Tunnel all Microsoft 365 traffic with VMware Tunnel

This blog post details how to tunnel all traffic for Microsoft 365 applications on iOS and Android with VMware Tunnel, and explains the steps needed to do so.

I assume that VMware Unified Access Gateway is already deployed with the Tunnel service enabled and proven to be functional.

Technical detail

Microsoft 365 applications can all be tunnelled entirely, but authentication only works with a specific deployment. Microsoft 365 applications always use the Authenticator code path for sign-in, even when Authenticator is not installed; during that phase the traffic is attributed to the Authenticator application name rather than to the application the user opened. This is why Authenticator must be added to the Device Traffic Rules, and why each application may behave differently if Authenticator is not installed. It is therefore highly recommended to deploy Authenticator; it also serves as the anchor point for authentication across all Microsoft 365 applications.

Flows

Network flow and authentication flow diagrams (images not preserved in this copy)

Prerequisites

  • Workspace ONE UEM any supported version
  • Unified Access Gateway (UAG) any supported version
  • VMware Tunnel

Applications Deployment

The only requirement is that Microsoft Authenticator and every other Microsoft application be deployed automatically through MDM, because the VPN profile must be applied to an application before that application is added to the device traffic rules.

If users can install applications themselves, make sure “Make App MDM Managed if User Installed” is enabled, so that management is taken over at enrolment.

Device Traffic Rules

There are two options for configuring the Device Traffic Rules:

  1. Add a dedicated rule that tunnels all traffic for the Microsoft 365 applications and Microsoft Authenticator
  2. Use the default rule to tunnel all traffic

If Android Mobile SSO is used, keep the Mobile SSO traffic rule above the other rules so that it takes priority over them.

Dedicated Rule

Add a rule listing all Microsoft applications (Authenticator included) with TUNNEL as the action and * (wildcard) as the destination.

Default rule

On the default traffic rule, change the default action from BYPASS to TUNNEL.
