EUCEUC: Horizon Integrations 2020/21 Extra Value ADD MaterialSecuring Applications with Per APP VPN Tunnelling

Securing Applications with Per APP VPN Tunnelling

Introduction

Workspace ONE Tunnel enables secure access for mobile workers and devices. Users have a simple experience and need not enable or interact with Tunnel, and IT organization's may take a least-privilege approach to enterprise access, ensuring only defines apps and domains have access to the network.

Tunnel provides industry-best security and builds on TLS 1.2+ libraries, implements SSL Pinning to ensure no MITM attacks, and client certificate whitelisting, to ensure identity integrity. Combined with explicit definitions of managed applications and integration with Workspace ONE compliance engine, Tunnel can help customers attain Zero Trust goals for their workforce.

Prerequisites

Before you can perform the steps in this tutorial, you must install and configure the following components:

  • VMware Unified Access Gateway with VMware Tunnel edge service configured
    • UAG  has been deployed. We will configure the Edge service
      • Your UAG is on representative on-premises infrastructure and is UAG-UEM.euc-livefire.com.
        • It is on an NSX-T managed  172.16.20.x subnet. This subnet is representative of DMZ infrastructure
  • Workspace ONE UEM 1909 and later
    • You have a Workspace ONE UEM Tenant.
  • A device for the platform you plan to use (Windows 10, macOS, Android, or iOS)
    • You will be using the W10Ext01a virtual machine for testing purposes (This was enrolled to Workspace ONE UEM on Day1)
    • This virtual machine is on a VPN segment (172.16.30.x ) which is NSX-T managed and we will refer to it as External

Note! Due to constraints in VMware Firewall rules we are not able configure a client outside the training environment and W10EXT01a will represent this.

 

Part 1- Configuring VMware Tunnel Settings in the Unified Access Gateway UI

  1. On your ControlCenter server, open your Chrome Browser and select the UAG-UEM shortcut.
    • In the UAG Admin Console Login
      • Enter admin for username
      • Enter  VMware1! for password
      • Select Login
  1. Under Configure Manually
    • Click the Select button
  1. Next to Edge Service Settings
    • Select Show
    • Next to Tunnel Settings the Gear icon
  1. In the Tunnel Settings window, next to Enable Tunnel Settings, change the setting from NO to YES
  1. Now that Tunnel Settings are enabled, we have a list of configurations to do,  Use your Datasheet to get this information
    • Enter the following next to:
      • API Server URL * enter : https://dw-livefire.awmdm.com
      • API Server Username * enter : your custom UEM Admin account
      • API Server Password * enter : your custom UEM Admin password
      • Organization Group ID* enter :   your custom UEM Group ID
      • Tunnel Server Hostname *  enter uag-uem.euc-livefire.com
      • At the bottom of the Tunnel Settings window, expand More
  1. Find the Trusted Certificates, section
    • To the right of Trusted Certificates, click the + icon
    • Click the Select button
  1. In the address bar,
    • Enter the following path \\Horizon.euc-livefire.com\software\certificates\Euc-Livefire 2021
    • In Open Files window, change Custom Files (*.crt;*.cer) to All Files (*.*)
    • Select the _euc-livefire_com.pem file and select Open
    • At the bottom of the Tunnel Settings window select Save

Part 2: - Configuring the VMware Tunnel Edge Service

  1. On your ControlCenter server,
    • Open your Chrome browser
    • In the address bar type https://dw-livefire.awmdm.com .
    • Under Username enter your custom UEM username
    • Select Next
    • Under Password enter VMware1! and select Log In
  1. In the Workspace ONE UEM Console:
    • Select Groups & Settings.
    • Select Configurations.
  1. Under Configurations, in the Enter a name or category type Tunnel
    • When Tunnel shows under Configuration Name select Tunnel
  1. Under Name select Tunnel
  1. In the New Tunnel Configuration add the following:
    • Next to Hostname enter uag-uem.euc-livefire.com
    • Next to Port enter 443
    • Select SAVE in the top left of the page
  1. In the Tunnel Configuration page select TEST CONNECTION,
    • You should have two responses
      • Console to AWCM
      • Tunnel to API
      • Status should read Success on both, but if you see one, carry on with your labs, it can take a while for this to show
  1. Revert back to your UAG Console Edge Service settings and  select the refresh next to Active Sessions.
    • You will now notice you have a green light next to Tunnel Settings
      • Note! Sometimes it takes a while for this to show green. Move on and come back to check your status if necessary.

Part 3: Configuring Device Traffic Rules for Windows 10

  1. If necessary log in to your Workspace ONE UEM console
    • Log in using your custom username custom username and password custom password
    • Select Log In
  1. In the UEM Console,
    • Select GROUPS & SETTINGS,
    • Select Configurations
  1. In the Configurations for Groups & Settings, scroll down until you find Tunnel,
    • Select Tunnel
  1. In the Tunnel Configuration window under Device Traffic Rules select EDIT
  1. Under Manage Traffic Assignments
    • Select ADD
  • Select MANAGE APPLICATIONS
    • In Manage Applications window
      • Select ADD
  1. In the Add Applicationwindow we have to add the following information, next to:-
    • Platform * (Leave as default) Windows
    • Friendly Name * type Livefire Chrome Tunnel
    • App Type * select  Desktop App 
    • App Identifier *  C:\Program Files\Google\Chrome\Application\chrome.exe
    • Select SAVE
  1. In the Manage Applications window
    • Select ADD
  1. We will now add the Remote Desktop client. This allows end users to connect to Remote Desktop Hosts located behind the corporate firewall.
    • In the Add Application window we have to add the following information, next to:-
      • Platform * (Leave as default) Windows
      • Friendly Name * type RDP
      • App Type * (Leave as default) Desktop App
      • App Identifier * type:  C:\Windows\System32\mstsc.exe
      • Select SAVE
  1. In the Manage Applications  window
    • Select ADD
  1. We add support for tunneling SMB traffic from system to allow users to map network shares and network printers. This allows end users to connect to file shares and printers that are located behind the corporate firewall. As the SMB protocol built into the Windows Operating system, the App Identifier is not a executable, instead you defined System as the App Identifier.

In the Add Application window we have to add the following information, next to:-

  • Platform * (Leave as default) Windows
  • Friendly Name * type System
  • App Type * (Leave as default) Desktop App
  • App Identifier * type:  System
  • Select SAVE
  1. In the Manage Applications window,
    • Select CANCEL
  1. In the Device Traffic Rules window,
    • Under Assignment Name
      • Type Livefire Tunnel
    • Select ADD RULE
  1. In the row of Rank 1 under Application
    • Select the drop-down
      • Select the following checkboxes
        • Livefire Chrome Tunnel
        • RDP - Livefire
        • System - Livefire
  1. Under Destination enter the following:-
    • Type: rdsh-01a.euc-livefire.com
      • Select SAVE
        • In the Are you sure you want to continue? window
          • select OK
  1. In the Manage Traffic Assignments window
    • Select CLOSE

Part 4: Distributing Workspace ONE Tunnel Application, for Windows 10

The Goal of the first few steps is to Identify the Windows Desktop W10EXT01a

  1. On your ControlCenter server
    • Log in to Workspace ONE UEM with your custom credentials
    • Select Devices > List View
    • Select the equivalent of your xxxx Desktop Windows Desktop 10.0.18363 1 8c
    • Under Device Info, confirm that the computer name is W10EXT01a
      • Once validated, make a note of the computer Device Enrollment under List View. In this example its
        • Mark Desktop Windows Desktop 10.0.18363 1 8c
  1. In the Workspace ONE UEM admin console
    • Select GROUPS & SETTINGS > Groups > Assignment Groups
  1. In the Assignment Groups window
    • Select ADD SMART GROUP

 

  1. In the Create New Smart Group window
    • Add the following, next to:
      • Name: W10EXT01a
  1. Next to Choose type
    • Select DEVICES OR USERS
      • Under Devices, in the box , select your  eg Mark Windows Desktop (for W10EXT01a)
        • (The example in the screenshot is what this test environment looks like, ensure you are select yours)
      • Select ADD
    • To the right of the window,
      • Next to Device Preview, select ENABLED
    • Select SAVE
  1. On your ControlCenter server
    • If necessary Login https://dw-livefire.awmdm.com
      • with your custom username and password
    • Select APPS & BOOKS > Native
    • Under Native, select Internal
  1. Under Internal
    • Select the dropdown next to ADD
    • Select Application File
  1. In the Add Application window,
    • Select UPLOAD
  1. In the Add window select the Choose File button
  1. In the File upload window
    • Browse to \\horizon.euc-livefire.com\software\UEM\TunnelApp
    • Select the VMwareTunnelInstaller_2.1.2.exe APP
    • At the bottom of the window select Open
  1. In the Add window ,
    • Select SAVE
  1. In the Add Application window,
    • Select CONTINUE
  1. In the Edit Application - VMwareTunnelInstaller_2.1.2.exe  window
    • In the Details tab
      • Next to Supported Architecture, change it from 32-bit to 64-bit
    • Select the  Files  tab
      • Scroll down to Unistall Command *  ,
      • Copy and paste the following box to the right of Uninstall Command *
        • VMwareTunnelInstaller_2.1.2.exe /uninstall /Passive
  1. Select the Deployment Options Tab.
    • Scroll down to find the How To Install section.
    • Next to Install Command *, enter the following
      • VMwareTunnelInstaller_2.1.2.exe  /Install /Passive
    • Ensure Admin Privileges is set to YES.
    • Next to Device Restart , from the dropdown,  select User Engaged Restart.
  1. In the Deployment Options Tab.
    • Scroll down to  and next to
      • Installer Reboot Exit Code, enter 3010
      • Installer Success Exit Code, enter 0
  1. In the Deployment Options Tab.
    • Scroll further down
      • In the When to Call Install Complete section, under DEFINING CRITERIA
    • Select + ADD
  1. In the Add Criteria window
    • Next to Criteria Type select File Exists
    • Next to Path, enter C:\Program Files\VMware\Workspace ONE Tunnel\VMwareTunnel.exe
    • Select ADD.
  1. In the Edit Application - VMwareTunnelInstaller_2.1.2.exe  window
    • Select Images  tab
    • Select the  Icon tab
    • Select Click or drag files here area
  1. In the Open window,
    • Select the xxxxx.png file
    • Select Open
  1. In the Edit Application window
    • Select SAVE & ASSIGN
  1. In the VMwareTunnelInstaller_2.1.2.exe - Assignment window
    • Under Distribution enter and configure the following next to
      • Name: VMware Tunnel
      • Assignment Groups : select W10EXT01a
      • Deployment begins : Enter a time about 5 minutes ahead of your time. (Note the time is in Eastern Time)
      • App Delivery Method :  Select the Auto radio button
      • Select CREATE
  1. On the VMwareTunnelInstaller_2.1.1.exe - Assignment window
    • Select SAVE
    • On the VMwareTunnelInstaller_2.0.4.exe - Assignment Devices window
    • Select PUBLISH

Part 5: Creating Per-App VPN Profile for Windows 10

  1. In Workspace ONE UEM inventory
    • Select DEVICES > Profile & Resources
    • Select Profiles
  1. Under Profiles
    • Select ADD
    • Select Add Profile
  1. In the Add Profile window
    • Select Windows
  1. In the Select Device Type window
    • Select Windows Desktop
  1. In Select Context window
    • Select Device Profile
  1. In the Add  Profile window,
    • Under General, configure the following next to:
      • Name * type Per APP VPN
      • Smart Groups select your Custom org
  1. In the Add  Profile  window inventory ,
    • Select VPN ,
      • Select CONFIGURE
  1. In the VPN window, configure the following next to:-
    • Connection Name * type, Livefire Intranet vPN
    • Connection Type * select , Workspace ONE Tunnel
    • Device Traffic Rule Sets : Livefire Tunnel
    • Server * (should already be configured)
    • Desktop Client, ensure ENABLE is selected
  1. In the VPN window, next to:
    • Custom Configuration XML, enter the following
      • <CustomConfiguration> <ServerCertSN>*.euc-livefire.com</ServerCertSN></CustomConfiguration>
    • Under Domain,
      • Select + ADD NEW DOMAIN , enter euc-livefire.com
    • Select SAVE AND PUBLISH
    • Select PUBLISH

Part 6:  Testing Per APP VPN Tunneling with Windows 10

  1. In the Workspace ONE UEM console
    • Select DEVICES > List View
    • Under List View,
      • Select  Your. Windows Desktop 10.0.1863 (W10EXT01a enrolled device)
  1. In the Mark VMware7,1. Windows Desktop 10.0.1863 window,
    • To the right under Device Info, ensure you are looking at W10EXT01A, (if not select the other windows 10 profile)
    • Select Apps
    • Notice the VMware Workspace ONE Tunnel App Status is Installed
      • If it is not installed
        • Select the radio button next to VMwareTunnelInstaller_2.1.2.exe
        • Select INSTALL
  1. Switch to your W10EXT01a virtual machine.
    • Select the Start Menu and scroll down to Workspace ONE Tunnel under Recently added
      • Note
  1. In the Workspace ONE Tunnel application notice your Application Access configurations
    • We will now proceed with a test
  1. From the w10EXT01a Desktop launch the Google Chrome browser
  1. In the Google Chrome Address bar.
    • Enter http://rdsh-01a.euc-livefire.com and select Enter
      • You should now see the default IIS web services web page
  1. On the W10Ext01a Desktop
    • Select the Start button, right-click, select Run,
    • Next to Open: type \\rdsh-01a.euc-livefire.com\corpdocs
    • Select OK
    • Notice that you are now leveraging the SMB based functionality in VMware Workspace ONE Tunnel. This too might considered in-secure, this has now been secured using VMware Workspace ONE Tunnel
  1. In the Run window next to Open: delete the text from step 7,  type mstsc.exe and select OK
  1. In the Remote Desktop Connection window, next to
    • Computer: type rdsh-01a.euc-livefire.com
    • User name: type EUC-livefire\administrator
    • Select Connect
  1. In the Enter your credentials enter VMware1! as the password
    • Select OK
  1. Notice you have now have a secure tunnel with RDP.
  1. On your W10EXT01a Desktop,
    • In the Type here to Search area enter services.msc
    • Under the Services shortcut, select Open
    • Select Yes
  1. In the Services MMC
    1. Scroll down until you find the VMware Workspace ONE Tunnel Service ,
    2. select > right click and select Stop
  1. Notice your RDP  connection just got disconnected!
    • Refresh your Chrome browser and notice you are unable to reach your website on the RDSH-01a.euc-livefire.com server.
  1. In the Run window, next to Open: type \\rdsh-01a.euc-livefire.com\c$\
    • Notice SMB is no longer working to the RDSH-01a server
  1. Switch back to Services and select Start against the VMware Workspace ONE Tunnel service
  1. On the W10EXT01a desktop, perform the following
    • Refresh your chrome browser
    • Retest SMB to RDSH-01a.euc-livefire.com
    • Retest RDP to RDSH-01a.euc-livefire.com

This Concludes this section in our Series of labs Securing the Transport as one of the pillars in Zero-Trust with Windows 10

Acknowledgements

We would like to thank the VMware Tech Marketing Team for the use of their guidance in the creation this content

We would like to thank Mark Benson from the EUC CTO Office for his support and content

If you were interested in learning how to secure other Platforms using the VMware Workspace ONE Tunnel, visit the following VMware TechZone page for further step-by-step Guidance

https://techzone.vmware.com/deploying-vmware-workspace-one-tunnel-vmware-workspace-one-operational-tutorial#1214601

About the author Reinhart Nel

https://www.livefire.solutions/meet-the-team/reinhartnel/

For any questions related to this session, email Reinhart at [email protected]>

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.