Configure the fundamental VMware Tunnel architecture to establish connectivity and trust within your environment with the Per-App Tunnel.

Procedure

  1. Navigate to Groups & Settings > All Settings > Configurations > Tunnel. Select a Current Setting or Override to make new settings for the child.
    Note: Overriding Tunnel configuration does not override VMware Tunnel Proxy settings.
  2. Under Deployment Details, select whether you are deploying VMware Tunnel in Basic or Cascade mode.

    When deploying in Basic mode, supply the public-facing Hostname and the Port number that is assigned for communication with the VMware Tunnel component.

    When deploying in Cascade mode, enter the Hostname of the back-end server and the Port number.

    Note: Make sure that you configure Per-App Tunnel and Tunnel Proxy with different ports.
  3. Under Server Authentication, select the SSL provider of your choice.
    By default, AirWatch provides a certificate; third-party certificates are also supported. When using a third-party certificate, make sure to include both the public and private keys in either .PFX or .P12 format. Currently, server authentication does not support SAN certificates. All certificates must be either issued to the VMware Tunnel hostname or be a valid wildcard certificate for the corresponding domain.
  4. Under Client Authentication, select either AirWatch or a Third Party CA as the authentication provider for VMware Tunnel users.
    To use a third-party certificate authority, select the Certificate Authority and Certificate Template that are used to request a certificate from the CA.

    For the VMware Tunnel gateway to trust certificates issued by a third-party CA, upload the full public-key chain of your certificate authority to the configuration wizard.

    The CA template must contain CN={UDID} in the subject name. If the Windows desktop Tunnel client is used with the Per-App Tunnel, then the template must contain CN={UDID}:vpn.air-watch.com.

    Certificates auto-renew based on your CA template settings.

  5. Under Networking, define how VMware Tunnel communicates with Workspace ONE UEM and how the device traffic flows through your network.
    1. Select Manage Server Traffic Rules with VMware Tunnel PAC Reader if you are using the PAC Reader to manage the traffic rules.
    2. Select Default AWCM + API traffic via Server Traffic Rules if the communication between the VMware Tunnel and the Workspace ONE UEM API or AWCM uses the outbound proxy. For more information, see Configure Server Traffic Rules from the UEM Console.
  6. Under Logging, you can configure settings related to the server logs.
    1. Select the level of logging for the VMware Tunnel from the Service Logs drop-down menu. As a best practice, set Service Logs to Error or Info unless you are troubleshooting.
    2. Access Logs provide a high-level record of the users and devices using VMware Tunnel. In a cascade deployment, the back-end server performs the syslog transport.
      From the Access Logs drop-down, you can select the following:
      • Syslog Hostname: If you make this selection, enter the URL of your syslog host and the UDP port over which you want to communicate. Ensure that the logging level for access logs is set appropriately in rsyslog.conf on the syslog server.
      • File: If you make this selection, the filename is hardcoded to /var/log/vmware/tunnel/vpnd/access.log.

      There is no correlation between this syslog integration and the integration accessed on Groups & Settings > All Settings > System > Enterprise Integration > Syslog.

  7. Under Custom Settings, select Add Custom Setting and add the Configuration Key and the Configuration Value.
    You can configure the following Configuration Keys and Configuration Values (Field, Syntax, Default Value, Example and Description are given for each):

    keepalive_timeout
      Syntax: keepalive_timeout <time in seconds>
      Default Value: 300
      Example: keepalive_timeout 300
      Description: Time (in seconds) after which the device's connection is disconnected if no TCP keepalive is received.

    client_ip_traffic
      Syntax: client_ip_traffic <value>
      Default Value: 1
      Example: client_ip_traffic 1
      Description: Sets the client-side IP mode:
        • 0 = Dual IPv4/IPv6. Both IPv4 and IPv6 traffic are enabled on the device side.
        • 1 = IPv4 Only. Only IPv4 traffic is enabled on the device side.
        • 2 = IPv6 Only. Only IPv6 traffic is enabled on the device side.

    dns_ip_mode
      Syntax: dns_ip_mode <value>
      Default Value: 1
      Example: dns_ip_mode 0
      Description: Sets the DNS IPv4/IPv6 query mode:
        • 0 = Dual IPv4/IPv6. Both IPv4 and IPv6 results are allowed in the DNS query result.
        • 1 = IPv4 Only. Only IPv4 addresses are allowed in the DNS query result.
        • 2 = IPv6 Only. Only IPv6 addresses are allowed in the DNS query result.

    dns_server_address_1, dns_server_address_2, ...
      Syntax: dns_server_address_1 <ip address or domain name>
      Example: dns_server_address_1 1.2.3.4
      Description: Specifies the DNS servers that devices use for DNS lookups. If not specified, the settings from /etc/resolv.conf are used. Up to four addresses can be specified using the _1, _2, _3 and _4 suffixes.

    api_configuration_fetch_interval
      Syntax: api_configuration_fetch_interval <min>
      Default Value: 60
      Example: api_configuration_fetch_interval 60
      Description: Specifies the interval, in minutes, at which the configuration (including server traffic rules) is re-downloaded from the API (minimum 15).

    dtls_channel
      Syntax: dtls_channel <value>
      Default Value: 1
      Example: dtls_channel 1
      Description: Specifies whether a secondary DTLS channel is enabled for device UDP traffic. Enabling it also requires a firewall modification to allow the UDP port.

    openssl_cipher_list
      Syntax: openssl_cipher_list <value>
      Default Value: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
      Example: openssl_cipher_list ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
      Description: Specifies the cipher suites allowed in TLS handshakes between servers and devices. Uses the format accepted by the OpenSSL ciphers command: https://www.openssl.org/docs/man1.0.2/man1/ciphers.html

    nsx_ethernet_interface
      Syntax: nsx_ethernet_interface <interface name>
      Example: nsx_ethernet_interface eth1
      Description: Specifies the Ethernet interface through which traffic to NSX is routed. A virtual interface is created on top of this Ethernet interface.
      For example, if nsx_host_id is 2 and nsx_ethernet_interface is eth1, and two security groups with two IP sets (192.168.0.0/24 and 192.168.1.0/24) are defined, two virtual interfaces are needed. As a result, eth1:001 is created with 192.168.0.2 and eth1:002 is created with 192.168.1.2.

    access_log_events
      Syntax: access_log_events <events to log>
      Default Value: 1,2,3,4,5
      Example: access_log_events 1,2,3,4,5
      Description: Specifies the events that are written to the access log.
        • 1 - Session connect: Logs when a device connects to the tunnel server.
        • 2 - Session disconnect: Logs when a device disconnects from the tunnel server.
        • 3 - Stream connect: Logs when a TCP connection is established between an application on the device and a host.
        • 4 - Stream disconnect: Logs when a TCP connection is disconnected.
        • 5 - HTTP request/response: Logs when HTTP traffic is detected (unencrypted traffic only).

    access_log_format
      Syntax: access_log_format <format>
      Default Value: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{Device-UID}e"
      Example: access_log_format %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{Device-UID}e"
      Description: Access log format. Supported log variables:
        • %h - remote host
        • %l - remote logname
        • %u - remote user
        • %t - time
        • %r - first line of request
        • %s - status
        • %b - size of response
        • %{variable}i - HTTP request header variables
        • %{variable}e - HTTP request/response variables

    access_log_custom_format_session_connect
      Syntax: access_log_custom_format_session_connect <format>
      Default Value: %{Connection}v %{Connection-ID}v %{Connection-Type}v %{Connection-Status}v %{Connection-Time}v %{Device-Uid}v %{Device-Name}v %{Device-IP}v->%{Cascade-IP}v %{Device-Vpn-IP}v %{VPN-Server-Connection-Availability}v
      Example: access_log_custom_format_session_connect %{Connection}v %{Connection-ID}v %{Connection-Type}v %{Connection-Status}v %{Connection-Time}v %{Device-Uid}v %{Device-Name}v %{Device-IP}v %{Device-Vpn-IP}v %{VPN-Server-Connection-Availability}v
      Description: Defines the access log message format when a new session is connected. See access_log_format for the list of supported specifiers.

    access_log_custom_format_session_disconnect
      Syntax: access_log_custom_format_session_disconnect <format>
      Default Value: %{Connection}v %{Connection-ID}v %{Connection-Time}v %{Device-Uid}v %{Device-Name}v %{Device-App}v %{Remote-Connection-Status}v %{Remote-Host-Name}v %{Remote-Host-IP}v %{Remote-Bytes-Transferred}v
      Example: access_log_custom_format_session_disconnect %{Connection}v %{Connection-ID}v %{Connection-Time}v %{Device-Uid}v %{Device-Name}v %{Device-App}v %{Remote-Connection-Status}v %{Remote-Host-Name}v %{Remote-Host-IP}v %{Remote-Bytes-Transferred}v
      Description: Defines the access log message format when a session is disconnected. See access_log_format for the list of supported specifiers.

    access_log_custom_format_stream_connect
      Syntax: access_log_custom_format_stream_connect <format>
      Default Value: %{Connection}v %{Connection-ID}v %{Connection-Type}v %{Connection-Time}v %{Device-Uid}v %{Device-Name}v %{Device-Username}v %{Device-App}v %{Remote-Connection-Status}v %{Remote-Host-Name}v %{Remote-Host-IP}v
      Example: access_log_custom_format_stream_connect %{Connection}v %{Connection-ID}v %{Connection-Type}v %{Connection-Time}v %{Device-Uid}v %{Device-Name}v %{Device-Username}v %{Device-App}v %{Remote-Connection-Status}v %{Remote-Host-Name}v %
      Description: Defines the access log message format when a new stream is connected. See access_log_format for the list of supported specifiers.

    access_log_custom_format_stream_disconnect
      Syntax: access_log_custom_format_stream_disconnect <format>
      Default Value: %{Connection-ID}v %{Connection-Time}v %{Device-Uid}v %{Device-Name}v %{Device-App}v %{Remote-Connection-Status}v %{Remote-Host-Name}v %{Remote-Host-IP}v %{Remote-Bytes-Transferred}v
      Example: access_log_custom_format_stream_disconnect %{Connection-ID}v %{Connection-Time}v %{Device-Uid}v %{Device-Name}v %{Device-App}v %{Remote-Connection-Status}v %{Remote-Host-Name}v %{Remote-Host-IP}v %{Remote-Bytes-Transferred}v
      Description: Defines the access log message format when a stream is disconnected. See access_log_format for the list of supported specifiers.

    vpn_mode
      Default Value: socks,nat
      Example: vpn_mode nat,socks
      Description: Supported modes:
        • socks: Per-App Tunnel with SOCKS Proxy for Android, iOS and macOS devices.
        • nat: Per-App Tunnel with NAT Protocol for Windows devices.
        • tun (experimental): Per-App Tunnel using the Linux TUN driver for Windows devices. Cannot be used together with 'nat' mode. This mode requires additional configuration, such as an iptables NAT setup or corporate routing for the return traffic, so customers are recommended to use 'nat' mode instead.

    Note: The Custom Settings section used to define the Configuration Key and Configuration Value is available only in Workspace ONE UEM console 2003 or later. For older versions of the Workspace ONE UEM console, the server.conf file has to be modified manually. On Unified Access Gateway 3.7 and later, a service restart removes this configuration.
  8. Select Save.
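The Custom Settings table above states several constraints that the console does not spell out together: the 0/1/2 range of the IP-mode keys, the 15-minute floor on api_configuration_fetch_interval, the five access_log_events IDs, the _1 to _4 suffixes of dns_server_address_N, and the rule that the experimental tun vpn_mode cannot be combined with nat. The following checker is an added example, not VMware's code; it takes the key/value pairs as a plain dictionary (the input shape is an assumption) and reports every documented constraint that a proposed configuration violates before it is saved.

```python
import re

# Ranges and sets taken from the Custom Settings table on this page.
IP_MODES = {"0", "1", "2"}                    # 0 = dual stack, 1 = IPv4 only, 2 = IPv6 only
ACCESS_LOG_EVENTS = {"1", "2", "3", "4", "5"}
VPN_MODES = {"socks", "nat", "tun"}
DNS_KEY = re.compile(r"^dns_server_address_([1-4])$")   # only four suffixes are supported


def validate_custom_settings(settings):
    """Return a list of problems; an empty list means every documented rule is met."""
    problems = []
    for key, raw in settings.items():
        value = raw.strip()
        if key == "keepalive_timeout":
            if not value.isdigit() or int(value) <= 0:
                problems.append(f"{key}: expected a positive number of seconds, got {raw!r}")
        elif key in ("client_ip_traffic", "dns_ip_mode"):
            if value not in IP_MODES:
                problems.append(f"{key}: must be 0, 1 or 2, got {raw!r}")
        elif key == "api_configuration_fetch_interval":
            if not value.isdigit() or int(value) < 15:
                problems.append(f"{key}: minimum is 15 minutes, got {raw!r}")
        elif key == "dtls_channel":
            if value not in ("0", "1"):
                problems.append(f"{key}: must be 0 or 1, got {raw!r}")
        elif key == "access_log_events":
            events = {e.strip() for e in value.split(",")}
            if not events <= ACCESS_LOG_EVENTS:
                problems.append(f"{key}: unknown event id(s) {sorted(events - ACCESS_LOG_EVENTS)}")
        elif key == "vpn_mode":
            modes = {m.strip() for m in value.split(",")}
            if not modes <= VPN_MODES:
                problems.append(f"{key}: unknown mode(s) {sorted(modes - VPN_MODES)}")
            if {"nat", "tun"} <= modes:
                problems.append(f"{key}: 'tun' cannot be used together with 'nat'")
        elif key.startswith("dns_server_address_") and not DNS_KEY.match(key):
            problems.append(f"{key}: only the suffixes _1 to _4 are supported")
    return problems


# Constructed sample (hypothetical values): three mistakes an administrator might make.
SAMPLE = {
    "keepalive_timeout": "300",
    "api_configuration_fetch_interval": "5",   # below the documented minimum of 15
    "vpn_mode": "nat,tun",                     # documented as mutually exclusive
    "dns_server_address_5": "10.0.0.53",       # only _1 .. _4 exist
}

if __name__ == "__main__":
    for problem in validate_custom_settings(SAMPLE):
        print(problem)
```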

What to do next

  • Edit, Disable, or Delete the VMware Tunnel configuration.
  • Download the Installer and XML to finish the setup.
  • Test Connection to verify the server reachability.

You can now configure your advanced settings for the VMware Tunnel component. For more information, see Configure Network Traffic Rules for the Per-App Tunnel.