Introduction - Securing Access to Internal Websites through Unified Access Gateway

This workshop guides you through the end-to-end setup for securing access to internal websites through Unified Access Gateway, leveraging the Web Reverse Proxy and Identity Bridging features.

In both modules you will deploy the Unified Access Gateway appliance using the PowerShell method and then perform the configuration specific to that module.

This workshop is aimed at educating the user on how to enable external access to internal websites using the Web Reverse Proxy feature in Unified Access Gateway, and how to secure authentication through Identity Bridging, which converts a SAML assertion into Kerberos authentication for legacy web applications that do not support SAML.

At the end of this lab, you will know how to provide and secure external access to internal websites through VMware Unified Access Gateway, and which approach is appropriate for a given set of customer use cases and requirements.

Before getting started, let's go over the lab network setup followed by a brief outline of each deployment method.

1. Lab Architecture

DMZ & Internal networks:

External requests to the vApp are sent to the vPod Router, which directs those requests to the appropriate resource based on the incoming port. Ports 4000-6500 are reserved for the lab components, so all traffic arriving on these ports is forwarded to the appropriate Edge Service on your Unified Access Gateway appliance. In addition, ports 443 (the edge services) and 9443 (the UAG administration UI) are forwarded to your UAG appliance on the same ports.

The vApp networks (Internal, DMZ, and Transit) are created within the Lab vApp. The Internal and Transit networks are NATed to the SE-UCS-Network for outbound Internet connectivity, while the DMZ network routes through the vPodRouter for inbound and outbound access. Note that the vPodRouter does not have a NIC on the Internal network and therefore cannot route external traffic to resources on the Internal network; only the UAG appliance in the DMZ bridges the two.

This setup was chosen so that the lab environment can emulate a typical customer environment.

Lab components shown in the diagram:

  • vPod Router
  • ESXi01 6.5.0 U1
  • Control Center
  • vIDM 3.2 and vCenter Server 6.5 U1, deployed on ESXi01

2. HOL Architecture Overview


In our lab environment there are two networks that you can deploy your servers into; however, for this lab you will be deploying the Unified Access Gateway appliance in the DMZ and assigning the respective Network Interface Cards (NICs).

As you can see in the architecture diagram, there are two major networks. At the bottom is the vApp network required to support the lab, and at the top is the Lab network, identified as vCenter Networking. For the purpose of this lab we will focus on the Lab network, which is hosted on the ESXi host and represented by the following three networks:

  • VM Network & Management: Dedicated network for access to the management console.
  • Internal Network: Represents the internal network on the 172.16.0.x range. ControlCenter, ESXi, vCenter and the Intranet server are part of the internal network.
  • DMZ Network: Represents the DMZ network on the 192.168.110.x range, which is where the Unified Access Gateway appliance will be deployed. The Unified Access Gateway Internet-facing NIC will be attached to this network.

3. Network Interfaces

Unified Access Gateway supports deployments with one, two, or three NICs. This means the appliance can receive all traffic on a single interface, or separate traffic onto different interfaces based on where the request comes from: Internet-facing, management, and back-end. With two or three NICs the Internet-facing interface sits in the DMZ while management and back-end traffic use internal interfaces, so the administration UI and internal services are not exposed on the external network. Most often, if you need to implement multiple NICs, your organization already follows this standard for other web applications.

You must determine what is appropriate for your environment when selecting the number of NICs during installation. It is important to understand the expected behavior when two or three NICs are enabled.

Two modules are provided to explore these options under the Lab Overview - HOL-1857-01-UAG - Deploying Unified Access Gateway - Getting Started. As a first step toward understanding basic deployments, you can install Unified Access Gateway with one NIC using vSphere Client, described in Module 1 - Basic UAG Deployment (one NIC) using vSphere Admin UI. You can then advance to the next step and install Unified Access Gateway with two NICs as a production environment using PowerShell, described in Module 2 - UAG Deployment (two NICs) using PowerShell script.


4. Customer Considerations

In the exercises for deploying the Unified Access Gateway server through vSphere, the vCenter instance is hosted in a nested template. This is not usually the case in a live customer environment.

Customer environments can include multiple networks and can optionally have a Network Protocol Profile (NPP) corresponding to each network that connects to the Unified Access Gateway. Prior to version 3.3, an NPP was required; since version 3.3, an NPP is no longer required.

Note: Keep in mind that Unified Access Gateway requires a subnet, netmask, and default gateway to be defined for each network enabled during deployment.
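As an added example (not part of the original lab and not VMware's own deployment files), the following PowerShell script shows the two-NIC layout described above, with the Internet-facing NIC on the lab's DMZ range (192.168.110.x) and the management/back-end NIC on the Internal range (172.16.0.x), each with its own netmask and the default gateway on the DMZ side. The INI keys follow the format consumed by VMware's uagdeploy.ps1 script, but the IP addresses, host names, OVA path, vCenter target, datastore, port-group names and the certificate thumbprint are assumptions for illustration, and the exact key set varies by UAG version, so check the deployment guide for your release before using it.

```powershell
# Added example: two-NIC Unified Access Gateway deployment with the PowerShell method.
# Every address, name and path below is an assumption for the lab layout described above.

$iniPath = "C:\UAG\uag-twonic.ini"

# Deployment settings consumed by VMware's uagdeploy.ps1. NIC1 (ip0) is the
# Internet-facing interface in the DMZ; NIC2 (ip1) carries management and
# back-end traffic on the Internal network. Each enabled NIC gets its own
# netmask; the default gateway sits on the DMZ side so that replies to
# Internet clients leave through the vPod Router, not the internal network.
$ini = @"
[General]
name=UAG-LAB-01
source=C:\UAG\euc-unified-access-gateway.ova
target=vi://administrator@vsphere.local:PASSWORD@vcenter.lab.local/Datacenter/host/esxi01.lab.local
ds=datastore1
deploymentOption=twonic
netInternet=DMZ Network
netManagementNetwork=Internal Network
ip0=192.168.110.50
netmask0=255.255.255.0
defaultGateway=192.168.110.1
ip1=172.16.0.50
netmask1=255.255.255.0
dns=172.16.0.10

[WebReverseProxy1]
instanceId=intranet
proxyDestinationUrl=https://intranet.lab.local
# Placeholder thumbprint (assumed value): pin the intranet server's real certificate here
proxyDestinationUrlThumbprints=sha1=AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
proxyPattern=(/|/intranet(.*))
"@

Set-Content -Path $iniPath -Value $ini -Encoding ASCII

# Sanity checks before deploying: if the Internet-facing and internal
# addresses do not land on the expected networks, the DMZ separation is lost,
# and an unpinned back-end certificate lets the proxy be pointed at any TLS host.
function Test-UagNetworkLayout {
    param([string]$IniText)
    $cfg = @{}
    foreach ($line in $IniText -split "`n") {
        if ($line -match '^\s*([^=\[;#]+?)\s*=\s*(.*?)\s*$') { $cfg[$matches[1]] = $matches[2] }
    }
    $ok = $true
    if ($cfg['ip0'] -notlike '192.168.110.*') {
        Write-Warning "ip0 (Internet NIC) is not on the DMZ range"; $ok = $false
    }
    if ($cfg['ip1'] -notlike '172.16.0.*') {
        Write-Warning "ip1 (management/back-end NIC) is not on the Internal range"; $ok = $false
    }
    if ($cfg['defaultGateway'] -notlike '192.168.110.*') {
        Write-Warning "default gateway should be the DMZ router"; $ok = $false
    }
    if (-not $cfg['proxyDestinationUrlThumbprints']) {
        Write-Warning "back-end certificate thumbprint is not pinned"; $ok = $false
    }
    return $ok
}

if (Test-UagNetworkLayout -IniText $ini) {
    # uagdeploy.ps1 ships with the UAG OVA download; it prompts for the root
    # and admin passwords when they are not passed as parameters.
    & .\uagdeploy.ps1 -iniFile $iniPath
}
```

The checks in Test-UagNetworkLayout are the ones a reviewer would run against any customer INI before deployment: the ranges are the lab's, so substitute the DMZ and internal prefixes of the target environment.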
