Unified Access Gateway can be deployed either by using the vSphere Web Client or PowerShell scripts. In either method, you must configure some parameters for the deployment. The information provided here helps you understand some of the configuration parameters that are used during the PowerShell deployment.

Configuration Parameter / Description

osLoginUsername

This setting is present in the [General] section of the .ini file.

Enter a custom username for the high-privilege user created during Unified Access Gateway deployment.

The username can be up to 32 characters long and may contain a combination of a-z, 0-9, underscore (_), and hyphen (-).

When this user is configured, the root login is deactivated.

osMaxLoginLimit

This setting is present in the [General] section of the .ini file.

Configures the limit on concurrent logins to the Unified Access Gateway local console by the high-privilege non-root user.

The default value is 10.

Note: This configuration is effective only when a non-root user (osLoginUsername) is configured for Unified Access Gateway local console login. There is no limit on the concurrent logins of the root user.
sshEnabled

This setting is present in the [General] section of the .ini file.

When set to true, this parameter automatically enables SSH access on the deployed appliance.

When set to false, SSH is not enabled.

Note: VMware does not generally recommend enabling SSH on Unified Access Gateway except in certain specific situations and where access can be restricted. If root console access is required for Amazon AWS EC2 deployments, SSH can be enabled. For more information on Amazon AWS EC2, see Unified Access Gateway PowerShell Deployment to Amazon Web Services at VMware Docs.

Enabling SSH access on Unified Access Gateway deployments for vSphere, Hyper-V, or Microsoft Azure is not generally required as console access with those platforms can be used.

In cases where SSH is enabled, TCP port 22 access must be restricted in firewalls or security groups to source IP addresses of individual administrators. EC2 supports this restriction in the EC2 Security Group associated with the Unified Access Gateway network interfaces.

sshPort

This setting is present in the [General] section of the .ini file.

Configure the port on which SSH is enabled.

The default value is 22.

sshInterface

This setting is present in the [General] section of the .ini file.

Configure the network interface on which SSH login is enabled.

By default, SSH is enabled on all the interfaces.

The supported values are eth0, eth1, and eth2 based on the configuration.

syslogType

Enables syslog configuration.

Custom configuration setting

The custom configuration values that must be added to the systemd.network files can be provided in the following format: SectionName^Parameter=Value.

An example of a custom configuration entry is DHCP^UseDNS=false. This value, when used, disables the use of the DNS IP addresses provided by the DHCP server.

Using the same format, you can add multiple such systemd.network configuration entries separated by semicolons. An example of custom configuration values for eth0, eth1, and eth2 is included in the [General] section of the sample .ini file.

rootSessionIdleTimeoutSeconds

Duration (in seconds) for which the Unified Access Gateway console session can remain idle. After this timeout, the console logs out automatically.

The default value of this parameter when logging in to Unified Access Gateway using SSH is 180 seconds on Microsoft Azure and 300 seconds on other platforms.

For a serial console session, the default value is 900 seconds.

The maximum value of this parameter is 3600 seconds.

rootPasswordExpirationDays

Password expiration policy for the root user.

The default password expiration time is 365 days.

To prevent password expiry, the expiration time can be set to 0.

passwordPolicyMinLen

Minimum length of the root user password.

The default value of this parameter is 6.

The maximum value of this parameter is 64.

passwordPolicyMinClass

Minimum number of character classes that must be used in the root password; this controls the root password complexity.

The character classes are as follows: uppercase, lowercase, digits, and others.

The default value is 1.

This parameter can be configured with the following values: 1, 2, 3, and 4.

If the parameter has the default value, you can use characters from all four classes. If the parameter value is 1, characters from any one of the classes are sufficient.

passwordPolicyFailedLockout

Number of failed login attempts allowed for the root user to access the Unified Access Gateway console.

The default value is 3.

passwordPolicyUnlockTime

Duration for which the Unified Access Gateway console is locked out after the configured number of failed login attempts by the root user.

After the lockout period, the Unified Access Gateway console is unlocked and the root user can access the console.

The default value is 900 seconds.

adminpasswordPolicyMinLen

Minimum length of the admin user password.

The default value of this parameter is 8.

The maximum value of this parameter is 64.

adminpasswordPolicyFailedLockoutCount

Number of failed login attempts allowed for the admin user to access the Unified Access Gateway admin UI.

The default value is 3.

adminpasswordPolicyUnlockTime

Duration (in minutes) for which the Unified Access Gateway admin UI is locked out after the configured number of failed login attempts by the admin user.

After the lockout period, the Unified Access Gateway admin UI is unlocked and the admin user can access the UI.

The default value is 5 minutes.

adminSessionIdleTimeoutMinutes

Duration (in minutes) for which the Unified Access Gateway admin UI session can remain idle. After this timeout, the admin UI logs out automatically.

The default value is 10 minutes.

The maximum value is 1440 minutes.

If the parameter value is 0, the session does not expire even when it is idle.

adminMaxConcurrentSessions

This setting is present in the [General] section of the .ini file.

Configures the limit on concurrent admin sessions.

The default value is 5.

The supported range is 1-50.

When this value is set to 1, no concurrent sessions are allowed.

If a new session is created when the number of concurrent sessions has already reached the limit, the system invalidates the least recently used session.

sshLoginBannerText

Option to customize the banner text displayed when logging in to Unified Access Gateway using SSH or the vSphere Client's Web Console.

This option can be configured only at the time of deployment. If you do not configure this parameter, the default text displayed is VMware EUC Unified Access Gateway.

Only ASCII characters are supported in the customized text. For multi-line banner text, \n must be used as the line separator.

secureRandomSource

Allows you to configure the secure random bit generator source used by Java processes for cryptographic functions.

This option can be configured only at the time of deployment.

Supported values are /dev/random and /dev/urandom. By default, /dev/random is used in non-FIPS mode and /dev/urandom is used in FIPS mode.

dsComplianceOS

This setting is present in the [General] section of the .ini file.

Default value is false.

When set to true, this Boolean flag sets the OS configuration to comply with the current Photon OS 3.0 DISA STIG Readiness Guide. The password complexity and other STIG requirements are automatically configured.

Note: This setting must be used with the FIPS version when DISA STIG OS compliance is required.
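As an added example (not from the product documentation or its sample .ini), the following Python check parses the [General] section of a deployment .ini and reports settings that weaken console or admin UI access, using the defaults and ranges listed above. The sample .ini text is constructed, and the minimum password length and class thresholds it enforces are assumptions rather than documented requirements.

```python
import configparser
import re

# Constructed sample [General] section (not the product's sample .ini);
# several values are deliberately weak so that the audit reports them.
SAMPLE_INI = """\
[General]
osLoginUsername=uag-admin
sshEnabled=true
sshPort=22
rootPasswordExpirationDays=0
passwordPolicyMinLen=6
passwordPolicyMinClass=1
adminSessionIdleTimeoutMinutes=0
adminMaxConcurrentSessions=5
"""
USERNAME_RE = re.compile(r"^[a-z0-9_-]{1,32}$")  # documented osLoginUsername rule


def audit_general(ini_text):
    """Return a list of findings for the [General] section of a UAG .ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep parameter names case-sensitive
    cp.read_string(ini_text)
    g = cp["General"]
    def num(key, default):  # documented default applies when the key is absent
        return int(g.get(key, default))
    findings = []
    user = g.get("osLoginUsername")
    if user is None:
        findings.append("osLoginUsername absent: root console login remains enabled")
    elif not USERNAME_RE.match(user):
        findings.append("osLoginUsername invalid: max 32 chars of a-z, 0-9, _ and -")
    if g.get("sshEnabled", "false").lower() == "true":
        port = g.get("sshPort", "22")
        findings.append("sshEnabled=true: restrict TCP port %s to admin source IPs" % port)
        if "sshInterface" not in g:
            findings.append("sshInterface absent: SSH listens on all interfaces")
    if num("rootPasswordExpirationDays", 365) == 0:
        findings.append("rootPasswordExpirationDays=0: root password never expires")
    # The two thresholds below are assumptions; the page only gives defaults/maxima.
    if num("passwordPolicyMinLen", 6) < 8:
        findings.append("passwordPolicyMinLen below 8 (default 6, max 64)")
    if num("passwordPolicyMinClass", 1) < 2:
        findings.append("passwordPolicyMinClass=1: one character class is enough")
    if num("adminSessionIdleTimeoutMinutes", 10) == 0:
        findings.append("adminSessionIdleTimeoutMinutes=0: admin UI sessions never expire")
    if not 1 <= num("adminMaxConcurrentSessions", 5) <= 50:
        findings.append("adminMaxConcurrentSessions outside the supported range 1-50")
    return findings
```

Running audit_general(SAMPLE_INI) reports six findings for the constructed section; a section with SSH left disabled, a non-root user, and stronger root password settings produces none.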