Workspace One UEM Architecture

by | Apr 12, 2022 | MDM, VMware Workspace ONE

Home » MDM » VMware Workspace ONE » Workspace One UEM Architecture

Workspace One UEM Architecture is a framework that provides guidance on the deployment of Workspace ONE architecture, design considerations and carries out functions for policy enforcement regarding device compliance, a mobile application catalogue, device enrollment, a mobile application catalogue, and integration with key enterprise services, such as content, social media, and email.


With the development in cloud technology, increased capabilities in personal devices, and Bring Your Own Device(BYOD) policy, employees are using personal devices to perform corporate tasks. These personal devices are not secured, and corporate servers are accessed through local networks. This has led to the growth of Enterprise Mobility Management(EMM) solutions, allowing the admin to centrally and remotely manage, secure, and control all onboarded endpoint devices.

Workspace One is an Enterprise Mobility Management(EMM) solution that unifies all endpoint devices onto a single platform through Unified Endpoint Management(UEM) and offers Mobile Device Management(MDM) and Mobile Application Management(MAM) capabilities. The enterprise IT team can remotely secure, manage, and control endpoint devices.

Workspace One UEM Architecture

Workspace One UEM Architecture is a framework that provides guidance on the deployment of Workspace ONE architecture, design considerations and carries out functions for policy enforcement regarding device compliance, a mobile application catalogue, device enrollment, a mobile application catalogue, and integration with key enterprise services, such as content, social media, and email. Wherever, whenever, and from whatever device the users choose, frictionless and secure access to all the apps and data employees need to work is provided by VMware Workspace ONE, which combines identity and mobility management. An on-premises or a cloud-based (SaaS) model. The on-premise model can onboard up to 50000 devices which allow for additional growth over time without a redesign. The cloud-based model can be scaled seamlessly. Features of Workspace One Unified Endpoint Management(UEM) are:

  • Device Management Platform: On a wide variety of devices, including tablets, Windows 10, phones, and rugged and special-purpose devices, full lifecycle management is allowed.
  • Application Deployment Capabilities: Self-service application access or automatic deployment is provided for employees.
  • User and device profile services: For users and devices, the following configuration settings are ensured:
    • Enterprise security requirements are complied with.
    • End-user access to applications for employees is simplified.
  • Productivity Tools: A content management tool for securely storing and managing content, an email client with secure email functionality, and a web browser to ensure secure access to corporate information and tools are provided.

Workspace ONE UEM Integration Components

The Workspace ONE UEM software is implemented as a service (SaaS) with a cloud-based implementation. Internal resources such as a Certificate Authority or Active Directory can be synchronized with Workspace ONE, a separate cloud connector, which can be carried out using an AirWatch Cloud Connector is used. In an outbound-only connection mode, the separate connector can run within the internal network, implying no incoming connections are received by the connector from the DMZ. Implementation usually consists of the following two parts:

  • UEM tenant by Workspace ONE
  • Cloud Connector by VMware AirWatch

Components of Workspace One UEM:

  • Workspace ONE UEM Console: An Administration console for configuring policies within Workspace ONE UEM is provided to monitor and manage devices and the environment. Managed for the admin as a part of the SaaS offering, and this service is hosted in the cloud.
  • Workspace ONE UEM Device Services: or services that communicate with managed devices
  • for services that communicate with managed devices
  • Workspace ONE UEM relies on this component:
    • Workspace ONE UEM self-service catalogue is hosted
    • Device commands are delivered, and device data is received.
    • Provisioning for applications
    • Devices are enrolled.
  • APIs Endpoint: Allow external programs to use the core product functionality with a collection of RESTful APIs provided by Workspace ONE UEM by integrating the APIs with existing IT infrastructures and third-party applications. Various Workspace ONE UEM services, such as data gathering for interactions and Secure Email Gateway, also use Workspace ONE APIs. This service for the admin is offered as a part of the SaaS.
  • AWCM One Cloud Connector: The component that uses an on-premises resource such as Active Directory or a trusted Certificate Authority to perform directory sync and authentication. This service can be configured for automatic updates, and this service is hosted in the internal network in outbound-only mode.
  • Airwatch Cloud Messaging: Provides secure communication to your backend systems and works in conjunction with the Workspace Cloud Connector. To connect with the Workspace ONE UEM Console, AWCM is used by AirWatch Cloud Connector. By eliminating the need for end-users to access the public Internet or utilize consumer accounts, such as Google IDs, AWCM also streamlines the delivery of messages and commands from the Workspace ONE UEM Console. The only way for providing mobile device management (MDM) capabilities for Windows rugged devices is AWCM which serves as a comprehensive substitute for Google Cloud Messaging (GCM) for Android devices. AWCM is used for real-time notifications by Windows desktop devices that use the VMware Workspace ONE Intelligent Hub. This service is managed by the admin as a part of the SaaS offering and is hosted in the cloud.
  • VMWare Tunnel: For individual applications to access corporate resources hosted in the internal network, the VMWare Tunnel provides a secure and effective method. A unique X.509 certificate (Workspace ONE delivers it) is used by VMWare Tunnel to encrypt and authenticate traffic from applications to the tunnel. Proxy and Per-App VPN are the two components of the VMWare tunnel. The Proxy component is responsible for protecting traffic from endpoint devices to internal resources with enterprise apps that leverage the Workspace ONE SDK and through the VMware Workspace ONE® Web app. For managed applications on iOS, Android, macOS and Windows devices, the Per-App Tunnel component enables application-level tunnelling (as opposed to full device-level tunnelling).

Workspace One Directory Services Integration

To provide directory-based account access and to integrate the organization’s existing directory service – such as Active Directory, Lotus Domino, and Novell e-Director with the Workspace ONE UEM Powered by AirWatch, Workspace One Directory Services Integration is used. Enrol devices using their existing directory service credentials, and this type of account access lets users authenticate with Workspace ONE UEM apps. There is no need to create basic user accounts in the organization by integrating with directory services. By applying the information they already know, the enrollment process for end-users is simplified with such integration. Any changes within the system are detected by Ongoing LDAP synchronization. Necessary updates are updated across all devices for affected users during this synchronization. This synchronization obtains approval in cases where administrative approval is required before changes occur. Check against existing directory users, and also migrate Basic Users to LDAP Users.

Benefits of Workspace One Directory Services Integration

Following are the benefits of integrating Workspace ONE UEM with the directory service:

  • For both users and administrators, conduct enrollment
  • Directory groups can be mapped to Workspace ONE UEM user groups.
  • UEM console access can be controlled.
  • For VMware Content Locker access, apply existing credentials.
  • By user group, assign apps, profiles, and policies.
  • When they go inactive, automatically retire end users

Workspace One Certificate Authority Integration

System integrators, managed service providers, IT consultants, hosting providers, and others are enabled with a Certificate Authority to expand enterprise business by offering data security in addition to their products and services.

Conventionally, companies have believed that working with a CA is too time-consuming and difficult. There are ways to conduct SSL transactions by using open source implementations, but there are some security risks associated with this practice. However, providing tools and platforms that simplify certificate management for direct customers and partners working with the right publicly trusted CA will actually save time and reduce burdens. Partnering with a CA also relieves the burden of worrying about compliance, technicalities, or security issues, or maintaining a private CA, in addition to is beneficial for closing business deals. The right CA offers time, resources, and expertise that business partners may otherwise expend while maintaining a private CA. Platforms and tools already available additionally benefit partners to simplify SSL Certificate lifecycle management for their own clients.

Integrate your certificate authority with VMware Workspace ONE UEM Powered by AirWatch to help protect your infrastructure from brute force attacks, dictionary attacks, and employee error and increase stability, security, and authentication.

Workspace One UEM Console Email SMTP Integration

Many organizations are shifting to cloud-based email services(Google Apps, Office 365), and fewer email control options are provided than the on-premises models the enterprise has worked within the recent past. . Previously, the Secure Email Gateway (SEG) would have handled many aspects of secured email delivery to devices and would have been deployed inside a corporate firewall. In present times somewhat less control over email delivery and compliance is offered, although modern methods such as direct PowerShell integration to an Exchange Server or Office 365 offer simpler connectivity. The flexibility of choice is offered by Workspace One in matters of devices and email clients. Due to a lack of control of what happens to email messages after they reach a device, although this allows users to choose the client they prefer, it also opens the enterprise up to potential data leakage. Workspace One supports multiple methods of connecting email infrastructure to devices in order to address these considerations.

Connectivity models are described in the following section with their advantages and disadvantages.

Secure Email Gateway Proxy Model

A different server called the Secure Email Gateway (SEG) Proxy server is installed in line with the enterprise’s existing email server to proxy all email traffic going to mobile devices. Allow or block decisions based on the settings defined in the AirWatch Admin Console made by the SEG Proxy server for every mobile device it manages. Traffic from only approved devices is relayed to the SEG Proxy server. By prohibiting any devices from directly communicating with it, this relay protects the corporate email server. Every single communication request to the corporate email server is filtered by the SEG Proxy server instead.

The deployment model Proxy model with configuration mode Secure Email Gateway (proxy) for mail infrastructures Novel GroupWise (with EAS)Google Apps for Work Microsoft Exchange 2010, 2013, 2016IBM Domino with Lotus Notes. Additional configuration for the SEG proxy model is required for Office 365.


  • Hyperlink transformation
  • Real-time compliance
  • Attachment encryption


  • To prevent end-users from directly connecting to Office 365 (around SEG), ADFS must be configured. Additional servers are required.
  • For every on-premises email infrastructure with deployments of greater than 100,000 devices, AirWatch recommends using the Secure Email Gateway (SEG).

Direct Powershell Model

A PowerShell administrator role is adapted by Workspace, and commands are issued to the Exchange ActiveSync (EAS) infrastructure in the PowerShell mode to allow or deny email access based on the policies defined in the Workspace One Admin Console. The installation process is simpler, and PowerShell deployments do not require a separate email proxy server.

The deployment model Direct model with configuration mode PowerShell model for mail infrastructures Microsoft Office 365, Microsoft Exchange 2010, 2013, 2016.

The deployment model Direct model with configuration mode Google model for mail infrastructures Google Apps for Work. With cloud-based email servers, AirWatch recommends the Direct model of integration.


Before being routed to Office 365, Mail traffic is not routed to on-premises servers, so AFS is not required. For email management, no additional on-premises servers are required.


  • Real-time compliance sync is not required.
  • This deployment is not recommended for larger deployments (greater than 100,000 devices).
  • AirWatch Inbox must be used in AirWatch Content Locker and AirWatch Browser to containerise attachments and hyperlinks.
  • PowerShell is another option for email management for deployments of less than 100,000 devices or cloud-based email. The PowerShell model will be utilized, and the AirWatch Inbox will be used for mail because this design includes Office 365-based email. This provides the best protection available against data leakage of corporate information while this decision limits employee choice of mail client and removes native email access in the mobile productivity service.

SMTP (Email) server settings in the Workspace ONE UEM Console Configuration

In the Workspace ONE console or the enrollment emails for notification emails to be sent to the respective user accounts for on-premise Workspace ONE environments, an email (SMTP) server must be configured. Unless the admin has an AirWatch Cloud Connector (ACC) configured, no further action is required for SaaS environments to leverage the Workspace ONE SMTP server by default. No emails can be sent from the Workspace ONE Console If these settings have been incorrectly configured or not configured at all, and Workspace ONE Autodiscovery enrollment cannot be configured.

For on-premise environments, configure the Email SMTP server:

  1. Go to Groups & Settings, navigate to All Settings, click on Systems, select Enterprise Integration, and click on Email (SMTP).
  2. The Email SMTP settings have to be entered. All SMTP emails will be sent through the ACC server if ACC is being used.
  3. For SaaS environments, navigate to the Cloud Connector and click on Advanced settings, unless the admin is leveraging an internal SMTP server, and disable the SMTP (Email Relay) option.
  4. Disable the SMTP (Email Relay) option for an on-premise environment, and SMTP messages are not sent through ACC.

VMware AirWatch Secure Email Gateway

VMware AirWatch Mobile Email Management (MEM) functionalities are enabled by the Workspace ONE UEM Powered by AirWatchSecure Email Gateway V2 (SEG V2) and helps to protect enterprise mail infrastructure. Install the SEG and the existing email server to relay all ActiveSync email traffic to Workspace ONE UEM-enrolled devices. The SEG filters all communication requests from individual devices that connect to SEG based on the settings defined in the Workspace ONE UEM console.

By restricting access depending on the device status, Email policies enhance security and general mail client characteristics.

Note: On Windows Phone, mail client compliance is not supported. For SEGV2 architecture, the Sync Settings policy is not applicable.

General Email Policies

in the following table, the general email policies used to restrict email access to devices are described:

  • Sync Settings: Specific EAS folders and devices are prevented from syncing. Unlike other compliance policies, Workspace ONE UEM prevents devices from syncing with the selected folders. For the policy to take effect, republish the EAS profile to the devices, and devices are forced to re-sync with the email server.
  • Managed Device: Email access is restricted only to managed devices.
  • Mail Client: Email access is restricted to a set of mail clients.
  • User: Email access is restricted to a set of users based on the email user name.
  • EAS Device Type: Allow or block devices based on the EAS Device Type. As reported by the end-user device, the attribute is typed.

Managed Device Policies

The managed device policies that limit email access to devices are listed in the following section, depending on factors such as device status, model, and operating system.

  • Inactivity: Inactive and managed devices are prevented from accessing email. Before email access is disabled, specify the number of days a device shows up as inactive. The maximum accepted value is 32767, and the minimum accepted value is 1.
  • Device Compromised: Compromised devices are prevented from accessing email. This policy does not block email access for devices that have not communicated compromised status to VMware AirWatch.
  • Encryption: Email access for unencrypted devices is prevented. Devices that have communicated data protection status to VMware AirWatch only are eligible for this policy.
  • Model: Based on the platform and model of the device. Email access is restricted.
  • Operating Systems: For specific platforms, email access to a set of operating systems is restricted.
  • Active Sync Profile Requirement: Devices with no email management is managed through an Exchange ActiveSync profile, email access is restricted.

Email Security Policies

For devices accessing attachments and hyperlinks, the email security policies that take actions against these devices are described in the following section:

  • Email Security Classification: Emails with or without security tags can be acted on by defining actions for SEG. Either predefined tags or created own tags can be used. Based on these tags, enable restricted access to VMware AirWatch Inbox and Workspace ONE Boxer, and define the default behaviour for other email clients by either allowing or blocking mails. Replace the email contents using a helpful message with the available templates configured at Message Template settings in cases of blocking the mail. These configured templates can be selected from the Select Message Template drop-down menu. For the Block Email message template, lookup values are not supported.
  • Attachments (managed devices): In reference to selected file type, encrypt email attachments using an encryption key unique to the device-user combination. On the VMware AirWatch Content Locker, these attachments are secured on the device and are only available for viewing and only possible on Windows Phone managed iOS and Android devices with the VMware AirWatch Content Locker application. Either block attachments, allow encrypted attachments or allow unencrypted attachments for other managed devices.
  • Attachments (unmanaged devices): For unmanaged devices, allow encrypted attachments, block attachments, or unencrypted attachments. Attachments are encrypted for unmanaged devices to protect against data loss and maintain email integrity. In VMware AirWatch Content Locker, the attachments of unmanaged devices cannot be opened.
  • Hyperlink: Within an email, allow device users to open hyperlinks contained, with Airwatch Browser present on the device. To open in Airwatch Browser, the Secure Email Gateway dynamically modifies the hyperlink. All, Include, and Exclude are the modification types:
    • All: Open all the hyperlinks with Airwatch Browser is authorized.
    • Include: Open only the hyperlinks through the Airwatch Browse is authorized to users. Only customize hyperlinks for these domains field, and mention the included domains. The domain names can be bulk uploaded from a .csv file as well.
    • Exclude: The mentioned excluded domains through the Airwatch Browser do not allow the device users to open. Modify all hyperlinks, and mention the excluded domains, except for these domains field. The domain names from a .csv file can be bulk uploaded as well.

Activate Email Compliance Policy

To restrict email access to non-compliant, unmanaged, unencrypted, or inactive devices, Email compliance policies are used.

  1. Go to email, and click on Compliance Policies on the UEM console. Under the Active column, by default, the policies are disabled and are denoted by red colour.
  2. Select the grey button under the Active column to activate the compliance policy. Additional pages appear where the admin can specify their choices, depending on the email policy that they want to activate.
  3. Click on Save.

Under the Active column, the policy is activated and is denoted by green colour.

Under the Actions column, use the edit policy icon to allow or block a policy.

Email Dashboard

In the email, traffic gains visibility and monitors the devices with the Email Dashboard. The status of the devices linked to the email traffic is provided by Email Dashboard with a real-time summary. By navigating to email and clicking on Dashboard, access the Dashboard. Access the ListView page from the Email Dashboard, which allows the admin to:

  • Allow or deny access to email respectively by whitelisting or blacklisting a device.
  • View compliant, non-compliant, blocked, managed, unmanaged, or allowed devices.
  • Device details such as Phone Number, IMEI, IP address, OS, Model, and Platform can be viewed.

Use the available graphs to filter the search from the Email Dashboard. For instance, Select the Managed Devices graph to display the results to view all the managed devices of that organization group from the ListView screen.

List View

View all the real-time updates, with the ListView page on the UEM console, of the end-user devices that the admin manages with VMware AirWatch Mobile Email Management (MEM). The features of ListView are:

  • View the device or user-specific information by toggling between the Device and User tabs.
  • Using the Filter option, search and narrow down a device.
  • Based on the admin requirement, by changing the layout to either view the summary, user information or the detailed list of the device.
  • Multiple actions such as sync mailboxes or run compliance on the device can be executed.

Device and User details

On the List View page, switch between the Device and User tabs to view the information about the device and user. The option to show the information as a summary or as a detailed list is provided in the Layout drop-down menu.

  • Last Request: The last time a device synced mail-in SEG integration is shown by this column.
  • User: Name of the user account.
  • Friendly Name: Device Friendly Name is provided.
  • MEM Config: The configured MEM deployment managing the device is provided.
  • Email Address: The user account email address is provided.
  • Identifier: The unique alpha-numeric identification code used to identify a device is provided.
  • Mail Client: Syncing the emails on the device with Mail Client.
  • Last Command: the Last Request column is populated, and the Command triggers the last state change of the device.
  • Last Gateway Server: The device connected to the last server.
  • Status: Whether the email is blocked or allowed on it as per the defined policy and the real-time status of the device.
  • Reason: Allowing or blocking email on a device and providing a reason code for the same. Only in the case when the access state of the email is altered by an entity other than AirWatch (for example, an external administrator, the reason code displays Global and Individual.
  • EASDevice Type, IP Address, Platform, Model, OS, IMEI: The device information is displayed in these fields.
  • Mailbox Identity: In the Active Directory, the location of the user mailbox.

Note: When an EAS profile is pushed for other email clients or if, during the period of enrollment, a native email client is previously configured on the user device, an iOS device shows a mailbox record in the Email Dashboard. on the enrolled device when the email clients are installed or when a device enrols an Android device shows mailbox record except AirWatch Inbox.

Filters for Quick Search

Narrow the device search based on the Filter option:

  • Last Seen: All, less than 2 hours, 6 hours, 12 hours, and 24 hours.
  • Managed: Managed, unmanaged, and all devices.
  • Allowed: Allowed, blocked, or all devices.
  • Policy Override: Default, whitelisted, blacklisted, All devices are displayed
  • Policy violation: Unapproved EASDevice Type/Email Account/Mail Client/Model/OS, Not data Protected/Enrolled/MDM Compliant, Compromised, Device Inactive devices.
  • MEM Config: Filter devices are shown based on the configured MEM deployments.

Perform Actions:

Under the drop-down menu, the Override, Actions, and the Administration provides a single location to perform multiple actions on the device. Once these actions are performed, they cannot be undone.

  • Override: To perform actions on it, select the check box corresponding to a device.
    • Whitelist: A device is allowed to receive emails.
    • Blacklist: A device is blocked from receiving mail.
    • Default: Based on whether the device is compliant or non-compliant, allows or blocks a device.
  • Actions:
    • Run compliance: For the selected MEM configuration, triggers the compliance engine to run.
    • Enable test mode: Without applying them on devices, test email policies. View a message showing Test Mode Enabled on the ListView screen once enabled. The compliance engine does not need to run for the enabling /disabling Test Mode.
  • Administration:
    • Dx Mode on For the selected user mailbox, run the diagnostic.
    • Dx Mode off: Turn off the diagnostic for the selected user mailbox.
    • Update Encryption Key: Re-syncs the emails for the selected devices and resets the encryption.
    • Delete Unmanaged Devices: From the Dashboard, deletes the selected unmanaged device record. After the next sync, this record may reappear.

Configure and Deploy Email Profile

Exchange ActiveSync (EAS) is a communication protocol designed for email, calendar, and contacts synchronization between mobile devices and email servers. The devices fetch the mails through the SEG server instead of the EAS server by configuring the EAS profile on the UEM console.

  1. On the UEM console, go to the Devices, navigate to Profiles & Resources, select Profiles, and select Add to create a new profile.
  2. Choose Device Platform: Create a similar profile for each platform if the admin leverages the SEG for multiple device operating systems.
    1. The General tab section provides the information about the profile, and the profile has to be assigned to the applicable organization groups and smart groups. The assignment type should be kept as Auto or Optional.
    2. Click on configure under the Exchange ActiveSync. To access corporate mail through the SEG, configure the following parameters:
    3. From the drop-down menu, select the Mail Client that your organization intends for end-users to utilize. The users have to install the Lotus Notes manually for Android Hub 4.2 and above.
    4. The hostname of the SEG server has to be ensured as the Exchange ActiveSync Host and not the Exchange server.
    5. Every user can get their own distinct email by leveraging lookup values.
  1. The password field has to be left blank. Subsequently, after the profile is installed on the device, this prompts the end-user to enter a password.
  2. To begin using secure mobile email, click on Save and Publish.
    When the admin wants to provision mobile email, create additional profiles for each device platform.

VMware Unified Access Gateway

Allow secure remote access from an external network to various internal resources with VMware Unified Access Gateway within a VMware Workspace ONE and VMware Horizon deployment. Multiple-use cases supported by Unified Access Gateway are:

  • To protect access to internal resources through the VMware Tunnel service with Per-app tunnelling of web and native apps on desktop, mobile and platforms.
  • Based on managed policies, grant access only to authorized devices, users, and email applications by securing on-premises email infrastructure.
  • By running the Content Gateway service, access from VMware Workspace ONE Content to internal file shares or SharePoint repositories.
  • Web applications reverse proxying.
  • Legacy applications for on-premises that utilize Kerberos or header-based authentication, allowing Identity bridging for authentication
  • On VMware Horizon on vSphere and Microsoft Azure, secure external access to desktops and applications on VMware Horizon Cloud Service.

Unified Access Gateway can be deployed within the corporate DMZ or internal network when allowing access to internal resources and acts as a proxy host for connections to your company’s resources. To the appropriate resource, Authenticated requests are directed, and any unauthenticated requests are discarded by Unified Access Gateway. It can also perform the authentication itself by leveraging additional authentication methods when enabled.

Support is being deployed across Microsoft Azure, VMware vSphere, Amazon Web Services, Unified Access Gateway, and all its edge services. Only Secure Email Gateway and VMware Tunnel, and Content Gateway edge services are supported for Microsoft Hyper-V.

Deployment Model of VMware Unified Access Gateway

Basic and cascade-mode architecture models are offered for deployment by Unified Access Gateway. Load balancing is offered under both configurations for high availability and SSL/TLS offloading.

  • In the DMZ network, Unified Access Gateway is typically deployed. In the basic deployment model behind a load balancer.
  • Backend and Frontend instances of the Unified Access Gateway are included in the cascade-mode deployment model, which has separate roles. Iver the configured ports, from public DNS, the Unified Access Gateway frontend appliance resides in the DMZ and can be accessed.
    The Unified Access Gateway backend appliance is deployed in the internal network, which hosts internal resources. After complete authentication, forward valid traffic to the backend appliance with edge services enabled on the frontend. An internal DNS file that the backend appliance can rectify must be included in the frontend appliance. Publicly available appliances are separated from the appliance that connects directly to internal resources, with this deployment model providing an added layer of security. The cascade model is only supported for the following edge services: VMware Tunnel, Horizon and Content Gateway.
  • For Content Gateway edge services and VMWare tunnel, reasons to adopt cascade mode are:
    • It is difficult to resolve the internal FQDN or hostname, for an organization might have limited or no DNS access in the DMZ that the edge service requires
    • Access might be restricted from the DMZ directly to internal resources by the organization’s security policies.
  • A double DMZ cascade model is not required for a Horizon deployment. The backend appliance might have the Horizon edge service toggled as enabled, and the frontend Unified Access Gateway appliance can work as the Web Reverse Proxy in the DMZ for environments where a double DMZ is mandated.

Deployment Methods of VMware Unified Access Gateway

The two supported ways of deploying Unified Access Gateway and optimal solutions to satisfy the design requirements are described in the following sections:

VMware vSphere OVF Administration Console and Template

Respond to various deployment questions, and run the Import OVF (Open Virtualization Format) wizard with this option. An IT administrator needs to respond to deployment. On first boot, the Unified Access Gateway is not production-ready when using this method and requires post-deployment configuration using the administration console. The required configuration tasks can be performed by importing a configuration file or manually from another Unified Access Gateway appliance.

PowerShell Script

On the first boot, ensure that the Unified Access Gateway virtual appliance is production-ready with the PowerShell method. When deploying on vSphere, this method uses the VMware OVF Tool command-line utility in the background. By providing a simple deployment command in PowerShell (.\uagdeploy.ps1 .\<name>.ini), the IT administrator updates an INI file with the required customization settings and then deploys the Unified Access Gateway. The OVF tool is not required for deployments on Microsoft Azure, Hyper-V, and Amazon Web Services (AWS), because Unified Access Gateway leverages the PowerShell module for the respective hypervisor.

Required Deployment Information for VMware Unified Access Gateway

Make sure that certain prerequisites are met and provide the following information before deploying a Unified Access Gateway appliance:


For the user between the endpoint the Unified Access Gateway and the endpoint and between the Unified Access Gateway and internal resources, TLS/SSL certificates are used to secure communications. Reissue the default certificates with certificates that have been signed by a trusted certificate authority (CA-signed certificates), although Unified Access Gateway generates default self-signed certificates during deployment for production use. Either as part of the initial configuration or during deployment, replace the certificates. As preferred, the same certificate or separate certificates can be used for the user and the administrative interfaces.

Unified Access Gateway generates default certificates that apply only to the administrative UI, Horizon, and Web Reverse Proxy edge service. Self-signed certificates are issued by the AirWatch CA through the Workspace ONE UEM console for the Workspace ONE UEM edge services and can also be configured to use public third-party certificates.

The list of supported certificates is:

  • Using a unique server certificate for each Unified Access Gateway appliance via Single-server-name certificates.
  • Wildcard certificates
  • Subject alternate name (SAN) certificates

Provide certificates in either PFX or PEM format. On Unified Access Gateway, Security protocols and cypher suites are configured per service. After deployment using the Unified Access Gateway administration console or REST API, Administrators can update the security protocols and cypher suites.


Defining two passwords during installation is required by the IT admin in Unified Access Gateway. Access to the REST API. is secured by the first password, and access to the Unified Access Gateway appliance console is secured by the second password. Through the Unified Access Gateway admin UI, Users with administrator privileges can reset their passwords. Using the root user credentials, the user can log in to the Unified Access Gateway console (command line) if the admin user password is forgotten and reset the admin UI password.

VMware Tunnel

Provide secure access for connecting to corporate resources with Workspace ONE VMware Tunnel solution. Users can perform business-critical tasks from a single app and access critical information using applications on their devices, streamlining the user experience with Per-App Tunneling. MANAGE which applications are on a device and what internal resources the applications have by Leveraging Per-App Tunnel, automatically enable or disable Per-App VPN access, based on which applications are active. There is no need to provide a device-wide VPN on the devices by enabling remote access, allowing unintended or unauthorized apps or processes to access enterprise VPN. Enable remote work and enforce endpoint compliance as part of the Anywhere Workspace solution set with the VMWare tunnel. Replace both per-app and full device VPNs with a modern Zero Trust architecture as part of the features of VMware tunnel.

Components of VMWare tunnel

  • Workspace One Tunnel: To provide Per-App Tunnel functionality, the app used on the device to securely connect to the Unified Access Gateway, also referred to as Tunnel Client.
  • Unified Access Gateway: To which the tunnel client connects and the virtual appliance where the VMware Tunnel edge service is installed
  • Per-App Tunnel: Controlled and configured by the VPN profile payload and Device Traffic Rules, this component of VMware Tunnel edge service for connecting to a secure tunnel channel on a per-application basis
  • Device Traffic Rules and Per-App VPN Profile: The device that contains the Per-App Tunnel configurations receives the Workspace ONE UEM configuration. The Workspace ONE Tunnel client evaluates the Device Traffic Rules assigned to it every time a specified application is opened before making any routing decisions and makes a Per-App tunnel connection with the Unified Access Gateway depending on the Per-App VPN Profile configuration.

Architecture and Deployment Model

Physical or virtual servers that stay in either a secured internal network zone or the DMZ are used to install the VMware Tunnel. Proxy and Per-App Tunneling are two components of the VMWare tunnel, each with its architecture and security features.

VMware Tunnel Pre-Deployment Configuration

A smooth installation process is provided in VMware Tunnel installation. Installation requires setting up a server that meets the listed hardware, software, and network requirements and executing preliminary steps in the Workspace ONE UEM console. Single-tier and multi-tier are two architecture models offered for deployment.

Deploy VMware Tunnel with Unified Access Gateway

Workspace ONE services like Per-app Tunnel that is offered by VMWare are hosted by a hardened virtual appliance (Unified Access Gateway), and this ​​is the preferred deployment method. Either vSphere or Hyper-V may be used, deploying Tunnel on Unified Access Gateway can be done and be automated using PowerShell. The Linux installer provides the same service as the Tunnel service on Unified Access Gateway.

Deploy VMware Tunnel on a Linux Server

The Linux is offered by Workspace One UEM installer so the admin can configure, download, and install VMware Tunnel onto a server for customers who do not want to use the Unified Access Gateway deployment. Different prerequisites are required for the Linux installer than the Unified Access Gateway method. Before beginning installation, specific hardware, software, and general requirements should be met to run the Linux installer.

VMWare Tunnel Management

To enhance VMware Tunnel deployment, consider configuring additional functionality and more control over device access, and networking support are offered.

VMware Tunnel Troubleshooting

To aid in diagnosing issues in deployment, the VMware Tunnel supports troubleshooting logs.

Workspace One Content Gateway

AirWatch provides VMware Content Gateway as a service on the Unified Access Gateway, powered by the Workspace ONE UEM. The VMware Content Gateway provides a secure and effective medium for end-users to access internal repositories. Create access levels to the corporate content using the VMware Content Gateway with VMware Workspace ONE Content. Directly from internal file shares or content repositories, end-users can remotely access their documentation, financial documents, board books, etc. The changes immediately show in VMware Workspace ONE Content as files are added or updated within the existing content repository. Depending on the existing access control lists defined in the internal repository, users are granted access to their approved files and folders.

Deploy ContentGateway on Unified Access Gateway

Begin with providing the Unified Access Gateway (UAG) parameters to a configured node for ContentGateway deployment on Unified Access Gateway, on the Workspace ONE UEM console.


To configure ContentGateway, active deployment of the Unified Access Gateway either as an Appliance or using PowerShell is required.

Configure Content Gateway on the UEM Console

To create a node and pre-configure the settings that get bundled into the configuration file, customize Content Gateway configurations in the Workspace ONE UEM console. Do away with the need to configure the settings manually post-installation on the server with the pre-configured settings.

Uploading an SSL certificate, select the configuration model and associated ports are configuration options.

  1. Navigate to Groups & Settings, scroll to All Settings, go on the system, select Enterprise Integration, click on Content Gateway in the Organization Group of choice.
  2. Toggle Enable the Content Gateway to Enabled. To unlock Content Gateway settings, select override.
  3. Click on add
  4. To configure a Content Gateway instance, complete the text boxes that appear.
  • Installation Type
  • Installation Type: for Content Gateway, Unified Access Gateway appears as the default available platform.
  • Content Configuration settings:
  • Configuration Type: Basic- no relay component Endpoint configuration.
  • Active: A relay component Endpoint configuration.
  • Name: to select this Content Gateway instance, provide a unique name used when attaching it to a Repository Template, Content Repository, or RFS Node.
  • Content Gateway Relay Address: Enter the URL used to access the Content Gateway Relay from the Internet if implementing a relay configuration.
  • Content Gateway Relay Port: Enter the relay server port if implementing a relay configuration.
  • Content Gateway Endpoint Address: The Content Gateway endpoint hostname has to be provided. A valid entry must be made for the Public SSL certificate bound on the configured port.
  • Content Gateway Endpoint Port: The endpoint server port has to be entered.
  • The Content SSL Certificate settings
    A public SSL certificate (required for Linux requirements): to bind to the port, upload a PKCS12 (.pfx) certificate file with a complete chain for the Content Gateway Installer. Intermediates, root certificates, a private key, a password, and a server certificate are included in the full chain. Note: Run commands such as certificate -using command-line tools such as Certutil or OpenSSL, dump OpenSSL pkcs12 or myCertificate.pfx -in myCertificate.pfx -nokeys to ensure that the PFX file contains the entire certificate chain. The complete certificate information is displayed by these commands. Depending on platform and SSL configuration, requirements vary.
    Ignore SSL Errors (not recommended): enable this setting if using a self-signed certificate. If this setting is enabled, certificate name mismatches and certificate trust errors are ignored.
  • Certificate Authentication settings:
    Enabling Cross-domain KCD Authentication: To authenticate users with the PIV-D Derived Credentials, enable this setting instead of user names and passwords. Users who access the on-prem SharePoint repositories with their devices take advantage of PIV-D certificate authentication.
  • Client Certificate Chain: The certificate chain is used to issue client certificates.
  • Target SPN: Target service SPN
  • Service Account Username: A service account with delegation rights user name is provided.
  • Service Account Password: Service Account Password is provided.
  • Domain: The domain name is provided in the Active Directory (AD) comprised of the users.
  • Domain Controller: for the domain, the Hostname or IP address of the domain controller is provided.
  • Under the Custom Gateway Settings, enter the Content Gateway edge service values. This optional configuration can be used to overrule the default configuration values for Content Gateway. Each time the UAG is upgraded, the configuration file changes are automated and does not require manual updates to the configuration files with the edge service values set on the UEM console. From Workspace ONEUEM console version 9, ICAPProxy configurations are not supported. Existing configurations can, however, be edited.
  • Click on add & then select save.


Submit a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.