Introduction - AirWatch on UAG 3.1

This workshop guides you through the end-to-end setup of the AirWatch components supported on Unified Access Gateway (UAG) 3.1, which include Content Gateway and VMware Tunnel. You will deploy two instances of UAG, one with each deployment method: the first server is installed using vSphere, and the second is installed through PowerShell.

First, you must configure settings for the VMware Tunnel and Content Gateway components in the AirWatch Console using the public-facing hostname and ports sent via email when you enrolled in the lab. Next come the vSphere OVF deployment of UAG, logging in to the Admin UI to enable the Edge Services on UAG, configuring the INI file for the back-end server install, running the PowerShell script to deploy the back-end server, and then testing the connection on your device.

Next, you will deploy the front-end Unified Access Gateway appliance in the vSphere Web Client and enable the Edge Services corresponding to the AirWatch components configured in the first step.

1. Console Configuration

2. vSphere OVF Deployment & Admin UI Config

3. PowerShell INI Edits / Run Script to Install

4. Local Validation

5. Device Testing

6. Additional Tools & Troubleshooting

Next Lab(s):

- Reverse Proxy on UAG (IDM)
- Per App Tunnel & Content Gateway with TLS Port 443 Sharing


This workshop is aimed at educating the user on both deployment options for Unified Access Gateway, demonstrating available tools in the Admin UI, and understanding the components that make this product work to support each of the various features and services.

At the end of this lab, the user will understand how to determine which deployment method is appropriate for their customer and how to leverage the tools available to successfully implement the required services in a customer environment.  

Before getting started, let's go over the lab network setup, followed by a brief outline of each deployment method.

Lab Architecture

DMZ & Internal networks


External requests to the vApp are sent to the vPod Router, which directs those requests to the appropriate resource based on the incoming port. Ports 4000-6500 are reserved for the lab components, so all traffic coming in on these ports is forwarded to the appropriate Edge Service on your UAG server.

The vApp resides in the SE_UCS_Network.

Since the vPod Router is the actual router handling traffic, and it is on both the DMZ and internal networks, traffic to the internet gets routed by it to the SE_UCS connection on the DMZ and then forwarded to the internal network. This keeps your lab environment closer to a 1:1 emulation of a customer environment.

vPod Router | Esxi01 | Control Center | vCenter Server

HOL Network Overview

In our lab environment, there are two networks that you can deploy your servers into. The DMZ network will host the first server you will install, which is the front-end or Relay server. The back-end or Endpoint server will reside in the lab's internal network.


Devices will reach out to the DMZ network to connect to the Unified Access Gateway on the ports sent via email upon enrolling in this workshop.

Customer Considerations

Since this workshop is designed for the purpose of deploying the Unified Access Gateway server through vSphere, the vCenter setup is hosted in a nested template, which will not be the case when working with customers in a live environment.

Customer environments will include multiple networks and may or may not have Network Protocol Profiles that correspond to the networks they will connect the Unified Access Gateway to. Keep in mind that the Unified Access Gateway requires a Netmask, Default Gateway, and subnet to be defined for each network enabled during deployment.

Network Interfaces

UAG supports 1 - 3 NIC deployments. This means the server can be partitioned to receive traffic on a single interface or route traffic to different interfaces based on the source of the request. Most often, customers who need to implement multiple Network Interface Cards will already follow this standard with other web applications in their organization.

It is up to the customer to determine what is appropriate for their environment when selecting the number of NICs during installation. However, it is important for you to understand the expected behavior when 2 or 3 NICs are enabled. For this workshop, as well as many customer use cases, we will install Unified Access Gateway on a single NIC.

UAG 3.1 & AirWatch 9.2 Updates

  1. Content Gateway Support on Unified Access Gateway
  2. TLS Port 443 Sharing Feature
  3. Customer Experience Improvement Program
  4. Updated file paths to VMware Tunnel application files - /opt/airwatch/tunnel/ --> /opt/vmware/tunnel/
    - Content Gateway Files stored in /opt/airwatch/content-gateway/
  5. VPN_Report Tool in vpnd/ folder
  6. Per App Tunnel Test Connection Button in AirWatch Console
  7. Admin UI Enhancements for managing Admin Password*

