Deploying VMware Unified Access Gateway: VMware Workspace ONE Operational Tutorial

VMware Unified Access Gateway 3.3.1 | VMware Workspace ONE 9.6

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you deploy VMware Unified Access Gateway with one NIC using the vSphere Web Client, and then deploy VMware Unified Access Gateway with two NICs using a PowerShell script.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE® UEM is also helpful.

Deploying Unified Access Gateway with One NIC Through vSphere

Introduction

This section guides you through the GUI-based deployment and configuration of the VMware Unified Access Gateway OVF in the VMware vSphere Web Client.

These exercises provide instructions for deploying a Unified Access Gateway appliance in vSphere using a single Network Interface Card (NIC) deployment. The Unified Access Gateway administration console is used to configure the Unified Access Gateway Certificate and change network settings.

These exercises cover Unified Access Gateway 3.3.1 deployment in vSphere 6.5 U1.

The purpose is to provide a basic deployment option for exploration or proof of concept, to demonstrate available tools in the administration console, and to describe the components that support the features and services. If you want a more advanced deployment with two or more NICs in a production environment, see Deploying Unified Access Gateway with Two NICs Through PowerShell.

Architecture

The architectural diagram below shows an example environment that emulates a typical environment, including DMZ and internal networks.

In this example, external requests to the vApp are sent to the vPod Router, which directs those requests to the appropriate resource based on the incoming port. Ports 4000-6500 are reserved for the environment components, so all traffic arriving on these ports is forwarded to the appropriate Edge Service on the Unified Access Gateway server. In addition, ports 443 and 9443 are forwarded to the Unified Access Gateway server on the same ports.

The vApp networks (internal, DMZ, and transit) are created within the vApp. The internal and transit networks are NATed to the SE-UCS-Network for outbound Internet connectivity, while the DMZ network routes through the vPod Router for inbound and outbound access. Note that the vPod Router does not have a NIC on the internal network and therefore cannot route external traffic to resources on the internal network.

Diagram components: vPod Router; ESXi01 6.5.0 U1; Control Center; vCenter Server 6.5 U1 hosted on ESXi01.

Architecture Overview Diagram

The following architectural diagram shows an example of two major networks that you can deploy your servers into. For this set of exercises, you deploy the Unified Access Gateway appliance on a DMZ and assign the respective NICs.

At the top of the diagram is vCenter Networking. At the bottom of the diagram is the vApp network required to support the environment. For these exercises, the focus is on the network hosted on the ESXi, and represented by the following three networks:

  • VM Network & Management: Represents the dedicated network used to access the Management Console.
  • Internal Network: Represents the internal network in the 172.16.0.x range. The Control Center, ESXi, and vCenter are part of the internal network.
  • DMZ Network: Represents the DMZ network in the 192.168.110.x range, where the Unified Access Gateway appliance is deployed. The Unified Access Gateway Internet-facing NIC is associated with this network.

Network Interfaces

Unified Access Gateway supports deployments with one, two, or three NICs. This means that the server can be partitioned to receive traffic on a single interface or to route traffic to different interfaces, based on the source of the request. Most often, if you need to implement multiple NICs, you already follow this standard with other web applications in your organization.

You must determine what is appropriate for your environment when selecting the number of NICs during installation. It is important for you to understand the expected behavior when two or three NICs are enabled.

Two sections are provided to explore these options. As a first step toward understanding basic deployments, you can install Unified Access Gateway with one NIC using vSphere Client, described in Deploying Unified Access Gateway with One NIC Through vSphere. You can then advance to the next step and install Unified Access Gateway with two NICs as a production environment using PowerShell, described in Deploying Unified Access Gateway with Two NICs Through PowerShell.

General Considerations

In the exercises for deploying the Unified Access Gateway server through vSphere, the vCenter setup is hosted in a nested template. This is not usually the case when working with users in a live environment.

User environments can include multiple networks and can optionally have a Network Protocol Profile (NPP) that corresponds to each network connected to the Unified Access Gateway. Prior to version 3.3, NPP was a requirement. Since version 3.3, NPP is no longer required.

Note: Keep in mind that the Unified Access Gateway requires a netmask, default gateway, and subnet to be defined for each network enabled during deployment.

Prerequisites

Before you can perform the exercises to deploy Unified Access Gateway using vSphere Web Client, you must satisfy the following requirements:

  • Set up a VMware vSphere ESXi host with a vCenter Server
  • Obtain a Unified Access Gateway virtual appliance image OVA file, such as .euc-access-point-3.3.X.X-XXXXXXXXXXX.ova (see VMware Product Interoperability Matrixes to determine which version to download)
  • Set up a vSphere data store and the network to use

Note: Starting with Unified Access Gateway 3.3, you can deploy Unified Access Gateway without specifying the netmask and default gateway settings in Network Protocol Profiles (NPP). You can specify this networking information directly during deployment of your Unified Access Gateway appliance.

Logging In to the vSphere Web Client

To perform most of this exercise, you need to log in to the vSphere Web Client.

1. Launch Chrome Browser

Launch Chrome Browser

Double-click the Google Chrome browser icon on the desktop.

2. Authenticate to the vSphere Web Client

  1. Launch the Chrome browser from your desktop and click the bookmark for vSphere.
  2. Enter the username, such as administrator@vsphere.local.
  3. Enter the password, such as VMware1!.
  4. Click Login.

After completing the login, you are presented with the vSphere Web Client.

Deploying Unified Access Gateway with vSphere

In this section, you explore the vSphere Admin UI and learn how to deploy an OVF Template by configuring the necessary fields for the Unified Access Gateway. You deploy the Unified Access Gateway in a one-NIC configuration, meaning that the Internet-facing, internal-facing, and management networks all reside on a single NIC.

1. Deploying the OVF Template

Deploying UAG OVF Template
  1. Click the VMs and Templates button.
  2. Right-click the vSphere appliance, such as vc.corp.local.
  3. Click Deploy OVF Template...

2. Uploading OVF Template

Uploading OVF Template
  1. Select Local File.
  2. Click Browse.

2.1. Select the OVF File

Select OVF
  1. Click Desktop.
  2. Click UAG Resources.
  3. Click UAG Files.
  4. Select the euc-unified-access-gateway-3.3.#.#-#####.ovf file.
  5. Click Open.

3. Continue after OVF File Selected

Continue

Click Next.

4. Select Name and Location

Select Name and Location
  1. Select Nested_Datacenter.
  2. Click Next.

5. Select a Resource

Select a resource
  1. Select Host_Cluster.
  2. Click Next.

6. Review Details

Review details

Review the details here. These items are updated as you complete the OVF Template wizard.

Click Next.

7. Select Configuration

Select configuration
  1. Select Single NIC.
  2. Click Next.

Note: The drop-down menu provides a short description of each configuration and sizing of the Unified Access Gateway VM.

  • Single NIC: In this exercise, the Single NIC configuration means that all traffic to the Unified Access Gateway is received on the same interface regardless of the source, and the Admin UI runs on the same NIC over port 9443.
  • Two NICs: Directs traffic from external networks to the public interface, and traffic from within the network to an internal interface. The Admin UI runs on the same internal interface.
  • Three NICs: Directs traffic from external networks to the public interface, and traffic from within the network to an internal interface. In this configuration, the Admin UI runs on a separate, dedicated Network Interface. When selecting multiple NICs, you must then configure the corresponding network values for each NIC in the Setup Networks and Customize Template sections later in the wizard.

Users who require multiple NICs typically follow this same protocol for other web application servers within their organization. For more information on deploying the Unified Access Gateway with multiple NICs, see Deploying and Configuring VMware Unified Access Gateway.

8. Select Storage

Select storage
  1. Select Thin provision.
  2. Select a datastore, such as datastore2_ESXi01.
  3. Select Next.

9. Select Networks

Select networks
  1. For this appliance, select the destination of each source, such as DMZ_VM_DPortGroup in this example.
    Note: You selected a single-NIC configuration, meaning that Internet, management, and backend traffic all go through one NIC. However, this step of the wizard still asks for three destination networks, which can cause confusion the first time you configure Unified Access Gateway. Because this is a single-NIC deployment, select the same destination network for all three source networks.
  2. Click Next.

10. Customize Template

Scroll through the Customize Template and provide the information required.

10.1. Customize Template 1 of 4

Customize Template 1 of 4
  1. Uncheck the Join CEIP check box.
  2. Click the Networking Properties down arrow.
  3. Scroll down.

10.2. Customize Template 2 of 4

Customize Template 2 of 4
  1. Enter the DNS server addresses, such as 192.168.110.10 in this example.
  2. Enter the IPMode, such as STATICV4 in this example.
  3. Enter the Default Gateway address, such as 192.168.110.1 in this example.
  4. Enter the NIC 1 (eth0) IPv4 address, such as 192.168.110.20 in this example.
  5. Scroll down.

10.3. Customize Template 3 of 4

Customize Template 3 of 4
  1. Enter the NIC1 (eth0) IPv4 netmask, such as 255.255.255.0 in this example.
  2. Enter the Unified Gateway Appliance Name, such as UAG01.
  3. Click Password Options.
  4. Scroll down.

10.4. Customize Template 4 of 4

Customize Template 4 of 4
  1. Enter the admin user password, which enables REST API access.
  2. Reenter to confirm the password.
  3. Enter the root user password of the Unified Access Gateway VM.
  4. Reenter to confirm the password.
  5. Click Next.

11. Ready to Complete

Ready to complete

Review all the settings entered in the Network Mapping and Properties windows to ensure there are no errors.

Click Finish.

12. Accessing the Task Console

Accessing the Task Console

You can follow the status of the OVF deployment through the task console.

  1. Click the Home icon.
  2. Click Tasks.

13. Monitoring OVF Import and Deployment

Monitoring OVF Import and Deployment
  1. Wait until the Deploy OVF package and Deploy OVF Template complete.
  2. Click Back.

13.1. Handling a Failed OVF Deploy (If Needed)

Deployment error

If your Import OVF package task fails with the error saying, "Failed to deploy OVF package" on the Tasks Console, restart the deployment by returning to step Deploying the OVF Template.

14. Power on Unified Access Gateway Appliance

Power on UAG Appliance
  1. Select the virtual machine, such as euc-unified-access-gateway-xxxx in this example.
  2. Click the Power on icon.
  3. Click the Refresh icon.
  4. The UAG VM screen turns blue as soon as the initialization finishes.
  5. Wait until an IP address is assigned to this VM, such as 192.168.110.20 in this example.

Warning: Do not continue to the next step until the VM receives the associated IP address! This can take one or two minutes.

Configuring TLS/SSL Certificates

1. Navigate to the Unified Access Gateway Administration Console Login

UAG Admin UI Login
  1. Click the New Tab button.
  2. Enter the URL, such as https://192.168.110.20:9443/admin for this example, and press Enter.
  3. Click the Advanced link.
  4. Accept the security exception and click the Proceed to 192.168.110.20 (unsafe) link. The browser warns because the appliance still presents its self-signed default certificate; you replace it with a CA-signed certificate in step 4.

2. Log In to the Unified Access Gateway Administration Console

UAG Login
  1. Enter the username, such as admin in this example.
  2. Enter the password created for the Admin API in the Deploy OVF Wizard.
  3. Click Login.

3. Choose Manual Configuration

A successful login redirects you to the window where you can import settings or manually configure the Unified Access Gateway appliance.

Under Configure Manually, click Select.

4. Configure TLS/SSL Certificates

Configuring TLS/SSL Certificates for Unified Access Gateway Appliances

TLS/SSL is required for client connections to Unified Access Gateway appliances. Client-facing Unified Access Gateway appliances and intermediate servers that terminate TLS/SSL connections require TLS/SSL server certificates.

TLS/SSL server certificates are signed by a Certificate Authority (CA). A CA is a trusted entity that guarantees the identity of the certificate and its creator. When a certificate is signed by a trusted CA, users no longer receive messages asking them to verify the certificate, and thin client devices can connect without requiring additional configuration. A default TLS/SSL server certificate is generated when you deploy a Unified Access Gateway appliance.

At this point, the Unified Access Gateway appliance is using the default certificate, which is not signed by a trusted CA.

Under Advanced Settings, click the gear icon for TLS Server Certificate Settings.

4.1. Configure Certificate Type

  1. Select the gear icon for TLS Server Certificate Settings under Advanced Settings.
  2. Check Internet interface.
  3. Check Admin interface.
  4. Select PFX as Certificate Type.

4.2. Upload PFX Certificate

Upload Certificate

Click Select to upload the certificate in PFX format.

4.3. Select the PFX Certificate

  1. Navigate to the PFX certificate, as in this example in File Explorer:
    • Click Local Disk (C:).
    • Click AW Tools.
    • Click the PFX certificate file, such as airwlab.com.pfx.
  2. Click Open.

4.4. Enter the Certificate Password and Save

  1. Enter the certificate password.
  2. Click Save.

4.5. Verify Changes to the Certificate

You receive a message stating that the Internet-facing interface certificate has changed. You must reload the administration console to see the changes you made.

  1. Click the Close button on the Unified Access Gateway administration console browser tab.
  2. Click the New Tab button.

4.6. Validate Certificate Installation

Certificate Validation

Browse to your Unified Access Gateway URL, such as https://uagmgt-dmz.airwlab.com:9443/admin in this example, or click a bookmark if you created one.

You should no longer see a certificate error in the browser address bar.
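As an added check that is not part of the VMware tutorial, the following Windows PowerShell script (function names Get-UagServedCertificate and Test-CertificateHostName are this example's own) connects to the appliance and reports the certificate it actually serves, so you can confirm that the uploaded PFX replaced the self-signed default on both the admin interface (9443) and the Internet interface (443). The host name is the tutorial's example; adjust it for your environment.

```powershell
# Added check, not part of the VMware tutorial: inspect the certificate the
# Unified Access Gateway presents after the PFX upload. Written for Windows
# PowerShell (the SAN parsing relies on the Windows Format() output).

function Test-CertificateHostName {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$HostName
    )
    $names = @()
    # Subject Alternative Name (OID 2.5.29.17); Format() renders "DNS Name=..." entries on Windows
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    # Fall back to the subject CN when the certificate carries no SAN
    $names += $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    foreach ($n in $names) {
        if ($n -eq $HostName) { return $true }
        # A wildcard such as *.airwlab.com matches exactly one leading label
        if ($n.StartsWith('*.') -and ($HostName -match '^[^.]+\.(.+)$') -and ($Matches[1] -eq $n.Substring(2))) {
            return $true
        }
    }
    return $false
}

function Get-UagServedCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 9443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        # Accept any certificate during the handshake; trust is evaluated separately below
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)   # evaluated against this client machine's trust store
        [pscustomobject]@{
            Endpoint     = "${HostName}:$Port"
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            HostMatches  = Test-CertificateHostName -Cert $cert -HostName $HostName
            ChainTrusted = $trusted
            ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Single-NIC deployment: the admin UI (9443) and the Internet interface (443) share one address
$results = foreach ($port in 9443, 443) {
    Get-UagServedCertificate -HostName 'uagmgt-dmz.airwlab.com' -Port $port
}
$results | Format-List

# A certificate that is still self-signed, untrusted, or issued for another name
# means the upload did not take effect on that interface
$results | Where-Object { $_.SelfSigned -or -not $_.ChainTrusted -or -not $_.HostMatches } |
    ForEach-Object { Write-Warning "$($_.Endpoint): certificate not yet valid for clients ($($_.ChainStatus))" }
```

Run it from the same Windows machine you use for the browser check, because ChainTrusted reflects that machine's trusted root store.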

Updating Network Settings

You can now log in to the Unified Access Gateway administration console and update the network settings so that the Unified Access Gateway is deployed on a different IP than originally.

1. Log In to the Unified Access Gateway Administration Console

Access UAG Admin UI

Log in to the Unified Access Gateway administration console (such as https://uag.airwlab.com:9443/admin).

  1. Enter the username, such as admin in this example.
  2. Enter the password.
  3. Click Login.

2. Select Configure Manually

Access Settings

Under Configure Manually, click Select.

3. Access Network Settings

Access to network settings

Under Advanced Settings, click the gear icon for Network Settings.

4. View and Edit the Network Settings

Network Settings
  1. Click the down arrow for NIC 1, the Internet-facing interface.
  2. View the configuration detail displayed about NIC 1.
  3. Click the gear icon for NIC 1 to update the IP address.

5. Change Network Settings

NIC 1 Configuration

The Unified Access Gateway administration console allows you to update the IPv4 address and IP allocation mode associated with NIC 1.

  1. In the IPv4 Address field, enter the new IP address (such as 192.168.110.21 in this example) to update it.
  2. Click Save.

6. Wait for Network Settings to Complete

Configuration in Progress

After saving, a message appears: NIC1 configuration in progress. This means that the Unified Access Gateway is updating the NIC with the new IP address and restarting the NIC. You temporarily lose connectivity to the administration console; the message disappears when the configuration is finished.

After the configuration completes, click Close.

7. Validate the Network Changes

Accessing UAG Admin UI based on new IP address

The page automatically reloads on the new IP address you configured for your Unified Access Gateway. You can also enter the new IP manually to navigate to the Unified Access Gateway administration console.

  1. Enter the URL to access the Unified Access Gateway administration console, based on the new IP address, such as https://192.168.110.21:9443/admin in this example.
  2. Enter the username, such as admin in this example.
  3. Enter the password.
  4. Click Login.

You now have access to the Unified Access Gateway administration console using the new IP address.

Deploying Unified Access Gateway with Two NICs Through PowerShell

Introduction

This section guides you through the configuration and deployment of the VMware Unified Access Gateway appliance using a PowerShell script. The exercises also describe how to set up a reverse proxy to access internal websites through the Unified Access Gateway administration console.

In these exercises, the Unified Access Gateway appliance is deployed with two NICs. One NIC faces the Internet, and the second one is dedicated to management and backend access.

These exercises cover Unified Access Gateway 3.3.1 deployment in vSphere 6.5 U1.

The purpose is to provide a deployment option for an environment that could be used for production. If you want a more basic deployment with a single NIC for proof of concept, see Deploying Unified Access Gateway with One NIC through vSphere.

Architecture

The architectural diagram below shows an example environment that emulates a typical environment, including DMZ and internal networks.

In this example, external requests to the vApp are sent to the vPod Router, which directs those requests to the appropriate resource based on the incoming port. Ports 4000-6500 are reserved for the environment components, so all traffic arriving on these ports is forwarded to the appropriate Edge Service on the Unified Access Gateway server. In addition, ports 443 and 9443 are forwarded to the Unified Access Gateway server on the same ports.

The vApp networks (internal, DMZ, and transit) are created within the vApp. The internal and transit networks are NATed to the SE-UCS-Network for outbound Internet connectivity, while the DMZ network routes through the vPod Router for inbound and outbound access. Note that the vPod Router does not have a NIC on the internal network and therefore cannot route external traffic to resources on the internal network.

Diagram components: vPod Router; ESXi01 6.5.0 U1; Control Center; vCenter Server 6.5 U1 hosted on ESXi01.

Architecture Overview Diagram

The following architectural diagram shows an example of two major networks that you can deploy your servers into. For this set of exercises, you deploy the Unified Access Gateway appliance on a DMZ and assign the respective NICs.

At the top of the diagram is vCenter Networking. At the bottom of the diagram is the vApp network required to support the environment. For these exercises, the focus is on the network hosted on the ESXi, and represented by the following three networks:

  • VM Network & Management: Represents the dedicated network used to access the Management Console.
  • Internal Network: Represents the internal network in the 172.16.0.x range. The Control Center, ESXi, and vCenter are part of the internal network.
  • DMZ Network: Represents the DMZ network in the 192.168.110.x range, where the Unified Access Gateway appliance is deployed. The Unified Access Gateway Internet-facing NIC is associated with this network.

Network Interfaces

Unified Access Gateway supports deployments with one, two, or three NICs. This means that the server can be partitioned to receive traffic on a single interface or to route traffic to different interfaces, based on the source of the request. Most often, if you need to implement multiple NICs, you already follow this standard with other web applications in your organization.

You must determine what is appropriate for your environment when selecting the number of NICs during installation. It is important for you to understand the expected behavior when two or three NICs are enabled.

Two sections are provided to explore these options. As a first step toward understanding basic deployments, you can install Unified Access Gateway with one NIC using vSphere Client, described in Deploying Unified Access Gateway with One NIC Through vSphere. You can then advance to the next step and install Unified Access Gateway with two NICs as a production environment using PowerShell, described in Deploying Unified Access Gateway with Two NICs Through PowerShell.

General Considerations

In the exercises for deploying the Unified Access Gateway server through vSphere, the vCenter setup is hosted in a nested template. This is not usually the case when working with users in a live environment.

User environments can include multiple networks and can optionally have a Network Protocol Profile (NPP) that corresponds to each network connected to the Unified Access Gateway. Prior to version 3.3, NPP was a requirement. Since version 3.3, NPP is no longer required.

Note: Keep in mind that the Unified Access Gateway requires a netmask, default gateway, and subnet to be defined for each network enabled during deployment.

Prerequisites

To deploy Unified Access Gateway using a PowerShell script, you must use the following specific versions of VMware products:

  • VMware vSphere ESX host with a vCenter Server
  • PowerShell script running on a Windows 8.1 or later machine, or on Windows Server 2008 R2 or later
  • Windows machine running the PowerShell script with the VMware OVF Tool command installed (see OVF Tool Software Download to install OVF Tool 4.3 or later)
  • Unified Access Gateway virtual appliance image OVA file, such as .euc-access-point-3.3.X.X-XXXXXXXXXXX.ova (see VMware Product Interoperability Matrixes to determine which version to download)
  • Unified Access Gateway PowerShell script, such as uagdeploy-VERSION.ZIP (see Using PowerShell to Deploy VMware Unified Access Gateway to select the correct script, note its name, and extract the files into a folder on your Windows machine)
  • vSphere data store and network to use

Starting with version 3.3, you can deploy Unified Access Gateway without specifying the netmask and default gateway settings in Network Protocol Profiles (NPP). You can specify this networking information directly during deployment of your Unified Access Gateway instance.

Logging In to the vSphere Web Client

To perform most of this exercise, you need to log in to the vSphere Web Client.

1. Launch Chrome Browser

Launch Chrome Browser

Double-click the Google Chrome browser icon on the desktop.

2. Authenticate to the vSphere Web Client

  1. Launch the Chrome browser from your desktop and click the bookmark for vSphere.
  2. Enter the username, such as administrator@vsphere.local.
  3. Enter the password, such as VMware1!.
  4. Click Login.

After completing the login, you are presented with the vSphere Web Client.

Starting Windows PowerShell

1. Launch PowerShell

Launch PowerShell window

Click the PowerShell icon located on the Windows task bar.


2. Navigate to the Unified Access Gateway Resources Directory

Navigate to the Unified Access Gateway Resources directory under the desktop user folder by entering cd '.\Desktop\UAG Resources' and then pressing Enter.

Preparing the INI File for Deployment

In this exercise, you learn how to use the INI file to deploy and configure a Unified Access Gateway using PowerShell, and how to edit the contents of the INI file for your Unified Access Gateway deployment.

1. Configure the General Deployment Settings

An INI file containing all of the configuration settings is required to deploy the Unified Access Gateway appliance.

In this exercise, you use the uag-2NIC.ini file to provide the respective parameters for your deployment.

You deploy a new Unified Access Gateway appliance, called UAG02 in this example, which has two NICs. NIC1 is Internet-facing and NIC2 is for backend and management.

1.1. Open the UAG-2NIC.ini File for Editing

Editing UAG-2NIC.ini

Navigate to the uag-2NIC.ini file as follows:

  1. Click the File Explorer icon on the task bar.
  2. Click Desktop.
  3. Click UAG Resources.
  4. Right-click the uag-2NIC.ini file.
  5. Click Edit with Notepad++.

1.2. Configure General Settings (1/2)

General Settings 1/2

In the General section, provide the following settings on the INI file:

  1. In the name field, enter a name, such as UAG02 in this example.
  2. In the source field, enter the path, such as C:\Users\Administrator\Desktop\UAG Resources\UAG Files\euc-unified-access-gateway-3.3.0.0-8539135_OVF10.ova, and use File Explorer to verify that the OVA file has the name indicated.
  3. In the target field, enter the destination path, such as vi://administrator@vsphere.local:VMware1!@vc.corp.local/Nested_Datacenter/host/Host_Cluster.
    Note: Instead of writing the vCenter password into the INI file in clear text, you can replace it with PASSWORD; the script then prompts for the password during the PowerShell execution.
  4. In the diskmode field, enter thin.
  5. In the ds field (ds refers to data store), enter datastore2_ESXi01.
  6. In the deploymentOption field, enter twonic.


1.3. Configure General Settings (2/2)

General Settings 2/2

Continue the General section configuration, and set the following additional values for the parameters on the INI file, keeping in mind that ip0 is the Internet-facing NIC, and ip1 is the internally facing NIC:

  1. In the ipMode field, enter STATICV4.
  2. In the defaultGateway field, enter the IP address, such as 192.168.110.1.
  3. In the dns field, enter the IP address, such as 192.168.110.10.
  4. In the ip0 field, enter the IP address, such as 192.168.110.20.
    Important: ip0 is the Internet-facing NIC.
  5. In the ip1 field, enter the IP address, such as 172.16.0.20.
    Important: ip1 is the internally facing NIC.
  6. In the netmask0 and netmask1 fields, enter the netmask, such as 255.255.255.0.
  7. In the netInternet field, enter DMZ_VM_DPortGroup.
  8. In the netManagementNetwork and netBackendNetwork fields, enter Internal_VM_DPortGroup.

1.4. Configure the TLS/SSL Certificates

The SSLCert and SSLCertAdmin sections contain the TLS/SSL certificate settings for the Internet and administration interfaces, respectively.

  1. In the pfxCerts field under SSLCert, enter C:\AW Tools\airwlab.com.pfx (this certificate is for the Internet interface).
  2. In the pfxCerts field under SSLCertAdmin, enter C:\AW Tools\airwlab.com.pfx (this certificate is for the administration interface).

Note: The certificate password is requested during the deployment.
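As an added example that is not from the VMware tutorial or from the uagdeploy.ps1 script, the following Windows PowerShell script assembles the uag-2NIC.ini described in the steps above (using the PASSWORD placeholder rather than the clear-text vCenter password) and checks it before deployment. The function names (ConvertFrom-UagIni, Get-NetworkId, Test-UagTwoNicIni) and the check rules are this example's own assumptions based on the tutorial's layout, not requirements enforced by uagdeploy.ps1.

```powershell
# Added example, not from the VMware tutorial or uagdeploy.ps1: build the
# uag-2NIC.ini from the values in the steps above and sanity-check it before
# handing it to the deployment script. The checks (separate networks for
# ip0/ip1, gateway on the Internet-facing network, no clear-text vCenter
# password, certificate files present) are assumptions reflecting this
# tutorial's environment.

$iniText = @'
[General]
name=UAG02
source=C:\Users\Administrator\Desktop\UAG Resources\UAG Files\euc-unified-access-gateway-3.3.0.0-8539135_OVF10.ova
target=vi://administrator@vsphere.local:PASSWORD@vc.corp.local/Nested_Datacenter/host/Host_Cluster
diskmode=thin
ds=datastore2_ESXi01
deploymentOption=twonic
ipMode=STATICV4
defaultGateway=192.168.110.1
dns=192.168.110.10
ip0=192.168.110.20
netmask0=255.255.255.0
ip1=172.16.0.20
netmask1=255.255.255.0
netInternet=DMZ_VM_DPortGroup
netManagementNetwork=Internal_VM_DPortGroup
netBackendNetwork=Internal_VM_DPortGroup

[SSLCert]
pfxCerts=C:\AW Tools\airwlab.com.pfx

[SSLCertAdmin]
pfxCerts=C:\AW Tools\airwlab.com.pfx
'@

function ConvertFrom-UagIni {
    # Minimal INI reader: [section] headers, key=value lines, ';' comments
    param([string]$Text)
    $ini = @{}; $section = ''
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
        if ($line -match '^([^=]+)=(.*)$') { $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    return $ini
}

function Get-NetworkId {
    # Network address of an IPv4 host given its dotted netmask, e.g. 192.168.110.0
    param([string]$Ip, [string]$Mask)
    $ipBytes   = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $maskBytes = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    return (0..3 | ForEach-Object { $ipBytes[$_] -band $maskBytes[$_] }) -join '.'
}

function Test-UagTwoNicIni {
    param([hashtable]$Ini)
    $problems = @()
    $g = $Ini['General']
    if (-not $g) { return ,@('missing [General] section') }

    # Every key the tutorial fills in for a two-NIC deployment must be present
    $required = 'name','source','target','diskmode','ds','deploymentOption','ipMode','defaultGateway',
                'dns','ip0','netmask0','ip1','netmask1','netInternet','netManagementNetwork','netBackendNetwork'
    foreach ($k in $required) { if (-not $g[$k]) { $problems += "General.$k is missing or empty" } }
    if ($problems) { return ,$problems }   # the checks below need these values

    if ($g['deploymentOption'] -ne 'twonic') { $problems += "deploymentOption is '$($g['deploymentOption'])', expected twonic" }

    # ip0 (Internet-facing) and ip1 (internal) should be on different networks, and in this
    # tutorial the default gateway sits on the Internet-facing network
    $net0 = Get-NetworkId $g['ip0'] $g['netmask0']
    $net1 = Get-NetworkId $g['ip1'] $g['netmask1']
    if ($net0 -eq $net1) { $problems += "ip0 and ip1 are both on $net0; NIC1 and NIC2 should use separate networks" }
    if ((Get-NetworkId $g['defaultGateway'] $g['netmask0']) -ne $net0) {
        $problems += "defaultGateway $($g['defaultGateway']) is not on the ip0 network $net0"
    }
    if ($g['netInternet'] -eq $g['netManagementNetwork']) {
        $problems += 'netInternet and netManagementNetwork use the same port group; DMZ and internal networks should differ'
    }

    # Keep the vCenter password out of the file: PASSWORD makes uagdeploy.ps1 prompt for it
    if ($g['target'] -match '^vi://[^:/]+:([^@]+)@' -and $Matches[1] -ne 'PASSWORD') {
        $problems += 'target embeds the vCenter password in clear text; replace it with PASSWORD'
    }

    # Both interfaces need a certificate entry pointing at a file that exists
    foreach ($sec in 'SSLCert', 'SSLCertAdmin') {
        $pfx = if ($Ini[$sec]) { $Ini[$sec]['pfxCerts'] }
        if (-not $pfx) { $problems += "[$sec] has no pfxCerts entry" }
        elseif (-not (Test-Path -LiteralPath $pfx)) { $problems += "[$sec] pfxCerts file not found: $pfx" }
    }
    return ,$problems
}

$problems = Test-UagTwoNicIni (ConvertFrom-UagIni $iniText)
if ($problems.Count -eq 0) {
    Set-Content -LiteralPath '.\uag-2NIC.ini' -Value $iniText -Encoding ASCII
    Write-Host 'uag-2NIC.ini written; pass it to uagdeploy.ps1 as the first argument.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it from the UAG Resources folder so the written INI lands next to uagdeploy.ps1; on a machine without C:\AW Tools\airwlab.com.pfx the script reports the missing certificate instead of writing the file.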

Deploying the Unified Access Gateway Appliance

Now that you have configured the INI file for your Unified Access Gateway deployment, you can run the uagdeploy.ps1 PowerShell script and provide this INI file as the configuration to automate the deployment.

1. Execute the Deployment Script

As the script starts, it prompts for the following information:

  1. When prompted, enter the information requested, such as in the following example:
    .\uagdeploy.ps1 .\uag-2NIC VMware1! VMware1! false false no
    • The first VMware1! is the root password for the Unified Access Gateway appliance.
    • The second VMware1! is the admin password for the REST API management access.
    • The first false is to NOT skip the validation of signature and certificate.
    • The second false is to NOT skip SSL verification for the vSphere connection.
    • The no is to not join the VMware CEIP program.
  2. When prompted, enter the password for the certificates referenced in the SSLCert and SSLCertAdmin sections.

To avoid the certificate password prompt, remove the pfxCerts values and use a PEM certificate instead: set pemCerts and pemPrivKey in both the SSLCert and SSLCertAdmin sections of the INI file.

The deployment starts and you can follow the progress on the same window or on your vSphere Web Client, which you opened at the beginning of this tutorial.

2. Confirm that the PowerShell Script Deployment Completes

After the deployment finishes successfully, the script automatically powers on the UAG02 VM.

The Received IP address shown in the script log is a temporary IP. The final IPs for NIC 1 and NIC 2 are assigned to the Unified Access Gateway appliance during the first start. You can return to the vSphere Web Client to validate this, as described in the next step.

3. Validate the Deployment

Validating UAG Appliance status
  1. Click VM and Templates.
  2. Click UAG-2NIC.
  3. Click View all 2 IP addresses.

Important: If the Unified Access Gateway appliance does not finalize the configuration during the first startup, you receive an error message from vSphere Web Client. If that happens, wait for the appliance to finalize, and refresh the entire Google Chrome browser.

4. Log In to the Unified Access Gateway Administration Console

UAG Admin UI Login
  1. Click the New Tab button to open a new tab.
  2. Browse to the Unified Access Gateway Administration Console using the URL, such as  https://uagmgt-int.airwlab.com:9443/admin or by clicking a bookmark if you created one.
  3. Enter the username, such as admin in this example.
  4. Enter the password created for the Admin API in the Deploy OVF Wizard.
  5. Click Login.

5. Confirm the Unified Access Gateway Administration Console Login on the Internal Network

A successful login redirects you to the initial window where you can import settings or manually configure the Unified Access Gateway appliance.

  1. Click Admin.
  2. Click Logout.

Configuring Web Reverse Proxy

At this point, the Unified Access Gateway has been deployed and you are able to access the Unified Access Gateway administration console to add and change configurations of your Unified Access Gateway appliance.

This exercise shows you how Unified Access Gateway can be used as a Web reverse proxy, and can act as either a plain reverse proxy or an authenticating reverse proxy in the DMZ. In this exercise, you learn how to set up a plain reverse proxy.

1. Power ON Intranet VM

Power ON Intranet VM

Return to the vSphere Web Client to Power ON the VM Intranet, which is hosted on the internal network to be used as part of the Web Reverse Proxy exercise.

  1. Click VM and Templates.
  2. Click Intranet.
  3. Click the Power On icon.

2. Access Unified Access Gateway Administration Console

Access UAG Admin UI
  1. Click the New Tab button to open a new tab.
  2. Browse to the Unified Access Gateway URL, such as https://uagmgt-int.airwlab.com:9443/admin in this example, or click a bookmark if you created one.
  3. Enter the username, such as admin in this example.
  4. Enter the password created for the Admin API in the Deploy OVF Wizard.
  5. Click Login.

3. Select Configure Manually

Access Settings

Under Configure Manually, click Select.

4. Access Reverse Proxy Settings

Accessing Reverse Proxy Settings
  1. Click the Show toggle next to Edge Service Settings. After you click, it switches to display the Hide option.
  2. Click the gear icon next to Reverse Proxy Settings.

5. Add Reverse Proxy Settings

Adding Reverse Proxy Settings

Click Add to create a new reverse proxy setting that can be used to access the intranet.

6. Define Features Used by Reverse Proxy

Enabling Reverse Proxy Settings

Click Enable Reverse Proxy Settings only. The toggle switches to YES.

Note: The Enable Identity Bridging feature can be configured to provide single sign-on (SSO) to legacy Web applications that use Kerberos Constrained Delegation (KCD) or header-based authentication. However, this feature is not enabled for this exercise.

7. Configure Intranet Reverse Proxy Settings

Configuring Intranet settings for Reverse Proxy
  1. Enter the Instance Id, such as intranet, which is a unique name to identify and differentiate a Web reverse proxy instance from all other Web reverse proxy instances.
  2. Enter the Proxy Destination URL, such as http://intranet.corp.local, which represents the address of the Web application.
  3. Enter the Proxy Pattern, such as (|/intranet(.*)|), which specifies the URI paths that are forwarded to the destination URL.
  4. Click Save.

Additional parameters can be configured for this type of reverse proxy. For more information, see Configure Reverse Proxy With VMware Identity Manager.
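To make the proxy pattern behaviour concrete, the following is an added example (not part of this tutorial or of the Unified Access Gateway product) that models the instance configured in step 7 and checks which request paths it would forward. It assumes the pattern is applied as a full-string regular-expression match against the request path; the tighter pattern shown for comparison is a suggestion added here, not a value from the tutorial.

```python
import re
from dataclasses import dataclass

# Constructed from the values entered in step 7 of the tutorial.
# Assumption: Unified Access Gateway compares the proxy pattern against the
# whole request path (full-string match), so the empty alternatives in
# (|/intranet(.*)|) can only match an empty path and are otherwise inert.


@dataclass(frozen=True)
class ReverseProxyInstance:
    instance_id: str
    proxy_destination_url: str
    proxy_pattern: str

    def forwards(self, path: str) -> bool:
        """True when the request path would be forwarded to the destination."""
        return re.fullmatch(self.proxy_pattern, path) is not None


def route(instances, path):
    """Return the instance id that would serve the path, or None when no
    configured pattern matches (the request is not proxied at all)."""
    for inst in instances:
        if inst.forwards(path):
            return inst.instance_id
    return None


def paths_outside_prefix(inst, prefix):
    """List constructed sibling paths that the pattern admits even though they
    are not under the intended prefix tree. A non-empty result means the
    pattern is broader than the path it was written for."""
    probes = [prefix + "x", prefix + "-old/default.aspx", prefix + "_backup"]
    return [p for p in probes if inst.forwards(p)]


# The instance exactly as configured in the tutorial.
INTRANET = ReverseProxyInstance("intranet", "http://intranet.corp.local",
                                "(|/intranet(.*)|)")

# Tighter alternative (added here, not from the tutorial): only /intranet
# itself and paths below /intranet/ match, so /intranetx is not forwarded.
INTRANET_STRICT = ReverseProxyInstance("intranet", "http://intranet.corp.local",
                                       "/intranet(/.*)?")

if __name__ == "__main__":
    for p in ["/intranet", "/intranet/default.aspx", "/intranetx", "/admin"]:
        print(f"{p:26} -> {route([INTRANET], p)}")
    print("broader than /intranet/:", paths_outside_prefix(INTRANET, "/intranet"))
    print("strict pattern admits:", paths_outside_prefix(INTRANET_STRICT, "/intranet"))
```

The point of the comparison is that `(.*)` directly after `/intranet` also accepts sibling names such as `/intranetx`; if only the `/intranet/` tree should be published, the stricter form keeps the pattern to that tree.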

8. Close the Reverse Proxy Settings

Configuration saved successfully

Click Close.

9. Validating Reverse Proxy Configuration

Validating reverse proxy configuration for intranet
  1. Click the down arrow for the Reverse Proxy Settings.
  2. Click the refresh icon for the Edge Service Settings.
  3. Confirm that the intranet proxy status is GREEN.

After you add the reverse proxy settings for the intranet, the Unified Access Gateway appliance tests the communication between itself and the intranet. The status turns GREEN if a connection is possible; otherwise it shows RED.

Important: It can take a few minutes for the intranet proxy to show as GREEN. If you do not see it, click the refresh icon until you see the status change to either GREEN or RED.

10. Access the Intranet through Reverse Proxy

  1. Click the New Tab button to open a new tab.
  2. Enter https://uag.airwlab.com/intranet in the address bar and press Enter.
    Note: uag.airwlab.com resolves to the IP associated with the Unified Access Gateway Internet NIC, which in this example is 192.168.110.20.

The result is a sample intranet page hosted on an internal IIS Server.

  • Access to the intranet goes through Unified Access Gateway port 443, as a result of the TLS port sharing configuration enabled by default during deployment.
  • Access to the administration console goes through Unified Access Gateway port 9443 and, in this example, IP 172.168.0.20, which is associated with the internal NIC.

Summary and Additional Resources

Conclusion

In these exercises, you have learned how to:

  • Deploy the VMware Unified Access Gateway on one NIC using the vSphere Web Client
  • Access the VMware Unified Access Gateway administration console
  • Configure TLS Certificate for the Unified Access Gateway administrative and Internet interfaces
  • Change network settings from Unified Access Gateway administration console

For additional documentation, be sure to check out the VMware Unified Access Gateway Reference page at https://docs.vmware.com/en/Unified-Access-Gateway/

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment: Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Identity Manager.
identity provider (IdP): A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile device management (MDM) agent: Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP): A host that offers resources, tools, and applications to users and devices.
virtual desktop: The user interface of a virtual machine that is made available to an end user.
virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

About the Authors

This tutorial was written by:

  • Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.