VMware Tunnel on Unified Access Gateway 3.0

This lab walks you through the full deployment of VMware Tunnel on Unified Access Gateway by completing the virtual appliance deployment in the vSphere Web Client and retrieving configuration from the AirWatch REST API via the UAG Admin Interface.  The final section includes the configuration needed to connect a device to the VMware Tunnel server on whitelisted Safari domains by leveraging Device Traffic Rules in the AirWatch Console.

The Unified Access Gateway (UAG) is a platform, deployed as a virtual appliance, that supports multiple VMware and AirWatch products along with other Edge Services unique to the product that allow devices to securely connect to internal resources as defined by the administrator. First, there is an overview of the UAG components and supported Edge Services for UAG 3.0+.

Next, you will review the various network architecture options supported by the VMware Tunnel product. Then the workshop begins with the configuration of VMware Tunnel settings in the AirWatch Console, followed by the virtual appliance deployment in vSphere and configuration of the UAG from the Admin Interface. Finally, the last section details the configuration needed in the AirWatch Console in order to connect a managed device to the deployed VMware Tunnel server.

----------------------------------

After AirWatch Tunnel settings are configured in the console, the OVF template is configured during deployment to point to the REST API endpoint of your AirWatch environment to retrieve those settings. The AirWatch Tunnel Virtual Appliance pulls the appropriate settings from the AirWatch API based on the Tunnel hostname provided during configuration.

After completing the OVF template configuration, the administrator can review all settings and power the machine on after deployment. The appliance agent running on the virtual appliance will start up immediately, followed by the AirWatch Tunnel services after 60 seconds.

For larger deployments that have multiple Tunnel appliance nodes, administrators can leverage the PowerShell deployment method, using the PowerShell script and customizable template file packaged with the Virtual Appliance download. PowerShell is recommended for large deployments because it simplifies setting up multiple nodes of the same product.

1. Unified Access Gateway 3.0 Overview

The Unified Access Gateway (previously Access Point) is a platform that

2. AirWatch Console Settings

INTERNAL NOTES:

v91.airwlab.com OG: SE Users/ Catherine Sanders, GiD: CSanders

VPN Port: 4424 csanders2.airwlab.com,  Internal: 8443, backendTunnel.airwlab.com


--------------

To begin the VMware Tunnel deployment, you must first confirm all prerequisites for VMware Tunnel are enabled in the AirWatch Console and then configure the settings for VMware Tunnel in the settings pane, which is also where you will find the link to download the Virtual Appliance. The virtual appliance file is hosted on the AirWatch Resources Portal since it is not dependent on the console version or settings. This allows the appliance to be updated independently of AirWatch itself and ensures that administrators are pointed to the latest version of the appliance whether their environment is SaaS hosted or on-premises.


2.1. Console Prerequisites

Before enabling the VMware Tunnel, there are a few settings that must be enabled in the AirWatch Console.  It is recommended that VMware Tunnel be deployed at a Customer Type Organization Group. In this workshop, there was an Organization Group generated for your user that is set to Type: Customer. Additionally, there must be a Device Root Certificate issued to the Customer Organization Group and a REST API Key generated at the Organization Group where VMware Tunnel will be deployed.

Since you are working in a Customer Type Organization Group, the console is designed to automatically issue a Device Root Certificate to this Organization Group and generate the REST API Key. The next steps show you how to find these settings and ensure they are enabled before configuring the VMware Tunnel settings.

  1. Click Groups & Settings
  2. Click All Settings

2.1.1. Device Root Certificate

  1. Click System
  2. Expand Advanced
  3. Select Device Root Certificate

Note: The certificate should show the "Issued To" value as the name of your organization group as seen in this example.

2.1.2. REST API Key

  1. Click System
  2. Expand Advanced
  3. Expand API
  4. Select REST API

Here you will see any API Keys enabled at this Organization Group. Other components also use REST API keys, but the VMware Tunnel REST API Key just needs to be set to Account Type: Admin. No changes should be required. If there is no REST API key generated at your Organization Group, set Enable API Access to Enabled and click +Add to generate a new key. Be sure to click Save if any changes are made or keys are added on the REST API page.

2.2. VMware Tunnel Settings


3. Virtual Appliance Download

4. vSphere Deployment

5. Open the vCenter Web Client

  1. Click the vSphere Web Client tab.

Note: If the vSphere Web Client tab was closed in a previous step, you can access the page by clicking the 'vCenter vSphere Web Client' bookmark in your browser.

5.1. Login to the vSphere Web Client

  1. Enter [email protected] for the User name
  2. Enter "VMware1!" for the Password
  3. Click Login

5.2. VMs & Templates


Click "VMs and Templates"

5.3. Deploy OVF Template

  1. Right-click on vc.corp.local
  2. Select "Deploy OVF Template"

6. Select Source

  1. Select the Local File radio button
  2. Click Browse
  3. Navigate to the AirWatch Tunnel Appliance Resources Folder on the Desktop
  4. Select the EUC Access Point OVA File
  5. Click Open
  6. Click Next to Continue

6.1. Review Details


Click "Next"

6.2. Select name and folder

  1. Customize the Name field (optional). This is the machine display name in vSphere.
  2. Select the Nested_Datacenter
  3. Click "Next"

6.3. Select configuration

  1. Select "Single NIC" as the Configuration for the appliance
  2. Click Next

6.4. Select a resource

  1. Expand Nested_Datacenter, expand Host_Cluster
  2. Select esxi01.corp.local as the host
  3. Click Next

6.5. Select storage

  1. Select the virtual disk format; for this lab, select "Thin Provision"
  2. Select the VM Storage Policy; for this lab, select "Datastore Default"
  3. Click Next

6.6. Setup Networks - NestedTemplate102016

  1. Ensure VM Network is selected for Internet, ManagementNetwork, and BackendNetwork, and ensure IP Protocol is set to "IPv4"
  2. Enter DNS server address: "192.168.110.10, 128.64.0.2"
  3. Enter Netmask: "255.255.255.0"
  4. Enter Gateway: "192.168.110.1"
  5. Click Next

7. Complete OVF Template Setup

Next, you must configure the Networking Properties and Password Options for the Unified Access Gateway appliance.

Note: Click "Collapse all..." to show each section in the template. Ensure that the required fields in each section are completed as the vSphere client will not always alert you when these items are missing.

The Networking Properties, Password Options, and AirWatch Properties sections are required. The other sections are optional based on your environment or use case.

Customize Template

  1. Expand the Networking Properties section.
  2. Enter STATICV4 for IPMode
  3. Enter "192.168.110.20" for the NIC 1 (eth0) IPv4 address
  4. Enter "192.168.110.10 128.64.0.2" for the DNS server address. Note: multiple DNS servers are space-separated in this section.
  5. Scroll down to complete the Password Options section

Password Options

  1. Enter the password for the root user (VMware1!) and enter it a second time to confirm
  2. Enter the password for the admin user of the API (VMware1!) and enter it a second time to confirm
  3. Scroll down to AirWatch Properties section.

If the password you choose does not meet the password complexity requirements for the root user and the Tunnel API admin user, the deployment will fail. Note that the API admin account is optional and can be omitted in production.

AirWatch Properties

  1. Enter the REST API URL of your AirWatch Environment: "https://hol.awmdm.com"
  2. Enter [email protected] you use to log in to the console
  3. Enter the password you use to log in to the console: "VMware1!"
  4. Enter the GroupID for your Organization Group in the console (e.g. "name1234"). To find the Group ID, hover your mouse over the GroupID tab at the top of the AirWatch Console screen.
  5. Enter "pool#.airwlab.com" for Hostname. This must match the hostname configured in the AirWatch Tunnel settings in the console.
  6. Click Next

Review setting selections

  1. Review details and ensure DNS, IPv4 setting, hostname, etc. are populated correctly.
  2. Scroll down to review all settings.
  3. Check the box to "Power on after deployment"
  4. Click "Finish"
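The note above warns that the vSphere client does not always flag missing required fields, that the DNS list is space-separated in the template but comma-separated on the network page, that a password failing the complexity policy only surfaces as a failed deployment, and that the Tunnel hostname must match the console. The following pre-flight check, an added example and not part of the lab or of VMware's tooling, validates a set of template values before you click Finish. The property names (ip0, netmask0, defaultGateway, DNS, rootPassword, apiServerUrl, organizationGroupCode, tunnelHostname) are labels chosen for this example, the sample values are constructed from this lab, and the password policy it enforces is an assumption rather than the published UAG rule.

```python
import ipaddress
import re

# Constructed sample of the values entered in the Customize Template step of
# this lab. The key names are this example's own labels, not OVF property ids.
LAB_PROPERTIES = {
    "IPMode": "STATICV4",
    "ip0": "192.168.110.20",
    "netmask0": "255.255.255.0",
    "defaultGateway": "192.168.110.1",
    "DNS": "192.168.110.10 128.64.0.2",
    "rootPassword": "VMware1!",
    "apiServerUrl": "https://hol.awmdm.com",
    "organizationGroupCode": "name1234",
    "tunnelHostname": "pool1.airwlab.com",  # constructed; lab uses pool#.airwlab.com
}

# Hostname configured under VMware Tunnel settings in the AirWatch Console.
# The appliance looks up its settings by this value, so the two must agree.
CONSOLE_TUNNEL_HOSTNAME = "pool1.airwlab.com"

REQUIRED = ("IPMode", "ip0", "netmask0", "defaultGateway", "DNS",
            "rootPassword", "apiServerUrl", "organizationGroupCode",
            "tunnelHostname")


def normalize_dns(value):
    """Return DNS servers as a list. Accepts the comma-separated form used on
    the vSphere network page and the space-separated form the template expects;
    raises ValueError if any entry is not a valid IPv4 address."""
    servers = [s for s in re.split(r"[,\s]+", value.strip()) if s]
    for server in servers:
        ipaddress.IPv4Address(server)
    return servers


def password_meets_policy(password):
    """Assumed complexity policy (not the published UAG rule): at least 8
    characters including upper case, lower case, a digit and a symbol."""
    return bool(
        len(password) >= 8
        and re.search(r"[A-Z]", password)
        and re.search(r"[a-z]", password)
        and re.search(r"\d", password)
        and re.search(r"[^A-Za-z0-9]", password)
    )


def validate(props, console_hostname):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    # vSphere does not always warn about empty required fields, so check them first.
    for key in REQUIRED:
        if not props.get(key, "").strip():
            problems.append(f"{key}: required field is empty")
    if problems:
        return problems

    if props["IPMode"] != "STATICV4":
        problems.append("IPMode: expected STATICV4 for a statically addressed appliance")

    # Address, netmask and gateway must describe one reachable subnet.
    try:
        iface = ipaddress.IPv4Interface(f"{props['ip0']}/{props['netmask0']}")
        gateway = ipaddress.IPv4Address(props["defaultGateway"])
        if gateway not in iface.network:
            problems.append(f"defaultGateway: {gateway} is not in {iface.network}")
        elif gateway == iface.ip:
            problems.append("defaultGateway: equals the appliance address")
    except ValueError as exc:
        problems.append(f"addressing: {exc}")

    # The template wants space-separated servers; a comma is a common slip.
    try:
        servers = normalize_dns(props["DNS"])
        if "," in props["DNS"]:
            problems.append("DNS: template expects space-separated servers, use "
                            f"'{' '.join(servers)}'")
    except ValueError as exc:
        problems.append(f"DNS: {exc}")

    if not password_meets_policy(props["rootPassword"]):
        problems.append("rootPassword: fails complexity policy; deployment would fail")
    if not props["apiServerUrl"].lower().startswith("https://"):
        problems.append("apiServerUrl: REST API URL must use https")
    if props["tunnelHostname"].lower() != console_hostname.lower():
        problems.append("tunnelHostname: does not match the console Tunnel settings")
    return problems


if __name__ == "__main__":
    for problem in validate(LAB_PROPERTIES, CONSOLE_TUNNEL_HOSTNAME) or ["OK"]:
        print(problem)
```

Run it with the values you intend to enter before starting the deployment; an empty result means the template is internally consistent, while each reported line names the field to fix. The gateway and hostname checks catch the two mistakes that only show up later, as an unreachable appliance or as a Tunnel node that never retrieves its settings from the REST API.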

The virtual appliance will take a few minutes to deploy and start up all services. Return to the console while the appliance deployment is finishing up to complete the configuration in the AirWatch console required to test the Tunnel on an iOS device.