You can set up Unified Access Gateway for use in your environment.
For more information about Unified Access Gateway configuration, see VMware Unified Access Gateway documentation.
Procedure
- Download the Unified Access Gateway 3.2.0 OVA file.
Note: Use of other versions of Unified Access Gateway is not supported.
- Determine the IP addresses (DNS/Netmask/Gateway) for the required networks, as described below.
| Configuration | NIC | Network |
|---|---|---|
| 3 NIC (recommended configuration) | Internet (NIC 1) | Any network with internet access |
| | Management (NIC 2) | This can be your 169 network. Since this network does not have its own DNS or gateway, you can enter any numbers for DNS and set the netmask to 255.255.255.0 |
| | Backend (NIC 3) | Network that the Tenant uses for desktops |
| 2 NIC | Internet (NIC 1) | Network the Tenant is on |
| | Management (NIC 2) | This can be your 169 network. Since this network does not have its own DNS or gateway, you can enter any numbers for DNS and set the netmask to 255.255.255.0 |
| 1 NIC | Internet (NIC 1) | Network that the Tenant is on |

Note: If NIC 2 is present, the administration server (port 9443) that provides the REST APIs listens only on that NIC. This server is accessed by the "apsetup.sh" script used in Step 5 below. If NIC 2 is not present, the administration server listens on all of the interfaces.
- In the vSphere web client, follow the normal method for deploying a template. In the "Customize template" step, enter information as shown below.
Note: The fields below may not all appear, depending on your configuration, and may also appear in a different order than that shown below.
| Section | Field | Value |
|---|---|---|
| Networking Properties | External IP Address | Physical IP address of NIC 1. Note: If user access is via a NAT address, do not enter that address here. |
| | DNS server addresses | IP of the DNS server that the Unified Access Gateway will use to resolve hostnames. |
| | Management network IP Address | If the configuration is 3 NIC or 2 NIC, enter the Management network IP from the previous step. |
| | Backend network IP Address | If the configuration is 3 NIC, enter the Backend network IP from the previous step. |
| Password Options | Password for the root user of this VM | Initial password for the root user. This must be a valid Linux password. |
| | Password for the admin user, which enables REST API access | Password to be used for the REST API admin user. The password must be at least eight characters long and must contain at least one upper case letter, at least one lower case letter, at least one number, and at least one special character (!, @, #, etc.). |
| System Properties | Locale to use for localized messages | en_us |
| | Syslog server URL | Leave blank |
| Horizon Properties | Horizon server URL | Leave blank |
| | Horizon server thumbprints | Leave blank |

- When you have finished the deployment process, power on the VM and wait for the login screen to appear on the console.
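The addressing and password rules in the two tables above are easy to get wrong when filling in the template by hand. The following pre-deployment checker is an added example, not VMware documentation or product code; it encodes only what the procedure states (one IP, netmask, gateway and DNS value per NIC for the chosen 1, 2 or 3 NIC configuration; the External IP Address is the physical NIC 1 address rather than the NAT address; the REST API admin password is at least eight characters with upper case, lower case, a number and a special character). The role names, function names and all addresses and passwords are constructed assumptions for the example.

```python
"""Pre-deployment checks for a Unified Access Gateway network plan and REST API admin password.

Added example, not VMware documentation or product code. It encodes the rules the
procedure states: every NIC the chosen 1/2/3 NIC configuration needs has an IP,
netmask, gateway and DNS value; the template's External IP Address is the physical
NIC 1 address, not the NAT address; and the admin password is at least eight
characters with upper case, lower case, a number and a special character.
All addresses and passwords below are constructed sample values.
"""
import ipaddress
import string
from typing import Dict, List, Optional

# NIC roles each supported configuration requires, in template order (assumed role names).
REQUIRED_NICS = {
    1: ("internet",),
    2: ("internet", "management"),
    3: ("internet", "management", "backend"),
}


def check_admin_password(password: str) -> List[str]:
    """Return the policy rules the REST API admin password violates (empty means it passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    # "Special character" is taken here to mean any ASCII punctuation (!, @, #, ...).
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def check_network_plan(nic_count: int, nics: Dict[str, Dict[str, str]],
                       nat_ip: Optional[str] = None) -> List[str]:
    """Validate the per-NIC addressing for a 1, 2 or 3 NIC deployment.

    nics maps a role ("internet", "management", "backend") to its "ip",
    "netmask", "gateway" and "dns" values; nat_ip is the address users reach
    the gateway on, if any. Returns a list of findings; an empty list means
    the plan is consistent with the procedure.
    """
    required = REQUIRED_NICS.get(nic_count)
    if required is None:
        return [f"unsupported NIC count {nic_count}; use 1, 2 or 3"]
    findings = []
    for role in required:
        entry = nics.get(role)
        if entry is None:
            findings.append(f"{role} NIC is required for a {nic_count} NIC configuration")
            continue
        # The management network may be a 169 network with no real DNS or gateway,
        # so those values only have to be syntactically valid addresses.
        for key in ("ip", "gateway", "dns"):
            try:
                ipaddress.ip_address(entry.get(key))
            except ValueError:
                findings.append(f"{role} NIC: {key} is missing or not a valid IP address")
        # A non-contiguous or malformed netmask is rejected by ip_network.
        try:
            ipaddress.ip_network(f"{entry.get('ip')}/{entry.get('netmask')}", strict=False)
        except ValueError:
            findings.append(f"{role} NIC: netmask {entry.get('netmask')} is not valid for {entry.get('ip')}")
    for role in sorted(set(nics) - set(required)):
        findings.append(f"{role} NIC is not used in a {nic_count} NIC configuration")
    # The template's External IP Address must be the physical NIC 1 address.
    internet = nics.get("internet") or {}
    if nat_ip and internet.get("ip") == nat_ip:
        findings.append("external IP must be the physical NIC 1 address, not the NAT address")
    return findings


# Constructed 3 NIC plan using documentation (203.0.113.0/24), link-local and private ranges.
PLAN_3NIC = {
    "internet": {"ip": "203.0.113.10", "netmask": "255.255.255.0",
                 "gateway": "203.0.113.1", "dns": "203.0.113.2"},
    "management": {"ip": "169.254.10.5", "netmask": "255.255.255.0",
                   "gateway": "169.254.10.1", "dns": "169.254.10.1"},
    "backend": {"ip": "10.20.30.40", "netmask": "255.255.255.0",
                "gateway": "10.20.30.1", "dns": "10.20.30.2"},
}

if __name__ == "__main__":
    for finding in check_network_plan(3, PLAN_3NIC, nat_ip="198.51.100.7"):
        print("plan:", finding)
    for problem in check_admin_password("Uag-2024!x"):
        print("password:", problem)
```

Run it against your own plan before opening the vSphere template: an empty findings list for the plan and an empty problem list for the password mean the values match what the procedure asks for, and each finding names the NIC and field to correct.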
- On the tenant appliance, run the following command:
sudo /usr/local/desktone/scripts/apsetup.sh
- Enter yes or no to the initial two prompts, as described below.
| Prompt | Value |
|---|---|
| Do you want to setup this access point for internal access . . . : | Default value is no. If you enter anything other than y or yes, it defaults to no and the access point is configured for external connections in the DMZ network. In most cases you will use the external configuration. Enter yes to make this an internal access point so that the PCoIP traffic goes directly to the desktops, bypassing the access point. |
| Do you want to allow Horizon Air Helpdesk Console access . . . : | Enter yes to allow Helpdesk Console access through the access point, or no to not allow access. The Helpdesk Console is a console access tool that allows you to run health scans, provide remote assistance, and view history and audit information for each VM in your system. Note: This is a beta feature and is not supported at this time. For more information about trying this tool, please contact your deployment representative. |

- Enter the requested information for the Unified Access Gateway appliance:
| Prompt | Value |
|---|---|
| Admin Password: | Password for the admin user of the Unified Access Gateway. |
| Management IP: | This is the same address you entered above for Management network IP Address. |
| External IP: | The IP address for NIC 1 or the NAT IP address of NIC 1. |
| External Hostname [xx.xx.xx.xx]: | Default hostname shown in brackets. |
| External PCoIP Port [4172]: | Default PCoIP port shown in brackets: 4172. |
| External HTML Access Port [8443]: | Default HTML Access port shown in brackets: 8443. |
| External Tunnel Port [443]: | Default tunnel port shown in brackets: 443. |

The response status returned indicates whether the configuration was successful.

| Response status | Result |
|---|---|
| 200 | Configuration successful |
| 400 | Invalid input |
| 401 | Password incorrect. Confirm that the password matches the admin password configured during OVA deployment. |

- If dtRAM was in use on this environment previously, set the element.allocator.ram.use policy to false and remove the associated NAT and firewall rules.
- Configure NAT and firewall rules to allow access to the Unified Access Gateway appliance through the Internet network.
Note: When you are using an edge gateway load balancer, the NAT rules for ports 80 and 443 are not required. These ports are forwarded automatically.

| Port | Usage |
|---|---|
| 4172/tcp, 4172/udp | PCoIP desktop access protocol |
| 8443/tcp | HTML desktop access protocol |
| 443/tcp | Secure web portal access |
| 80/tcp | Insecure web portal access (redirected to 443) |
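The port table above, together with the earlier note that the administration server on port 9443 listens only on NIC 2 when that NIC exists, gives a precise picture of what should be reachable on each address of a deployed appliance. The following audit script is an added example, not VMware documentation or product code; it compares a socket listing against those expectations and reports anything missing, anything extra on the external address, and an administration server bound to more than the management IP. The two listings are constructed in the shape of `ss -ltun` output and are not captured from a real appliance; the addresses, function names and the assumption that the appliance provides `ss` are all the example's own.

```python
"""Post-deployment listener audit for a Unified Access Gateway appliance.

Added example, not VMware documentation or product code. It checks a socket
listing against the procedure's expectations: the external address exposes
exactly PCoIP 4172/tcp+udp, HTML Access 8443/tcp and the web portal on 443/tcp
and 80/tcp; the administration server on 9443/tcp is bound only to the
management NIC when one exists; nothing else is reachable from the Internet
network. Both listings below are constructed in the shape of `ss -ltun` output.
"""
from typing import List, Optional, Set, Tuple

EXPECTED_EXTERNAL = {("tcp", 4172), ("udp", 4172), ("tcp", 8443), ("tcp", 443), ("tcp", 80)}
ADMIN_PORT = 9443
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}  # bound on every interface, so external too

# Constructed listing of a correctly configured 3 NIC appliance.
SS_OK = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    169.254.10.5:9443   0.0.0.0:*
tcp   LISTEN 0      128    203.0.113.10:443    0.0.0.0:*
tcp   LISTEN 0      128    203.0.113.10:80     0.0.0.0:*
tcp   LISTEN 0      128    203.0.113.10:8443   0.0.0.0:*
tcp   LISTEN 0      128    203.0.113.10:4172   0.0.0.0:*
udp   UNCONN 0      0      203.0.113.10:4172   0.0.0.0:*
"""

# Constructed listing with three deviations: admin server on all interfaces,
# HTML Access not listening, and an extra service reachable on every interface.
SS_BAD = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:9443        0.0.0.0:*
tcp   LISTEN 0      128    203.0.113.10:443    0.0.0.0:*
tcp   LISTEN 0      128    203.0.113.10:80     0.0.0.0:*
tcp   LISTEN 0      128    203.0.113.10:4172   0.0.0.0:*
udp   UNCONN 0      0      203.0.113.10:4172   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""


def parse_ss(output: str) -> Set[Tuple[str, str, int]]:
    """Return {(proto, local_address, port)} from ss -ltun style text; header lines are skipped."""
    listeners = set()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[1] not in ("LISTEN", "UNCONN"):
            continue
        addr, port = parts[4].rsplit(":", 1)  # rsplit keeps bracketed IPv6 addresses intact
        listeners.add((parts[0], addr, int(port)))
    return listeners


def audit_listeners(output: str, external_ip: str,
                    management_ip: Optional[str] = None) -> List[str]:
    """Compare listeners with the procedure's port table; an empty result means no deviation."""
    findings = []
    listeners = parse_ss(output)
    exposed = {(proto, port) for proto, addr, port in listeners
               if addr == external_ip or addr in WILDCARDS}
    for proto, port in sorted(EXPECTED_EXTERNAL - exposed):
        findings.append(f"expected {port}/{proto} is not listening on external address {external_ip}")
    for proto, port in sorted(exposed - EXPECTED_EXTERNAL):
        if port == ADMIN_PORT:
            continue  # reported separately below
        findings.append(f"unexpected {port}/{proto} reachable on the external address; do not NAT it")
    admin_addrs = sorted(addr for proto, addr, port in listeners
                         if proto == "tcp" and port == ADMIN_PORT)
    if management_ip is not None:
        # With NIC 2 present the REST API server must be reachable only there.
        if admin_addrs != [management_ip]:
            findings.append(f"admin server {ADMIN_PORT}/tcp must bind only to management IP "
                            f"{management_ip}, found {admin_addrs}")
    elif any(addr == external_ip or addr in WILDCARDS for addr in admin_addrs):
        # 1 NIC deployment: the server listens everywhere, so the NAT must not forward it.
        findings.append(f"admin server {ADMIN_PORT}/tcp is reachable on the external address; "
                        "never forward it from the Internet network")
    return findings


if __name__ == "__main__":
    for sample in (SS_OK, SS_BAD):
        print(audit_listeners(sample, "203.0.113.10", "169.254.10.5") or ["no deviations"])
```

Feed it the real `ss -ltun` output from the appliance console with the external and management addresses you entered in the template; the NAT and firewall rules on the edge should then cover exactly the ports the audit confirms, and nothing it flags as unexpected.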