Configuring Web Reverse Proxy and Identity Bridging in VMware Unified Access Gateway: Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 9.5 and later
VMware Unified Access Gateway 3.3 and later

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you configure a web reverse proxy instance to access an intranet website using certificate-based authentication on the Unified Access Gateway. You also configure two modes for Identity Bridging: SAML to Kerberos and Certificate to Kerberos.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE UEM administrators of existing production environments.

Knowledge of additional technologies such as network, VPN configuration, VMware Workspace ONE® Intelligence and VMware Workspace ONE® UEM is also helpful.

Configuring Web Reverse Proxy and Device Certificate Authentication

Introduction

The web reverse proxy feature in Unified Access Gateway enables external access to internal websites.

This section helps you configure a web reverse proxy instance to access an intranet website, using a device certificate as the authentication method on the Unified Access Gateway.

The exercises cover a Unified Access Gateway 3.3.1 deployment in vSphere 6.5 U1.

Procedures include:

  • Deploying the Unified Access Gateway appliance
  • Configuring web reverse proxy to access both SSL and non-SSL websites
  • Adding certificate-based authentication to an intranet website

 The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

 

Architecture

The architectural diagram below shows an example environment which emulates a typical environment, including DMZ and internal networks.

In this example, external requests to the vApp are sent to the vPod Router, which directs those requests to the appropriate resource, based on the incoming port. Ports 4000-6500 are reserved for the environment components so all traffic coming in on these ports is forwarded to the appropriate Edge Service for the Unified Access Gateway server. In addition, ports 443 and 9443 are forwarded to the Unified Access Gateway server over the respective ports.

The vApp networks (internal, DMZ, and transit) are created within the vApp. The internal and transit networks are NATed to the SE-UCS-Network for outbound internet connectivity while the DMZ network routes through the vPod Router for inbound and outbound access. Note that the vPodRouter does not have a NIC on the internal network and therefore cannot route external traffic to resources on the internal network.

vPod Router | ESXi01 6.5.0 U1 | Control Center | vCenter Server 6.5 U1 hosted on ESXi01

Architecture Overview Diagram

The following architectural diagram shows an example of two major networks that you can deploy your servers into. For this set of exercises, you deploy the Unified Access Gateway appliance on a DMZ and assign the respective NICs.

HOL Architecture Overview

At the top of the diagram is vCenter Networking. At the bottom of the diagram is the vApp network required to support the environment. For these exercises, the focus is on the network hosted on the ESXi, and represented by the following three networks:

  • VM Network & Management: Represents the dedicated network to access the Management Console
  • Internal Network: Represents the internal network on the 172.16.0.x range. The Control Center, ESXi, and vCenter are part of the internal network.
  • DMZ Network: Represents the DMZ network on 192.168.110.x, which is where the Unified Access Gateway appliance is to be deployed. The Unified Access Gateway Internet-facing NIC is associated with this network.

Network Interfaces

Unified Access Gateway supports deployments with one, two, or three NICs. This means that the server can be partitioned to receive traffic on a single interface or to route traffic to different interfaces, based on the source of the request. Most often, if you need to implement multiple NICs, you already follow this standard with other web applications in your organization.

You must determine what is appropriate for your environment when selecting the number of NICs during installation. It is important for you to understand the expected behavior when two or three NICs are enabled.

To explore these options, see Deploying VMware Unified Access Gateway: VMware Workspace ONE Operational Tutorial.

General Considerations

In the exercises for deploying the Unified Access Gateway server through vSphere, the vCenter setup is hosted in a nested template. This is not usually the case when working with users in a live environment.

User environments can include multiple networks and can optionally have a Network Protocol Profile (NPP) that corresponds to the networks to connect to the Unified Access Gateway. Prior to version 3.3, NPP was a requirement. Since version 3.3, NPP is no longer required.

Note: Keep in mind that the Unified Access Gateway requires a netmask, default gateway, and subnet to be defined for each network enabled during deployment.

Prerequisites

Before you can perform the steps in this exercise, you must install and configure the following components:

  • VMware AirWatch 8.4 and later or VMware Workspace ONE UEM 9.5 and later
  • VMware vSphere ESX host with a vCenter Server (vSphere 6® and later)
  • vSphere data store and network to use
  • PowerShell script running on Windows 8.1 or later machines, or Windows Server 2008 R2 or later
  • Windows machine running the PowerShell script with VMware OVF Tool command installed (see OVF Tool Software Download to install OVF Tool 4.3 or later)
  • Unified Access Gateway PowerShell script, such as uagdeploy-VERSION.ZIP (download from my.vmware.com, and extract the files into a folder on your Windows machine)
  • Obtain a Unified Access Gateway virtual appliance image OVA file, such as .euc-access-point-3.3.X.X-XXXXXXXXXXX.ova (see VMware Product Interoperability Matrixes to determine which version to download)
  • CA Root and Intermediate certificate, and user certificate to configure Device Certificate Authentication

Logging In to the vSphere Web Client

To perform most of this exercise, you need to log in to the vSphere Web Client.

1. Launch Chrome Browser

Double-click the Google Chrome browser icon on the desktop.

2. Authenticate to the vSphere Web Client

  1. Launch the Chrome browser from your desktop and click the bookmark for vSphere.
  2. Enter the username, such as administrator@vsphere.local.
  3. Enter the password, such as VMware1!.
  4. Click Login.

After completing the login, you are presented with the vSphere Web Client.

Preparing Unified Access Gateway INI Settings for Deployment

This section covers the required INI settings to configure Unified Access Gateway appliance during deployment.

1. Configure the General Deployment Settings

An INI file containing all of the configuration settings is required to deploy the Unified Access Gateway appliance.

In this exercise, you use the uag-appliance.ini file to provide the respective parameters for your deployment.

In this example, you deploy a new Unified Access Gateway appliance called UAG02, which has two NICs. NIC1 is Internet-facing and NIC2 is for back end and management.

1.1. Open the uag-appliance.ini File for Editing

Editing UAG-2NIC.ini

Navigate to the uag-appliance.ini file. In this example, the INI file is located in UAG Resources.

  1. Click the File Explorer icon on the task bar.
  2. Click Desktop.
  3. Click UAG Resources.
  4. Right-click the uag-appliance.ini file.
  5. Click Edit with Notepad++.

1.2. Configure General Settings (1/2)

General Settings 1/2

In the General section, provide the following settings:

  1. In the name field, enter a name, such as UAG02 in this example.
  2. In the source field, enter the path, such as C:\Users\Administrator\Desktop\UAG Resources\UAG Files\euc-unified-access-gateway-3.3.0.0-8539135_OVF10.ova, and use File Explorer to verify that the OVA file has the name indicated.
  3. In the target field, enter the destination path, such as vi://administrator@vsphere.local:VMware1!@vc.corp.local/Nested_Datacenter/host/Host_Cluster. Note: You can replace the password with 'PASSWORD'; the script then prompts for the password during the PowerShell execution.
  4. In the diskmode field, enter thin.
  5. In the ds field (ds refers to data store), enter datastore2_ESXi01.
  6. In the deploymentOption field, enter twonic.

 

1.3. Configure General Settings (2/2)

General Settings 2/2

Continue with the General section and configure the following parameters in the INI file. Keep in mind that ip0 is the Internet-facing NIC, and ip1 is the internally facing NIC.

  1. For ipMode, enter STATICV4.
  2. For defaultGateway, enter 192.168.110.1.
  3. For dns, enter 192.168.110.10.
  4. For ip0, enter 192.168.110.20.
    Note: ip0 is the Internet-facing NIC.
  5. Enter 172.16.0.20 for the ip1 field.
    Note: ip1 is the internally facing NIC.
  6. For netmask0 and netmask1, enter 255.255.255.0.
  7. For netInternet, enter DMZ_VM_DPortGroup.
  8. For netManagementNetwork and netBackendNetwork, enter Internal_VM_DPortGroup.

1.4. Configure the TLS/SSL Certificates

Select Name and Location

SSLCert and SSLCertAdmin contain SSL certificate information for the administration and Internet interfaces.

  1. For pfxCerts under SSLCert, enter C:\AW Tools\airwlab.com.pfx (this certificate is for the Internet interface).
  2. For pfxCerts under SSLCertAdmin, enter C:\AW Tools\airwlab.com.pfx (this certificate is for the administration interface).

The certificate password is requested during the deployment.
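
A pre-deployment check for the INI settings entered in sections 1.2 to 1.4, added here as an example; it is not part of the tutorial or of VMware's deployment scripts. The function names and the specific checks are assumptions modelled on this tutorial's two-NIC layout; the keys and sample values are the ones shown above, plus the pemCerts and pemPrivKey keys named in the deployment step.

```python
import configparser
import ipaddress

# Constructed sample: the values this tutorial enters in sections 1.2 to 1.4.
SAMPLE_INI = r"""
[General]
name=UAG02
source=C:\Users\Administrator\Desktop\UAG Resources\UAG Files\euc-unified-access-gateway-3.3.0.0-8539135_OVF10.ova
target=vi://administrator@vsphere.local:VMware1!@vc.corp.local/Nested_Datacenter/host/Host_Cluster
diskmode=thin
ds=datastore2_ESXi01
deploymentOption=twonic
ipMode=STATICV4
defaultGateway=192.168.110.1
dns=192.168.110.10
ip0=192.168.110.20
ip1=172.16.0.20
netmask0=255.255.255.0
netmask1=255.255.255.0
netInternet=DMZ_VM_DPortGroup
netManagementNetwork=Internal_VM_DPortGroup
netBackendNetwork=Internal_VM_DPortGroup

[SSLCert]
pfxCerts=C:\AW Tools\airwlab.com.pfx

[SSLCertAdmin]
pfxCerts=C:\AW Tools\airwlab.com.pfx
"""


def target_password(target):
    """Return the password embedded in a vi:// locator, or None if there is none."""
    if "://" not in target:
        return None
    authority = target.split("://", 1)[1].split("/", 1)[0]
    # The user name itself contains '@', so split on the last '@' in the authority.
    userinfo, at, _host = authority.rpartition("@")
    if not at or ":" not in userinfo:
        return None
    return userinfo.split(":", 1)[1]


def lint_uag_ini(text):
    """Return a list of findings (strings) for a uag-appliance.ini document."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: ipMode, netmask0, ...
    cp.read_string(text)
    g = cp["General"]
    findings = []

    # 1. Credentials at rest: the tutorial allows the literal PASSWORD placeholder.
    pw = target_password(g.get("target", ""))
    if pw and pw != "PASSWORD":
        findings.append("target: vCenter password stored in cleartext; "
                        "use PASSWORD so the script prompts for it")

    # 2. Every enabled NIC needs both an address and a netmask.
    nets = {}
    for n in ("0", "1"):
        ip, mask = g.get("ip" + n), g.get("netmask" + n)
        if ip and mask:
            nets[n] = ipaddress.ip_interface(f"{ip}/{mask}").network
        elif ip or mask:
            findings.append(f"ip{n}/netmask{n}: both must be set")
    if g.get("deploymentOption") == "twonic" and len(nets) < 2:
        findings.append("deploymentOption=twonic needs ip0/netmask0 and ip1/netmask1")

    # 3. Assumption from this tutorial's layout: the default gateway is on the
    #    Internet-facing (ip0) network and the two NICs are on separate subnets.
    gw = g.get("defaultGateway")
    if gw and "0" in nets and ipaddress.ip_address(gw) not in nets["0"]:
        findings.append("defaultGateway: not on the ip0 (Internet-facing) subnet")
    if len(nets) == 2 and nets["0"].overlaps(nets["1"]):
        findings.append("ip0/ip1: Internet-facing and internal NICs share a subnet")
    if g.get("netInternet") and g.get("netInternet") == g.get("netManagementNetwork"):
        findings.append("netManagementNetwork: admin interface shares the "
                        "Internet-facing port group")

    # 4. Certificates: a PEM certificate is only usable together with its key.
    for section in ("SSLCert", "SSLCertAdmin"):
        if not cp.has_section(section):
            continue
        s = cp[section]
        if bool(s.get("pemCerts")) != bool(s.get("pemPrivKey")):
            findings.append(f"{section}: pemCerts and pemPrivKey must be set together")
    return findings


if __name__ == "__main__":
    for finding in lint_uag_ini(SAMPLE_INI):
        print(finding)
```

Run against the values exactly as entered above, the only finding is the cleartext vCenter password in the target field; replacing it with PASSWORD clears the report.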

Deploying Unified Access Gateway Appliance

After you have configured the INI file for your Unified Access Gateway deployment, the next step is to run the uagdeploy.ps1 PowerShell script passing the INI as a parameter. 

1. Open PowerShell

Open PowerShell

Click the PowerShell icon.

2. Deploy Unified Access Gateway Using PowerShell

Running the script

After you run the script, it prompts for input.

  1. Navigate to the folder containing your INI file. For example, enter cd '.\Desktop\UAG Resources' then press Enter.
  2. Enter .\uagdeploy.ps1 .\<uag-tunnel>.ini <password1> <password2> false false no then press Enter.
    Replace <uag-tunnel> with your INI file name.
    Replace <password1> with the root password for the Unified Access Gateway appliance.
    Replace <password2> with the administrator password for REST API management access.
    The first false is to not skip the validation of signature and certificate.
    The second false is to not skip SSL verification for the vSphere connection.
    The no is to not join the VMware CEIP program.
  3. Enter the password for the SSLcert and SSLcertAdmin fields, for example, certpassword.
  4. Enter the apiuser password, for example, apiuserpassword to allow Unified Access Gateway to obtain the VMware Tunnel settings from Workspace ONE UEM.

To avoid a password request for the certificate, remove the pfxCerts values and provide a PEM certificate in the INI file. Set the pemCerts and pemPrivKey for the SSLCert and SSLCertAdmin sections in the INI file.

The deployment starts and you can follow the progress in the same window or on your vSphere Web Client.

3. Confirm the PowerShell Script Deployment Completes

Deployment finished
  1. Confirm the deployment has been completed successfully. The Completed successfully text is shown in the output.
  2. Click Close.

After a successful deployment, the script automatically powers on the VM UAG-2NIC-TUNNEL.

The Received IP address presented by the script log is a temporary IP; the final IPs for NIC one and NIC two are assigned to the Unified Access Gateway appliance during the first start. Return to the vSphere Web Client and validate the IP address in the next step.

4. Validate Unified Access Gateway Deployment

Validating UAG Appliance status
  1. If you do not see the UAG-2NIC VM under Nested_Datacenter, you may need to click Refresh first.
  2. Click UAG-2NIC-TUNNEL.
  3. Click the Summary tab.
  4. Click View all 2 IP addresses.
  5. The IP addresses in this example are 192.168.110.20 and 172.16.0.20.

Important: If the Unified Access Gateway appliance does not finalize the configuration during the first startup, you receive an error message from vSphere Web Client. If that happens, wait for the appliance to finalize, and refresh the entire Google Chrome browser.

5. Log In to Unified Access Gateway Administrator Console

UAG Admin UI Login
  1. Click the New Tab button to open a new tab.
  2. Navigate to the Unified Access Gateway administration console URL, for example, https://uagmgt-int.airwlab.com:9443/admin.
  3. Enter the username, for example, admin.
  4. Enter the password, for example, VMware1!.
  5. Click Login.

6. Confirm Administrator Login to the Internal Network

A successful login redirects you to the following screen. Keep this window open as you will return to the administration console later.

Click Select to configure settings manually.

Configuring Web Reverse Proxy to Access a Non-SSL Website

The Unified Access Gateway is now deployed, and you can access the Unified Access Gateway administration console to update the appliance configuration.

This section helps you configure Unified Access Gateway as a web reverse proxy, enabling external access to an internal website (intranet) hosted on an internal server. Communication occurs on HTTP/port 80.

1. Access the Reverse Proxy Settings

  1. Click SHOW; after you click it, the label changes to HIDE.
  2. Click the Gear icon next to Reverse Proxy Settings.

2. Add Reverse Proxy Settings

Adding Reverse Proxy Settings

Click Add to create a new reverse proxy instance. You configure this new reverse proxy instance to access the intranet.

3. Define Features Used by Reverse Proxy

Enabling Reverse Proxy Settings

Click Enable Reverse Proxy Settings. The toggle changes to YES.

The Unified Access Gateway identity bridging feature can be configured to provide single sign-on (SSO) to legacy web applications that use Kerberos constrained delegation (KCD) or header-based authentication. The identity bridging feature is covered in <link to chapter>.

4. Configure Intranet Reverse Proxy Settings

Configuring Intranet settings for Reverse Proxy
  1. Enter intranet for the Instance Id, which is a unique name to identify and differentiate a web reverse proxy instance from all other web reverse proxy instances.
  2. Enter a Proxy Destination URL, for example, http://intranet.corp.local. This URL represents the web application address on the internal network.
  3. Enter (|/intranet(.*)|) for Proxy Pattern, which specifies the value in regular expression format that matches the URIs that are related to the intranet URL (proxyDestinationUrl). For the intranet server, a forward slash intranet (/intranet) is the value used to access the intranet home page when using the Unified Access Gateway appliance.
  4. Click Save.

Additional parameters can be configured for this type of reverse proxy. For more details, see Configure Reverse Proxy with Workspace ONE Access in the VMware Unified Access Gateway Documentation.

5. Close the Reverse Proxy Settings

Click Close.

6. Validate Reverse Proxy Configuration

Validating reverse proxy configuration for intranet
  1. Click the arrow for Reverse Proxy Settings.
  2. Click the refresh icon for the Edge Service Settings.
  3. Confirm the intranet proxy status is green.

After you add the reverse proxy settings for intranet, the Unified Access Gateway appliance tests the communication between the appliance and intranet. The status turns green if a connection is possible, otherwise, it turns red.

Note: It may take a few minutes for the intranet proxy to show as green. Click the refresh icon until the status changes to either green or red.

7. Access Intranet Through Reverse Proxy

Intranet access through Reverse Proxy
  1. Click the New Tab button.
  2. Enter an intranet address, for example, https://uag.airwlab.com/intranet in the address bar and press Enter.

In this example, the result is a sample intranet page hosted on an internal IIS server.

  • Access to the intranet is through Unified Access Gateway port 443, as a result of the TLS port sharing configuration enabled by default during deployment.
  • Access to the Unified Access Gateway administration console is through Unified Access Gateway port 9443 and IP 172.16.0.20, associated with the internal NIC.

Configuring Web Reverse Proxy to Access an SSL Website

To access an internal SSL website, additional configuration is required to establish trust between Unified Access Gateway and the internal website. This section helps you to configure the existing intranet reverse proxy instance to access an SSL website. Communication occurs on HTTPS/port 443.

1. Access the Reverse Proxy Settings

In the Unified Access Gateway administration console, click the Gear icon next to Reverse Proxy Settings.

2. Add Reverse Proxy Settings

Access the instance configuration

Click the Gear icon to update the intranet configuration settings.

3. Configure Intranet Reverse Proxy Settings

Configuring Intranet settings for Reverse Proxy
  1. Change the Proxy Destination URL to include https, for example, https://intranet.corp.local.
  2. Enter the Proxy Destination URL Thumbprints, for example, sha1=1a bd c3 3d be dd 1e 4a 57 ae 54 9b d7 8a 8c 20 cb 40 a5 59. This value represents the list of acceptable SSL server certificates.
  3. Click Save.

Note: A thumbprint is in the format [alg=]xx:xx, where alg can be sha1, the default, or md5. The xx values represent hexadecimal digits. The : separator can also be a space or omitted. If you do not configure the thumbprints, the server certificates must be issued by a trusted CA.
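
A parser for the thumbprint format described in the note, with a check of a configured value against a certificate, added here as an example; it is not VMware's code. The function names are assumptions, and the sample certificate bytes are a constructed stand-in rather than the tutorial's intranet certificate.

```python
import hashlib
import hmac
import re
import ssl

# Digest sizes in bytes for the two algorithms the note names.
DIGEST_BYTES = {"sha1": 20, "md5": 16}

# Constructed stand-in for the DER encoding of the internal server certificate.
SAMPLE_DER = b"constructed stand-in for the DER bytes of intranet.corp.local"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def parse_thumbprint(value):
    """Parse '[alg=]xx:xx' into (alg, lowercase hex digits).

    The ':' separator may also be a space or omitted; alg defaults to sha1.
    """
    value = value.strip()
    alg, sep, digits = value.partition("=")
    if not sep:
        alg, digits = "sha1", value
    alg = alg.strip().lower()
    if alg not in DIGEST_BYTES:
        raise ValueError(f"unsupported algorithm: {alg!r}")
    hexstr = re.sub(r"[:\s]", "", digits).lower()
    if not re.fullmatch(r"[0-9a-f]*", hexstr):
        raise ValueError("thumbprint contains non-hexadecimal characters")
    # A truncated copy-paste is the usual failure; reject it instead of
    # silently pinning a value that can never match.
    if len(hexstr) != 2 * DIGEST_BYTES[alg]:
        raise ValueError(
            f"{alg} thumbprint must be {DIGEST_BYTES[alg]} bytes, "
            f"got {len(hexstr) / 2:g}"
        )
    return alg, hexstr


def format_thumbprint(der_cert, alg="sha1"):
    """Compute the thumbprint of a DER certificate in 'alg=xx xx ...' form."""
    digest = hashlib.new(alg, der_cert).hexdigest()
    pairs = " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return f"{alg}={pairs}"


def thumbprint_matches(configured, der_cert):
    """True if the configured thumbprint is the hash of this certificate."""
    alg, expected = parse_thumbprint(configured)
    actual = hashlib.new(alg, der_cert).hexdigest()
    return hmac.compare_digest(actual, expected)


def thumbprint_matches_pem(configured, pem_text):
    """Same check for a PEM file such as one exported from the web server."""
    return thumbprint_matches(configured, ssl.PEM_cert_to_DER_cert(pem_text))


if __name__ == "__main__":
    pinned = format_thumbprint(SAMPLE_DER)
    print(pinned, thumbprint_matches_pem(pinned, SAMPLE_PEM))
```

Because the thumbprint is computed over the whole certificate, a renewed certificate on the internal server no longer matches, and the configured value must be updated at the same time.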

Additional parameters can be configured for this type of reverse proxy. For more details, see Configure Reverse Proxy with Workspace ONE Access in the VMware Unified Access Gateway Documentation.

4. Close the Reverse Proxy Settings

Click Close.

5. Validate Reverse Proxy Configuration

Validating reverse proxy configuration for intranet
  1. Click the arrow for Reverse Proxy Settings.
  2. Click the refresh icon for Edge Service Settings
  3. Confirm the intranet proxy status is green.

After you add the reverse proxy settings for intranet, the Unified Access Gateway appliance tests the communication between the appliance and intranet. The status turns green if a connection is possible, otherwise, it turns red.

Note: It may take a few minutes for the intranet proxy to show as green. Click the refresh icon until the status changes to either green or red.

6. Access Intranet Through Reverse Proxy

Intranet access through Reverse Proxy
  1. Click the New Tab button.
  2. Enter an HTTPS address, for example, https://uag.airwlab.com/intranet in the address bar and press Enter.

In this example, the result is a sample intranet page hosted on an internal IIS server. However, Unified Access Gateway is now connecting to the intranet on port 443 using HTTPS.

  • Access to the intranet is through Unified Access Gateway port 443, as a result of the TLS port sharing configuration enabled by default during deployment.
  • Access to the Unified Access Gateway administration console is through Unified Access Gateway port 9443 and IP 172.16.0.20, associated with the internal NIC.

Adding Certificate-Based Authentication to the Intranet Website

All users can access the intranet based on the current web reverse proxy configuration. You can restrict access to the intranet to some users by adding a device certificate as the authentication method on the Unified Access Gateway appliance.

This section helps you to add certificate-based authentication and grant access to the intranet only for users who have a certificate installed on their device. The user certificate must match the root certificate set on the Unified Access Gateway appliance.

1. Enable X.509 Certificate Settings

In the Unified Access Gateway administration console:

  1. Click SHOW next to Authentication Settings.
  2. Click the Gear icon next to X.509 Certificate.

1.1. Upload Certificate to Unified Access Gateway Appliance

Access the instance configuration
  1. Click NO to enable X.509 Certificate; after you click NO, it changes to YES.
  2. Click Select to upload the Root and Intermediate CA Certificates.
  3. Enter the path to your certificates, for example, C:\AW Tools and press Enter.
  4. Click the combo box and select All Files.
  5. Select your certificate, for example, root-corplocal.pem.
  6. Click Open.
  7. Click Save.

After you click Save, the message Configuration saved successfully appears. The certificate has been uploaded and added to the Unified Access Gateway Appliance certificate store.

Important: In this example, only the ROOT certificate is used during the authentication process. In a production environment, you will have ROOT and INTERMEDIATE certificates available, and you must upload both to the Unified Access Gateway appliance.

2. Enable Certificate Authentication for Intranet Website

Open Intranet settings

The next step is to configure Unified Access Gateway to require certificate authentication for intranet access.  
Select the Gear icon for Reverse Proxy Settings.

2.1. Edit the Intranet Reverse Proxy Settings

Select the Gear icon for the intranet Instance.

2.2. Configure Intranet Reverse Proxy Settings

Configuring Intranet settings for Reverse Proxy

Click More.

2.3. Configure the Authentication Method

Set Auth Method
  1. Select certificate-auth for Auth Method.
  2. Click Save.

2.4. Close the Reverse Proxy Settings

Click Close.

3. Import the User Certificate to the Local Windows Store

Open Chrome Settings
  1. In Google Chrome, click the three dots next to the URL address bar.
  2. Click Settings.

3.1. Access the Certificate Settings

Access to Certificate Settings
  1. Enter Certificate in the search text box.
  2. Select Manage certificates.

3.2. Choose Import Certificate

Start Import of certificate

Click Import under the Personal tab.

3.3. Start the Certificate Import Wizard

Click Next

Click Next.

 

3.4. Choose the User Certificate

Select the User Certificate
  1. Click Browse.
  2. Enter the certificate path, for example, C:\AW Tools and press Enter.
  3. Click the combo box and select Personal Information Exchange (*.pfx).
  4. Select the user certificate, for example, user-corplocal.pfx. This user certificate should match the root certificate previously uploaded to the Unified Access Gateway appliance.
  5. Click Open.
  6. Click Next.

3.5. Enter the User Certificate Password

Provide Password
  1. Enter a Password, for example, VMware1!.
  2. Click Next.

3.6. Choose the Personal Certificate Store

Certificate Imported

Keep the default selection and click Next.

The certificate will be imported to the Personal store.

3.7. Complete the Certificate Import Wizard

Finish

Click Finish.

3.8. Confirm Certificate was Imported

Certificate imported

Click OK. The list of certificates is refreshed and the user certificate is listed as part of the Personal Store.

You have now imported the user certificate. The next step is to import the root certificate.

4. Import the Root Certificate to the Local Windows Store

Import Trusted Root

Import the Root certificate to complete the client-side configuration.

  1. Select Trusted Root Certification Authorities.
  2. Click Import.

4.1. Start the Certificate Import Wizard

Next

Click Next.

4.2. Choose the Root Certificate

Importing the root certificate
  1. Click Browse.
  2. Enter the path to your root certificate, for example, C:\AW Tools and press Enter.
  3. Click the combo box and select All Files (*.*).
  4. Select the root certificate that was uploaded to the Unified Access Gateway appliance, for example, root-corplocal.pem.
  5. Click Open.
  6. Click Next.

4.3. Choose the Trusted Root Certification Authorities Store

Confirm

Click Next to confirm that you want to import the certificate under the Trusted Root Certification Authorities Store.

4.4. Complete the Certificate Import Wizard

Finish

Click Finish.

4.5. Confirm the Certificate Warning and Install (If Prompted)

Confirm

Click Yes to confirm the installation of the certificate.

4.6. Confirm the Certificate was Imported

Import successful

Click OK.

4.7. Confirm the Root Certificate was Imported

Certificate imported
  1. Confirm that your certificate is listed under Trusted Root Certification Authorities.
  2. Click Close.

5. Test the Certificate Authentication

Opening incognito window
  1. On Google Chrome, click the three dots next to the URL address bar.
  2. Click New incognito window.

5.2. Select the User Certificate

Select the certificate

All the certificates in the Personal store that match the root certificates installed on the Unified Access Gateway appliance are shown in the certificate list. In this exercise, only one root certificate was uploaded for the domain intranet.corp.local, and there is only one certificate in the key store that matches this root. Therefore, only one certificate is listed.

  1. Select the certificate.
  2. Click OK.

 

5.3. Confirm Certificate Authentication was Successful

Intranet

The intranet page is displayed and is only accessible from external networks to users that have the correct certificate.

Click Close.

Conclusion

In this set of exercises, you have learned how to:

  • Deploy the VMware Unified Access Gateway on a two-NIC configuration using PowerShell script
  • Configure Web reverse proxy to access internal Web sites through HTTP and HTTPS protocols
  • Configure device certificate authentication to secure and restrict access to internal websites through Web reverse proxy configuration

For more information, see the VMware Unified Access Gateway documentation.

Getting Started with Identity Bridging: Kerberos Setup

Introduction

Today's workforce depends on mobility and organizations must enable their workforce through multiple ways—this enablement can lead to a review of internal procedures, technologies, IT security requirements, and so on. As part of this process, providing external access to internal web applications is one of the top priorities for IT leaders to enable the workforce. Security is the primary requirement; providing the best user experience without compromising security is key.

Unified Access Gateway allows secure access to internal applications through multiple edge services. This section demonstrates how identity bridging can provide external access and single sign-on to internal legacy applications (non-SAML applications) using Kerberos constrained delegation (KCD).

Identity bridging on Unified Access Gateway acts as a proxy that sits in front of web applications and translates the user identity to Kerberos. The user provides their identity through SAML or a certificate, and Unified Access Gateway translates that identity and uses KCD to perform the authentication against the internal applications.

The identity bridging mode can be configured with Workspace ONE in the cloud to authenticate users. When a user requests access to a legacy Web application, the identity provider (IdP) applies the applicable authentication and authorization policies.

This section guides you through the entire process on how to configure identity bridging and covers all the requirements.

These exercises cover Kerberos configuration on Windows Server 2016.

Procedures include:

  • Understanding Kerberos Delegation
  • Configuring Internet Information Server (IIS) to support Kerberos Authentication
  • Configuring Kerberos Delegation on the Service Account

After you complete the initial identity bridging configuration, you can configure one of two options:

 The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

The steps in this exercise focus only on Kerberos configuration, so there is no need to download any VMware software. The following prerequisites are required:

  • AD account with administrator privileges to configure Kerberos delegation.
  • Administrator access to the IIS Web Server to perform Kerberos configuration on the websites that will be accessible through Unified Access Gateway.

 

Kerberos Delegation Overview

Kerberos delegation allows a configured system and user to request Kerberos tokens on behalf of another user.

Because Unified Access Gateway is not joined to the domain, you must add Active Directory (AD) domain Kerberos support to Unified Access Gateway. This process is done with a keytab file, which contains the necessary security tokens/hashes for Unified Access Gateway to interact with AD. The keytab file also contains information about the user delegated to request Kerberos tokens on another user's behalf.

Microsoft recommends that each internal web application has its own delegated user and therefore different keytab files. It is possible to have one delegated user and one keytab file for many different internal apps, but if the keytab file is compromised, you risk access to all internal apps. When you have one user and keytab file per application this allows you to deactivate access to only one system at a time.

Although creating the user and keytab file for each application requires more administration, there are clear security benefits.

A Kerberos realm is the domain over which a Kerberos server has the authority to authenticate. A realm is your trust boundary. In AD Kerberos, the trust boundary contains your clients, AD servers, and application servers, all joined to the domain. Each one trusts the other because they are all part of the same Kerberos realm.

This exercise uses the following environment configuration:

  • AD Domain / Kerberos realm — CORP.LOCAL
  • Internal web server computer name — INTRANET
  • Internal web server URL — http://it.corp.local
  • Internal web application (Kerberos enabled) — http://it.corp.local/itbudget
  • URL used in Workspace ONE Web to access the internal web site through Unified Access Gateway — https://uag.airwlab.com/itbudget
  • User for Kerberos delegation: iis_it (UPN: iis_it@CORP.LOCAL)

Authentication Flow

The following diagram describes all the steps used by identity bridging with SAML to Kerberos authentication on Unified Access Gateway. Understanding Kerberos is critical to successfully configure identity bridging.

Authentication Flow
  1. Client navigates to the application URL (https://uag.airwlab.com/itbudget).
  2. Client is redirected to the IdP (Workspace ONE) for authentication (https://vidm.airwlab.com). The IdP issues a SAML assertion upon authentication.
  3. Client passes the SAML assertion to Unified Access Gateway (http://uag.airwlab.com). Unified Access Gateway validates that the SAML assertion is from a trusted IdP.
  4. Unified Access Gateway extracts the client’s username from the SAML assertion and requests a Kerberos ticket from Active Directory (CORP.LOCAL) on behalf of that user.
  5. Unified Access Gateway authenticates against the internal web server (https://it.corp.local) using the Kerberos ticket obtained from AD.

Configuring Kerberos Delegation

This exercise helps you to configure Kerberos delegation for the IIS IT service account that has been assigned to handle Kerberos delegation for the IIS website.

1. Configure Service Account in Active Directory

IIS IT User

Confirm that your service account is available in the Active Directory Users and Computers management console. This example uses the CORP\IIS_IT (IIS IT) account.

  1. Click the Active Directory Users and Computers icon from the taskbar.
  2. Navigate to Users.
  3. Confirm your IT user exists.

1.1. Configure Service Principal Name (SPN) for Service Account

The next step is to assign a Service Principal Name (SPN) entry for the name the website has to respond to, for example, IT.CORP.LOCAL.

The SPN can be associated with a web server machine name or service account under which the application pool's web server will be running. It can be a Local System, Network Service, or a domain account; the SPN must be unique.

If the IIS website only needs to be available by the server name on which it is located, you would not need to create additional SPN entries as these already exist in the server account INTRANET in Active Directory. In this example, the DNS name is IT.CORP.LOCAL and the web server machine is INTRANET, and you create an SPN entry HTTP/IT.CORP.LOCAL for the user account CORP\IIS_IT.

Important: For Kerberos authentication to succeed in a load-balanced scenario, the web servers must use an alternate credential that is shared by all members of the array. The credential must also be associated with the array-specific SPNs. This shared credential may be either a computer account or a service account and must be known by every web server within the array.

Load balancing is outside the scope of this exercise. For more information, see the Microsoft article: Using Kerberos with a Client Access Server Array or a Load-Balancing Solution.

1.2. Assign Service Principal Name to Service Account

Setspn for HTTP/it.corp.local
  1. Click the Command Prompt icon from the taskbar on the intranet VM.
  2. Enter the command setspn /s HTTP/it.corp.local CORP\iis_it and press Enter.
    Replace it.corp.local with your DNS name and CORP\iis_it with your IT service user.
  3. Confirm that the command was successful, noted by the Updated object output.

With this command, you are giving permission to the user, CORP\IIS_IT, to decrypt Kerberos tickets, when users access these addresses and authenticate sessions.

1.3. Assign Delegation Rights to the Service Account

Select IIS IT User

Return to the Active Directory Users and Computers management console.

  1. Click the Active Directory Users and Computers icon from the taskbar.
  2. Right-click your user, for example, IIS IT.
  3. Click Properties.

1.4. Update Delegation Settings

Set User account for Delegation
  1. Select the Delegation tab.
  2. Select Trust this user for delegation to specified services only.
  3. Select Use any authentication protocol.
  4. Click Add.

1.6. Search for the Intranet Object Name

Search Intranet computer
  1. Enter your machine name, for example, intranet.
  2. Click OK.

1.7. Select the HTTP Service

Select HTTP protocol
  1. Select http for INTRANET computer in the Available services list.
  2. Click OK.

1.8. Add HTTP Service for the Delegation

Add HTTP as Service
  1. Confirm that http for INTRANET computer was added to the list of services to which the IIS_IT account can present delegated credentials. The computer value refreshes the next time you select the Delegation tab; instead of INTRANET, you should see INTRANET.CORP.LOCAL.
  2. Click OK.

You have now authorized a specific user (IIS_IT) to delegate the logged-in user's credentials to any HTTP service on the INTRANET machine. This setting varies depending on the type of SPN you have registered and might fall under any one of the below categories.

2. Create a Keytab File

Creating Keytab file

The keytab file is the token used to connect to Active Directory and request an authentication ticket without a login password. Keytab can only be generated through Windows Server OS.

Service names are not case sensitive for Active Directory, but they are case sensitive for Kerberos. However, you may use the following conventions:

  • Kerberos realms (and Active Directory Domains) are written in uppercase.
  • Hostnames are written in lowercase.
  • Database lookups are case sensitive.

Note: The case-sensitive constraint means that the principal names expressed in the mappings must be written using the same case as those returned by a domain-name lookup. The Active Directory is not case sensitive, while Kerberos is case sensitive.

Ensure you are logged in to your domain controller to generate the keytab file.

This example illustrates the best practice for the components of the SPN:

  • HTTP—All uppercase letters.
  • it.corp.local—All lowercase letters.
  • CORP.LOCAL—All uppercase letters.

  1. Open Command Prompt.
  2. Enter the following command and press Enter:
    ktpass /princ HTTP/it.corp.local@CORP.LOCAL /mapuser iis_IT@CORP.LOCAL /mapOp set /pass VMware1! /crypto all /ptype KRB5_NT_PRINCIPAL /out C:\it.keytab
    • Replace HTTP/it.corp.local@CORP.LOCAL with your service principal name.
    • Replace iis_IT@CORP.LOCAL with your service account user.
    • Replace VMware1! with your password.

This command creates a file named it.keytab in C:\. This file is used to configure identity bridging on Unified Access Gateway.

The following list describes the ktpass tool parameters.

  • /princ — Specifies the principal name in the form HTTP/it.corp.local@CORP.LOCAL that you created in Assign Service Principal Name to Service Account. Warning: This parameter is case sensitive, and there is no validation to see if the parameter matches the exact case of the userPrincipalName attribute value when generating the keytab file.
  • /mapuser — Maps the name of the Kerberos principal, which is specified by the princ parameter, to the specified domain account.
  • /mapOp — Specifies how the mapping attribute is set. In this case, set sets the value for Data Encryption Standard (DES)-only encryption for the specified local user name.
  • /crypto — Specifies the keys that are generated in the keytab file.
  • /ptype — Specifies the principal type; KRB5_NT_PRINCIPAL is the general principal type (recommended).
  • /out — Specifies the name of the Kerberos version 5 keytab file to generate
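
The keytab holds one long-term key per encryption type for the mapped account, so it is worth inspecting before it is uploaded to Unified Access Gateway. The following Python script is an added example, not part of the original tutorial or of VMware's or Microsoft's tooling: it parses the MIT keytab layout (version 0x0502), lists principals and key types without returning key bytes, and flags deprecated DES/RC4 keys, departures from the case conventions above, and multiple principals in one file. The function names and the all-zero sample keytab are constructed for illustration.

```python
import struct

# Kerberos enctype number -> (name, deprecated?). DES was retired by RFC 6649 and
# RC4-HMAC by RFC 8429; AES types are the ones to keep.
ENCTYPES = {1: ("des-cbc-crc", True), 3: ("des-cbc-md5", True), 23: ("rc4-hmac", True),
            17: ("aes128-cts-hmac-sha1-96", False), 18: ("aes256-cts-hmac-sha1-96", False)}

class _Reader:
    """Bounds-checked big-endian reader over one keytab entry."""

    def __init__(self, buf):
        self.buf, self.off = buf, 0

    def num(self, fmt):
        (value,) = struct.unpack_from(fmt, self.buf, self.off)
        self.off += struct.calcsize(fmt)
        return value

    def counted(self):
        length = self.num(">H")
        chunk = self.buf[self.off:self.off + length]
        if len(chunk) != length:
            raise ValueError("truncated counted field")
        self.off += length
        return chunk

def parse_keytab(data):
    """Parse a version 0x0502 keytab. Key bytes are skipped and never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # a negative size marks a deleted slot
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated entry")
        r = _Reader(data[pos:pos + size])
        pos += size
        count = r.num(">H")                # component count excludes the realm
        realm = r.counted().decode()
        name = "/".join(r.counted().decode() for _ in range(count))
        name_type = r.num(">I")
        r.num(">I")                        # timestamp, not needed here
        kvno = r.num(">B")
        enctype = r.num(">H")
        r.counted()                        # key bytes: consumed and discarded
        if len(r.buf) - r.off >= 4:        # optional 32-bit kvno wins when non-zero
            kvno = r.num(">I") or kvno
        label, weak = ENCTYPES.get(enctype, (f"enctype-{enctype}", False))
        entries.append({"principal": f"{name}@{realm}", "name_type": name_type,
                        "kvno": kvno, "enctype": label, "weak": weak})
    return entries

def audit_keytab(data):
    """Return (entries, findings) for the conventions this tutorial describes."""
    entries, findings = parse_keytab(data), []
    principals = sorted({e["principal"] for e in entries})
    if len(principals) > 1:                # one delegated account per application
        findings.append("multiple principals: " + ", ".join(principals))
    for principal in principals:
        name, _, realm = principal.rpartition("@")
        host = name.partition("/")[2]
        if realm != realm.upper():
            findings.append(f"{principal}: realm is not uppercase")
        if host != host.lower():
            findings.append(f"{principal}: host name is not lowercase")
    for e in entries:
        if e["weak"]:
            findings.append(f"{e['principal']} kvno {e['kvno']}: deprecated {e['enctype']} key")
    return entries, findings

def build_sample_keytab(principal, enctypes, kvno=3):
    """Construct a keytab with all-zero dummy keys (sample data, not a real secret)."""
    name, realm = principal.rsplit("@", 1)
    parts = name.split("/")
    out = b"\x05\x02"
    for enctype, keylen in enctypes:
        body = struct.pack(">H", len(parts))
        for text in [realm] + parts:
            body += struct.pack(">H", len(text)) + text.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, time 0
        body += struct.pack(">HH", enctype, keylen) + bytes(keylen)
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

# Constructed sample: the page's principal with the (enctype, key length) pairs
# for the DES, RC4 and AES key types that ktpass documents for /crypto.
CRYPTO_ALL = [(1, 8), (3, 8), (23, 16), (18, 32), (17, 16)]
SAMPLE = build_sample_keytab("HTTP/it.corp.local@CORP.LOCAL", CRYPTO_ALL)

if __name__ == "__main__":
    for finding in audit_keytab(SAMPLE)[1]:
        print("FINDING:", finding)
```

To check a real file, pass its bytes to audit_keytab, for example the contents of C:\it.keytab read in binary mode.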

Configuring Kerberos Authentication on IIS Website

In this exercise, you connect to a machine in your intranet and configure Kerberos authentication on Internet Information Services (IIS). This example uses a VM called Intranet VM.

1. Log In to the Intranet VM

Enter your credentials on your intranet machine.

  1. Enter your password.
  2. Click the Login button, or press Enter.

2. Launch IIS

Launch IIS

Click the IIS Manager icon from the toolbar.

3. Configure IIS Website

Configure Authentication Method
  1. Expand INTRANET.
  2. Expand Sites.
  3. Select IT Site.
  4. Double-click Authentication.

3.1. Enable Windows Authentication Method

Set Windows Authentication
  1. Select Windows Authentication.
  2. Click Enable.

Note: Make sure Anonymous Authentication, ASP.NET Impersonation, and Basic Authentication are Disabled. When you install IIS for the first time, Anonymous Authentication is always enabled by default.

3.2. Configure Authentication Providers

Access to List of Providers

After you enable the Windows authentication method, you can set up the authentication providers.

Click Providers to open the list of providers available for Windows authentication.

3.3. Configure Providers

Configuring Providers

In this example, Negotiate and NTLM have already been configured as the two enabled providers available. In a new IIS installation, you must install the providers as part of the IIS installation, and add those here.  This procedure is outside the scope of this exercise.

Negotiate is a container that uses Kerberos as the first authentication method. If the authentication fails, NTLM is used, which means username and password will be used.

Important: It is mandatory that Negotiate comes first in the list of providers. Confirm that Negotiate is first and NTLM second.

Click X to close the dialog box.

3.4. Configure Kernel-Mode Authentication

Access Advanced Settings

Click Advanced Settings...

 

3.5. Enable Kernel-Mode Authentication

Enable Kernel Mode
  1. Select the Enable Kernel-mode authentication check box.
  2. Click OK.

Keep Extended Protection Off for this exercise. However, in a production environment you should configure this option, as it enhances the existing Windows Authentication functionality to mitigate authentication relay attacks. For more information about Extended Protection, see the Microsoft article Description of the update that implements Extended Protection for Authentication in Internet Information Services (IIS).

4. Configure IIS Application Pool

Configure the Application Pool to launch from a specific account.

4.1. Configure Identity for an Application Pool

Config Application Pools
  1. Select Application Pools.
  2. Select IT in the Application Pools list.
  3. Click Advanced Settings.

4.2. Update the Application Pool Identity

Set new Identity

Click the dot icon for Identity under Process Model.

4.3. Select Custom Account

Set the account
  1. Select Custom account.
  2. Click Set...

4.4. Set Custom Account Credentials

Set Credentials

In this step, select an account to be used to launch the Pool. This example uses CORP\iis_it.

  1. Enter the User name, for example, corp\iis_it.
  2. Enter the Password, for example, VMware1!.
  3. Confirm the password.
  4. Click OK.

4.5. Confirm Custom Account for Application Pool Identity

Confirm Credentials

Click OK to confirm that corp\iis_it is the account to be used by this pool.

4.6. Confirm the Updated Application Pool Identity

Confirm
  1. Confirm that the correct account is listed for Identity.
  2. Click OK.

4.7. Configure Application Pool to use Identity Credentials

Access Configuration Editor
  1. Select the IT website.
  2. Double-click Configuration Editor.

4.8. Select Windows Authentication

Select Authentication Configuration
  1. Open the Section list.
  2. Navigate to system.webServer > security > authentication > windowsAuthentication.

4.9. Update Windows Authentication Configuration

Select Pool to use Credentials
  1. Click the dropdown arrow for useAppPoolCredentials.
  2. Select True for useAppPoolCredentials.
  3. Click Apply.

When you set useAppPoolCredentials to True, you tell IIS to use its application pool identity (which you set to CORP\iis_it) to decrypt the Kerberos ticket that was obtained from AD and forwarded by the client to the server to authenticate the user.

4.10. Reset IIS

  1. Click the Command Prompt icon from the taskbar.
  2. Enter iisreset and press Enter.
  3. Confirm IIS successfully stops and then starts again.

Selecting Identity Bridging Option

Now that you have completed the initial configuration for identity bridging, select one of the following two options.

 

Configuring SAML to Kerberos Option for Identity Bridging

Introduction

Unified Access Gateway in identity bridging mode (SAML to Kerberos) acts as the service provider that passes user authentication to the configured legacy applications. Workspace ONE Access acts as an identity provider and provides SSO into SAML applications. When users access legacy applications that require KCD or header-based authentication, Workspace ONE Access authenticates the user. A SAML assertion with the user's information is sent to the Unified Access Gateway. Unified Access Gateway uses this authentication to allow users to access the application.

This section helps you to configure the SAML to Kerberos option in identity bridging by providing SSO to legacy web applications using KCD.

This set of exercises covers a Unified Access Gateway 3.3 deployment with Workspace ONE Access 3.2.1 in vSphere 6.5 U1.

Procedures include:

  • Deploying a Unified Access Gateway appliance with two NICs, one facing the internet and the second one dedicated to management and back end access.
  • Configuring identity bridging on Unified Access Gateway.
  • Configuring Web application (SAML) on Workspace ONE Access.
  • Testing external access to an internal web application (SAML) using SSO through identity bridging (Kerberos).

 The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

1. Authentication Flow

The following diagram describes the authentication flow that you will configure in this section.

Authentication Flow
  1. Client navigates to the application URL (https://uag.airwlab.com/itbudget).
  2. Client is redirected to the IdP (Workspace ONE) for authentication (https://vidm.airwlab.com). The IdP issues a SAML assertion upon authentication.
  3. Client passes the SAML assertion to Unified Access Gateway (http://uag.airwlab.com). Unified Access Gateway validates that the SAML assertion is from a trusted IdP.
  4. Unified Access Gateway extracts the client’s username from the SAML assertion and requests a Kerberos ticket from Active Directory (CORP.LOCAL) on behalf of that user.
  5. Unified Access Gateway authenticates against the internal web server (https://it.corp.local) using the Kerberos ticket obtained from AD.

Prerequisites

Before you can perform the steps in this exercise, you must install and configure the following components:

  • VMware AirWatch 8.4 and later or VMware Workspace ONE UEM 9.5 and later
  • VMware vSphere ESX host with a vCenter Server (vSphere 6® and later)
  • vSphere data store and network to use
  • PowerShell script running on Windows 8.1 or later machines, or Windows Server 2008 R2 or later
  • Windows machine running the PowerShell script with VMware OVF Tool command installed (see OVF Tool Software Download to install OVF Tool 4.3 or later)
  • Obtain a Unified Access Gateway virtual appliance image OVA file, such as .euc-access-point-3.3.X.X-XXXXXXXXXXX.ova (see VMware Product Interoperability Matrixes to determine which version to download)
  • Unified Access Gateway PowerShell script, such as uagdeploy-VERSION.ZIP (download from my.vmware.com, and extract the files into a folder on your Windows machine)
  • Network access from the Unified Access Gateway back end services NIC to the internal website used on the reverse proxy.

Logging In to the vSphere Web Client

To perform most of this exercise, you need to log in to the vSphere Web Client.

1. Launch Chrome Browser

Double-click the Google Chrome browser icon on the desktop.

2. Authenticate to the vSphere Web Client

  1. Launch the Chrome browser from your desktop and click the bookmark for vSphere.
  2. Enter the username, such as administrator@vsphere.local.
  3. Enter the password, such as VMware1!.
  4. Click Login.

After completing the login, you are presented with the vSphere Web Client.

Preparing Web Reverse Proxy INI Settings for Deployment

You can deploy and configure Unified Access Gateway using a PowerShell script.

This section helps you to configure the required INI settings for a Web Reverse Proxy instance during the Unified Access Gateway appliance deployment.

1. Configuring the General Deployment Settings

An INI file containing all the configuration settings is required to deploy the Unified Access Gateway appliance.

In this exercise, you use the uag-ReverseProxy.ini file to provide the respective parameters for your deployment.

You deploy a new Unified Access Gateway appliance called UAG-2NIC, which has two NICs. NIC one is Internet-facing and NIC two is for back end and management.

1.1. Edit the UAG-ReverseProxy.ini File

Editing UAG-2NIC.ini

Navigate to uag-ReverseProxy.ini. In this example, the INI file is located in UAG Resources.

  1. Click the File Explorer icon on the task bar.
  2. Select Desktop.
  3. Select UAG Resources.
  4. Right-click the uag-ReverseProxy.ini file.
  5. Click Edit with Notepad++.

1.2. Configure General Settings (1/2)

General Settings 1/2

In the General section, configure the following parameters. Your values will differ.

  1. For name, enter UAG-2NIC.
  2. For source, enter the path and name of the OVA File. For example, the OVA file is located in C:\Users\Administrator\Desktop\UAG Resources\UAG Files.
  3. For target, enter vi://administrator@vsphere.local:VMware1!@vc.corp.local/Nested_Datacenter/host/Host_Cluster.
    Note: You can replace the password with 'PASSWORD' and the script prompts for the password during the PowerShell execution.
  4. For diskmode, enter thin.
  5. For ds, enter datastore2_ESXi01 (ds refers to data store).
  6. For deploymentOption, enter twonic.

 

1.3. Configure General Settings (2/2)

General Settings 2/2

Continue the General section configuration by setting the following parameters in the INI file.

  1. For ipMode, enter STATICV4.
  2. For defaultGateway, enter 192.168.110.1.
  3. For dns, enter 192.168.110.10.
  4. For ip0, enter 192.168.110.20.
    Note: ip0 is the Internet-facing NIC.
  5. For ip1, enter 172.16.0.20.
    Note: ip1 is the internally facing NIC.
  6. For netmask0 and netmask1, enter 255.255.255.0.
  7. For netInternet, enter DMZ_VM_DPortGroup.
  8. For netManagementNetwork and netBackendNetwork, enter Internal_VM_DPortGroup.

1.4. Configure TLS/SSL Certificates for Unified Access Gateway Appliance

Select Name and Location

SSLCert and SSLCertAdmin contain SSL certificate information for the administration and Internet interfaces.

  1. For pfxCerts under SSLCert, enter C:\AW Tools\airwlab.com.pfx (this certificate is for the Internet interface).
  2. For pfxCerts under SSLCertAdmin, enter C:\AW Tools\airwlab.com.pfx  (this certificate is for the administration interface).

The certificate password is requested during the deployment.

2. Configure Web Reverse Proxy instance

In addition to the regular settings responsible for the appliance configuration, you add an additional section named WebReverseProxy1. The following steps help you to configure a Web reverse proxy instance named itbudget.

  1. For proxyDestinationUrl, enter an internal URL. For example, https://it.corp.local.
  2. For instanceId, enter a name, such as itbudget.
  3. For proxyDestinationUrlThumbprints, enter sha1=b2 56 a1 cf 8b 21 95 22 45 c2 c0 30 91 7c 1b 75 ce 51 74 e5.
  4. For landingPagePath, enter /.
  5. For proxyHostPattern, enter uag.airwlab.com.
  6. For proxyPattern, enter (|/itbudget(.*)|).

You can configure this WebReverseProxy instance in the Unified Access Gateway administration console. However, this exercise shows you how to automate that configuration. The following list describes the required parameters.

  • proxyDestinationUrl — The internal address of the Web application, which is usually the back end URL.
  • instanceId — The unique name to identify and differentiate a Web reverse proxy instance from all other Web reverse proxy instances.
  • proxyDestinationUrlThumbprints — A list of acceptable SSL server certificate thumbprints for the proxyDestination URL.
  • landingPagePath — The page the user is redirected to when accessing the website.
  • proxyHostPattern — External host name used to check the incoming host to see whether it matches the pattern for that particular instance. The host pattern is optional when configuring Web reverse proxy instances.
  • proxyPattern — The matching URI paths that forward to the destination URL.
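
A pre-deployment check for the INI values described above, as an added example that is not part of the original tutorial or of uagdeploy.ps1. It flags a vSphere password embedded in target, validates the sha1= thumbprint form used in this exercise, and optionally compares that pin with the SHA-1 of the back end certificate's DER bytes. The function names, the abbreviated sample INI and the placeholder certificate bytes are constructed, and the check assumes a single thumbprint per instance.

```python
import configparser
import hashlib


def load_ini(text):
    """Parse INI text, keeping key case and treating only '=' as the delimiter."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return parser


def embedded_password(target):
    """Return the password inside a vi://user:password@host/... locator, else None."""
    if not target.startswith("vi://"):
        return None
    authority = target[len("vi://"):].split("/", 1)[0]
    userinfo, at, _host = authority.rpartition("@")    # the user name may contain '@'
    _user, colon, password = userinfo.partition(":")
    if not at or not colon or password == "PASSWORD":  # PASSWORD makes the script prompt
        return None
    return password


def parse_sha1_thumbprint(value):
    """Return the 20 digest bytes of a 'sha1=xx xx ...' value or raise ValueError."""
    algorithm, sep, hex_part = value.strip().partition("=")
    if not sep or algorithm.lower() != "sha1":
        raise ValueError("expected the sha1=<hex bytes> form")
    digest = bytes.fromhex(hex_part)                   # fromhex skips the spaces
    if len(digest) != 20:
        raise ValueError(f"SHA-1 thumbprint must be 20 bytes, got {len(digest)}")
    return digest


def format_sha1_thumbprint(cert_der):
    """SHA-1 over the certificate's DER encoding, laid out as in this exercise."""
    return "sha1=" + " ".join(f"{b:02x}" for b in hashlib.sha1(cert_der).digest())


def lint_uag_ini(text, backend_cert_der=None):
    """Return a list of findings for the deployment INI."""
    ini, findings = load_ini(text), []
    if embedded_password(ini.get("General", "target", fallback="")) is not None:
        findings.append("General/target: vSphere password stored in clear text")
    for section in ini.sections():
        if not section.startswith("WebReverseProxy"):
            continue
        key = f"{section}/proxyDestinationUrlThumbprints"
        pin = ini.get(section, "proxyDestinationUrlThumbprints", fallback="")
        if not pin:
            continue
        try:
            digest = parse_sha1_thumbprint(pin)
        except ValueError as err:
            findings.append(f"{key}: {err}")
            continue
        if backend_cert_der is not None and digest != hashlib.sha1(backend_cert_der).digest():
            findings.append(f"{key}: does not match the supplied certificate")
    return findings


# Constructed sample: a subset of the values entered in this exercise.
SAMPLE_INI = r"""
[General]
name=UAG-2NIC
target=vi://administrator@vsphere.local:VMware1!@vc.corp.local/Nested_Datacenter/host/Host_Cluster
deploymentOption=twonic

[WebReverseProxy1]
proxyDestinationUrl=https://it.corp.local
instanceId=itbudget
proxyDestinationUrlThumbprints=sha1=b2 56 a1 cf 8b 21 95 22 45 c2 c0 30 91 7c 1b 75 ce 51 74 e5
landingPagePath=/
proxyHostPattern=uag.airwlab.com
proxyPattern=(|/itbudget(.*)|)
"""

# Placeholder bytes standing in for a DER-encoded certificate (not a real certificate).
PLACEHOLDER_CERT_DER = b"constructed placeholder, not a real certificate"

if __name__ == "__main__":
    for finding in lint_uag_ini(SAMPLE_INI):
        print("FINDING:", finding)
```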

Deploying Unified Access Gateway Appliance

After you have configured the INI file for your Unified Access Gateway deployment, the next step is to run the uagdeploy.ps1 PowerShell script passing the INI as a parameter.

1. Open PowerShell window

Open PowerShell

Click the PowerShell icon.

2. Deploy Unified Access Gateway Using PowerShell

Running the script

After you run the script, it prompts for input.

  1. Navigate to the folder containing your INI file. For example, enter cd '.\Desktop\UAG Resources' then press Enter.
  2. Enter .\uagdeploy.ps1 .\<uag-tunnel>.ini <password1> <password2> false false no then press Enter.
    Replace <uag-tunnel> with your INI file name.
    Replace <password1> with the root password for the UAG appliance.
    Replace <password2> with the administrator password for REST API management access.
    The first false is to not skip the validation of signature and certificate.
    The second false is to not skip SSL verification for the vSphere connection.
    The no is to not join the VMware CEIP program.
  3. Enter the password for the certificate used in SSLCert and SSLCertAdmin.
  4. Enter the password for the apiuser previously defined on the INI file, which allows Unified Access Gateway to obtain the VMware Tunnel settings from Workspace ONE UEM.

To avoid a password request for the certificate, remove the pfxCerts values and provide a PEM certificate in the INI file. Set the pemCerts and pemPrivKey for the SSLCert and SSLCertAdmin sections in the INI file.

The deployment starts and you can follow the progress in the same window or on your vSphere Web Client.

3. Confirm the PowerShell Script Deployment Completes

Deployment finished
  1. Confirm the deployment has been completed successfully. The Completed successfully text is shown in the output.
  2. Click Close.

After a successful deployment, the script automatically powers on the VM UAG-2NIC.

The Received IP address presented by the script log is a temporary IP; the final IPs for NIC one and NIC two are assigned to the Unified Access Gateway appliance during the first start. Return to the vSphere Web Client and validate the IP address in the next step.

4. Validate Unified Access Gateway Deployment

Validating UAG Appliance status
  1. Click VM and Templates.
  2. Click UAG-2NIC.
  3. Click View all 2 IP addresses.

Important: If the Unified Access Gateway appliance does not finalize the configuration during the first startup, you receive an error message from vSphere Web Client. If that happens, wait for the appliance to finalize, and refresh the entire Google Chrome browser.

5. Log In to Unified Access Gateway Administration Console

UAG Admin UI Login
  1. Click the New Tab button to open a new tab.
  2. Navigate to the Unified Access Gateway administration console URL, for example, https://uagmgt-int.airwlab.com:9443/admin.
  3. Enter the username, for example, admin.
  4. Enter the password, for example, VMware1!.
  5. Click Login.

6. Validate Configuration Settings

Select Configuration Settings

A successful login redirects you to the following screen. Keep this window open as you will return to the administration console later.

Click Select to configure settings manually.

7. Confirm the Web Reverse Proxy Instance is Running

General Settings

Follow the next steps to confirm that a web reverse proxy instance named itbudget has been automatically configured. 

  1. Click SHOW. After you click SHOW, it changes to HIDE.
  2. Click the arrow next to Reverse Proxy Settings.
  3. Confirm that itbudget exists.

Obtaining IdP metadata from Workspace ONE Access

This section helps you to retrieve the IdP metadata file from Workspace ONE Access.

1. Log In to the Workspace ONE Access Administration Console

Access vIDM Console

Return to Google Chrome.

  1. Click the New tab button.
  2. Enter the Workspace ONE Access administration console URL, for example, https://vidm.airwlab.com and press Enter.
  3. Select System Domain.
  4. Deselect the Remember this setting check box.
  5. Click Next.

1.1. Enter the Administrator Credentials

vIDM Credentials
  1. Enter the Username, for example, admin.
  2. Enter the Password, for example, VMware1!.
  3. Click Sign in.

1.2. Navigate to Catalog

vIDM Console

Click Catalog.

1.3. Access Catalog Settings

Access Settings

Click Settings.

1.4. Download the Identity Provider Metadata

Download IdP metadata
  1. Click SAML Metadata.
  2. Right-click Identity Provider (IdP) metadata.
  3. Click Save link as...

You need this file during the identity bridging configuration.

1.5. Save the Identity Provider Metadata

Save the IdP file
  1. Verify the Downloads folder is selected.
  2. Check the file name for the metadata is set to idp.xml.
  3. Click Save.

1.6. Close the Catalog Settings

Click the Close button to close the Catalog Settings screen.

Configuring Identity Bridging on Unified Access Gateway

You have deployed the Unified Access Gateway appliance and confirmed that the itbudget web reverse proxy was configured. The next steps are performed in the Unified Access Gateway administration console.

1. Configure Identity Provider

Advanced Settings IdP Metadata

Scroll down to Identity Bridging Settings and click the gear icon next to Upload Identity Provider Metadata.

2. Upload the Identity Provider Metadata

Set iDP Metadata

Navigate to the idp.xml file. In this example, idp.xml is located in the Downloads folder.

  1. Click Select.
  2. Select Downloads.
  3. Select idp.xml.
  4. Click Open.
  5. Click Save.

After you click Save, you should see the message Configuration saved successfully.

Note: The Entity ID is retrieved from the IDP metadata XML, so there is no need to manually enter the value.

3. Configure Keytab

Advanced Settings Keytab

Under Identity Bridging Settings, click the gear icon next to Upload Keytab Settings.

4. Update the Keytab Settings

Set Keytab
  1. Enter the Principal Name, for example, HTTP/it.corp.local@CORP.LOCAL.
  2. Click Select.
  3. Select Local Disk (C:) folder.
  4. Select the it.keytab file.
  5. Click Open.
  6. Click Save.

After you click Save, you should see the message Keytab upload is successful.

Note: If you do not enter a Principal Name value, then the first Principal Name found in the keytab file will be used. If your keytab contains multiple Principal Names, you should manually enter Principal Name in Keytab Settings.

5. Configure Realm

Advanced Settings Realm

Under Identity Bridging Settings, click the gear icon next to Realm Settings.

6. Add a Realm Setting

Add Realm Settings

Click Add.

7. Configure the Realm Settings

Realm Settings
  1. Enter the Name of the realm, for example, CORP.LOCAL.
    Note: This entry must use capital letters.
  2. Enter the Key Distribution Centers, for example, corp.local.
  3. Enter 3 for KCD Timeout (in seconds).
  4. Click Save.

After you click Save, you should see the message Configuration saved successfully.

8. Close the Realm Settings

Realm configured

You have configured the Realm settings.

Click Close.

9. Configure Identity Bridging

Access Reverse Proxy settings
  1. If the Edge Service Settings are currently hidden, click the Show toggle to display the settings.
  2. Select the gear icon for Reverse Proxy Settings.

10. Open the itbudget Reverse Proxy Settings

Setup itbudget instance

Select the gear icon for the itbudget reverse proxy Instance.

11. Update the itbudget Reverse Proxy Settings

Config identity bridging
  1. Click NO next to Enable Identity Bridging. It changes to YES after you click it.
  2. Select SAML for Authentication Types.
  3. Select your Identity Provider, for example, https://vidm.airwlab.com.
  4. Select the Keytab, for example, HTTP/it.corp.local@CORP.LOCAL.
  5. Enter the Target Service Principal Name, for example, HTTP/it.corp.local@CORP.LOCAL.
  6. Enter /itbudget for Service Landing Page. After a successful authentication, Unified Access Gateway redirects the user to the Service Landing Page. The default value is /. This value must match your proxy pattern.
  7. Click Download SAML service provider metadata. This will open a dialog box.

Important: Do not click Save at this point. Continue to the next step.

12. Download the SAML Service Provider Metadata

Download SAML SP metadata
  1. Enter the External Host Name, for example, uag.airwlab.com.
  2. Click Download.

An XML file is downloaded to the Downloads folder. This file will be used during the Web App setup in Workspace ONE Access.

13. Save the Reverse Proxy Settings

Config identity bridging

Click Save.

14. Confirm the Reverse Proxy Settings Saved

Configuration saved successfully

Confirm the Configuration is saved successfully message is displayed.

Configuring a Web Application in Workspace ONE Access

This section helps you to configure a web application named IT Budget in Workspace ONE Access.

1. Add New Web App

Add new WebApp

In the Workspace ONE Access administration console:

  1. Click the drop-down arrow next to Catalog.
  2. Click Web Apps.
  3. Click New.

2. Configure Web App

Configure WebApp
  1. Enter a Name, for example, IT Budget.
  2. Enter the Description, for example, Internal website for IT Budget planning.
  3. Click Next.

2.1. Upload SAML Service Provider Metadata

Open xml file

In this step, you navigate to the SAML XML file downloaded in Download the SAML Service Provider Metadata.

  1. Click the File Explorer icon from the taskbar.
  2. Select the Downloads folder.
  3. Right-click the xml file, for example, uag.airwlab.com.xml.
  4. Select Edit with Notepad++.

2.2. Copy the SAML XML

Copy XML
  1. Right-click on the content and click Select All.
  2. Right-click on the content and click Copy.
  3. Click X to close Notepad++.

2.3. Paste the SAML XML

Configuring SSO for WebApp

Return to the Workspace ONE Access Console.

  1. Right-click in the URL/XML text box.
  2. Click Paste, and confirm that the copied text is entered.
  3. Click Next.

2.4. Define Access Policies

Set Access Policies

Click Next.

You will use the default access policy already defined in Workspace ONE Access.

2.5. Save Web App Configuration

Save WebApp configuration

Click Save & Assign.

3. Assign Web App to an Active Directory Group

  1. Enter ALL USERS in the Users / User Groups text box.
  2. Select ALL USERS.

3.1. Update the Deployment Type and Save

Group Assignment
  1. Select Automatic in the drop-down menu for Deployment Type.
  2. Click Save.

Testing Access to Web Application using SSO through Identity Bridging

Open new incognito window

You now have the IT Budget web application configured and added to the catalog.

  1. In Google Chrome, click the three dots menu on the upper-right corner.
  2. Select New incognito window.

1. Access the Intranet Site

Access internal website via UAG
  1. Enter your intranet address, for example, https://uag.airwlab.com/itbudget and press Enter.

2. Select the Domain

Select domain

You are redirected to Workspace ONE Access for authentication on your domain, for example, corp.local.

Click Next.

3. Enter Domain User Credentials

Enter credentials
  1. Enter your username, for example, imauser.
  2. Enter your password, for example, VMware1!.
  3. Click Sign in.

4. Confirm Access after Successful Authentication

Successful access via SAML to Kerberos

You should see the internal website after a successful authentication.

 

5. Validate Kerberos Authentication

Launch Event Viewer

Return to your intranet machine and open Event Viewer.

6. View Logon Logs

View Logon Log
  1. Expand the Windows Logs node.
  2. Select Security.
  3. Select one Logon Category event.
  4. Select the Details tab.
  5. Click the XML View toggle.
  6. The log details show an authentication on behalf of the user imauser using Kerberos.
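
The same check can be scripted against the XML that the XML View toggle displays. The following is an added example, not part of the original tutorial: the event content is constructed, and it assumes the logon is recorded as Security event 4624 with the standard TargetUserName, LogonType, and AuthenticationPackageName data fields.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def sample_event(auth_package, user="imauser"):
    """Constructed, trimmed logon event in the shape of Event Viewer's XML View."""
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <EventID>4624</EventID>
    <Computer>it.corp.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">{auth_package}</Data>
  </EventData>
</Event>"""


def check_kerberos_logon(event_xml, expected_user):
    """Return a list of problems; empty means a Kerberos network logon for the user."""
    try:
        root = ET.fromstring(event_xml)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    event_id = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    # Flatten <Data Name="...">value</Data> elements into a dictionary.
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}

    problems = []
    if event_id.strip() != "4624":
        problems.append(f"EventID is {event_id or 'missing'}, expected 4624 (successful logon)")
    user = data.get("TargetUserName", "")
    if user.lower() != expected_user.lower():
        problems.append(f"TargetUserName is {user or 'missing'}, expected {expected_user}")
    package = data.get("AuthenticationPackageName", "")
    if package != "Kerberos":
        # NTLM or a missing value means the bridged request did not use Kerberos.
        problems.append(f"AuthenticationPackageName is {package or 'missing'}, not Kerberos")
    if data.get("LogonType") != "3":
        problems.append(f"LogonType is {data.get('LogonType', 'missing')}, expected 3 (network)")
    return problems


if __name__ == "__main__":
    for package in ("Kerberos", "NTLM"):
        result = check_kerberos_logon(sample_event(package), "imauser")
        print(package, "->", result or "OK")
```

An empty result confirms what the Details tab shows by eye. An NTLM value on the same request path indicates that the web server accepted a fallback logon instead of the delegated Kerberos ticket.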

 

Conclusion

In this set of exercises, you have learned how to:

  • Deploy the VMware Unified Access Gateway on two NICs and configure a Web reverse proxy instance using a PowerShell script
  • Configure Internet Information Server (IIS) to support Kerberos authentication
  • Set up Kerberos delegation on the service account
  • Configure a Web application (SAML) on Workspace ONE Access
  • Configure identity bridging for a Web reverse proxy instance on Unified Access Gateway to provide single sign-on (SSO) to legacy Web applications

For more information, see the VMware Unified Access Gateway documentation.

Configuring Certificate to Kerberos Option for Identity Bridging

Introduction

Unified Access Gateway in identity bridging mode acts as the service provider that passes user authentication to the configured legacy applications.

When you use VMware Workspace ONE Web (formerly VMware Browser) to access the target website, the target website acts as the reverse proxy. Unified Access Gateway validates the presented certificate. If the certificate is valid, the browser displays the user interface page for the back-end application.

This section helps you to configure the certificate to Kerberos option in identity bridging to provide SSO for legacy web applications using Workspace ONE Web and Unified Access Gateway. You also learn how to leverage Workspace ONE UEM to deploy and manage the user certificate life cycle on the device, automating the entire process and eliminating manual configurations.

Any browser can be used to access the internal web application through Unified Access Gateway. However, other browsers open a dialog requesting the user certificate. Workspace ONE Web does not request a user certificate initially, because the browser checks the local certificate store for a certificate that matches the one requested, which provides a silent experience to the end user. In this scenario, you can still use Workspace ONE UEM to deploy and manage the user certificate on managed devices.

These exercises cover a Unified Access Gateway 3.3 deployment integrated with Workspace ONE UEM 9.6.

Procedures include:

  • Deploying a Unified Access Gateway appliance with two NICs, one facing the internet and the second one dedicated to management and back end access
  • Configuring Identity Bridging on Unified Access Gateway
  • Configuring VMware Enterprise Systems Connector to integrate Microsoft AD with Workspace ONE UEM
  • Configuring CA integration in Workspace ONE UEM
  • Configuring Workspace ONE Web to use certificate for authentication
  • Testing SSO access to an internal web application performing certificate to Kerberos authentication through Workspace ONE Web

 The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

1. Authentication Flow

The following diagram describes the authentication flow that you will configure in this section.

Authentication Flow
  1. Client navigates to application URL (https://uag.airwlab.com/itbudget). (The client certificate is sent to Unified Access Gateway in TLS handshake).
  2. Unified Access Gateway checks if the client certificate is valid or revoked.
  3. Unified Access Gateway extracts the client’s UPN from the certificate and requests a Kerberos ticket from Active Directory (CORP.LOCAL) on behalf of that user.
  4. Unified Access Gateway authenticates against the internal web server (https://it.corp.local) using the Kerberos ticket obtained from AD.

Prerequisites

Before you can perform the steps in this exercise, you must install and configure the following components:

  • VMware AirWatch 8.4 and later or VMware Workspace ONE UEM 9.5 and later
  • VMware vSphere ESX host with a vCenter Server (vSphere 6® and later)
  • vSphere data store and network to use
  • PowerShell script running on Windows 8.1 or later machines, or Windows Server 2008 R2 or later
  • Windows machine running the PowerShell script with VMware OVF Tool command installed (see OVF Tool Software Download to install OVF Tool 4.3 or later)
  • Unified Access Gateway PowerShell script, such as uagdeploy-VERSION.ZIP (download from my.vmware.com, and extract the files into a folder on your Windows machine)
  • iPhone, iPad, and iPod Touch devices running iOS 9.0 and later
  • CA Root and Intermediate certificate, and user certificate to configure Device Certificate Authentication

Ensure the following settings are enabled in the Workspace ONE UEM Console:

  • Organization Group created and set as Customer Type 
  • Device Root Certificate issued
  • REST API Key generated at the Organization Group where VMware Tunnel will be enabled

Logging In to the Workspace ONE UEM Console

To deploy a 3rd party macOS app, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser

Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Authenticate In to the Workspace ONE UEM Console

Workspace ONE UEM login screen
  1. Enter your Username, for example, administrator.
  2. Click Next. After you click Next, the Password text box is displayed.
  3. Enter your Password, for example, VMware1!
  4. Click Login.

Note: If you see a Captcha, be aware that it is case sensitive.

Integrating Active Directory and Workspace ONE UEM

This section helps you to integrate Microsoft AD with Workspace ONE UEM.

This integration is required for a few reasons:

  1. The user certificate is generated based on the enrolled user information.
  2. Workspace ONE UEM sends the certificate request to Microsoft CA. This request is based on a certificate template that requires the user information.
  3. To perform Kerberos authentication, a domain account is required.

Perform these exercises on the machine where you will install the VMware Enterprise Systems Connector.

  1. Select Groups & Settings.
  2. Select All Settings.

2. Enable VMware Enterprise Systems Connector

In this step, you enable VMware Enterprise Systems Connector, which acts as a gateway between your devices and internal services such as Microsoft AD, Certificate Authority, SMP Server, and so on.

Enable ACC
  1. Select System.
  2. Select Enterprise Integration.
  3. Select VMware Enterprise Systems Connector.
  4. Select Override.
  5. Select Enabled for Enable VMware Enterprise System Connector.
  6. Select Enable for Enable Auto Update.
  7. Click Save.

3. Download VMware Enterprise Systems Connector

Download

Click Download VMware Enterprise Systems Connector Installer.

3.1. Create a Password for the VMware Enterprise Systems Connector Installer Certificate

Password

When you run the installer, a password is requested. This password allows the import of current settings to the VMware Enterprise Systems Connector.

After you provide the password, the installer is downloaded to the Downloads folder.

  1. Enter VMware1! for the Password.
  2. Enter VMware1! again to confirm the password.
  3. Click Download.

4. Install the VMware Enterprise Systems Connector

Ensure you are logged into the machine where you will install VMware Enterprise Systems Connector.

4.1. Run the VMware Enterprise Systems Connector Installer

Run Installer

After the download completes, click the VMware Enterprise Systems Connector Installer.exe to begin installation.

4.2.

Click Run when prompted to run this software.

4.3. Begin the VMware Enterprise Systems Connector Installer

Click Next.

4.4. Accept the License Agreement Terms

  1. Select I accept the terms in the license agreement.
  2. Click Next.

4.5. Choose the Program Features to Install

  1. Ensure that the AirWatch Cloud Connector is set to install and that the VMware Identity Manager Connector is not set to install.
  2. Click Next.

4.6. Accept the Default Destination Folder

Accept the default destination folder by clicking Next.

4.7. Enter the Certificate Password

  1. Enter the Certificate Password, for example, VMware1!.
  2. Click Next.

4.8. Deactivate Outbound Proxy

Ensure Outbound Proxy is not selected and click Next.

4.9. Begin the Installation Process

Click Install.

4.10. Close the VMware Enterprise Systems Connector Installer

Click Finish.

5. Confirm the VMware Enterprise Systems Connector Installation was Successful

In the Workspace ONE UEM Console:

  1. In the VMware Enterprise Systems Connector settings, scroll down to find the Test Connection button.
  2. Click Test Connection. Ensure the VMware Enterprise Systems Connector is active message is displayed.

6. Integrate Microsoft AD and Workspace ONE UEM

To integrate Active Directory with Workspace ONE UEM, navigate to the Directory Services settings.

  1. Select Directory Services under Enterprise Integration.
  2. Click Skip wizard and configure manually.

6.1. Configure AD Server Settings

Server config
  1. Select Override for Current Settings.
  2. Select Active Directory for Directory Type.
  3. Enter the Server, for example, controlcenter.corp.local.
  4. Select NONE for Encryption Type.
  5. Enter 389 for Port.
  6. Enter 3 for Protocol Version.
  7. Select Disabled for Use Service Account Credentials.
  8. Select GSS-Negotiate for Bind Authentication Type.
  9. Enter the Bind UserName, for example, corp\imaservice.
  10. Enter the Bind Password, for example, VMware1!.
  11. Enter the Domain, for example, CORP.
  12. Select the User tab located on the top.

6.2. Configure AD User Settings

  1. Select Override for Current Settings.
  2. Click the plus icon next to CORP domain.
  3. Select the Base DN, for example, DC=corp, DC=local.
  4. Select the Group tab.

6.3. Configure AD Group Settings

  1. Select Override for Current Settings.
  2. Click the plus icon next to CORP domain.
  3. Select the Base DN, for example, DC=corp, DC=local.
  4. Select Server to return to the server settings.

6.4. Test AD Connection

  1. Scroll down to find the Test Connection button.
  2. Click Test Connection and check for the message Connection successful with the given server name, bind username, and password.
  3. Click Save.

Integrating Certificate Authority with Workspace ONE UEM

This section helps you to integrate Microsoft Certificate Authority (CA) with Workspace ONE UEM, and configure the Certificate Template to be requested by Workspace ONE Web.

This integration is required for a few reasons:

  1. Workspace ONE UEM requests and delivers the user certificate on the user device, fully automated.
  2. Workspace ONE UEM revokes the certificate when the device is unenrolled.
  3. Workspace ONE Web presents the user certificate to Unified Access Gateway when accessing the internal website, to initiate the validation process and transformation of the request to Kerberos.

1. Add Certificate Authority to Workspace ONE UEM

Add

In the Workspace ONE UEM Console,

  1. Navigate to System > Enterprise Integration > Certificate Authorities.
  2. Click Add under the Certificate Authorities tab.

2. Configure Certificate Authority

Configure CA
  1. Enter a name, for example, CONTROLCENTER CA.
  2. Select Microsoft ADCS.
  3. Select ADCS.
  4. Enter the Server Hostname, for example, controlcenter.corp.local.
  5. Enter the Authority Name, for example, corp-CONTROLCENTER-CA.
  6. Enter the User name, for example, corp\imaservice. This service account must have permission to request, renew, and revoke certificates on the CA.
  7. Enter the Password, for example, VMware1!.
  8. Enter the password again.
  9. Click Test Connection. You should see the message Test is successful.
  10. Click Save and Add Template.

3. Add Certificate Template

In this step, you add the certificate template that associates the CA used to generate the user certificate.

The properties of this certificate template must match the template defined on the CA, otherwise the user cannot authenticate using the certificate.

Configure Template
  1. Enter a Name, for example, MobileUserCertificate.
  2. Select the Certificate Authority, for example, CONTROLCENTER CA.
  3. Enter certificatetemplate:MobileUser for Issuing Template. The issuing template must match the template on the CA. In this example, the template name is MobileUser.
  4. Enter CN={EnrollmentUser} for Subject Name.
  5. Select 2048 for Private Key Length.
  6. Select both the Signing and Encryption options for Private Key Type.
  7. For SAN Type, select Email Address and {Email Address}.
  8. Add a second SAN Type and select User Principal Name and {UserPrincipalName}.
  9. Select the Enable Certificate Revocation check box.
  10. Click Save.

4. Confirm the Certificate Authority was Created

CA
  1. Select the Certificate Authorities tab.
  2. Click Refresh if needed.
  3. Confirm that the CONTROLCENTER.CORP.LOCAL Certificate Authority was added.

4.1. Confirm the Certificate Request Template was Created

Template
  1. Select the Request Templates tab.
  2. Click Refresh if needed.
  3. Confirm the MobileUserCertificate Request Template was added.

5. Validate the Certificate Template

There are several ways to validate that the Certificate Template is available on Microsoft CA. If you are using Enterprise Microsoft CA, open the Certificate Authority and you will see a folder named Certificate Template. If you are using Standalone CA (as in this exercise), use mmc.exe to see the list of templates.

Launch MMC

Launch MMC on your machine. In this example, the MMC snap-in is available on the task bar.

5.1. Select MobileUser Template

Open Template
  1. Click Certificate Templates.
  2. Right-click the user template, for example, Mobile User.
  3. Click Properties.

The next steps help you to locate some of the template attributes that you defined in the Workspace ONE UEM Console.

5.2. Validate Template Name

Template Name
  1. Select the General tab.
  2. Validate your Template name, for example, MobileUser.

5.3. Validate Private Key Type

  1. Select the Request Handling tab.
  2. Confirm the Purpose is set to Signature and encryption.

5.4. Validate Private Key Length

  1. Select the Cryptography tab.
  2. Ensure the Minimum key size is 2048.

5.5. Validate Subject Name Request

  1. Select the Subject Name tab.
  2. Ensure Supply in the request is selected.

Enabling VMware Tunnel in the Workspace ONE UEM Console

When the VMware Tunnel edge service is enabled on the Unified Access Gateway appliance, it retrieves the VMware Tunnel configuration from Workspace ONE UEM. Therefore, the VMware Tunnel must be configured first in the Workspace ONE UEM Console, prior to deployment of the Unified Access Gateway appliance.

This section helps you to configure VMware Tunnel in the Workspace ONE UEM Console.

1. Open All Settings

Open All Settings
  1. Select Groups & Settings.
  2. Select All Settings.

 

2. Configure VMware Tunnel Settings

Configure the VMware Tunnel settings
  1. Select System.
  2. Select Enterprise Integration.
  3. Select VMware Tunnel.
  4. Select Configuration.
  5. Change the setting to Override.
  6. Select Enabled for VMware Tunnel.
  7. Click Configure.

2.1. Configure Deployment Type

Configuration Type
  1. Select Enabled for Proxy (Windows & Linux).
  2. Select Basic (Single-Tier) from the drop-down menu for VPN Configuration Type. The Unified Access Gateway appliance is deployed on a DMZ where the VMware Tunnel edge service is enabled to communicate with the internal network.
  3. Select Disabled for Per-App Tunnel (Linux Only).
  4. Click Next to continue.

Enabling the Proxy option allows access to internal websites exclusively through Workspace ONE Web, which uses port 2020 to communicate with the front-end appliance. In this exercise, Proxy is not enabled.

2.2. Configure Hostname and Port Details

Configure Hostname and Port Details
  1. Enter the VMware Tunnel server host name for Hostname.
  2. Enter a Port number.
  3. Click Next.

2.3. Configure VMware Tunnel SSL Certificate

Configure Tunnel SSL Certificate
  1. Ensure Use Public SSL Certificate is selected.
  2. Click Upload and navigate to your certificate. This example uses the airwlab.pfx file in C:\AW Tools.
  3. Click Next.

2.4. Select Authentication

Authentication
  1. Select Default.
  2. Click Next.

2.5. Select Miscellaneous Details

VMware Tunnel Configuration - Miscellaneous
  1. Select Disabled for Access Logs.
  2. Click Next to continue.

2.6. Confirm VMware Tunnel Settings

Confirm VMware Tunnel Settings

Verify that the configuration summary is correct. Click Save to continue.

2.7. Download the Unified Access Gateway Appliance

Download the Appliance

After the configuration is saved, click Download the Unified Access Gateway to download the virtual appliance. Extract the ZIP file on the Windows machine where you will install Unified Access Gateway.

Workspace ONE Web Application Settings and Policies

The Settings and Policies section of the Workspace ONE UEM Console contains settings that control security, behavior, and the data retrieval of specific applications. The settings are often called SDK settings because they run on the Workspace ONE SDK framework.

You can apply these SDK features to applications built with the Workspace ONE SDK, to supported Workspace ONE UEM applications, and to applications wrapped by the Workspace ONE App Wrapping engine. The same features can be applied because the Workspace ONE SDK framework processes the functionality.

Workspace ONE Web can use these Settings and Policies, which can be based on two types of SDK settings:

  • Default settings work well across organization groups, applied to large numbers of devices.
  • Custom settings work with individual devices or for small numbers of devices with applications that require special mobile application management (MAM) features.

In this exercise, you change the default settings of Workspace ONE Web.

1. Configure VMware Browser

Browser Settings
  1. Select Apps.
  2. Select Browser.
  3. Select Override for Current Setting.
  4. Scroll down to find the Mode section.

1.1. Configure Browser Mode

Mode
  1. Select Disabled for Kiosk Mode.
  2. Enter your intranet website for Home Page URL, for example, http://intranet.corp.local/intranet.
  3. Select Allow for Selection Mode.
  4. Enter your Allowed Site URLs, for example, *.corp.local and *.airwlab.com.
  5. Click Save.

2. Configure Security Policies

Integrated Authentication
  1. Select Settings and Policies.
  2. Select Security Policies.
  3. Select Override for Current Setting.
  4. Select Enabled for Integrated Authentication.
  5. Select Enabled for Use Certificate.
  6. Select Defined Certificate Authority for Credential Source.
  7. Select the Certificate Authority, for example, CONTROLCENTER CA.
  8. Select the Certificate Template, for example, MobileUserCertificate.
  9. Enter * for Allowed Sites.
  10. Scroll down to the end of the page.

This configuration allows the user credentials to be passed on to allowed sites for integrated authentication. In this example, the user certificate is the user credential.

2.1. Configure App Tunnel Mode Settings

App Tunnel Mode
  1. Select Enabled for AirWatch App Tunnel.
  2. Select VMware Tunnel - Proxy for App Tunnel Mode.
  3. Enter the App Tunnel URLs, for example, *.corp.local and *uag.airwlab.com*.
  4. Click Save.

In this step, you define how Workspace ONE Web redirects the traffic to access internal resources. Any requests from Workspace ONE Web that match the App Tunnel URLs, are redirected through Tunnel Proxy.

Preparing VMware Tunnel and Reverse Proxy INI Settings for Deployment

This section covers the required INI settings to configure VMware Tunnel and web reverse proxy during the Unified Access Gateway appliance deployment.

1. Configure the General Deployment settings

The INI file contains all the configuration settings required to deploy the Unified Access Gateway appliance.

This exercise uses the uag-Cert-to-Kerberos.ini file and is configured for a Unified Access Gateway appliance called uag-Cert, that has two NICs—NIC one is set to internet facing and NIC two for back end and management.

2. Edit the INI File

Editing UAG-2NIC.ini

Navigate to your Unified Access Gateway INI file. In this example, the INI file is located in UAG Resources.

  1. Click the File Explorer icon from the task bar.
  2. Select Desktop.
  3. Select UAG Resources.
  4. Right-click the ini file, for example, uag-Cert-to-Kerberos.
  5. Click Edit with Notepad++.

3. General and Network Settings

General Settings 1/2

In this example, the settings are already filled out. The General section includes details such as deployment location and network configuration for the Unified Access Gateway appliance.

The SSLCert and SSLCertAdmin sections contain SSL certificate location for the administrator and Internet interfaces.

4. Configuring VMware Tunnel Settings

AirWatch settings

The AirWatch section contains the required parameters to enable the VMware Tunnel edge service on your Unified Access Gateway appliance.

  1. Enter the apiServerUsername, for example, apiuser.
  2. Enter your Group ID for the Organization Group.
  3. Enter the apiServerUrl, for example, https://v9.airwlab.com.
  4. Enter the airwatchServerHostname, for example, https://pool##.airwlab.com.

During the Unified Access Gateway deployment, the PowerShell script prompts you for the apiServerUsername password.

5. Validate Web Reverse Proxy Configuration

WRP

A web reverse proxy instance called ITBUDGET has been added to this INI file. You use this instance to enable identity bridging and perform certificate to Kerberos authentication in a later exercise.

In this exercise, proxyDestinationUrl is set to https://it.corp.local. For your environment, set proxyDestinationUrl to an intranet address.

6. Save INI File

Click the Save icon to save your changes.

Deploying Unified Access Gateway Appliance

After you have configured the INI file for your Unified Access Gateway deployment, the next step is to run the uagdeploy.ps1 PowerShell script passing the INI as a parameter.

1. Open PowerShell window

Open PowerShell

Click the PowerShell icon.

2. Deploy Unified Access Gateway using PowerShell

Running the script

After you run the script, it prompts for input.

  1. Navigate to the folder containing your INI file. For example, enter cd '.\Desktop\UAG Resources' then press Enter.
  2. Enter .\uagdeploy.ps1 .\<uag-tunnel>.ini <password1> <password2> false false no then press Enter.
  3. Replace <uag-tunnel> with your INI file name.
  4. Replace <password1> with the root password for the UAG appliance. Replace <password2> with the administrator password for REST API management access.
  5. The first false is to not skip the validation of signature and certificate.
  6. The second false is to not skip SSL verification for the vSphere connection.
  7. The no is to not join the VMware CEIP program.
  8. Enter the password for the certificate that is used in the SSLCert and SSLCertAdmin sections.
  9. Enter the password for the apiuser previously defined in the INI file, which allows Unified Access Gateway to obtain the VMware Tunnel settings from Workspace ONE UEM.

To avoid a password request for the certificate, remove the pfxCert values and provide a PEM certificate in the INI file. Set the pemCerts and pemPrivKey for the SSLCert and SSLCertAdmin sections in the INI file.
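
The INI settings described in the previous section and the PFX or PEM choice above can be checked before the script is run. The following is an added example, not part of the uagdeploy package or the original tutorial: the INI text is constructed, the section name WebReverseProxy1 and the key spelling pfxCerts are assumptions, and the other key names are the ones this tutorial mentions.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample with three deliberate mistakes; not the tutorial's own INI file.
SAMPLE_INI = r"""
[SSLCert]
pfxCerts=C:\AW Tools\airwlab.pfx

[SSLCertAdmin]
pemCerts=C:\AW Tools\admin.pem

[AirWatch]
apiServerUsername=apiuser
apiServerUrl=https://v9.airwlab.com
airwatchServerHostname=https://pool##.airwlab.com

[WebReverseProxy1]
proxyDestinationUrl=http://it.corp.local
"""


def lint_uag_ini(text):
    """Return a list of findings for the certificate, AirWatch and proxy settings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep key case (pfxCerts, not pfxcerts)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"INI could not be parsed: {exc}"]
    findings = []

    def value(section, key):
        return cp.get(section, key, fallback="").strip()

    # Each certificate section needs one complete form: PFX, or PEM chain plus key.
    for sec in ("SSLCert", "SSLCertAdmin"):
        has_pfx = bool(value(sec, "pfxCerts"))
        has_pem, has_key = bool(value(sec, "pemCerts")), bool(value(sec, "pemPrivKey"))
        if has_pfx and (has_pem or has_key):
            findings.append(f"[{sec}] sets both pfxCerts and PEM values; keep one form")
        elif has_pem != has_key:
            findings.append(f"[{sec}] needs both pemCerts and pemPrivKey")
        elif not (has_pfx or has_pem):
            findings.append(f"[{sec}] has no certificate configured")

    # The Tunnel edge service cannot fetch its configuration without these values.
    for key in ("apiServerUsername", "apiServerUrl", "airwatchServerHostname"):
        val = value("AirWatch", key)
        if not val:
            findings.append(f"[AirWatch] {key} is empty or missing")
        elif "#" in val or "<" in val:
            findings.append(f"[AirWatch] {key} still contains a placeholder: {val}")
    api_url = value("AirWatch", "apiServerUrl")
    if api_url and urlparse(api_url).scheme != "https":
        findings.append("[AirWatch] apiServerUrl is not an https URL")

    # Traffic from the DMZ appliance to the back end should stay encrypted.
    proxies = [s for s in cp.sections() if s.startswith("WebReverseProxy")]
    if not proxies:
        findings.append("no WebReverseProxy section found")
    for sec in proxies:
        parsed = urlparse(value(sec, "proxyDestinationUrl"))
        if not parsed.hostname:
            findings.append(f"[{sec}] proxyDestinationUrl is empty or not a URL")
        elif parsed.scheme != "https":
            findings.append(f"[{sec}] proxyDestinationUrl uses {parsed.scheme}, not https")
    return findings


if __name__ == "__main__":
    for finding in lint_uag_ini(SAMPLE_INI):
        print(finding)
```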

The deployment starts and you can follow the progress in the same window or on your vSphere Web Client.

3. Confirm the PowerShell Script Deployment Completes

Deployment finished
  1. Confirm the deployment has been completed successfully. The Completed successfully text is shown in the output.
  2. Click Close.
  3. After a successful deployment, the script automatically powers on the VM UAG-CERT.
  4. The Received IP address presented by the script log is a temporary IP; the final IPs for NIC one and NIC two are assigned to the Unified Access Gateway appliance during the first start. Return to the vSphere Web Client and validate the IP address in the next step.

4. Validate Unified Access Gateway Deployment

Validating UAG Appliance status

Return to the vSphere Web Client tab in Google Chrome.

  1. If you do not see the UAG-CERT VM under Nested_Datacenter, you may need to click Refresh.
  2. Click UAG-CERT.
  3. Click the Summary tab.
  4. Click View all 2 IP addresses.
  5. In this example, the IP addresses are:
    192.168.110.20
    172.16.0.20

Important: If the Unified Access Gateway appliance does not finalize the configuration during the first startup, you receive an error message from vSphere Web Client. If that happens, wait for the appliance to finalize, and refresh the entire Google Chrome browser.

5. Log In to Unified Access Gateway Administration Console

UAG Admin UI Login
  1. Click the New Tab button to open a new tab.
  2. Navigate to the Unified Access Gateway administration console URL, for example, https://uagmgt-int.airwlab.com:9443/admin.
  3. Enter the username, for example, admin.
  4. Enter the password, for example, VMware1!.
  5. Click Login.

6. Validate Configuration Settings

Select Configuration Settings

A successful login redirects you to the following screen.

Click Select to configure settings manually.

7. Confirm the Web Reverse Proxy Instance is Running

General Settings

Follow the next steps to confirm that a web reverse proxy instance named itbudget has been automatically configured. 

  1. Click SHOW. After you click SHOW, it changes to HIDE.
  2. Click the arrow next to Reverse Proxy Settings.
  3. Confirm that itbudget exists.

Keep the administration console open as the next step is to enable the identity bridging feature for itbudget.

8. Test Tunnel Proxy Connection

Open All Settings

Return to the Workspace ONE UEM Console to perform a test connection between Tunnel Proxy and Workspace ONE UEM API, AWCM, and device service.

  1. Select Groups & Settings.
  2. Select All Settings.

 

8.1. Perform Test Connection for Tunnel Proxy

Configure the VMware Tunnel settings
  1. Select System.
  2. Select Enterprise Integration.
  3. Select VMware Tunnel.
  4. Select Configuration.
  5. Click Test Connection.

8.2. Verify Test Connection Results

Test Connection

If all test connection results are green, your environment is set up correctly and you can proceed to the next steps. Click Cancel or the X button to close the screen.

Configuring Identity Bridging on Unified Access Gateway

You have deployed the Unified Access Gateway appliance, confirmed that the itbudget web reverse proxy was configured, and tested the Tunnel Proxy connection settings. The next steps are performed in the Unified Access Gateway administration console.

1. Return to the Unified Access Gateway Administration Console

Return to the Unified Access Gateway administration console.

2. Configure Certificate Authentication Settings

Enable Certificate
  1. Click Show for the Authentication Settings.
  2. Click the gear icon next to X.509 Certificate.

2.1. Upload Certificate to Unified Access Gateway Appliance

Access the instance configuration
  1. Click NO to enable X.509 Certificate. After you click NO, the toggle changes to YES and you will see additional options.
  2. Click Select to upload the Root and Intermediate CA Certificates.
  3. Navigate to your certificate location, for example, C:\AW Tools and press Enter.
  4. Click the combo box and select All Files.
  5. Select your root certificate, for example, root-corplocal.pem.
  6. Click Open.

2.2. Enable Certificate Revocation

Cert Revocation

Point to the information icon to read a tip on each of the following steps.

Unified Access Gateway can perform a certificate revocation check in two ways: through CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol). In this step, you configure Unified Access Gateway to use OCSP and, in case it fails, to use the CRL.

  1. Click Yes to Enable Cert Revocation.
  2. Select the Use CRL from Certificate check box.
  3. Enter the CRL Location, for example, http://controlcenter.corp.local/CertEnroll/corp-CONTROLCENTER-CA.crl.
  4. Select the Enable OCSP Revocation check box.
  5. Click Yes for Use CRL in case of OCSP Failure.
  6. Enter the OCSP URL, for example, http://controlcenter.corp.local/ocsp.
  7. Select the Use OCSP URL from certificate check box.
  8. Click Save.

3. Configure Keytab

Advanced Settings Keytab

Click the gear icon for Upload Keytab Settings under Identity Bridging Settings.

3.1. Update the Keytab Settings

Set Keytab
  1. Enter the Principal Name, for example, HTTP/it.corp.local@CORP.LOCAL.
  2. Click Select.
  3. Select Local Disk (C:) folder.
  4. Select the it.keytab file.
  5. Click Open.
  6. Click Save.
  7. After you click Save, you should see the message Keytab upload is successful.
  8. Note: If you do not enter a Principal Name value, then the first Principal Name found in the keytab file will be used. If your keytab contains multiple Principal Names, you should manually enter Principal Name in Keytab Settings.
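
To see which principal names a keytab holds before you upload it, the following added example (not VMware code) parses the file and applies the rule from the note above. It assumes the MIT keytab file format, version 0x0502; the function names and the dummy-key sample are constructed for illustration.

```python
import struct

def counted(buf, off):
    """Read a uint16-length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("string runs past end of entry")
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n

def keytab_principals(data):
    """Distinct principals in an MIT keytab (file format 0x0502), in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, found = 2, {}
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # deleted entry: skip the hole
            pos += -size
            continue
        entry = data[pos:pos + size]
        pos += size
        (count,) = struct.unpack_from(">H", entry, 0)
        fields, off = [], 2
        for _ in range(count + 1):         # realm first, then name components
            text, off = counted(entry, off)
            fields.append(text)
        name = "/".join(fields[1:]) + "@" + fields[0]
        found[name] = True                 # one entry per key type; keep first-seen order
    return list(found)

def effective_principal(data, principal_name=""):
    """Principal used after upload: the entered name, else the first in the file."""
    names = keytab_principals(data)
    if not names or (principal_name and principal_name not in names):
        raise ValueError(f"{principal_name!r} not usable; keytab holds {names}")
    return principal_name or names[0]

def make_entry(principal, kvno=1, enctype=18):
    """Constructed keytab entry with an all-zero dummy key, for the sample only."""
    name, realm = principal.split("@")
    fields = [realm] + name.split("/")
    body = struct.pack(">H", len(fields) - 1)
    body += b"".join(struct.pack(">H", len(f)) + f.encode() for f in fields)
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, 32) + bytes(32)
    return struct.pack(">i", len(body)) + body

# Constructed sample: two SPNs in one file, so an empty Principal Name picks the first.
SAMPLE = b"\x05\x02" + make_entry("HTTP/it.corp.local@CORP.LOCAL") \
                     + make_entry("HTTP/intranet.corp.local@CORP.LOCAL")
```

If `keytab_principals` returns more than one name for your file, enter the Principal Name explicitly in Keytab Settings.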

4. Configure Realm

Advanced Settings Realm

Click the gear icon for Realm Settings under Advanced Settings.

4.1. Add a Realm Setting

Add Realm Settings

Click Add.

4.2. Configure the Realm Settings

Realm Settings
  1. Enter the Name of the realm, for example, CORP.LOCAL.
  2. Note: This entry must use capital letters.
  3. Enter the Key Distribution Centers, for example, corp.local.
  4. Enter 3 for KCD Timeout (in seconds).
  5. Click Save.
  6. After you click Save, you should see the message Configuration saved successful.

4.3. Close the Realm Settings

Realm configured

You have configured the Realm settings.

Click Close.

5. Configure OCSP Settings

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.

Unified Access Gateway sends the OCSP request to the specified URL and receives a response that contains information indicating whether or not the certificate is revoked. To allow that communication, the OCSP Signing Certificate must be uploaded to the Unified Access Gateway appliance.

 

OCSP Settings

In Identity Bridging Settings, click the gear icon next to OCSP Settings.

5.1. How to Obtain the OCSP Signing Certificate

You can view and export the OCSP signing certificate in the Online Responder Management Console. You can install and configure the Online Responder Management Console from Windows Features. During the configuration, you are requested to create the OCSP signing certificate on the CA. Therefore, in a production scenario, you have two options to obtain the signing certificate.

In this example, the certificate has already been exported to C:\AW Tools, named ocsp.crt.

OCSP Console

5.2. Add OCSP Setting

Add

Click Add.

5.3. Select OCSP Signing Certificate

Select OCSP Certificate
  1. Click Select.
  2. Navigate to C:\AW Tools.
  3. Change the filter to All Files.
  4. Select the ocsp.crt certificate — This is the certificate used to sign your OCSP Responder.
  5. Click Open.
  6. Click Save.

5.4. Confirm OCSP Settings

Confirm

After you click Save, confirm that you see the OCSP signing certificate information.

Click Close.

6. Configure Identity Bridging for Web Reverse Proxy Instance

Next, configure identity bridging for the web reverse proxy instance, itbudget.

6.1. Open the ITBUDGET Reverse Proxy Settings

Access Reverse Proxy settings
  1. If the Edge Service Settings are currently hidden, click the Show toggle to display the settings.
  2. Select the gear icon for Reverse Proxy Settings.

6.2. Select ITBUDGET Reverse Proxy Instance

Setup itbudget instance

Select the gear icon for the itbudget reverse proxy instance.

6.3. Update the ITBUDGET Identity Bridging Settings

Config identity bridging
  1. Click NO to show the Enable Identity Bridging settings. After you click No, it changes to YES.
  2. Select CERTIFICATE for Authentication Types.
  3. Select the Keytab, for example, HTTP/it.corp.local@CORP.LOCAL.
  4. Enter the Target Service Principal Name, for example, HTTP/it.corp.local@CORP.LOCAL. 
  5. Click Save.

6.4. Confirm the Identity Bridging Settings Saved

Configuration saved successfully

Confirm that the message Configuration is saved successfully is displayed.

Retrieving the Group ID from Workspace ONE UEM Console

In this activity, retrieve your Group ID from the Workspace ONE UEM Console. The Group ID is required when enrolling your device.

Workspace ONE UEM Group ID

In the Workspace ONE UEM Console:

  1. To find the Group ID, point your mouse over the Organization Group tab at the top of the screen.
  2. Your Group ID is displayed at the bottom of the Organization Group pop up.

Enrolling an iOS Device

In this section, enroll your iOS device in Workspace ONE UEM by installing the Workspace ONE Intelligent Hub (formerly the AirWatch Agent). A Group ID is required to complete enrollment. See Retrieving Your Group ID from the Workspace ONE UEM Console.

1. Download and Install Workspace ONE Intelligent Hub from App Store (IF NEEDED)

Download/Install AirWatch MDM Agent Application from App Store - IF NEEDED

Note: Checked out devices will likely have the Workspace ONE Intelligent Hub already installed. You may skip this step if your device has the Workspace ONE Intelligent Hub installed.

At this point, if you are using your own iOS device or if the device you are using does not have the Workspace ONE Intelligent Hub Application installed, then install the application from the App Store.

To install the Workspace ONE Intelligent Hub application from the App Store, open the App Store application and download the free Workspace ONE Intelligent Hub application.

2. Launch the Workspace ONE Intelligent Hub

Launching the AirWatch MDM Agent

Launch the Hub app on the device.  

3. Enter the Server URL

Enter the AirWatch Server URL
  1. Enter the Server URL for your Workspace ONE UEM environment.
  2. Click Next.

Click the Server Details button.

4. Enter the Group ID for Workspace ONE Intelligent Hub

Return to the Workspace ONE Intelligent Hub application on your iOS device:

  1. Enter the Group ID for your Organization Group in the Group ID field.
  2. Tap the Next button.

Note: On an iPhone, you may have to close the keyboard by clicking Done to click the Next button.

5. Enter User Credentials

Authenticate the AirWatch MDM Agent

You now provide user credentials to authenticate to Workspace ONE UEM.

  1. Enter the Username, for example, testuser.
  2. Enter the Password, for example, VMware1!.
  3. Tap Next.

6. Redirect to Safari and Enable MDM Enrollment in Settings

The Workspace ONE Intelligent Hub prompts you to enable Workspace Services to enroll your device into Workspace ONE UEM.  

Tap Next to begin.

7. Allow Website to Open Settings (IF NEEDED)

If you are prompted to allow the website to open Settings, tap Allow.

Note: If you do not see this prompt, ignore this and continue to the next step. This prompt occurs only for iOS devices on iOS 10.3.3 or later.

8. Install the Workspace ONE MDM Profile

Install the MDM Profile

Tap Install in the upper-right corner of the Install Profile dialog box.

9. Install and Verify the Workspace ONE MDM Profile

Install and Verify the AirWatch MDM Profile

Tap Install when prompted on the Install Profile dialog.

10. iOS MDM Profile Warning

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

11. Trust the Remote Management Profile

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

12. iOS Profile Installation Complete

You should now see that the iOS Profile was successfully installed.

Tap Done in the upper-right corner of the prompt.

13. Workspace ONE UEM Enrollment Success

AirWatch Enrollment Success

Your enrollment is now complete. Tap Open to navigate to the Workspace ONE Intelligent Hub.

14. Accept the Workspace ONE Intelligent Hub Notice

Tap Done to confirm the notice and continue.

15. Accept Notifications for Hub (IF NEEDED)

Tap Allow if you get a prompt to allow notifications for the Hub app.

16. Accept the App Installation (IF NEEDED)

You may be prompted to install a series of applications. If prompted, tap Install to accept the application installation.

17. Confirm the Privacy Policy

Tap I Understand when shown the Privacy policy.

18. Accept the Data Sharing Policy

Tap I Agree for the Data Sharing policy.

19. Confirm the Device Enrollment in the Hub App

Confirm that the Hub app shows the user account that you enrolled with.

You have now successfully enrolled your iOS device with Workspace ONE UEM. Continue to the next step.

Testing Access to Workspace ONE Web using SSO through Identity Bridging

Now that you have enabled identity bridging and configured the certificate to Kerberos option, you are ready to test access to Workspace ONE Web on your iOS device.

1. Launch Workspace ONE Web

Confirm that Workspace ONE Web is already installed on your device. Tap Browser to open the application.

2. Confirm Access to Intranet Site

Intranet Home Page

In a previous exercise (Configure Browser Mode), you set an intranet address as the home page for Workspace ONE Web, for example, http://intranet.corp.local. This intranet page should now be showing.

In this example, Workspace ONE Web uses the Tunnel Proxy component of the VMware Tunnel service to provide access to this internal website. However, you cannot access the intranet URL from any other external network.

3. Access ITBUDGET Website from Workspace ONE Web

Test access

Navigate to https://uag.airwlab.com/itbudget.

You should see the webpage without any prompt to provide any credentials.

4. Validate Kerberos Authentication

This section helps you to validate Kerberos authentication.

4.1. Launch Event Viewer

Launch Event Viewer

Open Event Viewer.

4.2. Connect to Event Viewer From Another Computer

  1. Right-click Event Viewer (Local).
  2. Select Connect to Another Computer.

4.3. Connect to INTRANET Server Event Viewer

Select Computer
  1. Enter a name for Another Computer, for example, INTRANET.
  2. Click OK.

4.4. View Logon Logs

View Logon Log
  1. Expand the Windows Logs node.
  2. Select Security.
  3. Select one Logon Category event.
  4. Select the Details tab.
  5. Click the XML View toggle.
  6. The log details show an authentication on behalf of the user PSILVER using Kerberos.
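
The same check can be scripted over events copied from the XML View, which helps when several logon events need reviewing. This is an added example, not part of the original tutorial; it assumes the events are successful logons (Event ID 4624) pasted as plain `<Event>` elements, and the sample events and the `svc_it` account are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def logon_events(xml_text):
    """EventData fields of each 4624 (successful logon) event in the pasted XML."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")  # allow several events
    events = []
    for ev in root.findall("e:Event", NS):
        if (ev.findtext("e:System/e:EventID", "", NS) or "").strip() == "4624":
            events.append({d.get("Name"): (d.text or "").strip()
                           for d in ev.findall("e:EventData/e:Data", NS)})
    return events

def logons_by_package(xml_text, user):
    """Split one user's logons into Kerberos and non-Kerberos (for example NTLM)."""
    kerberos, other = [], []
    for data in logon_events(xml_text):
        if data.get("TargetUserName", "").lower() != user.lower():
            continue
        package = data.get("AuthenticationPackageName", "")
        bucket = kerberos if package == "Kerberos" else other
        bucket.append((data.get("LogonType", ""), package))
    return kerberos, other

def event(user, package, logon_type="3"):
    """Constructed 4624 event carrying only the fields this check reads."""
    fields = {"TargetUserName": user, "TargetDomainName": "CORP",
              "LogonType": logon_type, "AuthenticationPackageName": package}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID>'
            f'<Computer>INTRANET</Computer></System><EventData>{data}</EventData></Event>')

# Constructed sample: the bridged Kerberos logon, an NTLM logon, and another account.
SAMPLE = event("PSILVER", "Kerberos") + event("PSILVER", "NTLM") + event("svc_it", "Kerberos")
```

A logon for the test user that lands in the second list was authenticated with a package other than Kerberos, so it did not come through the certificate-to-Kerberos bridge.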

 

5. Validate Certificate requested by Workspace ONE Web

This section helps you to confirm that Workspace ONE Web requested a certificate for authentication.

5.1. Launch Certificate Authority

Launch CA

Click the Certificate Authority icon.

5.2. Open Most Recently Issued Certificate

CA
  1. Click Issued Certificates.
  2. Select the last issued certificate.
  3. Right-click and select Open.

5.3. Confirm the Certificate Was Issued to Correct User

Confirm the most recently issued certificate was issued to psilver@corp.local.

Conclusion

In this set of exercises, you have learned how to:

  • Deploy a Unified Access Gateway appliance with two NICs: one NIC is internet-facing and the second NIC is dedicated to management and back-end access. The web reverse proxy configuration to access the intranet is automatically configured during deployment.
  • Configure Internet Information Server (IIS) to support Kerberos authentication
  • Set up Kerberos delegation on the service account
  • Configure identity bridging on Unified Access Gateway
  • Configure VMware Enterprise System Connector to integrate Microsoft AD with Workspace ONE UEM
  • Integrate CA with Workspace ONE UEM
  • Configure Workspace ONE Web to use certificate for authentication
  • Access an internal website through Unified Access Gateway, performing certificate to Kerberos authentication through Workspace ONE Web

For more information, see the VMware Unified Access Gateway documentation.

Summary and Additional Resources

Conclusion

This operational tutorial provided steps to configure web reverse proxy with device certificate authentication and to configure the identity bridging feature with two options: SAML to Kerberos and Certificate to Kerberos.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon. 

About the Author

This tutorial was written by:

  • Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.

Feedback

Your feedback is valuable. 

To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
