Tunnel Edge Scan For Workspace ONE UEM

Tunnel Edge Scan is a complement to the Test Connection option available from the Tunnel Configuration page in the Workspace ONE UEM console.  As a service hosted in Google Cloud, Tunnel Edge Scan performs remote scans of Tunnel hostnames to confirm that Tunnel instances present to the external world as expected.  The scans validate port connectivity and SSL attributes that are key requirements for successful Tunnel connections from endpoint devices.  Admins then cross-reference Tunnel Edge Scan results with their Tunnel Configuration page to confirm general availability of their Tunnel service.  In a nutshell, Tunnel Edge Scan helps validate that the real-world implementation on UAG infrastructure matches the intent set for VMware Tunnel within the WS1 UEM console.

Anatomy Of A Successful Connection 

At a very high level, there are roughly four network paths to consider for a successful Tunnel connection.  A functional deployment starts with communication from the UAG appliance to the UEM tenant.  Over an outbound 443 connection to the WS1 tenant the UAG appliance not only retrieves its initial Tunnel configuration, but also maintains this connection to receive updates on trusted endpoint devices.  With Tunnel Edge up and running on a UAG appliance, the next step is to push out not only Tunnel clients to endpoint devices, but also the network traffic rules that control routing of traffic on those endpoints.  This entire configuration occurs through outbound 443 connections from clients to the WS1 UEM tenant, as it does for MDM management in general.  Next, and most notably, there's the VPN connection itself from the endpoint device to the Tunnel server.  By default this is over TCP port 8443, but it can be configured for any other port, even port 443 through a feature called port sharing.  Further, traffic can flow over UDP as well.  Finally, there's the last leg of the journey from the UAG appliance to the internal resource, or from the UAG appliance to a back-end UAG appliance and then on to the internal resource.

Tunnel Edge Scan focuses on validating the path between endpoint devices and the Tunnel server, where the VPN connection happens.  This complements the Test Connection option available from the UEM console, which primarily validates the connection from the UAG appliance to the WS1 tenant.

Test Connection Under Tunnel Configuration

Within the WS1 UEM console, under the Tunnel Configuration page, lies the useful but often misunderstood Test Connection option.   

What this tool primarily confirms is a successful connection from the UAG appliance to the WS1 UEM tenant.  This is an absolutely critical connection for the functionality of Tunnel, as UAG reaches back out to the tenant not only for its basic configuration, but also for a constantly updated list of acceptable client endpoints.

But it doesn't validate the accessibility of the configured Tunnel hostname to mobile clients.  You can have a completely successful Test Connection, yet have a Tunnel server that is completely unavailable to the world due to connectivity problems.  For instance, you could have a successful Test Connection but not have the DNS record or the inbound port connectivity required for external access to Tunnel.  It's a gap that has confused many a customer, not to mention a VMware employee or two.

Tunnel Edge Scan attempts to bridge this gap by validating the external accessibility of the configured Tunnel hostname.  While we can't fully simulate the exact network path clients will take for VPN connectivity (a scan from Google Cloud says nothing about a carrier or guest Wi-Fi network that blocks the port), we can at least confirm general availability of Tunnel through a scan executed from Google Cloud, where Tunnel Edge Scan is hosted.

Tunnel Edge Scan coupled with the built-in Test Connection feature provides a more holistic view of Tunnel health.  Test Connection validates communication from the UAG appliance to the WS1 tenant, while Tunnel Edge Scan confirms that external devices will view the Tunnel hostname as expected.  

Collectively, both tests will help admins navigate common initial configuration challenges regarding networking and SSL communication. 

Interpreting Tunnel Edge Scan Results

To begin with, it's important to confirm that the Tunnel hostname falls within the subject (or subject alternative name) of the SSL certificate presented by Tunnel; a hostname mismatch means clients will fail certificate validation even though the port is open.

Generally speaking, you need to cross-reference the scan results with the Tunnel Configuration, Server Authentication section in the UEM console.  In particular, we're validating that the outside world is receiving the expected SSL cert from the Tunnel hostname.

Of further interest is the Acceptable Client Cert CA Name reported by Tunnel Edge Scan.  It's a telltale sign of a VMware Tunnel deployment, and often yields some interesting confirmation.  Where customers are leveraging WS1 UEM's built-in certificate authority, the Acceptable Client Cert CA Name will include "AwVPNDeviceRoot" within the name, along with information about the tenant and the OG the Tunnel instance supports.  When folks use their own certificates for authentication this attribute isn't nearly as revealing, but most go with the built-in certs, which yields this bit of transparency.  Keep in mind that this is visible to anyone who can reach the port, since the server sends the list in the clear during the TLS handshake.

Performing Checks Manually Against Your Tunnel Edge 

While it's easier to leverage Tunnel Edge Scan for an initial diagnosis, it's good to have these openssl commands in your back pocket for further troubleshooting and investigation. Simulating the results of Tunnel Edge Scan is all about getting crafty with openssl.  

As far as basic port connectivity goes, there are tools like nmap, a PowerShell port query, or even good old-fashioned telnet.  Further, to get absolute certainty that packets are making it to specific ports on the UAG appliance, you can leverage Test Packets.  Once port connectivity is sorted out, it's time to move on to the openssl commands.

For a deployment that leverages the default port of 8443, you could go with:

openssl s_client -connect tunnel-pt.airwlab.com:8443 </dev/null

(The </dev/null makes s_client exit after the handshake instead of sitting there waiting for you to type data to send.)  Along with validating that SSL is functioning properly on port 8443, buried in the output you'll see the Acceptable client certificate CA names.

Holy cow!  Talk about some palm reading.  This SSL attribute tells us a heck of a lot about the deployment a Tunnel instance is associated with, including the tenant URL and customer OG.

Next, to validate the SSL thumbprint presented by the Tunnel service, here's the command:

openssl s_client -connect tunnel-pt.airwlab.com:8443 </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha1

The -noout flag suppresses the PEM certificate so the only line printed is the SHA-1 fingerprint, as in SHA1 Fingerprint=AB:CD:...  (without it, the fingerprint is buried less than halfway down the output).

SHA-1 is the same format used for the thumbprint reported by the Tunnel Configuration page within the UEM console, so the two values should match once you ignore the colons and letter case.

Finally, for an environment that leverages port sharing over 443, you'd need to specify SNI as well, since the appliance relies on the server name in the handshake to tell a Tunnel connection apart from the other services sharing the port.  Without -servername you may get a different certificate back, or no handshake at all.

openssl s_client -connect tunnel-pt.airwlab.com:443 -servername tunnel-pt.airwlab.com </dev/null
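The checks above can be scripted so you run them the same way every time and compare the served thumbprint against the console value automatically.  The helper below is an added example, not code from the original post or from VMware; it assumes openssl is on the PATH, always sends SNI (so it works for both 8443 and port-sharing deployments), and takes the host, port and the expected thumbprint from the UEM console as arguments.  The hostname and thumbprint in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from VMware): script the
# openssl checks against a Tunnel edge and compare the served certificate
# thumbprint with the value shown in the UEM console.
# Assumptions: openssl is on PATH; host, port and expected thumbprint are
# passed in by the caller (values in the usage line are placeholders).

# Raw s_client transcript for HOST:PORT. SNI is always sent so a
# port-sharing (443) deployment routes us to Tunnel; </dev/null makes
# s_client exit after the handshake instead of waiting for input.
fetch_s_client() {
    host=$1; port=$2
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null
}

# Print the lines under "Acceptable client certificate CA names" from an
# s_client transcript on stdin. A UEM built-in CA shows up as AwVPNDeviceRoot.
# The list ends at "Client Certificate Types" (newer openssl) or "---" (older).
extract_client_ca_names() {
    awk '
        /^Acceptable client certificate CA names/ { found = 1; next }
        found && /^(Client Certificate Types|Requested Signature Algorithms|---)/ { exit }
        found { print }
    '
}

# Normalise a thumbprint for comparison: drop a "SHA1 Fingerprint=" prefix
# (openssl 1.x) or "sha1 Fingerprint=" (3.x), colons and spaces, upper-case.
normalize_fp() {
    sed -e 's/^.*=//' -e 's/[: ]//g' | tr abcdef ABCDEF
}

# SHA-1 thumbprint of the leaf cert in an s_client transcript on stdin;
# openssl x509 ignores the surrounding text and reads the PEM block.
extract_fingerprint() {
    openssl x509 -noout -fingerprint -sha1 | normalize_fp
}

# Exit 0 if SERVED (already normalised) equals EXPECTED from the console.
thumbprint_matches() {
    served=$1; expected=$(printf '%s' "$2" | normalize_fp)
    [ -n "$served" ] && [ "$served" = "$expected" ]
}

# Full check: reachability, acceptable client CA names, thumbprint match.
check_tunnel_edge() {
    host=$1; port=$2; expected=$3
    transcript=$(fetch_s_client "$host" "$port") || true
    if [ -z "$transcript" ]; then
        echo "FAIL: no TLS handshake with $host:$port (check DNS, firewall, port)"
        return 1
    fi
    echo "Acceptable client certificate CA names:"
    printf '%s\n' "$transcript" | extract_client_ca_names
    served=$(printf '%s\n' "$transcript" | extract_fingerprint)
    echo "Served SHA-1 thumbprint: $served"
    if thumbprint_matches "$served" "$expected"; then
        echo "OK: thumbprint matches the UEM console value"
    else
        echo "FAIL: console shows $(printf '%s' "$expected" | normalize_fp)"
        return 1
    fi
}

# Usage (placeholder values):
# check_tunnel_edge tunnel-pt.airwlab.com 8443 'AB:CD:EF:...'
```

A non-zero exit from check_tunnel_edge means either the port never completed a TLS handshake (the DNS/port gap that Test Connection can't see) or the served certificate is not the one configured under Server Authentication; both are exactly the conditions Tunnel Edge Scan flags.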

For a wonderful overview on Tunnel connections, check out the Tech Zone Article, Understand And Troubleshoot Tunnel Connections

I'll Be Your Mirror 

Fundamentally, Tunnel Edge Scan is providing a mirror for your UAG-based Tunnel deployment: "This is how your Tunnel instance presents to the world, and most likely to all your endpoint devices, unless something unusual is going on."  If something is amiss in your Tunnel Edge Scan, then your endpoints are likely to encounter similar problems, and you should troubleshoot accordingly.
