After configuring the VMware Tunnel in the Workspace ONE UEM console, download and configure the Hyper-V template.ini file with your Unified Access Gateway settings. The PowerShell script uses the template to configure your Unified Access Gateway deployment.

Watch a tutorial video explaining how to deploy the VMware Tunnel Unified Access Gateway using PowerShell: VMware Tunnel PowerShell deployment.


  1. Download the Unified Access Gateway Using Hyper-V ZIP from Workspace ONE UEM Resources.
    Workspace ONE UEM Resources are available at VMware Tunnel on Unified Access Gateway v3.3 (Using HyperV).
  2. Unzip the file and locate the template.ini file.
  3. Right-click the file and select Open With. Select Notepad or your preferred file editor.
  4. Configure the template.ini settings.
    Settings Descriptions

    Enter the Unified Access Gateway unique name.

    This name must be different every time you deploy the Unified Access Gateway.

    Example: name=TunnelAppliance


    Enter the full file path to the OVA file on your local machine.

    Example: source=C:\access-point.ova






    Enter the number of Network Interface Controllers you want to associate with the appliance for your deployment configuration. Your options are:

    • onenic
    • twonic
    • threenic

    Then enter the address for each NIC you are using. Delete the excess lines if you are not using all three.

    The different IP addresses entered change based on your NIC settings.

    • If you use one NIC, then the IP address is used for all communications.
    • If you use two NICs, then ip0 is for external communications and ip1 is for internal communications.
    • If you use three NICs, then ip0 is for external communications, ip1 is for the admin UI only, and ip2 is for internal communications.

    For best results, consult your network admins.

    Example: deploymentOption=threenic

    For dns=, enter the DNS server address to configure the appliance resolv.conf file. If you use multiple DNS servers, enter the addresses separated by a space. Do not use commas.

    ds=<DATA_STORE_NAME> Enter the name of your Hyper-V datastore.
    netInternet=<NIC1_IP_NETWORK_NAME> netManagementNetwork=<NIC2_IP_NETWORK_NAME> netBackendNetwork=<NIC3_IP_NETWORK_NAME> Enter the virtual switch names. A virtual switch must be created for each of the referenced networks.




    Enter the subnet mask for the networks added when configuring the netInternet, netManagementNetwork, and netBackendNetwork settings.
    defaultGateway Enter the gateway for the network added when configuring the netInternet setting.
    honorCipherOrder=<true_or_false> Enter true to force the TLS cipher order to be the order specified by the server.

    Enter true if you are using the VMware Tunnel - Proxy.

    Example: tunnelGatewayEnabled=true

    apiServerUrl=<API_SERVER_URL> Enter the API server URL.

    To find the URL, navigate to Groups & Settings > All Settings > Advanced > Site URLs > REST API URL.

    apiServerUsername=<API_SERVER_USERNAME> Enter the user name of a Workspace ONE UEM console admin user account. This user is an admin user with API permissions. Consider using an account with Console Administrator privileges.
    organizationGroupCode=<ORGANIZATION_GROUP_CODE> Enter the Organization Group ID the VMware Tunnel is configured for.
    airwatchServerHostname=<HOSTNAME> Enter the hostname or IP address for the Unified Access Gateway. Ensure that this field matches what is entered in the Workspace ONE UEM console to prevent installation issues.

    Enter the outbound proxy port if you use an outbound proxy for the initial setup API call or for tunnel traffic.

    This field is commented out by default.

    outboundProxyHost=<OUTBOUND_PROXY_HOST> Enter the outbound proxy host if you use an outbound proxy for the initial setup API call or for tunnel traffic.

    This field is commented out by default.

    airwatchOutboundProxy=<true or false> Enter true to use these proxy settings as the outbound proxy for your VMware Tunnel - Proxy deployment.

    This field is commented out by default.

    ntlmAuthentication=<true or false> Enter true if you use NTLM authentication for the initial setup API call or for tunnel traffic.

    This field is commented out by default.


    Enter additional host entries for the appliance. You can add multiple host entries. Increase the number for each entry. For example hostEntry2, hostEntry3, and so on.

    This field is commented out by default.


    Enter the file path for the trusted certificates. You can add multiple trusted certificates. Increase the number for each entry. For example, trustedCert2, trustedCert3, and so on.

    This field is commented out by default.

  5. Save the file in the same folder as the PowerShell script and run the PowerShell script.
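
A pre-flight check you can run before step 5, added here as an example and not part of VMware's deployment script: it checks template.ini against the rules above (deploymentOption value, matching ip0/ip1/ip2 lines, space-separated dns, existing source and trustedCert files). The function name Test-UagTemplate, the flat key=value parsing, and '#' as the comment character are assumptions; the sample file is constructed.

```powershell
# Added example, not VMware's script. Assumes flat key=value lines,
# '#' comments, and [section] headers that can be skipped.
function Test-UagTemplate {
    param([Parameter(Mandatory)][string]$Path)
    $s = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith('[')) { continue }
        $key, $value = $t -split '=', 2
        if ($null -ne $value) { $s[$key.Trim()] = $value.Trim() }
    }
    $problems = @()
    if (-not $s['name']) { $problems += 'name is empty; it must be unique per deployment' }
    if (-not $s['source'] -or -not (Test-Path -LiteralPath $s['source'] -PathType Leaf)) {
        $problems += "source OVA not found: '$($s['source'])'"
    }
    $nicCount = @{ onenic = 1; twonic = 2; threenic = 3 }
    $option = $s['deploymentOption']
    if (-not $option -or -not $nicCount.ContainsKey($option)) {
        $problems += "deploymentOption must be onenic, twonic, or threenic (found '$option')"
    } else {
        foreach ($i in 0..2) {   # required ipN present, excess ipN lines deleted
            $present = $s.ContainsKey("ip$i")
            if ($i -lt $nicCount[$option] -and -not $present) { $problems += "ip$i is missing for $option" }
            if ($i -ge $nicCount[$option] -and $present) { $problems += "ip$i is set but $option does not use it" }
        }
    }
    if ($s['dns'] -match ',') { $problems += 'dns entries must be separated by spaces, not commas' }
    foreach ($k in ($s.Keys | Where-Object { $_ -like 'trustedCert*' })) {
        if (-not $s[$k] -or -not (Test-Path -LiteralPath $s[$k] -PathType Leaf)) {
            $problems += "$k file not found: '$($s[$k])'"
        }
    }
    $problems   # empty output means no problems were found
}

# Constructed sample with deliberate mistakes (twonic with ip2 left in, commas in dns).
$sample = Join-Path ([IO.Path]::GetTempPath()) 'template-sample.ini'
@'
[General]
name=TunnelAppliance
source=C:\access-point.ova
deploymentOption=twonic
ip0=192.0.2.10
ip1=192.0.2.20
ip2=192.0.2.30
dns=192.0.2.53,192.0.2.54
#trustedCert1=C:\certs\ca.pem
'@ | Set-Content -LiteralPath $sample
Test-UagTemplate -Path $sample
```

On the sample, the function reports the stray ip2 line and the comma-separated dns value, plus the source path if that OVA does not exist on the machine.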