Configure VMware Tunnel Proxy using the configuration wizard. The wizard walks you through the installer configuration step by step. The options configured in the wizard are packaged in the installer, which you can download from the Workspace ONE UEM console and move to your Tunnel servers. Configure the VMware Tunnel Proxy in the UEM console under Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel Proxy. Changing the details in this wizard typically requires a reinstall of the VMware Tunnel with the new configuration. To configure the VMware Tunnel Proxy, you need the details of the server where you plan to install. Before configuration, determine the deployment model, hostnames and ports, and which features of VMware Tunnel to implement. Also decide whether to enable access log integration, SSL offloading, enterprise certificate authority integration, and so on.

Complete the following steps to configure advanced settings for the VMware Tunnel Proxy:

Note: The wizard dynamically displays the appropriate options based on your selections, so the configuration screens may display different text boxes and options.
  1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel > Proxy.
    • If you are configuring VMware Tunnel for the first time, then select Configure and follow the configuration wizard screens.
    • If you are configuring VMware Tunnel for the first time, then select Override, then select the Enabled VMware Tunnel toggle switch, and then select Configure.
    • Note: Overriding VMware Tunnel Proxy settings does not override VMware Tunnel configuration settings.
  2. On the Deployment Type screen, select the Enable Proxy (Windows & Linux) toggle switch, and then select the components that you want to configure using the Proxy Configuration Type drop-down menu.
  3. In the drop-down menus that display, select whether you are configuring a Basic or a Relay-Endpoint deployment as the Proxy Configuration Type. To see an example for the selected type, select the information icon.
  4. Select Next.
  5. On the Details screen, configure the following settings. The options that are displayed on the Details screen depend on the configuration type you have selected in the Proxy Configuration Type drop-down menu.
    • If you choose the Basic Proxy Configuration Type, enter the following information:

      Hostname: Enter the FQDN of the public host name for the Tunnel server, for example, tunnel.acmemdm.com. This hostname must be publicly available as it is the DNS name that devices connect to from the Internet.

      Relay Port: The proxy service is installed on this port. Devices connect to <relayhostname>:<port> to use the VMware Tunnel proxy feature. The default value is 2020.

      Relay Host Name (Relay-Endpoint only): Enter the FQDN of the public host name for the Tunnel relay server, for example, tunnel.acmemdm.com. This hostname must be publicly available as it is the DNS name that devices connect to from the Internet.

      Enable SSL Offloading: Select this check box if you want to use SSL Offloading to ease the burden of encrypting and decrypting traffic from the VMware Tunnel server.

      Use Kerberos Proxy: To allow access to Kerberos authentication for your target back-end Web services, select the Use Kerberos Proxy check box. This feature does not currently support Kerberos Constrained Delegation (KCD). The Endpoint server must be on the same domain as the KDC for the Kerberos Proxy to communicate successfully with the KDC.

    • If you choose the Relay-Endpoint Proxy Configuration Type, enter the following information:

      Relay Host Name: Enter the FQDN of the public host name for the Tunnel relay server, for example, tunnel.acmemdm.com. This hostname must be publicly available as it is the DNS name that devices connect to from the Internet.

      Endpoint Host Name: The internal DNS name of the Tunnel endpoint server. This value is the hostname that the relay server connects to on the relay-endpoint port. If you plan to install the VMware Tunnel on an SSL offloaded server, enter the name of that server in place of the Host Name. When you enter the Host Name, do not include a protocol, such as http://, https://, and so on.

      Relay Port: The proxy service is installed on this port. Devices connect to <relayhostname>:<port> to use the VMware Tunnel proxy feature. The default value is 2020.

      Endpoint Port: This value is the port used for communication between the VMware Tunnel relay and VMware Tunnel endpoint. The default value is 2010. If you are using a combination of Proxy and Per-App Tunnel, the relay endpoint installs as part of the Front-End Server for Cascade mode. The ports must use different values.

      Enable SSL Offloading: Select this check box if you want to use SSL Offloading to ease the burden of encrypting and decrypting traffic from the VMware Tunnel server.

      Use Kerberos Proxy: To allow access to Kerberos authentication for your target back-end Web services, select the Use Kerberos Proxy check box. This feature does not currently support Kerberos Constrained Delegation (KCD). The Endpoint server must be on the same domain as the KDC for the Kerberos Proxy to communicate successfully with the KDC. In the Realm text box, enter the Realm of the KDC server.

  6. Select Next.
  7. On the SSL screen, you can configure the public SSL certificate that secures the client-server communication from the enabled application on a device to the VMware Tunnel. By default, this setup uses an AirWatch certificate for secure server-client communication.
    1. Select the Use Public SSL Certificate option if you prefer to use a third-party SSL certificate for encryption between Workspace ONE Web or SDK-enabled apps and the VMware Tunnel server.
    2. Select Upload to upload a .PFX or .P12 certificate file and enter the password. This file must contain both your public and private key pair. CER and CRT files are not supported.
  8. Select Next.
  9. On the Authentication screen, configure the following settings to select the certificates that devices use to authenticate to the VMware Tunnel. By default, all the components use AirWatch issued certificates. To use Enterprise CA certificates for the client-server authentication, select the Enterprise CA option.
    1. Select Default to use AirWatch issued certificates. The default AirWatch issued client certificate does not automatically renew. To renew these certificates, republish the VPN profile to devices that have an expiring or expired client certificate. View the certificate status for a device by navigating to Devices > Device Details > More > Certificates.
    2. Select Enterprise CA to use enterprise CA certificates in place of AirWatch issued certificates for authentication between the Workspace ONE Web, Per-App Tunnel-enabled apps, or SDK-enabled apps and the VMware Tunnel. This option requires that a certificate authority and certificate template are set up in your Workspace ONE UEM environment before configuring VMware Tunnel.
    3. Select the Certificate Authority and Certificate Template that are used to request a certificate from the CA.
    4. Select Upload to upload the full chain of the public key of your certificate authority to the configuration wizard.

      The CA template must contain CN=UDID in the subject name. Supported CAs are ADCS, RSA, and SCEP.

      Certificates auto-renew based on your CA template settings.

  10. Click Add to add an Intermediate Certificate.
  11. Select Next.
  12. On the Miscellaneous screen, you can use access logs for the proxy or Per-App Tunnel components. Enable the Access Logs toggle switch to configure the feature.

    If you intend to use this feature you must configure it now as part of the configuration, as it cannot be enabled later without reconfiguring Tunnel and rerunning the installer. For more information on these settings, see access logs and syslog integration and configure advanced settings for VMware Tunnel.

    1. Enter the URL of your syslog host in the Syslog Hostname field. This setting displays after you enable Access Logs.
    2. Enter the port over which you want to communicate with the syslog host in the UDP Port field.
  13. Select Next, review the summary of your configuration, confirm that all hostnames, ports and settings are correct, and select Save. The installer is now ready to download on the VMware Tunnel Configuration screen.
  14. On the Configuration screen, select the General tab. The General tab allows you to do the following:
    1. You can select Test Connection to verify the connectivity.
    2. You can select Download Configuration XML to retrieve the existing VMware Tunnel instance configuration as an XML file.
    3. You can select the Download Unified Access Gateway hyperlink. This button downloads the non-FIPS OVA file. The download file also includes the PowerShell script and .ini template file for the PowerShell deployment method. You must download the VHDX or FIPS OVA from My Workspace ONE.
    4. For legacy installer methods, you can select Download Windows Installer. This button downloads a single BIN file used for deploying the VMware Tunnel server. The configuration XML file required for installation can be downloaded from the Workspace ONE UEM console after confirming the certificate password.
  15. Select Save.
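As an added pre-flight check (not part of VMware's documentation or product), the following Python function encodes the wizard constraints stated above: bare FQDNs without a protocol, valid and (in Cascade mode) distinct relay and endpoint ports, a .pfx/.p12 public certificate, CN=UDID in the CA template subject, and a KDC realm when the Kerberos proxy is enabled. The dictionary keys and function names are assumptions for this example, not console field identifiers.

```python
import re

# Labels of letters, digits and hyphens only; no scheme, port or path allowed.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$", re.I)


def _check_hostname(value, label, findings):
    """Hostnames entered in the wizard must be bare FQDNs."""
    if not value:
        findings.append(f"{label}: value is required")
    elif "://" in value or "/" in value:
        findings.append(f"{label}: remove the protocol and path, enter only the FQDN")
    elif not FQDN_RE.match(value):
        findings.append(f"{label}: '{value}' is not a valid FQDN")


def validate_tunnel_proxy_config(cfg):
    """Return a list of findings; an empty list means the inputs look sane.
    cfg is a plain dict whose key names are assumed for this example."""
    findings = []
    relay_endpoint = cfg.get("deployment") == "relay-endpoint"
    _check_hostname(cfg.get("relay_hostname"),
                    "Relay Host Name" if relay_endpoint else "Hostname", findings)
    if relay_endpoint:
        _check_hostname(cfg.get("endpoint_hostname"), "Endpoint Host Name", findings)

    relay_port = int(cfg.get("relay_port", 2020))        # console default
    endpoint_port = int(cfg.get("endpoint_port", 2010))  # console default
    for name, port in (("Relay Port", relay_port), ("Endpoint Port", endpoint_port)):
        if not 1 <= port <= 65535:
            findings.append(f"{name}: {port} is outside 1-65535")
    # Proxy plus Per-App Tunnel (Cascade mode) needs distinct relay/endpoint ports.
    if relay_endpoint and cfg.get("cascade") and relay_port == endpoint_port:
        findings.append("Relay Port and Endpoint Port must use different values")

    # A public SSL certificate upload must be a PFX/P12 holding the key pair.
    cert = cfg.get("public_ssl_cert_file")
    if cert and not cert.lower().endswith((".pfx", ".p12")):
        findings.append(f"Public SSL certificate: '{cert}' must be .pfx or .p12")

    # Enterprise CA: the template subject must carry the device UDID as CN.
    if cfg.get("auth") == "enterprise-ca" and not re.search(
            r"\bCN=UDID\b", cfg.get("ca_template_subject", ""), re.I):
        findings.append("CA template subject name must contain CN=UDID")

    # Kerberos proxy needs the KDC realm unless a KDC Server IP override is set.
    if cfg.get("use_kerberos_proxy") and not (cfg.get("realm") or cfg.get("kdc_ip")):
        findings.append("Use Kerberos Proxy: enter the KDC Realm or a KDC Server IP")
    return findings
```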

Configure Advanced Settings for the VMware Tunnel Proxy

The Advanced tab on the Configuration screen lets you configure more settings that are optional for the VMware Tunnel Proxy. Except where noted, you can configure these settings before or after installation.

  1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel > Configuration and select the Advanced tab.
  2. Configure the following VMware Tunnel Proxy settings.
    RSA Adaptive Auth Integration: Enable this setting if you want to integrate VMware Tunnel Proxy with RSA authentication for comprehensive Web browsing security.

    Access Logs: Enable this setting to tell VMware Tunnel to write access logs to syslog for any of your own purposes. These logs are not stored locally. They are pushed to the syslog host over the port you define. Communication to the syslog server occurs over UDP, so ensure that UDP traffic is allowed over this port.

      In relay-endpoint deployments, the relay server writes the access logs; in a basic deployment, the basic server writes the access logs.

      There is no correlation between this syslog integration and the integration accessed on Groups & Settings > All Settings > System > Enterprise Integration > Syslog.

      This feature can be enabled during the initial configuration in the Advanced settings tab in the Workspace ONE UEM console. If configured after installation, you must reinstall VMware Tunnel.

      Syslog Hostname: Enter the URL of your syslog host and the UDP Port over which you want to communicate. Ensure that the logging level for access logs is set appropriately in rsyslog.conf on the syslog server.

      UDP Port: Enter the port over which you want to communicate with the syslog host. This setting displays after you enable Access Logs.

    API and AWCM outbound calls via proxy: Enable this option if the communication between the VMware Tunnel and Workspace ONE UEM API or AWCM is through an outbound proxy.

    Show detailed errors: Enable this option to ensure client applications (for example, Workspace ONE Web) are informed when the VMware Tunnel fails to authenticate a device.

    Log Level: Set the appropriate logging level, which determines how much data is reported to the LOG files.

    Authentication: Maintain your SSL certificates. If you are using AirWatch SSL, select Regenerate to regenerate the certificates.

  3. If you are using an AirWatch certificate and not a public SSL certificate, then you can export the SSL certificate. Select Export if you choose to export the certificate.
  4. Select View Configuration XML to view the configuration XML. You can also Download a local copy if required.
  5. If applicable, configure the Relay-endpoint authentication credentials settings, which are used for authentication between the relay and endpoint servers. These text boxes are pre-populated for you after configuration, but you can change them, for example, to meet your organization password strength requirements.
    Table 1.

      Username: Enter the user name used to authenticate the relay and endpoint servers.

      Password: Enter the password used to authenticate the relay and endpoint servers. Select Change if you choose to change your password credentials.
  6. Select Save.

Enable Kerberos VMware Tunnel Proxy Settings

The VMware Tunnel Proxy supports a Kerberos KDC Proxy for requesting applications that support Kerberos authentication. The Kerberos KDC proxy (KKDCP) is installed on the endpoint server.

Workspace ONE UEM KKDCP acts as a proxy to your internal KDC server. Workspace ONE UEM-enrolled and compliant devices with a valid Workspace ONE UEM issued identity certificate can be allowed to access your internal KDC. For a client application to authenticate to Kerberos-enabled resources, all the Kerberos requests must be passed through KKDCP.

The basic requirement for Kerberos authentication is to make sure that you install the Endpoint with the Kerberos proxy setting enabled during configuration in a network where it can access the KDC server.

Complete the following steps before you enable Kerberos VMware Tunnel Proxy Settings.

  • For HTTPS sites, Workspace ONE Web for Android supports Kerberos authentication only when the site also has NTLM authentication enabled. This requirement is because the Android WebView, on which the Workspace ONE Web is built, does not support Kerberos authentication natively.
  • HTTP Sites do not require NTLM authentication as the VMware Tunnel can perform Kerberos authentication without NTLM being enabled.
  • Currently, this functionality is only supported with the Workspace ONE Web v2.5 and higher for Android.

Complete the following steps to enable Kerberos VMware Tunnel Proxy Settings:

  1. During the configuration, check the box Use Kerberos proxy and enter the Realm of the KDC server.
  2. If the Realm is not reachable, then you can configure the KDC server IP on the Advanced settings tab in system settings. Only add the IP if the Realm is not reachable, as it takes precedence over the Realm value entered in the configuration.

    By default the Kerberos proxy server uses port 2040, which is internal only. Therefore, no firewall changes are required to have external access over this port.

    On Windows, once the VMware Tunnel Proxy is installed, you can see that a new Windows service called AirWatch Kerberos Proxy has been added.

  3. Save the settings and download the installer to install VMware Tunnel Proxy.
  4. Enable Kerberos from the SDK settings in the Workspace ONE UEM console so the requesting application is aware of the KKDCP.
    • Navigate to Groups & Settings > All Settings > Apps > Settings And Policies and select Security Policies.
    • Under Integrated Authentication, select Enable Kerberos.
    • Save the settings.

Configure Kerberos VMware Tunnel Proxy Settings

You can configure Kerberos KDC Proxy for the proxy component. The basic requirement for Kerberos authentication is to make sure that you install the Endpoint with the Kerberos proxy setting enabled during configuration in a network where it can access the KDC server.

Complete the following steps to Configure Kerberos VMware Tunnel Proxy Settings:

  1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel Proxy > Configuration and select the Advanced tab to configure the Kerberos Proxy settings, which display only if you select Use Kerberos Proxy during the VMware Tunnel configuration.
  2. If the realm info you entered during configuration does not work properly, you can enter the KDC IP address here, which overrides the information that you provided during configuration. You must reinstall the VMware Tunnel after changing these settings. A restart does not work.
  3. Complete the following settings to configure Kerberos proxy settings.
    Table 2.

      KDC Server IP: Enter your KDC Server IP address. This text box displays only if you select Use Kerberos Proxy during VMware Tunnel configuration.

      Kerberos Proxy Port: Enter the port over which VMware Tunnel can communicate with your Kerberos Proxy. This text box displays only if you select Use Kerberos Proxy during VMware Tunnel configuration.