After configuring the VMware Tunnel in the Workspace ONE UEM console and downloading the OVA file, configure the vSphere template.ini file with your Unified Access Gateway settings. The PowerShell script uses the template to configure your Unified Access Gateway deployment.


  1. Download the Unified Access Gateway Using vSphere ZIP from Workspace ONE UEM Resources.
    Workspace ONE UEM Resources are available at
  2. Unzip the file and locate the template.ini file.
  3. Right click the file and select Open With. Select notepad or your preferred file editor.
  4. Configure the template.ini settings.
    Settings Descriptions

    Enter the Unified Access Gateway unique name.

    Example: name=TunnelAppliance


    Enter the full file path to the OVA file on your local machine.

    Example: source=C:\access-point.ova


    Enter the vCenter user name and address/hostname.

    Then enter the location to place the appliance in vSphere.

    Do not remove the PASSWORD. PASSWORD in upper case results in a password prompt during deployment so that passwords do not need to be specified in this INI file.

    Example: target=vi://






    Enter the number of Network Interface Controllers you want to associate with the appliance for your deployment configuration. Your options are:

    • onenic
    • twonic
    • threenic

    Then enter the address for each NIC you are using. Delete the excess lines if you are not using all three.

    The different IP addresses entered change based on your NIC settings.

    • If you use one NIC, then the IP address is used for all communications.
    • If you use two NICs, then ip0 is for external communications and ip1 is for internal communications.
    • If you use three NICs, then ip0 is for external communications. Ip1 is for the admin UI only and ip2 is for internal communications.

    For best results, consult your network admins.

    Example: deploymentOption=threenic

    For dns=, enter the DNS server address to configure the appliance resolv.conf file. If you use multiple DNS servers, enter the addresses separated by a space value. Do not use commas.

    ds=<DATA_STORE_NAME> Enter the name of your vSphere datastore.
    netInternet=<NIC1_IP_NETWORK_NAME> netManagementNetwork=<NIC2_IP_NETWORK_NAME> netBackendNetwork=<NIC3_IP_NETWORK_NAME>

    Enter the vSphere network names. If you are not using network profiles, manually enter the netmask or prefix for the respective NICs and the IPv4/IPv6 default gateway.

    This specifies network settings such as IPv4 subnet mask, gateway etc.




    Enter the subnet mask for the networks added when configuring the netInternet, netManagementNetwork, and netBackendNetwork settings.
    defaultGateway Enter the gateway for the network added when configuring the netInternet setting.
    honorCipherOrder=<true_or_false> Enter true to force the TLS cipher order to be the order specified by the server.

    Enter true if you are using the VMware Tunnel- Proxy.

    Example: tunnelGatewayEnabled=true

    apiServerUrl=<API_SERVER_URL> Enter the API server URL.

    To find the URL, navigate to Groups & Settings > All Settings > Advanced > Site URLs > REST API URL.

    apiServerUsername=<API_SERVER_USERNAME> Enter the user name of an Workspace ONE UEM console admin user account. This user is an admin user with API permissions. Consider using an account with Console Administrator privleges.
    organizationGroupCode=<ORGANIZATION_GROUP_CODE> Enter the Organization Group ID the VMware Tunnel is configured for.
    airwatchServerHostname= <HOSTNAME> Enter the hostname or IP address for the Unified Access Gateway. Ensure that this field matches what is entered in the Workspace ONE UEM console to prevent installation issues.

    Enter the outbound proxy port if you use an outbound proxy for the initial setup API call or for tunnel traffic.

    This field is commented out by default.

    outboundProxyHost=<OUTBOUND_PROXY_HOST> Enter the outbound proxy host if you use an outbound proxy for the initial setup API call or for tunnel traffic.

    This field is commented out by default.

    airwatchOutboundProxy=<true or false> Enter true to use these proxy settings as the outbound proxy for your VMware Tunnel - Proxy deployment.

    This field is commented out by default.

    ntlmAuthentication=<true or false> Enter true if you use NTLM authentication for the initial setup API call or for tunnel traffic.

    This field is commented out by default.


    Enter additional host entries for the appliance. You can add multiple host entries. Increase the number for each entry. For example hostEntry2, hostEntry3, and so on.

    This field is commented out by default.


    Enter the file path for the trusted certificates. You can add multple trusted certificates. Increase the for each entry. For example, trustedCert2, trustedCert3, and so on.

    This field is commented out by default.

  5. Save the file in the same folder as the PowerShell script and run the PowerShell script.