Deploying with Unified Access Gateway (UAG)

System Requirements

To deploy, your system must meet the following hypervisor, software and hardware requirements.

Hypervisor: A hypervisor is required to deploy the virtual appliance. You must have a dedicated admin account with full privileges to deploy the OVF. VMware Tunnel supports both VMware vSphere 6.0+ web client and Microsoft Hyper-V on Windows Server 2012 R2 or Windows Server 2016.

Software: The most recent version of UAG. supports backwards compatibility between Unified Access Gateway and the Workspace ONE UEM console. The backward compatibility allows you to upgrade your VMware Tunnel Server shortly after upgrading your Workspace ONE UEM console. To ensure parity between Workspace ONE UEM console and VMware Tunnel, consider planning an early upgrade.

Hardware: The OVF package for Unified Access Gateway automatically selects the virtual machine configuration that VMware Tunnel requires. Although you can change these settings, do not change the CPU, memory, or disk space to smaller values than the default OVF settings. To change the default settings, power off the VM in vCenter. Right-click the VM and select Edit Settings. The default configuration uses 4 GB of RAM and 2 CPUs. You must change the default configuration to meet your hardware requirements. To handle all the device loads and maintenance requirements, consider running a minimum of two Tunnel Servers.


Number of Devices	Up to 40,000	40,000-80,000	80,000-120,000	120,000-160,000
Number of Servers	2	3	4	5
CPU Cores	4 CPU Cores*	4 CPU Cores each	4 CPU Cores each	4 CPU Cores each
RAM (GB)	8	8	8	8
Hard Disk Space (GB)	400 MB for installer ~10 GB for log file space, but scale the log file size based on your log use and requirements for storing the logs.

While it is possible to deploy only a single VMware Tunnel appliance as part of a smaller deployment, consider deploying at least two load-balanced servers with four CPU Cores each regardless of the number of devices for uptime and performance purposes.

Note: UAG needs to use the External AWCM endpoint and not the internal endpoint.

Network Requirements for VMware Tunnel

When configuring the ports listed below, note that all the traffic is uni-directional (outbound) from the source component to the destination component.


Source Component	Destination Component	Protocol	Port	Verification	Note
Devices (from Internet and Wi-Fi)	Tunnel Proxy	HTTPS	2020*	After installation, run the following command to validate: netstat -tlpn \| grep [Port]	1
Devices (from Internet and Wi-Fi)	Tunnel Per-App Tunnel	TCP/UDP	8443*	After installation, run the following command to validate: netstat -tlpn \| grep [Port]	1
Admin UI	Unified Access Gateway	TCP	9443		1

Table 1. VMware Tunnel Basic Endpoint Configuration
Source Component	DestinationComponent	Protocol	Port	Verification	Note
VMware Tunnel	AirWatch Cloud Messaging Server**	HTTPS	SaaS: 443 On-Prem: 2001*	curl -Ivv https://<AWCM URL>:<port>/awcm/status The expected response is `HTTP 200–OK`.	2
VMware Tunnel	Workspace ONE UEM REST API Endpoint SaaS: https://asXXX.awmdm.com On-Prem: Most commonly your DS or Workspace ONE UEM console	HTTP or HTTPS	SaaS: 443 On-Prem: 80 or 443	curl -Ivv https://<API URL>/api/mdm/ping The expected response is `HTTP 401–unauthorized`.	5
VMware Tunnel	Internal resources	HTTP, HTTPS, or TCP/UDP	80, 443, Any TCP/UDP	Confirm that Tunnel can access internal resources over the required port.	4
VMware Tunnel	Syslog Server	UDP	514*
Workspace ONE UEM console	VMware Tunnel Proxy	HTTPS	2020	On-premises customers can test the connection using the following telnet command: `<Tunnel Proxy URL> <Port>`	6

Table 2. VMware Tunnel Cascade Configuration
Source Component	DestinationComponent	Protocol	Port	Verification	Note
VMware Tunnel Front-End	AirWatch Cloud Messaging Server**	TLS v1.2	SaaS: 443 On-Prem: 2001*	Verify by using `wget`to https://<AWCM URL > :<port > /awcm/status and ensure that you receive `HTTP 200` response.	2
VMware Tunnel Front-End	Tunnel Back-End	TLS v1.2	8443*	Telnet from Tunnel Front-End to the Tunnel Back-End server on port.	3
VMware Tunnel Back-End	AirWatch Cloud Messaging Server**	TLS v1.2	SaaS: 443 On-Prem: 2001*	Verify by using `whet` to https://<AWCM URL > :<port > /awcm/status and ensure that you receive `HTTP 200` response.	2
VMware Tunnel Back-End	Internal websites/web apps	TCP/UDP	80 or 443		4
VMware Tunnel Back-End	Internal resources	TCP/UDP	80, 443, Any TCP/UDP		4
VMware Tunnel Front-End and Back-End	Workspace ONE UEM REST API Endpoint SaaS: https://asXXX.awmdm.com On-Prem: Most commonly your DS or Workspace ONE UEM console	TLS v1.2	80 or 443	curl -Ivv https://<API URL>/api/mdm/ping The expected response is `HTTP 401–unauthorized`.	5

Table 3. VMware Tunnel Relay-Endpoint Configuration
Source Component	DestinationComponent	Protocol	Port	Verification	Note
VMware Tunnel Relay	AirWatch Cloud Messaging Server**	HTTP or HTTPS	SaaS: 443 On-Prem: 2001*	curl -Ivv https://<AWCM URL>:<port>/awcm/status. The expected response is `HTTP 200–OK`.	2
VMware Tunnel Endpoint and Relay	Workspace ONE UEM REST API Endpoint SaaS: https://asXXX.awmdm.com On-Prem: Most commonly your DS or Workspace ONE UEM console	HTTP or HTTPS	80 or 443	curl -Ivv https://<API URL>/api/mdm/ping The expected response is `HTTP 401–unauthorized`. The Tunnel Endpoint requires access to the REST API Endpoint only during the initial deployment.	5
VMware Tunnel Relay	Tunnel Endpoint	HTTPS	2010*	Telnet from Tunnel Relay to the Tunnel Endpoint server on port.	3
VMware Tunnel Endpoint	Internal resources	HTTP, HTTPS, or TCP	80, 443, Any TCP	Confirm that the Tunnel can access internal resources over the required port.	4
VMware Tunnel	Syslog Server	UDP	514*
Workspace ONE UEM console	Tunnel Proxy	HTTPS	2020	On-premises customers can test the connection using the telnet command: `<Tunnel Proxy URL> <Port>`	6

All *s mean that this port number can be changed if needed based on your environment's restrictions.

Note Reference:

Devices connect to the public DNS configured for Tunnel over the specified port. If 443 is used, Per-App Tunnel component listens on port 8443.
For the Tunnel to query the Workspace ONE UEM console for compliance and tracking purposes.
For Tunnel Relay topologies to forward device requests to the internal Tunnel endpoint only.
For applications using Tunnel to access internal resources.
The Tunnel must communicate with the API for initialization. Ensure that there is connectivity between the REST API and the Tunnel server. Navigate to Groups & Settings > All Settings > System > Advanced > Site URLS to set the REST API server URL. This page is not available to SaaS customers. The REST API URL for SaaS customers is most commonly your Console or Devices Services server URL.
This is required for a successful "Test Connection" to the VMware Tunnel Proxy from the Workspace ONE UEM console. The requirement is optional and can be omitted without loss of functionality to devices. For SaaS customers, the Workspace ONE UEM console must already have inbound connectivity to the Tunnel Proxy on port 2020 due to the inbound Internet requirement on port 2020.

Network Interface Connection Requirements: You can use one, two, or three network interfaces, and the VMware Tunnel virtual appliance requires a separate static IP address for each. Many DMZ implementations use separated networks to secure the different traffic types. Configure the virtual appliance according to the network design of the DMZ in which it is deployed. Consult your network admin for information regarding your network DMZ.

One network interface is appropriate for POCs (proof of concept) or testing. With one NIC, external, internal, and management traffic is all on the same subnet.
With two network interfaces, external traffic is on one subnet, and internal and management traffic are on another subnet.
With a third NIC, external, internal, and management traffic all has their own subnets.

Deploying with UAG by Single-Tier (Basic) Mode

In the Workspace ONE UEM console, you will want to use the installer to configure Single-Tier mode and also select the basic-endpoint mode.

The basic endpoint deployment model of VMware Tunnel is a single instance of the product installed on a server with a publicly available DNS (domain name system). Basic Tunnel is typically installed in the internal network behind a load balance r in the DMZ (demilitarized zone) that forwards traffic on the configured ports to the VMware Tunnel, which then connects directly to your internal Web applications. All deployment configurations support load balancing and reverse proxy.

The basic endpoint Tunnel server communicates with API and AWCM (VMware AirWatch Cloud Messaging) to receive a allowlist of clients allowed to access VMware Tunnel. The Tunnel component supports using an outbound proxy to communicate with API/AWCM in this deployment model. When a device connects to Tunnel, it is authenticated based on unique X.509 certificates issued by Workspace ONE UEM. Once a device is authenticated, the Tunnel (basic endpoint) forwards the request to the internal network.

If the basic endpoint is installed in the DMZ, the proper network changes must be made to allow the VMware Tunnel to access various internal resources over the necessary ports. Installing this component behind a load balancer in the DMZ minimizes the number of network changes to implement the Tunnel and provides a layer of security because the public DNS is not pointed directly to the server that hosts the VMware Tunnel.

Image shows both Saas and On-Premises Single-Tier Models

Deploying with UAG by Multi-Tier (Cascade) Mode

In the Workspace ONE UEM console, you will want to use the installer to configure Multi-Tier mode and also select the Cascade-endpoint mode. The cascade deployment model architecture includes two instances of the VMware Tunnel with separate roles. In cascade mode, the front-end server resides in the DMZ (demilitarized zone) and communicates to the back-end server in your internal network.

Devices access the front-end server for cascade mode using a configured hostname over configured ports. The default port for accessing the front-end server is port 8443. The back-end server for cascade mode is installed in the internal network hosting your intranet sites and web applications. This deployment model separates the publicly available front-end server from the back-end server that connects directly to internal resources, providing an extra layer of security.

The front-end server facilitates authentication of devices by connecting to AWCM (VMware AirWatch Cloud Messaging) when requests are made to the VMware Tunnel. When a device makes a request to the Tunnel, the front-end server determines if the device is authorized to access the service. Once authenticated, the request is forwarded securely using TLS over a single port to the back-end server.

The back-end server connects to the internal DNS or IP requested by the device.

Cascade mode communicates using TLS connection (or optional DTLS connection). You can host as many front-end and back-end servers as you like. Each front-end server acts independently when searching for an active back-end server to connect devices to the internal network. You can set up multiple DNS entries in a DNS lookup table to allow load balancing.

Both the front-end and back-end servers communicate with the Workspace ONE UEM API server and AWCM. The API server delivers the VMware Tunnel configuration and the AWCM delivers device authentication, device access control list, and traffic rules. The front-end and back-end server communicates with API/AWCM through direct TLS connections unless you enable outbound proxy calls. Use this connection if the front-end server cannot reach the API/AWCM servers. If enabled, front-end servers connect through the back-end server to the API/AWCM servers. This traffic, and the back-end traffic, route using server-side traffic rules.

The following diagram illustrates the Multi-Tier deployment for the Tunnel component in cascade mode:

Image shows both Saas and On-Premises Multi-Tier Models

Configure VMware Tunnel Settings in the Unified Access Gateway UI

After deploying the Unified Access Gateway, you must configure the Tunnel edge service settings to meet your organizational needs. To configure these settings, go to your Unified Access Gateway admin UI that is hosted on your Unified Access Gateway.

Go to the URL of your Unified Access Gateway admin UI. The URL uses this format: https://[IP ADDRESS]:9443/admin/.
Enter "admin" as the username.
Enter your admin UI password. Select Login.
Select Configure Manually.
Next to Edge Service Settings, select Show.
Next to VMware Tunnel Settings, select the settings icon (
) to configure your VMware Tunnel deployment.

Customize VMware Tunnel Settings.

Settings	Descriptions
Enable VMware Tunnel Settings	Set to Yes to use the configured VMware Tunnel settings. After configuration, setting this option to No does not deactivate the Tunnel.
API Server URL	Enter the URL to your Workspace ONE UEM API server. To find the URL, go to Groups & Settings > All Settings > Advanced > Site URLs > REST API URL. The appliance contacts the Workspace ONE UEM API server to fetch your Tunnel configuration. For example, https://asXXX.example.com.
API Server Username	Enter the username of a Workspace ONE UEM console admin user account. The account must have Console Administrator privileges at a minimum. For the Tunnel Edge Service on UAG, the admin account used to save the Tunnel Service settings is only used at initial configuration. Once the Tunnel Edge Service is successfully saved and configured, further UEM API communication is secured through certificate-based authentication. The admin account will only be needed for a manual update to the Tunnel Edge Service. VMware Tunnel will continue to function even if this admin account is inactive.
API Server Password	Enter the password of a Workspace ONE UEM console admin user account. You must have Console Administrator privileges at a minimum.
Organization Group ID	Enter the Group ID for the organization group the VMware Tunnel is configured.
Tunnel Server Hostname	Enter the hostname for your Tunnel configuration. The hostname must match the hostname entered in the Tunnel configuration wizard. The Unified Access Gateway configures the instance as a relay server or an endpoint server based on the hostname. Ensure that you properly enter the hostname to avoid any issues in deployment. This is the Tunnel server hostname.

(Optional) Select the More drop-down menu to configure additional settings including Workspace ONE UEM Outbound Proxy Settings if you use an outbound proxy to make the initial call to the API server.

Setting	Description
Outbound Proxy Host	Enter the outbound proxy hostname.
Outbound Proxy Port	Enter the outbound proxy port.
Outbound Proxy User	Enter the user name if you proxy requires authentication.
Outbound Proxy Password	Enter the password for your outbound proxy if your proxy requires authentication.
NTLM Authentication	Enable if your proxy requires NTLM authentication.
Use for VMware Tunnel Proxy	Enable to use these proxy settings as the outbound proxy for your Tunnel- Proxy deployment.
Host Entries	Enter the host entries for the server. You can enter multiple host entries separated by commas. They must follow this format: IP address hostname hostname alias (optional). For example, 10.192.168.1 example1.com, 10.192.167.2 example2.com. Use this option if your DNS is not publicly available or accessible from the DMZ.
Trusted Certificates	Select to upload a PEM certificate to add to the trusted store. Select the plus icon to upload additional certificates. This feature only supports PEM certificates.

(Optional) On the Support Settings screen on this page, download the Log Archive and export your custom settings using the Export Access Point Settings option.
To finish, select Save.
The Workspace ONE UEM Appliance Agent starts immediately and the monitoring services for VMware Tunnel start after 60 seconds.

Installing Tunnel with UAG by Using vSphere

After configuring your Tunnel settings, deploy Tunnel as an edge service on the VMware Unified Access Gateway appliance to simplify the installation process. VMware supports installation using either VMware vSphere and Unified Access Gateway Admin UI or PowerShell scripting.

To Install with vSphere: There are a few steps below to complete BEFORE you begin. Then after configuring the Workspace ONE UEM console, you will download that VMware Unified Access Gateway OVA file. Then use VMware vSphere to install the Unified Access Gateway onto your server. The UAG simplifies installation of the VMware Tunnel.

Complete These Steps First:

Dedicated vSphere Admin Account with full privileges to deploy OVF.
Communication between the Windows machine used to deploy the OVA and your vSphere instance.
Confirm you are using vSphere 6.0+
Confirm vSphere ESX host with a vCenter Server.
Determine the number of network interfaces and static IP addresses to configure for the Unified Access Gateway appliance.

Important: VMware Tunnel Unified Access Gateway deployment does NOT support the VMware vSphere desktop client. You must use the VMware vSphere web client or the PowerShell deployment method.

Now you are ready to install VMware Tunnel using vSphere.

Log in to the vSphere Web client.
Navigate to VMs and Templates.
Select the folder where you want to deploy the Unified Access Gateway OVA file. Right-click the file and select Deploy OVF Template.
Select the OVA file on your local machine or enter the URL for the OVA file. Click Next.
Review the template details and select Next.
Enter a unique Name for the deployment, and then select the folder or data center to hold the OVA file and select Next.
Select the number of Network Interface Controllers (NICs) you want to associate with the appliance for your deployment configuration. Click Next.
On the Select a Resource screen, select a location to run the template.
Select the storage and disk format options. When finished, select Next.
1. Virtual Disk Format: For evaluation and testing, select the Thin Provision format. For production environments, select one of the Thick Provision formats.
2. VM Storage Policy: The values in this text box are defined by your vSphere administrator.
Configure the Network Mapping settings. Enter the vSphere network names. The network protocol profiles associated with every referenced network name determine the DNS servers, gateway, and subnet mask. If it is absent, you must enter the values in the next step. When finished, select Next.
Configure the Properties settings. These settings include the Network Properties and the Password Options:
1. Customize the Network Properties as they relate to your VMware Tunnel network configuration.
2. Configure the password for the root user of the VM.
3. Configure the password for the REST API access. The REST API password is the password for the admin UI. You must follow the password requirements:
  - The password must be 8 characters long.
  - The password must contain at least one special character which includes !@#$*() .
  - The password must contain at least one lowercase character.
  - The password must contain at least one uppercase character.
  Note: If you do not properly follow the password requirements, installation fails without explanation. There is no validation at the end of this deployment. If you mistakenly enter in the wrong password, there is no warning informing you of an incorrect password.
4. When finished, select Next.
Review the OVA settings and select the Power on after deployment.
Select Finish to deploy the Unified Access Gateway.
To complete the configuration of the VMware Tunnel, you must log into the Unified Access Gateway admin UI to customize your settings.

Installing Tunnel with UAG by Using PowerShell Script

After configuring your Tunnel settings, deploy Tunnel as an edge service on the VMware Unified Access Gateway appliance to simplify the installation process. An alternative to using the vSphere client to deploy the VMware Tunnel OVA file, you can use a PowerShell script. The PowerShell method provides settings validation checks to prevent errors during deployment. PowerShell enables you to deploy multiple instances of VMware Tunnel quickly and easily. Use the same .ini template to run the script multiple times.

The PowerShell method will require adding your Tunnel configuration settings to the .ini template and running the script. When the script runs, it prompts the user for necessary authentication to appliance root user, REST API (admin UI), Workspace ONE UEM administrator, optional outbound proxy password, and vCenter. Each password is then validated so you can easily troubleshoot why the deployment failed.

Configure the vSphere .INI Template

After configuring Tunnel in the Workspace ONE UEM console and downloading the OVA file, configure the vSphere template.ini file with your Unified Access Gateway settings. The PowerShell script uses the template to configure your Unified Access Gateway deployment.

Complete the following steps to configure the vSphere .INI Template:

Download the Unified Access Gateway Using vSphere ZIP from Workspace ONE UEM Resources. Workspace ONE UEM Resources are available at https://resources.air-watch.com/view/sbfsfykltpqfxhvg9tpy/en.
Download the Unified Access Gateway Using vSphere ZIP from Workspace ONE UEM Resources.
Unzip the file and locate the template.ini file.
Right click the file and select Open With. Select notepad or your preferred file editor.

Configure the template.ini settings.


Settings	Descriptions
name=<VIRTUAL_MACHINE_NAME>	Enter the Unified Access Gateway unique name. Example: name=TunnelAppliance
source=<OVA_FILE_PATH>	Enter the full file path to the OVA file on your local machine. Example: source=C:\access-point.ova
target=vi://<USERNAME>:PASSWORD@<VSPHEREDOMAIN>/<LOCATION/TO/PLACE/APPLIANCE/IN/VSPHERE>	Enter the vCenter user name and address/hostname. Then enter the location to place the appliance in vSphere. Do not remove the PASSWORD. PASSWORD in upper case results in a password prompt during deployment so that passwords do not need to be specified in this INI file. Example: target=vi://admin@vmware.com:PASSWORD@vsphere.com/MyMachines/host/Development/Resources/MyResourcePool
deploymentOption=<NUMBER_OF_NICS> dns=<DNS_IP> ip0=<NIC1_IP_ADDRESS> ip1=<NIC2_IP_ADDRESS> ip2=<NIC3_IP_ADDRESS>	Enter the number of Network Interface Controllers you want to associate with the appliance for your deployment configuration. Your options are: onenic twonic threenic Then enter the address for each NIC you are using. Delete the excess lines if you are not using all three. The different IP addresses entered change based on your NIC settings. If you use one NIC, then the IP address is used for all communications. If you use two NICs, then ip0 is for external communications and ip1 is for internal communications. If you use three NICs, then ip0 is for external communications. Ip1 is for the admin UI only and ip2 is for internal communications. For best results, consult your network admins. Example: deploymentOption=threenic For dns=, enter the DNS server address to configure the appliance resolv.conf file. If you use multiple DNS servers, enter the addresses separated by a space value. Do not use commas.
ds=<DATA_STORE_NAME>	Enter the name of your vSphere datastore.
netInternet=<NIC1_IP_NETWORK_NAME> netManagementNetwork=<NIC2_IP_NETWORK_NAME> netBackendNetwork=<NIC3_IP_NETWORK_NAME>	Enter the vSphere network names. If you are not using network profiles, manually enter the netmask or prefix for the respective NICs and the IPv4/IPv6 default gateway.This specifies network settings such as IPv4 subnet mask, gateway etc.
netmask0=<NIC1_NETMASK> netmask1=<NIC2_NETMASK> netmask2=<NIC3_NETMASK>	Enter the subnet mask for the networks added when configuring the netInternet, netManagementNetwork, and netBackendNetwork settings.
defaultGateway	Enter the gateway for the network added when configuring the netInternet setting.
honorCipherOrder=<true_or_false>	Enter true to force the TLS cipher order to be the order specified by the server.
tunnelGatewayEnabled=<true_or_false>	Enter true if you are using the VMware Tunnel- Proxy. Example: tunnelGatewayEnabled=true
apiServerUrl=<API_SERVER_URL>	Enter the API server URL.To find the URL, navigate to Groups & Settings > All Settings > Advanced > Site URLs > REST API URL.
apiServerUsername=<API_SERVER_USERNAME>	Enter the user name of an Workspace ONE UEM console admin user account. This user is an admin user with API permissions. Consider using an account with Console Administrator privleges.
organizationGroupCode=<ORGANIZATION_GROUP_CODE>	Enter the Organization Group ID the VMware Tunnel is configured for.
airwatchServerHostname= <HOSTNAME>	Enter the hostname or IP address for the Unified Access Gateway. Ensure that this field matches what is entered in the Workspace ONE UEM console to prevent installation issues.
outboundProxyPort=<OUTBOUND_PROXY_PORT>	Enter the outbound proxy port if you use an outbound proxy for the initial setup API call or for tunnel traffic. This field is commented out by default.
outboundProxyHost=<OUTBOUND_PROXY_HOST>	Enter the outbound proxy host if you use an outbound proxy for the initial setup API call or for tunnel traffic. This field is commented out by default.
airwatchOutboundProxy=<true or false>	Enter true to use these proxy settings as the outbound proxy for your VMware Tunnel - Proxy deployment. This field is commented out by default.
ntlmAuthentication=<true or false>	Enter true if you use NTLM authentication for the initial setup API call or for tunnel traffic. This field is commented out by default.
hostEntry1=<HOSTNAME>	Enter additional host entries for the appliance. You can add multiple host entries. Increase the number for each entry. For example, hostEntry2, hostEntry3, and so on. This field is commented out by default.
trustedCert1=<CERT_FILE_PATH>	Enter the file path for the trusted certificates. You can add multiple trusted certificates. Increase the for each entry. For example, trustedCert2, trustedCert3, and so on. This field is commented out by default.

Save the file in the same folder as the PowerShell script and run the PowerShell script.

Configure the Hyper-V .INI Template

After configuring the Tunnel in the Workspace ONE UEM console, download and configure the Hyper-V template.ini file with your Unified Access Gateway settings. The PowerShell script uses the template to configure your Unified Access Gateway deployment. Watch a tutorial video explaining how to deploy the VMware Tunnel Unified Access Gateway using PowerShell: VMware Tunnel Powershell deployment.

Complete the following steps to configure the Hyper-V .INI Template:

Download the Unified Access Gateway Using Hyper-V ZIP from Workspace ONE UEM Resources.Workspace ONE UEM Resources are available at VMware Tunnel on Unified Access Gateway v3.3 (Using HyperV).
Unzip the file and locate the template.ini file.
Right click the file and select Open With. Select notepad or your preferred file editor.

Configure the template.ini settings.


Settings	Descriptions
name=<VIRTUAL_MACHINE_NAME>	Enter the Unified Access Gateway unique name. This name must be different every time you deploy the Unified Access Gateway. Example: name=TunnelAppliance
source=<OVA_FILE_PATH>	Enter the full file path to the OVA file on your local machine. Example: source=C:\access-point.ova
deploymentOption=<NUMBER_OF_NICS> dns=<DNS_IP> ip0=<NIC1_IP_ADDRESS> ip1=<NIC2_IP_ADDRESS> ip2=<NIC3_IP_ADDRESS>	Enter the number of Network Interface Controllers you want to associate with the appliance for your deployment configuration. Your options are: onenic twonic threenic Then enter the address for each NIC you are using. Delete the excess lines if you are not using all three. The different IP addresses entered change based on your NIC settings. If you use one NIC, then the IP address is used for all communications. If you use two NICs, then ip0 is for external communications and ip1 is for internal communications. If you use three NICs, then ip0 is for external communications. Ip1 is for the admin UI only and ip2 is for internal communications. For best results, consult your network admins. Example: deploymentOption=threenic For dns=, enter the DNS server address to configure the appliance resolv.conf file. If you use multiple DNS servers, enter the addresses separated by a space value. Do not use commas.
ds=<DATA_STORE_NAME>	Enter the name of your Hyper-V datastore.
netInternet=<NIC1_IP_NETWORK_NAME> netManagementNetwork=<NIC2_IP_NETWORK_NAME> netBackendNetwork=<NIC3_IP_NETWORK_NAME>	Enter the virtual switch names. A virtual switch must to be created for the referenced networks.
netmask0=<NIC1_NETMASK> netmask1=<NIC2_NETMASK> netmask2=<NIC3_NETMASK>	Enter the subnet mask for the networks added when configuring the netInternet, netManagementNetwork, and netBackendNetwork settings.
defaultGateway	Enter the gateway for the network added when configuring the netInternet setting.
honorCipherOrder=<true_or_false>	Enter true to force the TLS cipher order to be the order specified by the server.
tunnelGatewayEnabled=<true_or_false>	Enter true if you are using the VMware Tunnel - Proxy. Example: tunnelGatewayEnabled=true
apiServerUrl=<API_SERVER_URL>	Enter the API server URL.To find the URL, navigate to Groups & Settings > All Settings > Advanced > Site URLs > REST API URL.
apiServerUsername=<API_SERVER_USERNAME>	Enter the user name of an Workspace ONE UEM console admin user account. This user is an admin user with API permissions. Consider using an account with Console Administrator privleges.
organizationGroupCode=<ORGANIZATION_GROUP_CODE>	Enter the Organization Group ID the VMware Tunnel is configured for.
airwatchServerHostname= <HOSTNAME>	Enter the hostname or IP address for the Unified Access Gateway. Ensure that this field matches what is entered in the Workspace ONE UEM console to prevent installation issues.
outboundProxyPort=<OUTBOUND_PROXY_PORT>	Enter the outbound proxy port if you use an outbound proxy for the initial setup API call or for tunnel traffic. This field is commented out by default.
outboundProxyHost=<OUTBOUND_PROXY_HOST>	Enter the outbound proxy host if you use an outbound proxy for the initial setup API call or for tunnel traffic. This field is commented out by default.
airwatchOutboundProxy=<true or false>	Enter true to use these proxy settings as the outbound proxy for your VMware Tunnel - Proxy deployment. This field is commented out by default.
ntlmAuthentication=<true or false>	Enter true if you use NTLM authentication for the initial setup API call or for tunnel traffic. This field is commented out by default.
hostEntry1=<HOSTNAME>	Enter additional host entries for the appliance. You can add multiple host entries. Increase the number for each entry. For example hostEntry2, hostEntry3, and so on. This field is commented out by default.
trustedCert1=<CERT_FILE_PATH>	Enter the file path for the trusted certificates. You can add multiple trusted certificates. Increase the for each entry. For example, trustedCert2, trustedCert3, and so on. This field is commented out by default.

Save the file in the same folder as the PowerShell script and run the PowerShell script.

Run the VMware Tunnel PowerShell Script

After configuring the .ini template file, run the PowerShell script to configure the OVA and deploy Tunnel. The PowerShell script provides validation checks that are not available when deploying the OVA using vSphere.

The following tools are required:

Windows administrator privileges
PowerShell 4: The PowerShell script runs on Windows 8.1 or later machines or Windows Server 2008 R2 or later. The machine can also be a vCenter Server running on Windows or a separate Windows machine.
VMware OVF Tool 4.1 (available on my.vmware.com)
Configured .ini template file to pass the configuration values to the appliance (part of the OVA download package available on Workspace ONE UEM Resources at https://resources.air-watch.com/view/sbfsfykltpqfxhvg9tpy/en)
PowerShell script to configure the appliance (part of the OVA download package available on Workspace ONE UEM Resources at https://resources.air-watch.com/view/sbfsfykltpqfxhvg9tpy/en)
Communication between the Windows machine used to deploy the OVA and your vSphere instance
Supported Hypervisor: vSphere v5, 5.1, 5.5, or 6 - vSphere ESX host with a vCenter Server or Microsoft Hyper-V - Windows Server 2012 R2 or Windows Server 2016

Complete the following steps to run the Tunnel PowerShell Script:

Open PowerShell as an administrator.
Navigate to the folder containing your PowerShell script and modified .ini template.
Enter the following command: For vSphere deployments: .\uagdeploy.ps1 <Ini file name>, For Hyper-V: .\uagdeployhv.ps1 <Ini file name>
```
.\uagdeploy.ps1 AWTunnel.ini
```

Enter the password for each prompt:


Setting	Description
Appliance Password	Enter password for the root user.
REST API	Enter the admin UI password.
API server password	Enter the API server password.
Outbound proxy	Optional. If using a proxy with authentication, enter outbound proxy.
vSphere User password	If using vSphere, enter the password for the vSphere User that can deploy VMs.

After entering each password, PowerShell validates the entered password.

Once all passwords are entered, the Unified Access Gateway uploads to the hypervisor and the machine configures itself and installs. You must wait for the script to finish for the network to initialize. Progress can be tracked by viewing the machine from vSphere or Hyper-V.

Running the PowerShell with the values matching an existing instance in vSphere destroys the existing appliance and deploys a new instance instead. You cannot run the same INI template for Hyper-V. The Unified Access Gateway name must be different each time you deploy through PowerShell.

After a successful deployment, the Workspace ONE UEM Appliance Agent starts immediately and the monitoring services for VMware Tunnel start after 60 seconds.

Upgrade VMware Tunnel Deployed with Unified Access Gateway

VMware Tunnel is backwards compatible with updated versions of the Workspace ONE UEM console. Upgrade the Tunnel product whenever you perform any major version upgrades.

The Unified Access Gateway appliance supports a Zero Downtime Upgrade process. For more information, see the Unified Access Gateway Documentation.

Upgrade VMware Tunnel Deployed with Unified Access Gateway Using vSphere

Complete the following steps to Upgrade VMware Tunnel Deployed with Unified Access Gateway Using vSphere

Access the Unified Access Gateway admin UI from a browser.
Select Configure Manually.
Scroll down to the bottom and select Export Unified Access Gateway Settings.
Download the new OVA package from Workspace ONE UEM Resources. Workspace ONE UEM Resources are available at Download Unified Access Gateway.
Deploy the new OVA in place of the existing OVA. Follow the steps you used before. See Install VMware Tunnel using vSphere.
Instead of manually configuring the settings, select Import Settings.
Browse for the downloaded export JSON file.
Select Import.

Upgrade VMware Tunnel Deployed with Unified Access Gateway using the PowerShell Script

You can upgrade VMware Tunnel deployed with Unified Access Gateway using the PowerShell Script.

Download the new OVA package from Workspace ONE UEM Resources. Workspace ONE UEM Resources are available at Download Unified Access Gateway.
Use the same .ini template from your previous deployment with the PowerShell script.
Run the VMware Tunnel PowerShell Script.