You can configure the security protocols and cryptographic algorithms that are used to encrypt communications between clients and the Unified Access Gateway appliance from the admin configuration pages.

Prerequisites

  • Review the Unified Access Gateway Deployment Properties. The following settings information is required:
    • Static IP address for the Unified Access Gateway appliance
    • IP Address of the DNS server
    • Password for the administration console
    • URL of the server instance or load balancer that the Unified Access Gateway appliance points to
    • Syslog server URL to save the event log files

Procedure

  1. In the admin UI Configure Manual section, click Select.
  2. In the Advanced Settings section, click the System Configuration gearbox icon.
  3. Edit the following Unified Access Gateway appliance configuration values.
    Each option is listed with its default value and description.

    UAG Name
    Unique UAG appliance name.

    Locale
    Specifies the locale to use when generating error messages.
    • en_US for American English. This is the default.
    • ja_JP for Japanese
    • fr_FR for French
    • de_DE for German
    • zh_CN for Simplified Chinese
    • zh_TW for Traditional Chinese
    • ko_KR for Korean
    • es for Spanish
    • pt_BR for Brazilian Portuguese
    • en_GB for British English

    Cipher Suites
    In most cases, the default settings do not need to be changed. These are the cryptographic algorithms that are used to encrypt communications between clients and the Unified Access Gateway appliance. The cipher settings work together with the security protocol settings that follow.

    TLS 1.0 Enabled
    Default is NO. Select YES to enable the TLS 1.0 security protocol.

    TLS 1.1 Enabled
    Default is NO. Select YES to enable the TLS 1.1 security protocol.

    TLS 1.2 Enabled
    Default is YES. The TLS 1.2 security protocol is enabled.

    Syslog Type
    Select the Syslog type from the drop-down list. The options are:
    • UDP: Syslog messages are sent over the network in plain text over UDP. This is the default option.
    • TLS: TLS encryption is added between the two syslog endpoints to keep the messages secured.
    Note: This is applicable for Unified Access Gateway 3.7 and later.

    Syslog URL
    This option is enabled when Syslog Type is set to UDP. Enter the Syslog server URL that is used for logging Unified Access Gateway events. This value can be a URL, a host name, or an IP address. If you do not set the syslog server URL, no events are logged.

    A maximum of two URLs can be provided, separated by a comma. Example: syslog://server1.example.com:514, syslog://server2.example.com:514

    By default, Content Gateway and Secure Email Gateway edge service events are logged. To log events on the syslog server for the Tunnel Gateway edge service configured on Unified Access Gateway, an administrator has to configure Syslog on the Workspace ONE UEM console with the following information: Syslog Hostname=localhost and Port=514

    For more information on Syslog on the Workspace ONE UEM console, see the Configure Per-App Tunnel topic of the VMware Tunnel for Linux documentation.

    Syslog Servers
    This option is enabled when Syslog Type is set to TLS. Enter the Syslog server URL that is used for logging Unified Access Gateway events. This value can be a URL, a host name, or an IP address. If you do not set the syslog server URL, no events are logged.

    A maximum of two URLs can be provided, separated by a comma. Example: syslog://server1.example.com:514, syslog://server2.example.com:514

    By default, Content Gateway and Secure Email Gateway edge service events are logged. To log events on the syslog server for the Tunnel Gateway edge service configured on Unified Access Gateway, an administrator has to configure Syslog on the Workspace ONE UEM console with the following information: Syslog Hostname=localhost and Port=514

    Note: This is applicable for Unified Access Gateway 3.7 and later.

    Syslog Audit URL
    Enter the Syslog server URL that is used for logging Unified Access Gateway audit events. This value can be a URL, a host name, or an IP address. If you do not set the syslog server URL, no audit events are logged.

    A maximum of two URLs can be provided, separated by a comma. Example: syslog://server1.example.com:514, syslog://server2.example.com:514

    CA Certificate
    This option is enabled when a Syslog server is added. Select a valid Syslog Certificate Authority certificate.

    Syslog client certificate
    Select a valid Syslog client certificate in the PEM format.

    Syslog client certificate key
    Select a valid Syslog client certificate key in the PEM format.
    Note: When Unified Access Gateway is deployed using PowerShell, if an invalid or expired certificate or key is provided, the admin UI instance will not be available.

    Health Check URL
    Enter a URL that the load balancer connects to in order to check the health of Unified Access Gateway.

    Cookies to be Cached
    The set of cookies that Unified Access Gateway caches. The default is none.

    IP Mode
    Select the static IP mode, either STATICV4 or STATICV6.

    Session Timeout
    Default value is 36000000 milliseconds.

    Quiesce Mode
    Select YES to pause the Unified Access Gateway appliance so that it reaches a consistent state in which maintenance tasks can be performed.

    Monitor Interval
    Default value is 60.

    Password Age
    Number of days the current administrator password is valid. The default is 90 days. Specify zero (0) if the password should never expire.

    Request Timeout
    Specify the request timeout in seconds. The default is 3000.

    Body Receive Timeout
    Specify the body receive timeout in seconds. The default is 5000.

    Maximum Connections per Session
    Maximum number of TCP connections allowed per TLS session. The default value is 16. For no limit on the allowed number of TCP connections, set the value of this field to 0.
    Note: A field value of 8 or lower causes errors in the Horizon Client.

    Client Connection Idle Timeout
    Specify the time (in seconds) a client connection can stay idle before the connection is closed. The default value is 360 seconds (6 minutes). A value of zero indicates that there is no idle timeout.

    Authentication Timeout
    The maximum wait time in milliseconds within which authentication must complete. The default is 300000. If 0 is specified, there is no time limit for authentication.

    Clock Skew Tolerance
    Enter the permitted time difference in seconds between a Unified Access Gateway clock and the other clocks on the same network. The default is 600 seconds.
    Join CEIP
    If enabled, sends Customer Experience Improvement Program ("CEIP") information to VMware. See Join or Leave the Customer Experience Improvement Program for details.

    Enable SNMP
    Toggle YES to enable the SNMP service. Simple Network Management Protocol collects system statistics, memory, and Tunnel edge service MIB information from Unified Access Gateway.
    Note: You must enable SNMP before configuring Tunnel. If you enable SNMP after configuring Tunnel, you must re-save the Tunnel settings for the SNMP settings to take effect.
    The available Management Information Base (MIB) modules are:
    • UCD-SNMP-MIB::systemStats
    • UCD-SNMP-MIB::memory
    • VMWARE-TUNNEL-SERVER-MIB::vmwTunnelServerMIB

    DNS
    Enter Domain Name System addresses that are added to the /run/systemd/resolve/resolv.conf configuration file. Each entry must be a valid DNS address. Click '+' to add a new DNS address.

    DNS Search
    Enter Domain Name System search entries that are added to the /etc/resolv.conf configuration file. Each entry must be a valid DNS search address. Click '+' to add a new DNS search entry.

    NTP Servers
    NTP servers for network time protocol synchronization. You can enter valid IP addresses and host names. Any per-interface NTP servers obtained from the systemd-networkd.service configuration or through DHCP take precedence over these settings. Click '+' to add a new NTP server.

    FallBack NTP Servers
    Fallback NTP servers for network time protocol synchronization. If NTP server information is not found, these fallback NTP server host names or IP addresses are used. Click '+' to add a new fallback NTP server.

    SSH Public Keys
    Upload public keys to enable root user access to Unified Access Gateway when using the public-private key pair option. Administrators can upload multiple, unique public keys to Unified Access Gateway.

    This field is visible on the Admin UI only when the following SSH options are set to true during deployment: Enable SSH and Allow SSH root login using key pair. For information about these options, see Deploy Unified Access Gateway Using the OVF Template Wizard.

  4. Click Save.
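After saving the TLS 1.0, TLS 1.1 and TLS 1.2 settings above, an administrator normally wants to confirm from a client that the gateway really refuses the disabled protocol versions. The following script is an added example, not code from VMware or the Unified Access Gateway product: it pins a TLS client to one protocol version at a time using Python's standard ssl module and reports which versions the server accepts, then compares that list with the policy the page's defaults express (only TLS 1.2 enabled). The host name uag.example.com and port 443 in the usage stanza are placeholders; the client's own OpenSSL build may be unable to offer TLS 1.0 or 1.1 at all, which the probe reports as None rather than as a refusal.

```python
import socket
import ssl

# Human-readable names mapped to the ssl module's protocol version constants.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}

# Policy matching the page's defaults: TLS 1.0 and 1.1 disabled, TLS 1.2 enabled.
# TLS 1.3 is listed as allowed here as an assumption for this example.
ALLOWED_BY_DEFAULT = ("TLS 1.2", "TLS 1.3")


def probe_version(host, port, version, timeout=5.0):
    """Attempt a handshake pinned to exactly one protocol version.

    Returns True if the server completes the handshake, False if the server
    (or the network) refuses it, and None if this client cannot offer the version.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # protocol support is under test here, not the chain
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Modern OpenSSL refuses to offer TLS 1.0/1.1 at its default security level;
        # lowering it lets a legacy protocol the server still accepts be detected.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ssl.SSLError, ValueError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe_all(host, port, timeout=5.0):
    """Probe every known protocol version and return {name: True/False/None}."""
    return {name: probe_version(host, port, ver, timeout) for name, ver in VERSIONS.items()}


def evaluate(results, allowed=ALLOWED_BY_DEFAULT):
    """Return the protocol versions the server accepted that the policy does not allow."""
    return [name for name, accepted in results.items() if accepted and name not in allowed]


def untestable(results):
    """Return the versions this client could not offer, so they are re-checked elsewhere."""
    return [name for name, accepted in results.items() if accepted is None]


if __name__ == "__main__":
    # Placeholder target; replace with your own appliance's address.
    found = probe_all("uag.example.com", 443)
    for name, accepted in found.items():
        state = {True: "accepted", False: "refused", None: "not testable from this client"}[accepted]
        print(f"{name}: {state}")
    violations = evaluate(found)
    print("policy violations:", violations or "none")
    if untestable(found):
        print("re-check from another client:", untestable(found))
```

A non-empty list from evaluate() means the appliance still negotiates a protocol version that the admin UI shows as disabled, which usually indicates the settings were not saved or a load balancer in front of the appliance is terminating TLS with its own configuration.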
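The Syslog URL, Syslog Servers and Syslog Audit URL fields above all accept the same value format: up to two comma-separated entries, each a syslog:// URL, a host name or an IP address. The parser below is an added example and not Unified Access Gateway's own validation logic; it enforces exactly the rules the page states and, as an assumption not given on the page, fills in port 514 (the port used in the page's own example) when an entry carries no port, so that a field value can be checked before it is pasted into the admin UI.

```python
import ipaddress
import re
from urllib.parse import urlsplit

MAX_TARGETS = 2        # the page allows a maximum of two URLs
DEFAULT_PORT = 514     # assumed default when an entry gives no port (matches the page's example)

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen, at most 63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_hostname(name):
    """True for a syntactically valid DNS host name."""
    name = name.rstrip(".")
    return 0 < len(name) <= 253 and all(_LABEL.match(label) for label in name.split("."))


def is_ip(text):
    """True for a valid IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_syslog_targets(field):
    """Parse a Syslog URL / Syslog Servers / Syslog Audit URL field value.

    Returns a list of (host, port) tuples. Raises ValueError when the field is
    empty, contains more than MAX_TARGETS entries, uses a scheme other than
    syslog://, or names something that is neither a host name nor an IP address.
    """
    entries = [e.strip() for e in field.split(",") if e.strip()]
    if not entries:
        raise ValueError("no syslog target given; the page notes that no events are logged in that case")
    if len(entries) > MAX_TARGETS:
        raise ValueError(f"at most {MAX_TARGETS} syslog targets are allowed, got {len(entries)}")

    targets = []
    for entry in entries:
        if "://" in entry:
            parts = urlsplit(entry)
            if parts.scheme != "syslog":
                raise ValueError(f"unsupported scheme in {entry!r}; expected syslog://")
            host = parts.hostname          # brackets are stripped from IPv6 literals
            port = parts.port              # raises ValueError for a non-numeric or out-of-range port
        else:
            host, port = entry, None
        if host is None or not (is_ip(host) or is_hostname(host)):
            raise ValueError(f"{entry!r} is not a valid host name or IP address")
        targets.append((host, port or DEFAULT_PORT))
    return targets


if __name__ == "__main__":
    # Constructed field values, including the example given on the page.
    for value in (
        "syslog://server1.example.com:514, syslog://server2.example.com:514",
        "10.0.0.5",
        "syslog://[2001:db8::1]:6514",
    ):
        print(value, "->", parse_syslog_targets(value))
```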
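The SSH Public Keys option above accepts multiple, unique public keys that grant root access, so each key is worth checking before upload: that it is an OpenSSH public key line and not a PEM block (a private key pasted by mistake would be the worst case), that its base64 blob decodes and embeds the same key type as its first field, and that the same key is not listed twice under different comments. This validator is an added example, not code from VMware or the appliance; the set of accepted key types is an assumption for the example, and the sample key is constructed from placeholder bytes rather than being a real key.

```python
import base64
import binascii
import struct

# Key types accepted by this validator (an assumption for the example; the page
# does not list which types Unified Access Gateway itself accepts).
ALLOWED_TYPES = {
    "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "ssh-rsa",
}


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_public_key_line(key_type, key_material, comment=""):
    """Build an OpenSSH public key line; used here only to construct sample input."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(key_material)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_public_key(line):
    """Validate one OpenSSH public key line and return (key_type, blob, comment).

    Raises ValueError for PEM blocks, malformed lines, unsupported key types,
    invalid base64, and blobs whose embedded type string does not match the
    leading type field.
    """
    line = line.strip()
    if line.startswith("-----BEGIN"):
        raise ValueError("PEM block supplied (possibly a private key); expected an OpenSSH public key line")
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, encoded = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("key blob is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + length]
    if len(embedded) != length or embedded != key_type.encode():
        raise ValueError("embedded key type does not match the type field")
    return key_type, blob, comment


def unique_public_keys(lines):
    """Validate every line and drop duplicates.

    Keys are compared by decoded blob, so the same key with a different comment
    still counts as one key. Returns a list of (key_type, comment) in input order.
    """
    seen = set()
    result = []
    for line in lines:
        key_type, blob, comment = parse_public_key(line)
        if blob in seen:
            continue
        seen.add(blob)
        result.append((key_type, comment))
    return result


# Constructed sample input: 32 placeholder bytes stand in for an Ed25519 public key.
SAMPLE_KEY = build_public_key_line("ssh-ed25519", bytes(range(32)), "admin@example.com")
SAMPLE_KEY_NO_COMMENT = build_public_key_line("ssh-ed25519", bytes(range(32)))

if __name__ == "__main__":
    print(unique_public_keys([SAMPLE_KEY, SAMPLE_KEY_NO_COMMENT]))
```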

What to do next

Configure the edge service settings for the components that Unified Access Gateway is deployed with. After the edge settings are configured, configure the authentication settings.