PowerShell scripts prepare your environment with all the configuration settings. When you run the PowerShell script to deploy Unified Access Gateway, the solution is ready for production on first system boot.
However, neither the Admin UI nor the API is available if the Admin UI password is not provided during deployment.
- If you do not provide the Admin UI password at the time of deployment, you cannot add a user later to enable access to either the Admin UI or the API. You must redeploy your Unified Access Gateway instance with a valid password if you want to add an Admin UI user.
- Unified Access Gateway 3.5 and later includes an optional sshEnabled INI property. Setting sshEnabled=true in the [General] section of the PowerShell INI file automatically enables ssh access on the deployed appliance. VMware does not generally recommend enabling ssh on Unified Access Gateway except in certain specific situations and where access can be restricted. This capability is mainly intended for Amazon AWS EC2 deployments where an alternative console access is not available. If sshEnabled=true is not specified or is set to false, ssh is not enabled. ssh access on Unified Access Gateway for vSphere, Hyper-V or Microsoft Azure deployments is not generally required, as console access with those platforms can be used. If root console access is required for an Amazon AWS EC2 deployment, then set sshEnabled=true. In cases where ssh is enabled, TCP port 22 access must be restricted in firewalls or security groups to the source IP addresses of individual administrators. EC2 supports this restriction in the EC2 Security Group associated with the Unified Access Gateway network interfaces.
- For a Hyper-V deployment, and if you are upgrading Unified Access Gateway with static IP, delete the older appliance before deploying the newer instance of Unified Access Gateway.
- Verify that the system requirements are appropriate and available for use.
This is a sample script to deploy Unified Access Gateway in your environment.
- Download the Unified Access Gateway OVA from My VMware to your Windows machine.
- Download the uagdeploy-XXX.zip files into a folder on the Windows machine.
The ZIP files are available at https://communities.vmware.com/docs/DOC-30835.
- Open a PowerShell script and modify the directory to the location of your script.
- Create an INI configuration file for the Unified Access Gateway virtual appliance.
For example: Deploy a new Unified Access Gateway appliance AP1. The configuration file is named ap1.ini. This file contains all the configuration settings for AP1. You can use the sample INI files in the apdeploy.ZIP file to create the INI file and modify the settings appropriately.
Note: You can have unique INI files for multiple Unified Access Gateway deployments in your environment. You must change the IP addresses and the name parameters in the INI file appropriately to deploy multiple appliances.
Example of the INI file to modify:
[General]
netManagementNetwork=
netInternet=
netBackendNetwork=
name=
dns=10.112.64.1
ip0=10.108.120.119
diskMode=
source=
defaultGateway=10.108.120.125
target=
ds=
authenticationTimeout=300000
fipsEnabled=false
uagName=trustedcert
locale=en_US
ipModeforNIC3=DHCPV4_DHCPV6
tls12Enabled=true
ipMode=DHCPV4_DHCPV6
requestTimeoutMsec=10000
ipModeforNIC2=DHCPV4_DHCPV6
tls11Enabled=true
clientConnectionIdleTimeout=180
tls10Enabled=false
adminCertRolledBack=false
honorCipherOrder=false
cookiesToBeCached=none
healthCheckUrl=/favicon.ico
quiesceMode=false
isCiphersSetByUser=false
tlsPortSharingEnabled=true
ceipEnabled=true
bodyReceiveTimeoutMsec=15000
monitorInterval=60
cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
adminPasswordExpirationDays=90
httpConnectionTimeout=120
isTLS11SetByUser=false
sessionTimeout=36000000
ssl30Enabled=false
[WebReverseProxy1]
proxyDestinationUrl=https://10.108.120.21
trustedCert1=
instanceId=view
healthCheckUrl=/favicon.ico
userNameHeader=AccessPoint-User-ID
proxyPattern=/(.*)
landingPagePath=/
hostEntry1=10.108.120.21 HZNView.uagqe.auto.com
[Horizon]
proxyDestinationUrl=https://enterViewConnectionServerUrl
trustedCert1=
gatewayLocation=external
disableHtmlAccess=false
healthCheckUrl=/favicon.ico
proxyDestinationIPSupport=IPV4
smartCardHintPrompt=false
queryBrokerInterval=300
proxyPattern=(/|/view-client(.*)|/portal(.*)|/appblast(.*))
matchWindowsUserName=false
windowsSSOEnabled=false
[SSLCert]
pemPrivKey=
pemCerts=
pfxCerts=
pfxCertAlias=
[SSLCertAdmin]
pemPrivKey=
pemCerts=
pfxCerts=
pfxCertAlias=
- To make sure that the script execution is successful, type the PowerShell command set-executionpolicy -scope currentuser unrestricted. You must run this command once, and only if the execution policy is currently restricted.
- (Optional) If there is a warning for the script, run the following command to unblock the warning: unblock-file -path .\uagdeploy.ps1
- Run the command to start the deployment. If you do not specify the .INI file, the script defaults to ap.ini.
.\uagdeploy.ps1 -iniFile uag1.ini
- Enter the credentials when prompted and complete the script.
Note: If you are prompted to add the fingerprint for the target machine, enter yes. The Unified Access Gateway appliance is deployed and available for production.
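A pre-flight check to run over one or more INI files before starting uagdeploy.ps1, as an added PowerShell example (not VMware's script and not part of the original page): it parses the [General] section, flags sshEnabled=true so the TCP port 22 restriction is not forgotten, flags ssl30Enabled or tls10Enabled turned back on from the sample's false, and reports a name or ip0 reused across several INI files. The key names are the ones from the sample INI above; the Read-UagIni and Test-UagIni functions are this example's own.

```powershell
# Pre-flight lint for uagdeploy INI files (added example, not VMware's uagdeploy.ps1).
# Assumes the [General] keys shown in the sample INI (name, ip0, sshEnabled, tls10Enabled, ssl30Enabled).
param([Parameter(Mandatory = $true)][string[]]$IniFile)

function Read-UagIni {
    param([string]$Path)
    $ini = @{}
    $section = ''
    foreach ($line in Get-Content -Path $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith(';')) { continue }
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        $parts = $t -split '=', 2
        if ($section -ne '' -and $parts.Count -eq 2) { $ini[$section][$parts[0].Trim()] = $parts[1].Trim() }
    }
    return $ini
}

function Test-UagIni {
    param([string]$Path)
    $g = (Read-UagIni -Path $Path)['General']
    if (-not $g) { return @("$Path : missing [General] section") }
    $problems = @()
    if (-not $g['name']) { $problems += "$Path : [General] name is empty; each appliance needs its own name" }
    # ssh is intended only for EC2, where no console exists; flag it so it is a deliberate choice
    if ($g['sshEnabled'] -eq 'true') {
        $problems += "$Path : sshEnabled=true; restrict TCP/22 to individual administrator source IPs"
    }
    # The sample INI ships with these legacy protocols off; do not let an edit turn them back on
    foreach ($key in 'ssl30Enabled', 'tls10Enabled') {
        if ($g[$key] -eq 'true') { $problems += "$Path : [General] $key=true re-enables a legacy protocol" }
    }
    return $problems
}

# Check each file, then check that name and ip0 are unique across the whole set of files
$findings = @()
$seen = @{}
foreach ($f in $IniFile) {
    $findings += @(Test-UagIni -Path $f)
    $g = (Read-UagIni -Path $f)['General']
    foreach ($key in 'name', 'ip0') {
        if (-not $g -or -not $g[$key]) { continue }
        $id = "$key=$($g[$key])"
        if ($seen.ContainsKey($id)) { $findings += "$f : $id is also used in $($seen[$id])" }
        else { $seen[$id] = $f }
    }
}
if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'INI pre-flight passed; run .\uagdeploy.ps1 -iniFile <file> for each appliance'
```

Run it as .\Test-UagIni.ps1 -IniFile ap1.ini, ap2.ini from the folder that holds the INI files; a non-zero exit code means at least one finding was reported.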
What to do next
[General]
name=UAG1
source=C:\temp\euc-unified-access-gateway-3.2.1-7766089_OVF10.ova
If you want to upgrade with zero service interruption, see Upgrade with Zero Downtime.