Content Gateway deployment on Unified Access Gateway begins with providing the Unified Access Gateway (UAG) parameters to a configured node on the Workspace ONE UEM console.

Prerequisites

You must have an active deployment of the Unified Access Gateway either as an Appliance or using PowerShell to configure Content Gateway. For more information, see Deploying Unified Access Gateway Appliance and Using PowerShell to Deploy Unified Access Gateway in the Unified Access Gateway documentation.

Configure Content Gateway on the UEM Console

Configure Content Gateway settings in the Workspace ONE UEM console to establish a node and pre-configure the settings that get bundled into the configuration file. The pre-configured settings eliminate the need to configure the settings manually post-installation on the server.
Note: You must resave the configuration details on the UAG Admin UI if you make changes to the Content Gateway configurations after starting the Content Gateway service.
Configuration includes selecting the configuration model, associated ports, and if necessary, uploading an SSL certificate.
Note: Content Gateway services are now supported only on the Unified Access Gateway. Legacy Linux and Windows versions of Content Gateway are no longer supported.
  1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Content Gateway in the Organization Group of your choice.
  2. Set Enable the Content Gateway to Enabled.

    You might need to select Override to unlock Content Gateway settings.

  3. Click Add.
  4. Complete the text boxes that appear to configure a Content Gateway instance.
    1. Configure the Installation Type.
      Installation Type: Unified Access Gateway appears as the default available platform for Content Gateway.
    2. Configure the Content Configuration settings.
      Configuration Type: Select one of the following.
      • Basic – Endpoint configuration with no relay component.
      • Relay – Endpoint configuration with a relay component.
      Name: Provide a unique name used to select this Content Gateway instance when attaching it to a Content Repository, Repository Template, or RFS Node.
      Content Gateway Relay Address: If implementing a relay configuration, enter the URL used to access the Content Gateway Relay from the Internet.
      Content Gateway Relay Port: If implementing a relay configuration, enter the relay server port.
      Content Gateway Endpoint Address: Enter the host name of the Content Gateway endpoint. The public SSL certificate bound to the configured port must be valid for this host name.
      Content Gateway Endpoint Port: Enter the endpoint server port.
    3. Configure the Content SSL Certificate settings.
      Public SSL Certificate (required for Linux): If necessary, upload a PKCS12 (.pfx) certificate file with a full chain for the Content Gateway Installer to bind to the port. The PFX file is password-protected and must contain the server certificate, the intermediates, the root certificate, and the private key.

      Note: To confirm that your PFX file contains the entire certificate chain, run a command such as certutil -dump myCertificate.pfx (Certutil) or openssl pkcs12 -in myCertificate.pfx -nokeys (OpenSSL). These commands display the complete certificate information.

      Requirements vary by platform and SSL configuration.

      Ignore SSL Errors (not recommended): Enable this setting only if you are using a self-signed certificate. If enabled, Content Gateway ignores certificate trust errors and certificate name mismatches.
    4. Configure the Certificate Authentication settings.
      Enable Cross-domain KCD Authentication: Enable this setting to authenticate users with PIV-D Derived Credentials instead of user names and passwords. PIV-D certificate authentication is for users who access on-premises SharePoint repositories from their devices.
      Client Certificate Chain: The certificate chain used to issue client certificates.
      Target SPN: SPN of the target service.
      Service Account Username: User name of the service account that has delegation rights.
      Service Account Password: Password for the service account.
      Domain: Name of the Active Directory (AD) domain containing the users.
      Domain Controller: Hostname or IP address of the domain controller for the domain.
    5. Enter the Content Gateway edge service values under the Custom Gateway Settings.

      This step is optional. You must perform this step only if you want to override the default configuration values for Content Gateway.

      With the edge service values set on the UEM console, the configuration file changes are automated and do not require manual updates to the configuration files each time the UAG is upgraded. ICAP Proxy configurations are not supported from Workspace ONE UEM console version 9.7; however, existing configurations can be edited. For information about configuring ICAP Proxy, see https://kb.vmware.com/s/article/2960835.
  5. Select Add and then select Save.
    Note: HTTP traffic is not allowed for Content Gateway on port 80 on Unified Access Gateway because TCP port 80 is used by the edge Service Manager.

    After configuring settings in the UEM Console, download the installer, configure additional nodes, or manage configured nodes.

Custom Values for Content Gateway

The custom configuration values for the Content Gateway on Unified Access Gateway (UAG) can be set on the Workspace ONE UEM console. These custom values when fetched by the UAG server are automatically updated into the Content Gateway configuration files. The automatic updates eliminate the manual effort of updating the configuration files every time the UAG server undergoes an upgrade.
Note: Changes made after starting the Content Gateway service require resaving the service configuration on UAG.
The following keys are available on the UEM console.

Key: aw.server.security-headers.hsts.enabled
  Type: Boolean
  Value: False
  Description: Allows HSTS support in CG.
  Supported versions: UAG 3.9 (CG 2.11.0) and later

Key: aw.fileshare.client.domain
  Type: String
  Description: Default domain with which the users are associated while accessing fileshare repositories.
  Supported versions: UAG 3.9 (CG 2.11.0) and later

Key: aw.http.cipher-suites
  Type: String
  Value: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256
  Description: Comma-separated list of allowed ciphers. The TLS_RSA_* suites use static RSA key exchange and therefore provide no forward secrecy.
  Supported versions: UAG 3.9 (CG 2.11.0) and later

Key: aw.http.protocols
  Type: String
  Value: SSLv2Hello, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
  Description: Comma-separated list of protocol versions. SSLv2, SSLv3, TLSv1, and TLSv1.1 are deprecated; list only the versions you intend to accept.
  Supported versions: UAG 3.10 (CG 2.12.0) and later

Modifying the SMB Configurations

The SMB configuration is stored in the smb.conf and smb-connector.conf files in the smb-connector directory under the Content Gateway installation path. To write custom values that match these files exactly, obtain the current copies of the files from the UAG's log export. New custom values are not inserted in any particular position: a new value is appended at the end of the file, after all existing values.

Custom values can be provided in the UEM console using the following syntax:

extconf##FILE_NAME##CHANGE_TYPE[##EXISTING_LINE]=LINE_VALUE
  • FILE_NAME = Name of the file: smb or smb-connector
  • CHANGE_TYPE = ADD, REMOVE, or UPDATE
  • EXISTING_LINE = The current content of the line to change. If the line is not found in the file, this Key Value Pair (KVP) is ignored and has no effect on the file. Applies only to UPDATE and REMOVE.
  • LINE_VALUE = The line to insert, or the replacement line for an update. Ignored for REMOVE.

The following examples show how custom values modify the SMB configuration files.

Example 1: An environment requires raising the minimum SMB protocol version from SMB2_02 to SMB3.
  Key: extconf##smb##UPDATE##client min protocol = SMB2_02
  Type: String
  Value: client min protocol = SMB3
  Description: Updates the line in smb.conf that reads "client min protocol = SMB2_02" to "client min protocol = SMB3".

Example 2: Set the smb-connector log level to debug. The default is 1 (error); the allowed values are 0: Off, 1: Error, 2: Warning, 3: Info, 4: Debug.
  Key: extconf##smb-connector##UPDATE##log_level 1
  Type: String
  Value: log_level 4
  Description: Updates the line in smb-connector.conf that reads "log_level 1" to "log_level 4".
Note: All custom values must be provided as a String when inserting or updating the configuration and as Null when removing the configuration.
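An added example, not from the VMware documentation, that applies the extconf syntax above to a local copy of smb.conf so the effect of a custom value can be previewed before it is entered in the console. The helper apply_extconf, the directory layout and the sample smb.conf lines are constructed for the example; it assumes a POSIX shell with awk and a copy of the file taken from the UAG log export.

```shell
#!/bin/sh
# Added example, not from the VMware documentation: re-implements the
# documented extconf semantics against a local copy of smb.conf so a custom
# value can be previewed. Sample file content is constructed for the example.
set -eu

# apply_extconf KEY VALUE DIR
# KEY is extconf##FILE_NAME##CHANGE_TYPE[##EXISTING_LINE]; VALUE is LINE_VALUE.
# The file edited is DIR/FILE_NAME.conf. ADD appends at the end; UPDATE and
# REMOVE match the whole existing line and are ignored when it is absent.
apply_extconf() {
  key=$1; value=$2; dir=$3
  name=$(printf '%s\n' "$key" | awk -F'##' '{print $2}')
  change=$(printf '%s\n' "$key" | awk -F'##' '{print $3}')
  existing=$(printf '%s\n' "$key" | awk -F'##' '{print $4}')
  file="$dir/$name.conf"
  case $change in
    ADD) printf '%s\n' "$value" >> "$file" ;;
    UPDATE|REMOVE)
      # Exact whole-line match, as the documentation describes
      awk -v old="$existing" -v new="$value" -v mode="$change" '
        $0 == old { if (mode == "UPDATE") print new; next }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file" ;;
    *) echo "unknown CHANGE_TYPE: $change" >&2; return 1 ;;
  esac
}

# Constructed sample smb.conf (three lines)
WORK=$(mktemp -d)
printf '%s\n' '[global]' 'client min protocol = SMB2_02' \
  'client max protocol = SMB3' > "$WORK/smb.conf"

# Example 1 from the page: raise the minimum protocol version
apply_extconf 'extconf##smb##UPDATE##client min protocol = SMB2_02' \
  'client min protocol = SMB3' "$WORK"
# EXISTING_LINE not present in the file: the KVP is ignored
apply_extconf 'extconf##smb##UPDATE##server min protocol = SMB2_02' \
  'server min protocol = SMB3' "$WORK"
# ADD appends after all existing values
apply_extconf 'extconf##smb##ADD' 'client signing = mandatory' "$WORK"
cat "$WORK/smb.conf"
```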

Modifying Application Log Levels

To set the application logging level to debug, use the following KVP entry. Info is the default level; the permitted values are Error, Warn, Info, Debug, and Trace.
  Key: extconf##logback##level##com.vmware
  Type: String
  Value: debug
  Description: Updates the application logging level to debug.

Configure Content Gateway on Unified Access Gateway

Enable the Content Gateway settings and provide the configuration details required for configuring Content Gateway on Unified Access Gateway.
  1. Open the Unified Access Gateway Admin UI, navigate to General Settings > Edge Service Settings > Content Gateway > Settings, and click the gear icon.
  2. Select YES to enable Content Gateway settings.
  3. Configure the following settings and click Save.
    Identifier: Indicates that this service is enabled.
    API Server URL: The AirWatch API Server URL, in the form [http[s]://]hostname[:port]. The destination URL must contain the protocol, host name or IP address, and port number. For example: https://load-balancer.example.com:8443. Unified Access Gateway pulls the Content Gateway configuration from the API server.
    API Server Username: User name to log into the API server. You must assign the Content Gateway role to the admin account.
    API Server Password: Password to log into the API server.
    Content Gateway Hostname: Host name used to configure edge settings.
    Content Gateway Configuration GUID: VMware Content Gateway configuration ID. This ID is generated automatically when the Content Gateway is configured on the Workspace ONE UEM console. The Configuration GUID is displayed on the Content Gateway page of the Workspace ONE UEM console under Settings > Content > Content Gateway.
    Outbound Proxy Host: The host where the outbound proxy is installed. If configured, the Unified Access Gateway connects to the API Server through the outbound proxy.
    Outbound Proxy Port: Port of the outbound proxy.
    Outbound Proxy Username: User name to log into the outbound proxy.
    Outbound Proxy Password: Password to log into the outbound proxy.
    NTLM Authentication: Specify whether the outbound proxy requires NTLM authentication.
    Trusted Certificates: Add a trusted certificate to this edge service. Select '+' to choose a certificate in PEM format and add it to the trust store. Select '-' to remove a certificate from the trust store. By default, the alias is the file name of the PEM certificate. To use a different name, edit the alias text box.
    Host Entries: Enter the entries to add to the /etc/hosts file. Each entry consists of an IP address, a host name, and an optional host name alias, in that order and separated by spaces. For example: 10.192.168.1 example1.com, 10.192.168.2 example2.com example-alias. Select '+' to add multiple host entries.
    Important: The host entries are saved only after you select Save.

Verify Content Gateway Connectivity

After installation, test the Content Gateway connection in the UEM console to verify that the installation completed successfully.
  1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Content Gateway in the UEM console.
  2. Select Test Connection to verify the connectivity.

Considerations for Content Gateway Configuration

Consider the sync behavior of the repository content when the repository access is set up using the Content Gateway.

When setting up repository access using the Content Gateway, repository content only syncs up to two folder levels. Other subfolders sync as the UEM console or devices request them. On the console, the sync occurs when performing a manual sync action inside a subfolder. On the device, the sync occurs when an end user navigates to a subfolder.

Content Gateway Robustness

Understand how to address performance issues caused by the geographical separations between Content Gateway and Corporate File Servers.

Geographical separations in content infrastructure can lead to latencies that impact performance. Global organizations might encounter issues when syncing content from Corporate File Servers dispersed across the globe through a single Content Gateway connector.

To address the performance issues caused by geographical separation between Content Gateway and the local Corporate File Servers, configure multiple Content Gateway instances in the same Organization Group. This configuration also splits the load for large deployments.

Evaluate your organization's need for multiple Content Gateway nodes. Global organizations with concerns about latencies caused by geographical separations benefit the most from this configuration option.