You can configure the security protocols and cryptographic algorithms that are used to encrypt communications between clients and the Unified Access Gateway appliance from the admin configuration pages.

Prerequisites

  • Review the Unified Access Gateway Deployment Properties. The following settings information is required:
    • Static IP address for the Unified Access Gateway appliance
    • IP Addresses of the DNS servers
      Note: A maximum of two DNS server IP addresses can be specified.

      Unified Access Gateway uses the platform default fallback public DNS addresses only when no DNS server addresses are provided to UAG either as part of the configuration settings or through DHCP.

    • Password for the administration console
    • URL of the server instance or load balancer that the Unified Access Gateway appliance points to
    • Syslog server URL to save the event log files

Procedure

  1. In the admin UI Configure Manual section, click Select.
  2. In the Advanced Settings section, click the System Configuration gearbox icon.
  3. Edit the following Unified Access Gateway appliance configuration values.
    The following table lists each option with its default value and description.

    UAG Name
    Unique Unified Access Gateway appliance name.
    Note: The appliance name can consist of a text string of up to 24 characters, which can include letters (A-Z), digits (0-9), the minus sign (-), and the period (.). The appliance name cannot contain spaces.

    Locale
    Specifies the locale to use when generating error messages.
    • en_US for American English. This is the default.
    • ja_JP for Japanese
    • fr_FR for French
    • de_DE for German
    • zh_CN for Simplified Chinese
    • zh_TW for Traditional Chinese
    • ko_KR for Korean
    • es for Spanish
    • pt_BR for Brazilian Portuguese
    • en_GB for British English

    Cipher Suites
    In most cases, the default settings do not need to be changed. These are the cryptographic algorithms that are used to encrypt communications between clients and the Unified Access Gateway appliance. Cipher settings are used for enabling various security protocols.

    TLS 1.0 Enabled
    Default is NO. Select YES to enable the TLS 1.0 security protocol.

    TLS 1.1 Enabled
    Default is NO. Select YES to enable the TLS 1.1 security protocol.

    TLS 1.2 Enabled
    Default is YES. The TLS 1.2 security protocol is enabled.

    TLS 1.3 Enabled
    Default is YES. The TLS 1.3 security protocol is enabled.

    Allowed Host Headers
    Enter the IP address or the host name as the host header values. This setting applies to UAG deployments with Horizon and Web Reverse Proxy use cases.
    For UAG deployments with Horizon, you might be required to provide multiple host headers. This depends on whether an N+1 Virtual IP (VIP) is used and whether the Blast Secure Gateway (BSG) and VMware Tunnel are enabled and configured to use port 443 externally.
    Horizon clients send the IP address in the host header for the Blast connection request. If the BSG is configured to use port 443, the allowed host headers must contain the external IP address of the BSG host name configured in the Blast external URL for the specific UAG.
    If no host header values are specified, any host header value sent by the client is accepted by default.

    Syslog Type
    Select the Syslog type from the drop-down menu. The options are:
    • UDP: Syslog messages are sent over the network in plain text over UDP. This is the default option.
    • TLS: TLS encryption is added between the two syslog servers to keep the messages secured.
    • TCP: Syslog messages are streamed over TCP.
    Note: This setting is applicable for Unified Access Gateway 3.7 and later. The TCP option is applicable for Unified Access Gateway 2009 and later.

    Syslog URL
    This option is enabled when Syslog Type is set to UDP or TCP. Enter the Syslog server URL that is used for logging Unified Access Gateway events. This value can be a URL, a host name, or an IP address. If you do not set the syslog server URL, no events are logged.
    A maximum of two URLs can be provided, separated by a comma. Example: syslog://server1.example.com:514, syslog://server2.example.com:514
    By default, Content Gateway and Secure Email Gateway edge service events are logged. To log events on the syslog server for the Tunnel Gateway edge service configured on Unified Access Gateway, an administrator has to configure Syslog in the Workspace ONE UEM console with the following information: Syslog Hostname=localhost and Port=514
    For more information on Syslog in the Workspace ONE UEM console, see the Configure Per-App Tunnel topic of the VMware Tunnel for Linux documentation.

    Syslog Servers
    This option is enabled when Syslog Type is set to TLS. Enter the Syslog server URL that is used for logging Unified Access Gateway events. This value can be a URL, a host name, or an IP address. If you do not set the syslog server URL, no events are logged.
    A maximum of two URLs can be provided, separated by a comma. Example: syslog://server1.example.com:514, syslog://server2.example.com:514
    By default, Content Gateway and Secure Email Gateway edge service events are logged. To log events on the syslog server for the Tunnel Gateway edge service configured on Unified Access Gateway, an administrator has to configure Syslog in the Workspace ONE UEM console with the following information: Syslog Hostname=localhost and Port=514
    Note: This is applicable for Unified Access Gateway 3.7 and later.

    Syslog Audit URL
    Enter the Syslog server URL that is used for logging Unified Access Gateway audit events. This value can be a URL, a host name, or an IP address. If you do not set the syslog server URL, no audit events are logged.
    A maximum of two URLs can be provided, separated by a comma. Example: syslog://server1.example.com:514, syslog://server2.example.com:514

    CA Certificate
    This option is enabled when a Syslog server is added. Select a valid Syslog Certificate Authority certificate.

    Syslog client certificate
    Note: This option is enabled only when a Syslog Server is added in the Unified Access Gateway Admin UI.
    Select a valid Syslog client certificate in the PEM format.

    Syslog client certificate key
    Note: This option is enabled only when a Syslog Server is added in the Unified Access Gateway Admin UI.
    Select a valid Syslog client certificate key in the PEM format.
    Note: When Unified Access Gateway is deployed using PowerShell, if an invalid or expired certificate or key is provided, the Admin UI instance will not be available.

    Syslog Include System Messages
    Toggle Yes to enable system services such as haproxy, cron, ssh, kernel, and system to send system messages to the syslog server.
    By default, the toggle is set to No.
    Alternatively, this feature can be configured through the PowerShell deployment. For more information about the setting in the INI file, see Using PowerShell to Deploy the Unified Access Gateway Appliance.

    Health Check URL
    Enter a URL that the load balancer connects to in order to check the health of Unified Access Gateway.

    Cookies to be Cached
    The set of cookies that Unified Access Gateway caches. The default is none.

    Session Timeout
    Default value is 36000000 milliseconds.

    Quiesce Mode
    Enable YES to pause the Unified Access Gateway appliance to achieve a consistent state for performing maintenance tasks.

    Monitor Interval
    Default value is 60.

    Password Age
    Number of days the current administrator password is valid. The default is 90 days. Specify zero (0) if the password should never expire.

    Request Timeout
    Indicates the maximum time Unified Access Gateway waits for a request to be received. The default value is 3000. This timeout must be specified in milliseconds.

    Body Receive Timeout
    Indicates the maximum time Unified Access Gateway waits for a request body to be received. The default is 5000. This timeout must be specified in milliseconds.

    Maximum Connections per Session
    Maximum number of TCP connections allowed per TLS session. The default value is 16. For no limit on the allowed number of TCP connections, set the value of this field to 0.
    Note: A field value of 8 or lower causes errors in the Horizon Client.

    Client Connection Idle Timeout
    Specify the time (in seconds) a client connection can stay idle before the connection is closed. The default value is 360 seconds (6 minutes). A value of zero indicates that there is no idle timeout.

    Authentication Timeout
    The maximum wait time in milliseconds before which authentication must happen. The default is 300000. If 0 is specified, there is no time limit for authentication.

    Clock Skew Tolerance
    Enter the permitted time difference in seconds between a Unified Access Gateway clock and the other clocks on the same network. The default is 600 seconds.

    Max Allowed System CPU
    Indicates the maximum allowed average system CPU usage over one minute.
    When the configured CPU limit is exceeded, new sessions are not allowed and the client receives an HTTP 503 error to indicate that the Unified Access Gateway appliance is temporarily overloaded. Exceeding the limit also allows a load balancer to mark the Unified Access Gateway appliance down so that new requests can be directed to other Unified Access Gateway appliances.
    The value is a percentage. The default value is 100%.

    Join CEIP
    If enabled, sends Customer Experience Improvement Program ("CEIP") information to VMware. See Join or Leave the Customer Experience Improvement Program for details.

    Enable SNMP
    Toggle YES to enable the SNMP service. Simple Network Management Protocol collects system statistics, memory, and Tunnel edge service MIB information from Unified Access Gateway. The available Management Information Base (MIB) modules are:
    • UCD-SNMP-MIB::systemStats
    • UCD-SNMP-MIB::memory
    • VMWARE-TUNNEL-SERVER-MIB::vmwTunnelServerMIB

    SNMP Version
    Select the desired SNMP version.
    Note: If you have deployed Unified Access Gateway through PowerShell, enabled SNMP, but not configured SNMPv3 settings either through PowerShell or the Unified Access Gateway Admin UI, then by default the SNMPv1 and SNMPv2c versions are used.
    For configuring the SNMPv3 settings in the Admin UI, see Configure SNMPv3 Using the Unified Access Gateway Admin UI.
    For configuring SNMPv3 settings through PowerShell deployment, certain SNMPv3 settings must be added to the INI file. See Using PowerShell to Deploy the Unified Access Gateway Appliance.

    Admin Disclaimer Text
    Enter the disclaimer text based on your organization's user agreement policy.
    For an administrator to successfully log into the Unified Access Gateway Admin UI, the administrator must accept the agreement policy.
    The disclaimer text can be configured either through PowerShell deployment or by using the Unified Access Gateway Admin UI. For more information about the PowerShell setting in the INI file, see Using PowerShell to Deploy the Unified Access Gateway Appliance.
    When using the Unified Access Gateway Admin UI to configure this text box, the administrator must first log into the Admin UI and then configure the disclaimer text. On subsequent administrator logins, the text is displayed for the administrator to accept before accessing the login page.

    DNS
    Enter Domain Name System addresses that are added to the /run/systemd/resolve/resolv.conf configuration file. It must contain a valid DNS address. Click '+' to add a new DNS address.

    DNS Search
    Enter Domain Name System search entries that are added to the /etc/resolv.conf configuration file. It must contain a valid DNS search address. Click '+' to add a new DNS search entry.

    NTP Servers
    NTP servers for Network Time Protocol synchronization. You can enter valid IP addresses and host names. Any per-interface NTP servers obtained from the systemd-networkd.service configuration or through DHCP take precedence over these settings. Click '+' to add a new NTP server.

    FallBack NTP Servers
    Fallback NTP servers for Network Time Protocol synchronization. If NTP server information is not found, these fallback NTP server host names or IP addresses are used. Click '+' to add a new fallback NTP server.

    SSH Public Keys
    Upload public keys to enable root user access to Unified Access Gateway when using the public-private key pair option.
    Administrators can upload multiple, unique public keys to Unified Access Gateway.
    This field is visible on the Admin UI only when the following SSH options are set to true during deployment: Enable SSH and Allow SSH root login using key pair. For information about these options, see Deploy Unified Access Gateway Using the OVF Template Wizard.

  4. Click Save.
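The Allowed Host Headers rules described in step 3 (an empty list accepts any Host header; a Blast Secure Gateway or Tunnel external URL on port 443 must have its host listed) as an added Python consistency check. This is example code, not VMware's; the case folding and port stripping it applies are assumptions, not documented UAG behaviour.

```python
"""Consistency check for the UAG Allowed Host Headers setting (added example).

Models what the documentation states: an empty list accepts any Host header,
otherwise the Host value must match a configured IP address or host name, and
an external URL (Blast, Tunnel) on port 443 must have its host in the list.
Case folding and port stripping are assumptions, not documented behaviour.
"""
from urllib.parse import urlsplit


def normalize_host(value: str) -> str:
    """Lower-case a Host header value and drop any :port suffix."""
    value = value.strip().lower()
    if value.startswith("[") and "]" in value:   # bracketed IPv6, e.g. [2001:db8::1]:443
        return value[1:value.index("]")]
    if value.count(":") == 1:                    # name:port or IPv4:port
        value = value.split(":", 1)[0]
    return value


def host_header_allowed(host_header: str, allowed: list[str]) -> bool:
    """Return True if UAG would accept this Host header.

    No configured values means every Host header is accepted; otherwise the
    normalized value must equal one of the configured entries.
    """
    if not allowed:
        return True
    return normalize_host(host_header) in {normalize_host(a) for a in allowed}


def required_hosts(*external_urls: str) -> set[str]:
    """Hosts of the given external URLs that listen on port 443.

    The documentation requires each such host to appear in Allowed Host
    Headers; an https URL without an explicit port is treated as port 443.
    """
    needed = set()
    for url in external_urls:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else None)
        if port == 443 and parts.hostname:
            needed.add(parts.hostname)
    return needed


def missing_host_headers(allowed: list[str], *external_urls: str) -> set[str]:
    """Required hosts the allow-list would reject (an empty list rejects nothing)."""
    return {h for h in required_hosts(*external_urls)
            if not host_header_allowed(h, allowed)}
```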
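The Syslog URL, Syslog Servers and Syslog Audit URL fields in step 3 share one value format: up to two comma-separated entries, each a syslog:// URL, a host name or an IP address. The following parser for that format is an added example, not VMware code; the default port of 514 applied to entries without one is an assumption taken from the page's example values.

```python
"""Parser for the UAG syslog destination fields (added example, not VMware code).

Rules taken from the documentation: a comma-separated list of at most two
entries, each a syslog:// URL, a host name, or an IP address. Assumption: an
entry without an explicit port uses 514, the port shown in the page's example.
"""
import ipaddress
from urllib.parse import urlsplit

MAX_SYSLOG_URLS = 2        # documented limit
DEFAULT_SYSLOG_PORT = 514  # assumption, taken from the documented example


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _valid_hostname(host: str) -> bool:
    """Each dot-separated label must be non-empty and use only [A-Za-z0-9-]."""
    return all(label and label.replace("-", "").isalnum()
               for label in host.split("."))


def parse_syslog_entry(entry: str) -> tuple[str, int]:
    """Return (host, port) for one entry; raise ValueError if it is malformed."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty syslog entry")
    # urlsplit only treats "host:port" as a netloc when it is preceded by "//".
    parts = urlsplit(entry if "://" in entry else "//" + entry)
    if parts.scheme not in ("", "syslog"):
        raise ValueError(f"unsupported scheme in {entry!r}: expected syslog://")
    host = parts.hostname
    if not host:
        raise ValueError(f"no host in {entry!r}")
    if not _is_ip(host) and not _valid_hostname(host):
        raise ValueError(f"invalid host in {entry!r}")
    return host, parts.port or DEFAULT_SYSLOG_PORT


def parse_syslog_urls(value: str) -> list[tuple[str, int]]:
    """Parse the whole field value, enforcing the two-destination limit.

    An empty value yields an empty list, which matches the documented
    behaviour that no events are logged when no URL is set.
    """
    entries = [e for e in value.split(",") if e.strip()]
    if len(entries) > MAX_SYSLOG_URLS:
        raise ValueError(f"at most {MAX_SYSLOG_URLS} syslog URLs allowed, got {len(entries)}")
    return [parse_syslog_entry(e) for e in entries]
```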

What to do next

Configure the edge service settings for the components that Unified Access Gateway is deployed with. After the edge settings are configured, configure the authentication settings.