DEPLOYING UNIFIED ACCESS GATEWAY WITH TWO NICS THROUGH POWERSHELL
VMware Workspace ONE
GUIDE – AUGUST 2018
PRINTED 15 FEBRUARY 2019




Table of Contents

Deploying Unified Access Gateway with Two NICs Through PowerShell

– Introduction

– Architecture

– Prerequisites

– Logging In to the vSphere Web Client

– Starting Windows PowerShell

– Preparing the INI File for Deployment

– Deploying the Unified Access Gateway Appliance

– Configuring Web Reverse Proxy


Deploying VMware Unified Access Gateway: VMware Workspace ONE Operational Tutorial

Deploying Unified Access Gateway with Two NICs Through PowerShell

Introduction

This section guides you through the configuration and deployment of the VMware Unified Access Gateway appliance using a PowerShell script. The exercises also describe how to set up a reverse proxy to access internal web sites through the Unified Access Gateway administration console.

In these exercises, the Unified Access Gateway appliance is deployed with two NICs. One NIC faces the Internet, and the second one is dedicated to management and backend access.

These exercises cover Unified Access Gateway 3.3.1 deployment in vSphere 6.5 U1.

The purpose is to provide a deployment option for an environment that could be used for production. If you want a more basic deployment with a single NIC for proof of concept, see Deploying Unified Access Gateway with One NIC through vSphere.

Architecture

The architectural diagram below shows an example environment that emulates a typical environment, including DMZ and internal networks.

In this example, external requests to the vApp are sent to the vPod Router, which directs those requests to the appropriate resource based on the incoming port. Ports 4000-6500 are reserved for the environment components, so all traffic coming in on these ports is forwarded to the appropriate Edge Service on the Unified Access Gateway server. In addition, ports 443 and 9443 are forwarded to the Unified Access Gateway server over the respective ports.

The vApp networks (internal, DMZ, and transit) are created within the vApp. The internal and transit networks are NATed to the SE-UCS-Network for outbound Internet connectivity, while the DMZ network routes through the vPod Router for inbound and outbound access. Note that the vPod Router does not have a NIC on the internal network and thus cannot route external traffic to resources on the internal network.

Diagram components: vPod Router; ESXi01 6.5.0 U1; Control Center; vCenter Server 6.5 U1 hosted on ESXi01.

Architecture Overview Diagram

The following architectural diagram shows an example of two major networks that you can deploy your servers into. For this set of exercises, you deploy the Unified Access Gateway appliance on a DMZ and assign the respective NICs.


At the top of the diagram is vCenter Networking. At the bottom of the diagram is the vApp network required to support the environment. For these exercises, the focus is on the network hosted on the ESXi host, represented by the following three networks:

– VM Network & Management: Represents the dedicated network used to access the Management Console.
– Internal Network: Represents the internal network in the 172.16.0.x range. The Control Center, ESXi host, and vCenter are part of the internal network.
– DMZ Network: Represents the DMZ network on 192.168.110.x, which is where the Unified Access Gateway appliance is to be deployed. The Unified Access Gateway Internet-facing NIC is associated with this network.

Network Interfaces

Unified Access Gateway supports deployments with one, two, or three NICs. This means that the server can be partitioned to receive traffic on a single interface or to route traffic to different interfaces, based on the source of the request. Most often, if you need to implement multiple NICs, you already follow this standard with other web applications in your organization.

You must determine what is appropriate for your environment when selecting the number of NICs during installation. It is important for you to understand the expected behavior when two or three NICs are enabled.

Two sections are provided to explore these options. As a first step toward understanding basic deployments, you can install Unified Access Gateway with one NIC using the vSphere Client, described in Deploying Unified Access Gateway with One NIC Through vSphere. You can then advance to the next step and install Unified Access Gateway with two NICs as a production environment using PowerShell, described in Deploying Unified Access Gateway with Two NICs Through PowerShell.


General Considerations

In the exercises for deploying the Unified Access Gateway server through vSphere, the vCenter setup is hosted in a nested template. This is not usually the case when working with users in a live environment.

User environments can include multiple networks and can optionally have a Network Protocol Profile (NPP) that corresponds to each network connected to the Unified Access Gateway. Prior to version 3.3, an NPP was a requirement. Since version 3.3, an NPP is no longer required.

Note: Keep in mind that Unified Access Gateway requires a netmask, default gateway, and subnet to be defined for each network enabled during deployment.

Prerequisites

To deploy Unified Access Gateway using a PowerShell script, you must use the following specific versions of VMware products:

– VMware vSphere ESX host with a vCenter Server
– PowerShell script running on Windows 8.1 or later, or Windows Server 2008 R2 or later
– Windows machine running the PowerShell script with the VMware OVF Tool command installed (see OVF Tool Software Download to install OVF Tool 4.3 or later)
– Unified Access Gateway virtual appliance image OVA file, such as euc-access-point-3.3.X.X-XXXXXXXXXXX.ova (see VMware Product Interoperability Matrixes to determine which version to download)
– Unified Access Gateway PowerShell script, such as uagdeploy-VERSION.ZIP (see Using PowerShell to Deploy VMware Unified Access Gateway to select the correct script, note its name, and extract the files into a folder on your Windows machine)
– vSphere data store and network to use

Starting with version 3.3, you can deploy Unified Access Gateway without specifying the netmask and default gateway settings in Network Protocol Profiles (NPP). You can specify this networking information directly during deployment of your Unified Access Gateway instance.

Logging In to the vSphere Web Client

To perform most of this exercise, you need to log in to the vSphere Web Client.

1. Launch Chrome Browser

Double-click the Google Chrome browser icon on the desktop.

2. Authenticate to the vSphere Web Client


1. Launch the Chrome browser from your desktop and click the bookmark for vSphere.
2. Enter the username, such as [email protected].
3. Enter the password, such as VMware1!.
4. Click Login.

After completing the login, you are presented with the vSphere Web Client.

Starting Windows PowerShell

1. Launch PowerShell


Click the PowerShell icon located on the Windows task bar.

2. Navigate to the Unified Access Gateway Resources Directory

Navigate to the Unified Access Gateway Resources directory under the desktop user folder by entering cd '.\Desktop\UAG Resources' and then pressing Enter.

Preparing the INI File for Deployment

In this exercise, you learn how to use the INI file to deploy and configure a Unified Access Gateway using PowerShell, and how to edit the contents of the INI file for your Unified Access Gateway deployment.

1. Configure the General Deployment Settings

An INI file containing all of the configuration settings is required to deploy the Unified Access Gateway appliance.

In this exercise, you use the uag-2NIC.ini file to provide the respective parameters for your deployment.

In this example, you deploy a new Unified Access Gateway appliance called UAG02, which has two NICs. NIC1 is Internet-facing and NIC2 is for backend and management.


1.1. Open the UAG-2NIC.ini File for Editing

Navigate to the uag-2NIC.ini file, such as:

1. Click the File Explorer icon on the task bar.
2. Click Desktop.
3. Click UAG Resources.
4. Right-click the uag-2NIC.ini file.
5. Click Edit with Notepad++.

1.2. Configure General Settings (1/2)


In the General section of the INI file, provide the following settings:

1. In the name field, enter a name, such as UAG02 in this example.
2. In the source field, enter the path, such as C:\Users\Administrator\Desktop\UAG Resources\UAG Files\euc-unified-access-gateway-3.3.0.0-8539135_OVF10.ova, and use File Explorer to verify that the OVA file has the name indicated.
3. In the target field, enter the destination path, such as vi://[email protected]:[email protected]/Nested_Datacenter/host/Host_Cluster. Note: You can replace the password with PASSWORD and the script prompts for the password during PowerShell execution. Prefer this placeholder so that the vCenter credential is not stored in plaintext in the INI file.
4. In the diskmode field, enter thin.
5. In the ds field (ds refers to data store), enter datastore2_ESXi01.
6. In the deploymentOption field, enter twonic.

1.3. Configure General Settings (2/2)


Continue the General section configuration, and set the following additional values for the parameters in the INI file, keeping in mind that ip0 is the Internet-facing NIC and ip1 is the internally facing NIC:

1. In the ipMode field, enter STATICV4.
2. In the defaultGateway field, enter the IP address, such as 192.168.110.1.
3. In the dns field, enter the IP address, such as 192.168.110.10.
4. In the ip0 field, enter the IP address, such as 192.168.110.20. Important: ip0 is the Internet-facing NIC.
5. In the ip1 field, enter the IP address, such as 172.16.0.20. Important: ip1 is the internally facing NIC.
6. In the netmask0 and netmask1 fields, enter the netmask, such as 255.255.255.0.
7. In the netInternet field, enter DMZ_VM_DPortGroup.
8. In the netManagementNetwork and netBackendNetwork fields, enter Internal_VM_DPortGroup.

1.4. Configure the TLS/SSL Certificates


The SSLCert and SSLCertAdmin sections contain the TLS/SSL certificate settings for the Internet-facing and administration interfaces, respectively.

1. In the pfxCerts field under SSLCert, enter C:\AW Tools\airwlab.com.pfx (this certificate is for the Internet interface).
2. In the pfxCerts field under SSLCertAdmin, enter C:\AW Tools\airwlab.com.pfx (this certificate is for the administration interface).

Note: The certificate password is requested during the deployment.

Deploying the Unified Access Gateway Appliance

Now that you have configured the INI file for your Unified Access Gateway deployment, you can run the uagdeploy.ps1 PowerShell script and provide this INI file as the configuration to automate the deployment.

1. Execute the Deployment Script

The script takes its settings as positional arguments and prompts for any of them that you leave out:

1. Run the script with the INI file and the deployment options, such as in the following example:

.\uagdeploy.ps1 .\uag-2NIC VMware1! VMware1! false false no

– The first VMware1! is the root password for the Unified Access Gateway appliance.
– The second VMware1! is the admin password for REST API management access.
– The first false means do NOT skip the validation of the OVA signature and certificate.
– The second false means do NOT skip SSL verification for the vSphere connection.
– The no means do not join the VMware Customer Experience Improvement Program (CEIP).

Keep both verification flags at false outside a lab: skipping them lets a tampered OVA image or an intercepted vCenter connection go unnoticed.

2. When prompted, enter the password for the PFX files referenced in the SSLCert and SSLCertAdmin sections.

To avoid the certificate password prompt, remove the pfxCerts values and provide a PEM certificate instead, setting pemCerts and pemPrivKey in the SSLCert and SSLCertAdmin sections of the INI file.

The deployment starts, and you can follow the progress in the same window or in the vSphere Web Client, which you opened at the beginning of this tutorial.
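To tie the INI preparation and the deployment step together, here is an added example (not the guide's own script) that writes uag-2NIC.ini from the values used above, checks the two-NIC settings before anything is uploaded to vCenter, and then calls uagdeploy.ps1 with both verification flags left at false. The vCenter user and host in $Target are assumptions (the guide redacts them), as are the function names Test-TwoNicSettings, Get-NetworkId and Write-UagIni; the paths, IP addresses, port groups and PFX file are the guide's.

```powershell
# Added example, not part of the VMware guide: build uag-2NIC.ini from the values
# used in this tutorial, sanity-check the two-NIC settings, then run uagdeploy.ps1
# with OVA signature validation and vSphere TLS verification left enabled.
# Assumptions: the vCenter user and host in $Target (the guide redacts them), and
# that ovftool.exe is on PATH.

$ResourceDir = Join-Path $env:USERPROFILE 'Desktop\UAG Resources'
$IniPath     = Join-Path $ResourceDir 'uag-2NIC.ini'
$OvaPath     = Join-Path $ResourceDir 'UAG Files\euc-unified-access-gateway-3.3.0.0-8539135_OVF10.ova'
$PfxPath     = 'C:\AW Tools\airwlab.com.pfx'

# PASSWORD makes uagdeploy.ps1 prompt for the vCenter password at run time, so the
# credential never lands in the INI file. User and host here are assumed.
$Target = 'vi://administrator@vsphere.local:PASSWORD@vcenter.corp.local/Nested_Datacenter/host/Host_Cluster'

$General = [ordered]@{
    name                 = 'UAG02'
    source               = $OvaPath
    target               = $Target
    diskmode             = 'thin'
    ds                   = 'datastore2_ESXi01'
    deploymentOption     = 'twonic'
    ipMode               = 'STATICV4'
    defaultGateway       = '192.168.110.1'
    dns                  = '192.168.110.10'
    ip0                  = '192.168.110.20'        # NIC1: Internet-facing
    netmask0             = '255.255.255.0'
    netInternet          = 'DMZ_VM_DPortGroup'
    ip1                  = '172.16.0.20'           # NIC2: management and backend
    netmask1             = '255.255.255.0'
    netManagementNetwork = 'Internal_VM_DPortGroup'
    netBackendNetwork    = 'Internal_VM_DPortGroup'
}

function Get-NetworkId([string]$Ip, [string]$Mask) {
    # Network part of an IPv4 address: 192.168.110.20 / 255.255.255.0 -> 192.168.110.0
    $ipBytes   = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $maskBytes = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    $net = for ($i = 0; $i -lt 4; $i++) { $ipBytes[$i] -band $maskBytes[$i] }
    return ($net -join '.')
}

function Test-TwoNicSettings([System.Collections.IDictionary]$S) {
    # Returns a list of problems; an empty list means the General section is consistent.
    $problems = @()
    if ($S.deploymentOption -ne 'twonic') { $problems += 'deploymentOption must be twonic' }
    foreach ($k in 'ip0','netmask0','netInternet','ip1','netmask1','netManagementNetwork','netBackendNetwork') {
        if ([string]::IsNullOrWhiteSpace($S[$k])) { $problems += "missing $k" }
    }
    foreach ($k in 'ip0','ip1','netmask0','netmask1','defaultGateway','dns') {
        $tmp = $null
        if (-not [System.Net.IPAddress]::TryParse([string]$S[$k], [ref]$tmp)) { $problems += "$k is not a valid IPv4 address" }
    }
    if ($problems.Count -eq 0) {
        # The DMZ and management NICs must sit on different subnets and port groups,
        # otherwise the separation the two-NIC design is meant to provide does not exist.
        if ((Get-NetworkId $S.ip0 $S.netmask0) -eq (Get-NetworkId $S.ip1 $S.netmask1)) { $problems += 'ip0 and ip1 are on the same subnet' }
        if ($S.netInternet -eq $S.netManagementNetwork) { $problems += 'netInternet and netManagementNetwork are the same port group' }
    }
    if ($S.target -match '^vi://.+:(?<pw>[^@]+)@[^@]+$' -and $Matches.pw -ne 'PASSWORD') {
        $problems += 'target embeds the vCenter password in plaintext; use PASSWORD to be prompted instead'
    }
    if (-not (Test-Path $S.source)) { $problems += "OVA not found: $($S.source)" }
    return $problems
}

function Write-UagIni([string]$Path, [System.Collections.IDictionary]$Settings, [string]$Pfx) {
    $lines = @('[General]')
    foreach ($k in $Settings.Keys) { $lines += "$k=$($Settings[$k])" }
    # The guide uses one PFX for both the Internet and the administration interface.
    $lines += '', '[SSLCert]', "pfxCerts=$Pfx", '', '[SSLCertAdmin]', "pfxCerts=$Pfx"
    Set-Content -Path $Path -Value $lines -Encoding ASCII
}

$problems = @(Test-TwoNicSettings $General)
if ($problems.Count) { $problems | ForEach-Object { Write-Error $_ }; throw 'INI validation failed' }
if (-not (Get-Command ovftool -ErrorAction SilentlyContinue)) { throw 'ovftool not found on PATH; install OVF Tool 4.3 or later' }
Write-UagIni -Path $IniPath -Settings $General -Pfx $PfxPath

# Read the appliance passwords interactively instead of typing them on the command
# line, where they would be kept in the PowerShell history.
$rootPwd  = Read-Host 'UAG root password'  -AsSecureString
$adminPwd = Read-Host 'UAG admin password' -AsSecureString
$toPlain  = { param($s) (New-Object System.Net.NetworkCredential -ArgumentList '', $s).Password }

Set-Location $ResourceDir
# Positional arguments: iniFile rootPwd adminPwd disableVerification noSSLVerify ceipEnabled
.\uagdeploy.ps1 $IniPath (& $toPlain $rootPwd) (& $toPlain $adminPwd) false false no
```

The subnet and port-group comparison is the check worth keeping even if you discard the rest: an INI that puts ip0 and ip1 on the same network deploys without complaint, but the resulting appliance no longer separates Internet-facing traffic from management and backend traffic.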


2. Confirm that the PowerShell Script Deployment Completes

After the deployment completes successfully, the script automatically powers on the UAG02 VM.

The Received IP address shown in the script log is a temporary IP. The final IPs for NIC1 and NIC2 are assigned to the Unified Access Gateway appliance during the first start. You can return to the vSphere Web Client to validate that, as described in the next step.

3. Validate the Deployment


1. Click VM and Templates.
2. Click UAG-2NIC.
3. Click View all 2 IP addresses.

Important: If the Unified Access Gateway appliance has not finished its configuration during the first startup, you receive an error message from the vSphere Web Client. If that happens, wait for the appliance to finish, and refresh the entire Google Chrome browser.

4. Log In to the Unified Access Gateway Administration Console


1. Click the New Tab button to open a new tab.
2. Browse to the Unified Access Gateway Administration Console using the URL, such as https://uagmgt-int.airwlab.com:9443/admin, or by clicking a bookmark if you created one.
3. Enter the username, such as admin in this example.
4. Enter the admin password that you passed as the second argument to uagdeploy.ps1 (the REST API management password).
5. Click Login.

5. Confirm the Unified Access Gateway Administration Console Login on the Internal Network


A successful login redirects you to the initial window, where you can import settings or manually configure the Unified Access Gateway appliance.

1. Click Admin.
2. Click Logout.

Configuring Web Reverse Proxy

At this point, the Unified Access Gateway has been deployed and you are able to access the Unified Access Gateway administration console to add and change configurations of your Unified Access Gateway appliance.

This exercise shows you how Unified Access Gateway can be used as a Web reverse proxy, acting as either a plain reverse proxy or an authenticating reverse proxy in the DMZ. In this exercise, you learn how to set up a plain reverse proxy.

1. Power ON Intranet VM


Return to the vSphere Web Client to power on the Intranet VM, which is hosted on the internal network and is used as part of the Web Reverse Proxy exercise.

1. Click VM and Templates.
2. Click Intranet.
3. Click the Power ON icon.

2. Access Unified Access Gateway Administration Console


1. Click the New Tab button to open a new tab.
2. Browse to the Unified Access Gateway URL, such as https://uagmgt-int.airwlab.com:9443/admin in this example, or click a bookmark if you created one.
3. Enter the username, such as admin in this example.
4. Enter the admin password that you passed as the second argument to uagdeploy.ps1 (the REST API management password).
5. Click Login.

3. Select Configure Manually


Under Configure Manually, click Select.

4. Access Reverse Proxy Settings

1. Click the Show toggle next to Edge Service Settings. After you click, it switches to display the Hide option.
2. Click the gear icon next to Reverse Proxy Settings.


5. Add Reverse Proxy Settings

Click Add to create a new reverse proxy setting that can be used to access the intranet.

6. Define Features Used by Reverse Proxy

Click Enable Reverse Proxy Settings only. The toggle switches to YES.

Note: The Enable Identity Bridging feature can be configured to provide single sign-on (SSO) to legacy Web applications that use Kerberos Constrained Delegation (KCD) or header-based authentication. However, this feature is not enabled for this exercise.

7. Configure Intranet Reverse Proxy Settings


1. Enter the Instance Id, such as intranet, which is a unique name that identifies this Web reverse proxy instance and distinguishes it from all other Web reverse proxy instances.
2. Enter the Proxy Destination URL, such as http://intranet.corp.local, which is the address of the Web application.
3. Enter the Proxy Pattern, such as (|/intranet(.*)|), which specifies the URI paths that are forwarded to the destination URL.
4. Click Save.

Note that with an http:// destination, TLS terminates on the Unified Access Gateway and the hop from the appliance to intranet.corp.local over the backend NIC is unencrypted. Use an https:// destination if that network segment is not trusted.

Additional parameters can be configured for this type of reverse proxy. For more information, see Configure Reverse Proxy With VMware Identity Manager.

8. Close the Reverse Proxy Settings


Click Close.

9. Validating Reverse Proxy Configuration

1. Click the down arrow for the Reverse Proxy Settings.
2. Click the refresh icon for the Edge Service Settings.
3. Confirm that the intranet proxy status is GREEN.

After you add the reverse proxy settings for the intranet, the Unified Access Gateway appliance tests the communication between the appliance and the intranet. The status turns GREEN if a connection is possible; otherwise it shows RED.

Important: It can take a few minutes for the intranet proxy to show as GREEN. If you do not see it, click the refresh icon until you see the status change to either GREEN or RED.

10. Access the Intranet through Reverse Proxy


1. Click the New Tab button to open a new tab.
2. Enter https://uag.airwlab.com/intranet in the address bar and press Enter.

Note: uag.airwlab.com resolves to the IP associated with the Unified Access Gateway Internet NIC, which in this example is 192.168.110.20.

The result is a sample intranet page hosted on an internal IIS Server.

– Access to the intranet goes through Unified Access Gateway port 443, as a result of the TLS port sharing configuration enabled by default during deployment.
– Access to the administration console goes through Unified Access Gateway port 9443 and IP 172.16.0.20 in this example, which is associated with the internal NIC.
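The two validation steps above (checking the appliance's addresses after deployment, and confirming that the intranet is served on port 443 of the Internet NIC while the administration console answers only on port 9443 of the internal NIC) can be checked from the network rather than by eye. The following is an added example, not part of the guide: it probes the three address/port combinations the guide describes, expects the admin port to be closed on the Internet-facing address, and then requests the intranet through the reverse proxy. The IPs and host names are the guide's; Test-TcpPort, Test-UagExposure and Test-ReverseProxy are names chosen for this example, and the /not-proxied path is a constructed request that lies outside the proxy pattern.

```powershell
# Added example, not part of the VMware guide: verify the interface segregation that
# a two-NIC deployment is meant to provide, then exercise the intranet reverse proxy.
# Addresses and host names are the tutorial's; the function names are chosen here.
# Run it from a machine that can reach both the DMZ (192.168.110.x) and the
# internal (172.16.0.x) network.

$InternetIp = '192.168.110.20'   # ip0, NIC1, DMZ port group
$InternalIp = '172.16.0.20'      # ip1, NIC2, management and backend
$ProxyUrl   = 'https://uag.airwlab.com/intranet'

function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000) {
    # TcpClient with an explicit timeout; a filtered port would otherwise block for ~20 s.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# What a correctly deployed two-NIC appliance looks like from the network.
$Expectations = @(
    @{ Target = $InternetIp; Port = 443;  Open = $true;  Why = 'edge services on the Internet NIC (TLS port sharing)' },
    @{ Target = $InternetIp; Port = 9443; Open = $false; Why = 'admin console must not answer on the Internet NIC' },
    @{ Target = $InternalIp; Port = 9443; Open = $true;  Why = 'admin console only on the management NIC' }
)

function Test-UagExposure([array]$Checks) {
    # Returns the checks whose observed state differs from the expected one.
    $failures = @()
    foreach ($c in $Checks) {
        $open = Test-TcpPort -ComputerName $c.Target -Port $c.Port
        $verdict = if ($open -eq $c.Open) { 'PASS' } else { 'FAIL' }
        Write-Host ('{0} {1}:{2} open={3} - {4}' -f $verdict, $c.Target, $c.Port, $open, $c.Why)
        if ($verdict -eq 'FAIL') { $failures += $c }
    }
    return $failures
}

function Test-ReverseProxy([string]$Url) {
    # TLS validation is deliberately left on: a trust failure here means this client
    # does not trust the airwlab.com certificate chain, not that the proxy is broken.
    # Fix the trust rather than skipping the check.
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        return ($r.StatusCode -eq 200)
    } catch {
        Write-Warning "$Url : $($_.Exception.Message)"
        return $false
    }
}

$failures = @(Test-UagExposure -Checks $Expectations)

if (Test-ReverseProxy $ProxyUrl) { Write-Host "PASS $ProxyUrl returned 200 through the reverse proxy" }
else { $failures += @{ Target = $ProxyUrl } }

# A path outside the proxy pattern must not be forwarded to the intranet server;
# a warning from Invoke-WebRequest for this URL is the expected outcome.
if (Test-ReverseProxy 'https://uag.airwlab.com/not-proxied') {
    Write-Host 'FAIL https://uag.airwlab.com/not-proxied was served although it is outside the proxy pattern'
    $failures += @{ Target = 'proxy pattern' }
}

if ($failures.Count -gt 0) { Write-Error "$($failures.Count) check(s) failed" } else { Write-Host 'All checks passed' }
```

The second expectation is the one that justifies the two-NIC design: if port 9443 answers on 192.168.110.20, the administration console is exposed on the DMZ side and the separation described in this guide is not in effect, whatever the INI file says.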


VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright © 2017 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.