You can deploy the Unified Access Gateway appliance by logging in to vCenter Server and using the Deploy OVF Template wizard.

Unified Access Gateway Sizing Options

To simplify the deployment of the Unified Access Gateway appliance as the Workspace ONE security gateway, sizing options are added to the deployment configurations in the appliance. The deployment configuration offers a choice between a Standard, Large, and Extra Large virtual machine.
  • Standard: This configuration is recommended for Horizon deployment supporting up to 2000 Horizon connections, aligned with the Connection Server capacity. It is also recommended for Workspace ONE UEM Deployments (mobile use cases) up to 10,000 concurrent connections.
  • Large: This configuration is recommended for Workspace ONE UEM Deployments, where Unified Access Gateway needs to support over 50,000 concurrent connections. This size allows Content Gateway, Per App Tunnel and Proxy, and Reverse Proxy to use the same Unified Access Gateway appliance.
  • Extra Large: This configuration is recommended for Workspace ONE UEM Deployments. This size allows Content Gateway, Per App Tunnel and Proxy, and Reverse Proxy to use the same Unified Access Gateway appliance.
  • Note: VM options for Standard, Large, and Extra Large deployments:
    • Standard - 2 core and 4GB RAM
    • Large - 4 core and 16GB RAM
    • Extra Large - 8 core and 32GB RAM

    You can configure these settings using PowerShell. For information about PowerShell parameters, see Using PowerShell to Deploy the Unified Access Gateway Appliance.

    For more information about the Unified Access Gateway sizing recommendations, you can see VMware Configuration Maximums.

Prerequisites

  • Review the deployment options that are available in the wizard. See Unified Access Gateway System and Network Requirements.
  • Determine the number of network interfaces and static IP addresses to configure for the Unified Access Gateway appliance. See Networking Configuration Requirements.
  • Download the .ova installer file for the Unified Access Gateway appliance from the VMware website at https://my.vmware.com/web/vmware/downloads, or determine the URL to use (example: http://example.com/vapps/euc-unified-access-gateway-YY.MM.0.0-xxxxxxx_OVF10.ova), where YY.MM is the version number and xxxxxxx is the build number.
  • If there is a Hyper-V deployment, and if you are upgrading Unified Access Gateway with static IP, delete the older appliance before deploying the newer instance of Unified Access Gateway.
  • To upgrade your older appliance to a new instance of Unified Access Gateway with zero downtime for users, see the Upgrade with Zero Downtime section.

Procedure

  1. Use the native vSphere Client or the vSphere Web Client to log in to a vCenter Server instance.
    For an IPv4 network, use the native vSphere Client or the vSphere Web Client. For an IPv6 network, use the vSphere Web Client.
  2. Select a menu command for launching the Deploy OVF Template wizard.
    Option Menu Command
    vSphere Client Select File > Deploy OVF Template.
    vSphere Web Client Select any inventory object that is a valid parent object of a virtual machine, such as a data center, folder, cluster, resource pool, or host, and from the Actions menu, select Deploy OVF Template.
  3. On the Select an OVF template page, click URL and enter a URL to download and install the OVF template from the internet or click Local file to browse to the .ova file that you downloaded. Click NEXT.
    Review the product details, version, and size requirements.
  4. Follow the prompts and take the following guidelines into consideration as you complete the wizard. Both ESXi and Hyper-V deployments have two options to assign the IP assignment for Unified Access Gateway. If you are upgrading, then for Hyper-V, delete the old box with the same IP address before deploying the box with the new address. For ESXi, you can turn off the old box and deploy a new box with same IP address using static assignment.
    Table 1. OVF Deployment Options
    Option Description
    Select a name and folder
    Name and Location Enter a name for the Unified Access Gateway virtual appliance in the Virtual machine name field. The name must be unique within the inventory folder. Names are case-sensitive.

    Select a location for the virtual machine from the list.

    Select a compute resource
    Host / Cluster Select the host or cluster on which you want to run the virtual appliance.

    Result: Compatibility and validation checks are done to verify if the compute resource can support the OVF.

    Review details

    Verify the OVF deployment details.
    Configuration
    Select a deployment configuration For an IPv4 or IPV6 network, you can use one, two, or three network interfaces (NICs). Many DMZ implementations use separated networks to secure the different traffic types. Configure Unified Access Gateway according to the network design of the DMZ in which it is deployed. Along with the number of NICs, you can also choose Standard or Large deployment options for Unified Access Gateway.
    Note: VM options for Standard and Large deployments:
    • Standard - 2 core and 4GB RAM
    • Large - 4 core and 16GB RAM
    • Extra Large - 8 core and 32GB RAM
    Select storage
    Select virtual disk format For evaluation and testing environments, select the Thin Provision format. For production environments, select one of the Thick Provision formats.

    Thick Provision Eager Zeroed is a type of thick virtual disk format that supports clustering features such as fault tolerance but takes much longer to create than other types of virtual disks.
    VM storage policy

    Datastore default or any other configured storage policy. For more information, see Virtual Machine Storage Policies in the VMware vSphere Documentation at VMware Docs.

    Select networks
    If you are using a vSphere Web Client, the Select networks page allows you to map each NIC to a network and specify protocol settings.

    Map the networks used in the OVF template to networks in your inventory.

    1. If you are using more than one NIC, on the ManagementNetwork row, select the destination network, and then enter the IP addresses for the DNS server, gateway, and netmask for that network.

      If you are using only one NIC, all the rows are mapped to the same network.

    2. If you have a third NIC, select the third row and complete the settings.

      If you are using only two NICs, for BackendNetwork row, select the same network that you used for ManagementNetwork.

    3. Select the Internet row and click the down arrow to select the destination network. If you select IPv6 as the IP protocol, you must select the network that has IPv6 capabilities.

      After you select the row, you can also enter IP addresses for the DNS server, gateway, and netmask in the lower portion of the window. Click NEXT.

    Note: Ignore the IP protocol drop-down menu if it is displayed, and do not make any selection here. The actual selection of IP protocol (IPv4/IPv6/both) depends on what IP mode is specified for IPMode for NIC 1 (eth0), NIC 2 (eth1), and NIC 3 (eth2) when customizing Networking Properties. DNS Server and default gateway settings are global and not associated with any specific NIC.
    Customize template
    Networking Properties The text boxes on the Properties page are specific to Unified Access Gateway and might not be required for other types of virtual appliances. Text in the wizard page explains each setting. If the text is truncated on the right side of the wizard, resize the window by dragging from the lower-right corner. For each of the NICs, for STATICV4, you must enter the IPv4 address for the NIC. For STATICV6, you must enter the IPv6 address for the NIC. If you leave the text boxes empty, the IP address allocation defaults to DHCPV4+DHCPV6.
    Important: The latest release of Unified Access Gateway does not accept netmask or prefix values and default gateway settings from the Network Protocol Profile (NPP). To configure Unified Access Gateway with static IP allocation, you must configure the netmask/prefix under network properties. These values do not be populated from NPP.
    Note:
    • The values are case-sensitive.
    • While deploying Unified Access Gateway using the vSphere Client HTML5 in vSphere 6.7 or earlier, only NIC1 (eth0) is available for configuration. Multiple NICs are available for configuration when using the vSphere client HTML5 in vSphere 7.0.
    • IPMode for NIC1 (eth0): STATICV4/STATICV6/DHCPV4/DHCPV6/AUTOV6/STATICV4+STATICV6/STATICV4+DHCPV6/STATICV4+AUTOV6/DHCPV4+AUTOV6/DHCPV4+STATICV6/DHCPV4+DHCPV6/DHCPV4+AUTOV6.
    • Comma-separated list of forward rules in the form {tcp|udp}/listening-port-number/destination-ip-address:destination-port-nu. For example, for IPv4, tcp/5262/10.110.92.129:9443, tcp/5263/10.20.30.50:7443.
    • NIC 1 (eth0) IPv4 address. Enter the IPv4 address for the NIC if you entered STATICV4 for the NIC mode.
      • Comma separated list of IPV4 custom routes for NIC (eth0) in the form ipv4-network-address/bits ipv4-gateway-address. For example, 20.2.0.0/16 10.2.0.1,20.9.0.0/16 10.2.0.2,10.2.0.1/32
        Note: If ipv4-gateway-address is not specified, then the respective route that is added has a gateway of 0.0.0.0.
    • NIC 1 (eth0) IPv6 address. Enter the IPv6 address for the NIC if you entered STATICV6 for the NIC mode.
    • DNS server addresses. Enter space-separated IPv4 or IPv6 addresses of the domain name servers for the Unified Access Gateway appliance. Example of IPv4 entry is 192.0.2.1 192.0.2.2. Example of IPv6 entry is fc00:10:112:54::1
    • DNS Search Domain. Enter space-separated DNS Search list.
    • NIC 1 (eth0) IPv4 Netmask. Enter the IPv4 netmask for the NIC.
    • NIC 1 (eth0) IPv6 Prefix. Enter the IPv6 prefix for the NIC.
    • NIC1 (eth0) Custom Configuration. Enter the custom configuration value for the NIC in the format, SectionName^Parameter=Value. An example of a custom configuration entry is DHCP^UseDNS=false. This value, when used, disables the usage of DNS IP addresses provided by the DHCP server. Using the same format, you can add multiple such systemd.network configuration entries separated by semi-colons.
    • IPv4 Default Gateway. Enter a IPv4 default gateway if Unified Access Gateway needs to communicate to an IP address that is not on a local segment of any NIC in Unified Access Gateway.
    • IPv6 Default Gateway. Enter a IPv6 default gateway if Unified Access Gateway needs to communicate to an IP address that is not on a local segment of any NIC in Unified Access Gateway.
    Unified Gateay Appliance name Enter the host name of the appliance for identification. If you do not enter any name, the system automatically generates the name.
    Join CEIP Select Join the VMware Customer Experience Improvement Program to join CEIP or deselect the option to leave CEIP.
    Password Options
    OS Login Username Enter the username to access the local console of Unified Access Gateway.

    When configured, a new sudo privileged user with given username is created and root login is disabled. Only a-z, 0-9, underscrore (_) and hyphen (-) are allowed and the maximum length is 32.

    Note: Leave this field blank to use root user.
    Password for OS login Enter the password for OS login. This password applies to either root or the custom user as configured in OS Login Username field.
    Password Expiration in days for the OS user Enter the Password expiration policy for the OS user. If set to zero password never expires. The default value is 365 days.
    Password policy minimum length Enter the minimum length of the password. The default value is 6.
    Password policy for minimum character classes Enter password policy for minimum number (1,2,3,4) of classes of character type (uppercase, lowercase, digit, others).
    Password policy for maximum failed attempts Enter the maximum failed attempts allowed. The default value is 3.
    Password policy for unlock time in seconds on maximum failed attempts Enter the time in seconds to unlock the password when you have reached maximum failed attempts. The default value is 900.
    Session idle timeout for OS user in seconds Enter the session idle timeout for OS user. The range is 30 -3600 seconds. Session expiry is disabled if this is set to zero (0). The default value is 300.
    Maximum limit on concurrent login sessions for sudo user Enter the maximum limit on cuncurrent login sessions for sudo user. If sudo user is not configured, this setting is ignored.

    The default value is 10 and minimum configurable is 1. There is no maximum limit.
    Password for the admin user, which enables REST API access
    Admin password policy for minimum length Enter the minimum length of the admin password. The default value is 6.
    Admin password policy for maximum failed attempts Enter the maximum failed attempts allowed. The default value is 3.
    Admin password policy for unlock time in seconds on maximum failed attempts Enter the time in seconds to unlock the admin password when you have reached maximum failed attempts. The default value is 900.
    Admin session idle timeout for OS user in seconds Enter the session idle timeout for the admin.The default value is 10 and the maximum is 1440 minutes.
    Maximum concurrent sessions for admin console users Enter the maximum limit on cuncurrent login sessions for the admin.

    The default value is 5 and maximum value is 50.

    When maximum session count exceeds for a user, least recently used session will be expired.

    Compliance
    Enable DISA STIG compliance

    Sets the OS configuration to comply with the current Photon OS 3.0 DISA STIG Readiness Guidelines.

    Select this check box to automatically configure password complexity and other STIG requirements.

    Note: This setting should be used with the FIPS version when DISA STIG OS compliance is required.
    System Properties
    Enable SSH Option to enable SSH for accessing Unified Access Gateway virtual machine.
    Allow SSH root login using password Option to access Unified Access Gateway virtual machine by using an SSH root login and password.

    By default, the value of this option is true.
    Allow SSH login using key pair Option to access Unified Access Gateway virtual machine by using an SSH root login and public-private key pairs.

    By default, this value is false.

    The Unified Access Gateway Admin UI has a field, SSH Public Keys, where an administrator can upload public keys to allow the configured or the root user access to Unified Access Gateway when using the public-private key pair option. For this field to be available on the Admin UI, the value of this option and Enable SSH must be true at the time of deployment itself. If either of these options are not true, the SSH Public Keys field is not available on the Admin UI.

    SSH Public Keys field is an advanced system setting in the Admin UI. See Configure Unified Access Gateway System Settings.
    Login Shell Banner Text Option to customize the banner text displayed when logging into Unified Access Gateway using SSH or the vSphere Client's Web Console.

    This option can be configured only at the time of deployment. If you do not configure this option, the default text is displayed: VMware EUC Unified Access Gateway.

    Only ASCII characters are supported in the customized text. For multi-line banner texts, \n must be used as the line seperator.

    Note: When Unified Access Gateway is deployed using the OVF template and the login banner text is configured, at the first launch of Unified Access Gateway, the vSphere Client's Web Console displays the default banner text and the customized banner text is ignored. On subsequent launches, the customized banner text is displayed.
    SSH Interface

    Configure the network interface on which SSH login is enabled.

    By default, SSH is enabled on all the interfaces.

    The supported values are eth0, eth1, and eth2 based on the configuration.
    SSH Port

    Configure the port on which SSH is enabled.

    The default value is 22.
    Commands to Run During First boot Enter semi-colon separated list of commands in plain-text or base64 encoded format to run during first boot up of Unified Access Gateway. Maximum size is 8kB. For more information, see Configurable Boot Time Commands for First Boot and Every Boot.
    Commands to Run During Every Boot Enter semi-colon separated list of commands in plain-text or base64 encoded format to run during every boot up of Unified Access Gateway. Maximum size is 8kB. For more information, see Configurable Boot Time Commands for First Boot and Every Boot.
    SecureRandom Source Allows you to configure the secure random bit generator source used by Java processes for cryptographic functions.

    This option can be configured only at the time of deployment.

    Supported values are: /dev/random and /dev/urandom. By default, /dev/random is used in the non-FIPS mode and /dev/urandom is used in the FIPS mode.
  5. On the Ready to complete page, review the information and click Finish.
    A Deploy OVF Template task appears in the vCenter Server status area so that you can monitor deployment. You can also open a console on the virtual machine to view the console messages that are displayed during system start. A log of these messages is also available in the file /var/log/boot.msg.
  6. Power on the virtual machine.
  7. When the appliance is powered on, verify that end users can connect to the appliance by opening a browser and entering the following URL: 
    https://FQDN-of-UAG-appliance

    In this URL, FQDN-of-UAG-appliance is the DNS-resolvable, fully qualified domain name of the Unified Access Gateway appliance.

    If deployment was successful, you see the Web page provided by the server that Unified Access Gateway is pointing to. If deployment was not successful, you can delete the appliance virtual machine and deploy the appliance again. The most common error is not entering certificate thumbprints correctly.

Results

The Unified Access Gateway appliance is deployed and starts automatically.

What to do next

  • Log in to the Unified Access Gateway admin user interface (UI) and configure the desktop and application resources to allow remote access from the Internet through Unified Access Gateway and the authentication methods to use in the DMZ. The administration console URL is in the format https://<mycoUnifiedGatewayAppliance>.com:9443/admin/index.html .
    Important: You must complete the Unified Access Gateway configuration post-deployment using the Admin UI. If you do not provide the Admin UI password, you cannot add an Admin UI user later to enable access to either the Admin UI or the API. You must redeploy your Unified Access Gateway instance with a valid Admin UI password if you want to add an Admin UI user.
    Note: If you are not able to access the Admin UI login screen, check if the virtual machine has the IP address displayed during the installation of the OVA. If the IP address is not configured, use the VAMI command mentioned in the UI to reconfigure the NICs. Run the command as "cd /opt/vmware/share/vami" then the command "./vami_config_net".