Workspace ONE Web supports the ability to tunnel websites through the Tunnel gateway component, without the Tunnel Proxy component.

The Tunnel gateway provides stronger encryption and authentication, increased browsing speed, and more detailed traffic controls. This does not require the use of the Workspace ONE Tunnel App for SDK-built applications, but other third-party applications still need support from the Tunnel App.

To take advantage of the improved tunneling capabilities, make sure you have deployed the Tunnel gateway and are using Workspace ONE UEM Console 1905 or higher version.

Migrate Proxy App Tunnel URLs to Tunnel SDK

VMware Tunnel with the Per-App Tunnel (Tunnel SDK) provides a unique feature called Device Traffic Rules. You can set individual traffic policies for tunneling, blocking, and bypassing traffic for each of your apps with the Device Traffic Rules. For information on Device Traffic Rules, see Create Device Traffic Rules in VMware Tunnel
  1. If you migrate from VMware Tunnel - Proxy to Tunnel SDK (Per-App Tunnel) and want to keep the domains that use the tunnel, enter the App Tunnel URLs from the Proxy to the Device Traffic Rules settings for Tunnel SDK.
  2. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies > App Tunnel Mode > VMware Tunnel - Proxy and record the entries in the App Tunnel URLs field.
  3. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel > Network Traffic Rules > Device Traffic Rules
  4. Select the applicable SDK application (like Workspace ONE Web).
  5. Add multiple applications. This configuration differs from the default SDK setting because you need to enter the domains to tunnel by the app rather than as a blanket entry for all SDK-built apps.
  6. Select Tunnel for the Action.
  7. Enter the app tunnel URLs from the VMware Tunnel - Proxy option in Destination Hostname.
  8. Define a default policy for domains that do not match patterns with your destination host names.
  9. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies and select App Tunnel Mode and change from VMware Tunnel - Proxy to VMware Tunnel.

Configure App Tunnel for the Default SDK Profile

Use App Tunnel to allow an application to communicate through a VPN or reverse proxy to access internal resources, such as a SharePoint or intranet sites.

You must set up the menu items for VMware Tunnel-Proxy or VMware Tunnel before using them.

To set up configurations and device traffic rules for the VMware Tunnel - Proxy or the VMware Tunnel, see VMware Tunnel.

If you are replacing the VMware Tunnel - Proxy with Tunnel SDK, migrate the App Tunnel URLs entries. See Migrate Proxy App Tunnel URLs to Tunnel SDK.

Configuring VMware Cloud Web Security (CWS)

Workspace ONE Web supports routing all its traffic through VMware Cloud Web Security (CWS) to provide additional web security through CWS's capabilities like URL filtering, content filtering and more. Admins can configure Web's in-built tunnel to route the traffic through a Secure Access service instance and attach CWS security policy with that. For more information about CMS, see VMware Cloud Web Security Documentation.