Configuring High Availability in VMware Unified Access Gateway: Workspace ONE Operational Tutorial

The Unified Access Gateway server can be partitioned to receive traffic on a single interface or to route traffic to different interfaces. Although Unified Access Gateway can support up to three NICs, this tutorial implements a two NIC deployment. One NIC faces the internet, and the other one is dedicated to management and backend access.

The following architectural diagram shows the setup of the test environment used for this tutorial. This test environment emulates a typical environment, and includes DMZ and internal networks.

At the top of the diagram is vCenter Networking. In this environment, external requests to the vApp are sent to the vPod Router, which directs those requests to the appropriate resource, based on the incoming port. Ports 4000-6500 are reserved for the environment components so all traffic coming in on these ports is forwarded to the appropriate Edge Service for the Unified Access Gateway server. In addition, ports 443 and 9443 are forwarded to the Unified Access Gateway server over the respective ports.

Note:  In this example, the vCenter setup is hosted in a nested template. This is not usually the case when working with users in a live environment.

At the bottom of the diagram is the vApp network required to support the environment. The vApp networks (internal, DMZ, and transit) are created within the vApp. The internal and transit networks are NATed to the SE-UCS-Network for outbound internet connectivity while the DMZ network routes through the vPod Router for inbound and outbound access. Note that the vPodRouter does not have a NIC on the internal network and thus cannot route external traffic to resources on the internal network.

vPod Router | ESXi01 6.5.0 U1 | Control Center | vCenter Server 6.5 U1 hosted on ESXi01

For these exercises, the focus is on the network hosted on the ESXi, and represented by the following three networks:

• VM Network & Management: Represents the dedicated network to access the Management Console
• Internal Network: Represents the internal network on 172.16.0.x range. The Control Center, ESXI, and vCenter are part of the internal network.
• DMZ Network: Represents the DMZ network on 192.168.110.x which is where the Unified Access Gateway appliance is to be deployed. The Unified Access Gateway Internet-facing NIC is associated to this network.

Note: Keep in mind that the Unified Access Gateway requires a netmask, default gateway, and subnet to be defined for each network enabled during deployment.

Double-click the Chrome browser on the desktop.

1. Launch the Chrome browser from your desktop and enter the following vSphere URL https://vc.corp.local/ui
2. Enter the username, for example, administrator@vsphere.local.
3. Enter the password, for example, VMware1!.
4. Click Login.

After completing the login, you are presented with the vSphere HTML5 Client.

In this exercise, you use the uag-HA1.ini and uag-HA2.ini files to deploy two Unified Access Gateways, one named UAG-HA1 and the other named UAG-HA2. Each Unified Access Gateway will have two NICs, where NIC one is Internet-facing and NIC two for backend and management.

Navigate to your Unified Access Gateway INI file. In this example, the INI files are located in UAG Resources.

1. Click the File Explorer icon on the task bar.
2. Click Desktop.
3. Click UAG Resources.
4. Select both the uag-HA1.ini and uag-HA2.ini files, then right-click.
5. Click Edit with Notepad++ to open both files.

Note that distinct ip0 and ip1 addresses are used in each configuration file. The IP addresses are the only difference between the two appliances, all other values should be identical.

It is important to review and ensure that all the settings are configured identically, including the edge services on all appliances that will be part of the cluster. 

Click the PowerShell icon located on the Windows task bar.

Navigate to the folder containing your INI file. For example, enter cd '.\Desktop\UAG Resources' then press Enter.

After you run the script, it prompts for input. Enter the information requested, such as in the following example.

1. Enter .\uagdeploy.ps1 .\uag-HA1.ini VMware1! VMware1! false false no
2. The first VMware1! is the root password for the Unified Access Gateway appliance.
   The second VMware1! is the admin password for the REST API management access.
   The first false is to NOT skip the validation of signature and certificate.
   The second false is to NOT skip SSL verification for the vSphere connection.
   The no is to not join the VMware CEIP program.
3. Enter YOUR CERTIFICATE PASSWORD for the SSLcert and SSLcertAdmin fields when prompted.

To avoid a password request for the certificate, remove the pfxCert values and provide a PEM certificate in the INI file. Set the pemCerts and pemPrivKey for the SSLCert and SSLCertAdmin sections in the INI file.

The deployment starts and you can follow the progress in the same window or on your vSphere Web Client.

After successfully finalizing the deployment, the script automatically powers on the UAG-HA1 VM.

The Received IP address presented by the script log is a temporary IP. The final IPs for NIC 1 and NIC2 are assigned to the Unified Access Gateway appliance during the first boot. Return to the vSphere Web Client to Validate the Deployment.

Now, deploy the second appliance, called UAG-HA2, passing the uag-HA2.ini file as parameter.

1. Enter .\uagdeploy.ps1 .\uag-HA2.ini VMware1! VMware1! false false no The first VMware1! is the root password for the Unified Access Gateway appliance.
   The second VMware1! is the admin password for the REST API management access.
   The first false is to NOT skip the validation of signature and certificate.
   The second false is to NOT skip SSL verification for the vSphere connection.
   The no is to not join the VMware CEIP program.
2. Enter YOUR CERTIFICATE PASSWORD or the SSLcert and SSLcertAdmin fields when prompted.

To avoid a password request for the certificate, remove the pfxCert values and provide a PEM certificate in the INI file. Set the pemCerts and pemPrivKey for the SSLCert and SSLCertAdmin sections in the INI file.

The deployment starts and you can follow the progress in the same window or on your vSphere Web Client.

1. Click VM and Templates.
2. Click UAG-HA1.
3. Click View all 2 IP addresses. Note the IP Addresses displayed for the VM.

Repeat steps #2 and #3 for UAG-HA2. The IP addresses for this appliance should differ from UAG-HA1.

Note: If the Unified Access Gateway appliance does not finalize the configuration during the first startup, you receive an error message from vSphere Web Client. If that happens, wait for the appliance to finalize, and refresh the entire Google Chrome browser.

1. Click the New Tab button to open a new tab.
2. Navigate to the first appliance, for example, https://uagha-1.airwlab.com:9443/admin or click the UAG Internal Admin Console bookmark.
3. Enter the username, for example, admin.
4. Enter the password, for example, VMware1!  (created for the Admin API in the Deploy OVF Wizard).
5. Click Login.
6. Repeat steps 1-5, opening a new tab and log in to the second appliance, for example, using the following URL https://uagha-2.airwlab.com:9443/admin

A successful login redirects you to the following screen on both appliances, where you can import settings or manually configure the Unified Access Gateway appliance individually.

1. Click Select under Configure Manually in the UAG-HA1 administration console.
2. Select the tab to return to the UAG-HA2 administration console.
3. Click Select under Configure Manually in the UAG-HA2 administration console.

Validate the web reverse proxy settings to access the intranet on both appliances, using the administration consoles for UAG-HA1 and UAG-HA2 that you previously logged in to.

Remember to perform the following steps on both UAG-HA1 and UAG-HA2, switching between the two browser tabs as needed to validate the settings on each Unified Access Gateway.

Perform the following steps on each appliance using the administration console. 

1. Click SHOW next to Edge Service Settings, after you click SHOW, it changes to HIDE.
2. Click the Gear icon next to Reverse Proxy Settings.

In the administration console, the High Availability Settings is currently Not Configured on UAG-HA1 appliance at this point.

Click the High Availability Gear icon to configure.

Now repeat the same steps to configure the High Availability settings on UAG-HA2.

From your Chrome Browser, return to the tab where you logged into the the administration console for UAG-HA2.  The URL is https://uagha-2.airwlab.com:9443/admin.

The same Virtual IP Address (192.168.110.50) and Group ID (50) must be used on UAG-HA2 to make this appliance part of the same cluster where UAG-HA1 resides.

Return to the vSphere Web Client to validate the assignment of the additional virtual IP address to the primary appliance.

1. Click VM and Templates.
2. Select the UAG-HA1 VM.
3. Click View all 3 IP addresses.
4. The virtual IP address 192.168.110.50 was assigned to the UAG-HA1 VM, the primary appliance.

Note: You may need to refresh the page to see the IP addresses update properly.

Perform the same steps to view the IP addresses of the UAG-HA2 VM. Notice that it still has two IP addresses, as this appliance is set as the backup appliance on the high availability stack.

1. In Google Chrome, click the New Tab button to open a new tab.
2. Enter the floating virtual IP address (VIP) that you configured on the primary Unified Access Gateway  when setting up high availability, for example,  https://uagvip.airwlab.com/intranet in the address bar and press Enter.

The result is a sample intranet page hosted on an internal IIS server.

Return to the vSphere Web Client and Power Off the UAG-HA1 VM.

1. Click VM and Templates.
2. Click UAG-HA1 VM.
3. Click ACTIONS.
4. Hover over the Power option.
5. Click Power Off.
6. Click Yes to confirm Power Off action for UAG-HA1.

Wait for the UAG-HA1 complete shutdown. This triggers the backup Unified Access Gateway appliance in the cluster to become the primary appliance.

1. Click on the New Tab button to open a new tab.
2. Navigate to your intranet address, for example, https://uagvip.airwlab.com/intranet.

The same intranet webpage should show up, without any disruption for the user, however the traffic now is going through the UAG-HA2.

Return to the UAG-HA2 console administration tab (for example, https://uagha-2.airwlab.com:9443/admin), in Google Chrome.

UAG-HA2 is now set as the primary appliance and the virtual IP address is assigned to it.

Note: If the High Availability Settings do not show UAG-HA2 as the Master appliance, refresh the page.

Return to the vSphere Web Client to validate the assignment of the additional virtual IP address to the primary appliance.

1. Click VM and Templates.
2. Select UAG-HA2 VM.
3. Click View all 3 IP addresses.
4. The Virtual IP address 192.168.110.50 is now assigned to the UAG-HA2, the primary appliance.

Note: You may need to refresh the page to see the IP addresses update properly.

This confirms that when the primary Unified Access Gateway appliance was taken offline, the backup Unified Access Gateway appliance was promoted to primary and assigned the 192.168.110.50 virtual IP (uagvip.airwlab.com), and access to the intranet resource was uninterrupted.