VMware Unified Access Gateway Technical Deep Dive
The VMware Unified Access Gateway (formerly called Access Point) is a platform that provides secure edge services and access to defined resources that reside in the internal network. This allows authorized, external users to access internally located resources in a secure manner.
This blog and the accompanying videos give an overview of the Unified Access Gateway. We also cover deployment requirements, options and demonstrations of the two deployment methods. Lastly, we include information on scaling, upgrades, authentication options, logs and troubleshooting.
The Unified Access Gateway can be used for multiple use cases, including:
- Remote access to VMware Horizon 7 desktop and applications
- Reverse proxying of web servers
- Access to on-premises legacy applications that use Kerberos or header-based authentication with identity bridging from SAML or certificates
- Provision of VMware AirWatch or VMware Workspace ONE Per=App Tunnels and Tunnel Proxy to allow mobile applications secure access to internal services
- Running the VMware Content Gateway service to allow VMware Content Locker access to internal file shares or Microsoft SharePoint repositories
These use cases can be mixed to run multiple services on the same Unified Access Gateway instance or separated out on multiple Unified Access Gateway instances, depending on the desired architecture and the scale of the environment.
Unified Access Gateway is usually deployed in the DMZ, run on a hardened version of SUSE Linux Enterprise Server 12 and is currently undergoing FIPS and Common Criteria certification. It is intended as a replacement for older gateway solutions, such as the Horizon security server, the AirWatch Tunnel and the standalone Content Gateway.
To enhance security options, Unified Access Gateway provides many integration options for authentication, including smart card, certificates, SAML pass-through, RADIUS and RSA SecurID. The Unified Access Gateway architecture keeps unauthenticated traffic in the DMZ. Traffic is allowed through to the internal network only after authentication has been successful.
Deployment of Unified Access Gateway
There are two ways to deploy and configure a Unified Access Gateway:
- vSphere OVF template and administrator console
- PowerShell script
Deploying Unified Access Gateway With the vSphere OVF Template
The vSphere OVF template deployment method is a two-phase process. First, use the VMware vSphere Client to deploy the virtual machine using the OVF template option. Second, log in to the Unified Access Gateway administrator console on the deployed virtual machine to configure the Unified Access Gateway appliance and edge services.
https://<IP Address or FQDN>:9443/admin/
Deploying Unified Access Gateway With PowerShell
The PowerShell deployment method for Unified Access Gateway allows for the mastering of all settings into a single INI file, including the Unified Access Gateway appliance settings and the edge services. This means the Unified Access Gateway appliance is fully configured with certificates and edge services on first boot. This aids with repeat installations and upgrades, and expedites large deployments.
To deploy Unified Access Gateway with PowerShell, use the script and sample setting files provided in the community article, “Using PowerShell to Deploy VMware Unified Access Gateway.”
First, get the latest files:
- Download and install the latest OVF tools from my.vmware.com.
- Download the latest Unified Access Gateway OVA file from my.vmware.com.
Next, configure the PowerShell script for your environment.
1. From “Using PowerShell to Deploy VMware Unified Access Gateway,” download the uagdeploy-310-v3.zipor later file and extract the contents.
2. Make a copy and edit one of the sample INI files (such as uag2-advanced.ini).
3. Enter your information as required for the General and SSLCert sections.
Leave all other lines as they are. In the following example, spaces and comment lines have been removed to conserve space.
4. Copy, paste and complete edge service sections from the sample INI files as required.
5. As an example, to add secure external access to Horizon 7 resources, retain or copy in the [Horizon] section of the uag2-advanced.ini file and paste it into your INI file at the end. Change the following to the relevant values for your environment.
In the previous example:
- view.domain.com is the internal address of the Horizon Connection Server (or the internal load balancer address if you have more than one Connection Server).
- horizon.domain.com is the external address used for Horizon connections.
- 220.127.116.11 is the external IP address for horizon.domain.com
Now you are ready to deploy the Unified Access Gateway appliance.
- Open a PowerShell prompt and change to the directory where the scripts and your INI file are located.
- Be sure to use the uagdeploy.ps1, uagdeploy.psm1 and uagdeployhv.ps1 supplied with the uagdeploy-310-v3.zip file or later.
- Make sure that script execution is unrestricted for the current user. You can do this by running the command:
- set-executionpolicy -scope currentuser unrestricted
- You only need to run this once, and only if it is currently restricted.
- If you get a warning about running this script, you can unblock that warning by running the command:
- unblock-file -path .\uagdeploy.ps1
- Run .\uagdeploy.psl .\<filename>.ini and follow the prompts, entering the passwords.
- You can optionally specify the admin and root passwords as parameters which will prevent you being prompted for them.
- After the process is complete, wait a few minutes for the Unified Access Gateway appliance to boot completely.
You can monitor this process in the vSphere Client to see when the assigned IP address is reported on the summary page for the VM. If you have all the settings in the INI file completed correctly, and your certificates are in order, you will have a fully operational Unified Access Gateway that will proxy connections to your Horizon Connection Servers.
Log in to the Unified Access Gateway administrator console to check the configuration and service statuses and to add or change the configuration. If you change any settings, such as adding a new edge service, remember to export the settings and update your INI file to reflect your changes.
Scaling, Upgrades, Authentication Options & Troubleshooting
The next video covers scaling, upgrading, authentication options and troubleshooting.
With a configured Unified Access Gateway, you can export the settings and use those to quickly deploy and configure new appliances. With a load balancer situated in front of the Unified Access Gateway instances, you can scale up and down the number of appliances quickly.
With the exported settings in JSON format or your INI file, if you used the PowerShell method, you can upgrade your Unified Access Gateway appliances to a newer version. The appliance itself is treated as disposable and gets powered off and deleted, then replaced with an appliance with the same configuration. An option in the administrator console allows you to put a Unified Access Gateway appliance into quiesce mode during these types of operations to stop the load balancer from sending traffic to it.
You can configure the Unified Access Gateway service to integrate with authentication services. This allows the Unified Access Gateway to perform certificate, smart card, RSA SecurID, RADIUS and RSA Adaptive Authentication. This also allows unauthenticated traffic to be handled in the DMZ, permitting only authorized traffic through.
Use the Unified Access Gateway to design environments that need secure external access to your organization’s applications. Explore all the possible use cases, including enhancing your security by having the Unified Access Gateway handle authentication requests from the DMZ.
Many thanks to my colleague Graeme Gordon for authoring the original article here.