You can deploy the Unified Access Gateway appliance by logging in to vCenter Server and using the Deploy OVF Template wizard.

Two versions of the Unified Access Gateway OVA are available: a standard OVA and a FIPS version of the OVA.

The FIPS version of the OVA supports the following Edge services:
  • Horizon (pass-through auth and certificate auth)
    Note: Certificate authentication includes both smart card authentication and device certificate authentication.
  • VMware Per-App Tunnel
  • Secure Email Gateway
Important: The FIPS 140-2 version runs with the FIPS certified set of ciphers and hashes and has restrictive services enabled that support FIPS certified libraries. When Unified Access Gateway is deployed in FIPS mode, the appliance cannot be changed to the standard OVA deployment mode. The Horizon edge authentication is not available in the FIPS version.

Unified Access Gateway Sizing Options

To simplify the deployment of the Unified Access Gateway appliance as the Workspace ONE security gateway, sizing options are added to the deployment configurations in the appliance. The deployment configuration offers a choice between a Standard, Large, and Extra Large virtual machine.
  • Standard: This configuration is recommended for Horizon deployment supporting up to 2000 Horizon connections, aligned with the Connection Server capacity. It is also recommended for Workspace ONE UEM Deployments (mobile use cases) up to 10,000 concurrent connections.
  • Large: This configuration is recommended for Workspace ONE UEM Deployments, where Unified Access Gateway needs to support over 50,000 concurrent connections. This size allows Content Gateway, Per App Tunnel and Proxy, and Reverse Proxy to use the same Unified Access Gateway appliance.
  • Extra Large: This configuration is recommended for Workspace ONE UEM Deployments. This size allows Content Gateway, Per App Tunnel and Proxy, and Reverse Proxy to use the same Unified Access Gateway appliance.
  • Note: VM options for Standard, Large, and Extra Large deployments:
    • Standard - 2 core and 4 GB RAM
    • Large - 4 core and 16 GB RAM
    • Extra Large - 8 core and 32 GB RAM

    You can configure these settings using PowerShell. For information about PowerShell parameters, see Using PowerShell to Deploy the Unified Access Gateway Appliance.

    For more information about the Unified Access Gateway sizing recommendations, you can see VMware Configuration Maximums.

Prerequisites

  • Review the deployment options that are available in the wizard. See Unified Access Gateway System and Network Requirements.
  • Determine the number of network interfaces and static IP addresses to configure for the Unified Access Gateway appliance. See Networking Configuration Requirements.
  • Download the .ova installer file for the Unified Access Gateway appliance from the VMware website at https://my.vmware.com/web/vmware/downloads, or determine the URL to use (example: http://example.com/vapps/euc-access-point-Y.Y.0.0-xxxxxxx_OVF10.ova), where Y.Y is the version number and xxxxxxx is the build number.
  • If there is a Hyper-V deployment, and if you are upgrading Unified Access Gateway with static IP, delete the older appliance before deploying the newer instance of Unified Access Gateway.
  • To upgrade your older appliance to a new instance of Unified Access Gateway with zero downtime for users, see the Upgrade with Zero Downtime section.

Procedure

  1. Use the native vSphere Client or the vSphere Web Client to log in to a vCenter Server instance.
    For an IPv4 network, use the native vSphere Client or the vSphere Web Client. For an IPv6 network, use the vSphere Web Client.
  2. Select a menu command for launching the Deploy OVF Template wizard.
    Option / Menu command:
    • vSphere Client: Select File > Deploy OVF Template.
    • vSphere Web Client: Select any inventory object that is a valid parent object of a virtual machine, such as a data center, folder, cluster, resource pool, or host, and from the Actions menu, select Deploy OVF Template.
  3. On the Select Source page, browse to the .ova file that you downloaded or enter a URL and click Next.
    Review the product details, version, and size requirements.
  4. Follow the prompts and take the following guidelines into consideration as you complete the wizard. Both ESXi and Hyper-V deployments offer two options for IP assignment for Unified Access Gateway. If you are upgrading, then for Hyper-V, delete the old box with the same IP address before deploying the box with the new address. For ESXi, you can turn off the old box and deploy a new box with the same IP address using static assignment.
    Option / Description:
    Name and Location: Enter a name for the Unified Access Gateway virtual appliance. The name must be unique within the inventory folder. Names are case-sensitive.

    Select a location for the virtual appliance.

    Deployment Configuration: For an IPv4 or IPv6 network, you can use one, two, or three network interfaces (NICs). Many DMZ implementations use separated networks to secure the different traffic types. Configure Unified Access Gateway according to the network design of the DMZ in which it is deployed. Along with the number of NICs, you can also choose Standard or Large deployment options for Unified Access Gateway.
    Note: VM options for Standard and Large deployments:
    • Standard - 2 core and 4 GB RAM
    • Large - 4 core and 16 GB RAM
    Host / Cluster: Select the host or cluster in which to run the virtual appliance.
    Disk format: For evaluation and testing environments, select the Thin Provision format. For production environments, select one of the Thick Provision formats. Thick Provision Eager Zeroed is a type of thick virtual disk format that supports clustering features such as fault tolerance but takes much longer to create than other types of virtual disks.
    Setup Networks/Network Mapping: If you are using a vSphere Web Client, the Setup Networks page allows you to map each NIC to a network and specify protocol settings.

    Map the networks used in the OVF template to networks in your inventory.

    1. Select the first row in the table, Internet, and then click the down arrow to select the destination network. If you select IPv6 as the IP protocol, you must select a network that has IPv6 capabilities.

      After you select the row, you can also enter IP addresses for the DNS server, gateway, and netmask in the lower portion of the window.

    2. If you are using more than one NIC, select the next row ManagementNetwork, select the destination network, and then you can enter the IP addresses for the DNS server, gateway, and netmask for that network.

      If you are using only one NIC, all the rows are mapped to the same network.

    3. If you have a third NIC, also select the third row and complete the settings.

      If you are using only two NICs, for this third row BackendNetwork, select the same network that you used for ManagementNetwork.

    Note: Ignore the IP protocol drop-down menu if it is displayed, and do not make any selection here. The actual selection of IP protocol (IPv4/IPv6/both) depends on what IP mode is specified for IPMode for NIC 1 (eth0), NIC 2 (eth1), and NIC 3 (eth2) when customizing Networking Properties.
    Customize Network Properties: The text boxes on the Properties page are specific to Unified Access Gateway and might not be required for other types of virtual appliances. Text in the wizard page explains each setting. If the text is truncated on the right side of the wizard, resize the window by dragging from the lower-right corner. For each of the NICs, for STATICV4, you must enter the IPv4 address for the NIC. For STATICV6, you must enter the IPv6 address for the NIC. If you leave the text boxes empty, the IP address allocation defaults to DHCPV4+DHCPV6.
    Important: The latest release of Unified Access Gateway does not accept netmask or prefix values and default gateway settings from the Network Protocol Profile (NPP). To configure Unified Access Gateway with static IP allocation, you must configure the netmask/prefix under network properties. These values are not populated from NPP.
    Note:
    • The values are case-sensitive.
    • While deploying Unified Access Gateway using the vSphere Client HTML5 in vSphere 6.7 or earlier, only NIC1 (eth0) is available for configuration. Multiple NICs are available for configuration when using the vSphere client HTML5 in vSphere 7.0.
    • IPMode for NIC 1 (eth0): STATICV4/STATICV6/DHCPV4/DHCPV6/AUTOV6/STATICV4+STATICV6/STATICV4+DHCPV6/STATICV4+AUTOV6/DHCPV4+AUTOV6/DHCPV4+STATICV6/DHCPV4+DHCPV6.
    • IPMode for NIC 2 (eth1): STATICV4/STATICV6/DHCPV4/DHCPV6/AUTOV6/STATICV4+STATICV6/STATICV4+DHCPV6/STATICV4+AUTOV6/DHCPV4+AUTOV6/DHCPV4+STATICV6/DHCPV4+DHCPV6.
    • IPMode for NIC 3 (eth2): STATICV4/STATICV6/DHCPV4/DHCPV6/AUTOV6/STATICV4+STATICV6/STATICV4+DHCPV6/STATICV4+AUTOV6/DHCPV4+AUTOV6/DHCPV4+STATICV6/DHCPV4+DHCPV6.
    • Comma-separated list of forward rules in the form {tcp|udp}/listening-port-number/destination-ip-address:destination-port-number. For example, for IPv4: tcp/5262/10.110.92.129:9443, tcp/5263/10.20.30.50:7443.
    • NIC 1 (eth0) IPv4 address. Enter the IPv4 address for the NIC if you entered STATICV4 for the NIC mode.
    • Comma-separated list of IPv4 custom routes for NIC 1 (eth0) in the form ipv4-network-address/bits ipv4-gateway-address. For example, 20.2.0.0/16 10.2.0.1,20.9.0.0/16 10.2.0.2,10.2.0.1/32
      Note: If ipv4-gateway-address is not specified, then the respective route that is added has a gateway of 0.0.0.0.
    • NIC 1 (eth0) IPv6 address. Enter the IPv6 address for the NIC if you entered STATICV6 for the NIC mode.
    • NIC 1 (eth0) IPv4 Netmask. Enter the IPv4 netmask for the NIC.
    • NIC 1 (eth0) IPv6 Prefix. Enter the IPv6 prefix for the NIC.
    • NIC1 (eth0) Custom Configuration. Enter the custom configuration value for the NIC in the format, SectionName^Parameter=Value. An example of a custom configuration entry is DHCP^UseDNS=false. This value, when used, disables the usage of DNS IP addresses provided by the DHCP server. Using the same format, you can add multiple such systemd.network configuration entries separated by semi-colons.
    • DNS server addresses. Enter space-separated IPv4 or IPv6 addresses of the domain name servers for the Unified Access Gateway appliance. An example of an IPv4 entry is 192.0.2.1 192.0.2.2. An example of an IPv6 entry is fc00:10:112:54::1.
    • IPv4 Default Gateway. Enter an IPv4 default gateway if Unified Access Gateway needs to communicate with an IP address that is not on a local segment of any NIC in Unified Access Gateway.
    • IPv6 Default Gateway. Enter an IPv6 default gateway if Unified Access Gateway needs to communicate with an IP address that is not on a local segment of any NIC in Unified Access Gateway.
    • NIC 2 (eth1) IPv4 address. Enter the IPv4 address for the NIC if you entered STATICV4 for the NIC mode.
    • Comma-separated list of IPv4 custom routes for NIC 2 (eth1) in the form ipv4-network-address/bits ipv4-gateway-address. For example, 20.2.0.0/16 10.2.0.1,20.9.0.0/16 10.2.0.2,10.2.0.1/32
      Note: If ipv4-gateway-address is not specified, then the respective route that is added has a gateway of 0.0.0.0.
    • NIC 2 (eth1) IPv6 address. Enter the IPv6 address for the NIC if you entered STATICV6 for the NIC mode.
    • NIC 2 (eth1) IPv4 Netmask. Enter the IPv4 netmask for this NIC.
    • NIC 2 (eth1) IPv6 Prefix. Enter the IPv6 prefix for this NIC.
    • NIC2 (eth1) Custom Configuration. Enter the custom configuration value for the NIC in the same format as NIC 1, SectionName^Parameter=Value.
    • NIC 3 (eth2) IPv4 address. Enter the IPv4 address for the NIC if you entered STATICV4 for the NIC mode.
    • Comma-separated list of IPv4 custom routes for NIC 3 (eth2) in the form ipv4-network-address/bits ipv4-gateway-address. For example, 20.2.0.0/16 10.2.0.1,20.9.0.0/16 10.2.0.2,10.2.0.1/32
      Note: If ipv4-gateway-address is not specified, then the respective route that is added has a gateway of 0.0.0.0.
    • NIC 3 (eth2) IPv6 address. Enter the IPv6 address for the NIC if you entered STATICV6 for the NIC mode.
    • NIC 3 (eth2) IPv4 Netmask. Enter the IPv4 netmask for this NIC.
    • NIC 3 (eth2) IPv6 Prefix. Enter the IPv6 prefix for this NIC.
    • NIC3 (eth2) Custom Configuration. Enter the custom configuration value for the NIC in the same format as NIC 1, SectionName^Parameter=Value.
    VM root user password: Password for the root user to log in to the Unified Access Gateway virtual machine.

    To establish password policies for the root user password, you can configure certain options such as password expiry, minimum length, minimum number of classes of character type, maximum number of failed attempts, and unlock time after the maximum number of failed attempts. You can also use PowerShell and configure these parameters.

    For information about the PowerShell parameters, see Using PowerShell to Deploy the Unified Access Gateway Appliance and PowerShell Parameters for Deploying Unified Access Gateway.

    Admin UI password: Password for the admin user to log in to the Unified Access Gateway admin UI.

    To establish password policies for the admin user password, you can configure certain options such as minimum length, maximum number of failed attempts, unlock time after the maximum number of failed attempts, and the idle timeout for admin user authenticated sessions.

    Enable SSH: Option to enable SSH for accessing the Unified Access Gateway virtual machine.
    Allow SSH root login using password: Option to access the Unified Access Gateway virtual machine by using an SSH root login and password.

    By default, the value of this option is true.

    Allow SSH root login using key pair: Option to access the Unified Access Gateway virtual machine by using an SSH root login and public-private key pairs.

    By default, this value is false.

    The Unified Access Gateway Admin UI has a field, SSH Public Keys, where an administrator can upload public keys to allow root user access to Unified Access Gateway when using the public-private key pair option. For this field to be available on the Admin UI, the value of this option and Enable SSH must both be true at the time of deployment itself. If either of these options is not true, the SSH Public Keys field is not available on the Admin UI.

    SSH Public Keys field is an advanced system setting in the Admin UI. See Configure Unified Access Gateway System Settings.

    Login Banner Text: Option to customize the banner text displayed when logging in to Unified Access Gateway using SSH or the vSphere Client's Web Console.

    This option can be configured only at the time of deployment. If you do not configure this option, the default text is displayed: VMware EUC Unified Access Gateway.

    Only ASCII characters are supported in the customized text. For multi-line banner texts, \n must be used as the line separator.

    Note: When Unified Access Gateway is deployed using the OVF template and the login banner text is configured, at the first launch of Unified Access Gateway, the vSphere Client's Web Console displays the default banner text and the customized banner text is ignored. On subsequent launches, the customized banner text is displayed.
    SecureRandom Source: Allows you to configure the secure random bit generator source used by Java processes for cryptographic functions.

    This option can be configured only at the time of deployment.

    Supported values are: /dev/random and /dev/urandom. By default, /dev/random is used in the non-FIPS mode and /dev/urandom is used in the FIPS mode.

    Join CEIP: Select Join the VMware Customer Experience Improvement Program to join CEIP, or deselect the option to leave CEIP.
    Important: SSH options can be configured only during deployment. For security-related reasons, these options cannot be modified after deployment either via the Unified Access Gateway Admin UI or API.
  5. On the Ready to complete page, review the information and click Finish.
    A Deploy OVF Template task appears in the vCenter Server status area so that you can monitor deployment. You can also open a console on the virtual machine to view the console messages that are displayed during system start. A log of these messages is also available in the file /var/log/boot.msg.
  6. Power on the virtual machine.
  7. When the appliance is powered on, verify that end users can connect to the appliance by opening a browser and entering the following URL:
    https://FQDN-of-UAG-appliance

    In this URL, FQDN-of-UAG-appliance is the DNS-resolvable, fully qualified domain name of the Unified Access Gateway appliance.

    If deployment was successful, you see the Web page provided by the server that Unified Access Gateway is pointing to. If deployment was not successful, you can delete the appliance virtual machine and deploy the appliance again. The most common error is not entering certificate thumbprints correctly.
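The three free-form network properties in step 4 (forward rules, per-NIC custom routes, and the SectionName^Parameter=Value custom configuration) are typed into wizard text boxes with no validation until the appliance boots, and a malformed entry is one of the reasons a freshly deployed appliance comes up without the expected routes or listeners. The following Python is an added example, not VMware's code: it parses and validates each of the three formats before they are pasted into the wizard, applying the rules the wizard text states (tcp or udp only, port ranges, IPv4 routes, and the 0.0.0.0 gateway used when none is given). The function names and the grouping of custom-configuration entries into systemd.network-style sections are my own assumptions about how the page's examples are meant to be read.

```python
"""Validators for the three free-form network properties accepted by the
Deploy OVF Template wizard for Unified Access Gateway.
Added example, not VMware code; function names are assumptions."""
import ipaddress
import re

_PROTOCOLS = {"tcp", "udp"}


def _port(value, item):
    """Return the port as an int or raise with the offending entry named."""
    if not value.isdigit() or not 1 <= int(value) <= 65535:
        raise ValueError(f"rule {item!r}: port {value!r} is not in 1-65535")
    return int(value)


def parse_forward_rules(text):
    """Parse '{tcp|udp}/listening-port/destination-ip:destination-port, ...'
    into (proto, listen_port, dest_ip, dest_port) tuples.
    Rejects unknown protocols, bad ports or addresses, and two rules that
    would bind the same protocol/listening port."""
    rules = []
    for item in filter(None, (s.strip() for s in text.split(","))):
        parts = item.split("/")
        if len(parts) != 3:
            raise ValueError(f"rule {item!r}: expected proto/port/ip:port")
        proto, listen, dest = parts
        if proto not in _PROTOCOLS:
            raise ValueError(f"rule {item!r}: protocol must be tcp or udp")
        host, sep, port = dest.rpartition(":")
        if not sep:
            raise ValueError(f"rule {item!r}: destination must be ip:port")
        dest_ip = ipaddress.ip_address(host)  # raises ValueError on junk
        rules.append((proto, _port(listen, item), str(dest_ip), _port(port, item)))
    listeners = [(proto, lport) for proto, lport, _, _ in rules]
    dupes = {x for x in listeners if listeners.count(x) > 1}
    if dupes:
        raise ValueError(f"duplicate listener(s): {sorted(dupes)}")
    return rules


def parse_custom_routes(text):
    """Parse 'ipv4-network/bits [ipv4-gateway], ...' into (network, gateway)
    pairs. A route given without a gateway gets 0.0.0.0, which is what the
    wizard text says the appliance does with such an entry."""
    routes = []
    for item in filter(None, (s.strip() for s in text.split(","))):
        fields = item.split()
        if len(fields) not in (1, 2):
            raise ValueError(f"route {item!r}: expected 'network/bits [gateway]'")
        net = ipaddress.ip_network(fields[0], strict=False)
        gw = ipaddress.ip_address(fields[1] if len(fields) == 2 else "0.0.0.0")
        if net.version != 4 or gw.version != 4:
            raise ValueError(f"route {item!r}: this property takes IPv4 routes only")
        routes.append((str(net), str(gw)))
    return routes


def custom_config_to_network_unit(text):
    """Expand 'Section^Key=Value;Section^Key=Value' into the systemd.network
    style text it stands for, grouping keys under one [Section] header.
    Seeing the expanded form makes a typo in a section or key name obvious."""
    pattern = re.compile(r"^([A-Za-z0-9]+)\^([A-Za-z0-9]+)=(.*)$")
    sections = {}
    for item in filter(None, (s.strip() for s in text.split(";"))):
        match = pattern.match(item)
        if not match:
            raise ValueError(f"entry {item!r}: expected SectionName^Parameter=Value")
        section, key, value = match.groups()
        sections.setdefault(section, []).append(f"{key}={value}")
    return "\n".join(f"[{name}]\n" + "\n".join(kv) for name, kv in sections.items())


if __name__ == "__main__":
    # The sample values below are the page's own examples from step 4.
    print(parse_forward_rules("tcp/5262/10.110.92.129:9443, tcp/5263/10.20.30.50:7443"))
    print(parse_custom_routes("20.2.0.0/16 10.2.0.1,20.9.0.0/16 10.2.0.2,10.2.0.1/32"))
    print(custom_config_to_network_unit("DHCP^UseDNS=false"))
```

Run the checks against the exact strings you intend to paste into the wizard; every rejection names the offending entry, so the fix is made before deployment rather than after a failed first boot.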

Results

The Unified Access Gateway appliance is deployed and starts automatically.

What to do next

  • Log in to the Unified Access Gateway admin user interface (UI) and configure the desktop and application resources to allow remote access from the Internet through Unified Access Gateway and the authentication methods to use in the DMZ. The administration console URL is in the format https://FQDN-of-UAG-appliance:9443/admin/index.html, where FQDN-of-UAG-appliance is the fully qualified domain name of the appliance.
    Important: You must complete the Unified Access Gateway configuration post-deployment using the Admin UI. If you do not provide the Admin UI password, you cannot add an Admin UI user later to enable access to either the Admin UI or the API. You must redeploy your Unified Access Gateway instance with a valid Admin UI password if you want to add an Admin UI user.
    Note: If you are not able to access the Admin UI login screen, check whether the virtual machine has the IP address displayed during the installation of the OVA. If the IP address is not configured, use the VAMI command mentioned in the UI to reconfigure the NICs: run "cd /opt/vmware/share/vami" and then "./vami_config_net".