VMware Workspace ONE Community
troysp
Enthusiast

Android and Tunnel/UAG

Hello,
I am trying to understand how Android functions differently than iOS with regards to UAG tunnel traffic.  There are some KB articles on DNS configurations in the UAG to support Android with traffic rules through the tunnel.  I am just trying to understand what this is and why it is needed.  I have tried to make the changes that are in the KB article but things are still not working as expected on Android.  For example, our Teams app is functioning properly on an iOS device, except for calls, but putting the Teams for Android app in the same rules does not work.  Does anyone know of any documentation or some more information on what is needed with regards to the UAG configuration to make Android function properly?  Any information you can offer is greatly appreciated.
Thank you

Troy

3 Replies
AlexanderMuc
Enthusiast

There is one major difference between tunnelling Android and iOS devices.

With Android, the name resolution of tunneled traffic always takes place via the DNS server defined for the UAGs.

On iOS, name resolution is done via the "last endpoint". This means that the DNS server stored on the UAG is used for internal traffic. If the traffic is forwarded via a proxy, the name resolution is done via the proxy.
Example:

- (Microsoft) Teams is completely tunneled via UAG on iOS and Android devices.

- External hostnames are routed to the Internet via a proxy using ServerTrafficRules.

- The internal DNS server does not execute DNS forwarding
iOS devices perform name resolution of external hostnames via the proxy, Android generally sends all requests to the internal DNS. As a result, login via the cloud does not work on Android, for example.

This can be mitigated, for example, by tunneling only certain addresses for the app in the DeviceTrafficRules on Android, or bypassing certain external addresses from the tunnel.

troysp
Enthusiast

Thank you for this information.  This is what I thought was happening.  We are still trying to get Teams to work correctly on Android.  Would it be possible to share your device traffic rules as an example?  I have Teams working on iOS other than calls which does not seem to work.  I am trying to figure out what servers to bypass the VPN tunnel in order to make calls work.

AlexanderMuc
Enthusiast

This is an example of device and server traffic rules. If the VPN is configured for apps, the traffic is completely tunneled for each app in this case. Specific VMware addresses are bypassed from the tunnel.

Traffic to *.internal(2).corp goes directly to the destination after the VPN endpoint, the rest is routed through a proxy.
Device Traffic Rules

All Applications / BYPASS / *api.na1.region.data.vmwservices.com*,*discovery.awmdm.com*,*signing.awmdm.com*,*vmwservices.com*

All Other Apps / TUNNEL / *
Server Traffic Rules

*internal.corp,*internal2.corp / BYPASS

* / PROXY / "Outbound Proxy"
We had a similar problem a long time ago when setting up VMware Tunnel, where the traffic for Android did not work properly, unlike iOS. We had a workaround where the last rule in the server traffic rules was a "* / BYPASS". Since the rule is never active, this should not change the behavior.
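As an added illustration (not code from the thread, nor VMware's own rule engine), the following Python model combines the device and server traffic rules posted above with the Android/iOS name-resolution difference described in the first reply, so you can see for a given hostname which rule matches, which resolver answers the lookup, and why an external name such as teams.microsoft.com fails on Android when the internal DNS does no forwarding. The matching semantics (first match wins, '*' as a glob, case-insensitive), the resolver assignment, the list of internal zones, and the mitigation pattern '*.microsoft.com*' are all assumptions made for this example rather than facts from the thread.

```python
"""Model of VMware Tunnel device/server traffic rules plus the Android-vs-iOS
name-resolution behaviour described in the thread. Added illustration, not
VMware code. Assumptions: first matching rule wins, '*' is a glob wildcard,
matching is case-insensitive, and the UAG's DNS server resolves only the
internal zones unless forwarding is enabled."""
from fnmatch import fnmatchcase

# Device traffic rules as posted in the thread: (scope, action, destinations)
DEVICE_RULES = [
    ("All Applications", "BYPASS", [
        "*api.na1.region.data.vmwservices.com*", "*discovery.awmdm.com*",
        "*signing.awmdm.com*", "*vmwservices.com*"]),
    ("All Other Apps", "TUNNEL", ["*"]),
]

# Server traffic rules on the UAG as posted: (destinations, action, proxy name)
SERVER_RULES = [
    (["*internal.corp", "*internal2.corp"], "BYPASS", None),
    (["*"], "PROXY", "Outbound Proxy"),
]

# Zones the UAG's DNS server can answer itself (assumption: same as the BYPASS rule)
INTERNAL_ZONES = ["*internal.corp", "*internal2.corp"]


def matches(host, patterns):
    """Case-insensitive glob match; '*' also spans dots (simplifying assumption)."""
    h = host.lower()
    return any(fnmatchcase(h, p.lower()) for p in patterns)


def device_action(host, rules=DEVICE_RULES):
    """First matching device rule wins; no match means the traffic is not tunneled."""
    for _scope, action, dests in rules:
        if matches(host, dests):
            return action
    return "BYPASS"


def server_action(host, rules=SERVER_RULES):
    """First matching server rule on the UAG wins."""
    for dests, action, proxy in rules:
        if matches(host, dests):
            return action, proxy
    return "BYPASS", None


def classify(platform, host, internal_dns_forwards=False, device_rules=DEVICE_RULES):
    """Return where the traffic goes and which resolver answers the lookup.

    Android: a tunneled name is always resolved by the UAG's DNS server.
    iOS: the last hop resolves it, i.e. the UAG DNS for BYPASS server rules
    and the outbound proxy for PROXY rules (as described in the thread).
    """
    dev = device_action(host, device_rules)
    if dev == "BYPASS":
        # Traffic never enters the tunnel, so the device's own resolver is used.
        return {"device": dev, "server": None, "resolver": "device-dns", "resolves": True}
    srv, proxy = server_action(host)
    if platform == "android" or srv == "BYPASS":
        resolver = "uag-dns"
    elif platform == "ios":
        resolver = proxy
    else:
        raise ValueError("unknown platform: %s" % platform)
    if resolver == "uag-dns":
        resolves = matches(host, INTERNAL_ZONES) or internal_dns_forwards
    else:
        resolves = True  # assumption: the proxy can resolve public names
    return {"device": dev, "server": srv, "resolver": resolver, "resolves": resolves}


# Constructed mitigation in the spirit of the first reply: bypass the external
# address for the app so the device resolves it instead of the UAG DNS. The
# pattern is illustrative only, not a complete list of Teams endpoints.
MITIGATED_DEVICE_RULES = [
    ("Teams", "BYPASS", ["*.microsoft.com*"]),
] + DEVICE_RULES


if __name__ == "__main__":
    for platform in ("ios", "android"):
        for host in ("teams.microsoft.com", "intranet.internal.corp", "discovery.awmdm.com"):
            print(platform, host, classify(platform, host))
    print("android (mitigated)", classify("android", "teams.microsoft.com",
                                         device_rules=MITIGATED_DEVICE_RULES))
```

Running it shows the asymmetry directly: on iOS the tunneled Teams lookup ends at the outbound proxy and succeeds, while on Android the same rule set sends the lookup to the UAG's DNS server, which fails unless that server forwards external names or the address is bypassed at the device rule level.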