To configure the VMware Tunnel, you need the details of the server where you plan to install it. Decide in advance whether you plan to use features such as syslog integration and SSL offloading, because these features are enabled during configuration.

Note: It is considered a best practice to deploy VMware Tunnel with Unified Access Gateway or on a Linux server. Existing end users who are running VMware Tunnel Proxy on the legacy software can deploy VMware Tunnel Proxy on modern installers with zero downtime. To migrate from the VMware Tunnel Proxy (Legacy MAG) to the Linux Proxy, install VMware Tunnel on a new machine and move the networking configuration with DNS or load balancing. For more information on deploying VMware Tunnel with Unified Access Gateway or on a Linux server, refer to the VMware Tunnel Guide for Linux.

Procedure

  1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel.
    • If this is your first time configuring VMware Tunnel Proxy, then select Configure and follow the configuration wizard screens.
    • If this is not your first time configuring VMware Tunnel Proxy, select the Override radio button, ensure the Enable VMware Tunnel check box is selected, and then select Configure to configure the following settings.
  2. On the Configuration Type screen, enable the Proxy component only, because Per-App Tunnel is not available for a VMware Tunnel for Windows deployment. In the drop-down menu that displays, select whether you are configuring a Relay-Endpoint or Basic deployment.
    Select the information icon to view an example for the selected type.
  3. Select Next.
  4. On the Details screen, configure the following settings.
    • Relay Host Name: This text box only displays if you select Relay-Endpoint as your configuration type. Enter the relay server host name, for example, awtunnel.acmemdm.com.
    • Endpoint Host Name: The name given to the server where the VMware Tunnel Proxy is installed. If you plan to install the VMware Tunnel Proxy on an SSL offloaded server, enter the name of that server in place of the Host Name. When entering the Host Name, do not include a protocol such as http://, https://, etc.
    • Relay Port (HTTPS): The port number automatically assigned for HTTPS communication with the VMware Tunnel Proxy. The default value is 2020.
    • Relay-Endpoint Port: This text box only displays if you select Relay-Endpoint as your configuration type. This value is the port used for traffic between the VMware Tunnel Proxy relay and VMware Tunnel Proxy endpoint. The default value is 2010.
    • Use Kerberos Proxy: Enable Kerberos proxy support to allow access to Kerberos authentication, typically only available inside the corporate network, for your target back end Web services. This feature does not currently support Kerberos Constrained Delegation (KCD). For more information, see Kerberos KDC Proxy Support. The Endpoint server must be on the same domain as KDC for the Kerberos Proxy to communicate successfully with the KDC.
    • Realm: This text box only displays if you enable Use Kerberos Proxy. Enter the domain of the KDC server.
  5. Select Next.
  6. If you are using third-party public SSL certificates for encryption between wrapped apps, VMware Browser, or SDK-enabled apps and the VMware Tunnel Proxy, select the Use Public SSL Certificate check box on the SSL screen. Select Upload to browse for and upload your certificate file (.pfx or .p12).
    This certificate file must contain both your public and private key pair.
  7. Select Next.
  8. On the Authentication screen, select whether to use an enterprise Certificate Authority (CA) in place of Workspace ONE UEM issued certificates for authentication between wrapped apps, VMware Browser, or SDK-enabled apps and the VMware Tunnel Proxy.
    • Select Default to use Workspace ONE UEM issued certificates.
    • Select Enterprise CA to display drop-down menus for the certificate authority and certificate template that you have configured in Workspace ONE UEM. Also upload the root certificate of your CA.
    The CA template must contain CN=UDID in the subject name. Supported CAs are ADCS, RSA, and SCEP.
  9. Select Next.
  10. On the Miscellaneous screen, you can configure whether to enable access logs for the Proxy component.
    You must enable this log before you install the VMware Tunnel Proxy.
  11. Review the summary of your VMware Tunnel Proxy configuration and select Save.
    You are navigated back to the VMware Tunnel Proxy configuration page.
  12. If you plan to install the VMware Tunnel Proxy on an SSL offloaded server, select Export VMware Tunnel Certificate from the Workspace ONE UEM console once the certificate has been generated. Then, import the certificate on the server performing SSL offload.
    This server can be a load balancer or reverse proxy.
  13. Select the General tab and then select the Download Windows Installer hyperlink.

    This button downloads a single EXE file used for installation of both a relay server and endpoint.

    If you want to enable Access Logs using syslog, you must enable this feature through the Advanced tab before you download and run the installer.

  14. Enter and confirm a certificate password and then select Download.
    The VMware Tunnel Proxy password must contain a minimum of six characters and is used during installation.
  15. Select Save.
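
Step 6 requires the uploaded .pfx or .p12 file to contain both the public and private key. The following PowerShell pre-flight check is an added example, not part of the VMware documentation; the function name Test-TunnelPfx and the path in the usage comment are assumptions. It opens the file, fails if no private key is present, and lists each certificate with its validity window.

```powershell
# Added example: Test-TunnelPfx is a hypothetical helper, not a VMware or Workspace ONE UEM cmdlet.
function Test-TunnelPfx {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )

    # EphemeralKeySet keeps the private key in memory only, so the check
    # does not leave key material behind in the local key store.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $certs = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()

    try {
        $certs.Import((Resolve-Path -LiteralPath $Path).ProviderPath, $plain, $flags)
    }
    catch {
        throw "Cannot open '$Path' as PKCS#12 (wrong password or not a .pfx/.p12 file): $($_.Exception.Message)"
    }

    # The SSL screen needs the key pair, so at least one entry must carry a private key.
    $withKey = @($certs | Where-Object { $_.HasPrivateKey })
    if ($withKey.Count -eq 0) {
        throw "'$Path' holds $($certs.Count) certificate(s) but no private key."
    }

    # Report every certificate in the file so the leaf and any chain entries can be reviewed.
    $now = Get-Date
    foreach ($c in $certs) {
        [pscustomobject]@{
            Subject       = $c.Subject
            Issuer        = $c.Issuer
            HasPrivateKey = $c.HasPrivateKey
            NotBefore     = $c.NotBefore
            NotAfter      = $c.NotAfter
            ValidNow      = ($now -ge $c.NotBefore -and $now -le $c.NotAfter)
        }
    }
}

# Usage (placeholder path); the password is prompted for rather than typed on the command line:
# Test-TunnelPfx -Path 'C:\certs\tunnel.pfx' -Password (Read-Host 'PFX password' -AsSecureString)
```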