As an admin, you can configure VMware Tunnel to secure access for connecting to corporate resources.

What can you do with the VMware Tunnel Configuration Settings Page?

The path to the settings page on the UEM console is Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel.

VMware Tunnel offers a secure method for individual applications to access corporate resources. It serves as a relay between your mobile devices and enterprise systems, authenticating and encrypting traffic from individual applications on compliant devices to the back-end systems they are trying to reach.

New Tunnel Configuration Tab

The following table lists the details for VMware Tunnel configuration.

Setting: Description

Deployment Type: Select whether you are deploying VMware Tunnel in Basic or Cascade mode. When deploying in Basic mode, enter the public-facing hostname and the port number that is assigned for communication with the VMware Tunnel component. When deploying in Cascade mode, enter the hostname of the back-end server and the port number.
Hostname: Enter the hostname for the deployment. When deploying in Basic mode, enter the public-facing hostname, and when deploying in Cascade mode, enter the hostname of the back-end server.
Port: Enter the port number that is assigned for communication with the VMware Tunnel component.
Server Authentication: Under Server Authentication, select the SSL provider of your choice. By default, AirWatch provides a certificate; third-party certificates are also supported. When using a third-party certificate, make sure the file includes both the public and private keys, in either .PFX or .P12 format.
Client Authentication: Under Client Authentication, select either AirWatch or a Third Party CA as the authentication provider for VMware Tunnel users.

  To use a third-party certificate authority, select the Certificate Authority and Certificate Template that are used to request a certificate from the CA.

  For the VMware Tunnel gateway to trust certificates issued by a third-party CA, upload the full chain of the public key of your certificate authority to the configuration wizard.

  The CA template must contain CN={DeviceUid} in the subject name and a Subject Alternative Name (SAN) certificate. If the Windows desktop Tunnel client is used with the Per-App Tunnel, then the template must contain CN={DeviceUid}:vpn.air-watch.com, SAN:upn={UserPrincipalName}.

  Certificates auto-renew based on your CA template settings.

Networking: Under Networking, define how VMware Tunnel communicates with Workspace ONE UEM and how the device traffic flows through your network.
  1. Select Manage Server Traffic Rules with VMware Tunnel PAC Reader if you are using the PAC Reader to manage the traffic rules.
  2. Select Default AWCM + API traffic via Server Traffic Rules if the communication between the VMware Tunnel and Workspace ONE UEM API or AWCM uses the outbound proxy.
Logging: Under Logging, you can configure settings related to the server logs.
  1. Select the level of logging for the VMware Tunnel from the Service Logs drop-down menu. As a best practice, set Service Logs to Error or Warning unless you are troubleshooting. Selecting Info or Debug can impact server performance. It is recommended not to enable the Info or Debug log level while the server is busy during peak hours.
  2. Access Logs provide a high-level record of users and devices using VMware Tunnel. In a cascade deployment, the back-end server performs the syslog transport. From the Access Logs drop-down, you can select the following:
    • Syslog Hostname: If you make this selection, enter the URL of your syslog host and the UDP Port over which you want to communicate. Ensure that the logging level for access logs is set appropriately in rsyslog.conf on the syslog server.
    • File: If you make this selection, the filename is set to /var/log/vmware/tunnel/vpnd/access.log.
Custom Settings: Under Custom Settings, select Add Custom Setting and add the Configuration Key and the Configuration Value.
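
The Server Authentication requirement above (a third-party .PFX or .P12 file that includes both the public and private keys) can be checked before the file is uploaded. The script below is an added example, not part of the VMware documentation. It assumes the openssl command-line tool is installed and that the bundle password is supplied in an environment variable named PFX_PASS, a name chosen for this example.

```shell
#!/bin/sh
# Added example (not VMware code): sanity-check a third-party .pfx/.p12 bundle
# before uploading it under Server Authentication.
# Assumption: the bundle password is in the PFX_PASS environment variable,
# so it never appears on the command line or in the process list.

# Run "openssl pkcs12" on a bundle with extra flags, discarding diagnostics.
p12() {
  f=$1; shift
  openssl pkcs12 -in "$f" -passin env:PFX_PASS "$@" 2>/dev/null
}

# check_pfx FILE: status 0 only if the bundle holds a private key and a
# certificate whose public key matches that private key.
# The body is a subshell, so "exit" ends only this function call.
check_pfx() (
  file=$1
  certs=$(p12 "$file" -nokeys | grep -c 'BEGIN CERTIFICATE' || true)
  keys=$(p12 "$file" -nocerts -nodes | grep -c 'BEGIN.*PRIVATE KEY' || true)
  echo "certificates: $certs, private keys: $keys"
  if [ "$certs" -lt 1 ] || [ "$keys" -lt 1 ]; then
    echo "FAIL: bundle must contain both the certificate and its private key" >&2
    exit 1
  fi
  # The decrypted key is only piped between openssl processes, never written to disk.
  cert_pub=$(p12 "$file" -clcerts -nokeys | openssl x509 -noout -pubkey 2>/dev/null)
  key_pub=$(p12 "$file" -nocerts -nodes | openssl pkey -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: private key does not match the leaf certificate" >&2
    exit 1
  fi
  echo "OK: key and certificate match"
)

# Usage: PFX_PASS='...' sh check_pfx.sh tunnel.pfx
if [ "$#" -ge 1 ]; then
  check_pfx "$1"
fi
```

A wrong or missing PFX_PASS also produces the first failure message, because openssl cannot open the bundle and both counts are reported as 0.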