Configuring Web Reverse Proxy and Device Certificate Authentication

VMware Workspace ONE UEM 9.5 and later
VMware Unified Access Gateway 3.3 and later

Introduction

The web reverse proxy feature in Unified Access Gateway enables external access to internal websites.

This section helps you to configure a web reverse proxy instance on the Unified Access Gateway to access an intranet website, using a device certificate as the authentication method.

The exercises cover a Unified Access Gateway 3.3.1 deployment in vSphere 6.5 U1.

Procedures include:

  • Deploying the Unified Access Gateway appliance
  • Configuring web reverse proxy to access both SSL and non-SSL websites
  • Adding certificate-based authentication to an intranet website

The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.


Architecture

The architectural diagram below shows an example environment which emulates a typical environment, including DMZ and internal networks.

In this example, external requests to the vApp are sent to the vPod Router, which directs those requests to the appropriate resource, based on the incoming port. Ports 4000-6500 are reserved for the environment components so all traffic coming in on these ports is forwarded to the appropriate Edge Service for the Unified Access Gateway server. In addition, ports 443 and 9443 are forwarded to the Unified Access Gateway server over the respective ports.

The vApp networks (internal, DMZ, and transit) are created within the vApp. The internal and transit networks are NATed to the SE-UCS-Network for outbound internet connectivity while the DMZ network routes through the vPod Router for inbound and outbound access. Note that the vPodRouter does not have a NIC on the internal network and therefore cannot route external traffic to resources on the internal network.

Diagram components: vPod Router; ESXi01 6.5.0 U1; Control Center; vCenter Server 6.5 U1 hosted on ESXi01.

Architecture Overview Diagram

The following architectural diagram shows an example of two major networks that you can deploy your servers into. For this set of exercises, you deploy the Unified Access Gateway appliance on a DMZ and assign the respective NICs.

At the top of the diagram is vCenter Networking. At the bottom of the diagram is the vApp network required to support the environment. For these exercises, the focus is on the network hosted on the ESXi, and represented by the following three networks:

  • VM Network & Management: Represents the dedicated network to access the Management Console
  • Internal Network: Represents the internal network on the 172.16.0.x range. The Control Center, ESXi, and vCenter are part of the internal network.
  • DMZ Network: Represents the DMZ network on the 192.168.110.x range, where the Unified Access Gateway appliance is deployed. The Unified Access Gateway Internet-facing NIC is associated with this network.

Network Interfaces

Unified Access Gateway supports deployments with one, two, or three NICs. This means that the server can receive all traffic on a single interface or route traffic to different interfaces based on the source of the request. If you need multiple NICs, you most likely already follow the same standard for other web applications in your organization.

You must determine what is appropriate for your environment when selecting the number of NICs during installation. It is important for you to understand the expected behavior when two or three NICs are enabled.

To explore these options, see Deploying VMware Unified Access Gateway: VMware Workspace ONE Operational Tutorial.

General Considerations

In the exercises for deploying the Unified Access Gateway server through vSphere, the vCenter setup is hosted in a nested template. This is not usually the case when working with users in a live environment.

User environments can include multiple networks and can optionally have a Network Protocol Profile (NPP) that corresponds to each network connected to the Unified Access Gateway. Prior to version 3.3, an NPP was required. Since version 3.3, an NPP is no longer required.

Note: Keep in mind that the Unified Access Gateway requires a netmask, default gateway, and subnet to be defined for each network enabled during deployment.

Prerequisites

Before you can perform the steps in this exercise, you must install and configure the following components:

  • VMware AirWatch 8.4 and later or VMware Workspace ONE UEM 9.5 and later
  • VMware vSphere ESX host with a vCenter Server (vSphere 6® and later)
  • vSphere data store and network to use
  • PowerShell script running on Windows 8.1 or later machines, or Windows Server 2008 R2 or later
  • Windows machine running the PowerShell script with the VMware OVF Tool command installed (see OVF Tool Software Download to install OVF Tool 4.3 or later)
  • Unified Access Gateway PowerShell script, such as uagdeploy-VERSION.ZIP (download from my.vmware.com, and extract the files into a folder on your Windows machine)
  • Obtain a Unified Access Gateway virtual appliance image OVA file, such as .euc-access-point-3.3.X.X-XXXXXXXXXXX.ova (see VMware Product Interoperability Matrixes to determine which version to download)
  • CA Root and Intermediate certificate, and user certificate to configure Device Certificate Authentication

Logging In to the vSphere Web Client

To perform most of this exercise, you need to log in to the vSphere Web Client.

1. Launch Chrome Browser

Double-click the Google Chrome browser icon on the desktop.

2. Authenticate to the vSphere Web Client

  1. Launch the Chrome browser from your desktop and click the bookmark for vSphere.
  2. Enter the username, such as administrator@vsphere.local.
  3. Enter the password, such as VMware1!.
  4. Click Login.

After completing the login, you are presented with the vSphere Web Client.

Preparing Unified Access Gateway INI Settings for Deployment

This section covers the required INI settings to configure Unified Access Gateway appliance during deployment.

1. Configure the General Deployment Settings

An INI file containing all of the configuration settings is required to deploy the Unified Access Gateway appliance.

In this exercise, you use the uag-appliance.ini file to provide the respective parameters for your deployment.

In this example, you deploy a new Unified Access Gateway appliance called UAG02 with two NICs: NIC1 is Internet-facing and NIC2 is for the back end and management.

1.1. Open the uag-appliance.ini File for Editing

Editing UAG-2NIC.ini

Navigate to the uag-appliance.ini file. In this example, the INI file is located in UAG Resources.

  1. Click the File Explorer icon on the task bar.
  2. Click Desktop.
  3. Click UAG Resources.
  4. Right-click the uag-appliance.ini file.
  5. Click Edit with Notepad++.

1.2. Configure General Settings (1/2)

General Settings 1/2

In the General section, provide the following settings:

  1. In the name field, enter a name, such as UAG02 in this example.
  2. In the source field, enter the path, such as C:\Users\Administrator\Desktop\UAG Resources\UAG Files\euc-unified-access-gateway-3.3.0.0-8539135_OVF10.ova, and use File Explorer to verify that the OVA file has the name indicated.
  3. In the target field, enter the destination path, such as  vi://administrator@vsphere.local:VMware1!@vc.corp.local/Nested_Datacenter/host/Host_Cluster. Note: You can replace the password with 'PASSWORD' and the script prompts for the password during the PowerShell execution.
  4. In the diskmode field, enter thin.
  5. In the ds field (ds refers to data store), enter datastore2_ESXi01.
  6. In the deploymentOption field, enter twonic.


1.3. Configure General Settings (2/2)

General Settings 2/2

Continuing in the General section, configure the following parameters in the INI file. Keep in mind that ip0 is the Internet-facing NIC and ip1 is the internally facing NIC.

  1. For ipMode, enter STATICV4.
  2. For defaultGateway, enter 192.168.110.1.
  3. For dns, enter 192.168.110.10.
  4. For ip0, enter 192.168.110.20.
    Note: ip0 is the Internet-facing NIC.
  5. For ip1, enter 172.16.0.20.
    Note: ip1 is the internally facing NIC.
  6. For netmask0 and netmask1, enter 255.255.255.0.
  7. For netInternet, enter DMZ_VM_DPortGroup.
  8. For netManagementNetwork and netBackendNetwork, enter Internal_VM_DPortGroup.

1.4. Configure the TLS/SSL Certificates

Select Name and Location

SSLCert and SSLCertAdmin contain SSL certificate information for the administration and Internet interfaces.

  1. For pfxCerts under SSLCert, enter C:\AW Tools\airwlab.com.pfx (this certificate is for the Internet interface).
  2. For pfxCerts under SSLCertAdmin, enter C:\AW Tools\airwlab.com.pfx (this certificate is for the administration interface).

The certificate password is requested during the deployment.
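As an added example (not part of this tutorial and not VMware's uagdeploy tooling), the PowerShell below writes a constructed uag-appliance.ini with the values from sections 1.1 to 1.4 and runs the pre-flight checks a deployer would want before running the script: every NIC enabled by deploymentOption has an address, a netmask and a port group, the target field uses the PASSWORD placeholder instead of a stored vCenter password, and each certificate section has either pfxCerts or the pemCerts/pemPrivKey pair (the PEM alternative uagdeploy accepts). The key names are the ones this page uses; the section headers [General], [SSLCert] and [SSLCertAdmin] are assumed from the section names the page refers to, and the function names are mine.

```powershell
function ConvertFrom-UagIni {
    # Minimal INI parser: each [section] becomes an ordered hashtable of key = value
    param([Parameter(Mandatory)][string]$Content)
    $ini = [ordered]@{}; $section = 'General'
    foreach ($raw in ($Content -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#') -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if (-not $ini.Contains($section)) { $ini[$section] = [ordered]@{} }
        $key, $value = $line -split '=', 2
        $value = if ($null -ne $value) { $value.Trim() } else { '' }
        $ini[$section][$key.Trim()] = $value
    }
    return $ini
}

function Test-UagDeployIni {
    # Returns a list of findings; an empty list means the INI passed these checks
    param([Parameter(Mandatory)][string]$Path)
    $ini = ConvertFrom-UagIni -Content (Get-Content -LiteralPath $Path -Raw)
    $findings = [System.Collections.Generic.List[string]]::new()
    $g = $ini['General']
    if (-not $g) { $findings.Add('Missing [General] section'); return $findings }
    foreach ($k in 'name', 'source', 'target', 'ds', 'deploymentOption', 'ipMode', 'defaultGateway', 'dns') {
        if (-not $g[$k]) { $findings.Add("General: $k is not set") }
    }
    # Each NIC enabled by deploymentOption needs an address, a netmask and a port group (Note under General Considerations)
    $nicCounts = @{ onenic = 1; twonic = 2; threenic = 3 }; $nicCount = $nicCounts[[string]$g['deploymentOption']]
    if (-not $nicCount) { $findings.Add("General: unknown deploymentOption '$($g['deploymentOption'])'") }
    for ($i = 0; $i -lt $nicCount; $i++) {
        foreach ($k in "ip$i", "netmask$i") { if (-not $g[$k]) { $findings.Add("General: $k is required for $($g['deploymentOption'])") } }
    }
    $portGroups = @('netInternet'); if ($nicCount -gt 1) { $portGroups += 'netManagementNetwork', 'netBackendNetwork' }
    foreach ($k in $portGroups) { if (-not $g[$k]) { $findings.Add("General: $k is not set") } }
    # A vCenter password inside target is a secret stored on disk; PASSWORD makes uagdeploy.ps1 prompt for it instead
    if ($g['target'] -match '^vi://[^:]+:(?<pw>.+)@[^@/]+/' -and $Matches['pw'] -ne 'PASSWORD') {
        $findings.Add('General: target embeds the vCenter password in cleartext; replace it with PASSWORD')
    }
    foreach ($s in 'SSLCert', 'SSLCertAdmin') {
        $c = $ini[$s]
        if (-not $c) { $findings.Add("[$s] section is missing, so that interface gets no custom certificate"); continue }
        if ($c['pemCerts'] -and -not $c['pemPrivKey']) { $findings.Add("${s}: pemCerts is set without pemPrivKey") }
        if (-not $c['pfxCerts'] -and -not $c['pemCerts']) { $findings.Add("${s}: neither pfxCerts nor pemCerts is set") }
    }
    return $findings
}

# Constructed sample with the values from this exercise (not the page's own file); PASSWORD replaces the vCenter password
$sampleIni = @'
[General]
name=UAG02
source=C:\Users\Administrator\Desktop\UAG Resources\UAG Files\euc-unified-access-gateway-3.3.0.0-8539135_OVF10.ova
target=vi://administrator@vsphere.local:PASSWORD@vc.corp.local/Nested_Datacenter/host/Host_Cluster
diskmode=thin
ds=datastore2_ESXi01
deploymentOption=twonic
ipMode=STATICV4
defaultGateway=192.168.110.1
dns=192.168.110.10
ip0=192.168.110.20
ip1=172.16.0.20
netmask0=255.255.255.0
netmask1=255.255.255.0
netInternet=DMZ_VM_DPortGroup
netManagementNetwork=Internal_VM_DPortGroup
netBackendNetwork=Internal_VM_DPortGroup
[SSLCert]
pfxCerts=C:\AW Tools\airwlab.com.pfx
[SSLCertAdmin]
pfxCerts=C:\AW Tools\airwlab.com.pfx
'@
$iniPath = Join-Path ([System.IO.Path]::GetTempPath()) 'uag-appliance.ini'
Set-Content -LiteralPath $iniPath -Value $sampleIni
Test-UagDeployIni -Path $iniPath   # prints nothing for this sample; otherwise one line per finding
```

Point Test-UagDeployIni at your own INI before step 2 of the deployment; a target such as vi://administrator@vsphere.local:VMware1!@vc.corp.local/... is reported as a cleartext password.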

Deploying Unified Access Gateway Appliance

After you have configured the INI file for your Unified Access Gateway deployment, the next step is to run the uagdeploy.ps1 PowerShell script passing the INI as a parameter. 

1. Open PowerShell

Click the PowerShell icon.

2. Deploy Unified Access Gateway Using PowerShell

After you run the script, it prompts for input.

  1. Navigate to the folder containing your INI file. For example, enter cd '.\Desktop\UAG Resources' then press Enter.
  2. Enter .\uagdeploy.ps1 .\<uag-tunnel>.ini <password1> <password2> false false no then press Enter.
    Replace <uag-tunnel> with your INI file name.
    Replace <password1> with the root password for the Unified Access Gateway appliance.
    Replace <password2> with the administrator password for REST API management access.
    The first false is to not skip the validation of signature and certificate.
    The second false is to not skip SSL verification for the vSphere connection.
    The no is to not join the VMware CEIP program.
  3. Enter the password for the SSLcert and SSLcertAdmin fields, for example, certpassword.
  4. Enter the apiuser password, for example, apiuserpassword to allow Unified Access Gateway to obtain the VMware Tunnel settings from Workspace ONE UEM.

To avoid a password request for the certificate, remove the pfxCert values and provide a PEM certificate in the INI file. Set the pemCerts and pemPrivKey for the SSLCert and SSLCertAdmin sections in the INI file.

The deployment starts and you can follow the progress in the same window or on your vSphere Web Client.

3. Confirm the PowerShell Script Deployment Completes

  1. Confirm the deployment has been completed successfully. The Completed successfully text is shown in the output.
  2. Click Close.

After a successful deployment, the script automatically powers on the VM UAG-2NIC-TUNNEL.

The Received IP address presented by the script log is a temporary IP; the final IPs for NIC one and NIC two are assigned to the Unified Access Gateway appliance during the first start. Return to the vSphere Web Client and validate the IP address in the next step.

4. Validate Unified Access Gateway Deployment

  1. If you do not see the UAG-2NIC VM under Nested_Datacenter, you may need to click Refresh first.
  2. Click UAG-2NIC-TUNNEL.
  3. Click the Summary tab.
  4. Click View all 2 IP addresses.
  5. The IP addresses in this example are 192.168.110.20 and 172.16.0.20.

Important: If the Unified Access Gateway appliance does not finalize the configuration during the first startup, you receive an error message from vSphere Web Client. If that happens, wait for the appliance to finalize, and refresh the entire Google Chrome browser.

5. Log In to Unified Access Gateway Administrator Console

UAG Admin UI Login
  1. Click the New Tab button to open a new tab.
  2. Navigate to the Unified Access Gateway administration console URL, for example, https://uagmgt-int.airwlab.com:9443/admin.
  3. Enter the username, for example, admin.
  4. Enter the password, for example, VMware1!.
  5. Click Login.

6. Confirm Administrator Login to the Internal Network

Successful login

A successful login redirects you to the following screen. Keep this window open as you will return to the administration console later.

Click Select to configure settings manually.

Configuring Web Reverse Proxy to Access a Non-SSL Website

The Unified Access Gateway is now deployed, and you can access the Unified Access Gateway administration console to update the appliance configuration.

This section helps you to configure Unified Access Gateway as a web reverse proxy, enabling external access to an internal website (intranet) hosted on an internal server. Communication occurs on HTTP/port 80.

1. Access the Reverse Proxy Settings

Accessing Reverse Proxy Settings
  1. Click SHOW. After you click SHOW, it changes to HIDE.
  2. Click the Gear icon next to Reverse Proxy Settings.

2. Add Reverse Proxy Settings

Adding Reverse Proxy Settings

Click Add to create a new reverse proxy instance. You configure this new reverse proxy instance to access the intranet.

3. Define Features Used by Reverse Proxy

Enabling Reverse Proxy Settings

Click Enable Reverse Proxy Settings. The toggle changes to YES.

The Unified Access Gateway identity bridging feature can be configured to provide single sign-on (SSO) to legacy web applications that use Kerberos constrained delegation (KCD) or header-based authentication. The identity bridging feature is covered in <link to chapter>.

4. Configure Intranet Reverse Proxy Settings

Configuring Intranet settings for Reverse Proxy
  1. Enter intranet for the Instance Id, which is a unique name to identify and differentiate a web reverse proxy instance from all other web reverse proxy instances.
  2. Enter a Proxy Destination URL, for example, http://intranet.corp.local. This URL represents the web application address on the internal network.
  3. Enter (|/intranet(.*)|) for Proxy Pattern. This regular expression matches the URIs that are forwarded to the intranet URL (proxyDestinationUrl). For the intranet server, the path /intranet is what users request to reach the intranet home page through the Unified Access Gateway appliance.
  4. Click Save.

Additional parameters can be configured for this type of reverse proxy. For more details, see Configure Reverse Proxy with VMware Identity Manager in the VMware Unified Access Gateway Documentation.

5. Close the Reverse Proxy Settings

Configuration saved successfully

Click Close.

6. Validate Reverse Proxy Configuration

Validating reverse proxy configuration for intranet
  1. Click the arrow for Reverse Proxy Settings.
  2. Click the refresh icon for the Edge Service Settings.
  3. Confirm the intranet proxy status is green.

After you add the reverse proxy settings for intranet, the Unified Access Gateway appliance tests the communication between the appliance and intranet. The status turns green if a connection is possible, otherwise, it turns red.

Note: It may take a few minutes for the intranet proxy to show as green. Click the refresh icon until the status changes to either green or red.

7. Access Intranet Through Reverse Proxy

  1. Click the New Tab button.
  2. Enter an intranet address, for example, https://uag.airwlab.com/intranet in the address bar and press Enter.

In this example, the result is a sample intranet page hosted on an internal IIS server.

  • Access to the intranet is through Unified Access Gateway port 443, as a result of the TLS port sharing configuration enabled by default during deployment.
  • Access to the Unified Access Gateway administration console is through Unified Access Gateway port 9443 and IP 172.168.0.20, associated with the internal NIC.

Configuring Web Reverse Proxy to Access an SSL Website

To access an internal SSL website, additional configuration is required to establish trust between Unified Access Gateway and the internal website. This section helps you to configure the existing intranet reverse proxy instance to access an SSL website. Communication occurs on HTTPS/port 443.

1. Access the Reverse Proxy Settings

Accessing Reverse Proxy Settings

In the Unified Access Gateway administration console, click the Gear icon next to Reverse Proxy Settings.

2. Add Reverse Proxy Settings

Access the instance configuration

Click the Gear icon to update the intranet configuration settings.

3. Configure Intranet Reverse Proxy Settings

Configuring Intranet settings for Reverse Proxy
  1. Change the Proxy Destination URL to include https, for example, https://intranet.corp.local.
  2. Enter the Proxy Destination URL Thumbprints, for example, sha1=1a bd c3 3d be dd 1e 4a 57 ae 54 9b d7 8a 8c 20 cb 40 a5 59. This value represents the list of acceptable SSL server certificates.
  3. Click Save.

Note: A thumbprint is in the format [alg=]xx:xx, where alg can be sha1, the default, or md5. The xx values represent hexadecimal digits. The : separator can also be a space or omitted. If you do not configure the thumbprints, the server certificates must be issued by a trusted CA.
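The following PowerShell is an added example, not code from this tutorial or from VMware: it fetches the internal server's certificate, prints its thumbprint in the sha1=xx xx form used in step 2, and checks a configured thumbprint string (in any of the separator variants the Note allows) against a certificate. It assumes intranet.corp.local is reachable from the machine running it and that the function names are mine; the handshake callback accepts any certificate only so that the value can be read, so obtain the thumbprint over a network path you trust, because the value you pin is what the appliance will accept from then on.

```powershell
function Get-RemoteServerCertificate {
    # Opens a TLS session only to read the server certificate; nothing is requested over it
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept-all callback: the point is to read an as-yet untrusted certificate, not to trust it
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $client.Dispose() }
}

function Format-UagThumbprint {
    # Returns "alg=xx xx ..." over the DER encoding of the certificate; sha1 is the appliance default
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [ValidateSet('sha1', 'md5')][string]$Algorithm = 'sha1')
    $hasher = if ($Algorithm -eq 'md5') { [System.Security.Cryptography.MD5]::Create() } else { [System.Security.Cryptography.SHA1]::Create() }
    try { $digest = $hasher.ComputeHash($Certificate.RawData) } finally { $hasher.Dispose() }
    return "$Algorithm=" + (($digest | ForEach-Object { $_.ToString('x2') }) -join ' ')
}

function Test-UagThumbprintMatch {
    # Accepts the [alg=]xx:xx form from the Note above: alg sha1 (default) or md5, separator ':' or ' ' or none
    param([Parameter(Mandatory)][string]$ConfiguredThumbprint,
          [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $pattern = '^(?:(?<alg>sha1|md5)=)?(?<hex>[0-9a-fA-F]{2}(?:[: ]?[0-9a-fA-F]{2})*)$'
    if (-not ($ConfiguredThumbprint.Trim() -match $pattern)) { throw "Not a valid thumbprint: $ConfiguredThumbprint" }
    $alg = if ($Matches['alg']) { $Matches['alg'].ToLowerInvariant() } else { 'sha1' }
    $want = ($Matches['hex'] -replace '[: ]', '').ToLowerInvariant()
    $expectedLen = @{ sha1 = 40; md5 = 32 }[$alg]
    if ($want.Length -ne $expectedLen) { throw "$alg thumbprint must be $expectedLen hex digits, got $($want.Length)" }
    # Strip the "alg=" prefix and the spaces from the freshly computed value before comparing
    $have = (Format-UagThumbprint -Certificate $Certificate -Algorithm $alg).Substring($alg.Length + 1) -replace ' ', ''
    return $want -eq $have
}

# Usage against the intranet server from this exercise (requires network access to it):
# $cert = Get-RemoteServerCertificate -HostName 'intranet.corp.local'
# Format-UagThumbprint -Certificate $cert     # value to paste into Proxy Destination URL Thumbprints
# Test-UagThumbprintMatch -ConfiguredThumbprint 'sha1=1a bd c3 3d be dd 1e 4a 57 ae 54 9b d7 8a 8c 20 cb 40 a5 59' -Certificate $cert
```

Re-run the match after the internal server's certificate is renewed: a renewed certificate has a new thumbprint, and until the reverse proxy instance is updated the appliance rejects the connection and the instance status turns red.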

Additional parameters can be configured for this type of reverse proxy. For more details, see Configure Reverse Proxy with VMware Identity Manager in the VMware Unified Access Gateway Documentation.

4. Close the Reverse Proxy Settings

Configuration saved successfully

Click Close.

5. Validate Reverse Proxy Configuration

Validating reverse proxy configuration for intranet
  1. Click the arrow for Reverse Proxy Settings.
  2. Click the refresh icon for the Edge Service Settings.
  3. Confirm the intranet proxy status is green.

After you add the reverse proxy settings for intranet, the Unified Access Gateway appliance tests the communication between the appliance and intranet. The status turns green if a connection is possible, otherwise, it turns red.

Note: It may take a few minutes for the intranet proxy to show as green. Click the refresh icon until the status changes to either green or red.

6. Access Intranet Through Reverse Proxy

  1. Click the New Tab button.
  2. Enter an HTTPS address, for example, https://uag.airwlab.com/intranet in the address bar and press Enter.

In this example, the result is a sample intranet page hosted on an internal IIS server. However, Unified Access Gateway is now connecting to the intranet on port 443 using HTTPS.

  • Access to the intranet is through Unified Access Gateway port 443, as a result of the TLS port sharing configuration enabled by default during deployment.
  • Access to the Unified Access Gateway administration console is through Unified Access Gateway port 9443 and IP 172.168.0.20, associated with the internal NIC.

Adding Certificate-Based Authentication to the Intranet Website

All users can access the intranet with the current web reverse proxy configuration. You can restrict intranet access to a subset of users by adding device certificate authentication as the authentication method on the Unified Access Gateway appliance.

This section helps you to add certificate-based authentication and grant access to the intranet only for users who have a certificate installed on their device. The user certificate must match the root certificate set on the Unified Access Gateway appliance.

1. Enable X.509 Certificate Settings

Accessing Reverse Proxy Settings

In the Unified Access Gateway administration console:

  1. Click SHOW next to Authentication Settings.
  2. Click the Gear icon next to X.509 Certificate.

1.1. Upload Certificate to Unified Access Gateway Appliance

Access the instance configuration
  1. Click NO to enable X.509 Certificate; after you click NO, it changes to YES.
  2. Click Select to upload the Root and Intermediate CA Certificates.
  3. Enter the path to your certificates, for example, C:\AW Tools and press Enter.
  4. Click the combo box and select All Files.
  5. Select your certificate, for example, root-corplocal.pem.
  6. Click Open.
  7. Click Save.

After you click Save, the message Configuration saved successfully appears. The certificate has been uploaded and added to the Unified Access Gateway Appliance certificate store.

Important: In this example, only the ROOT certificate is used during the authentication process. In a production environment, you will have ROOT and INTERMEDIATE certificates available, and you must upload both to the Unified Access Gateway appliance.
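Added example (not part of this tutorial): a PowerShell check that a user certificate builds a chain made up of exactly the CA certificates uploaded in step 1.1, so that a missing intermediate is found before users are prompted for a certificate. It assumes one certificate per PEM file, the file names from this exercise, and function names of my choosing; it returns $true or $false and writes a warning explaining a $false.

```powershell
function Test-UserCertChainsToUploadedCa {
    # $true when every CA in the user certificate's chain (root, plus intermediate where one exists)
    # is among the certificates uploaded to the appliance; otherwise a warning and $false
    param([Parameter(Mandatory)][string]$UserPfxPath,
          [Parameter(Mandatory)][securestring]$PfxPassword,
          [Parameter(Mandatory)][string[]]$UploadedCaPemPaths)   # one certificate per PEM file
    $X509 = 'System.Security.Cryptography.X509Certificates'
    $user = New-Object "$X509.X509Certificate2" -ArgumentList $UserPfxPath, $PfxPassword
    $uploaded = foreach ($p in $UploadedCaPemPaths) { New-Object "$X509.X509Certificate2" -ArgumentList $p }
    $uploadedThumbs = @($uploaded | ForEach-Object Thumbprint)
    $chain = New-Object "$X509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'     # offline structural check; revocation is the appliance's job
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    foreach ($ca in $uploaded) { [void]$chain.ChainPolicy.ExtraStore.Add($ca) }
    [void]$chain.Build($user)
    # UntrustedRoot only says this machine's store does not trust the root; any other status is a real defect
    $bad = $chain.ChainStatus | Where-Object { $_.Status -ne 'UntrustedRoot' }
    if ($bad) { Write-Warning ('Chain problems: ' + (($bad | ForEach-Object Status) -join ', ')); return $false }
    $elements = @($chain.ChainElements | ForEach-Object Certificate)
    if ($elements.Count -lt 2) { Write-Warning 'No issuer found for the user certificate'; return $false }
    $top = $elements[-1]
    if ($top.Subject -ne $top.Issuer) { Write-Warning "Chain stops at a non-root CA: $($top.Subject)"; return $false }
    foreach ($ca in $elements[1..($elements.Count - 1)]) {
        if ($uploadedThumbs -notcontains $ca.Thumbprint) {
            Write-Warning "CA '$($ca.Subject)' is in the chain but was not uploaded to the appliance"; return $false
        }
    }
    return $true
}

# Usage with the files from this exercise (the PFX password is prompted for, not stored in the script):
# $pw = Read-Host -Prompt 'PFX password' -AsSecureString
# Test-UserCertChainsToUploadedCa -UserPfxPath 'C:\AW Tools\user-corplocal.pfx' -PfxPassword $pw -UploadedCaPemPaths 'C:\AW Tools\root-corplocal.pem'
```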

2. Enable Certificate Authentication for Intranet Website

Open Intranet settings

The next step is to configure Unified Access Gateway to require certificate authentication for intranet access.

Select the Gear icon for Reverse Proxy Settings.

2.1. Edit the Intranet Reverse Proxy Settings

Configuration saved successfully

Select the Gear icon for the intranet Instance.

2.2. Configure Intranet Reverse Proxy Settings

Configuring Intranet settings for Reverse Proxy

Click More.

2.3. Configure the Authentication Method

Set Auth Method
  1. Select certificate-auth for Auth Method.
  2. Click Save.

2.4. Close the Reverse Proxy Settings

Configuration saved successfully

Click Close.

3. Import the User Certificate to the Local Windows Store

Open Chrome Settings
  1. In Google Chrome, click the three dots next to the URL address bar.
  2. Click Settings.

3.1. Access the Certificate Settings

  1. Enter Certificate in the search text box.
  2. Select Manage certificates.

3.2. Choose Import Certificate

Start Import of certificate

Click Import under the Personal tab.

3.3. Start the Certificate Import Wizard

Click Next.


3.4. Choose the User Certificate

  1. Click Browse.
  2. Enter the certificate path, for example, C:\AW Tools and press Enter.
  3. Click the combo box and select Personal Information Exchange (*.pfx).
  4. Select the user certificate, for example, user-corplocal.pfx. This user certificate should match the root certificate previously uploaded to the Unified Access Gateway appliance.
  5. Click Open.
  6. Click Next.

3.5. Enter the User Certificate Password

Provide Password
  1. Enter a Password, for example, VMware1!.
  2. Click Next.

3.6. Choose the Personal Certificate Store

Certificate Imported

Keep the default selection and click Next.

The certificate will be imported to the Personal store.

3.7. Complete the Certificate Import Wizard

Finish

Click Finish.

3.8. Confirm Certificate was Imported

Certificate imported

Click OK. The list of certificates is refreshed and the user certificate is listed as part of the Personal Store.

You have now imported the user certificate. The next step is to import the root certificate.

4. Import the Root Certificate to the Local Windows Store

Import Trusted Root

Import the Root certificate to complete the client-side configuration.

  1. Select Trusted Root Certification Authorities.
  2. Click Import.

4.1. Start the Certificate Import Wizard

Next

Click Next.

4.2. Choose the Root Certificate

  1. Click Browse.
  2. Enter the path to your root certificate, for example, C:\AW Tools and press Enter.
  3. Click the combo box and select All Files (*.*).
  4. Select the root certificate that was uploaded to the Unified Access Gateway appliance, for example, root-corplocal.pem.
  5. Click Open.
  6. Click Next.

4.3. Choose the Trusted Root Certification Authorities Store

Confirm

Click Next to confirm that you want to import the certificate under the Trusted Root Certification Authorities Store.

4.4. Complete the Certificate Import Wizard

Finish

Click Finish.

4.5. Confirm the Certificate Warning and Install (If Prompted)

Confirm

Click Yes to confirm the installation of the certificate.

4.6. Confirm the Certificate was Imported

Import successful

Click OK.

4.7. Confirm the Root Certificate was Imported

Certificate imported
  1. Confirm that your certificate is listed under Trusted Root Certification Authorities.
  2. Click Close.

5. Test the Certificate Authentication

Opening incognito window
  1. On Google Chrome, click the three dots next to the URL address bar.
  2. Click New incognito window.

5.2. Select the User Certificate

All the certificates in the Personal store that match the root certificates installed on the Unified Access Gateway appliance are shown in the certificate list. In this exercise, only one root certificate was uploaded for the domain intranet.corp.local, and only one certificate in the key store matches this root, so only one certificate is listed.

  1. Select the certificate.
  2. Click OK.


5.3. Confirm Certificate Authentication was Successful

The intranet page is displayed. From external networks, it is accessible only to users who have the correct certificate.

Click Close.

Conclusion

In this set of exercises, you have learned how to:

  • Deploy the VMware Unified Access Gateway on a two-NIC configuration using PowerShell script
  • Configure Web reverse proxy to access internal Web sites through HTTP and HTTPS protocols
  • Configure device certificate authentication to secure and restrict access to internal websites through Web reverse proxy configuration

For more information, see the VMware Unified Access Gateway documentation.