Many organizations use outbound proxies to control the flow of traffic to and from their network. Outbound proxies can also be used for performing traffic filtering, inspection, and analysis.

It is not mandatory to use outbound proxies with VMware Tunnel, but your organization may choose to deploy them behind one or more VMware Tunnel servers based on recommendations from your security and network teams. For VMware Tunnel on Linux, Workspace ONE UEM supports outbound proxies for the two VMware Tunnel components: Proxy and Per-App Tunnel. For VMware Tunnel on Windows, Workspace ONE UEM supports outbound proxies for the Proxy component.

The following table illustrates outbound proxy support for the VMware Tunnel Proxy component on Linux: 

Proxy Configuration Supported?

Outbound Proxy with no auth

Outbound Proxy with basic auth

Outbound Proxy with NTLM auth

Multiple Outbound Proxies

✓ (Use Proxy Tool)

PAC Support

✓ (Use Proxy Tool)

During installation, the installer prompts you whether to use an outbound proxy. For relay-endpoint configurations, the outbound proxy communication is configured on the endpoint server that resides in your internal network and can communicate with the outbound proxy.

Outbound Proxy with Authentication

If you want to use an outbound proxy, then enter ‘Yes’ when prompted during Tunnel installation, which then prompts you for the following information:

  • Proxy Host
  • Proxy Port
  • Whether the proxy requires any authentication (Basic/NTLM) and appropriate credentials

Entering this information and completing the installer enables outbound proxy support. This sends all traffic from the VMware Tunnel Proxy server – except requests to the Workspace ONE UEM API/AWCM servers – to the outbound proxy you configure. If you want to send the requests to the API/AWCM servers through your outbound proxy as well, then you must enable the Enable API and AWCM outbound calls via proxy setting on the VMware Tunnel > Advanced settings page.

PAC Files and Multiple Outbound Proxies

A PAC file is a set of rules that a browser checks against to determine where traffic is routed. If you want to use a proxy auto configuration (PAC) file, then provide the path to the PAC file location when prompted during Tunnel installation. If you want to use a PAC file for an outbound proxy that requires authentication, or if you want to use multiple proxies with different hostnames, or if some proxies require authentication (basic/NTLM) and some do not, then refer to Use the Proxy Tool for PAC Files and Multiple Outbound Proxies.