Enabling Secure and Optimized Access for Remote Workers with SASE for Anywhere Workspace

Updated on

With VMware SASE for Anywhere Workspace, VMware has combined the consistent, secure cloud application access functionality of VMware SD-WAN, Secure Access, and Cloud Web Security with the capability of Workspace ONE to allow only trusted devices and users to access applications hosted on-premises or in the cloud. 

This guide will walk you through demonstrating SASE for Anywhere Workspace in the ready to use TestDrive environment.

Before You Begin

In order to complete a VMware Secure Access Walkthrough, you'll need the following:

  • A valid VMware TestDrive account with Workspace ONE UEM enabled in the VMware TestDrive portal.
  • A recommended device: Recent, updated Windows 10 physical or VM.  Windows 10 Enterprise evaluation ISO is available via Microsoft download. Maintain a clean VM snapshot, or System Restore point on a physical device, for a fast roll back.
  • Tip! To keep your VM in tip-top shape, first build a new completely updated Windows VM, then create a snapshot.  At intervals, revert to the snapshot, update it, then create a new snapshot. 
  • You can also use an iOS, Android, or macOS device.  If using one of those, enrollment and Workspace ONE experience is the same.  Windows is covered herein. 
  • Access to the ready to use Workspace ONE UEM Console.
    • Workspace ONE UEM administrator role: Device Administrator at World Wide Enterprises 
    • For the console-side discussion, be sure you have the UEM console open with the necessary console views already loaded in your browser's tabs.
  • A Dropbox account. Any Dropbox account will do.
  • Network access from your device and TCP 443 enabled on your local network.


VMware Secure Access enables secure, optimized, and high-performance access for remote and mobile workers.

The VMware Secure Access solution is designed to address enterprise concerns over inconsistent access, poor user experience, and stress on enterprise infrastructure. It will provide a multi-region, per-app VPN service for iOS, Android, Windows and MacOS clients, with role-specific policies allowing for persona-based controls.

VMware Secure Access is delivered as a service through a global network of VMware SASE points of presence (PoPs).


Hub-initiated enrollment is currently the recommended Windows enrollment method for a Windows device with an existing user profile. 

  • Go to https://getwsone.com. Download the Workspace ONE Intelligent Hub (Hub) and install it.
  • When prompted, enter your Workspace ONE enrollment email address to be automatically routed to testdrive.awmdm.com, choose the enrollment OG, and authenticate into Workspace ONE.
  • Proceed through accepting all prompts until enrollment is completed.

    Enrollment email: <username>@vmtestdrive.com
    Organization Group:  Enterprise - Corporate Owned Demo
    Enrollment credentials:     TestDrive username  & password

The Enterprise - Corporate Owned Demo flow (corp) supports modern Windows management including the functionality showcase for VMware Secure Access integrated with Workspace ONE. Alternatively, Enterprise - BYOD Demo (BYOD) flow is also set up for VMware Secure Access. However, the BYOD flow is sensitive to a user's privacy where restrictions of any type would be considered intrusive on a personal device, therefore BYOD contains minimal management.

Check your device in the Workspace ONE UEM console to verify that enrollment has completed.

Workspace ONE UEM Console Overview

Talking Points

  • An enrolled device will receive a set of automatically delivered profiles. Those profiles represent a baseline configuration how the PC should be set up, and additional profiles can be applied to meet specific requirements.
  • Profiles are the settings, when combined with compliance policies, that help enforce organizational security policies.
  • Passcode, Wi-Fi, certificate issuance, app whitelist/blacklist, and device restrictions are just a few profile types that may be created for Windows 10.

Go to Resources > Profiles on the left-side console menu.  On the far right, in the Search List box, enter "WWE - Windows" to quickly filter your view to list only Windows 10 profiles. You can identify the WWE – Windows – WS1 Tunnel profile, which enables Per-App Tunnel access on your enrolled device. 

If you wish, click through individual profiles to see review its payload.  Use any pre-configured optional device profiles as needed.

Switch to your browser tab open with the device list. Find your device by filtering by your username. Drill into your device details and discuss profiles, apps, content and other features your audience would find important.

On the profiles tab, note the installed statuses and the assignment types, automatic vs optional, from this view. Again, use optional profiles to aid your discussion.

Workspace ONE Intelligent Hub

Talking Points

  • VMware Workspace ONE is the enterprise platform that enables organizations to deliver a digital workspace that empowers users to securely bring the technology of their choice—devices and apps—without sacrificing productivity or security at a cost the business needs.
  • The Unified App Catalog transforms employee on-boarding. Simply accessing the Workspace ONE Intelligent Hub app on the PC (or any platform) provides employees with a complete, self-service enterprise app catalog that can be easily customized and branded for your organization.
  • Delivers any application from the latest mobile cloud apps to legacy enterprise apps. Simple, one-stop access to all apps: native, web, virtual desktops (VDI) and applications (RDSH).
    • Internal web apps through a secured browser
    • SaaS apps with SAML-based SSO and provisioning framework
    • Native public mobile apps through brokerage of public app stores
    • Modern Windows apps through the Windows Business Store
    • Legacy Windows apps through Windows app package delivery
  • Single Sign-On (SSO) that federates the most complex on-premises Active Directory topologies and support for multi-factor authentication, like RSA.

After enrollment, Workspace ONE Intelligence Hub automatically launches, preconfigured with the Workspace ONE Access tenant.

With Workspace ONE UEM managed authentication, the user's access into Workspace ONE Intelligent Hub is seamless. Manual user authentication is not required, but can be configured as a fallback method.

Proceed into Workspace ONE Intelligent Hub. Review the streamlined user access to all assigned apps: native, web, or virtual.

Once inside Workspace ONE Intelligent Hub, go to Apps > Categories.

Categories are configurable and provide quick filters for sorting various app types. 

Note the rapid and seamless access Workspace ONE Intelligent Hub provides for VDI and RDSH under the Virtual Apps category.

Finally, in categories, select  Windows Apps at the top.  More details on those are next.

Automatic Provisioning of Windows Apps

Talking Points

  • No longer do PCs need to be tied to local area network (LAN) computer management systems for native Windows app management. Both Windows 10 desktops and Windows 10 mobile devices can now have Windows apps managed over-the-air (OTA) by Workspace ONE UEM.
  • Workspace ONE UEM provides a variety of different application distribution options to meet the variety of installation scenarios found in an enterprise. The application deployment framework supports MSI, EXE and ZIP based deployments, public apps from the Windows Store, as well as complex script-based applications through product provisioning.
  • Content Delivery Network (CDN) integration globally extends your organization's app deployment for fast and secure app delivery.

The following Windows apps are configured to automatically deploy: 

  • Workspace ONE Tunnel
  • VMware Horizon Client
  • Carbon Black Cloud Sensor
  • Google Chrome
  • Zoom

These apps are configured in Workspace ONE UEM and delivered by UEM's software distribution over CDN (powered by Akamai).

Workspace ONE UEM's Windows app distribution and management is doing the same thing that traditional LAN-based tools, like SCCM, have done with native apps. However, Workspace ONE UEM is doing it over the air. Devices no longer have to be tied to the organization's LAN.

Several additional Windows Apps are set up for software distribution. Select Windows Apps to filter out all Windows apps, both Windows Desktop and UWP apps:

Optionally, choose one of the Windows Apps and push it to your device. 7-Zip is a good one to pick as it’s small deployment.  You’ll receive a notifications on the device regarding the installation.

In Workspace ONE UEM, apps delivered via software delivery are set up through the familiar UEM workflow.  Additionally with Windows Apps, comprehensive deployment, install, dependency, detection, and uninstall settings are configured to suit enterprises' various complex app deployment needs.

VPN with the Workspace ONE Tunnel

Talking Points

  • Workspace ONE Tunnel enables secure access for all workers and devices working anywhere with an internet connection outside the office.
  • Users never have a 'no-touch' Tunnel experience. Its setup and configuration are 100% managed by Workspace ONE UEM.
  • IT organizations can take a least-privilege approach to enterprise access, ensuring only managed devices, defined apps and domains have access to the internal network.
  • Zero Trust goals can be reached by combining explicit definitions for managed applications and integration with the Workspace ONE compliance engine. 
Expand for alternate "full tunnel" demo flow.

The default demo flow is per-app tunnel.  This section provides full tunnel demo flow info.

With full Tunnel, all device traffic is subject to SASE management, namely Cloud Web Security.

Follow these steps to change to full Tunnel:

  1. In UEM, find your device and remove the WWE - Windows - WS1 Tunnel profile.
  2. In profiles, push the WWE - Windows - WS1 Tunnel Full profile.

A few moments may be required for the device to sync and update with the new Tunnel profile.

Workspace ONE UEM will automatically push both the Workspace ONE Tunnel app, the Tunnel app's device profile, and Google Chrome to your device. Workspace ONE UEM manages Chrome as the per-app Tunnel app.

Workspace ONE UEM also manages the VMware Tunnel's fundamental configurations which establish connectivity and trust within an organization's environment.  Inside this UEM system settings area—elemental to the Workspace ONE Tunnel app's configuration—are the Device Traffic Rules.  

VMware Tunnel configuration/Device Traffic Rules are restricted by Workspace ONE UEM RBAC in testdrive.awmdm.com.

Launch Chrome and navigate to the below site using the Hub's Intranet web app (intranet.vmtestdrive.com).

Next, try to go to the same site using an unmanaged browser (e.g., Microsoft Edge). Since Edge is not configured as a managed Workspace ONE Tunnel app, Edge has no access to the internal site.

Launch the Workspace ONE Tunnel app to see its configuration which displays its connected state, managed domains (i.e., domains accessible via the Tunnel), and blocked domains.

Attempt to load one of the blocked domains. The connection will be refused by the Workspace ONE Tunnel.   

Next, play the VMware SASE video from the intranet site. The video is hosted on the internal server inside the demo organization.  Note the high performance and no observable lag.

Preventing Undesirable Content with Cloud Web Security

To perform this demo, you either need the Dropbox service enabled on your TestDrive account or your own Dropbox account. 

A custom security policy, Block Dropbox Operations, is configured in the SASE Cloud Web Security environment.  

Using the managed, tunneled browser app (Chrome on Windows), launch Dropbox.com.

Attempt to CREATE a document. Create > Document > Word Document

The CREATE action is blocked by the Dropbox-specific Cloud Web Security policy.

To view the logged "block" action, view TestDrive's instance of VMware SD-WAN Orchestrator where you have read only access. 

Either click here to SSO with your TestDrive account into VMware SD-WAN Orchestrator or use the VMware SD-WAN Orchestrator web app in the Workspace ONE user portal. 

Initially in VMware SD-WAN Orchestrator you'll have the SD-WAN view, switch to Cloud Web Security.

In Cloud Web Security, select Web Logs.

  • Change the view to past 60 minutes.
  • Filter the list to "action is block".  

You should see the blocked action in Dropbox.  

Cloud Web Security Integration with Workspace ONE Access

Instead of unknown or anonymous users listing in Web Logs, Cloud Web Security can be integrated with Workspace ONE Access and other third party IdPs for authentication and username resolution, as seen below. In TestDrive this integration is disabled for security reasons.

Next, we'll inspect the network traffic on the WAN.

Securing & Optimizing Network Traffic with VMware SD-WAN Orchestrator

Talking Points

  • VMware SD-WAN is an integral part of the VMWare Secure Access.
  • As traffic integrates into the SD-WAN overlay, Dynamic Multipath Optimization (DMPO) benefits are applied, reducing latency, packet loss, and jitter while improving bandwidth utilization.
  • VMware SD-WAN also provides visibility into the applications accessed by the remote mobile users on their devices.

Go back to VMware SD-WAN Orchestrator.

After you successfully authenticate, the orchestrator console will look like below.

In Edges, go to Secure-Access-Edge > Applications tab.  All of the tunneled applications that are accessed by managed mobile devices are displayed. 

Filter your view to hone in on your performed demo activities by changing the following:

  • View Past 60 Minutes.
  • Select Destinations and FQDN.
  • In the bottom destination list, select intranet.vmtestdrive.com.

Previously, you played this SASE video from the demo intranet site. You can see the activity spike caused by the high bandwidth activity of the HD video.

Activity is shown as a spike when the traffic hits the SD-WAN buffer. As SD-WAN optimizes the traffic, the spike subsides and resources are normalized.


Another important aspect of VMware SD-WAN is the user experience. To enhance user experience, QoS is automatically applied to the traffic. Time sensitive traffic like voice and video are automatically identified and classified a high priority. VMware SD-WAN also automatically chooses the best path to the Data Center or SaaS and apply remediation from latency, jitter and packet loss induced from internet to enhance user experience.

Click the QoE tab. The tab shows how the application faired with and without VMware SD-WAN. 

Below is an example of SD-WAN QoE enhancements from another environment which illustrious dramatic discrepancies with and without SD-WAN.

Next Article Securing Web Traffic from Horizon Virtual Desktops & Apps with SASE Cloud Web Security