By Product Technical Guides

VMware AirWatch 101: AirWatch-NSX Integration

Integrate VMware AirWatch enterprise mobility management with the VMware NSX network virtualization and security platform to extend security policies from the data center to mobile application endpoints. AirWatch-NSX integration brings speed and simplicity to networking and micro-segmentation capabilities. By creating policies that dynamically follow mobile applications, it eliminates the need to do time-consuming network provisioning.

Keep reading to learn how to integrate NSX with AirWatch.
VMware AirWatch - NSX Integration

Next Level Per-App VPN

While per-app VPN addresses some of the security concerns of device-level VPN, it still exposes all the domain’s endpoints and services to an application. In comparison,micro-segmentation takes endpoint management to the next level, restricting application-level access to a specified endpoint on the data center.

[Related: VMware AirWatch 101: Per-App VPN]

Architecture Diagram of a Per-App VPN Connection

What is NSX Micro-Segmentation?

NSX micro-segmentation is a logical, bi-directional firewall that monitors inbound and outbound access controls for individual endpoints. It uses the NSX virtualization tool, making it a streamlined, cost-effective alternative to a physical firewall.

Architecture Diagram of a Per-App VPN with Micro-Segmentation Connection

AirWatch-NSX Integration Healthcare Use Case

Consider a doctor referencing patient health records from an enterprise health app. In this use case, only the health app, and not any of the device’s other applications, can establish a per-app VPN connection. Then, micro-segmentation dictates a designated endpoint (in this case, a patient database) for the health app.
Architecture Diagram of a Healthcare App using Micro-Segmentation to access a specified server.

This level of restriction means that the healthcare app cannot access the e-mail server, an inventory database or other unrelated services. The application’s assigned groups also mean that data access gets filtered on an employee level, as well. Nurses or doctors from a different department using the same health app cannot access the specified database without permission.

[box type=”shadow”]

Additional Use Cases

  • Enhanced network security and granular controls for mobile workflows
  • Accelerated digital workspace and bring-your-own-device (BYOD) deployments
  • Policy-defined network access for mobile apps and users
  • Reduced mobile access footprint to data center, minimizing attack surface
  • Accelerated mobile app delivery, testing and automation


AirWatch-NSX Integration Solution Overview

Starting with a sucessfully installed instance of NSX:

  1. Sync the NSX Security Groups that represent data center endpoints and services in the AirWatch Console. This action shares data center logic with AirWatch.
  2. Then, configure and install the VMware Per-App Tunnel. This server establishes the secure connection between mobile applications and the network.
  3. Next, configure a Per-App VPN profile to direct managed applications to specified endpoints.
  4. Finally, configure applications.

[box type=”shadow”]

VMware Tunnel Application

Device communication with the VMware Per-App Tunnel server goes through the VMware Tunnel application. Without this application,  a per-app VPN connection cannot establish. Therefore, the VMware Tunnel Application is the most important application to configure and deploy.[/two_third]

[one_third_last]Store view of the VMware Tunnel App[/one_third_last]


The other applications you configure depend on the specific scenario and use case, but are generally the apps that end users access internal resources from. When configuring these apps, consider using Assignment Groups within the AirWatch Console to control access on a user level.

 Plan VMware NSX Implementation


  • Determine the types of devices accessing your network.
  • Identify the endpoints (apps) in your network access.
  • Group applications by level of vulnerability/risk.
  • Define the security requirements for each level of access.


[two_third_last]NSX Integration Preliminary Steps[/two_third_last]

Install VMware NSX for vSphere 6.1.x+

  • Designate a separate network range for each Security Level to identify incoming traffic
  • Define IP set-based Security Groups in NSX
  • Define internal resource based Security Groups in NSX
  • Determine firewall rules for Security Groups
  • Identify application endpoint addresses
  • Set traffic routing patterns

Meet AirWatch-NSX Integration Requirements

  • AirWatch Admin Console v8.3+
  • AirWatch Tunnel server using the Linux Installer. The AirWatch Tunnel virtual appliance deployment method is currently not supported for NSX integration.
  • AirWatch Cloud Connector (For SaaS Customers)
  • Managed Android or iOS devices

AirWatch-NSX Integration Steps

This post highlights the configurations most important for AirWatch integration with NSX. For comprehensive instructions in AirWatch Console v9.1, click the suggested links.

[learn_more caption=”Step 1: Configure and Download the Linux Installer for VMware Per-App Tunnel”]
To Configure VMware Tunnel , you need the details of the server where you plan to install. Before configuration determine the deployment model, hostname(s), port(s), and which VMware Tunnel features to implement.


Available VMware Tunnel Features:

Micro-Segmentation with NSX requires NSX integration and installation of the Per-App VPN component. However, other configuration options remain. Available features include: access log integration, SSL offloading, enterprise certificate authority integration, and more.[/box]

Then, use the configuration wizard to go through the installer settings step-by-step. Next, download the installer from the AirWatch Console, for use during Linux server installation. Please note, changing the details in this wizard creates a new configuration, and requires a reinstall of the VMware Tunnel.

AirWatch Console Configurations:
  1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel > Network Accessibility.
  2. Select Enable AirWatch Tunnel.
  3. Click Enabled for NSX Communication and provide the NSX Manager URL and Admin Username and Password.


4. Sync Security Groups and block all non-compliant devices from the same configuration screen.


5. Select Download Linux Installer. This button downloads a single TAR file used for deploying the relay and endpoints.

6. Select Save.


[learn_more caption=”Step 2: Install VMware Per-App Tunnel with NSX Enabled”]
After meeting the VMware Tunnel for Linux System Requirements, configuring VMware Tunnel settings, and downloading the installer, begin installation. Run the installer on a Linux server, and enable the service.

During VMware Tunnel configuration, you specify whether you are installing in a multi-tier or single-tier configuration.

 [box] Important: After accepting the licensing agreement during installation, specify the components to install. Enter 1 to install Per-App Tunnel only.[/box]


[learn_more caption=”Step 3: Create a Per-App VPN Profile”]
After configuring the VMware Tunnel server, Configure Per-App Tunnel Profile for iOS or Configure Per-App Tunnel Profile for Android. This profile enables specified applications to route HTTP(S) and TCP traffic through the VMware Per-App Tunnel.  However, please note that the VPN profile can only take effect on devices with the VMware Tunnel application installed.

AirWatch Console Configurations
    1. Navigate to Devices > Profiles > List View > Add.
    2. Select the appropriate platform (iOS or Android).
    3. Configure a VPN Payload.
    4. Set the Connection Type to AirWatch Tunnel.
    5. Select the Per-App VPN Rules checkbox.


[learn_more caption=”Step 4: Configure VMware Tunnel App”]
The VMware Tunnel application enables access to internal resources through managed applications. To Access the VMware Tunnel App for iOS or Access the VMware Tunnel App for Android end users must download and install the VMware Tunnel application from the App Store.



[learn_more caption=”Step 5: Apply the Per-App VPN Profile and Security Group Mapping to Apps”]
After you create a per-app tunnel profile, Configure Public Apps to Use Per App Profile in the application configuration screen. This tells that application to use the defined VPN profile when establishing connections.

On the application configuration screen, select the following options:


Learn More About AirWatch-NSX Integration

To learn more about NSX, check out the links below:

Because you liked this blog: