Updated on: 03 JUN 2021

Image Product 3 | 02 JUN 2021

Check for additions and updates to these release notes.

DMZ Design for Unified Access Gateway with Multiple Network Interface Cards

kubectl get vm -n my-ns-ubuntu
NAME              AGE
vmsvc-ubuntu-vm   28s

One of the configuration settings for Unified Access Gateway is the number of virtual Network Interface Cards (NICs) to use. When you deploy Unified Access Gateway, you select a deployment configuration for your network. 

Name:vmsvc-ubuntu-vm
Namespace:    my-ns-ubuntu
Annotations:  vmoperator.vmware.com/image-supported-check: disabled
API Version:  vmoperator.vmware.com/v1alpha1
Kind:         
Class Name:  custom
Image Name:  vmservice-ubuntu-20-10-server-cloudimg-amd64
Network Interfaces:
Network Name:  primary
Network Type:  vsphere-distributed
Power State:     poweredOn
Storage Class:   wcpglobal-storage-profile
Metadata:
Creation Timestamp:  2021-03-23T19:07:36Z
Finalizers:
virtualmachine.vmoperator.vmware.com
Generation:  1
Managed Fields:

You can specify one, two, or three NICS settings which are specified as onenic, twonic or threenic.

Reducing the number of open ports on each virtual LAN and separating out the different types of network traffic can significantly improve security. The benefits are mainly in terms of separating and isolating the different types of network traffic as part of a defense-in-depth DMZ security design strategy. This can be achieved either by implementing separate physical switches within the DMZ, with multiple virtual LANs within the DMZ, or as part of a full VMware NSX managed DMZ.

Typical Single NIC DMZ Deployment

The simplest deployment of Unified Access Gateway is with a single NIC where all network traffic is combined onto a single network. Traffic from the Internet-facing firewall is directed to one of the available Unified Access Gateway appliances. Unified Access Gateway then forwards the authorized traffic through the inner firewall to resources on the internal network. Unified Access Gateway discards unauthorized traffic.

Figure 1. Unified Access Gateway Single NIC Option 
APIVersion: vmoperator.vmware.com/v1alpha1
kind: VirtualMachine metadata: name: vmsvc-ubuntu-vm  namespace: my-ns-ubuntu spec: imageName: vmservice-ubuntu-20-10-server-cloudimg-amd64 className: custom powerState: poweredOn storageClass: wcpglobal-storage-profile networkInterfaces:- networkName: "primary" networkType: vsphere-distributed

Separating Unauthenticated User Traffic from Back-End and Management Traffic

An alternative option over the single NIC deployment is to specify two NICs. The first is still used for Internet facing unauthenticated access, but the back-end authenticated traffic and management traffic are separated onto a different network.

Figure 2. Unified Access Gateway Two NIC Option

In a two NIC deployment, Unified Access Gateway must authorize the traffic going to the internal network through the inner firewall. Unauthorized traffic is not on this back-end network. Management traffic such as the REST API for Unified Access Gateway is only on this second network

If a device on the unauthenticated front-end network, such as the load balancer, was compromised then reconfiguring that device to bypass Unified Access Gateway is not possible in this two NIC deployment. It combines layer 4 firewall rules with layer 7 Unified Access Gateway security. Similarly, if the Internet facing firewall was misconfigured to allow TCP port 9443 through, this would still not expose the Unified Access Gateway Management REST API to Internet users. A defense-in-depth principle uses multiple levels of protection, such as knowing that a single configuration mistake or system attack does not necessarily create an overall vulnerability

In a two NIC deployment, you can put additional infrastructure systems such as DNS servers, RSA SecurID Authentication Manager servers on the back-end network within the DMZ so that these servers cannot be visible on the Internet facing network. Putting infrastructure systems within the DMZ guards against layer 2 attacks from the Internet facing LAN from a compromised front-end system and effectively reduces the overall attack surface.

Most Unified Access Gateway network traffic is the display protocols for Blast and PCoIP. With a single NIC, display protocol traffic to and from the Internet is combined with traffic to and from the back-end systems. When two or more NICs are used, the traffic is spread across front-end and back-end NICs and networks. This reduces the potential bottleneck of a single NIC and results in performance benefits.

Unified Access Gateway supports a further separation by also allowing separation of the management traffic onto a specific management LAN. HTTPS management traffic to port 9443 is then only possible from the management LAN.

Figure 3. Unified Access Gateway Three NIC Option
Table 1. VMware Photon PlatformAdministration Console
Purpose Access Required Credentials

You use the VMware Photon Platform console for these system administrator tasks.

  • Add tenants.
  • Customize the VMware Photon Platform user interface.
  • Configure email servers.
  • View event logs.
  • Configure vRealize Orchestrator.
  1. Start a browser and open the VMware Photon Platform appliance splash page using the fully qualified domain name of the virtual appliance:

    https://vrealize-automation-appliance-FQDN.

  2. Click VMware Photon Platform console.

    You can also use this URL to open the VMware Photon Platform console: https://vrealize-automation-appliance-FQDN/vcac

  3. Log in.

You must be a user with the system administrator role.

Table 2. VMware Photon Platform Tenant Console. This interface is the primary user interface that you use to create and manage your services and resources.
Purpose Access Required Credentials

You use VMware Photon Platform for these tasks.

  • Request new IT service blueprints.
  • Create and manage cloud and IT resources.
  • Create and manage custom groups.
  • Create and manage business groups.
  • Assign roles to users.
  1. Start a browser and enter the URL of your tenancy using the fully qualified domain name of the virtual appliance and the tenant URL name:

    https://vrealize-automation-appliance-FQDN/vcac/org/tenant_URL_name .

  2. Log in.
You must be a user with one or more of these roles:
  • Application Architect
  • Approval Administrator
  • Catalog Administrator
  • Container Administrator
  • Container Architect
  • Health Consumer
  • Infrastructure Architect
  • Secure Export Consumer
  • Software Architect
  • Tenant Administrator
  • XaaS Architect
Table 3. VMware Photon Platform Appliance Management Interface.
Purpose Access Required Credentials

You use VMware Photon Platform Appliance Management for these tasks.

  • View the status of registered services.
  • View system information and reboot or shutdown the appliance.
  • Manage participation in the Customer Experience Improvement Program.
  • View network status.
  • View update status and install updates.
  • Manage administration settings.
  • Manage VMware Photon Platform host settings.
  • Manage SSO settings.
  • Manage product licenses.
  • Configure the VMware Photon Platform Postgres database.
  • Configure VMware Photon Platform messaging.
  • Configure VMware Photon Platform logging.
  • Install IaaS components.
  • Migrate from an existing VMware Photon Platform installation.
  • Manage IaaS component certificates.
  • Configure Xenon service.
  1. Start a browser and open the VMware Photon Platform appliance splash page using the fully qualified domain name of the virtual appliance:

    https://vrealize-automation-appliance-FQDN

  2. Click VMware Photon Platform Appliance Management.

    You can also use this URL to open the VMware Photon Platform appliance management interface: https://vrealize-automation-appliance-FQDN:5480

  3. Log in.
  • User name: root
  • Password: Password you entered when you deployed the VMware Photon Platform appliance.
Table 4. vRealize Orchestrator Client
Purpose Access Required Credentials

You use the vRealize Orchestrator Client for these tasks.

  • Develop actions.
  • Develop workflows.
  • Manage policies.
  • Install packages.
  • Manage user and user group permissions.
  • Attach tags to URI objects.
  • View inventory.
  1. Start a browser and open the VMware Photon Platform splash page using the fully qualified domain name of the virtual appliance:

    https://vrealize-automation-appliance-FQDN

  2. To download the client.jnlp file to your local computer, click vRealize Orchestrator Client.
  3. Right-click the client.jnlp file and select Launch.
  4. On the Do you want to Continue? dialog box, click Continue.
  5. Log in.

You must be a user with the system administrator role or part of the vcoadmins group configured in the vRealize Orchestrator Control Center Authentication Provider settings.

Table 5. vRealize Orchestrator Control Center
Purpose Access Required Credentials

You use the vRealize Orchestrator Control Center to edit the configuration of the default vRealize Orchestrator instance that is embedded in VMware Photon Platform.

  1. Start a browser and open the VMware Photon Platform appliance splash page using the fully qualified domain name of the virtual appliance:

    https://vrealize-automation-appliance-FQDN

  2. Click VMware Photon Platform Appliance Management.

    You can also use this URL to open the VMware Photon Platform appliance management interface: https://vrealize-automation-appliance-FQDN:5480

  3. Log in.
  4. Click vRA > Orchestrator.
  5. Select Orchestrator user interface.
  6. Click Start.
  7. Click the Orchestrator user interface URL.
  8. Log in.
User Name
  • Enter root if role-based authentication is not configured.
  • Enter your VMware Photon Platform user name if it is configured for role-based authentication.

Password

  • Enter the password you entered when you deployed the VMware Photon Platform appliance if role-based authentication is not configured.
  • Enter the password for your user name if your user name is configured for role-based authentication.
Table 6. Linux Command Prompt
Purpose Access Required Credentials

You use the Linux command prompt on a host, such as the VMware Photon Platform appliance host, for these tasks.

  • Stop or start services
  • Edit configuration files
  • Run commands
  • Retrieve data
  1. On the VMware Photon Platform appliance host, open a command prompt.

    One way to open the command prompt on your local computer is to start a session on the host using an application such as PuTTY.

  2. Log in.
  • User name: root
  • Password: Password you created when you deployed the VMware Photon Platform appliance.
Table 7. Windows Command Prompt
Purpose Access Required Credentials

You can use a Windows command prompt on a host, such as the IaaS host, to run scripts.

  1. On the IaaS host, log in to Windows.

    One way to log in from your local computer is to start a remote desktop session.

  2. Open the Windows command prompt.

    One way to open the command prompt is to right-click the Start icon on the host and select Command Prompt or Command Prompt (Admin).

  • User name: User with administrative privileges.
  • Password: User's password.