The Unified Access Gateway (UAG) is a VMware-developed End-User Computing (EUC) appliance: a specialized gateway (reverse proxy) that manages access to enterprise EUC products deployed in a private or public cloud. It is a hardened, Linux-based appliance from VMware that is used across several VMware Horizon deployment families, such as:
- Horizon 7
- VMware Cloud on AWS
- VMware Cloud on IBM Cloud
- VMware Cloud on Azure
- VMware Horizon DaaS
This blog post will cover the installation process of the UAG appliance for Horizon DaaS specifically.
Formal installation procedure
In the formal installation procedure for Horizon DaaS, the administrator manually imports the .OVA template into vCenter and configures the network interfaces, storage, and all IP address and host information. The next step is to log on via SSH to the primary Service Provider appliance and from there hop to the tenant appliance. On the tenant appliance, the administrator runs a script and follows a wizard to complete the installation.
As you can see, deploying the UAG appliance for Horizon DaaS this way is a somewhat time-consuming process. It also leaves a lot of room for manual errors while typing input into the wizards.
In this blog post, I will show you how to automate the installation with PowerShell. This procedure eliminates the manual import and the tenant script steps, saving implementation time and producing a stable, consistent and working UAG in the Horizon DaaS environment.
Before we install anything, we need to gather the configuration information. Without it, it is not possible to deploy the UAG for Horizon DaaS.
Mandatory configuration items are:
- Download the correct .OVA version
  - Determine the UAG version supported with Horizon DaaS in the VMware interoperability list.
- vSphere information
  - vCenter name, DataCentre name, Cluster name
  - Datastore name
  - UAG appliance name
- Network Interface Card (NIC) deployment option
  - There are three deployment options: three NIC, two NIC and one NIC (*)
  - VM Network name(s)
- IP Address(es)
  - IP address(es) of the appliance itself
  - Default Gateway of the Internet-facing network
  - Subnet Mask(s)
  - DNS IP Address of the Tenant network
  - Floating IP address of the Tenant Appliances
  - Public IP address behind the User Portal FQDN
- Certificate information
  - Server certificate thumbprint of the User Portal
  - Certificate chain and key files in .pem format, or a single .P12 or .PFX file
- User Portal FQDN
- Tenant Active Directory NetBIOS name
(*) I will explain the NIC deployment options for Horizon DaaS in a separate blog post.
The installation is not very difficult, but has a few requirements:
- Download the PowerShell script
- Download and install the OVF Tool
- Create a UAG Configuration File (see the next section)
You can follow this VMware Community page as a reference for the installation procedure. This page will also explain all configuration item settings, including a full list of advanced configuration settings, should this be required for your organization.
Creating the Configuration File
You can use the example configuration file below as the basis for implementing the UAG for Horizon DaaS. Every value between angle brackets is a placeholder for your own environment; the section headers ([General], [SSLCert], [Horizon]) and the key names follow the INI format that VMware's uagdeploy.ps1 script reads.

```ini
[General]
# UAG virtual appliance unique name (between 1 and 32 characters).
# If name is not specified, the script will prompt for it.
name=<UAG appliance Name>
# Full path filename of the UAG .ova virtual machine image
# The file can be obtained from VMware
source=<Location to UAG .OVA Template>
# vSphere environment information. Keep the literal word PASSWORD: the script then
# prompts for the vCenter administrator password instead of reading it from this file.
target=vi://<vCenter Administrator User>:PASSWORD@<vCenter Server Name>/<DataCentre Name>/host/<Cluster Name>/<ESXi Host Name>
# vSphere datastore name and provisioning mode example
ds=<Datastore Name>
diskMode=thin
# Deployment Option – onenic, twonic or threenic
deploymentOption=<onenic | twonic | threenic>
# Supply VM Network names
netInternet=<VM Network Name – Internet facing network>
netManagementNetwork=<VM Network Name – Management network>
# IP Addresses – Note: nic0 is always the internet facing network – Below are examples.
ip0=<IP Address of the UAG on the Internet-facing network>
netmask0=<Subnet Mask of the Internet-facing network>
defaultGateway=<Default Gateway of the Internet-facing network>
dns=<DNS IP Address of the Tenant network>
# UAG TCP Forward rule – For HACA Console Access from Internet – https://docs.vmware.com/en/VMware-Horizon-DaaS/services/rn/Horizon-DaaS-800-Release-Notes.html#hahc
forwardrules=tcp/12433/<Floating IP Address Tenant Appliances>:443
# Security & Misc Settings – Cipher Suite will give an A-rating on SSLLabs – Please review settings based on company Security Requirements
cipherSuites=<Cipher Suite list, reviewed against your security requirements>

[SSLCert]
# SSL Certificates
pfxCerts=<Location to .P12 or .PFX certificate file>

[Horizon]
# Horizon DaaS 8.0.0 Settings
proxyDestinationUrl=https://<Floating IP Address Tenant Appliances>
samlSP=<Tenant Active Directory NetBIOS Name>
proxyDestinationUrlThumbprints=sha1:<Certificate Thumbprint User Portal>
tunnelExternalUrl=<User Portal FQDN>:443
blastExternalUrl=<User Portal FQDN>:8443
pcoipExternalUrl=<Public IP Address User Portal>:4172
```
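Writing the configuration file by hand is exactly where the typos creep back in, so here is an added example (my code, not part of the original post or VMware's tooling) that generates the Horizon DaaS .ini from parameters and validates the mandatory items listed above before anything is written. The function and parameter names are mine, the section and key names follow VMware's documented uagdeploy INI format, and all sample values in the usage call are constructed. Per-NIC addressing for two- and three-NIC layouts is left out, as the post defers those options to a separate article.

```powershell
# Added example, not code from the original post or from VMware. Builds the
# UAG-for-Horizon-DaaS .ini from parameters so one function can be reused per
# tenant. Assumed (not on the page): function/parameter names; INI sections
# ([General], [SSLCert], [Horizon]) and keys follow VMware's uagdeploy format.
function New-UagDaasIni {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateLength(1, 32)][string]$Name,
        [Parameter(Mandatory)][string]$OvaPath,
        [Parameter(Mandatory)][string]$VCenterUser,
        [Parameter(Mandatory)][string]$VCenter,
        [Parameter(Mandatory)][string]$DataCenter,
        [Parameter(Mandatory)][string]$Cluster,
        [string]$EsxiHost,
        [Parameter(Mandatory)][string]$Datastore,
        [Parameter(Mandatory)][ValidateSet('onenic', 'twonic', 'threenic')][string]$DeploymentOption,
        [Parameter(Mandatory)][string]$NetInternet,
        [string]$NetManagement,
        [Parameter(Mandatory)][ipaddress]$Ip0,
        [Parameter(Mandatory)][ipaddress]$Netmask0,
        [Parameter(Mandatory)][ipaddress]$DefaultGateway,
        [Parameter(Mandatory)][ipaddress]$Dns,
        [Parameter(Mandatory)][ipaddress]$TenantFloatingIp,
        [Parameter(Mandatory)][ipaddress]$PortalPublicIp,
        [Parameter(Mandatory)][string]$PortalFqdn,
        [Parameter(Mandatory)][string]$TenantNetbios,
        # sha1:<40 hex chars>, the form proxyDestinationUrlThumbprints expects
        [Parameter(Mandatory)][ValidatePattern('^sha1:[0-9a-fA-F]{40}$')][string]$PortalThumbprint,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$OutFile
    )

    # Fail before writing anything if a prerequisite from the post is missing.
    if (-not (Test-Path -LiteralPath $OvaPath)) { throw "OVA not found: $OvaPath" }
    if (-not (Test-Path -LiteralPath $PfxPath)) { throw "PFX not found: $PfxPath" }
    if ($DeploymentOption -ne 'onenic' -and -not $NetManagement) {
        throw 'twonic/threenic deployments need -NetManagement'
    }
    if (-not (Get-Command ovftool -ErrorAction SilentlyContinue)) {
        Write-Warning 'ovftool not found on PATH; uagdeploy.ps1 needs the OVF Tool'
    }

    # Keep the literal PASSWORD token: uagdeploy.ps1 prompts for the vCenter
    # password at run time, so no credential is stored in the file.
    $target = "vi://${VCenterUser}:PASSWORD@${VCenter}/${DataCenter}/host/${Cluster}"
    if ($EsxiHost) { $target += "/$EsxiHost" }

    $lines = @(
        '[General]'
        "name=$Name"
        "source=$OvaPath"
        "target=$target"
        "ds=$Datastore"
        "deploymentOption=$DeploymentOption"
        "netInternet=$NetInternet"
    )
    if ($NetManagement) { $lines += "netManagementNetwork=$NetManagement" }
    $lines += @(
        "ip0=$Ip0"
        "netmask0=$Netmask0"
        "defaultGateway=$DefaultGateway"
        "dns=$Dns"
        # HACA console access from the Internet, forwarded to the tenant appliances
        "forwardrules=tcp/12433/${TenantFloatingIp}:443"
        ''
        '[SSLCert]'
        "pfxCerts=$PfxPath"
        ''
        '[Horizon]'
        "proxyDestinationUrl=https://$TenantFloatingIp"
        "proxyDestinationUrlThumbprints=$PortalThumbprint"
        "samlSP=$TenantNetbios"
        "tunnelExternalUrl=${PortalFqdn}:443"
        "blastExternalUrl=${PortalFqdn}:8443"
        "pcoipExternalUrl=${PortalPublicIp}:4172"
    )
    Set-Content -LiteralPath $OutFile -Value $lines -Encoding ascii
    return $lines
}

# Constructed sample values; the OVA and PFX paths must exist where this runs.
New-UagDaasIni -Name 'UAG-TENANT01' -OvaPath 'C:\UAG\euc-unified-access-gateway.ova' `
    -VCenterUser 'administrator@vsphere.local' -VCenter 'vcenter.corp.example' `
    -DataCenter 'DC1' -Cluster 'CL1' -Datastore 'DS1' -DeploymentOption onenic `
    -NetInternet 'DMZ-Internet' -Ip0 '203.0.113.10' -Netmask0 '255.255.255.0' `
    -DefaultGateway '203.0.113.1' -Dns '10.0.1.53' -TenantFloatingIp '10.0.1.20' `
    -PortalPublicIp '203.0.113.10' -PortalFqdn 'portal.tenant.example' `
    -TenantNetbios 'TENANT' -PortalThumbprint 'sha1:0123456789abcdef0123456789abcdef01234567' `
    -PfxPath 'C:\UAG\portal.pfx' -OutFile '.\UAG-DaaS.ini'
```

Because the function only ever writes the literal PASSWORD token into the target URL, the generated file can be checked into a per-tenant repository without leaking the vCenter credential; the script prompts for it at deployment time, as described in the next section.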
So, now that we have met all configuration and installation requirements, it is time to install the UAG appliance!
Once the OVF Tool is downloaded and installed and the Configuration File is created, start the deployment by running the PowerShell script with the configuration file name as its argument, as in this example:

```powershell
.\UAGDeploy.ps1 .\UAG-DaaS.ini
```
The script will prompt you for the following input:
- Admin and Root account passwords
- Join CEIP: yes/no
- vCenter administrator password
- Certificate password (only when a .P12 or .PFX file is specified; a certificate and key pair supplied as .PEM files will not prompt for a password)
Once this input has been entered, the script starts importing the .OVA template into vCenter using the OVF Tool. You can track the progress directly in the script output or from within vCenter.
After a few minutes the import completes. The UAG then initializes and automatically configures the IP addresses specified in the Configuration File.
After the UAG has been deployed successfully, verify that the implementation works as expected: log on to the UAG admin UI at https://<UAG management IP>:9443/admin/ with the admin password you entered, check the status of the Horizon edge service, and confirm that the User Portal FQDN is reachable on ports 443, 8443 and 4172 from the Internet.
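The manual checks above are worth scripting too, so that every tenant deployment gets the same acceptance test. The following is an added example (my code, not from the original post or from VMware) that probes the listeners the .ini configured and confirms that the certificate the UAG presents on 443 is the one supplied via pfxCerts, which is the only way to be sure the PFX and its password were applied. Function names and sample hostnames are mine; ports 443, 8443, 4172 and 12433 come from the configuration file, and 9443 with the /admin path is the UAG admin UI default.

```powershell
# Added example, not code from the original post or from VMware: acceptance
# checks for a UAG deployed from the .ini above. Function names and sample
# hostnames are assumptions; the ports are those configured in the .ini plus
# the UAG admin UI default (9443).
function Test-TcpPort {
    param([Parameter(Mandatory)][string]$TargetHost, [Parameter(Mandatory)][int]$Port, [int]$TimeoutMs = 3000)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # Wait() returns $false on timeout and throws when the connection is refused.
        return ($client.ConnectAsync($TargetHost, $Port).Wait($TimeoutMs) -and $client.Connected)
    } catch { return $false } finally { $client.Dispose() }
}

function Get-TlsCertificate {
    param([Parameter(Mandatory)][string]$TargetHost, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($TargetHost, $Port)
    try {
        # The validation callback accepts anything so the served chain can be read;
        # trust is decided by the thumbprint comparison in the caller, not here.
        $ssl = [System.Net.Security.SslStream]::new(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($TargetHost)   # SNI carries the portal FQDN
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $client.Dispose() }
}

function Test-UagDaasDeployment {
    param(
        [Parameter(Mandatory)][string]$PortalFqdn,       # tunnel/blast/pcoip/forward-rule listeners
        [Parameter(Mandatory)][string]$UagManagementIp,  # where the admin UI (9443) is reachable
        [Parameter(Mandatory)][string]$PfxPath           # the pfxCerts file from the .ini
    )
    $r = [ordered]@{}
    $r['tunnel 443']         = Test-TcpPort $PortalFqdn 443
    $r['blast 8443']         = Test-TcpPort $PortalFqdn 8443
    $r['pcoip tcp 4172']     = Test-TcpPort $PortalFqdn 4172    # UDP 4172 is not covered here
    $r['haca forward 12433'] = Test-TcpPort $PortalFqdn 12433
    $r['admin ui 9443']      = Test-TcpPort $UagManagementIp 9443

    # The certificate on 443 must be the pfxCerts certificate and must be in date;
    # Get-PfxCertificate prompts for the PFX password, as the deploy script did.
    $expected = (Get-PfxCertificate -FilePath $PfxPath).Thumbprint
    $served   = Get-TlsCertificate -TargetHost $PortalFqdn -Port 443
    $now      = Get-Date
    $r['cert is pfx cert'] = ($served.Thumbprint -eq $expected)
    $r['cert in date']     = ($served.NotBefore -le $now -and $served.NotAfter -gt $now)
    $r['all ok']           = -not ($r.Values -contains $false)
    return [pscustomobject]$r
}

# Constructed sample targets; run from a network that can reach the Internet-facing NIC.
Test-UagDaasDeployment -PortalFqdn 'portal.tenant.example' -UagManagementIp '10.0.0.50' -PfxPath 'C:\UAG\portal.pfx'
```

The TCP probes only prove that something is listening; the thumbprint comparison is the check that matters, because a UAG whose PFX failed to load falls back to a self-signed certificate and still answers on 443. Treat a failed `haca forward 12433` probe with care: the forward rule is listed in the post as Internet-facing, but your firewall may restrict the source networks that can reach it.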
PowerShell is a powerful, fast and reliable way to deploy the UAG in Horizon DaaS. The deployment has a number of configuration and tooling requirements, but once you have met them, the deployment itself is relatively easy and fast.
In addition, you can re-use the Configuration File as a template for other tenant environments.