Hi there,
I don’t like long blog titles, and mine was long enough. This article is about removing a View Security Server and replacing it with a UAG (Unified Access Gateway), which is supposed to make everything simpler and more powerful.
BTW, when you go to configure there is a choice to import a config, and that is how you do your upgrades: export the config first, delete the appliance, deploy the new one, configure it, then import the config. Then test.
Pre-reqs
- Have a good backup of your Security Server just in case.
- Download the bits for the UAG from here. Normally do not get the FIPS one.
- Make sure you know your security server settings, maybe have a printout of them.
- You need an IP address and FQDN for the gateway.
Process
BTW, I am using vSphere 6.7 U2 plus patches (as of 5/20/19) and Horizon View 7.8. The gateway is 3.5. I am going to configure it through the admin UI.
Deploy
We first need to deploy the OVA.
- During deployment you will need to select the number of network cards and the networks for them. Often one network is enough, but be sure of what you choose. I chose only one.
- In the Customize template screen you will need to configure your networking, along with forwarding rules that I am going to ignore for now since I am not sure about them. Set your passwords here too. (In version 3.6 the configuration has become more complex, with more options.)
- Once it is finished deploying power it up.
- As it boots you will see a message about newer VMware Tools for the VM. Ignore it; it will sort itself out.
- I like to connect to the VM Console and fix the timezone. No need to log in or anything so pretty easy.
- In the VM Summary screen we can see whether the IP and FQDN we selected are in use. In my case they are.
Let’s connect to the FQDN and make sure it answers. For me the URL is:
Configure
Now we have the UAG running but not working. So time to configure.
- The first time you log in you will need to change your password. Use the admin account and not root.
- Once you are logged in we have a choice of importing settings or configuring manually. I do not have a JSON of settings, and this is my first UAG, so I am doing it manually.
- Our first screen is interesting.
- Click on the System Configuration gear icon.
- There are a few changes for this screen.
- I like to increase the password age to something much higher than 90. BTW, 0 means never expire.
- I like to add a syslog destination. The format is odd: syslog://fqdn:514.
- I add the same config to the audit syslog field.
- Now I scroll down and select Save.
- Now we need to do some View settings. In the General Settings area, click the Show button for Edge Service Settings.
- Use the gear icon on the Horizon Settings line.
- Then enable Horizon.
- Now we have some things we recognize.
- Take the settings from your security server and add them on this screen. One difference: in my SS the Blast External URL was an IP, and here it is an FQDN; in the SS the HTTPS Secure Tunnel was https://fqdn:443, but on the screen above the field is Connection Server URL and it was https://fqdn:8443. Not sure yet of the implications.
- I filled in what I recognized, and did not enable the other things, like the UDP tunnel or the Blast Proxy Cert tunnel.
- BTW, the thumbprint comes from the certificate of the View Connection Server. In the browser, click on the Not Secure part of the URL, then Certificate, then expand Details, scroll down to SHA-1 and copy the value.
- I get an error when I hit Save.
- I got rid of the error by selecting Cancel and entering everything again, this time typing sha1= and pasting the SHA-1 value after it.
- Also, change the 8443 you see above in the Connection Server URL field to 443. The little i popup says 8443, but it should be 443.
- Once you save, you will see something like below.
- The first time, when I had 8443 in the CS URL, the Horizon Destination Server showed as down. Once it was changed to 443 it was green after a refresh.
- Now that we have configured things and it is all green, it is time to put it into production.
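As an added example covering the thumbprint step and the 443-versus-8443 check above (my code, not from the original post or from VMware): it fetches the certificate a Connection Server actually presents, prints its SHA-1 thumbprint in the sha1= form, normalises a value an admin has pasted before hitting Save, and probes both ports so you can see which one answers. Assumptions not stated on the page: the UAG accepts the hex bytes in upper case separated by spaces, as the browser’s certificate Details view shows them; the host name is a placeholder; certificate verification is switched off because the point is to read whatever certificate is served, which in a lab is often self-signed.

```python
"""Added example; not code from the original post or from VMware.

Reproduces the thumbprint step by hand and probes 443 against 8443.
Assumed (not on the page): UAG wants "sha1=AA BB ..." with spaces, upper case.
"""
import hashlib
import re
import socket
import ssl
import sys


def thumbprint_from_der(der: bytes) -> str:
    """Return 'sha1=AA BB ...' for a DER certificate (SHA-1 over the DER bytes)."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return "sha1=" + " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))


_HEX40 = re.compile(r"^[0-9A-F]{40}$")


def normalise_thumbprint(pasted: str) -> str:
    """Accept what an admin is likely to paste (with or without 'sha1=', spaces
    or colons, any case) and return the canonical form; ValueError otherwise."""
    value = pasted.strip()
    if value[:5].lower() == "sha1=":
        value = value[5:]
    hexonly = re.sub(r"[\s:]", "", value).upper()
    if not _HEX40.match(hexonly):
        raise ValueError(f"not a 40-hex-digit SHA-1 thumbprint: {pasted!r}")
    return "sha1=" + " ".join(hexonly[i:i + 2] for i in range(0, 40, 2))


def thumbprint_matches(pasted: str, der: bytes) -> bool:
    """True when the pasted value is the thumbprint of this certificate."""
    return normalise_thumbprint(pasted) == thumbprint_from_der(der)


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate presented on host:port, in DER form.
    Verification is off on purpose: we want the thumbprint of whatever is
    actually served, which in a lab is often self-signed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def probe_ports(host: str, ports=(443, 8443), timeout: float = 5.0) -> dict:
    """Map each port to its 'sha1=...' thumbprint, or 'error: ...' when the
    connection or TLS handshake fails (refused and timeout included)."""
    result = {}
    for port in ports:
        try:
            result[port] = thumbprint_from_der(fetch_der(host, port, timeout))
        except OSError as exc:  # socket.timeout and ssl.SSLError are OSErrors
            result[port] = f"error: {exc}"
    return result


if __name__ == "__main__":
    # Usage: python uag_thumbprint.py cs.lab.example [pasted-thumbprint]
    target = sys.argv[1] if len(sys.argv) > 1 else "cs.lab.example"  # placeholder
    for port, outcome in probe_ports(target).items():
        print(f"{target}:{port} -> {outcome}")
    if len(sys.argv) > 2:
        try:
            print("pasted value normalises to:", normalise_thumbprint(sys.argv[2]))
        except ValueError as exc:
            print(exc)
```

Run it against the Connection Server before filling in the UAG screen: the port that returns a thumbprint rather than an error is the one the Connection Server URL should carry, and the printed thumbprint is what goes in the thumbprint field. If you have already pasted a value from the browser, pass it as the second argument and compare the normalised output with what the probe returned.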
Production
- You need to remove your SS from the View config. At the command line on the View Connection Server, use the following command.
vdmadmin.exe -S -r -s <security server name>
- You need to disable the tunnel and two gateways in the Connection Server config.
- In my case, my firewall rules are pointing at the security server that doesn’t exist any longer. So we need to modify those rules for the new UAG IP address.
- We can also add our UAG to our View management UI.
- In the View Admin, change to the View Configuration area.
- Select Servers.
- Now change to the Gateways section and register your UAG.
- It is important to note that View only shows the UAG status when there are active connections.
- Power off the security server.
- I would suggest also exporting the UAG settings. I exported it as an INI file.
- I also adjusted my backup jobs to not protect my security server any longer but instead protect the UAG. I also adjusted my DR replicas the same way.
Test Time
Now we are finished with the implementation of the UAG and the removal of the security server, so let’s make sure things are working.
- Can we connect successfully to the View Connection server / and desktop inside the lab?
- Can we connect successfully to the View desktop from outside the lab?
Helpful Links
Conclusion
We have a UAG working, no more security server and my inbound access works. So all good. I want to thank a variety of people in the vExpert EUC Slack channel for pushing me to get this done. I appreciate very much the help from Sean Massey.
If you have questions, or comments, do not hesitate to share them with me.
Michael
=== END ===
Nice article. I’ll have to try and make the switch soon I guess. Although it’s really tricky when you have multiple NICs in a large infrastructure. The naming of the NICs in the answer is somewhat confusing when you have multiple NICs, at least to me.
Hi Tom,
I did only have one network adapter, but I noticed that there is support for multiples and it seems like well thought support. But I have not tried it out.
Michael
Can’t access the UAG by https://ip:9443
Can you please add some detail to your question? It would help me answer things better.
Michael
Hello,
How can I customize the UAG landing page? Replace the logo?
Best regards
Bernd
I do not know the answer to the question Bernd, I suggest you reach out to VMware support and ask.
Michael
I’m not sure you need to customize the uag landing page because it is just for management only. It should forward all users to the view login page.
You are correct, no need to customize but I thought some might want too.
Michael
How do we configure it so that users in the internal network do not pass through the UAG but connect straight to the Connection Server? Thanks.
The internal users can connect directly to your connection server instead of the UAG.
Michael
I could be wrong, but I think I have the same question in regards to the step in which you say “You need to disable the tunnel and two gateways in the Connection Server config.”
Doesn’t unchecking those options prevent accessing view from internal users? It seemed to when I was testing last night, but I could have had something setup incorrectly. Internally our users would connect straight to the connection server, and externally, they would connect to the UAG.
I will test this next time I install the UAG which will be soon. And yes, internal users go to CS, and external to UAG.
Michael
It looks like I just had something misconfigured. Internal and external access is working as you suggested, with the gateways disabled on the connection server.
Thank you.
Glad things are working, most excellent.
Michael
I like your one NIC option, which I am planning to implement, but wondering if it might come to bite me when configuring RSA authentication.
Hi there,
I think it should work with RSA, but I have not tested it. A quick call to VMware support might answer that question.
Sorry I’m not more help.
Michael