Deploy and configure VMware Unified Access Gateway

Hi there,

I don’t like long blog titles, and mine was long enough.  This article is about removing a View security server and replacing it with a UAG, which is supposed to make everything simpler and more powerful.

BTW, when you go to configure, there is a choice to import a config; that is how you do your updates.  Delete the appliance (export the config first), deploy the new one, configure it, then import the config.  Then test.

Pre-reqs

  • Have a good backup of your Security Server just in case.
  • Download the UAG bits from here. Normally you do not want the FIPS build.
  • Make sure you know your security server settings, maybe have a printout of them.
  • You need an IP and an FQDN for the gateway.

Process

BTW, I am using vSphere 6.7 U2 plus patches (as of 5/20/19) and Horizon View 7.8.  The gateway is UAG 3.5.  I am going to configure it through the UI.

Deploy

We first need to deploy the OVA.

  • During deployment you will need to select the number of network cards and the networks for them.  Often one network is enough, but be sure of what you choose. I chose only one.
  • In the Customize template screen, you will need to configure your networking along with forwarding rules, which I am going to ignore for now since I am not sure about them. Also set your passwords. (In version 3.6 the configuration is more complex and has more options.)
  • Once it is finished deploying, power it up.
  • As it boots, you will see a message about newer VMware Tools for the VM.  Ignore it; it will sort itself out.
  • I like to connect to the VM console and fix the timezone. No need to log in or anything, so it is pretty easy.
  • In the VM Summary screen we should see whether the IP and FQDN we selected are in use.  In my case they are.

Let's connect to the FQDN and make sure it answers. For me the URL is:

https://uag.thewhites.ca:9443/admin/index.html#/Login

Configure

Now we have the UAG running but not yet working.  So it is time to configure it.

  • The first time you log in you will need to change your password. Use the admin account, not root.
  • Once you are logged in we have a choice of importing settings or configuring manually.  I do not have a JSON settings file, and this is my first UAG, so I am doing it manually.
  • Our first screen is interesting.

  • Click on the System Configuration gear icon.
  • There are a few changes for this screen.

  • I like to increase the password age to something much higher than 90.  BTW, 0 means never expire.
  • I like to add a syslog destination.  The format is a little odd: syslog://fqdn:514.
  • I add the same config to the audit syslog field.
  • Now I scroll down and select Save.
  • Now we need to do the View settings.  In the General Settings area, push the Show button for Edge Service Settings.

  • Use the gear on the Horizon Settings line.
  • Then enable Horizon.
  • Now we have some things we recognize.

  • Take the settings from your security server and add them into this screen. I will mention that in my SS the Blast External URL was an IP and here it is an FQDN, and in the SS the HTTPS Secure Tunnel was https://fqdn:443, but in the screen above it is Connection Server URL and it was https://fqdn:8443.  Not sure yet of the implications.
  • I did what I recognized, and did not enable other stuff, like the UDP tunnel or the Blast Proxy Cert tunnel.
  • BTW, the thumbprint comes from the URL of the View Connection Server.  Click on the Not Secure part of the URL, then Certificate, then expand Details, scroll down to SHA-1 and copy from it.
  • I get an error when I hit Save.

  • I got rid of the error by selecting Cancel and entering everything again, but this time typing sha1= and then pasting the SHA-1 value after it.
  • Also, change the 8443 you see above in the Connection Server URL field to 443.  The little i popup says 8443, but it should be 443.
  • Once you save, you will see something like the screen below.

  • The first time, when I had 8443 in the CS URL, the Horizon Destination Server showed as down.  When I changed it to 443 it was, after a refresh, green.
  • Now that we have configured things and it is all green, it is time to put it into production.
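
Two of the snags above are format snags: the thumbprint has to go in with the sha1= prefix, and the Connection Server URL has to use 443 rather than the 8443 the popup suggests. The script below is an added example (it is not from this post and not VMware tooling) that checks those two values, plus the syslog://fqdn:514 format and the FQDN-versus-IP point for the external URLs, either before you type them into the UI or over an exported INI. It assumes the section and key names ([General]/[Horizon], proxyDestinationUrl, proxyDestinationUrlThumbprints, blastExternalUrl, tunnelExternalUrl, syslogUrl) follow the UAG deployment INI format as I recall it, so confirm them against your own export; every hostname in the sample is a constructed placeholder.

```python
"""Pre-flight checks for the Horizon edge-service values that go into UAG.

Added example; not part of the original post and not VMware tooling.
Assumption: section/key names ([General]/[Horizon], proxyDestinationUrl,
proxyDestinationUrlThumbprints, blastExternalUrl, tunnelExternalUrl,
syslogUrl) follow the UAG deployment INI format as I recall it. Check
them against your own exported INI. All hostnames below are constructed.
"""
import configparser
import hashlib
import re
from urllib.parse import urlsplit

# Separators and invisible characters that come along when a thumbprint is
# copied out of a certificate dialog (browsers use ':' or ' ', and the Windows
# dialog puts a left-to-right mark, U+200E, at the front of the copied text).
_STRIP = re.compile(r"[\s:\u200e\u200f]")
_HEX40 = re.compile(r"[0-9a-fA-F]{40}")
_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def normalize_thumbprint(pasted: str) -> str:
    """Return a pasted SHA-1 thumbprint in the 'sha1=AA BB CC ...' form.

    Accepts the prefix present or absent, any case and any separator.
    Raises ValueError when fewer than 20 bytes of hex remain, which is what a
    truncated or partial paste looks like.
    """
    text = pasted.strip()
    if text.lower().startswith("sha1="):
        text = text[5:]
    digits = _STRIP.sub("", text)
    if not _HEX40.fullmatch(digits):
        raise ValueError(f"not a SHA-1 thumbprint: {pasted!r}")
    return "sha1=" + " ".join(digits[i:i + 2].upper() for i in range(0, 40, 2))


def thumbprint_from_der(der: bytes) -> str:
    """Derive the thumbprint from a DER certificate instead of copy-pasting it.

    The SHA-1 thumbprint a certificate dialog shows is SHA-1 over the DER
    bytes, so ssl.get_server_certificate() followed by
    ssl.PEM_cert_to_DER_cert() gives you the same value the dialog does.
    """
    return normalize_thumbprint(hashlib.sha1(der).hexdigest())


def lint_horizon_settings(ini_text: str) -> list:
    """Check the values the post found to be pitfalls; return a list of findings."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(ini_text)
    horizon = cfg["Horizon"] if cfg.has_section("Horizon") else {}
    general = cfg["General"] if cfg.has_section("General") else {}
    findings = []

    url = horizon.get("proxydestinationurl", "")  # configparser lowercases keys
    if url:
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append("proxyDestinationUrl must be an https:// URL")
        if parts.port == 8443:
            findings.append("proxyDestinationUrl uses 8443; the Connection Server URL should use 443")

    for key in ("blastexternalurl", "tunnelexternalurl"):
        host = urlsplit(horizon.get(key, "")).hostname or ""
        if _IPV4.fullmatch(host):
            findings.append(f"{key} is a bare IP address; use the public FQDN")

    raw = horizon.get("proxydestinationurlthumbprints", "")
    if raw:
        try:
            if normalize_thumbprint(raw) != raw:
                findings.append("proxyDestinationUrlThumbprints is not in the sha1= form UAG expects")
        except ValueError:
            findings.append("proxyDestinationUrlThumbprints is not a complete SHA-1 thumbprint")

    syslog = general.get("syslogurl", "")
    if syslog and not syslog.startswith("syslog://"):
        findings.append("syslogUrl must use the syslog://fqdn:514 form")
    return findings


# Constructed sample mirroring the post's first attempt: 8443 in the Connection
# Server URL, the thumbprint pasted as-is from a browser dialog, and the Blast
# URL carried over from the security server as an IP.
SAMPLE_BEFORE = """
[General]
name=uag1
syslogUrl=syslog://syslog.example.test:514

[Horizon]
proxyDestinationUrl=https://cs.example.test:8443
proxyDestinationUrlThumbprints=ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01
blastExternalUrl=https://203.0.113.10:443
tunnelExternalUrl=https://uag.example.test:443
"""

# The same file after applying the post's fixes.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(":8443", ":443").replace(
    "ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01",
    "sha1=AB CD EF 01 23 45 67 89 AB CD EF 01 23 45 67 89 AB CD EF 01",
).replace("203.0.113.10", "uag.example.test")

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, lint_horizon_settings(sample) or "OK")
```

Run it as-is to see the three findings for the "before" sample and a clean "after"; to check your own export, read the INI file into a string and pass it to lint_horizon_settings. The separator inside the sha1= value is my assumption (space-separated upper-case pairs); the post only establishes that the prefix is required.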

Production

  • You need to remove your SS from the View config. At the command line on the View Connection Server, use the following command.

vdmadmin.exe -S -r -s <security server name>

  • You need to disable the tunnel and two gateways in the Connection Server config.

  • In my case, my firewall rules are pointing at the security server, which doesn’t exist any longer.  So we need to modify those rules for the new UAG IP address.
  • We can also add our UAG to our View management UI.
    • In the View Admin, change to the View Configuration area.
    • Select Servers.
    • Now change to the Gateways section, and register your UAG.

    • It is important to note that View only shows the UAG status when there are active connections.
  • Power off the security server.
  • I would suggest also exporting the UAG settings. I exported them as an INI file.
  • I also adjusted my backup jobs to not protect my security server any longer but instead protect the UAG.  I also adjusted my DR replicas the same way.

Test Time

Now we are finished with the implementation of the UAG and the removal of the security server.  So let's make sure things are working.

  • Can we connect successfully to the View Connection Server and a desktop from inside the lab?
  • Can we connect successfully to the View desktop from outside the lab?

Helpful Links

  • This article got me started.  It was quite useful.
  • Much more useful was this article.

Conclusion

We have a UAG working, no more security server and my inbound access works.  So all good.  I want to thank a variety of people in the vExpert EUC Slack channel for pushing me to get this done. I appreciate very much the help from Sean Massey.

If you have questions, or comments, do not hesitate to share them with me.

Michael


17 thoughts on “Deploy and configure VMware Unified Access Gateway”

  1. Nice article. I’ll have to try and make the switch soon I guess. Although it’s really tricky when you have multiple NICs in a large infrastructure. The naming of the NICs in the answer is somewhat confusing when you have multiple NICs, at least to me.

    1. Hi Tom,

      I did only have one network adapter, but I noticed that there is support for multiples and it seems like well-thought-out support. But I have not tried it out.

      Michael

    1. I’m not sure you need to customize the UAG landing page because it is just for management only. It should forward all users to the View login page.

  2. How do we configure it so that users on the internal network do not pass through the UAG but connect straight to the Connection Server? Thanks.

      1. I could be wrong, but I think I have the same question in regards to the step in which you say “You need to disable the tunnel and two gateways in the Connection Server config.”
        Doesn’t unchecking those options prevent internal users from accessing View? It seemed to when I was testing last night, but I could have had something set up incorrectly. Internally our users would connect straight to the Connection Server, and externally they would connect to the UAG.

      2. It looks like I just had something misconfigured. Internal and external access is working as you suggested, with the gateways disabled on the Connection Server.
        Thank you.

  3. I like your one-NIC option, which I am planning to implement, but I am wondering if it might come back to bite me when configuring RSA authentication.
