The Essential Role of Omnissa Workspace ONE Tunnel
Traditional VPN solutions are no longer the most secure or flexible option for modern organizations. Recent cybersecurity incidents and the lack of granular access control are among the many reasons customers are looking for alternatives. Specifically, customers want solutions that verify every access request more rigorously, minimizing the potential for unauthorized access and strengthening their security posture. Today, threats can originate from both outside and inside the network, so constant verification of who is connecting, from what device and from where becomes crucial. In the market, this "never trust, always verify" model is called the Zero Trust model.
Industries such as healthcare, manufacturing, and financial services, where security is crucial, are shifting from traditional VPNs to Zero Trust architecture. Omnissa Workspace ONE Tunnel is the optimal solution for these security-focused sectors.
The comparison with traditional VPNs is timely: a competing VPN appliance recently suffered a zero-day vulnerability. Omnissa Workspace ONE Tunnel, by contrast, is deployed through a hardened appliance to minimize this risk. The incident underscores the ongoing danger of zero-day vulnerabilities in internet-facing remote-access gateways and the need for timely updates and patches, whichever product sits at the network edge.
The strength of Workspace ONE Tunnel is that it supports both device-based and per-app VPN configurations, enabling precise access control. By limiting access to authorized applications on compliant devices, through integration with the Workspace ONE UEM device compliance engine, the attack surface is significantly reduced. This contrasts with solutions that grant broad network access, where a single compromised endpoint or credential can be used to reach sensitive resources.
The simplicity of deploying Workspace ONE Tunnel also means there are fewer places where configuration errors could introduce security weaknesses. Recently, we added a new, more isolated deployment option: the Tunnel Container. The Tunnel Container runs the Tunnel server in an isolated container, which simplifies deployment, management and upgrades.
This blog will show you the benefits of Workspace ONE Tunnel from an iOS and Windows platform perspective, so let’s dive into the technical details.
More information on this new Tunnel server container deployment can be found here:
Omnissa Docs - Workspace ONE Tunnel Container Release Notes
Figure 1: Workspace ONE Tunnel communication flow
Device Platforms
The Omnissa Workspace ONE Tunnel app is available for managed and unmanaged devices, providing Per-App and Full Device Tunnel across multiple platforms. Only TCP and UDP traffic is routed to the Workspace ONE Tunnel app; other protocols such as ICMP are not, so a ping to an internal host is not a valid test of tunnel connectivity. Use a TCP-based check instead, for example opening an internal web page from an authorized app. On most platforms Workspace ONE Tunnel now supports Standalone enrollment without Workspace ONE Intelligent Hub or any device management.
Tunnel mode (Per-App and Full Device) availability depends on the device platform and how it is managed, as described in the following table. This reflects the current state; supported modes and platforms keep expanding.
| Management | Tunnel Mode | Windows | macOS | iOS | Android | ChromeOS | Linux |
|---|---|---|---|---|---|---|---|
| UEM Managed | Per-App | ✔ | ✔ | ✔ | ✔ | ✖ | ✖ |
| UEM Managed | Full Device | ✔ | ✔ | ✔ | ✔ | ✖ | ✖ |
| Registered Mode (unmanaged) | Per-App | ✔ | N/A1 | ✔* | ✔* | ✖ | ✖ |
| Registered Mode (unmanaged) | Full Device | ✔ | N/A1 | N/A2 | N/A2 | ✖ | ✖ |
| App Level (MAM/Standalone) | Per-App | ✔** | ✔** | ✔* | ✔* | ✖ | ✔** |
| App Level (MAM/Standalone) | Full Device | ✔** | ✔** | ✔** | ✔** | ✔** | ✔** |
* MAM requires the Tunnel module (Tunnel SDK), available in the Workspace ONE SDK.
** Standalone method does not require Intelligent Hub; enrollment is done through the Workspace ONE Tunnel App.
N/A1 – Management mode not supported on the specific platform.
N/A2 – Not applicable for the specific Tunnel mode.
More information on the latest platforms supported by Workspace ONE Tunnel can be found here.
Omnissa is the only vendor that can provide app tunneling / per-app VPN without any device management (Registered Mode in the table above).
Configuration
Now let’s spend some time looking at the configuration of Tunnel and some technical details.
The Tunnel client can authenticate using SAML or certificates. On managed devices the Tunnel client auto-connects using a certificate for authentication; in Registered Mode it requires interactive user authentication (SAML). In addition, you can strengthen authentication with the Workspace ONE compliance engine, which provides device trust: access is granted only while the device passes all of the configured compliance requirements.
Figure 2: Rules for allowed applications and destinations in Workspace ONE Tunnel Desktop Client (Windows)
The Tunnel can be configured in two VPN modes: Per-Application or Full Device.
- Per-App Tunnel restricts tunnel traffic only to authorized applications and destinations specified by the UEM administrator when configuring the Device Traffic Rules.
- In Full Device Tunnel configuration, traffic is restricted based on the authorized destinations only, regardless of the application that generates it.
Below you can see what we call Device Traffic Rules (DTR): the rules exposed to the admin for configuring app tunnelling and split tunnelling. As the picture shows, we can define apps from all the different platforms, along with a set of actions and destinations.
- Device Traffic Rules provide four actions: TUNNEL traffic into the network, BYPASS traffic out through the device's default gateway, BLOCK (blackhole) traffic, or send it to a specific PROXY.
Figure 3: Device Traffic Rules configuration example
- With Device Traffic Rules you can create multiple sets of rules and apply them to different profiles or groups of users. The following screenshot shows what this looks like in the Workspace ONE UEM admin console.
Figure 4: Multiple Device Traffic Rule Sets, ready for assignment
From a Least Privilege perspective, we can assign apps and routes and privilege with granular scope, ensuring only certain users and devices have access to specific resources. We can combine both identity and device properties to formulate these rules.
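To make the semantics of the two tunnel modes and the four DTR actions concrete, here is a small policy model written for this article. It is an added example, not Omnissa's implementation and not the console's rule format; the rule ordering, app identifiers, destinations, the fall-through default action and the sample flows are all constructed assumptions. It evaluates an ordered rule list the way an admin would reason about it (first match wins, app identity consulted only in Per-App mode, only TCP/UDP ever reaches the tunnel) and offers a dry run for checking a rule set before it is assigned.

```python
"""
Model of how Device Traffic Rules (DTR) decide what happens to a connection in
Per-App and Full-Device tunnel modes.  Added illustration for this article; it
is NOT Omnissa's implementation or the console's rule format.  Rule ordering,
app identifiers, destinations, the default action and the sample flows are all
constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


class Action(Enum):
    TUNNEL = "tunnel"  # forward through the Tunnel server into the corporate network
    BYPASS = "bypass"  # leave the tunnel and use the device's default gateway
    BLOCK = "block"    # drop (blackhole) the connection
    PROXY = "proxy"    # hand the connection to a named proxy


@dataclass(frozen=True)
class Rule:
    action: Action
    apps: FrozenSet[str]           # app identifiers; empty set means "any app"
    destinations: Tuple[str, ...]  # exact host, "*.suffix" wildcard, or CIDR
    proxy: Optional[str] = None    # only meaningful for Action.PROXY


@dataclass(frozen=True)
class Flow:
    app: str       # identifier of the app opening the connection
    host: str      # hostname or IP literal the app is connecting to
    protocol: str  # "tcp", "udp", or something else (e.g. "icmp")


def destination_matches(pattern: str, host: str) -> bool:
    """Match one DTR destination entry against the host a flow targets."""
    try:
        network = ip_network(pattern, strict=False)
    except ValueError:
        network = None
    if network is not None:
        try:
            return ip_address(host) in network
        except ValueError:
            return False  # a hostname never matches a CIDR entry
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern


def evaluate(rules: List[Rule], flow: Flow, mode: str,
             default: Action = Action.BYPASS) -> Tuple[Optional[int], Action]:
    """Return (index of the matching rule or None, resulting action).

    First matching rule wins, as in an ordered policy.  In "per-app" mode a
    rule that names apps applies only to those apps; in "full-device" mode the
    app identity is ignored and only the destination is consulted.  The
    fall-through `default` is an assumption of this model.
    """
    if flow.protocol not in ("tcp", "udp"):
        # Only TCP and UDP reach the tunnel client; anything else (ICMP, GRE...)
        # never enters the policy and follows the device's normal routing.
        return None, Action.BYPASS
    for index, rule in enumerate(rules):
        if mode == "per-app" and rule.apps and flow.app not in rule.apps:
            continue
        if any(destination_matches(d, flow.host) for d in rule.destinations):
            return index, rule.action
    return None, default


# Constructed rule set: ordered, with the BLOCK for a quarantined segment first
# so that no later TUNNEL rule can reach it.
RULES = [
    Rule(Action.BLOCK, frozenset(), ("10.0.5.0/24",)),
    Rule(Action.TUNNEL, frozenset({"com.example.erp", "com.example.crm"}),
         ("erp.corp.example", "*.corp.example", "10.0.0.0/8")),
    Rule(Action.PROXY, frozenset({"com.example.browser"}),
         ("*.corp.example",), proxy="proxy.corp.example:8080"),
]


def dry_run(rules: List[Rule], flows: List[Flow], mode: str) -> List[Action]:
    """Evaluate a batch of flows; useful for checking a rule set before assignment."""
    return [evaluate(rules, f, mode)[1] for f in flows]


if __name__ == "__main__":
    samples = [  # constructed flows
        Flow("com.example.erp", "erp.corp.example", "tcp"),
        Flow("com.example.games", "erp.corp.example", "tcp"),
        Flow("com.example.browser", "intranet.corp.example", "tcp"),
        Flow("com.example.erp", "10.0.5.20", "tcp"),
        Flow("com.example.erp", "10.0.5.20", "icmp"),
    ]
    for mode in ("per-app", "full-device"):
        for f in samples:
            idx, act = evaluate(RULES, f, mode)
            print(f"{mode:11} {f.app:20} -> {f.host:22} {f.protocol:4} rule={idx} {act.name}")
```

Running the dry run in both modes shows why mode and ordering matter: in Per-App mode the unauthorized game app never gets into the tunnel and the browser's intranet traffic goes to the PROXY rule, while in Full-Device mode the browser's traffic hits the earlier TUNNEL rule instead because the app name is no longer considered. The BLOCK rule wins in both modes only because it is listed first; the same kind of check against real Device Traffic Rule sets in the console is worth doing before assigning them.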
Assignment of these DTR sets to the different devices in your organization is done using Workspace ONE UEM Profiles and Assignment Groups. An example of this can be seen below.
Figure 5: In the VPN profile you can specify the DTR set to assign to each group of users/devices
This first impression on Workspace ONE Tunnel shows its benefits and capabilities. If you are looking for more detailed technical guidance on how to deploy the Workspace ONE Tunnel in your environment, I recommend using this guide on TechZone:
Omnissa TechZone: Deploying Workspace ONE Tunnel Operational Tutorial
As an integral part of the Workspace ONE platform, Workspace ONE Tunnel feeds Workspace ONE's real-time threat detection and automated response capabilities, helping organizations identify and mitigate risks before they can be exploited.
For example, you can report on the most active devices, the number of applications using Workspace ONE Tunnel and much more.
Figure 6: Example report of applications using the Tunnel
Workspace ONE Tunnel is a key enabler of Zero Trust for many of our customers. Numerous enterprises beginning to support mobile devices are adopting Tunnel because it meets all their needs. Additionally, organizations looking to modernize the management of their Windows and macOS desktops can use it as part of their transition from traditional full-device L3 VPNs to the modern app-aware, app-centric approach that Workspace ONE Tunnel facilitates.
Workspace ONE Tunnel can be both a starting point for Zero Trust, as well as a sophisticated enhancement to any Zero Trust deployment to help you responsibly move towards Zero Trust in phases.
Although Workspace ONE Tunnel secures Data-in-Transit (DiT), the evolving mobile threat landscape requires a Defense-in-Depth (DiD) strategy. This is where Mobile Threat Defense becomes invaluable as it extends security onto the endpoints themselves—protecting against Device, Network, Application & Phishing threats which are mobile-specific.
Summary
In summary, Omnissa provides a secure remote access solution that supports Zero Trust capabilities for your enterprise. Workspace ONE Tunnel serves as the primary client for this solution and can be regarded as a modern VPN alternative with Zero Trust features.
Let’s review the list of reasons discussed in this blog to choose Omnissa Workspace ONE Tunnel over other VPN solutions:
- Cost savings: no VPN or network hardware, so you can stop paying an additional VPN vendor, since Workspace ONE Tunnel is included in most Workspace ONE licenses.
- Evaluation: organizations are evaluating alternatives following recent vulnerabilities in Ivanti, Cisco and Fortinet VPN products.
- Compliance + Conditional Access: Workspace ONE Tunnel is distinguished from legacy VPN solutions, providing differentiated value and integration with Workspace ONE compliance.
- Platform and management support: Workspace ONE Tunnel provides extensive support across multiple OS platforms (Windows, macOS, iOS, Android, ChromeOS and Linux), in addition to support for managed and unmanaged devices.
- Simplified User Experience: Tunnel offers a transparent, zero-touch experience on mobile and has extended this seamless interaction to all platforms, ensuring that your VPN remains unobtrusive for users.
- Mobile Threat Defense Integration: Workspace ONE Tunnel is part of the Mobile Threat Defense (MTD) solution, providing Secure DNS for Phishing Detection, as well as Content Protection.
If you want to start with Workspace ONE Tunnel, checkout the following technical articles in Tech Zone:
- Deploy and configure the Tunnel Edge Service on Unified Access Gateway
- Deploying Workspace ONE Tunnel Client
- Understand and Troubleshoot Tunnel Connections for Load Balancing
If you’re a Workspace ONE customer, you may already have access to the feature today and if not, checkout Workspace ONE by contacting us at https://www.omnissa.com/contact-us/.