VPN with WS1 Tunnel


Talking Points

  • Workspace ONE Tunnel enables secure access for all workers and devices working anywhere with an internet connection outside the office.
  • Users have a 'no-touch' Tunnel experience. Its setup and configuration are 100% managed by Workspace ONE UEM.
  • IT organizations can take a least-privilege approach to enterprise access, ensuring only managed devices, defined apps and domains have access to the internal network.
  • Zero Trust goals can be reached by combining explicit definitions for managed applications and integration with the Workspace ONE compliance engine. 

VMware Tunnel Provisioning

Workspace ONE UEM will automatically push the Workspace ONE Tunnel app, the Tunnel app's device profile, and Google Chrome to your device. Workspace ONE UEM manages Chrome as the per-app Tunnel app.

Workspace ONE UEM also manages the VMware Tunnel's fundamental configurations, which establish connectivity and trust within an organization's environment. The Device Traffic Rules, which are elemental to the Workspace ONE Tunnel app's configuration, are found inside this UEM system settings area.

VMware Tunnel configuration/Device Traffic Rules are restricted by Workspace ONE UEM RBAC in testdrive.awmdm.com.

Tunnel Intranet

Launch Chrome and navigate to the below site using the Hub's Intranet web app.


Next, try to go to the same site using an unmanaged browser (e.g., Microsoft Edge). Since Edge is not configured as a managed Workspace ONE Tunnel app, Edge has no access to the internal site.

Launch the Workspace ONE Tunnel app to see its configuration, which displays its connected state, managed domains (i.e., domains accessible via the Tunnel), and blocked domains.

Blocked Domains

Attempt to load one of the blocked domains. The connection will be refused by the Workspace ONE Tunnel.   

Video hosted on Intranet

Next, play the VMware SASE video from the intranet site. The video is hosted on the internal server inside the demo organization.  Note the high performance and no observable lag.

Alternate "full tunnel" demo flow

The default demo flow is per-app tunnel.  This section provides full tunnel demo flow info.

With full Tunnel, all device traffic is subject to SASE management, namely Cloud Web Security.

Follow these steps to change to full Tunnel:

  1. In UEM, find your device and remove the WWE - Windows - WS1 Tunnel profile.
  2. In profiles, push the WWE - Windows - WS1 Tunnel Full profile.

A few moments may be required for the device to sync and update with the new Tunnel profile.
