Configure Network Traffic Rules for the Per-App Tunnel

Network traffic rules allow you to set granular control over how the VMware Tunnel directs traffic from devices. Using the Per-App Tunnel of VMware Tunnel, create device traffic rules to control how devices handle traffic from specified applications and server traffic rules to manage network traffic when you have third-party proxies configured.

Device traffic rules force VMware Tunnel to send traffic through the tunnel, block all traffic to specified domains, bypass the internal network and go straight to the Internet, or send traffic to an HTTPS proxy site. The device traffic rules are created and ranked to define the order in which the rules are evaluated. Every time a specified application is opened, VMware Tunnel checks the list of rules to determine which rule applies. If no rule matches, VMware Tunnel applies the default action. The default action, set for all applications except Safari, applies to domains not mentioned in any rule. The device traffic rules you create apply to all VPN VMware Tunnel profiles in the organization group in which the rules are created.

Server traffic rules enable you to manage the network traffic when you have third-party proxies configured in your network. These rules apply to traffic originating from the VMware Tunnel. The rules force the VMware Tunnel to send traffic for specified destinations to either use the proxy or bypass it.

Supported Platforms

VMware Tunnel supports Network Traffic rules for the following platforms:

  • iOS devices with VMware Workspace ONE Tunnel for iOS.
  • macOS devices with VMware Workspace ONE Tunnel for macOS.
  • Android devices with VMware Workspace ONE Tunnel for Android.
  • Windows desktop devices with the VMware Workspace ONE Tunnel desktop application.

    Note:

    Device Traffic Rules are applicable only to the Windows Tunnel Desktop Client and not to the Windows Store app. A device-wide VPN profile must be enabled to use the Windows Tunnel Desktop Client.

Create Device Traffic Rules

The Device Traffic Rules define how traffic from specified applications is routed by the Workspace ONE Tunnel application. The device traffic rules serve as a locally enforced Access Control List, defining which apps and destinations should be blocked, tunneled, proxied, or bypass the tunnel completely.

Before you create device traffic rules, verify the following:

  • Make sure you have configured VMware Tunnel with the Per-App Tunnel component enabled.

  • For iOS and Android applications, configure Per App VPN for VMware Tunnel.

Watch a tutorial video explaining how to create device traffic rules: Configure the network traffic rules for Per-App Tunnel.

Administrators can create multiple Device Traffic Rule sets through Manage Traffic Assignments to segment traffic to internal resources, for example a less restrictive rule set for employee devices and a more restrictive one for contractor devices.

Manage Traffic Assignments requires Workspace ONE UEM 2011; on earlier versions, only a single Device Traffic Rule set can be created.

Complete the following steps to create device traffic rules:

  1. Navigate to Groups & Settings > Configurations > Tunnel.

  2. By default, the Device Traffic Rules settings of a child OG are set to Inherit. You can override the DTR settings, which allows you to Edit the DTR settings for the current OG. Based on your configuration needs, you can also select Clear Override to set the DTR settings back to inheriting the Device Traffic Rules settings of the current organization group's parent OG.

  3. Click Edit. Click Add to create a new DTR set, or edit the default DTR set.

    Settings
    Description

    Tunnel Mode

    • Per Application: Only the applications configured for VPN are considered, and the action is taken based on the destination FQDN/IP.
    • Full Device: Directs all applications and all traffic from the device through an encrypted tunnel to the corporate data centre, based on the destination FQDN/IP.

    Note:

    • Full Device tunnel mode is supported only on Windows Tunnel Desktop Client 2.1 and above and Android Tunnel 21.12 and above for Android Enterprise (AE).
    • Enabling Full Device, also known as container-wide tunnel, on Android AE devices requires UEM console 2111.
    • We recommend bypassing the VMware Workspace ONE DS URL when using Full Device VPN with the default action set to Tunnel.
    Add Rule

    Select Add Rule to create a rule.

    These rules are only applicable to the Per-App Tunnel component of VMware Tunnel for Android, iOS, macOS, and Windows Desktop devices. For iOS, use the Workspace ONE Tunnel client application from the App store. For Windows Desktop, use the Workspace ONE Tunnel Desktop application.

    1. Rank: Select and drag the rule to rearrange the ranking of your network traffic rules.

    2. Application: Select Add to add a triggering application for the network rule. This drop-down menu is populated with applications that have Per App VPN enabled, and with Safari for macOS. If you configure rules for the Safari app for macOS, the traffic rules override and deactivate any domain rules configured in existing profiles.

    3. Action: Select the action from the drop-down menu that VMware Tunnel applies to all network traffic from the triggering app when the app starts.

      • Tunnel – Sends the app's network traffic for the specified domains through the tunnel to your internal network. All apps on the device configured for Per App VPN, except Safari, send the matching network traffic through the tunnel. For example, set the Default Action to Tunnel to ensure that all configured apps without a defined traffic rule use the VMware Tunnel for internal communications.

      • Block – Blocks all apps on the device configured for Per App VPN, except Safari, from sending the network traffic. For example, set the Default Action to Block to ensure that all configured apps without a defined traffic rule cannot send any network traffic, regardless of destination.

      • Bypass – All apps on the device configured for Per App VPN, except Safari, bypass the tunnel and connect to the Internet directly. For example, set the Default Action to Bypass to ensure that all configured apps without a defined traffic rule bypass the VMware Tunnel and access their destination directly.

      • Proxy – Redirects traffic for the listed domains to the specified HTTPS proxy. The proxy must be HTTPS and must follow the format https://example.com:port.

      • Tunnel+Proxy – Redirects traffic to a specified HTTP proxy that resides behind the Tunnel.

        Note:

        This action is supported by the Tunnel SDK on iOS and Android as used by the Workspace ONE Web app. The only configuration required here is the proxy host; the proxy destinations must be provided to the Workspace ONE Web app.

    4. Destination: Enter the hostname applicable to the action set for the rule. For example, for the Block action, enter all the domains that traffic must be blocked from reaching.

      Use a comma (,) to separate hostnames.

      You can use wildcard characters in your hostnames. Wildcards must follow one of these formats:

      • *.<domain>.*
      • *<domain>.*
      • *.* – You cannot use this wildcard for Safari domain rules.
      • * – You cannot use this wildcard for Safari domain rules.

      • For Android, iOS, and macOS devices, IP range, IP subnet, and port matching are not supported. To take an action for a particular IP, add that IP to the device traffic rules. For example, App > Tunnel > 10.10.10.10.
      • IPs and port ranges are supported only for Device Traffic Rules on Windows 10 devices. The following list contains the supported formats for IPv4 addresses and port ranges when applying Device Traffic Rules (DTR):

        • Single IP – 10.10.0.1 or 10.10.10.1/32
        • IP range or subnet
          • 10.10.10.1/24
          • 10.10.0.0/16
        • Single port
          • *.example.com:80, 10.10.10.1:80, 10.10.11.1/32:80
          • *.example.com:[443], 10.10.11.1/24:[443]
        • Port range
          • *.example.com:[80-443], 10.10.10.1:[80-443], 10.10.11.1/32:[80-443]
          • 10.10.11.1/24:[80-443]
        • List of ports
          • example.com:[80,443], 10.10.10.1:[80,443], 10.10.11.1/32:[80,443]
          • 10.10.11.1/24:[80,443]
        • List of ports and port ranges
          • *.example.com:[80,443,8080-8085], 10.10.10.1:[80,443,8080-8085], 10.10.11.1/32:[80,443,8080-8085]
          • 10.10.11.1/24:[80,443,8080-8085]

    5. Select Save to save your changes.

    Manage Applications

    1. Click Add.

    2. Select the Platform.

    3. For the Windows Tunnel Desktop Client, complete the following steps:
      • Enter a Friendly Name for the application.

      • Select the App Type.

      • Enter the App Identifier.

        The App Identifier is the path or the package family name (PFN) of the application. For a Store App, the Package Family Name (PFN) is used and can be found using the PowerShell command Get-AppxPackage *<app_name>. For a Desktop App, the file path is used. For example, C:\Program Files (x86)\acme\app.exe.

        Note:

        macOS traffic rules can be created only if you are using UEM console 1910 or above. Older versions have to configure the rules via profile.

    4. For macOS applications, complete the following steps:
      • Enter the Friendly Name for the application.

      • Enter the Package ID.

      • Enter the Designated Requirement.

      • Enter the Path.

        This text box is optional and applies only to macOS Catalina and above. Enter the Path when command-line utilities that need to be allowlisted are bundled inside an application. For example, vmware-remotemks must be allowlisted with its path details along with the VMware Horizon Client application.

      • Select Save to save your changes.

    To change an application, in the Manage Applications window, select the application you want to edit and make your changes.

    To delete an application, in the Manage Applications window, select the application you want to delete and click Delete.

  4. Enter the Device Traffic Rule Set Name.

  5. Configure the Device Traffic Rules.

  6. Click Save or Save and Publish.

  7. When the administrator changes the Device Traffic Rules and clicks Save, the Device Traffic Rules are mapped to the profile, but the updated Device Traffic Rules are not replaced on devices where the VPN profile is already installed. The Device Traffic Rules are updated only for newly enrolled devices or for devices that have the VPN profile reinstalled.

  8. To send the updated Device Traffic Rules to the devices after modifying them, administrators must click Save and Publish. Save and Publish adds a version to the VPN profile and republishes the Device Traffic Rules to all the devices.

Note:

  • You cannot delete the Default Traffic Rule set.
  • The Save and Publish option is available only for the Default Traffic Rule set.
  • If an administrator changes the Android application in the Device Traffic Rules and clicks Save and Publish, the VPN profiles for both iOS and Android get a version update, and VPN profile installs are queued for all the assigned devices.
  • Reinstalling the profile reissues the client certificate to the device with a new thumbprint.

Each assignment of Device Traffic Rules can be selected within your Tunnel profile. This allows you to create different policies for different types of personas based on user, device, or use-case.

Configure Server Traffic Rules using Outbound Proxy

You can configure server traffic rules for the VMware Tunnel to manage how traffic is directed through a third-party proxy. These rules allow you to bypass the proxy or send traffic through it. You can either add rules manually in the UEM console or via PAC files by using the VMware Tunnel PAC Reader.

Many organizations use outbound proxies to control the flow of traffic to and from their network. Outbound proxies can also be used for performing traffic filtering, inspection, and analysis.

It is not mandatory to use outbound proxies with VMware Tunnel, but your organization may choose to deploy them behind one or more VMware Tunnel servers based on recommendations from your security and network teams.

The following table illustrates outbound proxy support for the VMware Tunnel Per-App Tunnel on Linux: 

Proxy Configuration
Supported?

Outbound Proxy with no auth

Outbound Proxy with basic auth

Outbound Proxy with NTLM auth

Multiple Outbound Proxies

PAC Support

Configure the rules for sending traffic to your outbound proxies using the server traffic rules.

If you want to send the requests to the API/AWCM servers through your outbound proxy as well, then you must enable the Default AWCM + API traffic via Server Traffic Rules Networking settings under Groups & Settings > All Settings > Configurations > Tunnel. Once enabled, add the respective web proxies for API/AWCM hostnames on the server traffic rules page.

Configure Server Traffic Rules from the UEM Console

Add rules for the VMware Tunnel to manage how traffic is directed through a third-party proxy. These rules allow you to bypass the proxy or send traffic through it. The rules apply to VMware Tunnel servers using the Per-App Tunnel component.

  1. Navigate to Groups & Settings > Configurations > Tunnel.

  2. Select Configure.

  3. In the Outbound Proxies section, select Edit and then select Add Outbound Proxy to add a third-party outbound proxy. You may add additional outbound proxies by selecting Add Outbound Proxy again.

    Settings
    Description

    Host
    Enter the proxy hostname.

    Port
    Enter the port on which the third-party proxy listens for connections from the VMware Tunnel.

    Authentication
    Select the proxy authentication method used. Select Basic or NTLM.

    User Name
    Enter the user name for proxy authentication.

    Password
    Enter the password for proxy authentication.

  4. Select Save to save your changes.

  5. In the Server Traffic Rules section, you can configure the server traffic rule settings.

  6. Select Edit.

  7. Select Add Server Traffic Rule to add a new server traffic rule. Enter the following information:

    Settings
    Description

    Destination

    Enter the destination hostname that triggers the traffic rule.

    Rules for applications on Windows 10 and macOS devices (except Safari) must use an IP address as the hostname.

    You cannot use regular expressions, except for specific wildcard characters. Windows 10 and macOS devices support the following wildcards:

    • 10.10.*
    • 10.10.0.0/16

    If you are entering multiple hostnames, separate them with commas.

    For domains you want to resolve on Windows 10 devices through the VMware Tunnel server, you must add the domains to the Windows Desktop VPN profile for VMware Tunnel.

    Action

    Select the action that the VMware Tunnel applies to server traffic for the destination hostname.

    • Bypass – Bypass the proxy and send all traffic directly to the destination hostname.
    • Proxy – Send server traffic through the outbound proxy. Selecting Proxy displays the Outbound Proxy menu.

    Proxy

    Select the outbound proxy to handle server traffic for the destination hostname. If you select multiple outbound proxies, the proxies are used in round-robin fashion.

    The proxies that populate this menu are those added in the Outbound Proxies section.

  8. (Optional) Select Add Server Traffic Rule to add any additional server traffic rules.

  9. Select Apply to save your changes.

  10. Select Close.

The server traffic rules only apply to VMware Tunnel servers using the Per-App Tunnel component.

Configure Server Traffic Rules using VMware Tunnel PAC Reader

The VMware Tunnel PAC Reader allows you to use PAC files to configure outbound proxies for the Per-App Tunnel component.

Complete the following steps before you configure the server traffic rules using the PAC reader:

  • Download the PAC Reader bundle from the Workspace ONE UEM Resources Portal. Install the PAC Reader on any Linux server, such as your VMware Tunnel server. If the PAC file contains DNS resolution rules such as dnsResolve() or isInNet(), change the value of traffic_rule_post_dns in server.conf to 1 on your VMware Tunnel server.

    Note:

    Currently, the PAC Reader has the following limitations:

    • The PAC Reader only supports Linux servers.
    • The PAC Reader does not support the following constructs:
      • Nested if statements. Place the inner logic above the outer logic; this makes the outer logic rank lower than the inner logic.
      • Else-if statements. Convert these rules to plain if statements.
      • Regular expressions.
      • myIpAddress().
      • Generic use of the AND operator.
    • The PAC Reader supports only limited variable declaration and use.

    Before you configure an outbound proxy using the VMware Tunnel PAC Reader, make sure that you meet the following network requirements:

    • Access to the Workspace ONE UEM API server: The PAC Reader requires access to the Workspace ONE UEM API server, which is typically accessed over port 443. Consider installing the PAC Reader on your VMware Tunnel server, as that server already has access to the Workspace ONE UEM API server.
    • Access to the PAC file: If you are hosting your PAC file on a web server, the PAC Reader must have access to that server.
    • RHEL 7 as the server OS.
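Because the PAC Reader rejects nested if, else-if, regular expressions, myIpAddress() and generic use of AND, an existing PAC file may need restructuring before import. The following is an added example (not VMware's PAC Reader and not a file from the page) that shows a nested rule rewritten in the flat, inner-logic-first form described above; the hostnames, proxies, stand-in PAC helper functions and DNS table are constructed so the file runs under Node.

```javascript
// Added example (not VMware code): a PAC file restructured into the flat form
// the PAC Reader accepts. The unsupported original form, kept as a comment:
//   if (dnsDomainIs(host, ".corp.example")) {
//     if (shExpMatch(host, "legacy*")) return "PROXY legacy-proxy.corp.example:3128";
//     return "DIRECT";
//   } else if (isInNet(dnsResolve(host), "10.10.0.0", "255.255.0.0")) return "DIRECT";
//   return "PROXY outbound.corp.example:8080";

// Minimal stand-ins for the PAC runtime helpers so the file runs under Node
// (browsers and PAC engines provide the real ones; all values here are constructed).
function shExpMatch(str, pattern) {
  const parts = pattern.split("*").map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$").test(str);
}
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function isInNet(ip, net, mask) {
  if (!ip) return false;                       // dnsResolve() may return null
  const toInt = a => a.split(".").reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}
// Constructed lookup table standing in for real DNS. A PAC that calls
// isInNet()/dnsResolve() needs traffic_rule_post_dns=1 in the Tunnel server.conf.
const FAKE_DNS = { "intranet.corp.example": "10.10.20.5", "app.internal.example": "10.10.30.7",
                   "www.example.net": "203.0.113.10" };
function dnsResolve(host) {
  return /^\d+\.\d+\.\d+\.\d+$/.test(host) ? host : (FAKE_DNS[host] || null);
}

// Flat form: one top-level "if" per rule, no else-if, no "&&". The inner (more
// specific) logic sits above the outer rule so it ranks higher, and the AND of
// "in .corp.example" and "starts with legacy" is folded into a single pattern.
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "legacy*.corp.example")) return "PROXY legacy-proxy.corp.example:3128";
  if (dnsDomainIs(host, ".corp.example")) return "DIRECT";
  if (isInNet(dnsResolve(host), "10.10.0.0", "255.255.0.0")) return "DIRECT";
  return "PROXY outbound.corp.example:8080";
}

console.log(FindProxyForURL("https://legacy.corp.example/", "legacy.corp.example")); // PROXY legacy-proxy.corp.example:3128
console.log(FindProxyForURL("http://app.internal.example/", "app.internal.example")); // DIRECT
```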

Complete the following steps to configure the server traffic rules using the PAC reader:

  1. Download the installer from the Workspace ONE UEM Resources Portal.
  2. Create a dedicated install directory for the installer on the Linux server. For example, create /tmp/Install/ as the install directory and copy the LinuxPacReaderInstaller.bin file to this location.
  3. Navigate to the directory to which you copied the file. Run the command chmod 750 LinuxPacReaderInstaller.bin to assign the execute permission to the LinuxPacReaderInstaller.bin file.
  4. Run the BIN file with the following command: sudo ./LinuxPacReaderInstaller.bin
  5. Configure the necessary properties in the pacreader.properties file.

    Setting
    Description

    API_SERVER_URL
    Enter the API server URL.

    API_KEY
    Enter the API key for the API server. Find this key by navigating to Groups & Settings > All Settings > System > Advanced > API > REST API > API Key.

    Location group ID
    Location Group ID where the VMware Tunnel server is deployed.

    PAC Location
    Path to the PAC file if stored locally on the machine (for example, a PAC file placed at /opt/vmware/tunnel/pacreader); otherwise use the http/https link to the PAC file. If you configure PAC_LINK, do not configure PAC_PATH. If you configure PAC_PATH, do not configure PAC_LINK.

    API Certificate
    The Admin API certificate, which can be obtained from UEM Console > Accounts > Administrators > List View > Edit account > API > Certificates > Export Certificate.

    API Certificate Password
    Password for the pfx/p12 API certificate file.


Complete the following steps after you configure the server traffic rules using the PAC reader:

  • Open the bash shell.
  • Go to the pacreader installation directory: cd /opt/vmware/tunnel/pacreader
  • Run the following command to validate: ./pacreader validate