To deploy the Unified Access Gateway appliance, ensure that your system meets the hardware and software requirements.

VMware Product Versions Supported

You must use specific versions of VMware products with specific versions of Unified Access Gateway. Refer to the product release notes for the latest information about compatibility, and refer to the VMware Product Interoperability Matrix at http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.

For information about the Unified Access Gateway Lifecycle Support Policy, see https://kb.vmware.com/s/article/2147313.

Hypervisor Requirements

Unified Access Gateway supports the following virtualization platforms:
  • VMware vSphere (ESXi with vCenter)
  • Microsoft Azure
  • Microsoft Hyper-V (Tunnel, Secure Email Gateway, and Content Gateway Edge Services only)
  • Amazon AWS EC2
  • Google Cloud GCE

Hardware Requirements for ESXi Server

The Unified Access Gateway appliance must be deployed on a version of VMware vSphere that is the same as the version supported for the respective VMware products and versions.

If you plan to use the vSphere Web client, verify that the client integration plug-in is installed. For more information, see the vSphere documentation. If you do not install this plug-in before you start the deployment wizard, the wizard prompts you to install the plug-in. This requires that you close the browser and exit the wizard.

Virtual Appliance Requirements

The OVF package for the Unified Access Gateway appliance automatically selects the virtual machine configuration that the Unified Access Gateway requires. Although you can change these settings, it is recommended that you not change the CPU, memory, or disk space to smaller values than the default OVF settings.

  • CPU minimum requirement is 2000 MHz
  • Minimum memory of 4 GB

Important: Unified Access Gateway is a VMware virtual appliance. Security and general patches are distributed by VMware as updated virtual appliance image files. Customizing a Unified Access Gateway appliance or upgrading individual components is not supported, apart from increasing memory and the number of vCPUs, which can be performed through vCenter Server Edit settings.

Ensure that the datastore you use for the appliance has enough free disk space and meets other system requirements.

  • Virtual appliance download size (depends on the Unified Access Gateway version)
  • Thin-provisioned disk minimum requirement is 3.5 GB
  • Thick-provisioned disk minimum requirement is 20 GB

Note: In addition to the minimum disk requirements, vSphere can create other files such as a swap file on the ESXi datastore for each virtual machine. Disk space is also used for any virtual machine snapshots created with vCenter Server. An ESXi datastore also contains some other small files for each virtual machine.

If memory reservation is not configured, vSphere creates a per-virtual machine swap file (.vswp) of up to the virtual machine memory size. This swap space is for any unreserved virtual machine memory. For example, a 4 GB RAM Unified Access Gateway appliance with a vSphere thick-provisioned disk uses a 20 GB ESXi .vmdk file and the appliance can use a 4 GB ESXi swap file. This results in a total disk space requirement of 24 GB. Similarly, for a 16 GB RAM Unified Access Gateway appliance, the total disk space requirement can be 36 GB.

For more information about Swap Space and Memory Overcommitment, see vSphere Resource Management documentation.

The following information is required to deploy the virtual appliance.

  • Static IP address (recommended)
  • IP address of the DNS server
  • Password for the root user
  • Password for the admin user
  • URL of the server instance of the load balancer that the Unified Access Gateway appliance points to

Unified Access Gateway Sizing Options

  • Standard: This configuration is recommended for Horizon deployment supporting up to 2000 Horizon connections, aligned with the Connection Server capacity. It is also recommended for Workspace ONE UEM Deployments (mobile use cases) up to 10,000 concurrent connections.
  • Large: This configuration is recommended for Workspace ONE UEM Deployments, where Unified Access Gateway needs to support over 50,000 concurrent connections. This size allows Content Gateway, Per App Tunnel and Proxy, and Reverse Proxy to use the same Unified Access Gateway appliance.
  • Extra Large: This configuration is recommended for Workspace ONE UEM Deployments. This size allows Content Gateway, Per App Tunnel and Proxy, and Reverse Proxy to use the same Unified Access Gateway appliance.

Note: VM options for Standard, Large, and Extra Large deployments:

  • Standard - 2 cores and 4 GB RAM
  • Large - 4 cores and 16 GB RAM
  • Extra Large - 8 cores and 32 GB RAM

You can configure these settings using PowerShell. For information about PowerShell parameters, see Using PowerShell to Deploy the Unified Access Gateway Appliance.

For more information about the Unified Access Gateway sizing recommendations, see VMware Configuration Maximums.

Browser Versions Supported

Supported browsers for launching the Admin UI are Chrome, Firefox, and Internet Explorer. Use the most current version of the browser.

Hardware Requirements When Using Windows Hyper-V Server

When you use Unified Access Gateway for a Workspace ONE UEM Per-App Tunnel deployment, you can install the Unified Access Gateway appliance on a Microsoft Hyper-V server.

Supported Microsoft servers are Windows Server 2012 R2 and Windows Server 2016.

Networking Configuration Requirements

You can use one, two, or three network interfaces, and Unified Access Gateway requires a separate static IP address for each. Many DMZ implementations use separated networks to secure the different traffic types. Configure Unified Access Gateway according to the network design of the DMZ in which it is deployed.

  • One network interface is appropriate for POCs (proof of concept) or testing. With one NIC, external, internal, and management traffic is all on the same subnet.
  • With two network interfaces, external traffic is on one subnet, and internal and management traffic are on another subnet.
  • Using three network interfaces is the most secure option. With a third NIC, external, internal, and management traffic all have their own subnets.

Multicast DNS and .local hostnames

UAG (Unified Access Gateway) 3.7 and later versions support Multicast DNS in addition to Unicast DNS. Multi-label names with the domain suffix .local are routed, by using the Multicast DNS protocol, to all local interfaces that are capable of IP multicasting.

Avoid defining .local in a Unicast DNS server because RFC 6762 reserves this domain for use by Multicast DNS. For example, if you use a hostname hostname.example.local in a configuration setting such as Proxy Destination URL on the UAG, then the hostname is not resolved with Unicast DNS because .local is reserved for Multicast DNS.

Alternatively, you can use one of the following methods in which the .local domain suffix is not required:

  • Specify an IP address instead of a .local hostname.
  • An additional alternative DNS A record can be added in the DNS server.

    In the earlier host name example, hostname.example.int can be added for the same IP address as hostname.example.local and used in the UAG configuration.

  • A local hosts file entry can be defined.

    In the earlier example, a local hosts entry can be defined for hostname.example.local.

    hosts file entries specify names and IP addresses and can be set by using the UAG Admin UI or through PowerShell .ini file settings.
    Important: The /etc/hosts file on UAG must not be edited.

    On the UAG, local hosts file entries are searched before performing a DNS search. Such a search ensures that if the host name is present on the hosts file, then the .local names can be used and a DNS search is not required at all.
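The lookup order described in this section, written as a pre-deployment check. This is an added example, not VMware code: it classifies each configured destination as an IP literal, a hosts-file match, a .local name left to Multicast DNS, or a name sent to Unicast DNS. The setting names, host names, and addresses are constructed for illustration and are not UAG configuration keys.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample values; the setting names are hypothetical, not UAG keys.
SAMPLE_SETTINGS = {
    "proxy_destination_url": "https://hostname.example.local:8443/app",
    "connection_server_url": "https://hostname.example.int",
    "syslog_target": "192.0.2.10:514",
    "content_repo_url": "https://files.example.local",
}
SAMPLE_HOSTS = {"Files.Example.Local": "192.0.2.20"}  # name -> IP hosts entries


def _normalize(name):
    """Lower-case a host name and drop a trailing root dot."""
    return name.rstrip(".").lower()


def classify_destination(value, hosts_entries):
    """Return the lookup path taken by the host in a URL or host[:port] value."""
    url = value if "//" in value else "//" + value
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host found in {value!r}")
    try:
        ipaddress.ip_address(host)
        return "ip-literal"      # an address needs no name lookup
    except ValueError:
        pass
    host = _normalize(host)
    if host in hosts_entries:
        return "hosts-entry"     # hosts entries are searched before DNS
    labels = host.split(".")
    if len(labels) > 1 and labels[-1] == "local":
        return "mdns-only"       # .local is not resolved with Unicast DNS
    return "unicast-dns"


def audit(settings, hosts_entries):
    """Classify every setting; hosts entry names are matched case-insensitively."""
    hosts = {_normalize(n): ip for n, ip in hosts_entries.items()}
    return {k: classify_destination(v, hosts) for k, v in settings.items()}


def needs_fix(settings, hosts_entries):
    """Settings whose .local host has neither an IP literal nor a hosts entry."""
    found = audit(settings, hosts_entries)
    return sorted(k for k, v in found.items() if v == "mdns-only")


if __name__ == "__main__":
    for key, path in audit(SAMPLE_SETTINGS, SAMPLE_HOSTS).items():
        print(f"{key}: {path}")
```

Any setting reported by needs_fix should be changed to one of the three alternatives listed above: an IP address, an additional DNS A record outside .local, or a hosts entry.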

Log Retention Requirements

By default, the log files are configured to use a certain amount of space that, in aggregate, is smaller than the total disk size. The logs for Unified Access Gateway are rotated by default. You must use syslog to preserve these log entries. See Collecting Logs from the Unified Access Gateway Appliance.