VMware NSX is a network virtualization platform that allows you to programmatically provision a virtual network. With NSX, you have more flexibility in designing and securing a network due to significantly improved network provisioning speed and the ability to automate the provisioning of network and security rules. VMware NSX can be integrated with AirWatch to secure the full flow of data from the device to the internal network through microsegmentation. With microsegmentation, each network application can be isolated from all others, and the network requirements of that application are only applied to that segment. Essentially, instead of a single firewall protecting the entire network, you can imagine dedicated firewalls protecting each network application.
NSX integration with AirWatch
When using NSX, each application in a data center is assigned a set of IP addresses, or an IPSet. When handling mobile traffic, the AirWatch Tunnel server acts as a proxy server and assigns a source IP for each allowed connection. This source IP corresponds to the IPSet of the application the mobile device is attempting to reach.
In the NSX console, IPSets are added to specific security groups for dynamic assignment. When the security group contains the tag @airwatch, AirWatch will automatically import it and apply it for mobile devices.
Configuring the AirWatch Console
In the AirWatch Console, NSX security groups can be identified by navigating to Settings > System > Enterprise Integration > AirWatch Tunnel. Make sure that NSX Communication is enabled and that the appropriate URL and admin credentials are configured. After this, select the Sync NSX Security Groups option to pull in the groups. On this page you can also specify which mobile applications each security group will map to.
Additionally, when pushing an app through AirWatch you can choose to associate that app with a per-app VPN profile. This ensures that only this application has access to the VPN network; other applications on the device, or the device in general, cannot directly access the VPN network. You should also specify the appropriate NSX security group. This ensures that the AirWatch Tunnel appropriately routes and secures traffic coming from this application.
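The flow described above (tagged security groups, app-to-group mapping, per-app source IP, per-segment firewalling) can be modeled in a few lines. This is an added conceptual example, not AirWatch or NSX code, and it calls no product API; the group names, app identifiers, addresses, the `backend` field and the first-address allocation are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

AIRWATCH_TAG = "@airwatch"

@dataclass(frozen=True)
class SecurityGroup:
    name: str
    tags: frozenset
    ipset: tuple    # CIDR blocks the Tunnel draws source IPs from
    backend: str    # CIDR of the application's servers (assumed field)

# Constructed sample data: names and addresses are illustrative only.
NSX_GROUPS = [
    SecurityGroup("sg-mail", frozenset({AIRWATCH_TAG}), ("10.10.1.0/29",), "172.16.1.0/24"),
    SecurityGroup("sg-crm", frozenset({AIRWATCH_TAG}), ("10.10.2.0/29",), "172.16.2.0/24"),
    SecurityGroup("sg-hr", frozenset(), ("10.10.3.0/29",), "172.16.3.0/24"),  # untagged
]
APP_TO_GROUP = {"com.example.mail": "sg-mail", "com.example.crm": "sg-crm"}

def sync_groups(groups):
    """Import only the security groups that carry the @airwatch tag."""
    return {g.name: g for g in groups if AIRWATCH_TAG in g.tags}

def assign_source_ip(app_id, imported, app_map=APP_TO_GROUP):
    """Pick a Tunnel source IP from the IPSet of the app's security group."""
    group = imported.get(app_map.get(app_id))
    if group is None:
        return None  # unmapped app or untagged group: connection is not proxied
    network = ipaddress.ip_network(group.ipset[0])
    return next(iter(network.hosts()))  # first usable address (assumed policy)

def firewall_allows(src_ip, dst_ip, imported):
    """Default deny: a source in a group's IPSet may reach only that group's backend."""
    if src_ip is None:
        return False
    dst = ipaddress.ip_address(dst_ip)
    for group in imported.values():
        in_ipset = any(src_ip in ipaddress.ip_network(c) for c in group.ipset)
        if in_ipset and dst in ipaddress.ip_network(group.backend):
            return True
    return False

if __name__ == "__main__":
    imported = sync_groups(NSX_GROUPS)
    mail_ip = assign_source_ip("com.example.mail", imported)
    print(mail_ip, firewall_allows(mail_ip, "172.16.1.10", imported))  # mail segment
    print(mail_ip, firewall_allows(mail_ip, "172.16.2.10", imported))  # CRM segment
```

Because the source address encodes which application the connection was opened for, traffic from the mail app cannot reach the CRM segment even though both pass through the same Tunnel server.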