The Unified Access Gateway (UAG) is a VMware-developed End-User Computing (EUC) appliance that acts as a specialized gateway (or reverse proxy) managing access to enterprise EUC products deployed in a private or public cloud. It is a hardened (Linux-based) appliance from VMware that is used across the VMware Horizon family, such as:
- Horizon 7
- VMware Cloud on AWS
- VMware Cloud on IBM Cloud
- VMware Cloud on Azure
- VMware Horizon DaaS
This blog post will cover the installation process of the UAG appliance for Horizon DaaS specifically.
Formal installation procedure
Following the formal installation procedure for Horizon DaaS, the administrator has to import the .OVA template into vCenter manually and configure the network interfaces, storage, and all IP address and host information by hand. The next step is to log on over SSH to the Primary Service Provider appliance and hop from there to the tenant appliance. On the tenant appliance, the administrator runs a script and follows a wizard to complete the installation.
As you can see, deploying the UAG appliance for Horizon DaaS can be a somewhat time-consuming process. It also leaves much room for manual errors while entering values in the wizard.
In this blog post, I will show you how to automate the installation with PowerShell. This procedure eliminates the manual import and the tenant script steps, saving implementation time and producing a stable, consistent and working solution in the Horizon DaaS environment.
Before we install anything, we need to gather information about the configuration. Without this information, it is not possible to deploy the UAG for Horizon DaaS.
Mandatory configuration items are:
- Download the correct .OVA version
  - Determine the UAG version supported by Horizon DaaS in the VMware interoperability list
- vSphere information
  - vCenter name, DataCentre name, Cluster name
  - Datastore name
  - UAG appliance name
- Network Interface Card (NIC) deployment option
  - There are three deployment options: three NIC, two NIC and one NIC (*)
  - VM Network name(s)
- IP address(es)
  - IP address(es) of the appliance itself
  - Default gateway of the Internet-facing network
  - Subnet mask(s)
  - DNS IP address of the Tenant network
  - Floating IP address of the Tenant Appliances
  - Public IP address of the user portal FQDN
- Certificate information
  - Server certificate thumbprint of the User Portal
  - Certificate chain and key files in .pem format, or a single .P12 or .PFX file
- User Portal FQDN
- Tenant Active Directory NetBIOS name
(*) I will explain the NIC deployment options for Horizon DaaS in a separate blog post.
The installation is not very difficult, but it has a few requirements:
- Download the PowerShell script (use the script that matches your UAG version)
- Download and install the OVF Tool
- Create a UAG Configuration File (see the chapter below)
You can follow this VMware Community page as a reference for the installation procedure. This page will also explain all configuration item settings, including a full list of advanced configuration settings, should this be required for your organization.
Creating the Configuration File
You can use the example configuration file below for implementing the UAG for Horizon DaaS. Copy the entire configuration, starting from [General]. Do NOT use the Firefox browser to copy it.
```ini
[General]
# UAG virtual appliance VM name and hostname.
# If name is not specified, the script will prompt for it.
name=<UAG VM name>
# Full path filename of the UAG .ova virtual machine image
# The file can be obtained from VMware
source=<Location to UAG .OVA Template>
# vSphere environment information. Enter your domain (service) account credentials in UPN or a local vSphere account as shown in the example.
# Do NOT fill in the password. Leave the literal PASSWORD token in place; the script will prompt for the password.
target=vi://<firstname.lastname@example.org>:PASSWORD@<vCenter Server Name>/<DataCentre Name>/host/<Cluster Name>/<ESXi Host Name>
# vSphere datastore name and provisioning mode example
ds=<Datastore Name>
diskMode=thin
# Deployment Option – onenic, twonic or threenic – Below is an example of a twonic configuration. Please discuss with Security & Network teams which configuration suits your organization the best.
deploymentOption=twonic
# Supply VM Network names
netInternet=<VM Network Name – Internet facing network>
netManagementNetwork=<VM Network Name – Management network>
#netBackendNetwork=<VM Network Name – Tenant network>
# IP Addresses – Note: nic0 is always the internet facing network. Below IP Addresses are placeholders.
ip0=<IP Address – Internet facing network>
netmask0=<Subnet Mask – Internet facing network>
ip1=<IP Address – Management network>
netmask1=<Subnet Mask – Management network>
defaultGateway=<Default Gateway – Internet facing network>
dns=<DNS IP Address – Tenant network>
# UAG TCP Forward rule – For HACA Console Access from Internet – https://docs.vmware.com/en/VMware-Horizon-DaaS/services/rn/Horizon-DaaS-800-Release-Notes.html#hahc
forwardrules=tcp/12433/<Floating IP Address Tenant Appliances>:443
# Security & Misc Settings – Cipher Suite will give an A rating on SSLLabs – Please review settings based on company Security Requirements
cipherSuites=<Cipher Suite list>
# SSH Access – Default is false. Enables console ssh access on TCP port 22. This is NOT recommended for production deployments
sshEnabled=false
# Logging & Monitoring.
# Syslog – Provide an external Syslog server
syslogUrl=syslog://<Syslog Server>:514
# SNMP – Enables SNMP GET and GETNEXT support on UDP port 161. This is to provide basic information and monitoring data such as sysDescr, sysName, sysUptimeInstance and CPU and memory information using the SNMP protocol.
snmpEnabled=true
# UAG High Availability Settings – Note: Optional, see https://docs.vmware.com/en/Unified-Access-Gateway/3.5/com.vmware.uag-35-deploy-config.doc/GUID-B9AA5302-4D7E-4F27-AEAD-066529FD4E41.html for configuration and limitations.

[SSLCert]
# SSL Certificates – use PEM format or P12/PFX – below is an example of PFX
# The PEM file should contain the SSL Server certificate and any intermediate and root certificates
pfxCerts=<Location to .P12 or .PFX certificate file>
#pemCerts=<Location to SSL certificate .PEM file>
#pemPrivKey=<Location to SSL certificate key file>

[Horizon]
# Horizon DaaS 8.0.x Settings
proxyDestinationUrl=https://<Floating IP Address Tenant Appliances>
samlSP=<Tenant Active Directory NetBIOS Name>
proxyDestinationUrlThumbprints=sha1:<Certificate Thumbprint User Portal>
tunnelExternalUrl=<User Portal FQDN>:443
blastExternalUrl=<User Portal FQDN>:443
pcoipExternalUrl=<Public IP Address User Portal>:4172
```
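Most of the manual errors this post sets out to avoid are typos in the configuration file, so it pays to validate the file before handing it to the deploy script. The following PowerShell function is an added example (not part of the original post, and not VMware's UAGDeploy.ps1): it reads the INI, looks keys up by name regardless of which [Section] they sit in, and reports template placeholders left unreplaced, keys missing for the chosen deployment option, certificate files that do not exist, a malformed proxyDestinationUrlThumbprints pin, a real password typed into the target locator, and external URLs without their port. Key names are the uagdeploy INI keys used above; the file name .\UAG-DaaS.ini is the one used later in this post.

```powershell
function Test-UagDaasConfig {
    param([Parameter(Mandatory)][string]$Path)
    $problems = @(); $cfg = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        # Skip blanks, comments and [Section] headers; keys are looked up by name only
        if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith('[')) { continue }
        if ($t -notmatch '=') { $problems += "unparseable line: $t"; continue }
        $k, $v = $t -split '=', 2
        $cfg[$k.Trim()] = $v.Trim()
    }
    # 1. <placeholders> copied from the template but never replaced
    foreach ($e in $cfg.GetEnumerator()) {
        if ($e.Value -match '<[^>]*>') { $problems += "$($e.Key) still contains a <placeholder>" }
    }
    # 2. Keys every Horizon DaaS deployment needs, plus the NICs the chosen option requires
    $required = 'name', 'source', 'target', 'ds', 'deploymentOption', 'netInternet',
                'proxyDestinationUrl', 'proxyDestinationUrlThumbprints',
                'tunnelExternalUrl', 'blastExternalUrl', 'pcoipExternalUrl'
    switch ($cfg['deploymentOption']) {
        'twonic'   { $required += 'netManagementNetwork' }
        'threenic' { $required += 'netManagementNetwork', 'netBackendNetwork' }
    }
    foreach ($k in $required) {
        if (-not $cfg.ContainsKey($k) -or $cfg[$k] -eq '') { $problems += "missing key: $k" }
    }
    # 3. Exactly one certificate source: a PFX/P12 file, or a PEM chain plus its key
    $pfx = $cfg.ContainsKey('pfxCerts')
    $pem = $cfg.ContainsKey('pemCerts') -and $cfg.ContainsKey('pemPrivKey')
    if (-not ($pfx -xor $pem)) { $problems += 'use either pfxCerts or pemCerts+pemPrivKey, not both or neither' }
    # 4. Files named in the config must exist before ovftool is started
    foreach ($k in 'source', 'pfxCerts', 'pemCerts', 'pemPrivKey') {
        if ($cfg.ContainsKey($k) -and -not (Test-Path -LiteralPath $cfg[$k])) { $problems += "$k not found: $($cfg[$k])" }
    }
    # 5. The backend pin must be a SHA-1 fingerprint (spaces between bytes are tolerated)
    $tp = "$($cfg['proxyDestinationUrlThumbprints'])" -replace '\s', ''
    if ($tp -notmatch '^sha1:([0-9A-Fa-f]{2}:?){20}$') { $problems += 'proxyDestinationUrlThumbprints must be sha1:<40 hex chars>' }
    # 6. The vCenter password stays out of the file: keep the literal PASSWORD token, the script prompts for it
    if ("$($cfg['target'])" -notmatch '^vi://[^:@/]+:PASSWORD@') { $problems += 'target must be vi://<user>:PASSWORD@<vCenter>/...' }
    # 7. External URLs carry their port (443 for tunnel/Blast, 4172 for PCoIP)
    foreach ($k in 'tunnelExternalUrl', 'blastExternalUrl', 'pcoipExternalUrl') {
        if ("$($cfg[$k])" -notmatch ':\d+$') { $problems += "$k should end with a port number" }
    }
    return $problems
}
# Usage: stop before running UAGDeploy.ps1 if anything is reported
$issues = Test-UagDaasConfig -Path .\UAG-DaaS.ini
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'UAG-DaaS.ini looks complete' }
```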
So, now that we have met all configuration and installation requirements, it is time to install the UAG appliance!
Once the OVF Tool is downloaded and installed and the Configuration File is created, we can start the PowerShell script by specifying the script name and the configuration file name, as in this example:
- `.\UAGDeploy.ps1 .\UAG-DaaS.ini`
The script will prompt you for the following input:
- Admin and Root account passwords
- Join CEIP: yes/no
- vCenter administrator password
- Certificate password (only if a .P12 or .PFX file is specified; a certificate and key provided as .PEM files will not prompt for a password)
After this input is filled in correctly, the script starts importing the .OVA template (using the OVF Tool) into vCenter. You can track the progress directly in the script output or from within vCenter.
After some minutes the import is complete. The UAG then initializes and automatically configures the IP addresses specified in the Configuration File.
After the UAG is deployed successfully, verify that the implementation is working as expected!
Failed to send http data?
Getting the error “failed to send http data”?
Most likely, this is related to the (self-signed) certificate of the ESXi host. Open the configured ESXi host (the one specified in the target line of the configuration file) in a browser and accept the certificate. After this step, run the script again!
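Before accepting the ESXi host certificate in the browser, it is worth confirming that the certificate served on port 443 is the one vCenter reports for that host, rather than trusting whatever answers. The following function is an added example (not part of the original post): it connects to the host name from the target line (passed here as a parameter), returns the certificate's subject, issuer, expiry and colon-separated SHA-1 thumbprint for side-by-side comparison, and adds nothing to any certificate store.

```powershell
function Get-EsxiCertificateInfo {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The validation callback returns $true only so that an untrusted (self-signed)
        # certificate can still be read; nothing is trusted or stored by this function
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false,
               { param($sender, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host       = $HostName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            # SHA-1 thumbprint as AA:BB:..., ready to compare with the value vCenter shows
            Thumbprint = ($cert.Thumbprint -replace '(..)(?!$)', '$1:')
        }
    } finally { $client.Dispose() }
}
# Usage: <ESXi Host Name> is the host from the target line of the configuration file
Get-EsxiCertificateInfo -HostName '<ESXi Host Name>'
```

Only accept the certificate in the browser once the Thumbprint value matches the one vCenter reports for the host and NotAfter is still in the future.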
PowerShell is a very powerful, fast and reliable way to deploy the UAG in Horizon DaaS. The deployment has some configuration and installation requirements, but once you have met them all, the deployment is relatively easy and fast.
In addition, you can re-use the Configuration File as a template for other tenant environments.