Deploying Unified Access Gateway with Two NICs Through PowerShell

Introduction

This section guides you through the configuration and deployment of the VMware Unified Access Gateway appliance using a PowerShell script. The exercises also describe how to set up a reverse proxy to access internal web sites through the Unified Access Gateway administration console.

In these exercises, the Unified Access Gateway appliance is deployed with two NICs. One NIC faces the Internet, and the second one is dedicated to management and backend access.

These exercises cover Unified Access Gateway 3.3.1 deployment in vSphere 6.5 U1.

The purpose is to provide a deployment option for an environment that could be used for production. If you want a more basic deployment with a single NIC for proof of concept, see Deploying Unified Access Gateway with One NIC through vSphere.

Architecture

The architectural diagram below shows an example environment that emulates a typical layout, including DMZ and internal networks.

In this example, external requests to the vApp are sent to the vPod Router, which directs them to the appropriate resource based on the incoming port. Ports 4000-6500 are reserved for the environment components, so all traffic arriving on these ports is forwarded to the appropriate Edge Service on the Unified Access Gateway server. In addition, ports 443 and 9443 are forwarded to the Unified Access Gateway server on the same ports. Forwarding 9443 from outside is a convenience of this lab router; in a production deployment the administration port is reached only from the management network, as the closing section of this exercise shows.

The vApp networks (internal, DMZ, and transit) are created within the vApp. The internal and transit networks are NATed to the SE-UCS-Network for outbound Internet connectivity, while the DMZ network routes through the vPod Router for inbound and outbound access. Note that the vPod Router does not have a NIC on the internal network and thus cannot route external traffic to resources on the internal network.

Diagram components: vPod Router; ESXi01 6.5.0 U1; Control Center; vCenter Server 6.5 U1 hosted on ESXi01.

Architecture Overview Diagram

The following architectural diagram shows an example of two major networks that you can deploy your servers into. For this set of exercises, you deploy the Unified Access Gateway appliance on a DMZ and assign the respective NICs.

At the top of the diagram is vCenter Networking. At the bottom of the diagram is the vApp network required to support the environment. For these exercises, the focus is on the network hosted on the ESXi, and represented by the following three networks:

  • VM Network & Management: The dedicated network used to reach the Management Console.
  • Internal Network: The internal network in the 172.16.0.x range. The Control Center, ESXi, and vCenter are part of the internal network.
  • DMZ Network: The DMZ network in the 192.168.110.x range, where the Unified Access Gateway appliance is deployed. The Unified Access Gateway Internet-facing NIC is attached to this network.

Network Interfaces

Unified Access Gateway supports deployments with one, two, or three NICs. With more than one NIC, the appliance can receive all traffic on a single interface or separate traffic onto different interfaces according to where the request comes from (Internet, management, or backend). Organizations that already segment their other web applications this way usually apply the same standard to Unified Access Gateway.

You must determine what is appropriate for your environment when selecting the number of NICs during installation. It is important for you to understand the expected behavior when two or three NICs are enabled.

Two sections are provided to explore these options. As a first step toward understanding basic deployments, you can install Unified Access Gateway with one NIC using vSphere Client, described in Deploying Unified Access Gateway with One NIC Through vSphere. You can then advance to the next step and install Unified Access Gateway with two NICs as a production environment using PowerShell, described in Deploying Unified Access Gateway with Two NICs Through PowerShell.

General Considerations

In the exercises for deploying the Unified Access Gateway server through vSphere, the vCenter setup is hosted in a nested template. This is not usually the case in a live environment.

User environments can include multiple networks and can optionally have a Network Protocol Profile (NPP) for each network that connects to the Unified Access Gateway. Prior to version 3.3, an NPP was required. Since version 3.3, an NPP is no longer required.

Note: Keep in mind that the Unified Access Gateway requires a netmask, default gateway, and subnet to be defined for each network enabled during deployment.

Prerequisites

To deploy Unified Access Gateway using a PowerShell script, you must use the following specific versions of VMware products:

  • VMware vSphere ESX host with a vCenter Server
  • PowerShell script running on Windows 8.1 or later, or Windows Server 2008 R2 or later
  • Windows machine running the PowerShell script with the VMware OVF Tool command installed (see OVF Tool Software Download to install OVF Tool 4.3 or later)
  • Unified Access Gateway virtual appliance image OVA file, such as euc-access-point-3.3.X.X-XXXXXXXXXXX.ova (see VMware Product Interoperability Matrixes to determine which version to download)
  • Unified Access Gateway PowerShell script, such as uagdeploy-VERSION.ZIP (see Using PowerShell to Deploy VMware Unified Access Gateway to select the correct script, note its name, and extract the files into a folder on your Windows machine)
  • vSphere data store and network to use

Starting with version 3.3, you can deploy Unified Access Gateway without specifying the netmask and default gateway settings in Network Protocol Profiles (NPP). You can specify this networking information directly during deployment of your Unified Access Gateway instance.

Logging In to the vSphere Web Client

To perform most of this exercise, you need to log in to the vSphere Web Client.

1. Launch Chrome Browser

Double-click the Google Chrome browser icon on the desktop.

2. Authenticate to the vSphere Web Client

  1. In the Chrome browser, click the bookmark for vSphere.
  2. Enter the username, such as administrator@vsphere.local.
  3. Enter the password, such as VMware1!.
  4. Click Login.

After completing the login, you are presented with the vSphere Web Client.

Starting Windows PowerShell

1. Launch PowerShell

Click the PowerShell icon located on the Windows task bar.

2. Navigate to the Unified Access Gateway Resources Directory

Navigate to the Unified Access Gateway Resources Directory under the desktop user folder by entering cd '.\Desktop\UAG Resources' and then press Enter.

Preparing the INI File for Deployment

In this exercise, you learn how to use the INI file to deploy and configure a Unified Access Gateway using PowerShell, and how to edit the contents of the INI file for your Unified Access Gateway deployment.

1. Configure the General Deployment Settings

An INI file containing all of the configuration settings is required to deploy the Unified Access Gateway appliance.

In this exercise, you use the uag-2NIC.ini file to provide the respective parameters for your deployment.

In this example, you deploy a new Unified Access Gateway appliance called UAG02 with two NICs. NIC1 is Internet-facing and NIC2 is for backend and management.

1.1. Open the UAG-2NIC.ini File for Editing

Editing UAG-2NIC.ini

Open the uag-2NIC.ini file for editing:

  1. Click the File Explorer icon on the task bar.
  2. Click Desktop.
  3. Click UAG Resources.
  4. Right-click the uag-2NIC.ini file.
  5. Click Edit with Notepad++.

1.2. Configure General Settings (1/2)

General Settings 1/2

In the General section, provide the following settings in the INI file:

  1. In the name field, enter a name, such as UAG02 in this example.
  2. In the source field, enter the path, such as C:\Users\Administrator\Desktop\UAG Resources\UAG Files\euc-unified-access-gateway-3.3.0.0-8539135_OVF10.ova, and use File Explorer to verify that the OVA file has the name indicated.
  3. In the target field, enter the destination path, such as vi://administrator@vsphere.local:VMware1!@vc.corp.local/Nested_Datacenter/host/Host_Cluster.
    Note: You can replace the password with PASSWORD, and the script then prompts for it during the PowerShell execution. Prefer this form: the INI file is stored in clear text, so a literal vCenter password in the target field is readable by anyone who can read the file.
  4. In the diskmode field, enter thin.
  5. In the ds field (ds refers to data store), enter datastore2_ESXi01.
  6. In the deploymentOption field, enter twonic.

1.3. Configure General Settings (2/2)

General Settings 2/2

Continue the General section configuration, and set the following additional values for the parameters on the INI file, keeping in mind that ip0 is the Internet-facing NIC, and ip1 is the internally facing NIC:

  1. In the ipMode field, enter STATICV4.
  2. In the defaultGateway field, enter the IP address, such as 192.168.110.1.
  3. In the dns field, enter the IP address, such as 192.168.110.10.
  4. In the ip0 field, enter the IP address, such as 192.168.110.20.
    Important: ip0 is the Internet-facing NIC.
  5. In the ip1 field, enter the IP address, such as 172.16.0.20.
    Important: ip1 is the internally facing NIC.
  6. In the netmask0 and netmask1 fields, enter the netmask, such as 255.255.255.0.
  7. In the netInternet field, enter DMZ_VM_DPortGroup.
  8. In the netManagementNetwork and netBackendNetwork fields, enter Internal_VM_DPortGroup.

1.4. Configure the TLS/SSL Certificates

The SSLCert and SSLCertAdmin sections contain the TLS/SSL certificates for the Internet and administration interfaces respectively. In this lab the same PFX file serves both; in production the Internet-facing interface and the administration interface normally carry different certificates, which is why the two sections are separate.

  1. In the pfxCerts field under SSLCert, enter C:\AW Tools\airwlab.com.pfx (this certificate is for the Internet interface).
  2. In the pfxCerts field under SSLCertAdmin, enter C:\AW Tools\airwlab.com.pfx (this certificate is for the administration interface).

Note: The certificate password is requested during the deployment.
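The following PowerShell script is an added example and is not part of the original tutorial or of the uagdeploy package. It writes the uag-2NIC.ini that steps 1.2 to 1.4 describe and runs a few pre-flight checks a practitioner would want before deploying: the referenced files exist, every enabled NIC has an address and netmask, ip0 and ip1 sit on different subnets, the default gateway is on the Internet-facing subnet, and the vCenter password is not embedded in the file. The paths, names and addresses are the tutorial's sample values; the Read-Ini and Get-NetworkId helpers are this example's own, not functions from the deployment script.

```powershell
# Added example, not part of the original tutorial: write the uag-2NIC.ini that
# steps 1.2-1.4 describe and sanity-check it before running uagdeploy.ps1.
# All paths, names and addresses below are the tutorial's sample values.

$ini = @'
[General]
name=UAG02
source=C:\Users\Administrator\Desktop\UAG Resources\UAG Files\euc-unified-access-gateway-3.3.0.0-8539135_OVF10.ova
target=vi://administrator@vsphere.local:PASSWORD@vc.corp.local/Nested_Datacenter/host/Host_Cluster
diskmode=thin
ds=datastore2_ESXi01
deploymentOption=twonic
ipMode=STATICV4
defaultGateway=192.168.110.1
dns=192.168.110.10
ip0=192.168.110.20
netmask0=255.255.255.0
netInternet=DMZ_VM_DPortGroup
ip1=172.16.0.20
netmask1=255.255.255.0
netManagementNetwork=Internal_VM_DPortGroup
netBackendNetwork=Internal_VM_DPortGroup

[SSLCert]
pfxCerts=C:\AW Tools\airwlab.com.pfx

[SSLCertAdmin]
pfxCerts=C:\AW Tools\airwlab.com.pfx
'@

$iniPath = Join-Path (Get-Location) 'uag-2NIC.ini'
Set-Content -LiteralPath $iniPath -Value $ini -Encoding ASCII

# Small INI reader (this example's own helper): returns @{ section = @{ key = value } }.
function Read-Ini([string]$Path) {
    $data = @{}; $section = ''
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; $data[$section] = @{}; continue }
        if ($line -match '^\s*([^=;#][^=]*?)\s*=\s*(.*)$') {
            if (-not $data.ContainsKey($section)) { $data[$section] = @{} }
            $data[$section][$Matches[1]] = $Matches[2]
        }
    }
    return $data
}

# Network address of an IPv4 host for a given netmask, e.g. 192.168.110.20 / 255.255.255.0 -> 192.168.110.0
function Get-NetworkId([string]$Ip, [string]$Mask) {
    $i = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    return ((0..3) | ForEach-Object { $i[$_] -band $m[$_] }) -join '.'
}

$all = Read-Ini $iniPath
$g = $all['General']
$problems = @()

# Files that OVF Tool and the deployment script open must exist at the paths written in the INI.
foreach ($p in @($g.source, $all['SSLCert'].pfxCerts, $all['SSLCertAdmin'].pfxCerts)) {
    if (-not (Test-Path -LiteralPath $p)) { $problems += "missing file: $p" }
}

# Each enabled NIC needs an address and netmask, plus a gateway and DNS (see General Considerations).
foreach ($k in 'ip0', 'netmask0', 'ip1', 'netmask1', 'defaultGateway', 'dns') {
    if ([string]::IsNullOrWhiteSpace($g[$k])) { $problems += "missing value: $k" }
}

if ($problems.Count -eq 0) {
    $dmz = Get-NetworkId $g.ip0 $g.netmask0
    $int = Get-NetworkId $g.ip1 $g.netmask1
    # The point of two NICs is that ip0 (Internet) and ip1 (internal) are on different subnets.
    if ($dmz -eq $int) { $problems += "ip0 and ip1 share the subnet $dmz; DMZ and internal traffic would not be separated" }
    # The default gateway belongs to the Internet-facing subnet; other destinations need static routes on NIC2.
    if ((Get-NetworkId $g.defaultGateway $g.netmask0) -ne $dmz) { $problems += "defaultGateway $($g.defaultGateway) is not on the ip0 subnet $dmz" }
}

# A literal vCenter password in target= sits in clear text on disk; PASSWORD makes the script prompt instead.
if ($g.target -notmatch '^vi://[^/]+:PASSWORD@') { $problems += 'target= embeds the vCenter password; replace it with PASSWORD' }

if ($problems.Count) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "uag-2NIC.ini has $($problems.Count) problem(s); fix them before running uagdeploy.ps1"
}
Write-Host "uag-2NIC.ini is consistent: Internet NIC $($g.ip0) on $dmz, internal NIC $($g.ip1) on $int"
```

Run it from the UAG Resources folder so the generated file lands next to uagdeploy.ps1. The subnet check is what protects the two-NIC design: if ip0 and ip1 resolve to the same network, the appliance deploys fine but the DMZ and internal traffic are no longer separated, which defeats the purpose of the second NIC.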

Deploying the Unified Access Gateway Appliance

Now that you have configured the INI file for your Unified Access Gateway deployment, you can run the uagdeploy.ps1 PowerShell script and provide this INI file as the configuration to automate the deployment.

1. Execute the Deployment Script

The script takes its settings as positional arguments and then asks a couple of questions:

  1. Start the script with the arguments for your deployment, such as in the following example:
    .\uagdeploy.ps1 .\uag-2NIC VMware1! VMware1! false false no
    • The first VMware1! is the root password for the Unified Access Gateway appliance.
    • The second VMware1! is the admin password for the REST API management access.
    • The first false is to NOT skip the validation of the OVA signature and certificate.
    • The second false is to NOT skip SSL verification for the vSphere connection.
    • The no is to not join the VMware CEIP program.
    Note: Passwords typed on the command line are saved in the PowerShell command history like any other command; see the example that follows step 2 for a way to avoid that.
  2. When prompted, enter the password for the PFX files referenced in the SSLCert and SSLCertAdmin sections.

To avoid the certificate password prompt, remove the pfxCerts values, provide the certificate in PEM form instead, and set pemCerts and pemPrivKey in the SSLCert and SSLCertAdmin sections of the INI file.

The deployment starts and you can follow the progress on the same window or on your vSphere Web Client, which you opened at the beginning of this tutorial.
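The following is an added example, not part of the original tutorial: it runs the same deployment command with the same positional arguments, but reads the two appliance passwords from a masked prompt instead of the command line, so they do not end up in the PSReadLine history file (the path is shown by (Get-PSReadLineOption).HistorySavePath). The Read-PlainSecret helper is this example's own; the INI file name and the argument order are the tutorial's.

```powershell
# Added example, not part of the original tutorial: run uagdeploy.ps1 without
# typing the root and admin passwords on the command line, because a typed
# command line is written to the PSReadLine history file and stays readable there.

function Read-PlainSecret([string]$Prompt) {
    # Read-Host -AsSecureString keeps the value out of the console and the history.
    # uagdeploy.ps1 expects plain strings, so decode only for the duration of the call.
    $secure = Read-Host -Prompt $Prompt -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try { return [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

$iniFile  = '.\uag-2NIC.ini'
$rootPwd  = Read-PlainSecret 'Unified Access Gateway root password'
$adminPwd = Read-PlainSecret 'Unified Access Gateway admin (REST API) password'

# Same positional arguments as the tutorial command:
#   iniFile  rootPwd  adminPwd  disableVerification  noSSLVerify  ceipEnabled
# false/false keep OVA signature checking and vSphere certificate checking turned on.
& .\uagdeploy.ps1 $iniFile $rootPwd $adminPwd false false no

# The script itself prompts for the PFX password (and for the vCenter password when
# the INI target uses PASSWORD). Drop the plain-text copies once the call returns.
Remove-Variable rootPwd, adminPwd
```

With the INI target written as vi://...:PASSWORD@..., this leaves no credential on disk: the vCenter password, the PFX password and both appliance passwords are all entered interactively.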

2. Confirm that the PowerShell Script Deployment Completes

After the deployment finishes successfully, the script automatically powers on the VM UAG02.

The Received IP address shown in the script log is a temporary IP. The final IPs for NIC1 and NIC2 are assigned to the Unified Access Gateway appliance during the first start. You can return to the vSphere Web Client to validate this, as described in the next step.

3. Validate the Deployment

Validating UAG Appliance status
  1. Click VM and Templates.
  2. Click UAG02.
  3. Click View all 2 IP addresses.

Important: If the Unified Access Gateway appliance has not finished its configuration during the first startup, the vSphere Web Client shows an error message. If that happens, wait for the appliance to finish, and then refresh the browser page.

4. Log In to the Unified Access Gateway Administration Console

UAG Admin UI Login
  1. Click the New Tab button to open a new tab.
  2. Browse to the Unified Access Gateway Administration Console using the URL, such as  https://uagmgt-int.airwlab.com:9443/admin or by clicking a bookmark if you created one.
  3. Enter the username, such as admin in this example.
  4. Enter the admin password you passed to uagdeploy.ps1 (the second password argument).
  5. Click Login.

5. Confirm the Unified Access Gateway Administration Console Login on the Internal Network

A successful login redirects you to the initial window where you can import settings or manually configure the Unified Access Gateway appliance.

  1. Click Admin.
  2. Click Logout.

Configuring Web Reverse Proxy

At this point, the Unified Access Gateway has been deployed and you are able to access the Unified Access Gateway administration console to add and change configurations of your Unified Access Gateway appliance.

This exercise shows you how Unified Access Gateway can be used as a Web reverse proxy, and can act as either a plain reverse proxy or an authenticating reverse proxy in the DMZ. In this exercise, you learn how to set up a plain reverse proxy.

1. Power ON Intranet VM

Power ON Intranet VM

Return to the vSphere Web Client and power on the Intranet VM, which is hosted on the internal network and is used as the backend for the Web Reverse Proxy exercise.

  1. Click VM and Templates.
  2. Click Intranet.
  3. Click Power ON Icon.

2. Access Unified Access Gateway Administration Console

Access UAG Admin UI
  1. Click the New Tab button to open a new tab.
  2. Browse to the Unified Access Gateway URL, such as https://uagmgt-int.airwlab.com:9443/admin in this example, or click a bookmark if you created one.
  3. Enter the username, such as admin in this example.
  4. Enter the admin password you passed to uagdeploy.ps1 (the second password argument).
  5. Click Login.

3. Select Configure Manually

Access Settings

Under Configure Manually, click Select.

4. Access Reverse Proxy Settings

Accessing Reverse Proxy Settings
  1. Click the Show toggle next to Edge Service Settings. After you click, it switches to display the Hide option.
  2. Click the gear icon next to Reverse Proxy Settings.

5. Add Reverse Proxy Settings

Adding Reverse Proxy Settings

Click Add to create a new reverse proxy setting that can be used to access the intranet.

6. Define Features Used by Reverse Proxy

Enabling Reverse Proxy Settings

Click only the Enable Reverse Proxy Settings toggle. It switches to YES.

Note: The Enable Identity Bridging feature can be configured to provide single sign-on (SSO) to legacy Web applications that use Kerberos Constrained Delegation (KCD) or header-based authentication. However, this feature is not enabled for this exercise.

7. Configure Intranet Reverse Proxy Settings

Configuring Intranet settings for Reverse Proxy
  1. Enter the Instance Id, such as intranet, which is a unique name that identifies this Web reverse proxy instance and distinguishes it from all other Web reverse proxy instances.
  2. Enter the Proxy Destination URL, such as http://intranet.corp.local, which is the address of the Web application.
  3. Enter the Proxy Pattern, such as (|/intranet(.*)|), which specifies the URI paths that are forwarded to the destination URL; this pattern matches /intranet and everything below it.
  4. Click Save.

Additional parameters can be configured for this type of reverse proxy. For more information, see Configure Reverse Proxy With VMware Identity Manager.

8. Close the Reverse Proxy Settings

Configuration saved successfully

Click Close.

9. Validating Reverse Proxy Configuration

Validating reverse proxy configuration for intranet
  1. Click the down arrow for the Reverse Proxy Settings.
  2. Click the refresh icon for the Edge Service Settings.
  3. Confirm that the intranet proxy status is GREEN.

After you add the reverse proxy settings for the intranet, the Unified Access Gateway appliance tests the communication between itself and the intranet server. The status turns GREEN if a connection is possible, and otherwise it shows RED.

Important: It can take a few minutes for the intranet proxy to show as GREEN. If you do not see it, click the refresh icon until you see the status change to either GREEN or RED.

10. Access the Intranet through Reverse Proxy

  1. Click the New Tab button to open a new tab.
  2. Enter https://uag.airwlab.com/intranet in the address bar and press Enter.
    Note: The uag.airwlab.com resolves to the IP associated with the Unified Access Gateway Internet NIC, which in this example is 192.168.110.20.

The result is a sample intranet page hosted on an internal IIS server.

  • Access to the intranet goes through Unified Access Gateway port 443, as a result of the TLS port sharing configuration enabled by default during deployment.
  • Access to the administration console goes through Unified Access Gateway port 9443 and IP 172.16.0.20 in this example, associated with the internal NIC.
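The following PowerShell script is an added example, not part of the original tutorial, for confirming the layout described in the two bullets above from a host that can reach both the DMZ and the internal network: edge services on 443 at the Internet-facing address, the administration console on 9443 at the internal address, and no administration console on 9443 at the Internet-facing address. The last check encodes the intent of the two-NIC design; if it reports a mismatch, the appliance is exposing its management interface on the wrong network and should be investigated before going further. The addresses and host name are the tutorial's sample values.

```powershell
# Added example, not part of the original tutorial: verify that each service
# answers only on the NIC the two-NIC design assigns to it, then fetch the
# intranet page through the reverse proxy. Values are the tutorial's samples.

$dmzIp      = '192.168.110.20'   # ip0, Internet-facing NIC
$internalIp = '172.16.0.20'      # ip1, management and backend NIC

$expectations = @(
    @{ Target = $dmzIp;      Port = 443;  Open = $true;  Why = 'edge services share TLS port 443 on the Internet NIC' }
    @{ Target = $internalIp; Port = 9443; Open = $true;  Why = 'administration console on the management NIC' }
    @{ Target = $dmzIp;      Port = 9443; Open = $false; Why = 'administration console must not answer on the Internet NIC' }
)

$mismatches = 0
foreach ($e in $expectations) {
    # TCP connect test only: enough to tell whether anything is listening on that address and port.
    $result  = Test-NetConnection -ComputerName $e.Target -Port $e.Port -WarningAction SilentlyContinue
    $isOpen  = $result.TcpTestSucceeded
    $verdict = if ($isOpen -eq $e.Open) { 'OK      ' } else { $mismatches++; 'MISMATCH' }
    $expected = if ($e.Open) { 'open' } else { 'closed' }
    $actual   = if ($isOpen) { 'open' } else { 'closed' }
    "$verdict $($e.Target):$($e.Port) expected $expected, got $actual ($($e.Why))"
}

# End to end through the reverse proxy: the intranet page must come back via the DMZ
# address. Use the host name so the certificate deployed in [SSLCert] matches.
try {
    $r = Invoke-WebRequest -Uri 'https://uag.airwlab.com/intranet' -UseBasicParsing -TimeoutSec 15
    "OK       reverse proxy /intranet returned HTTP $($r.StatusCode)"
} catch {
    $mismatches++
    "MISMATCH reverse proxy /intranet failed: $($_.Exception.Message)"
}

if ($mismatches) { Write-Warning "$mismatches check(s) do not match the intended two-NIC layout" }
```

Run it from the Control Center or another machine with routes to both subnets; from a DMZ-only host the internal checks fail for routing reasons rather than because the appliance is misconfigured, so read the results in the light of where you ran them.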