An administrator has configured a per-app tunnel in a cascade deployment type.
Between the network segments, the administrator has implemented a load balancer that is providing SSL-offloading.
None of the per-app tunnel configured apps are able to establish a tunneled connection.
What is the problem?
A. B. C. D.B.
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1907/Tunnel_Linux/GUID-CD6FE0E3-902E-4099-A0B1-DB43B1BD0F43.html

In this scenario, the administrator has configured a per-app tunnel in a cascade deployment type, and has implemented a load balancer that is providing SSL-offloading between the network segments. However, none of the per-app tunnel configured apps are able to establish a tunneled connection.
The problem in this case is likely related to option D: "Per-app tunnel does not support SSL offloading between the two relay-endpoint tunnel servers."
To understand why this is the case, it's important to understand what a per-app tunnel is and how it works. A per-app tunnel is a feature of Workspace ONE Unified Endpoint Management (UEM) that allows IT administrators to provide secure access to corporate applications on mobile devices. It works by creating a secure tunnel between the mobile device and the corporate network, and routing all traffic to and from the corporate applications through that tunnel.
In a cascade deployment type, multiple relay servers are used to provide redundancy and load balancing for the per-app tunnel. In this scenario, the load balancer is providing SSL-offloading between the network segments. This means that the load balancer is decrypting SSL traffic from the mobile device before it reaches the first relay server, and re-encrypting it before sending it to the next relay server or the corporate network.
However, the per-app tunnel does not support SSL offloading between the two relay-endpoint tunnel servers. This means that SSL traffic cannot be decrypted by the load balancer and then re-encrypted by the second relay server. Instead, SSL traffic must be encrypted and decrypted by the same relay server. This is because the per-app tunnel relies on SSL certificates to establish trust between the mobile device and the relay server, and between the relay server and the corporate network. If SSL traffic is decrypted and re-encrypted by different servers, this trust relationship is broken.
Therefore, in order to fix the problem, the SSL offloading needs to be disabled between the two relay servers, and enabled only between the mobile device and the first relay server. This will allow SSL traffic to be encrypted and decrypted by the same relay server, and maintain the trust relationship required for the per-app tunnel to function correctly.
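One way to confirm whether a load balancer in the path is terminating TLS, shown as an added example (not VMware tooling and not part of the original page): compare the certificate the endpoint presents directly with the one seen through the load balancer. The function names, host names and port are hypothetical, and the sketch assumes the listener completes a TLS handshake with a probe client.

```python
import hashlib
import socket
import ssl


def fetch_leaf_der(host, port, timeout=5.0):
    """Return the DER leaf certificate presented at host:port, or None if
    no TLS handshake completes (closed port, plaintext listener, reset)."""
    ctx = ssl.create_default_context()
    # Diagnostic probe only: certificate identity is compared, so chain and
    # hostname validation are off. Never reuse this context to carry data.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except OSError:  # ssl.SSLError and socket timeouts are OSError subclasses
        return None


def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(der).hexdigest()


def classify_path(direct_der, via_lb_der):
    """Classify the load balancer from the two observed certificates.

    Limitation: a load balancer that terminates TLS with a copy of the
    endpoint's own certificate and key is reported as 'passthrough'.
    """
    if direct_der is None:
        return "unknown"      # nothing to compare against
    if via_lb_der is None:
        return "no-tls"       # path through the LB does not speak TLS
    if fingerprint(direct_der) == fingerprint(via_lb_der):
        return "passthrough"  # same certificate on both paths
    return "terminated"       # LB presents its own certificate: offload/bridging


def check(endpoint_host, lb_host, port):
    """Probe both paths (hypothetical host names and port) and classify."""
    return classify_path(fetch_leaf_der(endpoint_host, port),
                         fetch_leaf_der(lb_host, port))
```

A result of `terminated` or `no-tls` from `check("endpoint.example.internal", "lb-vip.example.internal", 8443)` (placeholder names and port) points at the offloading condition described above.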