EUC Zero Trust 2020 Transport Security

Securing Applications with Per APP VPN Tunnelling

Introduction

Workspace ONE Tunnel enables secure access for mobile workers and devices. Users have a simple experience and need not enable or interact with Tunnel, and IT organizations may take a least-privilege approach to enterprise access, ensuring only defined apps and domains have access to the network.

Tunnel provides industry-best security: it builds on TLS 1.2+ libraries, implements SSL pinning to prevent MITM attacks, and uses client certificate whitelisting to ensure identity integrity. Combined with explicit definitions of managed applications and integration with the Workspace ONE compliance engine, Tunnel can help customers attain Zero Trust goals for their workforce.

Prerequisites

Before you can perform the steps in this tutorial, you must install and configure the following components:

  • VMware Unified Access Gateway 3.9 with VMware Tunnel edge service configured
    • UAG 3.9 has been deployed. We will configure the Edge service
  • Workspace ONE UEM 1909 or later
    • Workspace ONE UEM has been deployed.
  • A device for the platform you plan to use (Windows 10, macOS, Android, or iOS)

Ensure the following settings are enabled in the Workspace ONE UEM Console:

  • Organization Group created and set as Customer Type
  • Device Root Certificate issued
  • VMware Tunnel configured

Part 1: Configuring VMware Tunnel Settings in the Unified Access Gateway UI

  1. On your ControlCenter2 server, open your Chrome browser and select the UAG-UEM shortcut.
    • In the UAG Admin Console login:
      • Enter admin for the username
      • Enter VMware1! for the password
      • Select Login
  2. Under Configure Manually, click the Select button
  3. Next to Edge Service Settings, select Show
    • Select the Gear icon next to Tunnel Settings
  4. In the Tunnel Settings window, next to Enable Tunnel Settings, change the setting from NO to YES
  5. Now that Tunnel Settings are enabled, we have a list of configurations to do. Enter the following next to:
    • API Server URL *: https://uem.euc-livefire.com
    • API Server Username *: admin_livefire
    • API Server Password *: VMware1!
    • Organization Group ID *: livefire
    • Tunnel Server Hostname *: uag-uem.euc-livefire.com
    • At the bottom of the Tunnel Settings window, expand More
  6. Find the Trusted Certificates section
    • To the right of Trusted Certificates, click the + icon
    • Click the Select button
  7. In the address bar, enter the following path: \\cs1-pd1.euc-livefire.com\software\certificates
    • In the Open Files window, change Custom Files (*.crt;*.cer) to All Files (*.*)
    • Select the wildcard.pem file and select Open
    • At the bottom of the Tunnel Settings window, select Save

Part 2: Configuring the VMware Tunnel Edge Service

  1. On your ControlCenter2 server, open your Chrome browser and select the Workspace ONE UEM shortcut in the Favourites Bar.
    • Under Username enter admin_livefire and select Next
    • Under Password enter VMware1! and select Log In
  2. In the Workspace ONE UEM Console:
    • Select Groups & Settings.
    • Select Configurations.
      • Please Note! When authoring these steps, I got a blank screen the first time I selected Configurations. I then re-selected Groups & Settings and selected Configurations a second time, and the page loaded.
  3. Under Configurations, in the Enter a name or category field, type Tunnel
    • When Tunnel shows under Configuration Name, select Tunnel
  4. Under Name, select Tunnel
  5. In the New Tunnel Configuration, add the following:
    • Next to Hostname enter uag-uem.euc-livefire.com
    • Next to Port enter 443
    • Select SAVE in the top left of the page
  6. In the Tunnel Configuration page, select TEST CONNECTION
    1. You should have two responses:
      • Console to AWCM
      • Tunnel to API
      • Status should read Success on both
      • If you don't get these messages, you might have to loop back to your UAG server and wait for the Edge Service Tunnel Settings to go green. I had to open and close, and refresh, for about 5 minutes before it took effect.
      • Go back to your Tunnel Configuration in Workspace ONE UEM and select TEST CONNECTION
    2. If your result matches the second screenshot, move on with the rest of the lab.
      • In a second round of testing, it seems that the per-app VPN does not fail even though we only get back one result.
  7. Revert back to your UAG Edge Service settings and select the refresh icon next to Active Sessions.
    • You will now notice you have a green light next to Tunnel Settings
      • Note! Sometimes it takes a while for this to show green. Move on and come back to check your status if necessary.

Part 3: Configuring Device Traffic Rules for Windows 10

  1. Log in to your Workspace ONE UEM console by selecting the UEM shortcut in your browser
    • Log in using the username admin_livefire and password VMware1!
    • Select Log In
  2. In the UEM Console, select GROUPS & SETTINGS
    • Select Configurations
  3. In the Configurations for Groups & Settings, scroll down until you find Tunnel
    • Select Tunnel
  4. In the Tunnel Configuration window, under Device Traffic Rules, select EDIT
  5. In Device Traffic Rules, select ADD WINDOWS OR MACOS APPLICATION
  6. In the Add Application window, we have to add the following information, next to:
    • Platform * (leave as default): Windows
    • Friendly Name *: type Livefire Chrome Tunnel
    • App Type * (leave as default): Desktop App
    • App Identifier *: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    • Select SAVE
  7. In the Device Traffic Rules window
    • Select ADD WINDOWS OR MACOS APPLICATION
  8. We will now add the Remote Desktop client. This allows end users to connect to Remote Desktop hosts located behind the corporate firewall.
    • In the Add Application window, we have to add the following information, next to:
    • Platform * (leave as default): Windows
    • Friendly Name *: type RDP
    • App Type * (leave as default): Desktop App
    • App Identifier *: type C:\Windows\System32\mstsc.exe
    • Select SAVE
  9. In the Device Traffic Rules window
    • Select ADD WINDOWS OR MACOS APPLICATION
  10. We now add support for tunnelling SMB traffic from the system, to allow users to map network shares and network printers. This allows end users to connect to file shares and printers that are located behind the corporate firewall. As the SMB protocol is built into the Windows operating system, the App Identifier is not an executable; instead you define System as the App Identifier.
    • In the Add Application window, we have to add the following information, next to:
    • Platform * (leave as default): Windows
    • Friendly Name *: type System
    • App Type * (leave as default): Desktop App
    • App Identifier *: type System
    • Select SAVE
  11. In the Device Traffic Rules window, change the default Action from Tunnel to BYPASS
  12. In the Device Traffic Rules window, select ADD DEVICE TRAFFIC RULE
  13. In the row of Rank 1, under Application, select the drop-down
    • Select the following checkboxes:
      • Livefire Chrome Tunnel
      • RDP - Livefire
      • System - Livefire
  14. Under Destination, enter the following:
    • rdsh-01a.euc-livefire.com
    • Select SAVE AND PUBLISH
    • In the Are you sure you want to continue? window, select OK
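The Device Traffic Rules built in this part are a small per-app routing policy: a set of managed applications, a ranked rule that maps (application, destination) pairs to an action, and a default action for managed traffic that matches no rule. The script below is an added illustration of that policy model, not VMware's code, and it assumes first-match-wins evaluation in rank order, case-insensitive destination and path matching, and that processes which are not defined as applications are simply never captured by Tunnel. It rebuilds the lab's rule set (three apps, default BYPASS, one rank-1 rule to rdsh-01a.euc-livefire.com) and evaluates a few flows against it; the firefox.exe path is a constructed example of an unmanaged process.

```python
"""Model of Workspace ONE Tunnel Device Traffic Rules for a Windows desktop.

Added illustration, not VMware's code. Assumptions (labelled):
- rules are evaluated in rank order and the first match wins;
- a rule matches when the requesting app is in its Application set AND the
  destination hostname is in its Destination list (case-insensitive);
- processes that are not defined as managed apps are never captured by
  Tunnel, so their traffic effectively goes direct;
- the App Identifier "System" stands for OS-originated traffic such as SMB.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TUNNEL = "TUNNEL"   # send the flow through Workspace ONE Tunnel
BYPASS = "BYPASS"   # let the flow go direct, outside the tunnel


@dataclass
class App:
    friendly_name: str
    identifier: str            # full path to the .exe, or "System"
    platform: str = "Windows"


@dataclass
class TrafficRule:
    rank: int
    apps: List[str]            # friendly names ticked in the rule's Application drop-down
    destinations: List[str]    # hostnames entered under Destination
    action: str                # TUNNEL or BYPASS


def _norm_path(path: str) -> str:
    # Windows paths are case-insensitive; tolerate forward slashes (assumption)
    return path.replace("/", "\\").strip().lower()


@dataclass
class DeviceTrafficRules:
    default_action: str
    apps: Dict[str, App] = field(default_factory=dict)
    rules: List[TrafficRule] = field(default_factory=list)

    def add_app(self, app: App) -> None:
        self.apps[app.friendly_name] = app

    def add_rule(self, rule: TrafficRule) -> None:
        if rule.action not in (TUNNEL, BYPASS):
            raise ValueError(f"unknown action {rule.action!r}")
        unknown = [a for a in rule.apps if a not in self.apps]
        if unknown:
            raise ValueError(f"rule {rule.rank} references undefined apps: {unknown}")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.rank)   # assumption: lower rank is evaluated first

    def app_for_process(self, identifier: str) -> Optional[App]:
        wanted = _norm_path(identifier)
        for app in self.apps.values():
            if _norm_path(app.identifier) == wanted:
                return app
        return None

    def evaluate(self, identifier: str, destination: str) -> Tuple[str, Optional[int]]:
        """Return (action, matching rank); rank is None when no rule matched."""
        app = self.app_for_process(identifier)
        if app is None:
            # Not a managed app: Tunnel never sees this traffic (assumption,
            # consistent with only defined apps having access to the network).
            return BYPASS, None
        dest = destination.strip().lower()
        for rule in self.rules:
            if app.friendly_name in rule.apps and dest in (d.lower() for d in rule.destinations):
                return rule.action, rule.rank
        return self.default_action, None


def lab_rules() -> DeviceTrafficRules:
    """The rule set built in Part 3: three managed apps, default BYPASS,
    one rank-1 rule tunnelling all three to rdsh-01a.euc-livefire.com."""
    dtr = DeviceTrafficRules(default_action=BYPASS)
    dtr.add_app(App("Livefire Chrome Tunnel",
                    r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"))
    dtr.add_app(App("RDP", r"C:\Windows\System32\mstsc.exe"))
    dtr.add_app(App("System", "System"))
    dtr.add_rule(TrafficRule(rank=1,
                             apps=["Livefire Chrome Tunnel", "RDP", "System"],
                             destinations=["rdsh-01a.euc-livefire.com"],
                             action=TUNNEL))
    return dtr


if __name__ == "__main__":
    dtr = lab_rules()
    chrome = r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
    for proc, host in [
        (chrome, "RDSH-01a.euc-livefire.com"),
        (r"C:\Windows\System32\mstsc.exe", "rdsh-01a.euc-livefire.com"),
        ("System", "rdsh-01a.euc-livefire.com"),
        (chrome, "www.example.com"),                          # managed app, no rule -> default
        (r"C:\Tools\firefox.exe", "rdsh-01a.euc-livefire.com"),  # constructed: unmanaged process
    ]:
        print(proc, "->", host, dtr.evaluate(proc, host))
```

The default action matters for the least-privilege claim in the introduction: with the default set to BYPASS (step 11), a managed app reaching any destination other than rdsh-01a.euc-livefire.com goes direct rather than into the corporate network, which is the behaviour the model reproduces for Chrome to www.example.com.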

Part 4: Enrolling a Windows 10 Device into Workspace ONE UEM

Introduction:

For the purpose of this lab, we will enroll a Windows 10 virtual machine that is configured to run on an external "Untrusted Network". The name of the virtual machine is W10EXT01a.

  1. On your ControlCenter2 Desktop
    • Open the Remote Desktops folder
    • Launch W10EXT01a.rdp (you should be logged in as User4 automatically)
  2. On your W10EXT01a Desktop
    • Select Start > Run
    • From the Run window, enter the following UNC path: \\cs1-pd1.euc-livefire.com\software\UEM
  3. On your W10EXT01a Desktop
    • Double-click the AirwatchAgent.msi file
      • Select Run > Next
      • Select the radio button next to I accept the terms of the License agreement, then select Next
      • Select Install
      • In the User Account Control window, in the Username area type administrator, in the Password area type VMware1!, then select Yes
      • Select Finish
  4. On your W10EXT01a Desktop
    • From the Start Menu, launch the Workspace ONE Intelligent Hub
    • Under the Email or Server Address area, type UEM.euc-livefire.com
    • Select Next
  5. On your W10EXT01a Desktop
    • Under Group ID enter Livefire, then select Next
  6. On your W10EXT01a Desktop
    • Under Username enter user4
    • Under Password enter VMware1!
    • Select Sign In
  7. On your W10EXT01a Desktop
    • In the Workspace ONE Intelligent Hub window select I Agree, then select Done

Part 5: Distributing the Workspace ONE Tunnel Application for Windows 10

  1. Log in to Workspace ONE UEM as admin_livefire with the password VMware1!
    • Select APPS & BOOKS > Native
    • Under Native, select Internal
  2. Under Internal, select + ADD APPLICATION
  3. In the Add Application window, select UPLOAD
  4. In the Add window, select the Choose File button
  5. Browse to \\cs1-pd1.euc-livefire.com\software\UEM\TunnelApp
    • Select the VMware Workspace ONE Tunnel 1.2.... APP
    • At the bottom of the window, select Open
  6. In the Add window, select SAVE
  7. In the Add Application window, select CONTINUE
  8. In the Edit Application - VMware Workspace ONE Tunnel 1.2 window
    • Select Files and scroll down to Uninstall Command *. Copy and paste the following into the box to the right of Uninstall Command *
      • VMware Workspace ONE Tunnel 1.2 for Win10_Desktop.exe /uninstall /Passive
  9. Select the Deployment Options tab. Scroll down to find the How To Install section.
    • Next to Install Command *, enter the following
      • VMware Workspace ONE Tunnel 1.2 for Win10_Desktop.exe /Install /Passive
    • Ensure Admin Privileges is set to YES.
    • Next to Device Restart, select User Engaged Restart.
  10. Scroll down to Installer Reboot Exit Code and enter 3010
    • Next to Installer Success Exit Code, enter 0
  11. In the When to Call Install Complete section, under DEFINING CRITERIA
    • Select + ADD
  12. In the Add Criteria window
    • Next to Criteria Type, select File Exists
    • Next to Path, enter C:\Program Files\VMware\Workspace ONE Tunnel\VMwareTunnel.exe
    • Select ADD.
  13. In the Edit Application - VMware Workspace ONE Tunnel 1.2 window
    • Select Images > Icon
    • Select the Click or drag files here area
  14. In the Open window, select the xxxxx.png file and select Open
  15. In the Edit Application window, select SAVE & ASSIGN
  16. In the VMware Workspace ONE Tunnel 1.2 for Win10 window
    • Select + ADD ASSIGNMENT
  17. Add the following:
    • Next to Select Assignment Groups, select Livefire (Livefire)
    • Next to App Delivery Method *, select AUTO
    • Select ADD
  18. Select the radio button next to Livefire
    • Select SAVE AND PUBLISH
  19. In Preview Assigned Devices, select PUBLISH

Part 6: Creating a Per-App VPN Profile for Windows 10

  1. In the Workspace ONE UEM inventory, select DEVICES > Profiles
  2. Under Profiles, select ADD
    • Select Add Profile
  3. In the Add Profile window, select Windows
  4. In the Select Device Type window, select Windows Desktop
  5. In the Select Context window, select Device Profile
  6. In the Add a New Windows Desktop Profile window, under General, configure the following next to:
    • Name *: type Per APP VPN
    • Smart Groups: select Livefire
  7. In the Add a New Windows Desktop Profile inventory, select VPN, then select CONFIGURE
  8. In the VPN window, configure the following next to:
    • Connection Name *: type Livefire Intranet VPN
    • Connection Type *: select Workspace ONE Tunnel
    • Server * (should already be configured)
    • Desktop Client: select ENABLE
  9. In the VPN window, next to Custom Configuration XML, enter the following:

      <CustomConfiguration><ServerCertSN>*.euc-livefire.com</ServerCertSN></CustomConfiguration>

    • Under Domain, select + ADD NEW DOMAIN and enter euc-livefire.com
    • Select SAVE AND PUBLISH
    • Select PUBLISH
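The introduction states that Tunnel pins the server's TLS identity to block MITM, and the profile above carries that expectation in the Custom Configuration XML as a ServerCertSN of *.euc-livefire.com. The script below is an added illustration of how such a check works; it is not VMware's code, and it assumes (the page does not say) that ServerCertSN is matched as a wildcard DNS name against the names the Tunnel server's certificate presents, using the strict RFC 6125 wildcard rules. It parses the lab's XML, then accepts uag-uem.euc-livefire.com and rejects constructed names from the wrong domain, with too many labels, or at the bare apex.

```python
"""Checking a server certificate name against the profile's ServerCertSN.

Added illustration, not VMware's code. Assumption: the <ServerCertSN> value in
the Custom Configuration XML is the expected name (optionally with a left-most
wildcard) of the Tunnel server's certificate, and a connection is refused when
no presented name matches it. Wildcard handling follows RFC 6125: '*' only as
the whole left-most label, covering exactly one label.
"""
import xml.etree.ElementTree as ET
from typing import Iterable


def parse_server_cert_sn(custom_xml: str) -> str:
    """Extract the ServerCertSN pattern from the Custom Configuration XML."""
    root = ET.fromstring(custom_xml)      # admin-authored XML from the profile
    if root.tag != "CustomConfiguration":
        raise ValueError(f"unexpected root element <{root.tag}>")
    value = root.findtext("ServerCertSN")
    if value is None or not value.strip():
        raise ValueError("ServerCertSN element missing or empty")
    return value.strip().lower()


def name_matches(pattern: str, name: str) -> bool:
    """True if a presented DNS name matches the pattern.

    Rules applied (strict):
    - comparison is case-insensitive;
    - '*' is only accepted as the entire left-most label ('*.example.com');
    - '*' covers exactly one label, so 'a.b.example.com' does not match;
    - the bare apex 'example.com' does not match '*.example.com';
    - patterns with too few labels after the wildcard ('*.com') are rejected.
    """
    pattern = pattern.strip().lower()
    name = name.strip().lower()
    if "*" not in pattern:
        return pattern == name
    if not pattern.startswith("*."):
        return False                     # 'uag*.example.com' style is not allowed
    suffix = pattern[1:]                 # ".euc-livefire.com"
    if suffix.count(".") < 2 or "*" in suffix:
        return False                     # refuse overly broad or malformed wildcards
    if not name.endswith(suffix):
        return False
    left = name[:-len(suffix)]           # the single label the '*' must cover
    return bool(left) and "." not in left and "*" not in left


def server_cert_accepted(custom_xml: str, presented_names: Iterable[str]) -> bool:
    """Apply the profile's ServerCertSN to the names a server certificate presents.

    In a real check the names come from the certificate's subjectAltName
    extension (falling back to the subject CN only for legacy certificates).
    """
    expected = parse_server_cert_sn(custom_xml)
    return any(name_matches(expected, n) for n in presented_names)


# The XML from the lab profile; the names below are constructed for the demo.
LAB_CUSTOM_XML = (
    "<CustomConfiguration> <ServerCertSN>*.euc-livefire.com</ServerCertSN>"
    "</CustomConfiguration>"
)

if __name__ == "__main__":
    for names in (["uag-uem.euc-livefire.com"],     # the lab's Tunnel server
                  ["UAG-UEM.EUC-LIVEFIRE.COM"],     # case differences are fine
                  ["evil.example.com"],             # constructed: wrong domain
                  ["a.b.euc-livefire.com"],         # constructed: too many labels
                  ["euc-livefire.com"]):            # constructed: bare apex
        print(names, "->", server_cert_accepted(LAB_CUSTOM_XML, names))
```

The strict wildcard rules are the point: a lax matcher that treated *.euc-livefire.com as "anything ending in euc-livefire.com" would accept a certificate for a.b.euc-livefire.com or for a host in a look-alike domain, which is exactly the substitution a pinning check exists to refuse.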

Part 7: Testing Per-App VPN Tunnelling with Windows 10

  1. In the Workspace ONE UEM console, select DEVICES > List View
    • Under List View, select the User4 Desktop Windows Desktop 10.0 device
  2. In the User4 Desktop Windows Desktop 10.0 window, select Apps
    • Notice the VMware Workspace ONE Tunnel App Status is Installed
  3. Switch to your W10EXT01a virtual machine. Use your W10EXT01a.RDP connection from the Remote Desktops folder on your ControlCenter server
    • Ensure you log in as [email protected] with the password VMware1!
    • Select the Start Menu and scroll down to Workspace ONE Tunnel under Recently added
  4. In the Workspace ONE Tunnel application, notice your Application Access configurations
    • We will now proceed with a test
  5. From the W10EXT01a Desktop, launch the Google Chrome browser
  6. In the Google Chrome address bar:
    • Enter http://rdsh-01a.euc-livefire.com and press Enter
      • You should now see the default IIS web services web page
  7. Select the Start button, right-click, select Run, and next to Open: type \\rdsh-01a.euc-livefire.com\c$
    • In the Windows Security window, in the Username area enter administrator and in the Password area enter VMware1!
    • Select OK
    • Notice that you are now leveraging the SMB-based functionality in VMware Workspace ONE Tunnel. SMB traffic, too, might be considered insecure; it has now been secured using VMware Workspace ONE Tunnel
  8. In the Run window next to Open:, delete the text from step 7, type mstsc.exe and select OK
  9. In the Remote Desktop Connection window, next to:
    • Computer: type rdsh-01a.euc-livefire.com
    • User name: type EUC-livefire\user4
    • Select Connect
  10. In the Enter your credentials window, enter VMware1! as the password
    • Select OK
  11. Notice you now have a secure tunnel with RDP.
  12. On your W10EXT01a Desktop, hold down the SHIFT key on your keyboard,
    • Select and right-click the Services shortcut
    • In the Username section type Administrator, and in the Password section type VMware1!
    • Select Yes
  13. Scroll down until you find the VMware Workspace ONE Tunnel Service, right-click it and select Stop
  14. Notice your RDP connection just got disconnected!
    • Refresh your Chrome browser and notice you are unable to reach your website on the RDSH-01a.euc-livefire.com server.
  15. In the Run window, next to Open: type \\rdsh-01a.euc-livefire.com\c$\
    • Notice SMB is no longer working to the RDSH-01a server
  16. Switch back to Services and select Start against the VMware Workspace ONE Tunnel service
  17. On the W10EXT01a desktop, perform the following:
    • Refresh your Chrome browser
    • Retest SMB to RDSH-01a.euc-livefire.com
    • Retest RDP to RDSH-01a.euc-livefire.com

This concludes this section in our series of labs, Securing the Transport, one of the pillars of Zero Trust, with Windows 10.

Acknowledgements

We would like to thank the VMware Tech Marketing Team for the use of their guidance in the creation of this content.

If you are interested in learning how to secure other platforms using the VMware Workspace ONE Tunnel, visit the following VMware TechZone page for further step-by-step guidance:

https://techzone.vmware.com/deploying-vmware-workspace-one-tunnel-vmware-workspace-one-operational-tutorial#1214601

About the author Reinhart Nel

https://www.dropbox.com/s/cf32s1ddeyt5zx4/Reinhart%20Nel.pdf?dl=0

For any questions related to this session, email Reinhart at [email protected]
