The VMware Tunnel supports two deployment models: single-tier and multi-tier. Both SaaS and on-premises Workspace ONE environments support the single-tier and multi-tier models. You can use the deployment model that best fits your needs.

Single-Tier Deployment Model

Single-tier models have a single instance of VMware Tunnel configured with a public DNS. In the Workspace ONE UEM console and the installer, this deployment model uses the basic-endpoint model.

Multi-Tier Deployment Model

Multi-tier networks separate servers into tiers, with firewalls between the tiers. Typical Workspace ONE multi-tier deployments have a DMZ that separates the Internet from the internal network. VMware Tunnel supports deploying a front-end server in the DMZ that communicates with a back-end server in the internal network. The multi-tier deployment model includes two instances of the VMware Tunnel with separate roles. The VMware Tunnel front-end server resides in the DMZ and can be accessed from public DNS over the configured ports. The servers in this deployment model communicate with your API and AWCM servers. For SaaS deployments, Workspace ONE hosts the API and AWCM components in the cloud. For an on-premises environment, the AWCM component is typically installed in the DMZ with the API.

The cascade deployment model architecture includes two instances of the VMware Tunnel with separate roles. In cascade mode, the front-end server resides in the DMZ and communicates with the back-end server in your internal network.

If you are using a multi-tier deployment model and the Proxy component of the VMware Tunnel, use the relay-endpoint deployment mode. The relay-endpoint deployment mode architecture includes two instances of the VMware Tunnel with separate roles. The VMware Tunnel relay server resides in the DMZ and can be accessed from public DNS over the configured ports.