VMware Tunnel provides granular access control to applications and services both in your network and in the cloud. The VMware Tunnel client provides per-app management, permitting explicit trust of individual applications you want to manage, and domain-based filtering for the easy definition of access control and split-tunneling policies.

VMware Tunnel is built on native frameworks provided across all major platforms. When an application is launched or creates a network request, that request is forwarded to the Tunnel client for routing. In this way, Tunnel provides local filtering for determining what traffic must be tunneled into your network, sent to the Internet or another proxy, or blocked from leaving the device.

Data passed to the Tunnel gateway is carried over TLS and DTLS, and the following checks are performed as part of authentication:
  • VMware Tunnel uses SSL pinning to ensure that the server identity is correct.
  • VMware Tunnel performs TLS mutual authentication with a client certificate that uniquely identifies the device.
  • The VMware Tunnel gateway validates that the client certificate is on a whitelist of trusted certificates within the Workspace ONE UEM Console, and performs a device compliance check to ensure the integrity of the user’s device.

For internal routing of traffic, the Tunnel gateway must have properly configured DNS, because Tunnel routing policies are defined on hostnames rather than IP addresses. If internal DNS is not exposed in the DMZ, it is recommended to deploy VMware Tunnel in cascade mode so that the back-end gateway can use the internal DNS servers.
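To illustrate the domain-based filtering and split-tunneling decision described above, here is an added toy policy evaluator (example code, not VMware's implementation). It assumes a simplified rule format of exact hostnames or `*.suffix` wildcards, three actions (tunnel, direct, block), most-specific-match-wins, and a block-by-default stance; it also shows why a destination given as an IP literal cannot be matched by hostname rules, which is the reason the gateway needs working DNS.

```python
"""Toy evaluator for hostname-based split-tunnel rules (added example, not VMware's code).

Assumptions (not from the page): a rule is (pattern, action); a pattern is an exact
hostname such as "public.corp.example" or a wildcard suffix such as "*.corp.example";
the most specific matching pattern wins; unmatched traffic falls to a default of BLOCK.
"""
from ipaddress import ip_address
from typing import NamedTuple

TUNNEL, DIRECT, BLOCK = "tunnel", "direct", "block"


class Rule(NamedTuple):
    pattern: str
    action: str


# Constructed sample policy: internal apps are tunneled, one public host on the
# corporate domain goes straight to the Internet, a SaaS domain goes direct.
POLICY = [
    Rule("*.corp.example", TUNNEL),
    Rule("public.corp.example", DIRECT),  # exact host overrides the wildcard above
    Rule("*.example.com", DIRECT),
]


def _matches(pattern: str, host: str) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.corp.example" -> ".corp.example"
    return host == pattern


def _specificity(pattern: str):
    # Exact hostnames beat wildcards; among equals, the longer pattern wins.
    return (0 if pattern.startswith("*") else 1, len(pattern))


def route(destination: str, policy=POLICY, default: str = BLOCK) -> str:
    """Return the action for a destination hostname (or IP literal)."""
    host = destination.strip().lower().rstrip(".").strip("[]")
    try:
        ip_address(host)
        # An IP literal carries no hostname, so no hostname rule can match it.
        return default
    except ValueError:
        pass
    matches = [r for r in policy if _matches(r.pattern, host)]
    if not matches:
        return default
    return max(matches, key=lambda r: _specificity(r.pattern)).action
```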