Occasionally, VMware might authorize the update of one or more OS packages to rectify a critical vulnerability that affects a specific version of Unified Access Gateway and for which no viable workaround is available.

You can configure Unified Access Gateway to automatically fetch and apply any authorized Photon OS package that is available for the Unified Access Gateway version deployed in your environment. These updates are then fetched and applied when the appliance is next booted.

In earlier versions, such critical updates were performed manually using the tdnf command based on the guidance provided by VMware Global Support Services.

In the Appliance Updates Settings section, you can select how often updates are applied, such as on the next reboot or on every reboot of the Unified Access Gateway appliance.
Note: Updates are applied to the Unified Access Gateway appliance only during boot cycles that occur after you configure the desired updates scheme on this page.

Procedure

  1. Log in to the Admin UI and in the Configure Manually section, click Select.
  2. Go to Advanced Settings > Appliance Updates Settings and click the gearbox icon.
  3. In the Appliance Updates Settings window, enter the following information:
    Configuration Setting: Apply Updates Scheme
    Action: Select the frequency at which the Photon OS and Unified Access Gateway updates can be fetched and applied to Unified Access Gateway.

    By default, the updates scheme is Don’t apply updates.

    Important: If you select the Apply updates on next boot scheme, then after the updates are applied at the next immediate reboot of Unified Access Gateway, the scheme is automatically set back to the default value.

    Configuration Setting: OS Updates URL
    Action: Enter the location of the repository from which the Photon OS packages are fetched and applied to the Unified Access Gateway appliance.

    By default, the value of this text box is https://packages.vmware.com/photon. You can either use the default value or provide a URL to your custom repository by mirroring the default VMware repository. The files in a mirrored repository must not be changed.

    The value of this text box must be an absolute URL, which can either be an IP address or hostname prefixed with https.

    Note: If you provide your custom URL for OS updates, the settings get applied after a maximum of one minute.

    Configuration Setting: Appliance Updates URL
    Action: Enter the location of the repository from which the Unified Access Gateway authorized OS packages list is fetched and applied to the Unified Access Gateway appliance.

    By default, the value of this text box is https://packages.vmware.com/uag. You can either use the default value or provide a URL to your custom repository by mirroring the default VMware repository. The files in a mirrored repository must not be changed.

    The value of this text box must be an absolute URL, which can either be an IP address or hostname prefixed with https.

    Note: If you provide your custom URL for appliance updates, the settings get applied after a maximum of one minute.

    Configuration Setting: Trusted Certificates
    Action:

    Note: Normally, it is not necessary to specify the trusted certificates because https://packages.vmware.com uses a trusted certificate. This setting is only required if you are connecting to a local repository that does not use a certificate issued by a trusted CA.

    • To select a certificate in PEM format and add it to the trust store, click +.
    • To provide a different name, edit the alias text box.

      By default, the alias name is the filename of the PEM certificate.

    • To remove a certificate from the trust store, click -.
  4. Click Save.
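
The requirement in step 3 that the files in a mirrored repository must not be changed can be checked before the OS Updates URL is pointed at a mirror. The following Python code is an added example, not VMware code: it checks the repository metadata of a mirror held on local disk. It assumes the mirror is a standard RPM repository with repodata/repomd.xml (the layout tdnf reads) and that the SHA-256 of the upstream repomd.xml was obtained separately; check_mirror and build_sample_mirror are hypothetical names, and the sample repository is constructed.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"r": "http://linux.duke.edu/metadata/repo"}  # repomd.xml namespace

def check_mirror(repo_root, upstream_repomd_sha256):
    """Return (path, problem) pairs for mirror files that differ from upstream."""
    root = Path(repo_root).resolve()
    repomd = root / "repodata" / "repomd.xml"
    problems = []
    # 1. repomd.xml must be byte-identical to the upstream copy.
    if hashlib.sha256(repomd.read_bytes()).hexdigest() != upstream_repomd_sha256:
        problems.append(("repodata/repomd.xml", "differs from upstream"))
    # 2. Every metadata file it lists must match its recorded checksum.
    for data in ET.parse(repomd).getroot().findall("r:data", NS):
        href = data.find("r:location", NS).get("href")
        cks = data.find("r:checksum", NS)
        algo = "sha1" if cks.get("type") == "sha" else cks.get("type")
        target = (root / href).resolve()
        if root not in target.parents:  # href must stay inside the mirror
            problems.append((href, "path escapes repository"))
        elif not target.is_file():
            problems.append((href, "missing"))
        elif hashlib.new(algo, target.read_bytes()).hexdigest() != cks.text.strip():
            problems.append((href, "checksum mismatch"))
    return problems

def build_sample_mirror(directory):
    """Constructed sample: a one-file repository; returns the repomd.xml SHA-256."""
    repodata = Path(directory) / "repodata"
    repodata.mkdir(parents=True)
    primary = b"constructed primary metadata"
    (repodata / "primary.xml.gz").write_bytes(primary)
    xml = (
        '<repomd xmlns="http://linux.duke.edu/metadata/repo">'
        '<data type="primary"><checksum type="sha256">%s</checksum>'
        '<location href="repodata/primary.xml.gz"/></data></repomd>'
        % hashlib.sha256(primary).hexdigest()
    ).encode()
    (repodata / "repomd.xml").write_bytes(xml)
    return hashlib.sha256(xml).hexdigest()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        digest = build_sample_mirror(tmp)
        print(check_mirror(tmp, digest))  # unmodified mirror
        (Path(tmp) / "repodata" / "primary.xml.gz").write_bytes(b"changed")
        print(check_mirror(tmp, digest))  # modified metadata file
```

An empty result means the repository metadata matches upstream; the packages themselves are not hashed by this check.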

Results

After the updates are applied, the Unified Access Gateway appliance is rebooted and a package-updates.log file is generated. This log file is available in the UAG-log-archive.zip. You can use the package-updates.log file to check the status of the update and for troubleshooting.

For information about accessing UAG-log-archive.zip from the Admin UI, see Collecting Logs from the Unified Access Gateway Appliance.