Deploying Unified Access Gateway with vSphere

In this section, you explore the vSphere Admin UI and learn how to deploy an OVF Template by configuring the necessary fields for the Unified Access Gateway. You deploy the Unified Access Gateway in a one-NIC configuration, meaning that the Internet-facing, internal-facing, and management networks all reside on a single NIC.

1. Deploying the OVF Template

Deploying UAG OVF Template
  1. Click the VMs and Templates tab.
  2. Right-click the Region named RegionA01.
  3. Click Deploy OVF Template.

1.1. Uploading OVF Template

Uploading OVF Template
  1. Select Local File.
  2. Click Browse.

1.1.1. Select the OVF File

  1. Click Documents.
  2. Click HOL.
  3. Click Unified Access Gateway.
  4. Select the euc-unified-access-gateway-3.#.#.#-#####.ova file.
  5. Click Open.

1.1.2. Continue after OVF File Selected

Click Next.

1.2. Select Name and Location

Select Name and Location
  1. Enter UAG-LAB for the Name.
  2. Select RegionA01.
  3. Click Next.

1.3. Select a Resource

Select a resource
  1. Select RegionA01-COMP01.
  2. Click Next.

1.4. Review Details

Review details

Review the details here. These items are updated as you complete the OVF Template wizard.

Click Next.

1.5. Select Configuration

Select configuration
  1. Select Two NIC.
  2. Click Next.

Note: The drop-down menu provides a short description of each configuration and sizing of the Unified Access Gateway VM.

  • Single NIC: This configuration means that all traffic to the Unified Access Gateway is received on the same interface regardless of the source, and the Admin UI runs on the same NIC over port 9443.
  • Two NIC: In this exercise, the Two NIC configuration directs traffic from external networks to the public interface, and traffic from within the network to an internal interface. The Admin UI runs on the same internal interface over port 9443.
  • Three NIC: Directs traffic from external networks to the public interface, and traffic from within the network to an internal interface. In this configuration, the Admin UI runs on a separate, dedicated Network Interface. When selecting multiple NICs, you must then configure the corresponding network values for each NIC in the Setup Networks and Customize Template sections later in the wizard.

Users who require multiple NICs typically follow this same protocol for other web application servers within their organization. For more information on deploying the Unified Access Gateway with multiple NICs, see the Network Considerations chapter of Deploying VMware Unified Access Gateway.

1.6. Select Storage

Select storage
  1. Select Thin provision for the virtual disk format.
  2. Select the ESX02a-Local datastore.
  3. Select Next.

1.7. Select Networks

Select networks
  1. Select the VM-RegionA01-vDS-COMP destination network for the ManagementNetwork, BackendNetwork, and Internet sources.
  2. Click Next.

Note: A single-NIC configuration was selected, meaning the Internet, management, and backend traffic all go through one NIC. However, this step of the wizard asks for three destination networks, which can be confusing when you configure the Unified Access Gateway for the first time. Since this is a single-NIC deployment, select the same network for all the source networks.

1.8. Configure Networking Settings

Under the Networking Properties section:

  1. Select STATICV4 for the IPMode for NIC 0 (eth0) field.
  2. Select STATICV4 for the IPMode for NIC 1 (eth1) field.
  3. Enter 192.168.110.150 for the NIC 1 (eth0) IPv4 Address.
  4. Scroll down to configure additional settings.

1.9. Configure Networking Settings (Continued)

Continue under the Networking Properties section:

  1. Enter 192.168.110.10 for the DNS Server Addresses.
  2. Enter 255.255.255.0 for the NIC 1 (eth0) IPv4 netmask.
  3. Enter 192.168.110.1 for the IPv4 Default Gateway.
  4. Scroll down to configure additional settings.

1.10. Final Network Settings

Continue under the Networking Properties section for final configuration.

  1. Enter 192.168.120.160 for the NIC 2 (eth1) IPv4 Address.
  2. Enter 192.168.110.10/32 192.168.120.1 for the List of IPv4 custom routes for NIC 2 (eth1).
  3. Enter 255.255.255.0 for the NIC 2 (eth1) IPv4 netmask.
  4. Enter UAG-LAB for the Unified Gateway Appliance Name.
  5. Scroll down to configure additional settings.

1.11. Configure CEIP Settings

Customize Template 1 of 4
  1. Click the Join CEIP section to expand it.
  2. Uncheck the Join CEIP option.

1.12. Configure Password Settings

Customize Template 5 of 4
  1. Click the Password Options section to expand it.
  2. Enter VMware1! for the root user password of the Unified Access Gateway Virtual Machine.
  3. Re-enter VMware1! to confirm the password.
  4. Enter VMware1! for the admin user password, which enables REST API access.
  5. Re-enter VMware1! to confirm the password.
  6. Click Next.

1.13. Ready to Complete

Ready to complete

Review all the settings entered in the Network Mapping and Properties to ensure there are no errors.

Click Finish.
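The review in this step can also be done as a scripted check. The following is an added example, not part of the original lab or of VMware's tooling: it takes the values from steps 1.5 to 1.10, typed into a dictionary whose key names are hypothetical, and flags mismatches between the selected configuration, the NIC subnets, the gateways, and the port-group mapping. The comma-separated route syntax is an assumption.

```python
import ipaddress

# Values entered in steps 1.5-1.10, collected by hand (dict keys are hypothetical).
LAB = {
    "configuration": "Two NIC",
    "nics": {
        "eth0": {"ip": "192.168.110.150", "netmask": "255.255.255.0", "routes": ""},
        "eth1": {"ip": "192.168.120.160", "netmask": "255.255.255.0",
                 "routes": "192.168.110.10/32 192.168.120.1"},
    },
    "default_gateway": "192.168.110.1",
    "port_groups": {"Internet": "VM-RegionA01-vDS-COMP",
                    "ManagementNetwork": "VM-RegionA01-vDS-COMP",
                    "BackendNetwork": "VM-RegionA01-vDS-COMP"},
}
NIC_COUNT = {"Single NIC": 1, "Two NIC": 2, "Three NIC": 3}


def review(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    nets = {name: ipaddress.ip_interface(f"{n['ip']}/{n['netmask']}").network
            for name, n in cfg["nics"].items()}
    if len(nets) != NIC_COUNT[cfg["configuration"]]:
        findings.append(f"{cfg['configuration']} selected but {len(nets)} NIC(s) configured")
    if len(set(nets.values())) != len(nets):
        findings.append("two NICs share a subnet")
    gateway = ipaddress.ip_address(cfg["default_gateway"])
    if not any(gateway in net for net in nets.values()):
        findings.append(f"default gateway {gateway} is not on any NIC subnet")
    for name, nic in cfg["nics"].items():
        # Assumed route syntax: comma-separated "destination/prefix gateway" entries.
        for entry in filter(None, (e.strip() for e in nic["routes"].split(","))):
            try:
                dest, via = entry.split()
                ipaddress.ip_network(dest)
                via_ip = ipaddress.ip_address(via)
            except ValueError:
                findings.append(f"{name}: malformed route {entry!r}")
                continue
            if via_ip not in nets[name]:
                findings.append(f"{name}: route gateway {via} is outside {nets[name]}")
    if len(nets) > 1 and len(set(cfg["port_groups"].values())) == 1:
        findings.append("all source networks map to one port group, so the NICs share a segment")
    return findings


if __name__ == "__main__":
    for line in review(LAB) or ["no findings"]:
        print(line)
```

With the lab values, the addressing checks pass and the only finding is the shared port group, which matters outside a lab because the external and internal interfaces then sit on the same network segment.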

2. Accessing the Task Console

Accessing the Task Console

You can follow the status of the OVF deployment through the Task Console.

  1. Click the Home icon.
  2. Click Tasks.

2.1. Monitoring OVF Import and Deployment

Monitoring OVF Import and Deployment
  1. Wait until the Deploy OVF package and Deploy OVF Template tasks have completed.
    NOTE: Due to Hands on Labs limitations, this installation will run for several minutes before completing.  Please allow the tasks to complete before continuing.
  2. Click VMs and Templates once the tasks have completed.

2.2. Handling a Failed OVF Deploy (IF NEEDED)

Deployment error

If your Import OVF package task fails with the error Failed to deploy OVF package on the Tasks Console, you should restart the deployment by returning to step Deploying the OVF Template.

3. Power on Unified Access Gateway Appliance

Power on UAG Appliance
  1. Expand RegionA01.
  2. Scroll down to find the UAG-LAB virtual machine.
  3. Select the UAG-LAB virtual machine.
  4. Click the Summary tab.
  5. Click the Power On icon.  Wait for the virtual machine to power on.
    NOTE: If the Power On icon is not clickable, you may need to refresh the page first!
  6. Click the Refresh icon to check the status of the virtual machine.  The IP Addresses field will populate once it is powered on.
  7. The IP address 192.168.110.150 will be assigned to this virtual machine.
  8. The Console view will show a blue screen once the UAG initialization has completed.

NOTE: Do NOT continue to the next step until the VM receives the associated IP address and is showing a blue screen!  This may take 1-2 minutes.

4. Navigate to the Unified Access Gateway administration console

UAG Admin UI Login

NOTE: The page may say it is unavailable when you try to connect. This is because the Unified Access Gateway appliance service is still starting up and may take a minute or two before it is available.  

  1. Click the New Tab button.
  2. Enter https://uag.corp.local:9443/admin for the URL and press ENTER.
  3. Click the Advanced link.
  4. Accept the security exception and click the Proceed to uag.corp.local (unsafe) link.

NOTE: The connection is not private because no SSL certificate has been supplied for our Unified Access Gateway.  We will access the administration console to supply an SSL certificate now.  Other Unified Access Gateway Hands-on Labs will cover how to deploy Unified Access Gateway with an SSL certificate in order to skip this step.

5. Log In to the Unified Access Gateway Administration Console

UAG Login
  1. Enter admin for the username.
  2. Enter VMware1!, the password created for the Admin API in the Deploy OVF Wizard.
  3. Click Login.

6. Configuring Settings

Successful login

A successful login redirects you to the window where you can import settings or manually configure the Unified Access Gateway appliance.

Click Select for Configure Manually.

7. Configuring TLS/SSL Certificates

Configuring TLS/SSL Certificates for Unified Access Gateway Appliances

Click the Gear icon for TLS Server Certificate Settings under Advanced Settings.

TLS/SSL is required for client connections to Unified Access Gateway appliances. Client-facing Unified Access Gateway appliances and intermediate servers that terminate TLS/SSL connections require TLS/SSL server certificates.

TLS/SSL server certificates are signed by a Certificate Authority (CA). A CA is a trusted entity that guarantees the identity of the certificate and its creator. When a certificate is signed by a trusted CA, users no longer receive messages asking them to verify the certificate, and thin client devices can connect without requiring additional configuration. A default TLS/SSL server certificate is generated when you deploy a Unified Access Gateway appliance.

Up to this point, the UAG Appliance is using the default certificate, which is not signed by a trusted CA.

7.1. Configuring Type of Certificate

Configuring Type of Certificate
  1. Enable the Admin Interface option.
  2. Enable the Internet Interface option.
  3. Select PFX for the Certificate Type.
  4. Click the Select link to upload a PFX.

7.2. Select PFX Certificate

  1. Click Documents.
  2. Click HOL.
  3. Click Unified Access Gateway.
  4. Click corp_local_wildcard.pfx.
  5. Click Open.

7.3. Enter Certificate Password and Save

  1. Enter VMware1! for the certificate password.
  2. Click Save.

7.4. Unified Access Gateway Certificate Changed

Certificate changed

You will receive a message stating that the Internet-facing interface certificate was changed.  You will need to reload the administration console to see the changes you have made.

  1. Click the Close button on the Unified Access Gateway administration console tab.
  2. Click the New Tab button.

7.5. Validating Certificate installation

Certificate Validation

Enter https://uag.corp.local:9443/admin for the URL and press ENTER to return to the Unified Access Gateway administration console.

You should no longer see a certificate error on the Browser navigation bar.
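The same validation can be scripted instead of read from the browser bar. This is an added example, not part of the original lab: it performs a fully verified TLS handshake against the admin endpoint and reports which subject alternative name covered the host and how many days remain before expiry. The sample certificate dictionary is constructed, and the assumption that the uploaded wildcard certificate carries the name *.corp.local is inferred from the file name only.

```python
import socket
import ssl
import time


def san_matches(pattern, host):
    """Match one DNS SAN against a host name; '*' covers exactly one leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]


def summarize(cert, host, now=None):
    """Summarize a certificate dict in the format returned by SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    matched = next((s for s in sans if san_matches(s, host)), None)
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    return {"matched_san": matched, "days_left": days_left}


def check_endpoint(host, port, cafile=None):
    """Handshake with chain and host name verification.

    cafile is the CA bundle to trust; None uses the system trust store, which
    must already contain the issuing CA for the check to pass.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"trusted": True, **summarize(tls.getpeercert(), host)}
    except ssl.SSLCertVerificationError as err:
        # The appliance's default certificate lands here: it is not CA-signed.
        return {"trusted": False, "reason": err.verify_message}


# Constructed sample in getpeercert() format, standing in for the wildcard certificate.
SAMPLE = {"subjectAltName": (("DNS", "*.corp.local"),),
          "notAfter": "Jan  1 00:00:00 2031 GMT"}

if __name__ == "__main__":
    print(check_endpoint("uag.corp.local", 9443))
```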
