The Unified Access Gateway (UAG) is a VMware-developed End-User Computing (EUC) appliance that acts as a specialized gateway (or reverse proxy) managing access to enterprise EUC products deployed in a private or public cloud. It is a hardened, Linux-based appliance from VMware that is used across many VMware Horizon product families, such as:

  • Horizon 7
  • VMware Cloud on AWS
  • VMware Cloud on IBM Cloud
  • VMware Cloud on Azure
  • VMware Horizon DaaS

This blog post will cover the installation process of the UAG appliance for Horizon DaaS specifically.

Formal installation procedure

In the formal installation procedure for Horizon DaaS, the administrator manually imports the .OVA template into vCenter and configures the network interfaces, storage, and all IP address and host information. The next step is to log on via SSH to the primary Service Provider appliance and from there hop to the tenant appliance. On the tenant appliance, the administrator runs a script and follows a wizard to complete the installation.

As you can read, deploying the UAG appliance for Horizon DaaS can be a somewhat time-consuming process. It also leaves much room for manual errors while entering values in the wizard.

In this blog post, I will show you how to automate the installation with PowerShell. This procedure eliminates the manual import and the tenant script steps, saving implementation time and producing a stable, consistent and working solution in the Horizon DaaS environment.

Configuration requirements

Before we install anything, we need to gather information about the configuration. Without this information, it is not possible to deploy the UAG for Horizon DaaS.

Mandatory configuration items are:

  • Download the correct .OVA version
  • vSphere information
    • vCenter name, DataCentre name, Cluster name
    • Datastore name
  • UAG appliance name
  • Network Interface Card (NIC) deployment option
    • There are three deployment options: three NIC, two NIC, and one NIC (*)
  • VM Network name(s)
  • IP Address(es)
    • IP address(es) of the appliance itself
    • Default Gateway of the Internet-facing network
    • Subnet Mask(s)
    • DNS IP Address of the Tenant network
    • Floating IP address of the Tenant Appliances
    • Public IP address from the user portal FQDN
  • Certificate information
    • Server certificate thumbprint from the User Portal
    • Certificate chain and key files in .pem format, or a single .P12 or .PFX file
  • User Portal FQDN
  • Tenant Active Directory NetBIOS name

(*) I will explain the NIC deployment options for Horizon DaaS in a separate blog post.


Installation Requirements

The installation is not very difficult, but has a few requirements:

You can follow this VMware Community page as a reference for the installation procedure. That page also explains every configuration item, including a full list of advanced configuration settings, should your organization require them.


Creating the Configuration File

You can use the example configuration file below to implement the UAG for Horizon DaaS.

[General]

#
# UAG virtual appliance unique name (between 1 and 32 characters).
# If name is not specified, the script will prompt for it.
#

name=<UAG appliance Name>

#
# Full path filename of the UAG .ova virtual machine image
# The file can be obtained from VMware
#

source=<Location to UAG .OVA Template>

#
# vSphere environment information
# Keep the literal word PASSWORD here; the script prompts for the vCenter password at run time
#

target=vi://administrator@vsphere.local:PASSWORD@<vCenter Server Name>/<DataCentre Name>/host/<Cluster Name>/<ESXi Host Name>

#
# vSphere datastore name and provisioning mode example
#

ds=<Datastore Name>
diskMode=thin

#
# Deployment Option – onenic, twonic or threenic
#

deploymentOption=twonic

#
# Supply VM Network names
#

netInternet=<VM Network Name – Internet facing network>
netManagementNetwork=<VM Network Name – Management network>

#
# IP Addresses – Note: nic0 is always the Internet-facing network – The values below are examples.
#

ipMode=STATICV4
ip0AllocationMode=STATICV4
ip1AllocationMode=STATICV4

ip0=192.168.0.10
netmask0=255.255.255.0
routes0=0.0.0.0/0 192.168.0.1

ip1=10.0.0.10
netmask1=255.255.255.0

defaultGateway=192.168.0.1
dns=10.0.0.100

#
# UAG TCP Forward rule – For HACA Console Access from Internet – https://docs.vmware.com/en/VMware-Horizon-DaaS/services/rn/Horizon-DaaS-800-Release-Notes.html#hahc
#

forwardrules=tcp/12433/<Floating IP Address Tenant Appliances>:443

#
# Security & Misc Settings – Cipher Suite will give an A-rating on SSLLabs – Please review settings based on company Security Requirements
#

authenticationTimeout=300000
fipsEnabled=false
tls12Enabled=true
requestTimeoutMsec=3000
tls11Enabled=false
tls10Enabled=false
adminCertRolledBack=false
honorCipherOrder=true
cookiesToBeCached=none
healthCheckUrl=/favicon.ico
quiesceMode=false
isCiphersSetByUser=false
tlsPortSharingEnabled=false
ceipEnabled=false
bodyReceiveTimeoutMsec=5000
monitorInterval=60
cipherSuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
adminPasswordExpirationDays=360
httpConnectionTimeout=120
isTLS11SetByUser=false
sessionTimeout=2419200000
ssl30Enabled=false

#
# SSL Certificates
#

[SSLCert]
pfxCerts=<Location to .P12 or .PFX certificate file>

#
# Horizon DaaS 8.0.0 Settings
#

[Horizon]
proxyDestinationUrl=https://<Floating IP Address Tenant Appliances>
disableHtmlAccess=false
healthCheckUrl=/favicon.ico
queryBrokerInterval=300
matchWindowsUserName=false
windowsSSOEnabled=false
samlSP=<Tenant Active Directory NetBIOS Name>
gatewayLocation=External
proxyDestinationUrlThumbprints=sha1:<Certificate Thumbprint User Portal>
tunnelExternalUrl=<User Portal FQDN>:443
blastExternalUrl=<User Portal FQDN>:8443
smartCardHintPrompt=false
proxyPattern=/|/(.*\.action|admin|images/|css/|js/|ajax/|appblast|appblast/|portal|view-client/|appimage/|horizonadmin|xmp|dt-rest|haca).*
pcoipExternalUrl=<Public IP Address User Portal>:4172
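Before handing this file to UAGDeploy.ps1, a few pre-flight checks catch the mistakes that otherwise only surface after a ten-minute OVA import. The PowerShell below is an added example, not code from this post or from VMware's deployment script; it assumes the ini layout shown above, and the function names Get-UagIniValue, Get-RemoteCertThumbprint and Test-UagIni are my own. It checks that no <...> placeholders remain, that the OVA and PFX files exist, that the target line still carries the literal PASSWORD so the script prompts instead of reading a secret from disk, and that the SHA-1 thumbprint pinned in proxyDestinationUrlThumbprints is the one the tenant appliance actually presents on proxyDestinationUrl.

```powershell
# Added example, not code from the original post or from VMware's UAGDeploy.ps1.
# Pre-flight checks for the UAG-DaaS.ini shown above. All function names are hypothetical.

function Get-UagIniValue {
    param([string]$Path, [string]$Key)
    # Return the value of the first "Key=value" line, or $null if the key is absent.
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match "^\s*$([regex]::Escape($Key))\s*=(.*)$") { return $Matches[1].Trim() }
    }
    return $null
}

function Get-RemoteCertThumbprint {
    param([string]$HostName, [int]$Port = 443)
    # Connect, accept whatever certificate is presented (we only read it here, we do not
    # trust it) and return its SHA-1 thumbprint as lower-case hex without separators.
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $accept = { param($sender, $cert, $chain, $errors) $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        return $cert.Thumbprint.ToLower()
    }
    finally { $client.Dispose() }
}

function Test-UagIni {
    param([Parameter(Mandatory)][string]$Path)
    $problems = [System.Collections.Generic.List[string]]::new()

    # 1. Every template placeholder such as <Datastore Name> must have been replaced.
    Get-Content -Path $Path |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match '<[^>]+>' } |
        ForEach-Object { $problems.Add("placeholder still present: $($_.Trim())") }

    # 2. Files the script will open must exist at the given paths.
    foreach ($key in 'source', 'pfxCerts') {
        $file = Get-UagIniValue -Path $Path -Key $key
        if ($file -and -not (Test-Path -LiteralPath $file)) { $problems.Add("$key not found: $file") }
    }

    # 3. target= should keep the literal PASSWORD so the script prompts for the vCenter password.
    $target = Get-UagIniValue -Path $Path -Key 'target'
    if ($target -and $target -notmatch ':PASSWORD@') {
        $problems.Add('target= embeds a real password; use PASSWORD and let the script prompt')
    }

    # 4. The pinned back-end thumbprint must match the certificate the tenant appliance
    #    really presents, otherwise the UAG will not proxy to it after deployment.
    $pinned = Get-UagIniValue -Path $Path -Key 'proxyDestinationUrlThumbprints'
    $dest   = Get-UagIniValue -Path $Path -Key 'proxyDestinationUrl'
    if ($pinned -and $dest -and $dest -notmatch '<') {
        $uri      = [uri]$dest
        $expected = ($pinned -replace '^sha1:', '' -replace '[^0-9a-fA-F]', '').ToLower()
        try {
            $actual = Get-RemoteCertThumbprint -HostName $uri.Host -Port $uri.Port
            if ($actual -ne $expected) {
                $problems.Add("thumbprint mismatch: ini=$expected presented=$actual")
            }
        }
        catch { $problems.Add("could not read certificate from $($uri.Host):$($uri.Port) - $($_.Exception.Message)") }
    }

    if ($problems.Count -eq 0) { Write-Host "OK: $Path passed pre-flight checks" }
    else { $problems | ForEach-Object { Write-Warning $_ } }
    return ($problems.Count -eq 0)
}

# Usage (run before .\UAGDeploy.ps1 .\UAG-DaaS.ini):
#   Test-UagIni -Path .\UAG-DaaS.ini
```

The thumbprint comparison strips the sha1: prefix and any colon separators before comparing, so either notation in the ini works. The function returns $true only when every check passes, which makes it easy to gate the actual deployment on it in a wrapper script.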


Installation procedure

Now that we have met all configuration and installation requirements, it is time to install the UAG appliance!

Once we have downloaded and installed the OVF Tool and created the configuration file, we can run the PowerShell script, passing the script name and the configuration file name as in this example:

  • .\UAGDeploy.ps1 .\UAG-DaaS.ini

The script will prompt you for the following input:

  • Admin and Root account passwords
  • Join CEIP: yes/no
  • vCenter administrator password
  • Certificate password (only if a .P12 or .PFX file is specified; a certificate and key file provided in .PEM format will not prompt for a password)

After this input is filled in correctly, the script starts importing the .OVA template (using the OVF Tool) into vCenter. You can track the progress directly in the script output or from within vCenter.


After a few minutes the import is complete. The UAG then initializes and automatically configures the IP addresses specified in the configuration file.


After the UAG is deployed successfully, verify that the implementation is working as expected!
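What "working as expected" means for the external side can be checked from a client outside the environment. The PowerShell below is an added example, not code from this post; it requires PowerShell 7 or later (for the -SslProtocol parameter of Invoke-WebRequest), takes the User Portal FQDN from tunnelExternalUrl, and uses a hypothetical function name, Test-UagExternal. It confirms that healthCheckUrl answers with 200 over TLS 1.2 with a certificate the client trusts, that the tls10Enabled=false and tls11Enabled=false settings from the configuration file actually took effect, and that the Blast and PCoIP ports from blastExternalUrl and pcoipExternalUrl accept TCP connections.

```powershell
# Added example, not code from the original post. Post-deployment checks against the
# external FQDN of the UAG. Requires PowerShell 7+ for Invoke-WebRequest -SslProtocol.
# Test-UagExternal is a hypothetical helper name.

function Test-UagExternal {
    param(
        [Parameter(Mandatory)][string]$Fqdn,       # User Portal FQDN used in tunnelExternalUrl
        [string]$HealthCheckUrl = '/favicon.ico'   # healthCheckUrl from the ini
    )
    $url    = "https://$Fqdn$HealthCheckUrl"
    $result = [ordered]@{}

    # 1. The health check must return 200 over TLS 1.2. Invoke-WebRequest validates the
    #    server certificate by default, so a wrong or untrusted certificate fails here too.
    try {
        $r = Invoke-WebRequest -Uri $url -SslProtocol Tls12 -TimeoutSec 10
        $result['Tls12Healthy'] = ($r.StatusCode -eq 200)
    }
    catch {
        $result['Tls12Healthy'] = $false
        Write-Warning "TLS 1.2 health check failed: $($_.Exception.Message)"
    }

    # 2. With tls10Enabled=false and tls11Enabled=false, older handshakes must be refused.
    #    The certificate check is skipped here because only protocol negotiation matters.
    foreach ($proto in 'Tls', 'Tls11') {
        try {
            Invoke-WebRequest -Uri $url -SslProtocol $proto -SkipCertificateCheck -TimeoutSec 10 | Out-Null
            $result["${proto}Refused"] = $false    # handshake succeeded: setting did not take effect
        }
        catch { $result["${proto}Refused"] = $true }
    }

    # 3. Blast (8443) and PCoIP (4172) from the ini must at least accept a TCP connection.
    foreach ($port in 8443, 4172) {
        $tcp = [System.Net.Sockets.TcpClient]::new()
        try     { $tcp.Connect($Fqdn, $port); $result["Tcp$port"] = $true }
        catch   { $result["Tcp$port"] = $false }
        finally { $tcp.Dispose() }
    }

    $obj = [pscustomobject]$result
    $obj | Format-List | Out-String | Write-Host
    return $obj
}

# Usage with a constructed FQDN:
#   Test-UagExternal -Fqdn 'portal.example.com'
```

One caveat on step 2: a modern client may itself refuse to start a TLS 1.0 or 1.1 handshake, in which case TlsRefused and Tls11Refused are true regardless of the appliance. Treat a false there as a definite finding and a true as confirmed only when the client is known to still allow those protocol versions, or cross-check the setting in the UAG admin interface.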


Conclusion

PowerShell is a powerful, fast and reliable way to deploy the UAG in Horizon DaaS. The deployment has some configuration and deployment requirements, but once these are met, the deployment is relatively easy and fast.

In addition, you can reuse the configuration file as a template for other tenant environments.