Zero downtime upgrade enables you to upgrade Unified Access Gateway with no downtime for the users.

When the quiesce mode value is YES, the Unified Access Gateway appliance is shown as not available when the load balancer checks the health of the appliance. Requests that come to the load balancer are sent to the next Unified Access Gateway appliance that is behind the load balancer.

Prerequisites

  • Two or more Unified Access Gateway appliances configured behind the load balancer.

  • The Health Check URL setting configured with a URL that the load balancer connects to check the health of Unified Access Gateway appliance.

  • Check the health of the appliance in the load balancer. Type the REST API command GET https://mycoUnifiedAccessGateway.com:443/favicon.ico.

    The response is HTTP/1.1 200 OK, if the Quiesce Mode is set to No, or HTTP/1.1 503, if the Quiesce Mode is set to Yes.

    Note:
    • Do not use any other URL other than GET https://mycoUnifiedAccessGateway.com:443/favicon.ico. Doing so will lead to incorrect status response and resource leaks.

    • favicon.ico is not supported for Content Gateway and VMware Tunnel services.

Procedure

  1. In the admin UI Configure Manually section, click Select.
  2. In the Advanced Settings section, click the System Configuration gearbox icon.
  3. In the Quiesce Mode row, enable YES to pause the Unified Access Gateway appliance.

    When the appliance is stopped, existing sessions that the appliance is serving are honored for 10 hours, after which the sessions are closed.

  4. Click Save.

    New requests that come to the load balancer are sent to the next Unified Access Gateway appliance.

What to do next

  • For a vSphere deployment:

    1. Back up the JSON file by exporting the file.

    2. Delete the old Unified Access Gateway appliance in Quiesce Mode.

    3. Deploy the new version of Unified Access Gateway appliance.

    4. Import the JSON file you exported earlier.

  • For a PowerShell deployment:

    1. Delete the Unified Access Gateway appliance in Quiesce Mode.

    2. Redeploy the Unified Access Gateway with the same INI file that was used during the first deployment. See Using PowerShell to Deploy the Unified Access Gateway Appliance.

Note:

If you see a Tunnel Server certificate error message after re-enabling the load balancer, apply the same SSL server certificate and private key PEM files that was used earlier on the Unified Access Gateway appliance. This is required because the JSON or INI file cannot contain private keys associated with an SSL server certificate since private keys cannot be exported, due to security reasons. With a PowerShell deployment, it is done automatically and you do not need to reapply the certificate.