Network traffic rules allow you to set granular control over how the VMware Tunnel directs traffic from devices. Create device traffic rules to control how devices handle traffic from specified applications and server traffic rules to manage network traffic when you have third-party proxies configured.
Device traffic rules force VMware Tunnel to send traffic through the tunnel, block all traffic to specified domains, bypass the internal network and go straight to the Internet, or send traffic to an HTTPS proxy site. The device traffic rules are created and ranked to give an order for running the rules. Every time a specified application is opened, VMware Tunnel checks the list of rules to determine which rule applies to the situation. If no rule matches the situation, Tunnel applies the default action. The default action, set for all applications except Safari, applies to domains not mentioned in a rule. The device traffic rules you create apply to all VPN VMware Tunnel profiles in the organization group the rules are created in.
Server traffic rules enable you to manage the network traffic when you have third-party proxies configured in your network. These rules apply to traffic originating from the VMware Tunnel. The rules force VMware Tunnel to send traffic for specified destinations to either use the proxy or bypass it.
VMware Tunnel supports Network Traffic rules for the following platforms:
iOS devices with VMware Workspace ONE Tunnel for iOS.
macOS devices with VMware Workspace ONE Tunnel for macOS.
Android devices with VMware Workspace ONE Tunnel for Android.
Windows desktop devices with VMware Workspace ONE Tunnel desktop application.
Note:
Device Traffic Rules that you add apply only to the Windows Tunnel Desktop Client, not to the Windows Store app. A device-wide VPN profile must be enabled to use the Windows Tunnel Desktop Client.
Create Device Traffic Rules
The Device Traffic Rules (DTR) define how traffic from specified applications is routed by the Workspace ONE Tunnel application. The device traffic rules serve as a locally enforced Access Control List, defining which apps and destinations should be blocked, tunneled, proxied, or bypass the tunnel completely.
Administrators can create multiple Device Traffic Rules sets through Manage Traffic Assignments to segment traffic to internal resources, for example, less restrictive rules for employee devices and more restrictive rules for contractor devices.
Complete the following steps to create device traffic rules:
By default, the Device Traffic Rules settings of a child OG (organization group) are set to Inherit. You can select Override to edit the DTR settings for the current OG. If you later want to return to inheriting the Device Traffic Rules settings of the current OG's parent OG, select Clear Override.
Click Edit. Click Add to create a new DTR set, or edit the default DTR set.
Per Application: Only applications configured for Per-App VPN are considered, and the action is taken based on the destination FQDN/IP.
Full Device: Directs all applications and all traffic from the device through an encrypted tunnel to the corporate data center based on the destination FQDN/IP.
Full Device tunnel mode is supported only on Windows Tunnel Desktop Client 23.02 and above and Android Tunnel 21.12 and above for AE.
We suggest bypassing the VMware Workspace ONE DS URL when using Full Device VPN with the default action set to Tunnel.
Select Add Rule to create a rule.
These rules are only applicable to the Per-App Tunnel component of VMware Tunnel for Android, iOS, macOS, and Windows Desktop devices. For iOS, use the Workspace ONE Tunnel client application from the App store. For Windows Desktop, use the Workspace ONE Tunnel Desktop application.
Rank: Select and drag a rule to rearrange the ranking of your network traffic rules.
Application: Select Add to add a triggering application for the network rule. This drop-down menu is populated with applications with Per App VPN enabled and Safari for macOS. If you configure rules for the Safari app for macOS, the traffic rules override and deactivate any domain rules configured in existing profiles.
Action: Select the action from the drop-down menu that Tunnel applies to all network traffic from the triggering app when the app starts.
Tunnel – Sends app network traffic for the specified domains through the tunnel to your internal network. All apps, except Safari, on the device configured for Per App VPN send their network traffic through the tunnel. For example, set the Default Action to Tunnel to ensure that all configured apps without a defined traffic rule use the Tunnel for internal communications.
Block – Blocks all apps, except Safari, on the device configured for Per App VPN from sending network traffic. For example, set the Default Action to Block to ensure that all configured apps without a defined traffic rule cannot send any network traffic, regardless of destination.
Bypass – All apps, except Safari, on the device configured for Per App VPN bypass the tunnel and connect to the Internet directly. For example, set the Default Action to Bypass to ensure that all configured apps without a defined traffic rule bypass the Tunnel and access their destination directly.
Proxy – Redirects traffic to the specified HTTPS proxy for the listed domains. The proxy must be HTTPS and must follow the format https://example.com:port.
Tunnel+Proxy – Redirects traffic to a specified HTTP proxy that resides behind Tunnel.
Note:
This action is supported by the Tunnel SDK on iOS and Android as used by the Workspace ONE Web app. The only configuration required here is the proxy host; the proxy destinations must be provided to the Workspace ONE Web app.
Destination: Enter the hostnames to which the action set for the rule applies. For example, for the Block action, enter all the domains that the app must be blocked from accessing.
Use a comma (,) to distinguish between hostnames.
You can use wildcard characters in hostnames. Wildcards must follow one of these formats:
- *.* — You cannot use this wildcard for Safari domain rules.
- * — You cannot use this wildcard for Safari domain rules.
For Android, iOS, and macOS devices, IP range, IP subnet, and port matching are not supported. If you want to take an action for a particular IP address, add that IP address to the device traffic rules. For example, App > Tunnel > 10.10.10.10.
IP addresses and port ranges are supported only for Device Traffic Rules on Windows 10 devices. The following list contains the supported IPv4 and port range formats for Device Traffic Rules (DTR):
- Single IP: 10.10.0.1 or 10.10.10.1/32
- IP range or subnet
- List of ports
- List of ports and port ranges: *.example.com:[80,443,8080-8085], 10.10.10.1:[80,443,8080-8085], 10.10.11.1/32:[80,443,8080-8085]
Select Save to save your changes.
Select the Platform.
For Windows Tunnel Desktop Client, complete the following steps:
Enter a Friendly Name for the application.
Select the App Type.
Enter the App Identifier.
The App Identifier is the path or the package family name (PFN) of the application. For a Store App, the Package Family Name (PFN) is used and can be found with the PowerShell command Get-AppxPackage *<app_name>. For a Desktop App, the file path is used. For example, you can use C:\Program Files (x86)\acme\app.exe.
Note:
macOS traffic rules can be created only if you are using UEM console 1910 or above. Older versions must configure the rules through a profile.
For macOS applications, complete the following steps:
Enter the Friendly Name for the application.
Enter the Package ID.
Enter the Designated Requirement.
Enter the Path.
This text box is optional and applies only to macOS Catalina and above. Enter the Path when the command-line utilities to be allowlisted are bundled inside an application. For example, vmware-remotemks must be allowlisted with path details with the VMware Horizon Client application.
Select Save to save your changes.
If you want to change an application, in the Manage Applications window, select the application you want to edit and make your changes.
If you want to delete an application, in the Manage Applications window, select the application you want to delete and click Delete.
Enter the Device Traffic Rule SET Name.
Configure the Device Traffic Rules.
Click Save or Save and Publish.
When the administrator changes the Device Traffic Rules and clicks Save, the Device Traffic Rules are mapped to the profile, but the updated rules are not pushed to devices where the VPN profile is already installed. The Device Traffic Rules are only updated for newly enrolled devices or for devices that have the VPN profile reinstalled.
To send the updated Device Traffic Rules to the devices after modifying them, administrators must click Save and Publish. Save and Publish adds a version to the VPN profile and republishes the Device Traffic Rules to all the devices.
You cannot delete the Default Traffic Rule set.
Save and Publish option is available only for the Default Traffic Rule set.
If an administrator changes the Android application in the Device Traffic Rules and clicks Save and Publish, the VPN profiles for both iOS and Android get a version update, and VPN profile installs are queued for all the assigned devices.
Reinstalling the profile reissues the client certificate to the device with a new thumbprint.
Each assignment of Device Traffic Rules can be selected within your Tunnel profile. This allows you to create different policies for different types of personas based on user, device, or use-case.
Wildcard Guidelines and Use of Asterisk
When defining the Device Traffic Rules destination, the administrator can enter a list of domains to allow, block, or bypass traffic for. Wildcards are supported in hostnames, and multiple entries must be separated by commas (,).
- Includes primary domain and subdomains - for example, www.example.com, example.com, store.example.com
- *.* — You cannot use this wildcard for Safari domain rules (iOS and macOS specific)
- * — You cannot use this wildcard for Safari domain rules (iOS and macOS specific)
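The rank-ordered evaluation, the default action, the Destination field formats and the wildcard guidelines above can be pulled together into one executable model. The following JavaScript is an added example, not VMware code and not a description of the Tunnel client's implementation: it parses destinations in the formats the page lists (hostnames with * and *.* wildcards, and the Windows-only single IP, CIDR and :[ports] forms), evaluates a rule set in rank order, and falls back to the default action when nothing matches. The first-match-wins semantics, the app identifiers, the sample rule set and the hostnames are assumptions made for illustration.

```javascript
// Added example (not VMware code): a model of how a ranked Device Traffic Rules set resolves
// the action for one connection. Assumed semantics: rules are tried in rank order, the first
// rule whose application and destination both match wins, and a connection matching no rule
// gets the set's default action. Destination syntax follows the page: hostnames with '*' and
// '*.*' wildcards, plus (Windows only) IPv4 addresses, CIDR subnets and ':[80,443,8080-8085]'
// port lists.

function escapeRegex(s) {
  return s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
}

// Split a comma-separated destination list without splitting inside a port bracket.
function splitDestinations(text) {
  const entries = [];
  let current = '';
  let depth = 0;
  for (const ch of text) {
    if (ch === '[') depth += 1;
    if (ch === ']') depth -= 1;
    if (ch === ',' && depth === 0) {
      entries.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  entries.push(current);
  return entries.map((e) => e.trim()).filter((e) => e.length > 0);
}

// "10.10.11.1/32:[80,443,8080-8085]" -> { host: "10.10.11.1/32", ports: [[80,80],[443,443],[8080,8085]] }
function parseDestination(entry) {
  const m = entry.trim().match(/^(.+?)(?::\[([^\]]*)\])?$/);
  const ports = [];
  if (m[2]) {
    for (const piece of m[2].split(',')) {
      const range = piece.trim().match(/^(\d+)(?:-(\d+))?$/);
      if (!range) throw new Error(`bad port entry: ${piece}`);
      const low = Number(range[1]);
      const high = range[2] === undefined ? low : Number(range[2]);
      ports.push([low, high]);
    }
  }
  return { host: m[1], ports };
}

// Dotted-quad IPv4 to an unsigned integer, or null when the text is not an IPv4 address.
function ipv4ToInt(text) {
  const parts = text.split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) return null;
    value = value * 256 + Number(part);
  }
  return value;
}

function hostMatches(pattern, host) {
  if (pattern === '*' || pattern === '*.*') return true; // catch-all wildcards
  const cidr = pattern.match(/^(\d+\.\d+\.\d+\.\d+)\/(\d+)$/);
  if (cidr) {
    const target = ipv4ToInt(host);
    const network = ipv4ToInt(cidr[1]);
    const bits = Number(cidr[2]);
    if (target === null || network === null || bits > 32) return false;
    const block = 2 ** (32 - bits); // compare only the prefix bits
    return Math.floor(target / block) === Math.floor(network / block);
  }
  if (pattern.includes('*')) {
    const re = new RegExp('^' + pattern.split('*').map(escapeRegex).join('.*') + '$', 'i');
    return re.test(host);
  }
  return pattern.toLowerCase() === host.toLowerCase(); // exact hostname or single IP
}

function portMatches(ports, port) {
  return ports.length === 0 || ports.some(([low, high]) => port >= low && port <= high);
}

// ruleSet = { defaultAction, rules: [{ rank, app, action, destination }] }
function resolveAction(ruleSet, app, host, port) {
  const ordered = [...ruleSet.rules].sort((a, b) => a.rank - b.rank);
  for (const rule of ordered) {
    if (rule.app !== app) continue;
    for (const entry of splitDestinations(rule.destination)) {
      const { host: pattern, ports } = parseDestination(entry);
      if (hostMatches(pattern, host) && portMatches(ports, port)) return rule.action;
    }
  }
  return ruleSet.defaultAction;
}

// Constructed sample rule set for one hypothetical app identifier (not from the page).
const SAMPLE_RULE_SET = {
  defaultAction: 'Tunnel',
  rules: [
    { rank: 1, app: 'com.example.browser', action: 'Block', destination: 'ads.example.net, *.tracker.example' },
    { rank: 2, app: 'com.example.browser', action: 'Bypass', destination: 'ds.example.com' },
    { rank: 3, app: 'com.example.browser', action: 'Tunnel',
      destination: '*.example.com:[80,443,8080-8085], 10.10.11.1/32:[80,443,8080-8085]' },
    { rank: 4, app: 'com.example.browser', action: 'Bypass', destination: '*' },
  ],
};
```

Two points the sample set is built to show: rank 2 (Bypass for ds.example.com) sits above rank 3 (Tunnel for *.example.com), so the more specific bypass wins only because of its rank; and a port that is outside the rank 3 port list falls through to the rank 4 catch-all rather than to the default action. When reviewing a rule set, walk the destinations you care about through it in rank order exactly like this before publishing.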
Configure Server Traffic Rules using Outbound Proxy
You can configure server traffic rules for the VMware Tunnel to manage how traffic is directed through a third-party proxy. These rules allow you to bypass the proxy or send traffic through it. You can either add rules manually in the UEM console or via PAC files by using the VMware Tunnel PAC Reader.
Many organizations use outbound proxies to control the flow of traffic to and from their network. Outbound proxies can also be used for performing traffic filtering, inspection, and analysis.
It is not mandatory to use outbound proxies with VMware Tunnel, but your organization may choose to deploy them behind one or more Tunnel servers based on recommendations from your security and network teams.
The following table illustrates outbound proxy support for the Per-App Tunnel on Linux:
- Outbound Proxy with no auth
- Outbound Proxy with basic auth
- Outbound Proxy with NTLM auth
- Multiple Outbound Proxies
Configure the rules for sending traffic to your outbound proxies using the server traffic rules.
If you also want to send requests to the API/AWCM servers (VMware AirWatch Cloud Messaging) through your outbound proxy, you must enable the Default AWCM + API traffic via Server Traffic Rules setting in the Networking settings under . Once enabled, add the respective web proxies for the API/AWCM hostnames on the server traffic rules page.
Configure Server Traffic Rules from the UEM Console
Add rules for the VMware Tunnel to manage how traffic is directed through a third-party proxy. These rules allow you to bypass the proxy or send traffic through it.
The server traffic rules only apply to VMware Tunnel servers using the Per-App Tunnel component.
In the Outbound Proxies section, select Edit and then select Add Outbound Proxy to add a third-party outbound proxy. You can add more outbound proxies by selecting Add Outbound Proxy again.
Enter the proxy hostname.
Enter the port on which the third-party proxy listens for connections from the VMware Tunnel.
Select the proxy authentication method used.
Select Basic or NTLM.
Enter the User name for proxy authentication.
Enter the Password for proxy authentication.
Select Save to save your changes.
In the Server Traffic Rules section, you can configure the server traffic rule settings.
Select Add Server Traffic Rule to add a new server traffic rule. Enter the following information:
Enter the destination hostname that triggers the traffic rule.
Rules for applications on Windows 10 and macOS devices (except Safari) must use an IP address as the hostname.
You cannot use regular expressions, only specific wildcard characters. Windows 10 and macOS devices support the following wildcards:
If you are entering multiple hostnames, separate them by commas.
For domains you want to resolve on Windows 10 devices through the VMware Tunnel server, you must add the domains to the Windows Desktop VPN profile for VMware Tunnel.
Select the action that the VMware Tunnel applies to server traffic for the destination hostname.
Bypass – Bypass the proxy and send all traffic directly to the destination hostname.
Proxy – Send server traffic through the outbound proxy.
Selecting Proxy displays the Outbound Proxy menu.
Select the Outbound proxy to handle server traffic for the destination hostname. If you select multiple outbound proxies, the proxies are used in a round-robin format.
The proxies that populate this menu are those proxies added in the Outbound Proxies section.
(Optional) Select Add Server Traffic Rule if you wish to add any additional server traffic rules.
Select Apply to save your changes.
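The server traffic rule procedure above (outbound proxies, then rules that either Bypass or Proxy by destination hostname, with round-robin across several selected proxies) is modelled below. This JavaScript is an added example, not VMware code: the proxy names, hostnames, the rule order and the assumption that a destination matching no rule is sent direct are all constructed for illustration, and proxy credentials are deliberately left out of the model.

```javascript
// Added example (not VMware code): a model of how Server Traffic Rules choose between
// bypassing an outbound proxy and sending traffic through one, including round-robin
// selection when a rule lists several outbound proxies.
// Assumption (not stated on the page): a destination that matches no rule is sent direct.

// Outbound proxies as they would be defined in the Outbound Proxies section
// (constructed sample values; credentials are held by UEM and are not part of this model).
const OUTBOUND_PROXIES = [
  { name: 'proxy-a', host: 'proxy-a.example.internal', port: 3128, auth: 'NTLM' },
  { name: 'proxy-b', host: 'proxy-b.example.internal', port: 3128, auth: 'Basic' },
  { name: 'proxy-c', host: 'proxy-c.example.internal', port: 8080, auth: 'None' },
];

// Hostname wildcard match: '*' matches any run of characters, everything else literally.
function hostnameMatches(pattern, host) {
  const escaped = pattern.split('*').map((s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + escaped.join('.*') + '$', 'i').test(host);
}

class ServerTrafficRules {
  constructor(proxies, rules) {
    this.proxies = new Map(proxies.map((p) => [p.name, p]));
    this.rules = rules; // evaluated in the order given
    this.nextIndex = rules.map(() => 0); // round-robin cursor per rule
  }

  // Returns { action: 'Bypass' } | { action: 'Proxy', proxy } | { action: 'Direct' }
  route(host) {
    for (let i = 0; i < this.rules.length; i += 1) {
      const rule = this.rules[i];
      const patterns = rule.destinations.split(',').map((d) => d.trim());
      if (!patterns.some((p) => hostnameMatches(p, host))) continue;
      if (rule.action === 'Bypass') return { action: 'Bypass' };
      // Proxy action: hand out the rule's proxies in turn.
      const name = rule.proxies[this.nextIndex[i] % rule.proxies.length];
      this.nextIndex[i] += 1;
      const proxy = this.proxies.get(name);
      if (!proxy) throw new Error(`rule references unknown outbound proxy ${name}`);
      return { action: 'Proxy', proxy };
    }
    return { action: 'Direct' }; // assumed behaviour when no rule matches
  }
}

// Constructed sample rules: an internal zone bypasses the proxies, the rest of the
// domain is proxied round-robin, and the UEM API/AWCM hostnames use a dedicated proxy.
const SAMPLE_SERVER_RULES = [
  { destinations: '*.internal.example.com, 10.0.0.5', action: 'Bypass', proxies: [] },
  { destinations: '*.example.com', action: 'Proxy', proxies: ['proxy-a', 'proxy-b'] },
  { destinations: 'api.uem.example, awcm.uem.example', action: 'Proxy', proxies: ['proxy-c'] },
];

function buildSampleRules() {
  return new ServerTrafficRules(OUTBOUND_PROXIES, SAMPLE_SERVER_RULES);
}
```

Note that intranet.internal.example.com matches both the first and the second rule; it is bypassed only because the Bypass rule is listed first, which is the same ordering concern that applies to device traffic rules.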
Configure Server Traffic Rules using VMware Tunnel PAC Reader
The PAC Reader allows you to use PAC files to configure outbound proxies for the Per-App Tunnel component.
Complete the following steps before you configure the server traffic rules using the PAC reader:
Download the PAC Reader bundle from the Workspace ONE UEM Resources Portal. Install the PAC Reader on any Linux server, such as your Tunnel server. If the PAC file contains DNS resolution rules such as isInNet(), change the value of traffic_rule_post_dns in server.conf to 1 on your Tunnel server.
Note:
Currently, the PAC Reader has the following limitations:
- The PAC Reader only supports Linux servers.
- The PAC Reader does not support the following rules:
  - if statements. Try to put the inner logic above the outer logic. This change makes the outer logic lower ranked than the inner logic.
  - Else-if statements. Try to convert these rules to
  - Generic use of the AND operator.
- The PAC Reader only supports limited use of variable declaration and use.
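The guidance on nested if statements is easiest to see with a PAC function written both ways. The JavaScript below is an added example, not VMware code and not a PAC file from the page: the PAC logic, the hostnames and the proxy address are constructed, and the PAC helper shExpMatch is re-implemented so the file runs outside a browser. The nested version is the form the page says the PAC Reader does not support; the flat version moves the inner, more specific test above the outer one so the logic becomes an ordered list of rules, and a small check confirms both versions make the same decision before the file is swapped.

```javascript
// Added example (not VMware code): restructuring PAC logic so that the PAC Reader can read it.
// The PAC content is constructed. shExpMatch is re-implemented here (PAC engines provide it)
// so that this file runs stand-alone.

function shExpMatch(text, pattern) {
  const re = pattern.split('*').map((s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&')).join('.*');
  return new RegExp('^' + re + '$', 'i').test(text);
}

// Before: the decision for the intranet host is nested inside the *.example.com branch.
// This is the "if statement inside an if statement" shape the PAC Reader does not support.
function findProxyNested(url, host) {
  if (shExpMatch(host, '*.example.com')) {
    if (shExpMatch(host, 'intranet.example.com')) {
      return 'DIRECT';
    }
    return 'PROXY proxy.example.com:8080';
  }
  return 'DIRECT';
}

// After: the inner, more specific test is moved above the outer one, giving a flat,
// ordered list of rules (specific first, general second) with no nesting. Read as server
// traffic rules, this is "intranet.example.com: Bypass" ranked above "*.example.com: Proxy".
function findProxyFlat(url, host) {
  if (shExpMatch(host, 'intranet.example.com')) {
    return 'DIRECT';
  }
  if (shExpMatch(host, '*.example.com')) {
    return 'PROXY proxy.example.com:8080';
  }
  return 'DIRECT';
}

// Check that both versions make the same decision for every host you care about
// before replacing the PAC file that the reader will consume.
function decisionsAgree(hosts) {
  return hosts.every((h) => {
    const url = 'http://' + h + '/';
    return findProxyNested(url, h) === findProxyFlat(url, h);
  });
}
```

The ordering matters in the flat form: if the *.example.com test were listed first, intranet.example.com would be proxied, which is exactly the "outer logic ranked above inner logic" mistake the page warns about.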
Before you configure Outbound Proxy using the PAC Reader, make sure that you meet the following network requirements:
- Access to the Workspace ONE UEM API server: The PAC Reader requires access to the Workspace ONE UEM API server. The server is typically accessed over port 443. Consider installing the PAC Reader on your VMware Tunnel server, as that server already has access to the Workspace ONE UEM API server.
- Access to the PAC file: If you are hosting your PAC file on a web server, the PAC Reader must have access to that server.
- RHEL 7 as the server OS.
Complete the following steps to configure the server traffic rules using the PAC reader:
Download the installer from the Workspace ONE UEM Resources Portal.
Create a dedicated install directory for the installer on the Linux server. For example, you can create a dedicated install directory as /tmp/Install/ for the installer and copy the LinuxPacReaderInstaller.bin file to this location.
Go to the directory where you copied the file. Run the chmod 750 LinuxPacReaderInstaller.bin command to assign run permission to the LinuxPacReaderInstaller.bin file.
Run the BIN file by using the required command:
Configure the necessary properties in the pacreader.properties file:
- API server URL: Enter the API server URL.
- API key: Enter the API key for the API server. Find this key by navigating to.
- Location group ID: Location Group ID where the VMware Tunnel server is deployed.
- PAC file location: Path to the PAC file if it is stored locally on the machine; otherwise use the http/https link. This can be a PAC file placed at /opt/vmware/tunnel/pacreader or an http link to the PAC. If you configure PAC_LINK, do not configure PAC_PATH. If you configure PAC_PATH, do not configure PAC_LINK.
- API Certificate: The Admin API Certificate, which can be obtained from
- API Certificate Password: Password for the pfx/p12 API certificate file.
Complete the following steps after you configure the server traffic rules using the PAC reader:
Go to the pacreader installation directory.
Run the following command to validate the configuration: ./pacreader validate