After configuring your VMware Tunnel settings, deploy VMware Tunnel as an edge service on the VMware Unified Access Gateway appliance to simplify the installation process. VMware supports installation using either VMware vSphere and Unified Access Gateway Admin UI or PowerShell scripting.
Install VMware Tunnel using vSphere
After configuring the VMware Tunnel in the Workspace ONE UEM console and downloading the VMware Unified Access Gateway OVA file, use VMware vSphere to install the Unified Access Gateway onto your server. The Unified Access Gateway simplifies installation of the VMware Tunnel.
- Dedicated vSphere Admin Account with full privileges to deploy OVF
- Communication between the Windows machine used to deploy the OVA and your vSphere instance
- vSphere 6.0+
- vSphere ESX host with a vCenter Server
VMware Tunnel Unified Access Gateway deployment does not support the VMware vSphere desktop client. You must use the VMware vSphere web client or the PowerShell deployment method.
- Log in to the vSphere Web client.
- Navigate to VMs and Templates.
- Select the folder where you want to deploy the Unified Access Gateway OVA file. Right-click the file and select Deploy OVF Template.
- Select the OVA file on your local machine or enter the URL for the OVA file. Click Next.
- Review the template details and select Next.
- Enter a unique Name for the deployment, and then select the folder or data center to hold the OVA file and select Next.
- Select the number of Network Interface Controllers (NICs) you want to associate with the appliance for your deployment configuration. Click Next.
For more information, see the Unified Access Gateway Documentation Center at Unified Access Gateway Documentation.
- On the Select a Resource screen, select a location to run the template.
- Select the storage and disk format options. When finished, select Next.
Table 1. Settings Descriptions
  - Virtual Disk Format: For evaluation and testing, select the Thin Provision format. For production environments, select one of the Thick Provision formats.
  - VM Storage Policy: The values in this text box are defined by your vSphere administrator.
- Configure the Network Mapping settings. Enter the vSphere network names. The network protocol profile associated with each referenced network name determines the DNS servers, gateway, and subnet mask. If a network has no protocol profile, you must enter those values in the next step. When finished, select Next.
- Configure the Properties settings. These settings include the Network Properties and the Password Options.
  - Customize the Network Properties as they relate to your VMware Tunnel network configuration.
  - Configure the password for the root user of the VM.
  - Configure the password for the REST API access. The REST API password is the password for the admin UI. You must follow the password requirements:
    - The password must be 8 characters long.
    - The password must contain at least one special character from !@#$*().
    - The password must contain at least one lowercase character.
    - The password must contain at least one uppercase character.
    Caution: If you do not follow the password requirements, installation fails without explanation. The deployment performs no validation of this field, so an incorrectly entered password produces no warning.
  - When finished, select Next.
- Review the OVA settings and select Power on after deployment.
- Select Finish to deploy the Unified Access Gateway.
To complete the configuration of the VMware Tunnel, you must log in to the Unified Access Gateway admin UI to customize your settings.
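Because the OVA deployment gives no feedback when the REST API (admin UI) password breaks the rules above, it is worth checking a candidate password before entering it. The following PowerShell function is an added example, not part of the VMware documentation or the Unified Access Gateway appliance; it encodes the four listed rules, reading "8 characters long" as a minimum of 8 (an assumption), and reads the password with Read-Host so it never lands in shell history.

```powershell
# Added example (not VMware's code): pre-check a candidate admin UI / REST API
# password against the requirements stated in the vSphere deployment steps.
# Assumption: "8 characters long" is treated as a minimum length of 8.
function Test-UagAdminPassword {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Password
    )

    $failures = @()

    if ($Password.Length -lt 8) {
        $failures += 'fewer than 8 characters'
    }
    # Special characters named in the requirements: ! @ # $ * ( )
    # (all literal inside a regex character class; single quotes keep $ literal too)
    if ($Password -notmatch '[!@#$*()]') {
        $failures += 'no special character from !@#$*()'
    }
    # -cnotmatch is case-sensitive; plain -match would treat [a-z] and [A-Z] alike.
    if ($Password -cnotmatch '[a-z]') {
        $failures += 'no lowercase character'
    }
    if ($Password -cnotmatch '[A-Z]') {
        $failures += 'no uppercase character'
    }

    [pscustomobject]@{
        Valid    = ($failures.Count -eq 0)
        Failures = $failures
    }
}

# Read the password interactively as a SecureString, then unwrap it only for the check.
# New-Object is used instead of ::new() so the snippet also runs on PowerShell 4.
$secure = Read-Host -Prompt 'Admin UI (REST API) password to check' -AsSecureString
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password
$result = Test-UagAdminPassword -Password $plain
$plain  = $null

if ($result.Valid) {
    Write-Host 'Password meets the stated requirements.'
}
else {
    Write-Warning ('Password does not meet the requirements: ' + ($result.Failures -join '; '))
}
```

Run the snippet on the workstation from which you deploy the OVA; only a pass/fail summary is printed, never the password itself.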
Install VMware Tunnel using PowerShell Script
As an alternative to using the vSphere client to deploy the VMware Tunnel OVA file, you can use a PowerShell script. The PowerShell method provides settings validation checks to prevent errors during deployment. PowerShell also lets you deploy multiple instances of VMware Tunnel quickly: use the same .ini template to run the script multiple times.
The PowerShell method requires adding your VMware Tunnel configuration settings to the .ini template and running the script. When the script runs, it prompts for the necessary credentials: the appliance root user password, the REST API (admin UI) password, the Workspace ONE UEM administrator password, the optional outbound proxy password, and the vCenter password. Each password is then validated, so you can easily troubleshoot why a deployment failed.
Configure the vSphere .INI Template
After configuring the VMware Tunnel in the Workspace ONE UEM console and downloading the OVA file, configure the vSphere template.ini file with your Unified Access Gateway settings. The PowerShell script uses the template to configure your Unified Access Gateway deployment.
- Download the Unified Access Gateway Using vSphere ZIP from Workspace ONE UEM Resources. Workspace ONE UEM Resources are available at https://resources.air-watch.com/view/sbfsfykltpqfxhvg9tpy/en.
- Unzip the file and locate the template.ini file.
- Right-click the file and select Open With. Select Notepad or your preferred file editor.
- Configure the template.ini settings.
Settings and descriptions:

name=<VIRTUAL_MACHINE_NAME>
  Enter the Unified Access Gateway unique name.
  Example: name=TunnelAppliance

source=<OVA_FILE_PATH>
  Enter the full file path to the OVA file on your local machine.
  Example: source=C:\access-point.ova

target=vi://<USERNAME>:PASSWORD@<VSPHEREDOMAIN>/<LOCATION/TO/PLACE/APPLIANCE/IN/VSPHERE>
  Enter the vCenter user name and address/hostname, then the location to place the appliance in vSphere. Do not remove PASSWORD: the upper-case PASSWORD placeholder results in a password prompt during deployment, so that passwords do not need to be specified in this INI file.
  Example: target=vi://admin@vmware.com:PASSWORD@vsphere.com/MyMachines/host/Development/Resources/MyResourcePool

deploymentOption=<NUMBER_OF_NICS>
dns=<DNS_IP>
ip0=<NIC1_IP_ADDRESS>
ip1=<NIC2_IP_ADDRESS>
ip2=<NIC3_IP_ADDRESS>
  Enter the number of Network Interface Controllers you want to associate with the appliance for your deployment configuration. Your options are:
  - onenic
  - twonic
  - threenic
  Then enter the address for each NIC you are using. Delete the excess ip lines if you are not using all three. The meaning of each IP address depends on your NIC settings:
  - If you use one NIC, the IP address is used for all communications.
  - If you use two NICs, ip0 is for external communications and ip1 is for internal communications.
  - If you use three NICs, ip0 is for external communications, ip1 is for the admin UI only, and ip2 is for internal communications.
  For best results, consult your network admins.
  Example: deploymentOption=threenic
  For dns=, enter the DNS server address to configure the appliance resolv.conf file. If you use multiple DNS servers, enter the addresses separated by a space. Do not use commas.

ds=<DATA_STORE_NAME>
  Enter the name of your vSphere datastore.

netInternet=<NIC1_IP_NETWORK_NAME>
netManagementNetwork=<NIC2_IP_NETWORK_NAME>
netBackendNetwork=<NIC3_IP_NETWORK_NAME>
  Enter the vSphere network names. If you are not using network protocol profiles, manually enter the netmask or prefix for the respective NICs and the IPv4/IPv6 default gateway; these specify network settings such as the IPv4 subnet mask and gateway.

netmask0=<NIC1_NETMASK>
netmask1=<NIC2_NETMASK>
netmask2=<NIC3_NETMASK>
  Enter the subnet mask for the networks added when configuring the netInternet, netManagementNetwork, and netBackendNetwork settings.

defaultGateway
  Enter the gateway for the network added when configuring the netInternet setting.

honorCipherOrder=<true_or_false>
  Enter true to force the TLS cipher order to be the order specified by the server.

tunnelGatewayEnabled=<true_or_false>
  Enter true if you are using the VMware Tunnel - Proxy.
  Example: tunnelGatewayEnabled=true

apiServerUrl=<API_SERVER_URL>
  Enter the API server URL. To find the URL, navigate to Groups & Settings > All Settings > Advanced > Site URLs > REST API URL.

apiServerUsername=<API_SERVER_USERNAME>
  Enter the user name of a Workspace ONE UEM console admin user account. This user is an admin user with API permissions. Consider using an account with Console Administrator privileges.

organizationGroupCode=<ORGANIZATION_GROUP_CODE>
  Enter the Organization Group ID the VMware Tunnel is configured for.

airwatchServerHostname=<HOSTNAME>
  Enter the hostname or IP address for the Unified Access Gateway. Ensure that this field matches what is entered in the Workspace ONE UEM console to prevent installation issues.

outboundProxyPort=<OUTBOUND_PROXY_PORT>
  Enter the outbound proxy port if you use an outbound proxy for the initial setup API call or for tunnel traffic. This field is commented out by default.

outboundProxyHost=<OUTBOUND_PROXY_HOST>
  Enter the outbound proxy host if you use an outbound proxy for the initial setup API call or for tunnel traffic. This field is commented out by default.

airwatchOutboundProxy=<true or false>
  Enter true to use these proxy settings as the outbound proxy for your VMware Tunnel - Proxy deployment. This field is commented out by default.

ntlmAuthentication=<true or false>
  Enter true if you use NTLM authentication for the initial setup API call or for tunnel traffic. This field is commented out by default.

hostEntry1=<HOSTNAME>
  Enter additional host entries for the appliance. You can add multiple host entries; increase the number for each entry, for example hostEntry2, hostEntry3, and so on. This field is commented out by default.

trustedCert1=<CERT_FILE_PATH>
  Enter the file path for the trusted certificates. You can add multiple trusted certificates; increase the number for each entry, for example trustedCert2, trustedCert3, and so on. This field is commented out by default.
- Save the file in the same folder as the PowerShell script and run the PowerShell script.
Configure the Hyper-V .INI Template
After configuring the VMware Tunnel in the Workspace ONE UEM console, download and configure the Hyper-V template.ini file with your Unified Access Gateway settings. The PowerShell script uses the template to configure your Unified Access Gateway deployment. A tutorial video explaining how to deploy the VMware Tunnel Unified Access Gateway using PowerShell is available: VMware Tunnel PowerShell deployment.
- Download the Unified Access Gateway Using Hyper-V ZIP from Workspace ONE UEM Resources. Workspace ONE UEM Resources are available at VMware Tunnel on Unified Access Gateway v3.3 (Using HyperV).
- Unzip the file and locate the template.ini file.
- Right-click the file and select Open With. Select Notepad or your preferred file editor.
- Configure the template.ini settings.
Settings and descriptions:

name=<VIRTUAL_MACHINE_NAME>
  Enter the Unified Access Gateway unique name. This name must be different every time you deploy the Unified Access Gateway.
  Example: name=TunnelAppliance

source=<OVA_FILE_PATH>
  Enter the full file path to the OVA file on your local machine.
  Example: source=C:\access-point.ova

deploymentOption=<NUMBER_OF_NICS>
dns=<DNS_IP>
ip0=<NIC1_IP_ADDRESS>
ip1=<NIC2_IP_ADDRESS>
ip2=<NIC3_IP_ADDRESS>
  Enter the number of Network Interface Controllers you want to associate with the appliance for your deployment configuration. Your options are:
  - onenic
  - twonic
  - threenic
  Then enter the address for each NIC you are using. Delete the excess ip lines if you are not using all three. The meaning of each IP address depends on your NIC settings:
  - If you use one NIC, the IP address is used for all communications.
  - If you use two NICs, ip0 is for external communications and ip1 is for internal communications.
  - If you use three NICs, ip0 is for external communications, ip1 is for the admin UI only, and ip2 is for internal communications.
  For best results, consult your network admins.
  Example: deploymentOption=threenic
  For dns=, enter the DNS server address to configure the appliance resolv.conf file. If you use multiple DNS servers, enter the addresses separated by a space. Do not use commas.

ds=<DATA_STORE_NAME>
  Enter the name of your Hyper-V datastore.

netInternet=<NIC1_IP_NETWORK_NAME>
netManagementNetwork=<NIC2_IP_NETWORK_NAME>
netBackendNetwork=<NIC3_IP_NETWORK_NAME>
  Enter the virtual switch names. A virtual switch must be created for each referenced network.

netmask0=<NIC1_NETMASK>
netmask1=<NIC2_NETMASK>
netmask2=<NIC3_NETMASK>
  Enter the subnet mask for the networks added when configuring the netInternet, netManagementNetwork, and netBackendNetwork settings.

defaultGateway
  Enter the gateway for the network added when configuring the netInternet setting.

honorCipherOrder=<true_or_false>
  Enter true to force the TLS cipher order to be the order specified by the server.

tunnelGatewayEnabled=<true_or_false>
  Enter true if you are using the VMware Tunnel - Proxy.
  Example: tunnelGatewayEnabled=true

apiServerUrl=<API_SERVER_URL>
  Enter the API server URL. To find the URL, navigate to Groups & Settings > All Settings > Advanced > Site URLs > REST API URL.

apiServerUsername=<API_SERVER_USERNAME>
  Enter the user name of a Workspace ONE UEM console admin user account. This user is an admin user with API permissions. Consider using an account with Console Administrator privileges.

organizationGroupCode=<ORGANIZATION_GROUP_CODE>
  Enter the Organization Group ID the VMware Tunnel is configured for.

airwatchServerHostname=<HOSTNAME>
  Enter the hostname or IP address for the Unified Access Gateway. Ensure that this field matches what is entered in the Workspace ONE UEM console to prevent installation issues.

outboundProxyPort=<OUTBOUND_PROXY_PORT>
  Enter the outbound proxy port if you use an outbound proxy for the initial setup API call or for tunnel traffic. This field is commented out by default.

outboundProxyHost=<OUTBOUND_PROXY_HOST>
  Enter the outbound proxy host if you use an outbound proxy for the initial setup API call or for tunnel traffic. This field is commented out by default.

airwatchOutboundProxy=<true or false>
  Enter true to use these proxy settings as the outbound proxy for your VMware Tunnel - Proxy deployment. This field is commented out by default.

ntlmAuthentication=<true or false>
  Enter true if you use NTLM authentication for the initial setup API call or for tunnel traffic. This field is commented out by default.

hostEntry1=<HOSTNAME>
  Enter additional host entries for the appliance. You can add multiple host entries; increase the number for each entry, for example hostEntry2, hostEntry3, and so on. This field is commented out by default.

trustedCert1=<CERT_FILE_PATH>
  Enter the file path for the trusted certificates. You can add multiple trusted certificates; increase the number for each entry, for example trustedCert2, trustedCert3, and so on. This field is commented out by default.
- Save the file in the same folder as the PowerShell script and run the PowerShell script.
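The two template procedures above (vSphere and Hyper-V) list several mistakes that only surface once the deployment is already running: a missing key, a real password pasted into target= instead of the PASSWORD placeholder, comma-separated DNS servers, or leftover ipN lines that do not match deploymentOption. The following pre-flight check is an added example, not part of the VMware documentation or of the shipped uagdeploy.ps1 and uagdeployhv.ps1 scripts. It assumes comment lines in template.ini start with # or ; and that [section] headers can be skipped; the -Hypervisor parameter and the function names are this example's own.

```powershell
# Added example (not VMware's code): pre-flight validation of a VMware Tunnel
# template.ini for either the vSphere or the Hyper-V PowerShell deployment.
# Assumptions: '#' or ';' starts a comment; '[...]' lines are section headers.
function Read-IniSettings {
    param([Parameter(Mandatory = $true)][string]$Path)
    $settings = @{}
    foreach ($line in Get-Content -Path $Path) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed -match '^[#;]' -or $trimmed -match '^\[.*\]$') { continue }
        $idx = $trimmed.IndexOf('=')
        if ($idx -lt 1) { continue }
        $settings[$trimmed.Substring(0, $idx).Trim()] = $trimmed.Substring($idx + 1).Trim()
    }
    return $settings
}

function Test-UagTunnelIni {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [ValidateSet('vSphere', 'HyperV')][string]$Hypervisor = 'vSphere'
    )
    $ini = Read-IniSettings -Path $Path
    $problems = @()

    # Keys the settings tables describe as always needed (target= is vSphere-only).
    foreach ($required in 'name', 'source', 'deploymentOption', 'dns', 'ds', 'apiServerUrl',
                          'apiServerUsername', 'organizationGroupCode', 'airwatchServerHostname') {
        if (-not $ini.ContainsKey($required) -or $ini[$required] -eq '') {
            $problems += "missing required setting '$required'"
        }
    }

    if ($ini.ContainsKey('source') -and -not (Test-Path -LiteralPath $ini['source'])) {
        $problems += "OVA file not found: $($ini['source'])"
    }

    if ($Hypervisor -eq 'vSphere') {
        if (-not $ini.ContainsKey('target')) {
            $problems += "missing 'target' (vi://<user>:PASSWORD@<vcenter>/<location>)"
        }
        elseif ($ini['target'] -cnotmatch '^vi://[^:/]+:PASSWORD@') {
            # The upper-case literal makes the script prompt; anything else is a credential on disk.
            $problems += "'target' must keep the literal PASSWORD placeholder rather than an embedded password"
        }
    }

    $nicCount = @{ onenic = 1; twonic = 2; threenic = 3 }
    if ($ini.ContainsKey('deploymentOption')) {
        $opt = $ini['deploymentOption']
        if (-not $nicCount.ContainsKey($opt)) {
            $problems += "deploymentOption must be onenic, twonic or threenic (got '$opt')"
        }
        else {
            $ipKeys = @($ini.Keys | Where-Object { $_ -match '^ip[0-2]$' })
            if ($ipKeys.Count -ne $nicCount[$opt]) {
                $problems += "deploymentOption=$opt expects $($nicCount[$opt]) ipN line(s), found $($ipKeys.Count); delete the excess lines"
            }
        }
    }

    if ($ini.ContainsKey('dns') -and $ini['dns'] -match ',') {
        $problems += 'dns= must separate multiple servers with spaces, not commas'
    }

    foreach ($flag in 'honorCipherOrder', 'tunnelGatewayEnabled', 'airwatchOutboundProxy', 'ntlmAuthentication') {
        if ($ini.ContainsKey($flag) -and $ini[$flag] -notin 'true', 'false') {
            $problems += "$flag must be true or false (got '$($ini[$flag])')"
        }
    }

    # The API server password entered at the prompt is sent to this URL during setup.
    if ($ini.ContainsKey('apiServerUrl') -and $ini['apiServerUrl'] -notmatch '^https://') {
        $problems += 'apiServerUrl should use https://'
    }

    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Usage: run from the folder holding the INI before uagdeploy.ps1 / uagdeployhv.ps1.
$check = Test-UagTunnelIni -Path '.\AWTunnel.ini' -Hypervisor vSphere
$check.Problems | ForEach-Object { Write-Warning $_ }
if ($check.Valid) { Write-Host 'template.ini passes pre-flight checks.' }
```

Pass -Hypervisor HyperV for the Hyper-V template, which has no target= line; every other check applies to both variants. The target= check is the security-relevant one: it fails the file whenever the PASSWORD placeholder has been replaced, so vCenter credentials are never stored in the INI that is reused across deployments.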
Run the VMware Tunnel PowerShell Script
After configuring the .ini template file, run the PowerShell script to configure the OVA and deploy VMware Tunnel. The PowerShell script provides validation checks that are not available when deploying the OVA using vSphere. The INI file passes the VMware Tunnel configuration to the OVA file.
- Windows administrator privileges
- PowerShell 4. The PowerShell script runs on Windows 8.1 or later, or on Windows Server 2008 R2 or later. The machine can be a vCenter Server running on Windows or a separate Windows machine.
- VMware OVF Tool 4.1 (available on my.vmware.com)
- Configured .ini template file to pass the configuration values to the appliance (part of the OVA download package available on Workspace ONE UEM Resources at https://resources.air-watch.com/view/sbfsfykltpqfxhvg9tpy/en)
- PowerShell script to configure the appliance (part of the OVA download package available on Workspace ONE UEM Resources at https://resources.air-watch.com/view/sbfsfykltpqfxhvg9tpy/en)
- Communication between the Windows machine used to deploy the OVA and your vSphere instance
- Supported hypervisor:
  - vSphere v5, 5.1, 5.5, or 6 - vSphere ESX host with a vCenter Server
  - Microsoft Hyper-V - Windows Server 2012 R2 or Windows Server 2016
- Open PowerShell as an administrator.
- Navigate to the folder containing your PowerShell script and modified .ini template.
- Enter the following command:
  - For vSphere deployments: .\uagdeploy.ps1 <Ini file name>
  - For Hyper-V: .\uagdeployhv.ps1 <Ini file name>
  Example: .\uagdeploy.ps1 AWTunnel.ini
- Enter the password for each prompt:
  - Appliance Password: Enter the password for the root user.
  - REST API: Enter the admin UI password.
  - API server password: Enter the API server password.
  - Outbound proxy: Optional. If using a proxy with authentication, enter the outbound proxy password.
  - vSphere User password: If using vSphere, enter the password for the vSphere user that can deploy VMs.
After you enter each password, PowerShell validates it.
Once all passwords are entered, the Unified Access Gateway uploads to the hypervisor, and the machine configures itself and installs. You must wait for the script to finish for the network to initialize. Progress can be tracked by viewing the machine from vSphere or Hyper-V.
Running the PowerShell script with values matching an existing instance in vSphere destroys the existing appliance and deploys a new instance in its place. You cannot run the same INI template for Hyper-V: the Unified Access Gateway name must be different each time you deploy through PowerShell.
After a successful deployment, the Workspace ONE UEM Appliance Agent starts immediately and the monitoring services for VMware Tunnel start after 60 seconds.
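Since re-running the script against a name that already exists in vSphere destroys that appliance, and Hyper-V requires a fresh name every time, a small wrapper that checks the hypervisor for the INI's name= value before invoking the VMware script removes the most common way of losing a working tunnel. The wrapper below is an added example, not VMware's uagdeploy.ps1 or uagdeployhv.ps1 and not from the documentation. It assumes that for vSphere the VMware PowerCLI module is loaded and Connect-VIServer has already been run, and that for Hyper-V the Hyper-V module is loaded; both modules provide a Get-VM cmdlet that accepts -Name. The -ReplaceExisting switch is this example's own.

```powershell
# Added example (not VMware's code): refuse to start the VMware Tunnel deployment
# when a VM with the INI's name= already exists, unless the operator opts in.
# Assumptions: PowerCLI (Connect-VIServer already done) or the Hyper-V module is
# loaded; uagdeploy.ps1 / uagdeployhv.ps1 sit in the current folder.
param(
    [Parameter(Mandatory = $true)][string]$IniPath,
    [ValidateSet('vSphere', 'HyperV')][string]$Hypervisor = 'vSphere',
    [switch]$ReplaceExisting   # explicit opt-in to let an existing vSphere appliance be destroyed
)

# Pull the name= value out of the INI file; commented-out lines (#name=...) do not match.
$match = Select-String -Path $IniPath -Pattern '^\s*name\s*=\s*(.+?)\s*$' | Select-Object -First 1
if (-not $match) { throw "No name= setting found in $IniPath" }
$vmName = $match.Matches[0].Groups[1].Value

# Get-VM returns nothing (and, with SilentlyContinue, no error) when the name is unknown.
$existing = @(Get-VM -Name $vmName -ErrorAction SilentlyContinue)
if ($existing.Count -gt 0) {
    if ($Hypervisor -eq 'HyperV') {
        throw "A VM named '$vmName' already exists on Hyper-V; set a new name= in $IniPath"
    }
    if (-not $ReplaceExisting) {
        throw "A VM named '$vmName' already exists in vSphere and would be destroyed; set a new name= or re-run with -ReplaceExisting"
    }
    Write-Warning "Existing appliance '$vmName' will be destroyed and replaced."
}

# Hand off to the VMware script, which prompts for the passwords itself.
$deployScript = if ($Hypervisor -eq 'vSphere') { '.\uagdeploy.ps1' } else { '.\uagdeployhv.ps1' }
& $deployScript $IniPath
```

Save the wrapper next to the VMware scripts and call it as .\Invoke-UagTunnelDeploy.ps1 -IniPath .\AWTunnel.ini -Hypervisor vSphere (the file name is your choice). Because PowerCLI and the Hyper-V module both define Get-VM, load only the module for the hypervisor you are deploying to in that session.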