PowerShell Parameters for Deploying Unified Access Gateway

Unified Access Gateway can be deployed either by using the vSphere Web Client or PowerShell scripts. In either method, you must configure some parameters for the deployment. The information provided here helps you understand some of the configuration parameters that are used during the PowerShell deployment.

Configuration Parameter	Description
osLoginUsername	This setting is present in the [General] section of the .ini file. Enter a customized username of the high privilege user during Unified Access Gateway deployment. Maximum length of the username is `32` characters and can be a combination of `a-z`, `0-9`, underscore `_` and, hyphen `-`. When this user is configured, the root login is deactivated.
osMaxLoginLimit	This setting is present in the [General] section of the .ini file. Allows you to configure the limit on concurrent logins of Unified Access Gateway local console using high privileged non-root user. The default value is `10`. Note: This configuration is effective only when non-root user (osLoginUsername) is configured for Unified Access Gateway local console login. There is no limit on the concurrent logins of root user.
sshEnabled	This setting is present in the [General] section of the .ini file. When set to `true`, this parameter automatically enables SSH access on the deployed appliance. When sent to `false`, SSH is not enabled. Note: VMware does not generally recommend enabling SSH on Unified Access Gateway except in certain specific situations and where access can be restricted. If root console access is required for Amazon AWS EC2 deployments, SSH can be enabled. For more information on Amazon AWS EC2, see Unified Access Gateway PowerShell Deployment to Amazon Web Services at VMware Docs. Enabling SSH access on Unified Access Gateway deployments for vSphere, Hyper-V, or Microsoft Azure is not generally required as console access with those platforms can be used. In cases where SSH is enabled, TCP port 22 access must be restricted in firewalls or security groups to source IP addresses of individual administrators. EC2 supports this restriction in the EC2 Security Group associated with the Unified Access Gateway network interfaces.
sshPort	This setting is present in the [General] section of the `.ini` file. Configure the port on which SSH is enabled. The default value is `22`.
sshInterface	This setting is present in the [General] section of the `.ini` file. Configure the network interface on which SSH login is enabled. By default, SSH is enabled on all the interfaces. The supported values are `eth0`, `eth1`, and `eth2` based on the configuration.
syslogType	Enables syslog configuration.
Custom configuration setting	The custom configuration values that must be added to the systemd.network files can be provided in the following format: SectionName^Parameter=`Value`. An example of a custom configuration entry is DHCP^UseDNS=`false`. This value, when used, disables the usage of DNS IP addresses provided by the DHCP server. Using the same format, you can add multiple such systemd.network configuration entries separated by semi-colons. Example of custom configuration values for the eth (0,1, and 2) is included in the General section of the sample .ini file.
rootSessionIdleTimeoutSeconds	Duration (in seconds) for which the Unified Access Gateway console session has been idle. After this timeout, the console logs out automatically. Default value of this parameter when logging into Unified Access Gateway using SSH on Microsoft Azure is `180` seconds, and `300` seconds for other platforms. For Serial console session, the default value is `900` seconds. The maximum value of this parameter is `3600` seconds.
rootPasswordExpirationDays	Password expiration policy for the root users. The default password expiration time is `365 days`. To prevent password expiry, the expiration time can be set to `0`.
passwordPolicyMinLen	Minimum length of the root user password. The default value of this parameter is `6`. The maximum value of this parameter is `64`.
passwordPolicyMinClass	Minimum number of classes of character types that can be used to configure the root password complexity. The classes of character types are as follows: uppercase, lowercase, digits, and others. The default value is `1`. This parameter can be configured with the following values: `1`, `2`, `3`, and `4`. If the parameter has the default value, then you can use characters from all the four classes. If the parameter value is `1`, then you can use characters from any one of the classes.
passwordPolicyFailedLockout	Number of failed login attempts allowed for the root user to access the Unified Access Gateway console. The default value is `3`.
passwordPolicyUnlockTime	Duration for which the Unified Access Gateway console is locked out after the configured number of failed login attempts by the root user. After the lockout, the Unified Access Gateway console is unlocked and the root user can access the console. The default value is `900` seconds.
adminpasswordPolicyMinLen	Minimum length of the admin user password. The default value of this parameter is `8`. The maximum value of this parameter is `64`.
adminpasswordPolicyFailedLockoutCount	Number of failed login attempts allowed for the admin user to access the Unified Access Gateway admin UI. The default value is `3`.
adminpasswordPolicyUnlockTime	Duration (in minutes) for which the Unified Access Gateway admin UI is locked out after the configured number of failed login attempts by the admin user. After the lockout, the Unified Access Gateway admin UI is unlocked and the admin user can access the UI. The default value is `5` minutes.
adminSessionIdleTimeoutMinutes	Duration (in minutes) for which the Unified Access Gateway admin UI session has been idle. After this timeout, the admin UI logs out automatically. The default value is `10` minutes. The maximum value is `1440` minutes. If the parameter value is `0`, the session does not expire even though in idle state.
adminMaxConcurrentSessions	This setting is present in the [General] section of the .ini file. Allows you to configure limit on concurrent admin sessions. The default value is `5`. The supported range is `1-50`. When this value is set to `1`, no concurrent sessions are allowed. If you want to create a new session when the number of concurrent sessions already hit the limit, the system will invalidate the least recently used session.
sshLoginBannerText	Option to customize the banner text displayed when logging into Unified Access Gateway using SSH or the vSphere Client's Web Console. This option can be configured only at the time of deployment. If you do not configure this parameter, the default text displayed is VMware EUC Unified Access Gateway. Only ASCII characters are supported in the customized text. For multi-line banner texts, `\n` must be used as the line separator.
secureRandomSource	Allows you to configure the secure random bit generator source used by Java processes for cryptographic functions. This option can be configured only at the time of deployment. Supported values are: `/dev/random` and `/dev/urandom`. By default, `/dev/random` is used in the non-FIPS mode and `/dev/urandom` is used in the FIPS mode.
dsComplianceOS	This setting is present in the [General] section of the `.ini` file. Default value is `false`. When set to `true`, this Boolean flag sets the OS configuration to comply with the current Photon OS 3.0 DISA STIG Readiness Guide. The password complexity and other STIG requirements are automatically configured. Note: This setting must be used with the FIPS version when DISA STIG OS compliance is required.