Many organizations use outbound proxies to control the flow of traffic to and from their network. Outbound proxies can also be used for performing traffic filtering, inspection, and analysis.

It is not mandatory to use outbound proxies with VMware Tunnel, but your organization may choose to deploy them behind one or more VMware Tunnel servers based on recommendations from your security and network teams. For VMware Tunnel on Linux, Workspace ONE UEM supports outbound proxies for the two VMware Tunnel components: Proxy and Per-App Tunnel.

The following table illustrates outbound proxy support for the VMware Tunnel Proxy on Linux:

  Proxy Configuration              Supported?
  Outbound Proxy with no auth      ✓
  Outbound Proxy with basic auth   ✓
  Outbound Proxy with NTLM auth    ✓
  Multiple Outbound Proxies        ✓ (Use Proxy Tool)
  PAC Support                      ✓ (Use Proxy Tool)

During installation, the installer prompts you whether to use an outbound proxy. For relay-endpoint configurations, the outbound proxy communication is configured on the endpoint server that resides in your internal network and can communicate with the outbound proxy.

Outbound Proxy with Authentication

If you want to use an outbound proxy, then enter ‘Yes’ when prompted during Tunnel installation, which then prompts you for the following information:

  • Proxy Host
  • Proxy Port
  • Whether the proxy requires any authentication (Basic/NTLM) and appropriate credentials

Entering this information and completing the installer enables outbound proxy support. This sends all traffic from the VMware Tunnel Proxy server – except requests to the Workspace ONE UEM API/AWCM servers – to the outbound proxy you configure. If you want to send the requests to the API/AWCM servers through your outbound proxy as well, then you must enable the Enable API and AWCM outbound calls via proxy setting on the VMware Tunnel > Advanced settings page.

PAC Files and Multiple Outbound Proxies

A PAC file is a set of rules that a browser checks against to determine where traffic is routed. If you want to use a proxy auto configuration (PAC) file, then provide the path to the PAC file location when prompted during Tunnel installation. If you want to use a PAC file for an outbound proxy that requires authentication, or if you want to use multiple proxies with different hostnames, or if some proxies require authentication (basic/NTLM) and some do not, then use the Proxy Tool for PAC Files and Multiple Outbound Proxies.
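The following is an added example, not part of the VMware documentation: a small PAC file of the kind described above, together with a minimal evaluator so the routing rules can be exercised offline. PAC files are JavaScript, so the example is in JavaScript. All hostnames and proxy addresses are constructed, and the helper functions (isPlainHostName, dnsDomainIs, shExpMatch) are re-implemented here only as far as this PAC file needs them; a real PAC runtime supplies them itself. The PAC sends internal hosts DIRECT, routes traffic for one domain through a primary proxy with a fallback, and sends everything else through a general proxy, which is the "multiple proxies with different hostnames" case the text refers to.

```javascript
// Added example: a constructed PAC file and a tiny evaluator for it.
// Nothing here is VMware code; hostnames and proxies are made up.

// The PAC function exactly as it would appear in a .pac file. The client
// calls it with the full URL and the host of every request.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
  // Internal hosts are reached directly, bypassing any outbound proxy.
  if (dnsDomainIs(host, ".corp.example.internal") || isPlainHostName(host)) {
    return "DIRECT";
  }
  // One domain goes through an authenticated proxy, with a fallback proxy.
  if (shExpMatch(host, "*.awmdm.example.com")) {
    return "PROXY auth-proxy.example.com:8080; PROXY backup-proxy.example.com:8080";
  }
  // Everything else goes through the general (unauthenticated) proxy.
  return "PROXY web-proxy.example.com:3128";
}
`;

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Helper functions that a PAC runtime normally provides. Only the three
// used by the PAC file above are implemented here.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  // Shell-style glob match: "*" matches any run of characters.
  shExpMatch: (str, pattern) => {
    const re = new RegExp("^" + pattern.split("*").map(escapeRegExp).join(".*") + "$");
    return re.test(str);
  },
};

// Compile the PAC source with the helpers in scope and return FindProxyForURL.
function loadPac(source, helpers) {
  const names = Object.keys(helpers);
  const factory = new Function(...names, source + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => helpers[n]));
}

// Turn a PAC result such as "PROXY a:8080; PROXY b:8080" into an ordered
// list of routes; the client tries them in order until one works.
function parseProxyString(result) {
  return result
    .split(";")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((entry) => {
      const [type, hostPort] = entry.split(/\s+/);
      return hostPort ? { type, hostPort } : { type };
    });
}

const findProxyForURL = loadPac(PAC_SOURCE, pacHelpers);

// Resolve the route list for a URL using the PAC file.
function routeFor(url) {
  const host = new URL(url).hostname;
  return parseProxyString(findProxyForURL(url, host));
}

// Example use: show which route each constructed URL gets.
for (const u of ["http://intranet/app", "https://cn123.awmdm.example.com/api", "https://www.example.org/"]) {
  console.log(u, "->", JSON.stringify(routeFor(u)));
}
```

When a PAC file routes some requests to a proxy that requires authentication and others to one that does not, the credentials cannot be expressed in the PAC file itself; that is why the page directs you to the Proxy Tool for those cases.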

Use the Proxy Tool for PAC Files and Multiple Outbound Proxies for VMware Tunnel Proxy

You can use the proxy tool if VMware Tunnel routes its outbound requests through an outbound proxy that has rules set in a PAC file that also requires authentication.

Complete the following steps before you use the Proxy Tool for PAC Files and Multiple Outbound Proxies for VMware Tunnel Proxy:
  • To use the PAC file, edit the proxy.properties file and change PROXY_SEARCH_STRATEGY to 2.
  • Uncomment PAC_URL and enter the PAC file URL or the absolute path of the PAC file on the VMware Tunnel server.
Complete the following steps to use the Proxy Tool for PAC Files and Multiple Outbound Proxies for VMware Tunnel Proxy:
  1. From the Linux CLI, navigate to /opt/vmware/tunnel/proxy/tools.
  2. Make the proxy tool script executable by using the following command:
    chmod a+x proxytool.sh
  3. Run the proxy tool by using the following command:
    sudo sh proxytool.sh
  4. Select your authentication method, which can be None, Basic, or NTLM for a single service account. Also enter your credentials, if applicable, and the URI of the proxy for testing.
  5. Select Save.
  6. Restart the Proxy service by using the following command:
    sudo systemctl restart proxy.service
    After saving, run the following command to check that the proxy settings are updated correctly:
    cat /opt/vmware/tunnel/proxy/conf/proxy-credentials.xml

VMware Tunnel Proxy Tools

The Proxy Tool is an application you can run to configure multiple outbound proxies for the VMware Tunnel.

Use the following commands to navigate the application:

  • Use arrows, tab, shift+tab to navigate.
  • Use Enter or spacebar to select/deselect a proxy.
  • Use Alt+Enter to see details of the highlighted proxy.
  • Use Ctrl+V to paste on text controls.
  • Use F1 to invoke context-sensitive help.
  • Use Esc to exit a window.

Use SSL Offloading for the VMware Tunnel Proxy

Use SSL Offloading to ease the burden of encrypting and decrypting traffic on the VMware Tunnel server. Only the VMware Tunnel Proxy supports SSL Offloading. SSL Offloading, SSL re-encryption, and any other SSL manipulation are not supported for the Per-App Tunnel, because it uses SSL certificate pinning between the client and the server. This creates an end-to-end encrypted tunnel that can only be decrypted by the server itself. All traffic to the Per-App Tunnel on port 8443 must be allowed to pass through to the VMware Tunnel server.

The Tunnel Proxy encrypts traffic to HTTP endpoints using HTTP tunneling with an SSL certificate and sends that traffic over port 2020 as HTTPS. To enable SSL Offloading, enable SSL Offloading in the VMware Tunnel console configuration and select SSL Offloading during installation on the Relay server. Enabling this setting ensures the relay expects all unencrypted traffic on the port you configured. The original host headers of the request must be forwarded to the tunnel server from wherever traffic is SSL offloaded.

You can perform SSL offloading with products such as F5 BIG-IP Local Traffic Manager (LTM), Microsoft Forefront Unified Access Gateway, Threat Management Gateway (TMG), or Internet Security and Acceleration Server (ISA). Support is not exclusive to these solutions. VMware Tunnel Proxy is compatible with general SSL offloading solutions if the solution supports the HTTP CONNECT method. In addition, ensure that your SSL offloading solution is configured to forward original host headers to the VMware Tunnel relay server. The SSL certificate configured in the Workspace ONE UEM console for the Tunnel Proxy must be imported to the SSL termination proxy.

Ensure settings are configured properly in the UEM console, on the VMware Tunnel server, and in your SSL offloading solution in order to successfully implement SSL Offloading for the Tunnel Proxy.

SSL Offloading Requirements

  • HTTP CONNECT method supported by SSL offloading solution
  • SSL Offloading solution configured to forward original host headers
  • VMware Tunnel Proxy SSL certificate installed on your SSL termination proxy.

    If you are using a Workspace ONE UEM Certificate and not a public SSL certificate, then you can export the SSL certificate from the UEM console by navigating to Settings > System > Enterprise Integration > VMware Tunnel > Configuration, then selecting the Advanced tab and selecting the Export Certificate button under Authentication.
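The following is an added example, not part of the VMware documentation, that turns the two protocol-level requirements above (HTTP CONNECT support and forwarding of the original host headers) into a check you can run against a request captured on the relay's plaintext port after offloading. The sample requests are constructed, the relay hostname tunnel-relay.example.com is an assumed value, and the rule that a CONNECT request's Host header must equal its target authority comes from HTTP/1.1 (RFC 7230 section 5.4), not from the VMware page. It reports the two failure modes a misconfigured terminator typically produces: the Host header dropped, or rewritten to the relay's own address.

```javascript
// Added example: check that an offloaded request still carries the original
// Host header. Not VMware code; the relay name and samples are constructed.

const RELAY_HOST = "tunnel-relay.example.com"; // assumed relay hostname

// Parse the request line and headers of a raw HTTP/1.1 request head.
// Header names are lower-cased so lookups are case-insensitive.
function parseRequestHead(raw) {
  const [head] = raw.split("\r\n\r\n");
  const lines = head.split("\r\n");
  const [method, target, version] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, target, version, headers };
}

// Return { ok, reason } describing whether the request, as received on the
// relay after SSL offloading, still identifies the original destination.
function checkOffloadedRequest(raw) {
  const req = parseRequestHead(raw);
  const host = req.headers["host"];
  if (!host) {
    return { ok: false, reason: "Host header missing: the offloader did not forward it" };
  }
  // A terminator that rewrites Host to its upstream target hides the real
  // destination from the tunnel server.
  if (host === RELAY_HOST || host.startsWith(RELAY_HOST + ":")) {
    return { ok: false, reason: "Host header rewritten to the relay address" };
  }
  // For CONNECT, HTTP/1.1 requires Host to match the authority in the request line.
  if (req.method === "CONNECT" && host !== req.target) {
    return { ok: false, reason: `Host header ${host} does not match CONNECT target ${req.target}` };
  }
  return { ok: true, reason: "original Host header preserved" };
}

// Constructed samples of what the relay might receive on its plaintext port.
const SAMPLE_GOOD =
  "CONNECT intranet.corp.example.internal:443 HTTP/1.1\r\n" +
  "Host: intranet.corp.example.internal:443\r\n\r\n";
const SAMPLE_REWRITTEN =
  "CONNECT intranet.corp.example.internal:443 HTTP/1.1\r\n" +
  "Host: tunnel-relay.example.com\r\n\r\n";
const SAMPLE_NO_HOST =
  "CONNECT intranet.corp.example.internal:443 HTTP/1.1\r\n\r\n";

// Example use: report each sample.
for (const [name, raw] of [["good", SAMPLE_GOOD], ["rewritten", SAMPLE_REWRITTEN], ["no-host", SAMPLE_NO_HOST]]) {
  const result = checkOffloadedRequest(raw);
  console.log(name, result.ok ? "OK" : "FAIL", "-", result.reason);
}
```

To apply this to a real deployment, capture the first request bytes arriving on the relay's configured plaintext port from the termination proxy and feed them to checkOffloadedRequest; a FAIL result points at the terminator's header-rewriting configuration rather than at the Tunnel server.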

The following diagram illustrates how SSL offloading affects traffic in a relay-endpoint configuration.

Note: SSL offloading for basic configuration has communication from the SSL termination proxy going directly to the VMware Tunnel endpoint.

SSL Offloading Traffic Flow

  1. A device requests access to internal resources from an AirWatch Software Development Kit (SDK) enabled application; the requested resource can be either an HTTP or HTTPS endpoint.
    • Requests to HTTP and HTTPS endpoints are sent over port 2020 by default, which is the port you configure in the Workspace ONE UEM console during VMware Tunnel Proxy configuration.

  2. The traffic reaches an SSL Termination Proxy (customers use their own SSL termination proxy), which must meet the SSL Offloading requirements.

    If you are using a Workspace ONE UEM Certificate and not a public SSL certificate, then you can export the SSL certificate from the UEM console by navigating to Settings > System > Enterprise Integration > VMware Tunnel > Configuration then selecting the Advanced tab and selecting the Export Certificate button under Authentication.

  3. Requests to HTTP(S) endpoints have SSL offloaded at the termination proxy and are sent to the relay server unencrypted over port 2020 by default. Traffic sent from the relay to the endpoint over port 2010 is encrypted with the UEM-issued Tunnel certificate; SSL Offloading between the Relay and Endpoint is not supported for VMware Tunnel Proxy.
  4. The traffic continues from the relay server to the endpoint server on port 2010 by default.
  5. The endpoint server communicates with your back end systems to access the requested resources.