Use SSL Offloading to ease the burden of encrypting and decrypting traffic from the VMware Tunnel server. Only the VMware Tunnel Proxy component supports SSL Offloading.

SSL Offloading and SSL re-encryption are not supported for the Per-App Tunnel component because it uses SSL certificate pinning between the client and the server, creating an end-to-end encrypted tunnel that can only be decrypted by the server itself. No SSL manipulation of any kind is supported for this component. All traffic to the Per-App Tunnel component on port 8443 must be allowed to pass through, without SSL manipulation, to the VMware Tunnel server.

The Tunnel Proxy encrypts traffic to HTTP endpoints using HTTP tunneling with an SSL certificate and sends that traffic over port 2020 as HTTPS. To enable SSL Offloading for this component, enable SSL Offloading in the VMware Tunnel console configuration and select SSL Offloading during installation on the Relay server. Enabling this setting ensures the relay expects all traffic arriving on the port you configured to be unencrypted. The original host headers of the request must be forwarded to the tunnel server from wherever the traffic is SSL offloaded.

You can perform SSL offloading with products such as F5's BIG-IP Local Traffic Manager (LTM), or Microsoft Forefront Unified Access Gateway, Threat Management Gateway (TMG) or Internet Security and Acceleration Server (ISA) solutions. Support is not exclusive to these solutions. VMware Tunnel Proxy is compatible with general SSL offloading solutions if the solution supports the HTTP CONNECT method. In addition, ensure that your SSL offloading solution is configured to forward original host headers to the VMware Tunnel relay server. The SSL Certificate configured in the Workspace ONE UEM console for the Tunnel Proxy must be imported to the SSL Termination Proxy.

Ensure settings are configured properly in the UEM console, on the VMware Tunnel server, and in your SSL Offloading solution in order to successfully implement SSL Offloading for the Tunnel Proxy.

SSL Offloading Requirements

  • HTTP CONNECT method supported by SSL offloading solution
  • SSL Offloading solution configured to forward original host headers
  • VMware Tunnel Proxy SSL certificate installed on your SSL termination proxy.

    If you are using a Workspace ONE UEM Certificate and not a public SSL certificate, then you can export the SSL certificate from the UEM console by navigating to Settings > System > Enterprise Integration > VMware Tunnel > Configuration then selecting the Advanced tab and selecting the Export Certificate button under Authentication.
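As an added example (not VMware's code), the following pre-deployment check verifies two of the requirements above from the client side: that the SSL termination proxy presents the Tunnel Proxy certificate exported from the UEM console (pinned by SHA-256 fingerprint) and that it passes the HTTP CONNECT method through rather than rejecting it. The proxy address, target endpoint and expected fingerprint are placeholders you replace with your own values.

```python
import hashlib
import socket
import ssl

# Placeholders (assumptions for this example, not values from the VMware documentation)
PROXY_HOST = "ssl-offload.example.com"   # your SSL termination proxy
PROXY_PORT = 2020                        # port configured for the Tunnel Proxy in the UEM console
EXPECTED_SHA256 = "<sha256 of the Tunnel Proxy certificate exported from the UEM console>"
TARGET = ("intranet.example.com", 443)   # an internal endpoint an SDK-enabled app would reach


def build_connect_request(host: str, port: int) -> bytes:
    """HTTP CONNECT request as an SDK-enabled app sends it through the Tunnel Proxy.
    The Host header is what the offloading solution must forward unchanged to the relay."""
    authority = f"{host}:{port}"
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode("ascii")


def parse_status(response: bytes):
    """Return the HTTP status code of a proxy response, or None if it is not an HTTP response."""
    first_line = response.split(b"\r\n", 1)[0].split(b" ")
    if len(first_line) < 2 or not first_line[0].startswith(b"HTTP/"):
        return None
    return int(first_line[1]) if first_line[1].isdigit() else None


def fingerprint_matches(der_cert: bytes, expected_sha256: str) -> bool:
    """Compare the SHA-256 of the certificate the proxy presented with the exported one."""
    expected = expected_sha256.replace(":", "").lower()
    return hashlib.sha256(der_cert).hexdigest() == expected


def check_offload_proxy() -> str:
    # The certificate is verified by pinning its fingerprint, so CA and hostname
    # validation are disabled (a UEM-issued certificate is not publicly trusted anyway).
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((PROXY_HOST, PROXY_PORT), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=PROXY_HOST) as tls:
            if not fingerprint_matches(tls.getpeercert(binary_form=True), EXPECTED_SHA256):
                return "FAIL: proxy did not present the exported Tunnel Proxy certificate"
            tls.sendall(build_connect_request(*TARGET))
            status = parse_status(tls.recv(4096))
    # 405/501 (or a non-HTTP reply / closed connection) means CONNECT is not passed through
    if status in (None, 405, 501):
        return f"FAIL: HTTP CONNECT not passed through (status {status})"
    return f"OK: certificate pinned, CONNECT answered with HTTP {status}"


if __name__ == "__main__":
    print(check_offload_proxy())
```

The script only checks that CONNECT is accepted by the offloader; the relay may still answer with an authentication error for an unauthenticated client, which is expected and does not indicate a misconfiguration.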

The following diagram illustrates how SSL offloading affects traffic in a relay-endpoint configuration.

[Diagram: SSL Offloading Tunnel]

Note: SSL offloading for the basic configuration has communication from the SSL termination proxy going directly to the VMware Tunnel endpoint.

SSL Offloading Traffic Flow

  1. A device requests access to internal resources from an AirWatch Software Development Kit (SDK) enabled application; the resource can be either an HTTP or an HTTPS endpoint.

    • Requests to HTTP and HTTPS endpoints are sent over port 2020 by default, which is the port you configure in the Workspace ONE UEM console during VMware Tunnel Proxy configuration.

  2. The traffic reaches an SSL Termination Proxy (customers use their own SSL termination proxy), which must meet the SSL Offloading requirements.


  3. Requests to HTTP(S) endpoints have their SSL encryption offloaded at the termination proxy and are sent to the relay server unencrypted over port 2020 by default. Traffic sent from the relay to the endpoint over port 2010 is encrypted with the UEM-issued Tunnel certificate. SSL Offloading between the Relay and the Endpoint is not supported for VMware Tunnel Proxy.

  4. The traffic continues from the relay server to the endpoint server on port 2010 by default.

  5. The endpoint server communicates with your back end systems to access the requested resources.