Introduction - Securing Access to Internal Websites through Unified Access Gateway

This workshop guides you through the end-to-end setup on how to secure access to internal website through Unified Access Gateway leveraging Web Reverse Proxy and Identity Bridging features.

In both modules you will be deploying the Unified Access Gateway Appliance via PowerShell method, and perform specific configuration related to the module..

This workshop is aimed at educating the user on how to enable external access to internal websites using Web Reverse Proxy feature in Unified Access Gateway, and secure authentication through Identity Bridging converting SAML to Kerberos for legacy web applications that doesn't support SAML today.

At the end of this lab, you will learn how to provide and secure external access to internal websites through VMware Unified Access Gateway, and what's the appropriate approach based on customer use cases & requirements.

Before getting started, let's go over the lab network setup followed by a brief outline of each deployment method.

1. Lab Architecture

DMZ & Internal networks:

External requests to the vApp are sent to the vPod Router, which will direct those requests to the appropriate resource based on the incoming port. Ports 4000-6500 are reserved for the lab components so all traffic coming in on these ports will be forwarded to your Unified Access Gateway appliance's appropriate Edge Service.  In addition, ports 443 and 9443 will be forwarded to your UAG server over the respective ports.

The vApp Networks (Internal, DMZ, and Transit) are created within the Lab vApp.  The Internal and Transit networks are NATed to the SE-UCS-Network for outbound internet connectivity while the DMZ network routes through the vPodRouter for inbound and outbound access. Note that the vPodRouter does not have a NIC on the Internal network and thus cannot route external traffic to resources on the Internal network.

This setup was taken so that the lab environment can attempt to emulate a typical customer environment.

vPod Router | ESXi01 6.5.0 U1 | Control Center | vIDM 3.2 and vCenter Server 6.5 U1 deployed in the ESXi01

2. HOL Architecture Overview

HOL Architecture Overview

In our lab environment, there are two networks that you can deploy your servers into, however for this lab you will be deploying the Unified Access Gateway Appliance on a DMZ and assigning the respective Network Interface Cards (NICs).

As you can see on the Architectural diagram, there are two major networks. On the bottom is the vApp network required to support the lab and on the top is the Lab network, identified as vCenter Networking. For the propose of this lab we will focus on the Lab network, which is hosted on the ESXi and represented by the following three networks.

  • VM Network & Management: Dedicated network to access Management Console
  • Internal Network: Represents the internal network on 172.16.0.x range. ControlCenter, ESXI, vCenter and Intranet Server are part of the internal network.
  • DMZ Network: Represents the DMZ network on 192.168.110.x which is where the Unified Access Gateway Appliance will be deployed. The Unified Access Gateway Internet facing NIC will be associated to this network.

3. Network Interfaces

Unified Access Gateway supports deployments with one, two, or three NICs. This means that the server can be partitioned to receive traffic on a single interface or to route traffic to different interfaces, based on the source of the request. Most often, if you need to implement multiple NICs, you already follow this standard with other web applications in your organization.

You must determine what is appropriate for your environment when selecting the number of NICs during installation. It is important for you to understand the expected behavior when two or three NICs are enabled.

Two modules are provided to explore these options under the Lab Overview - HOL-1857-01-UAG - Deploying Unified Access Gateway - Getting Started. As a first step toward understanding basic deployments, you can install Unified Access Gateway with one NIC using vSphere Client, described in Module 1 - Basic UAG Deployment (one NIC) using vSphere Admin UI. You can then advance to the next step and install Unified Access Gateway with two NICs as a production environment using PowerShell, described in Module 2 - UAG Deployment (two NICs) using PowerShell script.


4. Customer Considerations

In the exercises for deploying the Unified Access Gateway server through vSphere, the vCenter setup is hosted in a nested template. This is not usually the case when working with users in a live environment.

User environments can include multiple networks and can optionally have a Network Protocol Profiles (NPP) that corresponds to the networks to connect to the Unified Access Gateway. Prior to version 3.3, NPP was a requirement. Since version 3.3, NPP is no longer required.

Note: Keep in mind that the Unified Access Gateway requires a netmask, default gateway, and subnet to be defined for each network enabled during deployment.


Add your comment

E-Mail me when someone replies to this comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.