Select a name and folder
Name and Location:
Enter a name for the Unified Access Gateway virtual appliance in the Virtual machine name field. The name must be unique within the inventory folder. Names are case-sensitive. Select a location for the virtual machine from the list.
Select a compute resource
Host / Cluster:
Select the host or cluster on which you want to run the virtual appliance. Result: Compatibility and validation checks are done to verify that the compute resource can support the OVF.
Review details
Verify the OVF deployment details.
Configuration
Select a deployment configuration:
For an IPv4 or IPv6 network, you can use one, two, or three network interfaces (NICs). Many DMZ implementations use separated networks to secure the different traffic types. Configure Unified Access Gateway according to the network design of the DMZ in which it is deployed. Along with the number of NICs, you can also choose Standard or Large deployment options for Unified Access Gateway.
Note: VM options for Standard and Large deployments:
- Standard - 2 core and 4GB RAM
- Large - 4 core and 16GB RAM
- Extra Large - 8 core and 32GB RAM
Select storage
Select virtual disk format:
For evaluation and testing environments, select the Thin Provision format. For production environments, select one of the Thick Provision formats. Thick Provision Eager Zeroed is a type of thick virtual disk format that supports clustering features such as fault tolerance but takes much longer to create than other types of virtual disks.
VM storage policy:
Datastore default or any other configured storage policy. For more information, see Virtual Machine Storage Policies in the VMware vSphere Documentation at VMware Docs.
Select networks
If you are using a vSphere Web Client, the Select networks page allows you to map each NIC to a network and specify protocol settings. Map the networks used in the OVF template to networks in your inventory.
- If you are using more than one NIC, on the ManagementNetwork row, select the destination network, and then enter the IP addresses for the DNS server, gateway, and netmask for that network. If you are using only one NIC, all the rows are mapped to the same network.
- If you have a third NIC, select the third row and complete the settings. If you are using only two NICs, for the BackendNetwork row, select the same network that you used for ManagementNetwork.
- Select the Internet row and click the down arrow to select the destination network. If you select IPv6 as the IP protocol, you must select the network that has IPv6 capabilities.
After you select the row, you can also enter IP addresses for the DNS server, gateway, and netmask in the lower portion of the window. Click NEXT.
Note: Ignore the IP protocol drop-down menu if it is displayed, and do not make any selection here. The actual selection of IP protocol (IPv4/IPv6/both) depends on what IP mode is specified for IPMode for NIC 1 (eth0), NIC 2 (eth1), and NIC 3 (eth2) when customizing Networking Properties. DNS Server and default gateway settings are global and not associated with any specific NIC.
Customize template
Networking Properties:
The text boxes on the Properties page are specific to Unified Access Gateway and might not be required for other types of virtual appliances. Text in the wizard page explains each setting. If the text is truncated on the right side of the wizard, resize the window by dragging from the lower-right corner. For each of the NICs, for STATICV4, you must enter the IPv4 address for the NIC. For STATICV6, you must enter the IPv6 address for the NIC. If you leave the text boxes empty, the IP address allocation defaults to DHCPV4+DHCPV6.
Important: The latest release of Unified Access Gateway does not accept netmask or prefix values and default gateway settings from the Network Protocol Profile (NPP). To configure Unified Access Gateway with static IP allocation, you must configure the netmask/prefix under network properties. These values are not populated from NPP.
Note:
- The values are case-sensitive.
- While deploying Unified Access Gateway using the vSphere Client HTML5 in vSphere 6.7 or earlier, only NIC1 (eth0) is available for configuration. Multiple NICs are available for configuration when using the vSphere Client HTML5 in vSphere 7.0.
- IPMode for NIC1 (eth0): STATICV4/STATICV6/DHCPV4/DHCPV6/AUTOV6/STATICV4+STATICV6/STATICV4+DHCPV6/STATICV4+AUTOV6/DHCPV4+AUTOV6/DHCPV4+STATICV6/DHCPV4+DHCPV6/DHCPV4+AUTOV6.
- Comma-separated list of forward rules in the form {tcp|udp}/listening-port-number/destination-ip-address:destination-port-number. For example, for IPv4, tcp/5262/10.110.92.129:9443, tcp/5263/10.20.30.50:7443.
- NIC 1 (eth0) IPv4 address. Enter the IPv4 address for the NIC if you entered STATICV4 for the NIC mode.
- NIC 1 (eth0) IPv6 address. Enter the IPv6 address for the NIC if you entered STATICV6 for the NIC mode.
- DNS server addresses. Enter space-separated IPv4 or IPv6 addresses of the domain name servers for the Unified Access Gateway appliance. An example of an IPv4 entry is 192.0.2.1 192.0.2.2. An example of an IPv6 entry is fc00:10:112:54::1.
- DNS Search Domain. Enter a space-separated DNS search list.
- NIC 1 (eth0) IPv4 Netmask. Enter the IPv4 netmask for the NIC.
- NIC 1 (eth0) IPv6 Prefix. Enter the IPv6 prefix for the NIC.
- NIC1 (eth0) Custom Configuration. Enter the custom configuration value for the NIC in the format SectionName^Parameter=Value. An example of a custom configuration entry is DHCP^UseDNS=false. This value, when used, disables the usage of DNS IP addresses provided by the DHCP server. Using the same format, you can add multiple such systemd.network configuration entries separated by semicolons.
- IPv4 Default Gateway. Enter an IPv4 default gateway if Unified Access Gateway needs to communicate with an IP address that is not on a local segment of any NIC in Unified Access Gateway.
- IPv6 Default Gateway. Enter an IPv6 default gateway if Unified Access Gateway needs to communicate with an IP address that is not on a local segment of any NIC in Unified Access Gateway.
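The networking properties above are free-text OVF fields, and a typo in a forward rule or custom configuration entry only surfaces after the appliance boots. The following Python is an added example (not VMware's code and not part of the original page) of checking those values before deployment: it validates an IPMode string against the documented list (exact case, since the values are case-sensitive), parses a forward-rule list in the {tcp|udp}/listening-port/destination-ip:destination-port form, validates the space-separated DNS server list, and renders SectionName^Parameter=Value entries separated by semicolons as systemd.network sections. The page shows only the IPv4 rule form and the DHCP^UseDNS=false entry; splitting the destination on its last colon (with optional square brackets) for IPv6, the sample Network^IPv6AcceptRA=no entry, and the rendered file layout are this example's assumptions.

```python
import ipaddress
from collections import OrderedDict

# IPMode values copied from the wizard description; matching is case-sensitive.
IPMODES = {
    "STATICV4", "STATICV6", "DHCPV4", "DHCPV6", "AUTOV6",
    "STATICV4+STATICV6", "STATICV4+DHCPV6", "STATICV4+AUTOV6",
    "DHCPV4+AUTOV6", "DHCPV4+STATICV6", "DHCPV4+DHCPV6",
}


def validate_ipmode(value: str) -> bool:
    """True if value is one of the documented IPMode strings (exact case)."""
    return value in IPMODES


def _port(value: str, rule: str) -> int:
    """Parse a TCP/UDP port, rejecting anything outside 1-65535."""
    if not value.isdigit() or not 1 <= int(value) <= 65535:
        raise ValueError(f"rule {rule!r}: bad port {value!r}")
    return int(value)


def parse_forward_rules(text: str) -> list:
    """Parse the comma-separated list {tcp|udp}/listen-port/dest-ip:dest-port.

    Returns (proto, listen_port, dest_ip, dest_port) tuples and raises
    ValueError on the first malformed rule so a bad list never reaches the OVF.
    """
    rules = []
    for raw in text.split(","):
        rule = raw.strip()
        if not rule:
            continue
        parts = rule.split("/")
        if len(parts) != 3:
            raise ValueError(f"rule {rule!r}: expected proto/port/ip:port")
        proto, listen, dest = parts
        if proto not in ("tcp", "udp"):
            raise ValueError(f"rule {rule!r}: protocol must be tcp or udp")
        if ":" not in dest:
            raise ValueError(f"rule {rule!r}: destination needs ip:port")
        # Assumption: split on the last ':' so an IPv6 destination, with or
        # without [brackets], still separates cleanly from its port.
        dest_ip, dest_port = dest.rsplit(":", 1)
        dest_ip = dest_ip.strip("[]")
        ipaddress.ip_address(dest_ip)  # raises ValueError if not an address
        rules.append((proto, _port(listen, rule), dest_ip, _port(dest_port, rule)))
    return rules


def parse_dns_servers(text: str) -> list:
    """Space-separated IPv4/IPv6 addresses; every entry must parse as an IP."""
    servers = text.split()
    for server in servers:
        ipaddress.ip_address(server)
    return servers


def custom_config_to_network_file(text: str) -> str:
    """Render 'Section^Key=Value;Section^Key=Value' as systemd.network INI text,
    grouping keys under their section. The layout is this example's own; the
    page only states that the entries are systemd.network configuration."""
    sections = OrderedDict()
    for raw in text.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        if "^" not in entry or "=" not in entry:
            raise ValueError(f"entry {entry!r}: expected Section^Key=Value")
        section, key_value = entry.split("^", 1)
        key, value = key_value.split("=", 1)
        sections.setdefault(section.strip(), []).append(f"{key.strip()}={value.strip()}")
    lines = []
    for section, entries in sections.items():
        lines.append(f"[{section}]")
        lines.extend(entries)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # The page's own forward-rule example and DHCP^UseDNS=false entry.
    print(parse_forward_rules("tcp/5262/10.110.92.129:9443, tcp/5263/10.20.30.50:7443"))
    print(custom_config_to_network_file("DHCP^UseDNS=false"))
```

Running the checks against the values you intend to paste into the wizard catches a wrong protocol, a port out of range, a hostname where an IP is required, or a custom entry missing its ^ or = before the appliance is deployed.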
Unified Gateway Appliance name:
Enter the host name of the appliance for identification. If you do not enter any name, the system automatically generates the name.
Join CEIP:
Select Join the VMware Customer Experience Improvement Program to join CEIP or deselect the option to leave CEIP.
Password Options
OS Login Username:
Enter the username to access the local console of Unified Access Gateway. When configured, a new sudo privileged user with the given username is created and root login is disabled. Only a-z, 0-9, underscore (_) and hyphen (-) are allowed and the maximum length is 32.
Note: Leave this field blank to use the root user.
Password for OS login:
Enter the password for OS login. This password applies to either root or the custom user as configured in the OS Login Username field.
Password Expiration in days for the OS user:
Enter the password expiration policy for the OS user. If set to zero, the password never expires. The default value is 365 days.
Password policy minimum length:
Enter the minimum length of the password. The default value is 6.
Password policy for minimum character classes:
Enter the password policy for the minimum number (1, 2, 3, 4) of classes of character type (uppercase, lowercase, digit, others).
Password policy for maximum failed attempts:
Enter the maximum failed attempts allowed. The default value is 3.
Password policy for unlock time in seconds on maximum failed attempts:
Enter the time in seconds to unlock the password when you have reached the maximum failed attempts. The default value is 900.
Session idle timeout for OS user in seconds:
Enter the session idle timeout for the OS user. The range is 30-3600 seconds. Session expiry is disabled if this is set to zero (0). The default value is 300.
Maximum limit on concurrent login sessions for sudo user:
Enter the maximum limit on concurrent login sessions for the sudo user. If the sudo user is not configured, this setting is ignored. The default value is 10 and the minimum configurable is 1. There is no maximum limit.
Password for the admin user, which enables REST API access
Admin password policy for minimum length:
Enter the minimum length of the admin password. The default value is 6.
Admin password policy for maximum failed attempts:
Enter the maximum failed attempts allowed. The default value is 3.
Admin password policy for unlock time in seconds on maximum failed attempts:
Enter the time in seconds to unlock the admin password when you have reached the maximum failed attempts. The default value is 900.
Admin session idle timeout for OS user in seconds:
Enter the session idle timeout for the admin. The default value is 10 and the maximum is 1440 minutes.
Maximum concurrent sessions for admin console users:
Enter the maximum limit on concurrent login sessions for the admin. The default value is 5 and the maximum value is 50. When the maximum session count is exceeded for a user, the least recently used session is expired.
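The OS-user and admin password options above describe the same small set of controls: a username character rule, a minimum length and minimum number of character classes, a failed-attempt limit with an unlock time, and a concurrent-session cap that expires the least recently used session. The following Python is an added example, not the appliance's implementation, that models each of those controls so the interaction of the settings can be tried out; the wizard defaults (length 6, 3 attempts, 900 seconds, 5 admin sessions) are used as defaults. How the appliance counts failures and measures the unlock time is not stated on the page, so the model here (consecutive failures, timer started at the failure that locked the account) is an assumption, as is the injectable clock used for testing.

```python
import re
import time
from collections import OrderedDict

# OS Login Username rule from the wizard: only a-z, 0-9, '_' and '-', max 32.
USERNAME_RE = re.compile(r"[a-z0-9_-]{1,32}")


def valid_os_username(name: str) -> bool:
    """True if the name satisfies the documented character set and length."""
    return USERNAME_RE.fullmatch(name) is not None


def character_classes(password: str) -> int:
    """Count the classes present out of the four the wizard names:
    uppercase, lowercase, digit and 'others' (anything non-alphanumeric)."""
    present = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(present)


def check_password(password: str, min_length: int = 6, min_classes: int = 1) -> list:
    """Return the violated rules; an empty list means the policy is met."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(password) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    return problems


class LockoutPolicy:
    """'Maximum failed attempts' plus 'unlock time in seconds'.
    Assumption: consecutive failures are counted and the unlock timer starts
    at the failure that triggered the lock (the page does not say)."""

    def __init__(self, max_failed=3, unlock_seconds=900, clock=None):
        self.max_failed = max_failed
        self.unlock_seconds = unlock_seconds
        self.clock = clock or time.monotonic  # injectable so tests can fake time
        self.failures = 0
        self.locked_at = None

    def is_locked(self) -> bool:
        if self.locked_at is None:
            return False
        if self.clock() - self.locked_at >= self.unlock_seconds:
            self.locked_at, self.failures = None, 0  # unlock time has elapsed
            return False
        return True

    def attempt(self, success: bool) -> str:
        """Record one login attempt; returns 'ok', 'denied' or 'locked'."""
        if self.is_locked():
            return "locked"
        if success:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failed:
            self.locked_at = self.clock()
            return "locked"
        return "denied"


class SessionTable:
    """'Maximum concurrent sessions': opening one session beyond the cap
    expires the least recently used one, as the admin option describes."""

    def __init__(self, max_sessions=5):
        self.max_sessions = max_sessions
        self.sessions = OrderedDict()  # oldest activity first

    def open(self, session_id: str) -> list:
        """Register a session; returns the ids expired to stay under the cap."""
        self.sessions[session_id] = True
        self.sessions.move_to_end(session_id)
        expired = []
        while len(self.sessions) > self.max_sessions:
            expired.append(self.sessions.popitem(last=False)[0])
        return expired

    def touch(self, session_id: str) -> None:
        """Mark activity on a session so it becomes the most recently used."""
        if session_id in self.sessions:
            self.sessions.move_to_end(session_id)

    def active(self) -> list:
        return list(self.sessions)


if __name__ == "__main__":
    print(valid_os_username("uag-admin"), check_password("Uag!2024", 8, 3))
    table = SessionTable(max_sessions=2)
    table.open("a"), table.open("b")
    print(table.open("c"))  # 'a' is the least recently used and is expired
```

Raising the minimum character classes to 4 with a longer minimum length is the change an operator would make after deployment when DISA STIG compliance is not enabled; the checker makes it easy to confirm that a proposed password actually satisfies the chosen combination.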
Compliance
Enable DISA STIG compliance:
Sets the OS configuration to comply with the current Photon OS 3.0 DISA STIG Readiness Guidelines. Select this check box to automatically configure password complexity and other STIG requirements.
Note: This setting should be used with the FIPS version when DISA STIG OS compliance is required.
System Properties
Enable SSH:
Option to enable SSH for accessing the Unified Access Gateway virtual machine.
Allow SSH root login using password:
Option to access the Unified Access Gateway virtual machine by using an SSH root login and password. By default, the value of this option is true.
Allow SSH login using key pair:
Option to access the Unified Access Gateway virtual machine by using an SSH root login and public-private key pairs. By default, this value is false. The Unified Access Gateway Admin UI has a field, SSH Public Keys, where an administrator can upload public keys to allow the configured or the root user access to Unified Access Gateway when using the public-private key pair option. For this field to be available on the Admin UI, the value of this option and Enable SSH must be true at the time of deployment itself. If either of these options is not true, the SSH Public Keys field is not available on the Admin UI. The SSH Public Keys field is an advanced system setting in the Admin UI. See Configure Unified Access Gateway System Settings.
Login Shell Banner Text:
Option to customize the banner text displayed when logging into Unified Access Gateway using SSH or the vSphere Client's Web Console. This option can be configured only at the time of deployment. If you do not configure this option, the default text is displayed: VMware EUC Unified Access Gateway. Only ASCII characters are supported in the customized text. For multi-line banner texts, \n must be used as the line separator.
Note: When Unified Access Gateway is deployed using the OVF template and the login banner text is configured, at the first launch of Unified Access Gateway, the vSphere Client's Web Console displays the default banner text and the customized banner text is ignored. On subsequent launches, the customized banner text is displayed.
SSH Interface:
Configure the network interface on which SSH login is enabled. By default, SSH is enabled on all the interfaces. The supported values are eth0, eth1, and eth2, depending on the configuration.
SSH Port:
Configure the port on which SSH is enabled. The default value is 22.
Commands to Run During First Boot:
Enter a semicolon-separated list of commands in plain-text or base64 encoded format to run during the first boot of Unified Access Gateway. The maximum size is 8kB. For more information, see Configurable Boot Time Commands for First Boot and Every Boot.
Commands to Run During Every Boot:
Enter a semicolon-separated list of commands in plain-text or base64 encoded format to run during every boot of Unified Access Gateway. The maximum size is 8kB. For more information, see Configurable Boot Time Commands for First Boot and Every Boot.
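Because the boot command lists run with appliance privileges at every boot, and base64 entries hide the command text from anyone reading the OVF properties, a change reviewer should see the decoded commands and confirm the list stays within the 8kB limit. The following Python is an added example (not part of the original page or the appliance's own code) that does exactly that for a constructed list mixing a plain-text entry and a base64 entry. The page does not say how the appliance tells plain text from base64, so the heuristic here (an entry is base64 only if it decodes under strict validation to printable UTF-8 text) and the reading of 8kB as 8192 bytes are this example's assumptions.

```python
import base64
import binascii

# "Maximum size is 8kB" in the wizard text; 8 * 1024 bytes is this example's
# reading of that limit.
MAX_BYTES = 8 * 1024

# Constructed sample: one plain-text entry and one base64 entry
# ("systemctl enable sshd"), separated by a semicolon as the wizard expects.
SAMPLE_COMMANDS = "echo first boot;c3lzdGVtY3RsIGVuYWJsZSBzc2hk"


def decode_entry(entry: str) -> tuple:
    """Classify one entry as ('base64', decoded_text) or ('plain', text).

    Heuristic of this example, not the appliance's documented rule: an entry
    counts as base64 only if strict decoding yields non-empty printable text.
    """
    stripped = entry.strip()
    try:
        decoded = base64.b64decode(stripped, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):  # bad alphabet, padding, or not UTF-8
        return ("plain", stripped)
    if decoded and all(ch.isprintable() or ch in "\n\t" for ch in decoded):
        return ("base64", decoded)
    return ("plain", stripped)


def review_boot_commands(text: str) -> list:
    """Enforce the size limit and return every command that would run, with
    base64 entries decoded so the reviewer sees the real command text."""
    size = len(text.encode("utf-8"))
    if size > MAX_BYTES:
        raise ValueError(f"command list is {size} bytes, above the {MAX_BYTES}-byte limit")
    return [decode_entry(entry) for entry in text.split(";") if entry.strip()]


if __name__ == "__main__":
    for kind, command in review_boot_commands(SAMPLE_COMMANDS):
        print(f"{kind:7} {command}")
```

Keeping the decoded output of this check alongside the OVF property in the change record gives the same visibility for every-boot commands that a reviewer would expect for any other persistent startup script on the appliance.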
SecureRandom Source:
Allows you to configure the secure random bit generator source used by Java processes for cryptographic functions. This option can be configured only at the time of deployment. Supported values are /dev/random and /dev/urandom. By default, /dev/random is used in non-FIPS mode and /dev/urandom is used in FIPS mode.