Using VMware Workspace ONE Tunnel in Per-App VPN mode with Domain Joined Windows clients

Last Updated July 21, 2022

VMware now publishes two incompatible versions of the Tunnel app for Windows. Version 2.1.7 is the version you need if you are going to be using Workspace ONE UEM to manage the device. Version 3.0 is intended for use without MDM management and was purpose-built for VMware SASE use cases. Here’s the KB from VMware for more info: https://kb.vmware.com/article/88311

The VMware Workspace ONE Tunnel app supports two methods of virtual private networking: per-device or per-app. When the Tunnel app is operating in per-device mode the VPN connects the operating system and every application and service on the device back to the corporate network.

Per-device VPN is what most VPN apps have been doing since the technology was invented. The risk with per-device VPN is that if a bad actor gains access to the laptop they have full access to the corporate network.

Per-app VPNs allow individual applications to use the VPN without requiring the entire device to connect back to the corporate network. If you are following zero-trust security principles, where you want to provide the least amount of access to the corporate network possible, per-app VPN continues to be the recommended approach.

The purpose of this blog is to demonstrate the 5 steps necessary to configure per-app VPN so that Windows Active Directory joined machines have line-of-sight to the Domain Controller when using Per-App VPN Mode.

Special Note: The process described below is NOT intended to be used to join a computer to a domain. The domain join operations should already be completed.

Prerequisites:

  • Microsoft Active Directory Domain Controller (AD)
  • Access to edit internal and external DNS records
  • Workspace ONE UEM Console version 2102 or higher (UEM)
  • VMware Unified Access Gateway Appliance (UAG)
  • VMware Tunnel for Windows client

There are 5 parts to the setup. Follow them in the order defined below:

Part 1: Set up a public/external facing DNS name for UAG

When the VMware Tunnel application launches it will create a VPN tunnel using the public/external DNS name defined in the Unified Access Gateway configuration. In my lab I use vpn.aftersixcomputers.com as that DNS name. Many people have asked exactly how this part gets configured. If you need that assistance, keep reading. If you don’t, skip to Part 2.

Disclaimer: I am not a networking guru. There are dozens of different ways to configure DNS so treat this as one example.

In my lab I use a pair of Microsoft AD integrated DNS Servers. I have configured two forward lookup zones:

aftersixcomputers.com
lab.aftersixcomputers.com

In the forward lookup zone aftersixcomputers.com I created a New Alias (CNAME) record named “vpn” that points back to the internal DNS name of the Unified Access Gateway. To configure the DNS records in your environment (using Windows Server 2022 as a guide) here are the steps:

  1. Login to a Windows Active Directory Domain Controller running DNS
  2. From the Windows Start Menu, on the right-hand pane of tiles, choose Windows Administrative Tools to launch the Control Panel > System and Security > Administrative Tools.
  3. Choose DNS to launch DNS Manager
  4. Expand Forward Lookup Zones
  5. In the existing Forward Lookup Zone create a new Host (A or AAAA) record for the UAG: define the internal DNS name for the UAG and assign it an internal IP address. Enable “Create associated pointer (PTR) record” to create the Reverse Lookup record.
  6. If you need to, add a new Forward Lookup Zone by right-clicking on the Forward Lookup Zone and choose New Zone. For my lab this is where I defined aftersixcomputers.com.
  7. With the New Zone created, right-click on the zone and create a New Alias (CNAME) record
  8. Click on the Refresh icon at the top of the DNS manager and confirm both the forward lookup zone and reverse lookup zone were successfully created.
  9. At this point it’s a good idea to use nslookup from another device on the subnet and validate DNS resolution is working properly by doing a lookup of the records you just created.

The previous steps allow your internal devices to find the UAG via DNS, but you now need a method for the Internet to find your UAG via DNS. My public DNS provider hosts the DNS records that direct the Internet to my network. Preferably this involves a static public IP address and perhaps a proxy server, load balancer or some other network magic. In my lab I use a Ubiquiti UDM Pro (UDMP) at the edge. When I deployed the UDMP it did not support more than one public IP address; software updates from Ubiquiti now allow this, but I have not gone back and changed it, so at the moment I’m using port forwarding. For port forwarding to function I need to create a public DNS name and an A record that points the Internet to the UDMP’s WAN interface.

While your public DNS hosting provider’s process will vary, navigate to the hosting provider’s admin portal, find the Advanced DNS settings and create a new A record that matches the name you defined in your DNS forward lookup zone. For example, mine is vpn.aftersixcomputers.com. For the IP address, use the public IP address of your edge router; in my case it’s the WAN IP address of the UDMP. The key point here is that the host name defined in the public DNS entry will become the name used in the configuration of the VMware Tunnel service.

With the public A record created, head over to your router’s configuration page and set up port forwarding. By default VMware Tunnel uses port 8443 for Per-App VPN and port 2020 for Proxy, so I have two port forward rules. The destination IP would be the internal IP address you previously defined in your internal DNS for the UAG.

Note: VMware announced end of support for the Proxy functionality of Tunnel, so Port 2020 is not something I would recommend moving forward with.

The end result of this configuration is that a device on the Internet looking for vpn.aftersixcomputers.com is now able to reach the internal IP address of the UAG to establish the connection.
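Part 1 as a script. The following PowerShell is an added example and is not from the original post: it creates the internal A record (with its PTR) and the vpn CNAME from steps 5 to 7 using the DnsServer module on the domain controller, then performs the validation from step 9 and checks the port forwards from the paragraphs above. The zone names, the vpn alias and ports 8443 and 2020 are the ones used in the post; the UAG host name uag01, its address 10.0.0.50 and the public resolver 1.1.1.1 are assumptions to replace with your own values.

```powershell
#Requires -Modules DnsServer
# Added example: Part 1 scripted. Run on the AD-integrated DNS server (steps 1-9),
# then run Test-UagPublished from a device outside your network to check the port forward.
# uag01, 10.0.0.50 and the resolver 1.1.1.1 are assumptions; change them for your lab.

$PublicZone   = 'aftersixcomputers.com'       # zone holding the public-facing alias
$InternalZone = 'lab.aftersixcomputers.com'   # AD-integrated zone for internal hosts
$UagHost      = 'uag01'                       # internal host name of the UAG (assumed)
$UagIp        = '10.0.0.50'                   # internal IP of the UAG (placeholder)
$VpnAlias     = 'vpn'                         # becomes the Tunnel Server Hostname later
$TunnelPort   = 8443                          # Per-App Tunnel port
$ProxyPort    = 2020                          # retired Proxy port; should stay closed

function New-UagDnsRecords {
    # Step 5: A record for the UAG plus its PTR. -CreatePtr needs the matching
    # reverse lookup zone to exist already, otherwise only the A record is written.
    Add-DnsServerResourceRecordA -ZoneName $InternalZone -Name $UagHost `
        -IPv4Address $UagIp -CreatePtr

    # Steps 6-7: CNAME in the public zone pointing at the UAG's internal name.
    Add-DnsServerResourceRecordCName -ZoneName $PublicZone -Name $VpnAlias `
        -HostNameAlias "$UagHost.$InternalZone"
}

function Test-UagInternalDns {
    # Step 9: the alias must chase through the CNAME to the internal address.
    $answer = Resolve-DnsName -Name "$VpnAlias.$PublicZone" -Type A -ErrorAction Stop
    $a = $answer | Where-Object Type -eq 'A'
    if ($a.IPAddress -ne $UagIp) {
        throw "Internal lookup returned '$($a.IPAddress)', expected $UagIp"
    }
    # The PTR created in step 5 must point back at the UAG's name.
    $ptr = Resolve-DnsName -Name $UagIp -Type PTR -ErrorAction Stop
    if ($ptr.NameHost -ne "$UagHost.$InternalZone") {
        throw "PTR returned '$($ptr.NameHost)', expected $UagHost.$InternalZone"
    }
    "Internal DNS OK: $VpnAlias.$PublicZone -> $($a.IPAddress) -> $($ptr.NameHost)"
}

function Test-UagPublished {
    # Public half of Part 1, run from outside the LAN (for example a phone hotspot):
    # the public A record must not hand out an RFC 1918 address, 8443 must be open,
    # and 2020 should be closed given the note about the retired Proxy feature.
    $public = Resolve-DnsName -Name "$VpnAlias.$PublicZone" -Type A -Server 1.1.1.1 -ErrorAction Stop |
        Where-Object Type -eq 'A'
    if ($public.IPAddress -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') {
        throw "Public record resolves to private address $($public.IPAddress); check the hosting provider's A record"
    }
    $tunnelOpen = Test-NetConnection -ComputerName "$VpnAlias.$PublicZone" -Port $TunnelPort -InformationLevel Quiet
    $proxyOpen  = Test-NetConnection -ComputerName "$VpnAlias.$PublicZone" -Port $ProxyPort  -InformationLevel Quiet
    [pscustomobject]@{
        PublicIP = $public.IPAddress
        Port8443 = if ($tunnelOpen) { 'open' } else { 'CLOSED - check the port forward' }
        Port2020 = if ($proxyOpen)  { 'open - consider closing' } else { 'closed' }
    }
}

New-UagDnsRecords
Test-UagInternalDns
# Test-UagPublished   # run this one from an external network
```

Running Test-UagPublished from inside the LAN is not meaningful: the AD-integrated zone answers with the internal address, so the check has to be made from a network that only sees the hosting provider's record.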

Part 2: Configure the Tunnel in the UEM Console

With the Public DNS name from Part 1 now available for use the next step is to configure the Tunnel using the Workspace ONE UEM Console.

  1. In UEM Console choose Groups and Settings > Configurations > Tunnel
  2. Create your Tunnel.
    1. Deployment Type = Basic (Cascade is supported, just not used in my example)
    2. Hostname = the public DNS name you defined with your hosting provider. In my case it’s vpn.aftersixcomputers.com
    3. Port = 8443
    4. Server Authentication = Airwatch SSL
    5. Client Authentication = Airwatch SSL
    6. Networking = Enabled with “Default AWCM + API traffic via Server Traffic Rules”
    7. Logging = Disabled
    8. Custom Settings not configured
    9. Save the configuration
  3. While you’re in the UEM settings configure the Device Traffic Rule Sets that enable Windows domain joined devices to function as if they were on the corporate LAN:
    1. Under the Device Traffic Rule Sets choose Edit to bring up the “Manage Traffic Assignments”
    2. Select the Default Assignment to bring up the Device Traffic Rules menu
    3. Choose “Manage Applications”
    4. Add the following 5 Windows applications (application names shown in the original screenshot):
      • This rule enables access to network shares like SYSVOL
      • This rule enables Group Policy to continue to function off network
      • This rule enables access to Netlogon
      • While not specific to domain join, this rule is helpful for accessing mapped network drives
      • This rule is not related to domain join, but is helpful for your IT Admins who need to use RDP for server management off network.

4. Now that the apps are created, from the Device Traffic Rules page choose Add Rule and add each of the apps to tunnel as illustrated below:

Configure Tunnel for your AD Domain name

5. Define the domain name in the Destination. For example I’m using a wildcard of *.lab.aftersixcomputers.com

6. Choose Save and Publish

Part 3: Enable Unified Access Gateway Tunnel

The next step is to link the UAG to the UEM Tunnel configuration. This is done using the UAG Admin portal:

  1. Launch the UAG admin portal from your web browser by opening https://yourUAGDNSname:9443/admin
  2. Under General Settings > Edge Service Settings > click Show and then click the Gear icon under Tunnel Settings
  3. Choose Enable Tunnel Settings
  4. Define the API Server URL in the format
    https://ASxxx.awmdm.com
    where xxx equals the UEM Console url.
    For example if UEM is https://CN135.awmdm.com use https://AS135.awmdm.com
  5. The API Server username and password are for any account on the UEM server that has been granted API access rights. By default the role “Console Administrator” has this permission. Note that what you type here must match the login format used for UEM; in my lab that means the username typed here is lab\bgarmon
  6. The Org Group ID also comes from the UEM server, find it by hovering over the OG name in the UEM Console and use the value found in “Group ID”
  7. The Tunnel Server Hostname is the PUBLIC DNS name you defined at the ISP. In my example it’s vpn.aftersixcomputers.com
  8. BEFORE clicking SAVE, I recommend to SSH into the UAG and tail the log files to confirm what happens next succeeds. If you have a typo in your config you won’t really see any indication in the UAG admin portal that something didn’t work but you’ll spot it immediately in the SSH logs if you do the following:
    1. From your SSH client, SSH as root to the UAG
    2. Type in (but do not press enter):

      tail -f /var/log/vmware/appliance-agent/appliance-agent.log

      The reason you can’t hit enter yet is that this log file doesn’t exist until the first time the SAVE button is pressed in the Tunnel Settings page.
    3. Make sure both SSH and Tunnel Settings page are visible on your screen at the same time. In the Tunnel Settings click SAVE and immediately switch to SSH and press enter to send the tail command. You should immediately see text scrolling in SSH. The screenshot below shows what you should be looking for to confirm success
  9. Flip back to the UAG General Settings page you should find a Green icon under the Edge Service Settings next to Tunnel.
  10. You’ve completed the UAG Tunnel Configuration. Next up are the Windows 10 device settings configuration.
SSH output for Tunnel Settings showing successful configuration

Part 4: Deploy the Windows Tunnel client app from UEM

A brief history lesson to make sense of the different Tunnel versions for Windows:

  • Versions 2.0 and below support per-app VPN and MDM management
  • Version 2.1 through Version 2.7.1 support per-app VPN and MDM management and added per-device VPN
  • Version 3.0 supports per-app VPN and per-device VPN but NO MDM management – so don’t use this version for this configuration.

Make sure your UEM Console is updated to 2102 or higher. The instructions below reference Tunnel version 2.1.1 using Per-App Tunnel. If you will be using the full device-based tunnel, consult VMware’s product documentation for any configuration changes that might be required.

Note: VMware continues to release updates to the Tunnel client application, with the 2.1 through 2.7.1 updates mostly being bug fixes. Adjust the metadata in the instructions below to match the latest version of the client you download.

  1. Download version 2.7.1 of VMware Tunnel for Windows from https://My.workspaceone.com
  2. Browse https://images.google.com and download an app icon for Workspace One Tunnel to use later in this process.
  3. In the UEM Console choose Apps & Books > Applications > Native > choose Add Application > Upload
  4. On the Edit Application fill out the tabs as follows:
    1. Details tab: Name > Change this to VMware Tunnel for Windows
    2. Details tab: Supported Processor Architecture: 64-bit
    3. Details tab: App Version: 2.7.1
    4. Details tab: Current UEM Version 2.7.1 (this might read Version if you are on a UEM build prior to 21.01)
    5. Files tab: App Uninstall Process: Custom Script Type: Input
    6. Files tab: App Uninstall Process: Uninstall Command:
      VMwareTunnelInstaller_2.7.1.exe /uninstall /Passive
    7. Deployment Options tab: How to Install > Install Command:
      VMwareTunnelInstaller_2.7.1.exe /install /Passive /norestart
    8. Deployment Options tab: How to Install > Installer Reboot Exit Code: Leave this blank
    9. Deployment Options tab: How to Install > Installer Success Exit Code: Leave this blank
    10. Deployment Options tab: When To Call Install Complete: choose Defining Criteria, select Add, and select Criteria Type “File Exists” with a path of
      C:\Program Files\VMware\Workspace ONE Tunnel\VMwareTunnel.exe
      Version 2.7.1.0
    11. Images Tab: Choose Icon Tab > Upload an image file for Tunnel app
    12. Choose Save & Assign
    13. In the Assignment Distribution menu give it a name like “Tunnel for Windows Default”
    14. Choose an Assignment Group
    15. Change the App Delivery Method to Auto
    16. Choose the Restrictions menu on the left and enable “Make App MDM Managed if user installed”
    17. Enable “Desired State Management”
    18. Choose Create
    19. Choose Save
    20. Choose Publish
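Before uploading the installer, it is worth confirming on a test machine that the install command and the completion criteria from steps 6, 7 and 10 agree with the build you downloaded. The PowerShell below is an added example, not from the original post or from VMware: it runs the same install and uninstall commands and then evaluates the same “File Exists” path and version check that UEM applies. The installer file name, path and version 2.7.1.0 are the values used in the post; the installer is assumed to sit next to the script.

```powershell
# Added example, not from the original post: run the Part 4 install command on a
# test machine, then evaluate the "File Exists" completion criteria from step 10,
# so the metadata typed into UEM is known to match the downloaded build.
# Installer name, path and 2.7.1.0 are the post's values; the installer is assumed
# to be in the same folder as this script.

$Installer  = Join-Path $PSScriptRoot 'VMwareTunnelInstaller_2.7.1.exe'
$TunnelExe  = 'C:\Program Files\VMware\Workspace ONE Tunnel\VMwareTunnel.exe'
$MinVersion = [version]'2.7.1.0'

function Install-TunnelClient {
    # Step 7: identical arguments to the UEM Install Command.
    $proc = Start-Process -FilePath $Installer -ArgumentList '/install', '/Passive', '/norestart' `
        -Wait -PassThru
    # 0 is the conventional success code. UEM treats other codes as failures unless
    # you list them under Installer Success / Reboot Exit Code (left blank in the post).
    return $proc.ExitCode
}

function Test-TunnelInstalled {
    # Step 10: UEM's "File Exists" criteria with a version. FileVersionRaw is the
    # numeric System.Version, so it compares correctly against 2.7.1.0.
    if (-not (Test-Path -LiteralPath $TunnelExe)) {
        return [pscustomobject]@{ Installed = $false; Version = $null; MeetsCriteria = $false }
    }
    $ver = (Get-Item -LiteralPath $TunnelExe).VersionInfo.FileVersionRaw
    [pscustomobject]@{
        Installed     = $true
        Version       = $ver
        MeetsCriteria = ($ver -ge $MinVersion)
    }
}

function Uninstall-TunnelClient {
    # Step 6: the custom uninstall command; returns the installer's exit code.
    $proc = Start-Process -FilePath $Installer -ArgumentList '/uninstall', '/Passive' -Wait -PassThru
    return $proc.ExitCode
}

$exit = Install-TunnelClient
Write-Host "Installer exit code: $exit"
Test-TunnelInstalled | Format-List
```

If MeetsCriteria comes back false while the file exists, the version you are about to type into step 10 is newer than the build you downloaded, and UEM would never call the install complete; fix the App Version and criteria version together.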

Part 5: Create UEM Console Profile for VPN

Note that beginning with Tunnel version 3.0 the UEM console now supports providing Configurations and Device Traffic Rules through Configurations and not profiles. The instructions below assume you are using Tunnel 2.7.1 and the current Profile configuration.

  1. In the UEM Console choose Devices > Profiles & Resources > Profiles
  2. Choose Add > Add Profiles > Windows > Windows Desktop > Device Profile
  3. Under General give the profile a name and assign it a SmartGroup
  4. Choose the VPN payload and fill out the following:
    1. Connection Name: It now defaults to “Default VPN”
    2. Connection Type: Workspace ONE Tunnel
    3. Device Traffic Rule Sets: Default – Default
    4. Under Custom Configuration XML add the following XML which is how the Tunnel is configured to launch before the Windows 10 Login screen appears:
<?xml version='1.0' encoding='utf-16'?>
<CustomConfiguration>
  <StartTunnelPreLogon>true</StartTunnelPreLogon>
</CustomConfiguration>

5. Configure the Trusted Network Detection to be the name of your domain. What this setting does is to ensure that when your device is on the trusted network, the Tunnel will not be established.

6. Under DNS Resolution via Tunnel Gateway you must define how DNS will be resolved. The end goal is to make Tunnel aware of when it will use the internal DNS servers. This area of the product has been enhanced in the latest UEM Console release so you now have two options to choose from: Enable Enhanced Domain Resolution, or Disable Enhanced Domain Resolution and define the Domains.

If you enable Enhanced Domain Resolution, Tunnel will read the Device Traffic Rules and use the Device Traffic Rules to define the domains. I suspect this may be a better method to use in production, but it’s a new setting I haven’t worked with much so experiment at will. In my example I set Enhanced Domain Resolution to Disabled and I’m defining *.lab.aftersixcomputers.com and lab.aftersixcomputers.com in the domain list.

The end result of your profile should look similar to this (taken from Workspace ONE UEM Console 2102):

Windows 10 Device Profile for Custom Tunnel Configuration

Final Steps

Congratulations on completing the configuration. With this configuration in place Windows devices will be able to:

  • Map Network Drives
  • Establish RDP Sessions
  • Apply Active Directory Group Policy updates
Author: bgarmon

5 thoughts on “Using VMware Workspace ONE Tunnel in Per-App VPN mode with Domain Joined Windows clients”

  1. Hi there,

    thank you for this interesting article, if it works this would be exactly what I’ve been searching for.
    Is the version 2010 really the minimum for this? I’d like to test this with 2005.

    Is there any kind of documentation where this snippet is described for the pre logon connection and is this eventually the reason why it has to be version 2010?

    true

    Thanks and greetings,

    Lukas

    1. Device Traffic Rules were re-designed both in the Server side configuration of them, and in how they are now applied to Personas, thus a newer console version of the Workspace ONE UEM Console is recommended.

      The pre-login connection is effectively telling the Tunnel Agent to load before a user logs onto Windows thus allowing the connection to be established before the user login.

  2. Thanks for sharing. It’s helpful. I’m trying to set it up but stuck in the step where ACC service > Properties > Logon tab and add AD username/password. After that, service won’t start. I’m getting error message related to logon info. When I removed the username/password, service can start. Cloud connector log shows error msg “query with error time out 12000”.

    Do you have any idea why? Thanks.

    1. Re-run through Part 7, starting at Step 7 which is where you set the permissions for the account. That it is not starting indicates you’ve got something wrong with the permissions set.

  3. Hi ,
    Thanks for the share.
    i got a small issue regarding connection to external website.
    I want to block all connection to website but access only for youtube for example but no success.
    I am using chrome enterprise and blocked * and Bypass *.youtube.com
    But still blocking youtube, any idea why?

    Thanks
