authentication section.
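    The following script is an added example, not part of this documentation or of VMware's installer. It pre-checks the values you are about to type into the Details and SSL screens against the rules stated above: hostnames must carry no protocol prefix, the listeners that share the front-end server in a combined Proxy and Per-App Cascade deployment must use distinct ports, and a public SSL certificate must be issued to the Tunnel hostname itself or be a wildcard for its domain (the wizard does not honour SAN entries). Every hostname, port and certificate name used in it is a constructed sample value; the function names are the example's own.

```python
"""Pre-flight checks for VMware Tunnel wizard inputs (Details and SSL screens).
Added example, not VMware's code. Encodes the documented rules: no protocol
prefix in a hostname, distinct ports for listeners that share the front-end
server, and certificate CN equal to the Tunnel hostname or a one-label wildcard
for its domain (SAN entries are not consulted). Sample values are constructed."""
import re

# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalize_hostname(value: str) -> str:
    """Return the bare, lower-cased FQDN, or raise ValueError for the mistakes
    the wizard text warns about (scheme prefix, embedded port or path)."""
    host = value.strip()
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", host):
        raise ValueError(f"must not include a protocol prefix: {value!r}")
    if "/" in host or ":" in host:
        raise ValueError(f"must not include a path or port: {value!r}")
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid FQDN: {value!r}")
    return ".".join(labels).lower()


def validate_cascade_ports(relay_port, relay_endpoint_port, front_end_port, back_end_port):
    """Proxy + Per-App Tunnel in Cascade mode: the relay, the relay-endpoint and the
    Per-App front-end listeners all live on the front-end server, so they must not
    share a port. The back-end port belongs to the back-end server and may equal
    the front-end port (both default to 8443). Returns a list of problem strings."""
    problems = []
    on_front_end = {
        "Relay Port": relay_port,
        "Relay-Endpoint Port": relay_endpoint_port,
        "Front-end Port": front_end_port,
    }
    for name, port in {**on_front_end, "Back-end Port": back_end_port}.items():
        if not 1 <= port <= 65535:
            problems.append(f"{name} out of range: {port}")
    taken = {}
    for name, port in on_front_end.items():
        if port in taken:
            problems.append(f"{name} ({port}) collides with {taken[port]} on the front-end server")
        taken.setdefault(port, name)
    return problems


def validate_details(relay_host, endpoint_host, relay_port, relay_endpoint_port,
                     front_end_port, back_end_port):
    """Run every Details-screen check; an empty list means the inputs are acceptable."""
    problems = []
    for field, value in (("Relay Host Name", relay_host), ("Endpoint Host Name", endpoint_host)):
        try:
            normalize_hostname(value)
        except ValueError as err:
            problems.append(f"{field}: {err}")
    problems.extend(validate_cascade_ports(relay_port, relay_endpoint_port,
                                           front_end_port, back_end_port))
    return problems


def cert_name_covers_host(subject_cn: str, hostname: str) -> bool:
    """True if the certificate CN is exactly the Tunnel hostname or a wildcard for
    its domain. Only the CN is consulted because the wizard ignores SAN entries.
    A wildcard covers exactly one label: *.acmemdm.com matches tunnel.acmemdm.com
    but neither acmemdm.com nor a.b.acmemdm.com."""
    cn = subject_cn.strip().lower().rstrip(".")
    host = normalize_hostname(hostname)
    if cn == host:
        return True
    if cn.startswith("*."):
        domain = cn[2:]
        if domain.count(".") < 1:  # reject over-broad wildcards such as *.com
            return False
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == domain
    return False


if __name__ == "__main__":
    # Constructed sample input mirroring the wizard defaults (2020 / 2010 / 8443 / 8443)
    print(validate_details("tunnel.acmemdm.com", "tunnel-endpoint.corp.acmemdm.com",
                           2020, 2010, 8443, 8443))   # []
    print(validate_details("https://tunnel.acmemdm.com", "endpoint",
                           2020, 8443, 8443, 8443))   # three problems reported
    print(cert_name_covers_host("*.acmemdm.com", "tunnel.acmemdm.com"))  # True
```

    Run it before opening the wizard and fix anything it reports; the port check deliberately allows the front-end and back-end ports to both be 8443, because those listeners sit on different servers.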

  7. Select Next.
  8. On the Authentication screen, configure the following settings to select the certificates that devices use to authenticate to the VMware Tunnel.

    Proxy Authentication / Per-App Tunnel Authentication - By default, all the components use Workspace ONE UEM issued certificates. To use Enterprise CA certificates for client-server authentication, select the Enterprise CA option.

    • Select Default to use Workspace ONE UEM issued certificates. The default Workspace ONE UEM issued client certificate does not automatically renew. To renew these certificates, re-publish the VPN profile to devices that have an expiring or expired client certificate. View the certificate status for a device by navigating to Devices > Device Details > More > Certificates.

    • Selecting Enterprise CA in place of Workspace ONE UEM-issued certificates for authentication between the VMware Browser, Per-App Tunnel-enabled apps, or SDK-enabled apps and the VMware Tunnel requires that a certificate authority and certificate template are set up in your Workspace ONE UEM environment before you configure VMware Tunnel.

      • Select the certificate authority and certificate template that are used to request a certificate from the CA.
      • Upload the full chain of the public key of your certificate authority to the configuration wizard.

      The CA template must contain CN=UDID in the subject name. Supported CAs are ADCS, RSA, and SCEP.

      Certificates auto-renew based on your CA template settings.

      For more information about integrating with your certificate provider, see Certificate Management Overview.
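    The script below is an added example, not part of this documentation or of Workspace ONE UEM. It applies two rules from the Authentication screen to a list of device certificate records: an Enterprise CA template must place the device UDID in the subject CN, and Workspace ONE UEM-issued client certificates do not renew on their own, so devices whose certificate is expired or about to expire must have the VPN profile re-published. The device records, UDIDs and dates are constructed sample data, not an export from a real console, and the function names are the example's own.

```python
"""Triage of VMware Tunnel client certificates. Added example, not VMware's
code. Checks that a subject DN carries CN=<device UDID> and lists devices whose
UEM-issued client certificate is expired or expires within a window, so the VPN
profile can be re-published to them. Sample records below are constructed."""
from datetime import datetime, timedelta, timezone


def parse_dn(dn: str) -> dict:
    """Split an RFC 4514 style DN such as "CN=abc,OU=Devices,O=Acme" into a dict.
    A backslash-escaped comma stays inside the value instead of splitting it."""
    attrs, buf, parts, i = {}, [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep the next char literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().upper()] = value.strip()
    return attrs


def cn_is_udid(subject_dn: str, udid: str) -> bool:
    """True if the certificate subject CN equals the device UDID (case-insensitive),
    which is what the CA template rule CN=UDID requires."""
    return parse_dn(subject_dn).get("CN", "").lower() == udid.lower()


def devices_needing_republish(records, now, window_days=30):
    """records: iterable of (udid, not_after datetime). Returns the UDIDs whose client
    certificate is already expired or expires within window_days, soonest first."""
    deadline = now + timedelta(days=window_days)
    due = [(udid, not_after) for udid, not_after in records if not_after <= deadline]
    return [udid for udid, _ in sorted(due, key=lambda rec: rec[1])]


# Constructed sample data: made-up UDIDs and expiry dates for the example only.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    ("0A1B2C3D4E5F", NOW + timedelta(days=200)),   # healthy, leave alone
    ("1122334455AA", NOW + timedelta(days=10)),    # expiring inside the window
    ("DEADBEEF0001", NOW - timedelta(days=3)),     # already expired
]

if __name__ == "__main__":
    print(cn_is_udid("CN=1122334455AA,OU=Devices,O=Acme\\, Inc", "1122334455aa"))  # True
    print(devices_needing_republish(SAMPLE_RECORDS, NOW))  # ['DEADBEEF0001', '1122334455AA']
```

    Feed it the certificate status you read from Devices > Device Details > More > Certificates; the returned list is the set of devices to target with the re-published VPN profile.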

  9. Select Next.
  10. On the Miscellaneous screen, you can enable access logs for the Proxy or Per-App Tunnel components. If you intend to use this feature, you must configure it now as part of the configuration, because it cannot be enabled later without reconfiguring Tunnel and rerunning the installer. For more information on these settings, see VMware Tunnel Access Logs and Syslog Integration and Configure Advanced Settings for VMware Tunnel.

    For Per-App Tunneling, you can also configure NSX Communication, which is the integration between Workspace ONE UEM and VMware NSX to achieve micro-segmentation. For more information on this integration, refer to the VMware AirWatch and VMware NSX Integration Guide.

  11. Select Next, review the summary of your configuration, confirm that all hostnames, ports and settings are correct, and select Save. The installer is now ready to download on the VMware Tunnel configuration screen.
  12. If you plan to use SSL offloading for the VMware Tunnel Proxy component, select the Advanced tab on the Tunnel Configuration screen and select Export Proxy Certificate. Then, import this certificate on the server performing SSL offloading. (This server can be a load balancer or reverse proxy.)

  13. Select the General tab and then select the Download Unified Access Gateway Appliance hyperlink. This button downloads the OVA or .vhdx file. The download also includes the PowerShell script and .ini template file for the PowerShell deployment method.

    For legacy installer methods, select Download Linux Installer. This button downloads a single TAR file used for deploying the relay and endpoints. You must also confirm a certificate password that is used during installation. The password must contain a minimum of six characters.

  14. Select Save.