This month a new minor version, 2.1, of the VMware Tunnel for Windows has been released. But don’t be fooled by the minor version bump: there are three new features in this release, all of which I’ve heard as requests from my customers. In this blog post I want to explain the details and use cases of these features.
Let’s have a quick look at the release notes first:
- Full Device Tunnel
  - VMware Tunnel now supports tunneling all device traffic regardless of the source application. This may be used by customers still transitioning to Zero Trust access architectures enabled with per-app tunneling.
  - Enabling full tunneling requires UEM console 2102. Admins may create new Device Traffic Rules and select the “Full Device” mode. This Device Traffic Rule policy may then be selected within a VPN profile for Tunnel.
- IPv4 based routing for Device Traffic Rules
  - Tunnel supports routing based on IP addresses, ranges, and subnets.
- Simplified DNS configuration
  - To simplify configuration for DNS resolution, Tunnel can pick up the internal domains directly from Device Traffic Rules.
You can also find these release notes online:
Let’s dive into the details of these new features and start with the Simplified DNS configuration.
Simplified DNS configuration
For those who haven’t seen it yet: for a while now it has been possible to create multiple Device Traffic Rule (DTR) sets in the WS1 UEM console, which makes administration easier. You can define multiple DTR sets and assign them to different groups of users via the Tunnel profile. The DTR sets are managed in the WS1 UEM console, as you can see here:
Once you have defined the DTR sets, it’s time to create a VPN Tunnel profile in the WS1 UEM console. As you can see in the screenshot below, you can choose which DTR set to use in the VPN Tunnel profile:
Here you can also see how to enable the new ‘Simplified DNS configuration’ feature. Instead of defining all the DNS domains in the VPN Tunnel profile, you can now enable ‘Enhanced Domain Resolution’. This configures the Tunnel client to resolve domains based on the destinations defined in the Device Traffic Rule sets.
More information on this feature can be found in the documentation:
Full Device Tunnel
This is a feature I’ve heard requested by some accounts. It is interesting for customers that are moving to a modern management approach but still have a lot of on-premises resources they need to access. Most customers are adopting cloud and SaaS services quickly, but some resources will stay on-prem for a long time, maybe even for years, depending on the customer and on local laws, for instance. Accessing file shares, printer mappings and client-server applications can be complex to configure in the per-app VPN model. That is why a full-device VPN mode has been added to the Tunnel for Windows. You simply create a new set of Device Traffic Rules and choose the new ‘Full Device’ Tunnel Mode, as you can see in the picture below. In addition to the new Tunnel 2.1 client, this requires UEM console 2102.
The best practice is still to embrace the per-app VPN tunnel approach, since this will split the internet traffic by default, providing a better user experience. But for those customers not ready to go there yet, the Full Device Tunnel Mode is a good intermediate solution.
IPv4 based routing for Device Traffic Rules
And finally, the last new feature: IPv4 based routing. This might sound old school, but there are applications that do not work correctly with DNS alone; sometimes hardcoded IP addresses are needed to make internal applications work. A good example I recently bumped into is Kerberos with Hello4Business: the initial negotiation of Kerberos tickets is done using DNS, but during the process the traffic switches to IPv4 based traffic. This new VMware Tunnel configuration makes it possible to support such use cases.
To start using this new feature simply configure IP addresses or subnets in the destination fields of the DTR set as you can see here:
The result is a Tunnel client that shows IP based destinations and connects on demand when these IP targets are accessed:
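To make the two rule-evaluation ideas above concrete (Enhanced Domain Resolution picking internal domains out of the DTR destinations, and IPv4 destinations catching traffic that a DNS-only rule set misses, as in the Kerberos case), here is a small constructed model of a DTR set. It is an added illustration, not VMware’s implementation; the `corp.example` domain, the 10.20.0.0/16 subnet and the 192.168.50.x range are made-up values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class DeviceTrafficRules:
    # Constructed model of a DTR set (not VMware's code): destinations are DNS
    # domains, single IPv4 addresses, IPv4 ranges ("a-b") or CIDR subnets.
    mode: str = "per-app"                          # or "full-device"
    domains: list = field(default_factory=list)
    networks: list = field(default_factory=list)   # ipaddress.IPv4Network
    ranges: list = field(default_factory=list)     # (first, last) IPv4Address

    def add_destination(self, dest: str) -> None:
        if "-" in dest:                            # "10.20.0.10-10.20.0.50"
            try:
                first, last = (ipaddress.IPv4Address(p.strip()) for p in dest.split("-", 1))
                self.ranges.append((first, last))
                return
            except ValueError:
                pass                               # a hostname with "-", fall through
        try:                                       # single IP (/32) or subnet
            self.networks.append(ipaddress.IPv4Network(dest.strip(), strict=False))
        except ValueError:                         # otherwise a DNS domain
            self.domains.append(dest.strip().lower().lstrip("*."))

    def internal_domains(self) -> list:
        # Enhanced Domain Resolution: internal domains come from the DTR destinations.
        return sorted(set(self.domains))

    def tunnels(self, target: str) -> bool:
        # Would a connection to `target` (hostname or literal IPv4) be tunneled?
        if self.mode == "full-device":
            return True                            # everything is tunneled
        try:
            ip = ipaddress.IPv4Address(target)
        except ValueError:                         # hostname: exact or subdomain
            host = target.lower()
            return any(host == d or host.endswith("." + d) for d in self.domains)
        return (any(ip in net for net in self.networks)
                or any(lo <= ip <= hi for lo, hi in self.ranges))

def kerberos_scenario() -> dict:
    # Constructed case: the KDC is first reached by name, then by its IP address.
    dns_only, with_ip = DeviceTrafficRules(), DeviceTrafficRules()
    dns_only.add_destination("*.corp.example")
    for d in ("*.corp.example", "10.20.0.0/16", "192.168.50.10-192.168.50.20"):
        with_ip.add_destination(d)
    return {"dns_only": [dns_only.tunnels(t) for t in ("kdc.corp.example", "10.20.1.5")],
            "with_ip": [with_ip.tunnels(t) for t in
                        ("kdc.corp.example", "10.20.1.5", "192.168.50.15", "8.8.8.8")],
            "internal_domains": with_ip.internal_domains()}
```

With only the domain rule, the name lookup is tunneled but the follow-up connection to the literal IP is not; adding the subnet and range closes that gap, while public addresses still bypass the tunnel in per-app mode.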
Personally, I’m very happy with this release since it supports so many new use cases. If you have questions, feel free to leave a comment and let me know your thoughts.