You can deploy the Unified Access Gateway appliance by logging in to vCenter Server and using the Deploy OVF Template wizard.

About this task

Two versions of the Unified Access Gateway OVA are available: the standard OVA and a FIPS version of the OVA. The FIPS 140-2 version runs with the FIPS certified set of ciphers and hashes and has restrictive services enabled that support FIPS certified libraries. When Unified Access Gateway is deployed in FIPS mode, the appliance cannot be changed to the standard OVA deployment mode.

Note:

If you use the native vSphere Client, verify that you have assigned an IP pool to each network. To add an IP pool in vCenter Server using the native vSphere Client, go to the IP Pools tab of the data center. Alternatively, if you are using the vSphere Web Client, you can create a network protocol profile. Go to the Manage tab of the data center and select the Network Protocol Profiles tab.

Prerequisites

Procedure

  1. Use the native vSphere Client or the vSphere Web Client to log in to a vCenter Server instance.

    For an IPv4 network, use the native vSphere Client or the vSphere Web Client. For an IPv6 network, use the vSphere Web Client.

  2. Select a menu command for launching the Deploy OVF Template wizard.

    Option: vSphere Client
    Menu Command: Select File > Deploy OVF Template.

    Option: vSphere Web Client
    Menu Command: Select any inventory object that is a valid parent object of a virtual machine, such as a data center, folder, cluster, resource pool, or host, and from the Actions menu, select Deploy OVF Template.

  3. On the Select Source page, browse to the .ova file that you downloaded or enter a URL and click Next.

    Review the product details, version, and size requirements.

  4. Follow the wizard prompts and take the following guidelines into consideration as you complete the wizard.

    Option

    Description

    Name and Location

    Enter a name for the Unified Access Gateway virtual appliance. The name must be unique within the inventory folder. Names are case sensitive.

    Select a location for the virtual appliance.

    Deployment Configuration

    For an IPv4 network, you can use one, two, or three network interfaces (NICs). For an IPv6 network, use three NICs. Unified Access Gateway requires a separate static IP address for each NIC. Many DMZ implementations use separated networks to secure the different traffic types. Configure Unified Access Gateway according to the network design of the DMZ in which it is deployed.

    Host / Cluster

    Select the host or cluster in which to run the virtual appliance.

    Disk format

    For evaluation and testing environments, select the Thin Provision format. For production environments, select one of the Thick Provision formats. Thick Provision Eager Zeroed is a type of thick virtual disk format that supports clustering features such as fault tolerance but takes much longer to create than other types of virtual disks.

    Setup Networks/Network Mapping

    If you are using vSphere Web Client, the Setup Networks page allows you to map each NIC to a network and specify protocol settings.

    Map the networks used in the OVF template to networks in your inventory.

    1. Select IPv4 or IPv6 from the IP protocol drop-down list.

    2. Select the first row in the table, Internet, and then click the down arrow to select the destination network. If you select IPv6 as the IP protocol, you must select a network that has IPv6 capabilities.

      After you select the row, you can also enter IP addresses for the DNS server, gateway, and netmask in the lower portion of the window.

    3. If you are using more than one NIC, select the next row, ManagementNetwork, and select the destination network. You can then enter the IP addresses for the DNS server, gateway, and netmask for that network.

      If you are using only one NIC, all the rows are mapped to the same network.

    4. If you have a third NIC, also select the third row and complete the settings.

      If you are using only two NICs, for this third row, BackendNetwork, select the same network that you used for ManagementNetwork.

    With the vSphere Web Client, a network protocol profile is automatically created after you complete the wizard if one does not exist.

    If you use the native vSphere Client, the Network Mapping page allows you to map each NIC to a network, but there are no fields for specifying the DNS server, gateway, and netmask addresses. As described in the prerequisites, you must already have assigned an IP pool to each network or created a network protocol profile.

    Customize Network Properties

    The text boxes on the Properties page are specific to Unified Access Gateway and might not be required for other types of virtual appliances. Text in the wizard page explains each setting. If the text is truncated on the right side of the wizard, resize the window by dragging from the lower-right corner.

    • IPMode:STATICV4/STATICV6. If you enter STATICV4, you must enter the IPv4 address for the NIC. If you enter STATICV6, you must enter the IPv6 address for the NIC.

    • Comma separated list of forward rules in the form {tcp|udp}/listening-port-number/destination-ip-address:destination-port-nu

    • NIC 1 (eth0) IPv4 address. Enter the IPv4 address for the NIC if you entered STATICV4 for the NIC mode.

    • Comma separated list of IPv4 custom routes for NIC 1 (eth0) in the form ipv4-network-address/bits.ipv4-gateway-address

    • NIC 1 (eth0) IPv6 address. Enter the IPv6 address for the NIC if you entered STATICV6 for the NIC mode.

    • DNS server addresses. Enter space-separated IPv4 or IPv6 addresses of the domain name servers for the Unified Access Gateway appliance. An example IPv4 entry is 192.0.2.1 192.0.2.2. An example IPv6 entry is fc00:10:112:54::1

    • NIC 2 (eth1) IPv4 address. Enter the IPv4 address for the NIC if you entered STATICV4 for the NIC mode.

    • Comma separated list of IPv4 custom routes for NIC 2 (eth1) in the form ipv4-network-address/bits.ipv4-gateway-address

    • NIC 2 (eth1) IPv6 address. Enter the IPv6 address for the NIC if you entered STATICV6 for the NIC mode.

    • NIC 3 (eth2) IPv4 address. Enter the IPv4 address for the NIC if you entered STATICV4 for the NIC mode.

    • Comma separated list of IPv4 custom routes for NIC 3 (eth2) in the form ipv4-network-address/bits.ipv4-gateway-address

    • NIC 3 (eth2) IPv6 address. Enter the IPv6 address for the NIC if you entered STATICV6 for the NIC mode.

    • Password options. Enter the password for the root user of this VM and the password for the administrator user who accesses the administration console and enables REST API access.

    • Password options. Enter the password for the admin user who logs in to the Admin UI to configure Unified Access Gateway and who can enable the REST API access.

    Other settings are either optional or already have a default setting entered.

  5. On the Ready to Complete page, select Power on after deployment, and click Finish.

    A Deploy OVF Template task appears in the vCenter Server status area so that you can monitor deployment. You can also open a console on the virtual machine to view the console messages that are displayed during system boot. A log of these messages is also available in the file /var/log/boot.msg.

  6. When deployment is complete, verify that end users can connect to the appliance by opening a browser and entering the following URL:
    https://FQDN-of-UAG-appliance

    In this URL, FQDN-of-UAG-appliance is the DNS-resolvable, fully qualified domain name of the Unified Access Gateway appliance.

    If deployment was successful, you see the Web page provided by the server that Unified Access Gateway is pointing to. If deployment was not successful, you can delete the appliance virtual machine and deploy the appliance again. The most common error is not entering certificate thumbprints correctly.
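
A pre-deployment check for the values entered on the Customize Network Properties page in step 4, as an added example that is not part of the original page or of VMware's tooling. It applies the rules this page states (IPMode, a separate address per NIC, three NICs for IPv6, the custom-route form, space-separated DNS servers); the function names, dictionary keys, and sample addresses are assumptions of this example.

```python
import ipaddress

def parse_route(entry):
    """Split one 'ipv4-network-address/bits.ipv4-gateway-address' entry."""
    network, slash, rest = entry.strip().partition("/")
    bits, dot, gateway = rest.partition(".")
    if not (slash and dot):
        raise ValueError(f"route {entry!r} is not network/bits.gateway")
    # strict=True rejects a network address with host bits set, e.g. 198.51.100.5/24
    return (ipaddress.IPv4Network(f"{network}/{bits}", strict=True),
            ipaddress.IPv4Address(gateway))

def check_properties(ip_mode, nics, dns):
    """Return a list of problems (empty means consistent). nics: one dict per
    NIC, eth0 first, with 'address' and optional 'routes' (key names are this
    example's assumptions, not OVF keys); dns: space-separated server string."""
    if ip_mode not in ("STATICV4", "STATICV6"):
        return [f"IPMode {ip_mode!r} must be STATICV4 or STATICV6"]
    version = 4 if ip_mode == "STATICV4" else 6
    problems = []
    if not 1 <= len(nics) <= 3 or (version == 6 and len(nics) != 3):
        problems.append("use one to three NICs for IPv4 and three NICs for IPv6")
    seen = set()
    for i, nic in enumerate(nics):
        try:
            addr = ipaddress.ip_address(nic["address"])
            if addr.version != version:
                problems.append(f"eth{i}: {addr} does not match {ip_mode}")
            if addr in seen:  # each NIC needs its own static address
                problems.append(f"eth{i}: {addr} is already used by another NIC")
            seen.add(addr)
        except ValueError as exc:
            problems.append(f"eth{i}: {exc}")
        for entry in filter(None, nic.get("routes", "").split(",")):
            try:
                parse_route(entry)
            except ValueError as exc:
                problems.append(f"eth{i}: {exc}")
    for server in dns.split():
        try:
            ipaddress.ip_address(server)
        except ValueError as exc:
            problems.append(f"DNS: {exc}")
    return problems

# Constructed sample (documentation address ranges); eth1 repeats eth0 on purpose.
SAMPLE_NICS = [{"address": "192.0.2.10", "routes": "198.51.100.0/24.192.0.2.1"},
               {"address": "192.0.2.10"}]
```

Running `check_properties("STATICV4", SAMPLE_NICS, "192.0.2.1 192.0.2.2")` reports the duplicated eth1 address before the wizard is started.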

Results

The Unified Access Gateway appliance is deployed and starts automatically.

What to do next

Log in to the Unified Access Gateway admin user interface (UI) and configure the desktop and application resources to allow remote access from the Internet through Unified Access Gateway and the authentication methods to use in the DMZ. The administration console URL is in the format https://<mycoUnifiedAccessGatewayappliance.com>:9443/admin/index.html.

Note:

If you are not able to access the admin UI login screen, check whether the virtual machine has the IP address displayed during the installation of the OVA. If the IP address is not configured, use the vami command mentioned in the UI to reconfigure the NICs. Run the command "cd /opt/vmware/share/vami" and then the command "./vami_config_net".