Domain Join via Workspace One Tunnel
January 14, 2021 | by bgarmon
A disclaimer: a Network guru I am not.
End goal: Get a Windows 10 laptop enrolled in Workspace ONE UEM and joined to Active Directory from Starbucks.
This is a home lab which means my solution is limited to both the networking hardware I have at my disposal as well as the amount of money I’m willing to throw at this problem. In a corporate network there are more sophisticated ways to achieve this.
Let’s get started.
Active Directory sits behind the firewall of my network. To join a domain the device must have line-of-sight to a Domain Controller. A common approach to this is to place a Read-Only-Domain-Controller in a DMZ. I don’t have a DMZ and don’t like that approach so instead I’m going to use a per-app VPN solution (VMware Workspace One Tunnel) that loads prior to Windows login to gain line-of-sight.
VMware Workspace One Tunnel is an agent that is installed on Windows 10. The agent communicates back to an on-prem virtual appliance running on vCenter named Unified Access Gateway (UAG). The UAG runs the VMware Tunnel service. For this setup to function, you’re going to need both public and private DNS records and you’re going to be doing port forwarding on your edge router.
Before installing UAG, login to your AD DNS server and create a DNS host record for the UAG:
- Launch Windows Server DNS manager
- Select your forward lookup zone.
- Right-click on the Forward Lookup zone and select “New Host (A or AAAA)…”
- Define the internal DNS name of the UAG, assign this an internal IP address and make sure you have enabled “Create associated pointer (PTR) record”
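The same record can be created from PowerShell on the DNS server, which also lets you confirm the PTR record before importing the appliance. This is an added example, not part of the original post; the zone name, host name and IP address are placeholders for your own lab.

```powershell
# Added example (not from the original post): create the UAG's internal A record
# and its PTR record on the AD DNS server, the equivalent of the DNS Manager steps.
# Assumptions: zone, host name and IP below are placeholders for your own lab.
$ZoneName = 'lab.aftersixcomputers.com'   # forward lookup zone (the post's AD domain)
$UagHost  = 'uag'                          # hypothetical internal host name for the UAG
$UagIp    = '192.168.1.50'                 # constructed private IP; must match the IP entered at import

Import-Module DnsServer

# Refuse to create a duplicate: the IP you type during the UAG import has to match
# this record, so a second record with a different address would defeat the check.
$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $UagHost -RRType A -ErrorAction SilentlyContinue
if ($existing) {
    throw "An A record for $UagHost.$ZoneName already exists ($($existing.RecordData.IPv4Address)); remove it first."
}

# -CreatePtr is the same as ticking "Create associated pointer (PTR) record";
# it needs the matching reverse lookup zone to exist on this server.
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $UagHost -IPv4Address $UagIp -CreatePtr

# Confirm forward and reverse lookups agree before moving on to vSphere.
$fwd = Resolve-DnsName -Name "$UagHost.$ZoneName" -Type A   -ErrorAction Stop
$rev = Resolve-DnsName -Name $UagIp               -Type PTR -ErrorAction Stop
if ($fwd.IPAddress -ne $UagIp -or $rev.NameHost -notlike "$UagHost.$ZoneName*") {
    throw "Forward/reverse lookup mismatch for $UagHost.$ZoneName / $UagIp"
}
"$UagHost.$ZoneName -> $($fwd.IPAddress); $UagIp -> $($rev.NameHost)"
```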
Now you are ready to install the UAG using vSphere. I’m not going to go into those details here, but during the UAG appliance import, you’ll be prompted to define the IP address of the appliance. Make sure the IP matches what you defined in the DNS record. Post installation, you’ll know this worked if you log in to the vSphere client, choose your UAG from the “Hosts and Clusters” menu and look under the “Guest OS” pane. If you see a DNS Name reading “localhost” you messed up. Delete the appliance and start over. If you see a DNS name matching the DNS entry you created you are ready to proceed.
The next step for the UAG is to log in to the admin portal and enable the Tunnel service by pointing the UAG back to the UEM Server. Before doing this, you need to put in place a method for the Internet to find the UAG via DNS. Preferably this involves a static public IP address. While I have 5 public IP addresses available, Ubiquiti has decided the UDMP doesn’t need to support more than 1 public IP, so this forces me to use port forwarding. Here’s how I set this up:
Network Solutions hosts the public DNS records for my domain. While your hosting provider’s process will vary, navigate to the hosting provider’s admin portal and find Advanced DNS settings. In the Advanced DNS settings, create a new A Record; for example, mine is vpn.aftersixcomputers.com. For the IP address, use the public IP address of your edge router, in my case the public IP address of the UDMP. The host name defined here will become the name used in the configuration of the VMware Tunnel service. With the public A record created, head over to your router’s configuration page for port forwarding and set up port forwarding for Port 2020 and Port 8443 with the destination being the IP address you previously defined in your internal DNS. The end result is that anyone on the internet looking for vpn.aftersixcomputers.com is now able to reach the internal IP address of the UAG to establish the connection.
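Before touching the UEM and UAG consoles it is worth proving that the public record and both port forwards actually work from the outside. The check below is an added example, not from the original post; the hostnames are placeholders, it uses a public resolver so your internal DNS cannot mask a missing public record, and it should be run from a machine outside your LAN (a phone hotspot will do) because many consumer routers, the UDMP included by default, do not hairpin a public address back to the inside.

```powershell
# Added example (not from the original post): confirm the public A record and the
# 2020/8443 port forwards from OUTSIDE the network. Hostnames are placeholders.
function Test-TunnelPublish {
    param(
        [string]$TunnelHost     = 'vpn.aftersixcomputers.com',      # public name from the post
        [string]$InternalUag    = 'uag.lab.aftersixcomputers.com',  # hypothetical internal name
        [int[]] $Ports          = @(2020, 8443),                    # ports the post forwards
        [string]$PublicResolver = '1.1.1.1'                         # any public resolver
    )
    $r = [ordered]@{ TunnelHost = $TunnelHost }

    # 1. The public name must resolve on a PUBLIC resolver; -DnsOnly skips the hosts
    #    file and cache so a stale or internal answer cannot hide a missing record.
    $pub = Resolve-DnsName -Name $TunnelHost -Type A -Server $PublicResolver -DnsOnly -ErrorAction SilentlyContinue
    $r['PublicA'] = if ($pub) { ($pub.IPAddress -join ',') } else { 'NOT RESOLVED on public DNS' }

    # 2. The public name must NOT resolve to the UAG's private address: that would mean
    #    the internal record was created with the public name (split-brain mistake).
    $r['PublicIsPrivate'] = [bool]($pub.IPAddress | Where-Object {
        $_ -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' })

    # 3. Each forwarded port must accept a TCP connection through the router.
    foreach ($p in $Ports) {
        $tnc = Test-NetConnection -ComputerName $TunnelHost -Port $p -WarningAction SilentlyContinue
        $r["TCP $p"] = if ($tnc.TcpTestSucceeded) { 'open' } else { 'CLOSED (check forward/firewall)' }
    }

    # 4. Informational: what the name you are on resolves for the internal record, so a
    #    failure above can be matched against the forward's destination IP.
    $int = Resolve-DnsName -Name $InternalUag -Type A -ErrorAction SilentlyContinue
    $r['InternalA'] = if ($int) { $int.IPAddress -join ',' } else { 'not resolvable from here (expected off-LAN)' }

    [pscustomobject]$r
}

Test-TunnelPublish | Format-List
```

A healthy result shows PublicA equal to the router’s WAN address, PublicIsPrivate False and both TCP tests open; a closed 8443 with an open 2020 (or vice versa) points at the individual forward rather than DNS.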
Now login to Workspace ONE UEM to configure the Tunnel:
1. Groups and Settings > Configurations > Tunnel
2. Create your Tunnel. For the hostname, this is the public DNS name you defined with your hosting provider. In my case it’s vpn.aftersixcomputers.com
3. While you’re in here configure the Device Traffic Rules that enable Domain Join as follows:
   - Under the Device Traffic Rule Sets choose Edit to bring up the “Manage Traffic Assignments”
   - Edit the Default Assignment
   - Choose “Manage Applications”
4. Create the following rules:
5. Now that the apps are added, create a Device Traffic rule to Tunnel these apps. In the example below the AD domain my devices need to join is lab.aftersixcomputers.com.
6. Save and Publish
Now you are ready to link the On Prem UAG back to the UEM configuration by completing the UAG tunnel configuration.
- Launch the admin portal for the UAG from your web browser by opening https://yourUAGDNSname:9443/admin
- Under General Settings > Edge Service Settings > click Show and then click the Gear icon under Tunnel Settings
- I find it most helpful at this point to SSH into the UAG and tail the log files to confirm this next step succeeds. I’ve seen this next step take anywhere from 30 seconds to 5 minutes, and if it fails, you’ll be able to see the error immediately. To do this, open an SSH session to the UAG and run:
  tail -f /var/log/vmware/appliance-agent/appliance-agent.log
- Back in the UAG portal, fill out the Tunnel Settings configuration, making sure that the “Tunnel Server Hostname” is the public DNS name you defined with your hosting provider (in my case vpn.aftersixcomputers.com). Choose Save and then watch the SSH session for any errors. You’ll know it worked in SSH when you see a long block of certificate text scroll by; that is the Tunnel certs being downloaded. Shortly after that, if you flip back to the UAG General Settings page you should find a green icon under the Edge Service Settings next to Tunnel.
- You’ve completed the UAG and Tunnel Configuration.
Back in Workspace ONE UEM Console you need to add the Workspace One Tunnel app to Apps & Books for deployment. Use the following for the install command:
VMwareTunnelInstaller_2.0.4.exe /install /Passive