VMware Tunnel updates in AirWatch 9.1

In AirWatch 9.1, the VMware Tunnel will feature enhancements to the existing architecture of the Relay-Endpoint deployment model for Per-App Tunnel to improve the overall performance and usability of the product. Additionally, the security model has been enhanced, with a focus on the growing number of enterprise use cases of this product.

With this release, the Relay-Endpoint deployment model has been rebranded to the Cascade deployment model. The Relay server is now called the Frontend server, and the Endpoint server is now called the Backend server.

What are the benefits of Cascade mode?

  • Overall performance improvements - Better request-response times when compared to the previous architecture.
  • Scalability improvements - The updated architecture makes the product highly scalable for enterprise use, requiring fewer servers to handle more load compared to the previous model.
  • Security improvements - Certificate authentication is performed between the Frontend and Backend servers, instead of the Basic authentication previously performed.
  • Outbound proxies can be easily managed through Server-Side Traffic Rules. This also allows dynamic changes to traffic rules.

New requirements for VMware Tunnel deployed in Cascade mode (formerly Relay-Endpoint mode)

Note: These requirements only apply to environments that upgrade the VMware Tunnel software to the versions introduced in AirWatch 9.1.  There are no new requirements (or change in functionality) for environments that upgrade the AirWatch software but do not upgrade the VMware Tunnel software.

  • In any environment using Per-App Tunnel in Relay-Endpoint mode, after upgrading AirWatch the administrator must navigate in the AirWatch Console to Settings > Enterprise Integration > VMware Tunnel > Configuration and select the Configure button.  This will generate a new certificate used for authentication between the Frontend and Backend servers.  In many deployments, no further configuration is needed (see next step for exceptions), so the administrator can save the settings after the certificate is generated.  Finally, the updated Frontend and Backend server software must be installed on the appropriate Tunnel servers.
  • Once the reconfiguration to enable Cascade mode is done, a re-publish of the Tunnel profile is not required as long as the hostnames for Per-App Tunnel have not been changed. If the hostname changes during reconfiguration, a re-publish of the Tunnel profile is required, since new certificates will be generated for the new hostname.
    Note: Changing the hostnames will cause downtime, since the devices won't be able to connect to the Tunnel server using the existing certificates. Republishing the Tunnel profile will install new certificates on the devices so they can connect to the Tunnel server.

There are updated port requirements to use the VMware Tunnel in Cascade mode:

  • If you are using the VMware Tunnel Proxy and Per-App Tunnel on the same servers in Relay-Endpoint mode, then after upgrading the VMware Tunnel, separate ports will be required for communication between the Frontend and Backend servers for both Proxy and Per-App Tunnel traffic. If you are only using Per-App Tunnel then no new port is required between the Frontend and Backend servers. This port can be updated in the AirWatch Console when you generate the authentication certificate as described in the previous step.
  • In Cascade mode, both the Backend and Frontend servers must be able to communicate with the AirWatch API and AWCM servers. 

All required network ports are shown below.  Rows in red show new requirements:

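| From     | To       | Default Port          | Notes                                                              |
|----------|----------|-----------------------|--------------------------------------------------------------------|
| Frontend | API      | 443                   |                                                                    |
| Frontend | AWCM     | 443                   | This might be 2001 for an on-prem environment                      |
| Backend  | API      | 443                   |                                                                    |
| Backend  | AWCM     | 443                   | This might be 2001 for an on-prem environment                      |
| Frontend | Backend  | 8443 (per-app tunnel) | Custom port, only required if using both Proxy and Per-App Tunnel. |
| Device   | Frontend | 8443                  | Custom port, used for Per-App Tunnel                               |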

How can I prepare right now if I am using Per-App Tunnel in Relay-Endpoint mode?

  • The best way to prepare for this change is to have the required network ports opened prior to the upgrade. This will also help in preventing and/or minimizing any downtime during and after the upgrade.
  • When the AirWatch Console is upgraded, your existing deployment of VMware Tunnel will continue to function as it is until you decide to re-configure VMware Tunnel settings in the AirWatch Console and upgrade the VMware Tunnel software. AirWatch recommends upgrading as soon as possible to take advantage of the new functionality.
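
A pre-upgrade check built from the port table above, as an added example (not VMware or AirWatch code): run on a Frontend or Backend server, it probes each outbound flow that role needs. The hostnames, variable names and function names are assumptions for illustration, and it assumes bash and coreutils `timeout` are installed.

```bash
#!/usr/bin/env bash
# Pre-upgrade reachability check for a Tunnel server moving to Cascade mode.
# Hostnames are placeholders; ports are the defaults from the table above.
API_HOST="${API_HOST:-api.example.com}"
AWCM_HOST="${AWCM_HOST:-awcm.example.com}"
BACKEND_HOST="${BACKEND_HOST:-tunnel-backend.example.com}"
AWCM_PORT="${AWCM_PORT:-443}"               # may be 2001 on-prem
CASCADE_PORT="${CASCADE_PORT:-8443}"        # custom Frontend -> Backend port
PROXY_AND_PERAPP="${PROXY_AND_PERAPP:-no}"  # yes = Proxy and Per-App together

# Print one "name host port" line per outbound flow the given role needs.
required_flows() {
    case "$1" in
        frontend|backend) ;;
        *) echo "usage: role must be frontend or backend" >&2; return 2 ;;
    esac
    echo "API $API_HOST 443"
    echo "AWCM $AWCM_HOST $AWCM_PORT"
    # Per the table, the separate Frontend -> Backend port is only required
    # when Proxy and Per-App Tunnel are both in use.
    if [ "$1" = frontend ] && [ "$PROXY_AND_PERAPP" = yes ]; then
        echo "Backend $BACKEND_HOST $CASCADE_PORT"
    fi
}

# TCP connect test via bash's /dev/tcp; succeeds only if the port accepts.
probe() {
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# Probe every required flow for the role; non-zero exit if any is blocked.
check_role() {
    flows=$(required_flows "$1") || return 2
    failed=0
    while read -r name host port; do
        if probe "$host" "$port"; then
            echo "OK    $1 -> $name ($host:$port)"
        else
            echo "FAIL  $1 -> $name ($host:$port)"
            failed=1
        fi
    done <<EOF
$flows
EOF
    return "$failed"
}

# Device -> Frontend (8443) is inbound and must be tested from a device network.
if [ "$#" -gt 0 ]; then check_role "$1"; fi
```

Pass the role as the only argument (`frontend` or `backend`) and override the defaults through the environment, for example `AWCM_PORT=2001` for an on-prem AWCM.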