You can set up Unified Access Gateway for use in your environment.

For more information about Unified Access Gateway configuration, see VMware Unified Access Gateway documentation.

Note: You cannot deploy a Unified Access Gateway VM from a vSphere Windows client. You must deploy it from the vSphere web client.
Note: Default tenant appliance certificates should not be used for configuring Unified Access Gateway. Custom certificates for Tenant should be uploaded from the Service Center user interface and those certificates should be used for configuring Unified Access Gateway.

Procedure

  1. Download the latest version of the Unified Access Gateway OVA file.
  2. Determine the IP addresses (DNS/Netmask/Gateway) for the required networks, as described below.
    Configuration Networks
    3 NIC

    (Recommended configuration)

    Internet (NIC 1) - Any network with internet access

    Management (NIC 2) - This can be your 169 network. Since this does not have its own DNS or Gateway, you can enter any numbers for DNS and set the netmask to 255.255.255.0

    Backend (NIC 3) - Network that the Tenant uses for desktops

    2 NIC

    Internet (NIC 1) - Network the Tenant is on

    Management (NIC 2) - This can be your 169 network. Since this does not have its own DNS or Gateway, you can enter any numbers for DNS and set the netmask to 255.255.255.0

    1 NIC Internet (NIC 1) - Network that the Tenant is on
    Note: If NIC 2 is present, then the administration server (port 9443) that provides the REST APIs will only listen on that NIC. This server is accessed by the "apsetup.sh" script used in Step 5 below. If NIC 2 is not present, then that administration server listens on all of the interfaces.
  3. In the vSphere web client, follow the normal method for deploying a template. In the “Customize template” step, enter information as shown below.
    Note: The fields below may not all appear, depending on your configuration, and may also appear in a different order than that shown below.
    Table 1.
    Networking Properties External IP Address Physical IP address of NIC 1. Note: If user access is via a NAT address, do not enter that address here.
    DNS server addresses IP of the DNS that the Unified Access Gateway will use to resolve Hostnames.
    Management network IP Address If configuration is 3 NIC or 2 NIC, enter Management Network IP from the previous step.
    Backend network IP Address If configuration is 3 NIC, enter Backend Network IP from the previous step.
    Password Options Password for the root user of this VM Initial password for root user. This must be a valid Linux password.
    Password for the admin user, which enables REST API access Password to be used for REST API Admin user. Password must be at least eight characters long and must contain:
    • At least one upper case letter
    • At least one lower case letter
    • At least one number
    • At least one special character (!, @, #, etc.)
    System Properties Locale to use for localized messages en_us
    Syslog server URL Leave blank
    Horizon Properties Horizon server URL Leave blank
    Horizon server thumbprints Leave blank
  4. When you have finished the deployment process, power on the VM and wait for the login screen to appear on the console.
  5. On the tenant appliance, run the following command:
    sudo /usr/local/desktone/scripts/apsetup.sh
  6. Enter yes or no to the initial two prompts, as described below.
    Prompt Value
    Do you want to setup this access point for internal access . . . : Default value is no. If you enter anything other than y or yes, it will default to no and the access point will be configured for external connections in the DMZ network. In most cases you will use the external configuration.

    Enter yes to make this an internal access point so that the PCoIP traffic goes directly to the desktops, bypassing the access point.

    Do you want to allow Horizon Air Helpdesk Console access . . . : Enter yes to allow the Helpdesk Console access though the access point, or no to not allow access.

    The Helpdesk Console is a console access tool that allows you to run health scans, provide remote assistance, and view history and audit information for each VM in your system.

    Note: This is a beta feature and is not supported at this time. For more information about trying this tool, please contact your deployment representative.
    The system now proceeds to the Unified Access Gateway Configuration prompts.
  7. Enter the requested information for the Unified Access Gateway appliance:
    Prompt Value
    Admin Password: Password for the admin user of the Unified Access Gateway.
    Management IP: This is the same address you entered above for Management network IP Address.
    External IP: The IP address for NIC 1 or the NAT IP address of NIC 1.
    External Hostname [xx.xx.xx.xx]: [Default hostname in brackets]
    External PCoIP Port [4172]: Default PCoIP Port shown in brackets: [4172]
    External HTML Access Port [8443]: Default HTML Access Port in brackets: [8443]
    External Tunnel Port [443]: Default Tunnel Port in brackets: [443]

    The response status returned will indicate whether the configuration was successful.

    Response status Result
    200 Configuration successful
    400 Invalid input
    401 Password incorrect. Confirm that password matches admin password configured during OVA deployment.
  8. If dtRAM was in use on this environment previously, set the element.allocator.ram.use policy to false and remove the associated NAT and firewall rules.
  9. Configure NAT and firewall rules to allow access to the Unified Access Gateway appliance through Internet network.
    Note: When you are using an edge gateway load balancer the NAT for ports 80 and 443 are not required. These ports are forwarded automatically.
    Port Usage
    4172/tcp, 4172/udp PCoIP desktop access protocol
    8443/tcp HTML desktop access protocol
    443/tcp Secure web portal access
    80/tcp Insecure web portal access (will be redirected to 443)