VMware Tunnel uses certificates to authenticate communication among the Workspace ONE UEM console, VMware Tunnel, and end-user devices. The following workflows show the initial setup process and certificate integration cycle.
Initial Setup Workflow
- VMware Tunnel connects to the Workspace ONE UEM API and authenticates with an API Key and a Certificate.
- Traffic requests are SSL encrypted using HTTPS.
- Setup authorization is restricted to admin accounts with a role enabled for the VMware Tunnel setup role (see preliminary steps).
- Workspace ONE UEM generates a unique identity certificate pair for both the Workspace ONE UEM and VMware Tunnel environments.
- The Workspace ONE UEM certificate is unique to the group selected in the Workspace ONE UEM console.
- Both certificates are generated from a trusted Workspace ONE UEM root.
- Workspace ONE UEM generates a unique self-signed certificate to be used as the server certificate. Optionally, you can also use your own Public SSL certificate instead of the self-signed certificate on the Front-end VMware Tunnel server (if VMware Tunnel is deployed using the cascade mode) or on the backend server (if VMware Tunnel is deployed using the basic mode).
- Workspace ONE UEM sends the unique certificates and trust configuration back to the VMware Tunnel server over HTTPS.
The VMware Tunnel configuration trusts only messages signed from the Workspace ONE UEM environment. This trust is unique per group.
Any additional VMware Tunnel servers set up in the same Workspace ONE UEM group as part of a highly available (HA) load-balanced configuration are issued the same unique VMware Tunnel certificate.
For more information about high availability, refer to the VMware Workspace ONE UEM Recommended Architecture Guide.
Certificate Integration Cycle
- Workspace ONE UEM generates Device Root Certificates that are unique to every instance during the installation process.
For Proxy: The Device Root Certificate is used to generate client certificates for each of the applications and devices.
For Per-App Tunnel: The VMware Tunnel Device Root Certificate is used to generate client certificates for each device.
- For Proxy: The certificate an application uses to authenticate with the VMware Tunnel is only provided after the application attempts to authenticate with the Workspace ONE UEM enrollment credentials for the first time.
For Per-App Tunnel: The certificate is generated at the time of profile delivery.
- VMware Tunnel gets the chain during installation. The VMware Tunnel installer is dynamically packaged and picks these certificates at the time of download.
- VMware Tunnel makes an outbound call to the AWCM/API server to receive updated details on the device and certificates. The following details are exchanged during this process: DeviceUid, CertThumbprint, applicationBundleId, EnrollmentStatus, complianceStatus.
- VMware Tunnel maintains a list of devices and certificates and only authenticates the communication if it sees a certificate it recognizes.
X.509 (version 3) digitally signed client certificates are used for authentication.