Introduction - Unified Access Gateway Deployment
This workshop guides you through the end-to-end setup of Unified Access Gateway 3.4. You will deploy two UAG appliances, one with each deployment method: the first through the vSphere Admin UI and the second through a PowerShell script.
In both deployments you will set up an SSL certificate for each Unified Access Gateway appliance and access the Administration Console from a browser, along with other configuration tasks.
This workshop is aimed at educating the user on both deployment options for Unified Access Gateway, demonstrating available tools in the Admin UI, and understanding the components that make this product work to support each of the various features and services.
At the end of this lab, the user will understand how to determine which deployment method is appropriate for their customer and how to leverage the tools available to successfully implement the required services in a customer environment.
Before getting started, let's go over the lab network setup followed by a brief outline of each deployment method.
DMZ & Internal networks:
External requests to the vApp are sent to the vPod Router, which will direct those requests to the appropriate resource based on the incoming port. Ports 4000-6500 are reserved for the lab components so all traffic coming in on these ports will be forwarded to your Unified Access Gateway appliance's appropriate Edge Service. In addition, ports 443 and 9443 will be forwarded to your Unified Access Gateway Appliance over the respective ports.
The vApp Networks (Internal, DMZ, and Transit) are created within the Lab vApp. The Internal and Transit networks are NATed to the SE-UCS-Network for outbound internet connectivity while the DMZ network routes through the vPodRouter for inbound and outbound access. Note that the vPodRouter does not have a NIC on the Internal network and thus cannot route external traffic to resources on the Internal network.
This design was chosen so that the lab environment can emulate a typical customer environment.
[Lab diagram: vPod Router, ESXi01 6.5.0 U1, Control Center, vCenter Server 6.5 U1 deployed on ESXi01]
HOL Architecture Overview
In our lab environment there are two networks you can deploy your servers into. For this lab you will deploy the UAG appliance on the DMZ and assign the respective Network Interface Cards (NICs).
As you can see on the architectural diagram, there are two major networks. At the bottom is the vApp network required to support the lab, and at the top is the Lab network, identified as vCenter Networking. For the purpose of this lab we will focus on the Lab network, which is hosted on the ESXi host and represented by the following three networks.
- VM Network & Management: Dedicated network to access Management Console
- Internal Network: Represents the internal network on the 172.16.0.x range. ControlCenter, ESXi and vCenter are part of the internal network.
- DMZ Network: Represents the DMZ network on 192.168.110.x, which is where the UAG appliance will be deployed. The Unified Access Gateway Internet-facing NIC will be associated with this network.
Unified Access Gateway supports 1, 2, or 3 NIC deployments. This means the server can be partitioned to receive traffic on a single interface or route traffic to different interfaces based on the source of the request. Most often, the customers that need to implement multiple Network Interface Cards will already follow this standard with other web applications in their organization.
It is up to the customer to determine what is appropriate for their environment when selecting the number of NICs during installation. However, it is important for you to understand the expected behavior when 2 or 3 NICs are enabled. For this lab, as for many customer use cases, we provide two modules: the first installs Unified Access Gateway with a single NIC and the second installs Unified Access Gateway with two NICs.
Since this workshop is designed for deploying the Unified Access Gateway server through vSphere, the vCenter setup is hosted in a nested template, which will not be the case when working with customers in a live environment.
Customer environments will include multiple networks and may or may not have Network Protocol Profiles (NPP) that correspond to the networks they will connect the Unified Access Gateway to. Prior to UAG version 3.3, NPP was a requirement; in version 3.3 and later, NPP is no longer required. Keep in mind that the Unified Access Gateway requires a netmask, default gateway, and subnet to be defined for each network enabled during deployment.
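Because a PowerShell deployment fails late if a network enabled by the NIC count is missing its address, netmask or gateway, a pre-flight check of the deployment INI is useful. The following function is an added example, not part of this lab or of VMware's deployment script; it assumes the INI keys deploymentOption, ip0..ip2, netmask0..netmask2 and defaultGateway in a [General] section, and the sample INI is constructed.

```powershell
# Added example (not part of this lab or of VMware's uagdeploy.ps1): pre-flight
# check of a UAG deployment INI. Key names (deploymentOption, ip0..ip2,
# netmask0..netmask2, defaultGateway) are assumed; verify against your UAG version.

function Read-IniSection {
    param([string[]]$Lines, [string]$Section)
    $values = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith(';')) { continue }
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $Section); continue }
        if ($inSection -and $t -match '^([^=]+)=(.*)$') { $values[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    return $values
}

function Test-UagNetworkConfig {
    param([string[]]$IniLines)
    $general = Read-IniSection -Lines $IniLines -Section 'General'
    $option = [string]$general['deploymentOption']
    $nicCount = switch ($option) { 'onenic' { 1 } 'twonic' { 2 } 'threenic' { 3 } default { 0 } }
    if ($nicCount -eq 0) { return @('deploymentOption must be onenic, twonic or threenic') }
    $problems = @()
    # Each NIC enabled by deploymentOption needs an address and a netmask; the gateway is global.
    for ($i = 0; $i -lt $nicCount; $i++) {
        foreach ($key in "ip$i", "netmask$i") {
            if (-not $general[$key]) { $problems += "NIC ${i}: missing $key" }
        }
    }
    if (-not $general['defaultGateway']) { $problems += 'missing defaultGateway' }
    return $problems
}

# Constructed sample: a two-NIC deployment that omits the second netmask.
$sample = @'
[General]
name=UAG01
deploymentOption=twonic
ip0=192.168.110.50
netmask0=255.255.255.0
ip1=172.16.0.50
defaultGateway=192.168.110.1
'@ -split "`r?`n"

$problems = Test-UagNetworkConfig -IniLines $sample
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'network settings complete for every enabled NIC' }
```

Run it against your own INI by replacing the constructed sample with `Get-Content` of the file; the sample above reports the missing netmask1 for NIC 1.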