As an admin, you can configure VMware Tunnel Proxy deployment to secure the network traffic between an end user device and a website through the VMware Browser mobile application from Workspace ONE UEM.

What can you do with the System Log Settings Page?

The path to the settings page on the UEM console is Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel Proxy.

Configure VMware Tunnel Proxy using the configuration wizard. The wizard walks you through the installer configuration step-by-step. The options configured in the wizard are packaged in the installer, which you can download from the Workspace ONE UEM console and move to your Tunnel servers.

Changing the details in this wizard typically requires a reinstall of the VMware Tunnel with the new configuration. To configure the VMware Tunnel Proxy, you need the details of the server where you plan to install. Before configuration, determine the deployment model, hostnames and ports, and which features of VMware Tunnel to implement. Features to consider include access log integration, SSL offloading, enterprise certificate authority integration, and so on.

Determine your Organization group hierarchy

Before you review and modify the settings, understand the two types of inheritance/override options for the organization group hierarchy available at the top and bottom of the settings page and determine your choice.
  • Current Setting - Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.

VMware Tunnel Configuration Tab

If you are configuring VMware Tunnel for the first time, then select Configure and follow the configuration wizard screens.

If you are configuring VMware Tunnel for the first time, then select Override, then select the Enabled VMware Tunnel toggle switch, and then select Configure.

| Setting | Description |
|---|---|
| Deployment Type | Select the Enable Proxy (Windows & Linux) toggle switch, and then select the components that you want to configure using the Proxy Configuration Type drop-down menu. |

Details - Proxy (App Wrapping/Browser/SDK) Configuration

The options that are displayed on the Details screen depend on the configuration type you have selected in the Proxy Configuration Type drop-down menu.

If you choose the Basic Proxy Configuration Type, enter the following information:

| Setting | Description |
|---|---|
| Hostname | The proxy service is installed on this port. Devices connect to the <hostname>:<port> to use the VMware Tunnel proxy feature. The default value is 2020. |
| Relay Port | The proxy service is installed on this port. Devices connect to the <hostname>:<port> to use the VMware Tunnel proxy feature. The default value is 2020. |
| Relay Host Name | (Relay-Endpoint Only). Enter the FQDN of the public host name for the Tunnel relay server, for example, This hostname must be publicly available as it is the DNS that devices connect to from the Internet. |
| Enable SSL Offloading | Select this check box if you want to use SSL Offloading to ease the burden of encrypting and decrypting traffic from the VMware Tunnel server. |
| Use Kerberos Proxy | To allow access to Kerberos authentication for your target back-end Web services, select Kerberos proxy support. This feature does not currently support Kerberos Constrained Delegation (KCD). The Endpoint server must be on the same domain as the KDC for the Kerberos Proxy to communicate successfully with the KDC. |

If you choose Relay-Endpoint Proxy Configuration Type, enter the following information:

| Setting | Description |
|---|---|
| Relay Host Name | (Relay-Endpoint Only). Enter the FQDN of the public host name for the Tunnel relay server, for example, This hostname must be publicly available as it is the DNS that devices connect to from the Internet. |
| Endpoint Host Name | The internal DNS of the Tunnel endpoint server. This value is the hostname that the relay server connects to on the relay-endpoint port. If you plan to install the VMware Tunnel on an SSL offloaded server, enter the name of that server in place of the Host Name. When you enter the Host Name, do not include a protocol, such as http://, https://, and so on. |
| Relay Port | The proxy service is installed on this port. Devices connect to the <hostname>:<port> to use the VMware Tunnel proxy feature. The default value is 2020. |
| Endpoint Port | (Relay-Endpoint only). This value is the port used for communication between the VMware Tunnel relay and VMware Tunnel endpoint. The default value is 2010. If you are using a combination of Proxy and Per-App Tunnel, the relay endpoint installs as part of the Front-End Server for Cascade mode. The ports must use different values. |
| Enable SSL Offloading | Select this check box if you want to use SSL Offloading to ease the burden of encrypting and decrypting traffic from the VMware Tunnel server. |
| Use Kerberos Proxy | To allow access to Kerberos authentication for your target back-end Web services, select Kerberos proxy support. This feature does not currently support Kerberos Constrained Delegation (KCD). |

The Endpoint server must be on the same domain as KDC for the Kerberos Proxy to communicate successfully with the KDC. In the Realm text box, enter the Realm of the KDC server.
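Because changing these details later typically means reinstalling the Tunnel, it helps to check the planned values before entering them in the wizard. The following pre-flight check is an added example, not VMware code: the dictionary keys, the sample host names, and the realm are hypothetical, and the rules it enforces (no protocol in host names, a public FQDN for the relay, distinct relay and endpoint ports, a Realm when Kerberos proxy is selected) are one reading of the settings described above.

```python
import re

# Defaults stated in the settings tables above
DEFAULT_RELAY_PORT = 2020
DEFAULT_ENDPOINT_PORT = 2010

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def _host_problems(field, value, need_fqdn=False):
    """Return a list of problems for one host name value."""
    problems = []
    if "://" in value:
        problems.append(f"{field}: remove the protocol prefix (http://, https://)")
        value = value.split("://", 1)[1]
    host = value.rstrip(".")
    if ":" in host or "/" in host:
        problems.append(f"{field}: enter the host name only, without port or path")
    labels = re.split(r"[:/]", host)[0].split(".")
    if not all(_LABEL.match(label) for label in labels):
        problems.append(f"{field}: not a valid DNS name")
    elif need_fqdn and len(labels) < 2:
        problems.append(f"{field}: must be a fully qualified public name")
    return problems

def check_relay_endpoint_plan(plan):
    """Validate a planned Relay-Endpoint configuration (keys are hypothetical)."""
    problems = _host_problems("relay_host", plan["relay_host"], need_fqdn=True)
    problems += _host_problems("endpoint_host", plan["endpoint_host"])
    relay_port = plan.get("relay_port", DEFAULT_RELAY_PORT)
    endpoint_port = plan.get("endpoint_port", DEFAULT_ENDPOINT_PORT)
    for name, port in (("relay_port", relay_port), ("endpoint_port", endpoint_port)):
        if not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"{name}: {port!r} is not a valid port number")
    if relay_port == endpoint_port:
        problems.append("relay_port and endpoint_port must use different values")
    if plan.get("use_kerberos_proxy") and not plan.get("realm"):
        problems.append("realm: enter the Realm of the KDC when Kerberos proxy is selected")
    return problems

# Constructed sample plans; all host names and the realm are placeholders
GOOD = {"relay_host": "tunnel.example.com", "endpoint_host": "tunnel-ep.corp.example",
        "use_kerberos_proxy": True, "realm": "CORP.EXAMPLE"}
BAD = {"relay_host": "tunnel", "endpoint_host": "https://tunnel-ep.corp.example",
       "relay_port": 2020, "endpoint_port": 2020, "use_kerberos_proxy": True}

if __name__ == "__main__":
    for label, plan in (("good", GOOD), ("bad", BAD)):
        print(label, check_relay_endpoint_plan(plan) or "no problems found")
```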

SSL - Proxy (App Wrapping/Browser/SDK) SSL Certificate

Configure the public SSL certificate that secures the client-server communication from the enabled application on a device to the VMware Tunnel. By default, this setup uses an AirWatch certificate for secure server-client communication.

| Setting | Description |
|---|---|
| Use Public SSL Certificate | Select the Use Public SSL Certificate option if you prefer to use a third-party SSL certificate for encryption between Workspace ONE Web or SDK-enabled apps and the VMware Tunnel server. |
| Public SSL Certificate | Upload the Public SSL Certificate. |


Configure the following settings to select the certificates that devices use to authenticate to the VMware Tunnel. By default, all the components use AirWatch issued certificates. To use Enterprise CA certificates for the client-server authentication, select the Enterprise CA option.

| Setting | Description |
|---|---|
| Proxy Authentication | Select the Use Public SSL Certificate option if you prefer to use a third-party SSL certificate for encryption between Workspace ONE Web or SDK-enabled apps and the VMware Tunnel server. |
| Certificate Authority | Select the Certificate Authority from the drop-down menu. |
| Certificate Template | Select the Certificate Template from the drop-down menu. |
| Root Certificate | Upload the root certificate. |


You can use access logs for the proxy or Per-App Tunnel components. Enable the Access Logs toggle switch to configure the feature.

If you intend to use this feature, you must configure it as part of the initial configuration, because it cannot be enabled later without reconfiguring Tunnel and rerunning the installer.

| Setting | Description |
|---|---|
| Access Logs | Access logs for the proxy or Per-App Tunnel components. Enable the Access Logs toggle switch to configure the feature. |
| Syslog Hostname | Enter the URL of your syslog host in the Syslog Hostname field. This setting displays after you enable Access Logs. |
| UDP Port | Enter the port over which you want to communicate with the syslog host in the UDP Port field. |