I am trying to understand how Android functions differently than iOS with regards to UAG tunnel traffic. There are some KB articles on DNS configurations in the UAG to support Android with traffic rules through the tunnel. I am just trying to understand what this is and why it is needed. I have tried to make the changes that are in the KB article but things are still not working as expected on Android. For example, our Teams app is functioning properly on an iOS device, except for calls, but putting the Teams for Android app in the same rules does not work. Does anyone know of any documentation or some more information on what is needed with regards to the UAG configuration to make Android function properly? Any information you can offer is greatly appreciated.
There is one major difference between tunnelling Android and iOS devices.
With Android, the name resolution of tunneled traffic always takes place via the DNS server defined for the UAGs.
On iOS, name resolution is done via the "last endpoint". This means that the DNS server stored on the UAG is used for internal traffic. If the traffic is forwarded via a proxy, the name resolution is done via the proxy.
- (Microsoft) Teams is completely tunneled via UAG on iOS and Android devices.
- External hostnames are routed to the Internet via a proxy using ServerTrafficRules.
- The internal DNS server does not perform DNS forwarding.
iOS devices perform name resolution of external hostnames via the proxy, Android generally sends all requests to the internal DNS. As a result, login via the cloud does not work on Android, for example.
This can be mitigated, for example, by tunneling only certain addresses for the app in the DeviceTrafficRules on Android, or bypassing certain external addresses from the tunnel.
Thank you for this information. This is what I thought was happening. We are still trying to get Teams to work correctly on Android. Would it be possible to share your device traffic rules as an example? I have Teams working on iOS other than calls which does not seem to work. I am trying to figure out what servers to bypass the VPN tunnel in order to make calls work.
This is an example of device and server traffic rules. If the VPN is configured for apps, the traffic is completely tunneled for each app in this case. Specific VMware addresses are bypassed from the tunnel.
Traffic to *.internal(2).corp goes directly to the destination after the VPN endpoint, the rest is routed through a proxy.
Device Traffic Rules
All Applications / BYPASS / *api.na1.region.data.vmwservices.com*,*discovery.awmdm.com*,*signing.awmdm.com*,*vmwservices.com*
All Other Apps / TUNNEL / *
Server Traffic Rules
*internal.corp,*internal2.corp / BYPASS
* / PROXY / "Outbound Proxy"
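Worked example (added here; this is not code from the thread, from VMware or from the UAG itself): a small Python evaluator that walks the Device Traffic Rules and Server Traffic Rules listed above and reports, for an Android versus an iOS client, which path a request takes and which resolver answers the DNS query, applying the Android/iOS difference explained earlier in the thread. The rule ordering (top-down, first match wins), the glob meaning of `*`, treating "All Applications" and "All Other Apps" as matching every app, the app identifier and the login hostname `login.cloud.example` are all assumptions or constructed values, not taken from a UAG export.

```python
"""Where does DNS resolution happen for a UAG-tunneled request?

Added example, not VMware code. Assumptions: rules are matched top-down and
the first match wins; `*` is a glob wildcard; "All Applications" and
"All Other Apps" both match every app; the outbound proxy resolves public
names itself; the internal DNS resolves only internal zones unless
forwarding is enabled.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    path: str      # "bypass" (never enters the tunnel), "direct" (UAG to destination) or "proxy"
    resolver: str  # who resolves the name: "device", "uag" or "proxy"


# Constructed rule sets mirroring the example rules posted in the thread.
# Device rule: (app pattern, action, destination patterns)
DEVICE_RULES = [
    ("*", "BYPASS", ["*api.na1.region.data.vmwservices.com*", "*discovery.awmdm.com*",
                     "*signing.awmdm.com*", "*vmwservices.com*"]),
    ("*", "TUNNEL", ["*"]),
]
# Server rule: (destination patterns, action, proxy name)
SERVER_RULES = [
    (["*internal.corp", "*internal2.corp"], "BYPASS", None),
    (["*"], "PROXY", "Outbound Proxy"),
]
INTERNAL_ZONES = ("internal.corp", "internal2.corp")


def _matches(host, patterns):
    host = host.lower()
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)


def evaluate(platform, app, host, device_rules=DEVICE_RULES, server_rules=SERVER_RULES):
    """Return the Decision for one request from `app` on `platform` ("android" or "ios")."""
    tunneled = False
    for app_pattern, action, dests in device_rules:
        if fnmatch.fnmatchcase(app, app_pattern) and _matches(host, dests):
            if action == "BYPASS":
                return Decision("bypass", "device")   # never reaches the UAG
            tunneled = True
            break
    if not tunneled:
        return Decision("bypass", "device")  # no rule matched: left untouched (assumption)

    for dests, action, _proxy in server_rules:
        if _matches(host, dests):
            if action == "BYPASS":
                # Internal traffic: both platforms use the DNS server defined on the UAG.
                return Decision("direct", "uag")
            # Proxied traffic: Android still asks the UAG's DNS; iOS resolves at the
            # "last endpoint", i.e. it lets the proxy resolve the name.
            return Decision("proxy", "uag" if platform == "android" else "proxy")
    return Decision("direct", "uag")


def name_resolves(decision, host, internal_zones=INTERNAL_ZONES, internal_dns_forwards=False):
    """Would the lookup succeed, given who resolves it? (a model, not a live query)"""
    internal = host.lower().endswith(tuple(internal_zones))
    if decision.resolver == "uag":
        return internal or internal_dns_forwards
    return not internal   # proxy or device resolver: public names only (assumption)


def with_app_bypass(device_rules, app, patterns):
    """Mitigation from the thread: bypass selected external hosts for one app,
    inserted ahead of the catch-all TUNNEL rule."""
    return [(app, "BYPASS", list(patterns))] + list(device_rules)


if __name__ == "__main__":
    teams, login = "com.microsoft.teams", "login.cloud.example"  # constructed names
    for platform in ("ios", "android"):
        d = evaluate(platform, teams, login)
        print(platform, d, "resolves:", name_resolves(d, login))
    fixed = with_app_bypass(DEVICE_RULES, teams, ["*cloud.example*"])
    d = evaluate("android", teams, login, fixed)
    print("android (with bypass)", d, "resolves:", name_resolves(d, login))
```

Running it shows the login lookup being answered by the UAG's DNS on Android (and failing when that DNS does not forward), by the outbound proxy on iOS, and succeeding on Android once a per-app BYPASS for the external host sits ahead of the catch-all TUNNEL rule. One caveat the evaluator makes visible: a glob such as *internal.corp also matches notinternal.corp, so check that your patterns are not broader than intended.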