VMware Tunnel provides granular access control to applications and services both in your network and in the cloud. This allows Tunnel to be able to integrate with other tools to help you meet your company specific requirements.

Integrations could be used for many use cases, such as to work with Workspace ONE Web and other SDK-Built Apps, or to extend security policies from the data center to mobile application endpoints by using VMware NSX.

Using VMware Tunnel with Workspace ONE Web and other SDK-Built Apps

Using Workspace ONE Web for VMware Tunnel controls how the end users access internal sites by configuring communication between the application and Tunnel. Once configured, access to URLs you specify (using Workspace ONE Web) goes through the VMware Tunnel.

Note:

Consider using Workspace ONE Web with the Tunnel component of VMware Tunnel. The Per-App Tunnel component provides better performance and functionality than the Proxy component. Workspace ONE Web with the Per-App Tunnel component does not require additional configuration.

Caveats and Known Limitations - For VMware Tunnel, the current authentication scheme requires the use of a chunk aggregator of fixed size. A low value puts restrictions on the amount of data that is sent from the devices in a single HTTP request. By contrast, a high value causes extra memory to be allocated for this operation. Workspace ONE UEM uses a default optimum value of 1 MB, which you can configure based on your maximum expected size of upload data. Configure this value in the proxy.properties file on the Tunnel server in the /conf directory.

  1. Go to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies.

    highlights the navigation path in the UEM Console to set security policies.

  2. Select Enabled for AirWatch App Tunnel and specify the App Tunnel Mode as VMware Tunnel – Proxy.

  3. (Optional) Enable the split tunnel for iOS devices by entering URLs into the App Tunnel Domains text box. Leave the text box empty to send all requests through the VMware Tunnel.

    If a URL that is about to be invoked contains a domain that matches the list in the settings, this URL request goes through the VMware Tunnel.

    If the URL domain does not match the domain in the list, it goes directly to the Internet.

  4. Select Save.

  5. Ensure the Workspace ONE Web is using the Shared SDK profiles for iOS and Android by navigating to Groups & Settings > All Settings > Apps > Workspace ONE Web and selecting them under SDK Profile.

Integrating VMware Tunnel with RSA Adaptive Authentication

VMware Tunnel can still integrate with RSA Adaptive Authentication. While Security Assertion Markup Language (SAML) has now become more popular way to authenticate, some RSA tokens are still in used and they allow end users to access internal endpoints using step-up authentication. There are two main workflows to consider when using step-up authentication with this integration:

  • Users who have not set their SecurID PIN

  • Users who have set their SecurID PIN

For users who have not set their SecurID PIN

In this scenario, when a user initiates a connection with the VMware Tunnel for the first time (for example, when attempting to access an internal website), the Tunnel automatically enrolls the user in the RSA Adaptive Authentication database with the Adaptive Auth User identifier value set in the Workspace ONE UEM console. Next, the user is prompted to set the SecurID PIN. The user must remember this PIN, because it is the combination of this PIN and the SecurID token number that makes the final passcode that is required to authenticate against the authentication manager to get intranet access. On subsequent requests, users are asked to enter their passcode (PIN + token).

After the user sets the SecurID PIN for the first time and authenticates against the manager, RSA Adaptive Authentication may or may not challenge the user again for several hours. The RSA Adaptive Authentication algorithm decides when to challenge users after the initial authentication. This system is adaptive and studies the user and device patterns. Based on the data that it collects about the user and device; it then decides whether or not to challenge users on subsequent access attempts.

For users who have set their SecurID PIN

Users who have set their SecurID PIN are not asked to set their PIN again and can continue using their existing PIN. The VMware Tunnel enrolls such users in the RSA Adaptive Authentication database, and they are prompted to enter their passcode (a combination of their PIN + token).

Configure RSA Authentication in the Workspace ONE UEM Console

In the UEM console, you must enter some of the basic information related to your RSA Adaptive Authentication environment, such as host names, admin credentials, and an Adaptive Auth user identifier, which is a unique identifier for every user in your Active Directory and Authentication Manager.

  1. Go to Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel > Configuration and select the Advanced tab.

  2. Configure the following RSA Adaptive Authentication settings.

    Setting

    Description

    RSA Adaptive Auth Integration

    Enable this setting if you want to integrate the Proxy component with RSA authentication for comprehensive Web browsing security.

    Adaptive Auth Server URL

    Enter your RSA Adaptive Auth server URL.

    This setting displays after you enable RSA Adaptive Auth Integration.

    Adaptive Auth Admin Username

    Enter the RSA admin account user name. This setting displays after you enable RSA Adaptive Auth Integration.

    Adaptive Auth Admin Password

    Enter the RSA admin account password for the user name you entered.

    This setting displays after you enable RSA Adaptive Auth Integration.

    Adaptive Auth Version

    Enter your RSA Adaptive Authentication version.

    This setting displays after you enable RSA Adaptive Auth Integration.

    Adaptive Auth User Identifier

    Enter the RSA Adaptive Auth user identifier. This setting displays after you enable RSA Adaptive Auth Integration.

  3. Select Save.

Integrating VMware Tunnel with NSX

You can integrate VMware Tunnel with the VMware NSX to extend security policies from the data center to mobile application endpoints. Integrating Tunnel and NSX enhances network micro-segmentation by providing explicit mappings between network segments and mobile apps. By creating policies that dynamically follow mobile applications, you can eliminate complex and time-consuming firewall provisioning.

Integrate Tunnel with NSX to match per-app policies with security groups defined in NSX. This enhances the network and app security by minimizing the attack surface into your network. Complete the following steps to integrate Tunnel with NSX.

Shows the NSX Integration configuration and highlights the navigation path to the Tunnel Configuration Page.

  1. Go to Groups & Settings > Configurations > VMware Tunnel.

  2. Under the NSX section, select Configure and Enable NSX Integration.

  3. Select your NSX version. Both NSX-V and NSX-T are supported.

  4. Enter the NSX Manager URL. The destination URML must contain the protocol and hostname or IP address.

  5. Enter the Admin Username and Password.

  6. Select Sync with NSX.

Workspace ONE UEM adds the tagged groups to the page after successfully syncing with NSX. You may now assign mobile apps to their appropriate NSX security groups.