Domain Join via Workspace ONE Tunnel

January 14, 2021   |   by bgarmon

Updated January 20, 2021

A disclaimer: a Network guru I am not.

End goal: Get a Windows 10 laptop enrolled in Workspace ONE UEM and provide a method to join to Active Directory from a remote network.

Components needed to make this work:

  • Active Directory Domain Controller (AD)
  • Access to internal DNS Server
  • Access to public DNS records
  • Workspace ONE UEM Console version 20.10 or higher (UEM)
  • Airwatch Cloud Connector (ACC)
  • VMware Unified Access Gateway Appliance (UAG)

Some caveats:

This is a home lab which means my solution is limited to both the networking hardware I have at my disposal as well as the amount of money I’m willing to throw at this problem. In a corporate network there are more sophisticated ways to achieve some of this configuration.

Active Directory sits behind the firewall of my network. To join a domain the device must have line-of-sight to a Domain Controller. What does line-of-sight mean? It means the device must be able to use nslookup to find the DNS name of a Domain Controller and receive a valid reply. Being able to ping the Domain Controller by both its NetBIOS name and its FQDN is also a requirement.

A common approach to enabling support for domain join off network is to place a Read-Only Domain Controller (RODC) in a DMZ, then create public DNS records that point to the RODC. I don’t have a DMZ and don’t like that approach, so instead I’m going to establish line-of-sight by using a per-app VPN solution (VMware Workspace ONE Tunnel) that loads prior to Windows login.

VMware Workspace ONE Tunnel is an agent that is installed on Windows 10. The agent communicates back to a virtual appliance running on vCenter named Unified Access Gateway (UAG), which runs the VMware Tunnel Service. In short, we call this Per-App VPN.

The last caveat is that VMware is in the process of developing a couple of features that will come to market very soon under the names “Drop-Ship-Provisioning (online)” and “Drop-Ship-Provisioning (offline).” To add to the confusion, the process VMware will recommend for automating domain join will differ slightly from the process documented below, and it will be referenced as a feature named Offline Domain Join (ODJ). These VMware offerings are currently in beta and require a beta version of UEM, a beta version of ACC, and some additional steps which I am not documenting here at the moment. What’s important to call out here is that the process below does not automatically join the domain. Automation of the domain join will come when the VMware features go GA. That said, the work done below lays the foundation for these upcoming features, so it’s good to complete these steps now so you are ready for the enhancements. I will be updating this blog when the VMware Offline Domain Join feature goes GA.

Let’s start by Configuring DNS Records for the UAG

  1. Login to the AD DNS Server
  2. Launch Windows Server DNS manager
  3. I have 2 forward lookup zones configured in DNS: aftersixcomputers.com and lab.aftersixcomputers.com.
     I make use of a CNAME (Alias) record named www in the aftersixcomputers.com lookup zone, which is how you are reading this blog.
     AD DNS records live in lab.aftersixcomputers.com, so in the configuration below you’ll find that publicly *.aftersixcomputers.com are the names I use, but internally the network uses *.lab.aftersixcomputers.com.
  4. Confirm that a Reverse Lookup Zone exists for the subnet that UAG will be installed on.
  5. Select the forward lookup zone where the AD DC records reside, in my example that’s lab.aftersixcomputers.com.
  6. Right-click on the Forward Lookup zone and select “New Host (A or AAAA)…”
    1. Define an internal DNS name for the UAG
    2. Assign this an internal IP address
    3. Enable “Create associated pointer (PTR) record” (this creates the Reverse Lookup record).
  7. Click on the Refresh icon at the top of the DNS manager and confirm that both the forward lookup (A) record and the reverse lookup (PTR) record were successfully created.
  8. At this point it’s also a good idea to use nslookup from another device on the subnet and validate DNS resolution is working properly by doing a lookup of the records you just created.
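The same record creation and validation (steps 4 through 8) as an added PowerShell example run on the AD DNS server; this is not part of the original post. The zone is the one from the post, while the host name uag and the address 192.168.1.50 are placeholders, and the reverse zone is assumed to be a /24.

```powershell
# Added example, not from the original post: automate steps 4 to 8 on the AD DNS server.
# Zone is the post's; host name 'uag' and address 192.168.1.50 are placeholders.
Import-Module DnsServer

$Zone     = 'lab.aftersixcomputers.com'
$HostName = 'uag'            # placeholder internal name for the UAG
$Ip       = '192.168.1.50'   # placeholder internal IP of the UAG

# Step 4: a reverse lookup zone for the UAG's subnet must exist, otherwise no PTR
# record can be created alongside the A record (a /24 zone is assumed here).
$o       = $Ip.Split('.')
$revZone = '{0}.{1}.{2}.in-addr.arpa' -f $o[2], $o[1], $o[0]
if (-not (Get-DnsServerZone -Name $revZone -ErrorAction SilentlyContinue)) {
    throw "Reverse lookup zone $revZone does not exist; create it before adding the host record."
}

# Step 6: 'New Host (A or AAAA)' with 'Create associated pointer (PTR) record' ticked
Add-DnsServerResourceRecordA -ZoneName $Zone -Name $HostName -IPv4Address $Ip -CreatePtr

# Step 8: validate forward and reverse resolution against this server
$fqdn = "$HostName.$Zone"
$fwd  = Resolve-DnsName -Name $fqdn -Type A   -Server 127.0.0.1 -ErrorAction Stop
$rev  = Resolve-DnsName -Name $Ip   -Type PTR -Server 127.0.0.1 -ErrorAction Stop
if ($fwd.IPAddress -ne $Ip)   { throw "Forward lookup returned '$($fwd.IPAddress)', expected $Ip" }
if ($rev.NameHost  -ne $fqdn) { throw "Reverse lookup returned '$($rev.NameHost)', expected $fqdn" }
"OK: $fqdn <-> $Ip (A and PTR both resolve)"
```

Run step 8's nslookup from a second device on the subnet as well, since this script only proves the server answers itself.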

Next Setup Public DNS Records for the UAG:

You need to put in place a method for the Internet to find the UAG via DNS. Preferably this involves a static public IP address, and maybe a proxy server, load balancer or other network front-end device. I use a Ubiquiti UDM Pro at the edge, and Ubiquiti has decided the UDMP doesn’t need to support more than 1 public IP, so I’m forced to use port forwarding. Thus I need to create a DNS name and an A record that points the Internet to my UDMP.

  1. Network Solutions hosts the public DNS records for my domain. While your hosting provider’s process will vary, navigate to the hosting provider’s admin portal and find Advanced DNS settings.
  2. In the Advanced DNS settings, create a new A Record, for example mine is vpn.aftersixcomputers.com.
    1. For the IP address, use the public IP address of your edge router, in my case it’s the public IP address of the UDMP.
    2. The host name defined here will become the name used in the configuration of the Vmware Tunnel service.
  3. With the public A record created, head over to your router’s configuration page for port forwarding and set up port forwarding.
    1. By default VMware Tunnel uses Port 8443 for Per-App VPN and it uses Port 2020 for Proxy. I use both so I have 2 port forward rules.
    2. The destination IPs would be the IP you previously defined in your internal DNS.
  4. The end result of this exercise is that a device on the internet looking for vpn.aftersixcomputers.com is now able to reach the internal IP address of the UAG to establish the connection.

Next Enable Tunnel in Workspace ONE UEM Console:

  1. In UEM Console choose Groups and Settings > Configurations > Tunnel
  2. Create your Tunnel.
    1. Deployment Type = Basic (Cascade is supported just not in use in my example)
    2. Hostname = the public DNS name you defined with your hosting provider. In my case it’s vpn.aftersixcomputers.com
    3. Port = 8443
    4. Server Authentication = Airwatch SSL
    5. Client Authentication = Airwatch SSL
    6. Networking = Enabled with “Default AWCM + API traffic via Server Traffic Rules”
    7. Logging = Disabled
    8. Custom Settings not configured
    9. Save the configuration
  3. While you’re in the UEM settings go ahead and configure the Device Traffic Rule Sets that enable Domain Join as follows:
    1. Under the Device Traffic Rule Sets choose Edit to bring up the “Manage Traffic Assignments”
    2. Select the Default Assignment to bring up the Device Traffic Rules menu
    3. Choose “Manage Applications”
    4. Add the following 5 Windows applications:
      • This rule enables access to network shares like SYSVOL
      • This rule enables Group Policy to continue to function off network
      • This rule enables access to Netlogon
      • While not specific to domain join, this rule is helpful for accessing mapped network drives
      • This rule is not related to domain join, but is helpful for your IT Admins who need to use RDP for server management off network.

    5. Now that the apps are created, from the Device Traffic Rules page choose Add Rule and add each of the apps to tunnel as illustrated below.
    6. Define the domain name in the Destination. In my example machines need to join my AD domain lab.aftersixcomputers.com so I’m using a wildcard of *.lab.aftersixcomputers.com
       Configure Tunnel for your AD Domain name
    7. Choose Save and Publish

Next enable the UAG Tunnel

The next step is to link the UAG to the UEM Tunnel configuration. This is done using the UAG Admin portal:

  1. Launch the UAG admin portal from your web browser by opening https://yourUAGDNSname:9443/admin
  2. Under General Settings > Edge Service Settings > click Show and then click the Gear icon under Tunnel Settings
  3. Choose Enable Tunnel Settings
  4. Define the API Server URL in the format https://ASxxx.awmdm.com, where xxx is the same number that appears in your UEM Console URL.
     For example, if UEM is https://CN135.awmdm.com use https://AS135.awmdm.com
  5. The API Server username and password are those of any account on the UEM server that has been granted API access rights. By default the role “Console Administrator” has this permission. Note that what you type here must match the login format used for UEM. In my lab that means the username typed in here is lab\bgarmon
  6. The Org Group ID also comes from the UEM server, find it by hovering over the OG name in the UEM Console and use the value found in “Group ID”
  7. The Tunnel Server Hostname is the PUBLIC DNS name you defined at the ISP. In my example it’s vpn.aftersixcomputers.com
  8. BEFORE clicking SAVE, I recommend SSHing into the UAG and tailing the log file to confirm that what happens next succeeds. If you have a typo in your config you won’t really see any indication in the UAG admin portal that something didn’t work, but you’ll spot it immediately in the SSH logs if you do the following:
    1. From your SSH client, SSH as root to the UAG
    2. Type in (but do not press enter):

      tail -f /var/log/vmware/appliance-agent/appliance-agent.log

      The reason you can’t hit enter yet is that this log file doesn’t exist until the first time the SAVE button is pressed in the Tunnel Settings page.
    3. Make sure both SSH and Tunnel Settings page are visible on your screen at the same time. In the Tunnel Settings click SAVE and immediately switch to SSH and press enter to send the tail command. You should immediately see text scrolling in SSH. The screenshot below shows what you should be looking for to confirm success
  9. Flip back to the UAG General Settings page; you should find a green icon under the Edge Service Settings next to Tunnel.
  10. You’ve completed the UAG Tunnel Configuration. Next up is the Windows 10 device configuration.
SSH output for Tunnel Settings showing successful configuration

Next Add VMware Tunnel for Windows to UEM Console

  1. Download VMware Tunnel for Windows version 2.0.4 from My.workspaceone.com
  2. Browse https://images.google.com and download an app icon for Workspace One Tunnel to use later in this process.
  3. In the UEM Console choose Apps & Books > Applications > Native > choose Add Application > Upload
  4. On the Edit Application fill out the tabs as follows:
    1. Details tab: Name > Change this to VMware Tunnel for Windows
    2. Details tab: Supported Processor Architecture: 64-bit
    3. Details tab: App Version: 2.0.4
    4. Details tab: Current UEM Version 2.0.4.0 (this might read Version if you are on a UEM build prior to 21.01)
    5. Files tab: App Uninstall Process: Custom Script Type: Input
    6. Files tab: App Uninstall Process: Uninstall Command:
      VMwareTunnelInstaller_2.0.4.exe /uninstall /Passive
    7. Deployment Options tab: How to Install > Install Command:
      VMwareTunnelInstaller_2.0.4.exe /install /Passive
    8. Deployment Options tab: How to Install > Installer Reboot Exit Code: 3010
    9. Deployment Options tab: How to Install > Installer Success Exit Code: 0
    10. Deployment Options tab: When To Call Install Complete: Choose Defining Criteria, select Add, and select Criteria Type File Exists with a path of C:\Program Files\VMware\Workspace ONE Tunnel\VMwareTunnel.exe and Version of Any
    11. Images Tab: Choose Icon Tab > Upload an image file for Tunnel app
    12. Choose Save & Assign
    13. In the Assignment Distribution menu give it a name like “Tunnel for Windows Default”
    14. Choose an Assignment Group
    15. Change the App Delivery Method to Auto
    16. Choose the Restrictions menu on the left and enable “Make App MDM Managed if user installed”
    17. Enable “Desired State Management”
    18. Choose Create
    19. Choose Save
    20. Choose Publish

Next Create a UEM Device Profile for VPN

  1. In the UEM Console choose Devices > Profiles & Resources > Profiles
  2. Choose Add > Add Profiles > Windows > Windows Desktop > DEVICE Profile
  3. Under General give the profile a name and assign it a SmartGroup
  4. Choose VPN Payload and fill out the following:
    1. Connection Name: Per-App VPN for Windows 10
    2. Connection Type: Workspace ONE Tunnel
    3. Device Traffic Rule Sets: Default – Default
    4. Under Custom Configuration XML add the following:

       <?xml version='1.0' encoding='utf-16'?>
       <CustomConfiguration>
         <StartTunnelPreLogon>true</StartTunnelPreLogon>
       </CustomConfiguration>

       Windows 10 Device Profile for Custom Tunnel Configuration
    5. Configure the Trusted Network Detection to be the name of your domain.
    6. Under DNS Resolution via Tunnel Gateway define how you want DNS to be resolved. In my example *.lab.aftersixcomputers.com and lab.aftersixcomputers.com are the two values defined.

Next Configure Airwatch Cloud Connector (ACC)

The ACC is what links the UEM Console to the local AD Domain for the purpose of importing AD user accounts and user groups into the UEM Console. The ACC is also responsible for delivering certificates to devices. Soon it will gain a new feature: the ability to deliver an Offline Domain Join blob file. For the purpose of this article, it’s assumed that you have previously configured ACC and that you have it working with your existing UEM configuration. I will be updating this section because a future version of ACC might require a few changes in order to support the new Offline Domain Join feature. If you are starting from scratch and do not yet have an ACC, follow the standard VMware documentation to get one installed and connected.

  1. To be continued…

Congratulations. You’ve completed the setup and should now be able to:

  • Join the Windows 10 devices to the domain via Starbucks
  • Map network drives and access them off network
  • Use RDP off network
  • GPOs will now apply off network
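Before declaring success, it is worth checking the line-of-sight requirement from the caveats above from a Windows 10 device once the Tunnel is connected. This PowerShell script is an added example, not part of the original post: it uses the post’s lab domain, the NetBIOS name LAB and the port list are assumptions, and because Tunnel is per-app it must run from a process covered by your Device Traffic Rules (or powershell.exe must be added to them while testing).

```powershell
# Added example, not from the original post: check domain-controller line-of-sight
# through the Tunnel. Domain is the post's lab domain; NetBIOS name 'LAB' and the
# port list are assumptions. Run from a process that the Device Traffic Rules tunnel.
param(
    [string]$Domain  = 'lab.aftersixcomputers.com',
    [string]$Netbios = 'LAB'
)
$results = [ordered]@{}

# nslookup equivalent: the DC locator SRV record must resolve; this relies on the
# 'DNS Resolution via Tunnel Gateway' entries for *.lab.aftersixcomputers.com
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
$dc  = $srv | Select-Object -First 1 -ExpandProperty NameTarget
$results['DC SRV record resolves'] = [bool]$dc

# Ping by FQDN and by NetBIOS name, both required by the post
$results['Ping DC by FQDN']     = [bool]$dc -and (Test-Connection -ComputerName $dc -Count 1 -Quiet)
$results['Ping domain NetBIOS'] = Test-Connection -ComputerName $Netbios -Count 1 -Quiet

# Ports a join needs the tunnel rules to carry: Kerberos (88), LDAP (389), SMB for SYSVOL/Netlogon (445)
foreach ($port in 88, 389, 445) {
    $results["TCP $port to DC"] = [bool]$dc -and
        (Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue)
}

# Report; any FAIL points at the traffic rules, the DNS-via-gateway list, or the UAG port forward
$results.GetEnumerator() | ForEach-Object {
    '{0,-24} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
$allOk = -not ($results.Values -contains $false)
exit ([int](-not $allOk))
```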

Recent Comments

  1. Lukas D.

    January 27, 2021 @ 7:11 am

    Hi there,

    Thank you for this interesting article; if it works, this would be exactly what I’ve been searching for.
    Is the version 2010 really the minimum for this? I’d like to test this with 2005.

    Is there any kind of documentation where this snippet is described for the pre logon connection and is this eventually the reason why it has to be version 2010?

    true

    Thanks and greetings,

    Lukas

    • bgarmon

      January 27, 2021 @ 8:07 am

      Device Traffic Rules were re-designed both in the Server side configuration of them, and in how they are now applied to Personas, thus a newer console version of the Workspace ONE UEM Console is recommended.

      The pre-login connection is effectively telling the Tunnel Agent to load before a user logs onto Windows thus allowing the connection to be established before the user login.
