VMware Content Gateway on Unified Access Gateway Introduction
In today's world we are in some capacity we are remote workers, our applications are spread between internal systems and SaaS, as our corporate files are hosted on-premises and start spreading across multiple Cloud repositories, like Office 365, DropBox, Google Drive and others. Mobile access to internal documents is a necessity in todays work environments, also multiples apps to access multiples cloud repositores end up impacting the end user experience as security for IT administrators.
The VMware Content Gateway provides a secure and effective method for end users to access internal repositories. Using the VMware Content Gateway with VMware Content Locker provides levels of access to your corporate content. Your end users can remotely access their documentation, financial documents, board books, and more directly from content repositories or internal fileshares. As files are added or updated within your existing content repository, the changes immediately display in VMware Content Locker. Users are granted access to their approved files and folders based on the existing access control lists defined in your internal repository.
The VMware Content Locker not only provides access to on-premise content repository, but also enable users to have access to multiple cloud repositories from a single app, VMware Content Locker.
1. VMware Content Gateway Edge Service on Unified Access Gateway
Before we get started with this exercise, it's important that you understand the VMWare Content Gateway Architecture & Deployment models for implementing the service to provide secure internal access to file repositories from your device fleet.
The VMware Content Gateway works as a edge service on the Unified Access Gateway appliance, and can automatically be configured during deployment of the appliance via PowerShell or after using the Unified Access Gateway administration console.
The VMware's Unified Access Gateway appliance OVF template product, contains several edge services, beyond VMware Content Gateway, which includes: VMware Tunnel, Web Reverse Proxy and Horizon. This appliance runs off VMware's standard hardened image.
This exercise will guide you through the necessary Workspace ONE UEM configuration, along with the Unified Access Gateway deployment steps in vSphere via PowerShell, configuration of VMware Content Gateway Edge Service and use of Content Locker App on an enrolled iOS device to access files on an internal file share repository.
2. VMware Content Gateway Deployment Model on Unified Access Gateway
The VMware Content Gateway can be deployed in one of two configurations:
- The Basic Model consists of a single Unified Access Gateway Appliance, typically situated in the DMZ, where devices can connect to the appropriate port for each feature, authenticate with a certificate issued from the Workspace ONE UEM Console, and connect to internal sites.
- Alternatively, the VMware Content Gateway can be deployed on a Cascade Mode configuration. This option allows devices to authenticate to the Front-end Content Gateway on the Unified Access Gateway Appliance located on the DMZ, then connect to the Content Gateway Back-end enabled on a second Unified Access Gateway Appliance over a single port and then access internal resources.
2.1. Basic Model
Basic deployment model includes a single Unified Access Gateway Appliance, since you can enable VMware Tunnel on port 443 for the same appliance, VMware Tunnel and Content Gateway will require a distinct hostname on the Unified Access Gateway Appliance.
The default port for Content Gateway is 443 as TLS Port Sharing is enabled by default on Unified Access Gateway, when TLS Port Sharing is disabled Content Gateway listen on port 10443.
These ports are secured with a public SSL Certificate from trusted third party with subject name of server hostname.
2.2. Cascade Model
The Cascade deployment model architecture includes two instances of Unified Access Gateways with VMware Content Gateway enabled on each. In cascade mode, the front-end server resides in the DMZ and communicates to the back-end server in your internal network.
The Content Gateway requests come from port 443 when TLS Port Sharing is enabled on the Front-End Unified Access Gateway, internally Unified Access Gateway redirect the request to HAProxy, which redirects the request to Content Gateway edge service on port 10443, then authenticate the device and forward the request to the Back-End Content Gateway, which redirect to the specific internal resource port.
In order to permit the successful deployment of VMware Tunnel the following prerequisites are required:
- AirWatch 8.4+ or Workspace ONE UEM 9.5+
- VMware Unified Access Gateway 3.4 Appliance
- vSphere 6+
4. Exercise Flow
To limit the scope of this lab, we have setup a unique hostname and single port for the Content Gateway Edge Service. We will perform the following steps (in sequence) to complete this lab:
- Configure API key and Device Root Certificate in the console.
- Configure VMware Content Gateway settings in the console.
- Deploy Unified Access Gateway Appliance enabling VMware Content Gateway Edge Services through PowerShell based on a Single-Tier Architecture.
- Review the VMware Content Gateway Edge Service configuration from Unified Access Gateway administration console.
- Configure VMware Content Locker app on Workspace ONE UEM Console.
- Validate the internal access to files on a internal server from your enrolled iOS device.