Deploying Unified Access Gateway with One NIC Through vSphere

Introduction

This section guides you through the GUI-based deployment and configuration of the VMware Unified Access Gateway OVF in the VMware vSphere Web Client.

These exercises provide instructions for deploying a Unified Access Gateway appliance in vSphere using a single Network Interface Card (NIC) deployment. The Unified Access Gateway administration console is used to configure the Unified Access Gateway Certificate and change network settings.

These exercises cover Unified Access Gateway 3.3.1 deployment in vSphere 6.5 U1.

The purpose is to provide a basic deployment option for exploration or proof of concept, to demonstrate available tools in the administration console, and to describe the components that support the features and services. If you want a more advanced deployment with two or more NICs in a production environment, see Deploying Unified Access Gateway with Two NICs Through PowerShell.

Architecture

The architectural diagram below shows an example environment that emulates a typical deployment, including DMZ and internal networks.

In this example, external requests to the vApp are sent to the vPod Router, which directs those requests to the appropriate resource, based on the incoming port. Ports 4000-6500 are reserved for the environment components so all traffic coming in on these ports is forwarded to the appropriate Edge Service for the Unified Access Gateway server. In addition, ports 443 and 9443 are forwarded to the Unified Access Gateway server over the respective ports.

The vApp networks (internal, DMZ, and transit) are created within the vApp. The internal and transit networks are NATed to the SE-UCS-Network for outbound internet connectivity, while the DMZ network routes through the vPod Router for inbound and outbound access. Note that the vPod Router does not have a NIC on the internal network and thus cannot route external traffic to resources on the internal network.

Diagram components: vPod Router, ESXi01 6.5.0 U1, Control Center, and vCenter Server 6.5 U1 hosted on ESXi01.

Architecture Overview Diagram

The following architectural diagram shows an example of two major networks that you can deploy your servers into. For this set of exercises, you deploy the Unified Access Gateway appliance on a DMZ and assign the respective NICs.

At the top of the diagram is vCenter Networking. At the bottom of the diagram is the vApp network required to support the environment. For these exercises, the focus is on the network hosted on the ESXi, and represented by the following three networks:

  • VM Network & Management: Represents the dedicated network to access the Management Console
  • Internal Network: Represents the internal network on 172.16.0.x range. The Control Center, ESXI, and vCenter are part of the internal network.
  • DMZ Network: Represents the DMZ network on 192.168.110.x which is where the Unified Access Gateway appliance is to be deployed. The Unified Access Gateway Internet-facing NIC is associated to this network.

Network Interfaces

Unified Access Gateway supports deployments with one, two, or three NICs. This means that the server can be partitioned to receive traffic on a single interface or to route traffic to different interfaces, based on the source of the request. Most often, if you need to implement multiple NICs, you already follow this standard with other web applications in your organization.

You must determine what is appropriate for your environment when selecting the number of NICs during installation. It is important for you to understand the expected behavior when two or three NICs are enabled.

Two sections are provided to explore these options. As a first step toward understanding basic deployments, you can install Unified Access Gateway with one NIC using vSphere Client, described in Deploying Unified Access Gateway with One NIC Through vSphere. You can then advance to the next step and install Unified Access Gateway with two NICs as a production environment using PowerShell, described in Deploying Unified Access Gateway with Two NICs Through PowerShell.

General Considerations

In the exercises for deploying the Unified Access Gateway server through vSphere, the vCenter setup is hosted in a nested template. This is not usually the case when working with users in a live environment.

User environments can include multiple networks and can optionally have a Network Protocol Profile (NPP) that corresponds to each network connected to the Unified Access Gateway. Prior to version 3.3, NPP was a requirement. Since version 3.3, NPP is no longer required.

Note: Keep in mind that the Unified Access Gateway requires a netmask, default gateway, and subnet to be defined for each network enabled during deployment.

Prerequisites

Before you can perform the exercises to deploy Unified Access Gateway using vSphere Web Client, you must satisfy the following requirements:

  • Set up a VMware vSphere ESXi host with a vCenter Server
  • Obtain a Unified Access Gateway virtual appliance image OVA file, such as .euc-access-point-3.3.X.X-XXXXXXXXXXX.ova (see VMware Product Interoperability Matrixes to determine which version to download)
  • Set up a vSphere data store and the network to use

Note: Starting with Unified Access Gateway 3.3, you can deploy Unified Access Gateway without specifying the netmask and default gateway settings in Network Protocol Profiles (NPP). You can specify this networking information directly during deployment of your Unified Access Gateway appliance.

Logging In to the vSphere Web Client

To perform most of this exercise, you need to log in to the vSphere Web Client.

1. Launch Chrome Browser

Double-click the Google Chrome browser icon on the desktop.

2. Authenticate to the vSphere Web Client

  1. Launch the Chrome browser from your desktop and click the bookmark for vSphere.
  2. Enter the username, such as administrator@vsphere.local.
  3. Enter the password, such as VMware1!.
  4. Click Login.

After completing the login, you are presented with the vSphere Web Client.

Deploying Unified Access Gateway with vSphere

In this section, you explore the vSphere Admin UI and learn how to deploy an OVF Template by configuring the necessary fields for the Unified Access Gateway. You deploy the Unified Access Gateway in a one-NIC configuration, meaning that the Internet-facing, internal-facing, and management networks all reside on a single NIC.

1. Deploying the OVF Template

Deploying UAG OVF Template
  1. Click the VMs and Templates button.
  2. Right-click the vSphere appliance, such as vc.corp.local.
  3. Click Deploy OVF Template...

2. Uploading OVF Template

Uploading OVF Template
  1. Select Local File.
  2. Click Browse.

2.1. Select the OVF File

Select OVF
  1. Click Desktop.
  2. Click UAG Resources.
  3. Click UAG Files.
  4. Select the euc-unified-access-gateway-3.3.#.#-#####.ovf file.
  5. Click Open.

3. Continue after OVF File Selected

Continue

Click Next.

4. Select Name and Location

  1. Select Nested_Datacenter.
  2. Click Next.

5. Select a Resource

Select a resource
  1. Select Host_Cluster.
  2. Click Next.

6. Review Details

Review details

Review the details here. These items are updated as you complete the OVF Template wizard.

Click Next.

7. Select Configuration

Select configuration
  1. Select Single NIC.
  2. Click Next.

Note: The drop-down menu provides a short description of each configuration and sizing of the Unified Access Gateway VM.

  • Single NIC: In this exercise, the Single NIC configuration means that all traffic to the Unified Access Gateway is received on the same interface regardless of the source, and the Admin UI runs on the same NIC over port 9443.
  • Two NICs: Directs traffic from external networks to the public interface, and traffic from within the network to an internal interface. The Admin UI runs on the same internal interface.
  • Three NICs: Directs traffic from external networks to the public interface, and traffic from within the network to an internal interface. In this configuration, the Admin UI runs on a separate, dedicated Network Interface. When selecting multiple NICs, you must then configure the corresponding network values for each NIC in the Setup Networks and Customize Template sections later in the wizard.

Users who require multiple NICs typically follow this same protocol for other web application servers within their organization. For more information on deploying the Unified Access Gateway with multiple NICs, see Deploying and Configuring VMware Unified Access Gateway.

8. Select Storage

Select storage
  1. Select Thin provision.
  2. Select a datastore, such as datastore2_ESXi01.
  3. Click Next.

9. Select Networks

Select networks
  1. For this appliance, select the destination of each source, such as DMZ_VM_DPortGroup in this example.
    Note: A single-NIC configuration was selected, meaning the Internet, management, and backend traffic all go through one NIC. However, this step of the wizard still asks for three destination networks, which can cause confusion when you configure the Unified Access Gateway for the first time. Because this is a single-NIC deployment, select the same destination network for all three source networks.
  2. Click Next.

10. Customize Template

Scroll through the Customize Template and provide the information required.

10.1. Customize Template 1 of 4

  1. Uncheck the Join CEIP check box.
  2. Click the Networking Properties down arrow.
  3. Scroll down.

10.2. Customize Template 2 of 4

  1. Enter the DNS server addresses, such as 192.168.110.10 in this example.
  2. Enter the IPMode, such as STATICV4 in this example.
  3. Enter the Default Gateway address, such as 192.168.110.1 in this example.
  4. Enter the NIC 1 (eth0) IPv4 address, such as 192.168.110.20 in this example.
  5. Scroll down.

10.3. Customize Template 3 of 4

  1. Enter the NIC 1 (eth0) IPv4 netmask, such as 255.255.255.0 in this example.
  2. Enter the Unified Gateway Appliance Name, such as UAG01.
  3. Click Password Options.
  4. Scroll down.
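The note in General Considerations says the appliance needs a consistent netmask, default gateway, and subnet for every enabled NIC, and a mismatch between the values typed into Customize Template 2 of 4 and 3 of 4 is a common reason the VM never comes up on the expected address. The following script is an added example, not part of this guide or of the Unified Access Gateway product, that checks those STATICV4 values for consistency before you enter them. The sample values are the ones used in this exercise; the function names are the example's own.

```python
import ipaddress

# Constructed sample mirroring the values entered in Customize Template 2 of 4
# and 3 of 4 (NIC 1 address, netmask, default gateway, DNS server).
EXAMPLE_SETTINGS = {
    "ip": "192.168.110.20",
    "netmask": "255.255.255.0",
    "gateway": "192.168.110.1",
    "dns": ["192.168.110.10"],
}


def validate_static_v4(ip, netmask, gateway, dns):
    """Return a list of problems with a STATICV4 NIC configuration.

    An empty list means the values are mutually consistent: every address
    parses, the netmask is a valid contiguous mask, the gateway lies in the
    NIC's subnet, and neither the NIC nor the gateway is the network or
    broadcast address. Nothing is contacted on the network.
    """
    problems = []
    try:
        nic = ipaddress.IPv4Address(ip)
    except ValueError:
        return [f"NIC address {ip!r} is not a valid IPv4 address"]
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        return [f"gateway {gateway!r} is not a valid IPv4 address"]
    try:
        # strict=False accepts a host address; the netmask itself is still validated
        subnet = ipaddress.IPv4Network((ip, netmask), strict=False)
    except ValueError:
        return [f"netmask {netmask!r} is not a valid IPv4 netmask"]

    reserved = {subnet.network_address, subnet.broadcast_address}
    if subnet.prefixlen >= 31:
        # /31 and /32 have no distinct network or broadcast address
        reserved = set()
    if nic in reserved:
        problems.append(f"NIC address {nic} is the network or broadcast address of {subnet}")
    if gw not in subnet:
        problems.append(f"gateway {gw} is outside the NIC subnet {subnet}")
    elif gw in reserved:
        problems.append(f"gateway {gw} is the network or broadcast address of {subnet}")
    if gw == nic:
        problems.append(f"gateway {gw} is the same as the NIC address")
    for server in dns:
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            problems.append(f"DNS server {server!r} is not a valid IPv4 address")
    return problems


def validate_settings(settings):
    """Convenience wrapper over a dict shaped like EXAMPLE_SETTINGS."""
    return validate_static_v4(
        settings["ip"], settings["netmask"], settings["gateway"], settings["dns"]
    )
```

Run `validate_settings(EXAMPLE_SETTINGS)` and expect an empty list; a gateway on another subnet, a broadcast address typed as the NIC address, or a non-contiguous mask each produce a one-line explanation that is easier to act on than a VM that silently never obtains its address.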

10.4. Customize Template 4 of 4

  1. Enter the admin user password, which enables REST API access.
  2. Reenter to confirm the password.
  3. Enter the root user password of the Unified Access Gateway VM.
  4. Reenter to confirm the password.
  5. Click Next.

11. Ready to Complete

Ready to complete

Review all the settings entered in the Network Mapping and Properties windows to ensure there are no errors.

Click Finish.

12. Accessing the Task Console

You can follow the status of the OVF deployment through the task console.

  1. Click the Home icon.
  2. Click Tasks.

13. Monitoring OVF Import and Deployment

  1. Wait until the Deploy OVF package and Deploy OVF Template complete.
  2. Click Back.

13.1. Handling a Failed OVF Deploy (If Needed)

Deployment error

If your Import OVF package task fails with the error saying, "Failed to deploy OVF package" on the Tasks Console, restart the deployment by returning to step Deploying the OVF Template.

14. Power on Unified Access Gateway Appliance

Power on UAG Appliance
  1. Select the virtual machine, such as euc-unified-access-gateway-xxxx in this example.
  2. Click the Power on icon.
  3. Click the Refresh icon.
  4. The UAG VM screen turns blue as soon as the initialization finishes.
  5. Wait until an IP address is assigned to this VM, such as 192.168.110.20 in this example.

Warning: Do not continue to the next step until the VM receives the associated IP address! This can take one or two minutes.

Configuring TLS/SSL Certificates

1. Navigate to the Unified Access Gateway Administration Console Login

UAG Admin UI Login
  1. Click the New Tab button.
  2. Enter the URL, such as https://192.168.110.20:9443/admin for this example, and press Enter.
  3. Click the Advanced link.
  4. Accept the security exception and click the Proceed to 192.168.110.20 (unsafe) link.

2. Log In to the Unified Access Gateway Administration Console

UAG Login
  1. Enter the username, such as admin in this example.
  2. Enter the password created for the Admin API in the Deploy OVF Wizard.
  3. Click Login.

3. Choose Manual Configuration

A successful login redirects you to the window where you can import settings or manually configure the Unified Access Gateway appliance.

Under Configure Manually, click Select.

4. Configure TLS/SSL Certificates

Configuring TLS/SSL Certificates for Unified Access Gateway Appliances

TLS/SSL is required for client connections to Unified Access Gateway appliances. Client-facing Unified Access Gateway appliances and intermediate servers that terminate TLS/SSL connections require TLS/SSL server certificates.

TLS/SSL server certificates are signed by a Certificate Authority (CA). A CA is a trusted entity that guarantees the identity of the certificate and its creator. When a certificate is signed by a trusted CA, users no longer receive messages asking them to verify the certificate, and thin client devices can connect without requiring additional configuration. A default TLS/SSL server certificate is generated when you deploy a Unified Access Gateway appliance.

At this point, the Unified Access Gateway appliance is using the default certificate, which is not signed by a trusted CA.

Under Advanced Settings, click the gear icon for TLS Server Certificate Settings.

4.1. Configure Certificate Type

  1. Select the gear icon for TLS Server Certificate Settings under Advanced Settings.
  2. Check Internet interface.
  3. Check Admin interface.
  4. Select PFX as Certificate Type.

4.2. Upload PFX Certificate

Upload Certificate

Click Select to upload the certificate in PFX format.

4.3. Select the PFX Certificate

  1. Navigate to the PFX Certificate, as in this example in Microsoft Explorer:
    • Click Local Disk (C:).
    • Click AW Tools.
    • Click the PFX certificate file, such as airwlab.com.pfx.
  2. Click Open.

4.4. Enter the Certificate Password and Save

  1. Enter the certificate password.
  2. Click Save.

4.5. Verify Changes to the Certificate

You receive a message stating that the Internet-facing interface certificate has changed. You must reload the administration console to see the changes you made.

  1. Click the Close button on the Unified Access Gateway administration console browser tab.
  2. Click the New Tab button.

4.6. Validate Certificate Installation

Certificate Validation

Browse to your Unified Access Gateway URL, such as https://uagmgt-dmz.airwlab.com:9443/admin in this example, or click a bookmark if you created one.

You should no longer see a certificate error on the Browser navigation bar.
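Checking in a browser confirms the result once, but after a certificate replacement you usually also want a repeatable check that the admin interface on port 9443 presents a chain your trust store accepts, covers the expected hostname, and is not close to expiry. The script below is an added example, not part of this guide or of the Unified Access Gateway product. It uses only the Python standard library: `fetch_peercert` performs the same verification a browser does (chain plus hostname) and reports the failure reason instead of a dict when the default self-signed certificate is still in place, and `check_peercert` reviews name coverage and expiry margin for a `getpeercert()` dict. The sample certificate dict, its dates, and the `uag.example.invalid` host are constructed placeholders.

```python
import socket
import ssl
import time

# Constructed sample shaped like the dict ssl.SSLSocket.getpeercert() returns
# for a verified connection. Names and dates are placeholders chosen to
# resemble this exercise's hostname, not the exercise's real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "uagmgt-dmz.airwlab.com"),),),
    "subjectAltName": (("DNS", "uagmgt-dmz.airwlab.com"), ("DNS", "*.airwlab.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2035 GMT",
}
# Reference "now" for the sample, so results do not drift with the clock.
SAMPLE_NOW_EPOCH = ssl.cert_time_to_seconds("Jan  1 00:00:00 2030 GMT")


def fetch_peercert(host, port=9443, timeout=5.0):
    """Connect using the system trust store and return (cert, error).

    cert is the getpeercert() dict when the chain verified and the name
    matched; otherwise cert is None and error describes the failure. A
    browser rejects the connection for the same reasons.
    """
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, f"verification failed: {exc}"
    except OSError as exc:
        return None, f"connection failed: {exc}"


def certificate_names(cert):
    """DNS names the certificate covers: SANs first, CN only as a fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def _dns_name_matches(pattern, hostname):
    """Exact match, or a wildcard covering exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return False


def days_until_expiry(cert, now_epoch=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = time.time() if now_epoch is None else now_epoch
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def check_peercert(cert, hostname, now_epoch=None, min_days=30):
    """Return findings for a certificate dict against the expected hostname."""
    now = time.time() if now_epoch is None else now_epoch
    findings = []
    names = certificate_names(cert)
    if not any(_dns_name_matches(n, hostname) for n in names):
        findings.append(f"{hostname} is not covered by certificate names {names}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append(f"certificate is not valid before {cert['notBefore']}")
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append(f"certificate expired on {cert['notAfter']}")
    elif days < min_days:
        findings.append(f"certificate expires in {days} days")
    return findings


if __name__ == "__main__":
    # Placeholder host; replace with the FQDN of your admin console.
    target = "uag.example.invalid"
    cert, error = fetch_peercert(target)
    if error:
        print(f"{target}: {error}")
    else:
        print(f"{target}: trusted;", check_peercert(cert, target) or "no findings")
```

Because `create_default_context()` leaves hostname checking on, a dict coming back from `fetch_peercert` already means the chain and name were accepted; `check_peercert` adds the expiry margin, which the browser test in this step does not show, and can be pointed at the admin and Internet interfaces separately when they carry different certificates.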

Updating Network Settings

You can now log in to the Unified Access Gateway administration console and update the network settings so that the Unified Access Gateway is deployed on a different IP than originally.

1. Log In to the Unified Access Gateway Administration Console

Access UAG Admin UI

Log in to the Unified Access Gateway administration console (such as https://uag.airwlab.com:9443/admin).

  1. Enter the username, such as admin in this example.
  2. Enter the password.
  3. Click Login.

2. Select Configure Manually

Access Settings

Under Configure Manually, click Select.

3. Access Network Settings

Access to network settings

Under Advanced Settings, click the gear icon for Network Settings.

4. View and Edit the Network Settings

Network Settings
  1. Click the down arrow for NIC 1, the Internet-facing interface.
  2. View the configuration detail displayed about NIC 1.
  3. Click the gear icon for NIC 1 to update the IP address.

5. Change Network Settings

NIC 1 Configuration

The Unified Access Gateway administration console allows you to update the IPv4 address and IP allocation mode associated to NIC 1.

  1. In the IPv4 Address field, enter the new IP address (such as 192.168.110.21 in this example) to update it.
  2. Click Save.

6. Wait for Network Settings to Complete

Configuration in Progress

After saving, a message appears: NIC1 configuration in progress. This means that the Unified Access Gateway is updating the NIC with the new IP address, and restarting the NIC. Users lose connectivity with the administration console and this message disappears when the configuration is finished.

After the configuration completes, click Close.

7. Validate the Network Changes

Accessing UAG Admin UI based on new IP address

The page automatically reloads on the new IP address you configured for your Unified Access Gateway. You can also enter the new IP manually to navigate to the Unified Access Gateway administration console.

  1. Enter the URL to access the Unified Access Gateway administration console, based on the new IP address, such as https://192.168.110.21:9443/admin in this example.
  2. Enter the username, such as admin in this example.
  3. Enter the password.
  4. Click Login.

You now have access to the Unified Access Gateway administration console using the new IP address.