Unified Access Gateway deployment using the PowerShell

This is an overview of the powershell based deployment process for the unified access gateway. In this lab we have completed the following steps for you:

- Downloaded and installed the VMware OVF tool on the Controlcenter virtual machine.

- Downloaded and extracted the example deployment scripts to your downloads\uagdeploy folder

- Downloaded the UAG virtual appliance image to the Software network location

 

1. Creating the ini file

1. from your controlcenter virtual machine, open a file explorer window and navigate to downloads\uagdeploy. Notice we have extracted a package of .ini and .ps1 files!

2. Select and make a copy of the uag2-Advanced and call it uag2-Advanced-backup.

 

 

3. On the ControlCenter server downloads folder, right click uag2-advanced.ini and then select Edit with Notepad++

Edit the following in the Advanced.ini file

8. To configure the appliance name in the vsphere inventory, next to name change to UAG

9. to identify the appliance image to use, change  source to

source= \\cs1-pd1.euc-livefire.com\software\UAG\euc-unified-access-gateway-3.8.0.0-15239073_OVF10.ova

10. To identify the compute resources to use, Replace "target=vi://[email protected]:[email protected]/Datacenter1/host/esx1.myco.int" with:

target=vi://[email protected]:[email protected]/RegionA01/host/RegionA01-COMP01/esx-02a.euc-livefire.com

Scroll Down to continue...

11. To identify the datastore to use, change ds=Local Disk 1  to ds=CorpLun

12. To identify disk provisioning mode change uncomment #diskMode=thin to diskMode=thin

13. Change the following network settings:

  • to define internet facing portgroup type netInternet=DVPortGroup_VM
  • to define management network type netManagementNetwork=DVPortGroup_VM
  • to define backend network type netBackendNetwork=DVPortGroup_VM
  • to define default gateway type defaultGateway=192.168.110.1
  • to define number of nics type deploymentOption=onenic
  • to define interface ip type ip0=192.168.110.30
  • to define interface network mask netmask0=255.255.255.0
  • to define static routes type routes0=192.168.110.0/24 192.168.110.1

Scroll down to continue...

14.  to define dns server change dns=192.168.0.10 to

dns=192.168.110.10

Scroll Down

15. to specify the certificate to assign to the appliance, under [SSLCert] Change pfxCerts=sslcerts.pfx to

pfxCerts=C:\certificates\WildCard.pfx

 

16.  to define ssl cert information for the admin interface, in the [SSLCertAdmin] section , change pfxCerts=sslcerts.pfx to

 pfxCerts=C:\certificates\WildCard.pfx

17. to define an ip address for a connection server (works with load balancers too) under the [Horizon] section change proxyDestinationUrl=https://192.168.0.209 to

 

 proxyDestinationUrl=https://192.168.110.90

 

18. On your ControlCenter, open your Google Chrome Browser, using Horizon shortcut in the address bar launch the Horizon Administrator  admin console.

19. In the Address Bar select and right-click the secure section, under Certificate select valid, on the Certificate window, select the Details tab and scroll down and select Thumbprint. Use your keyboard to copy the thumbprint by selecting CTRL+C. Switch back to your Advanced.ini file in Notepad++

20.  Using the thumbprint you have just copied, uncoment and change the Hash in the  #proxyDestinationUrlThumbprints=sha1:3e ef ed c6 86 75 a6 15 ff c8 96 27 5a 4c ee 8e 16 fd 6e d3,sha1:3e ef ed c6 86 75 a6 15 ff c8 96 27 5a 4c ee 8e 16 fd 6e d3 section to

proxyDestinationUrlThumbprints=sha1:5a 78 89 3c 8a 2a e5 73 bd a3 d2 20 9a 51 79 fc f1 4f fd 36

Scroll Down

21. to specify external urls and for the horizon protocols, change tunnelExternalUrl=https://uag2.horizon.myco.com:443 and blastExternalUrl=https://uag2.horizon.myco.com:443 to

tunnelExternalUrl=https://uag.euc-livefire.com:443
blastExternalUrl=https://uag.euc-livefire.com:443

22. In the pcoipExternalUrl section change pcoipExternalUrl=10.20.30.90:4172 to

 pcoipExternalUrl=192.168.110.30:4172

  for the purpose of these lab you can leave the pcoipDisableLegacyCertificate=true setting as is.

There are aditional settings that could be included in the file for Workspaceone uem, Vmware Tunnel and Reverse Proxy but they are not within the scope of this course.

2. Deploying the appliance from powershell

ENSURE YOU SAVE THE .ini File before running the powershell command.

1. On your ControlCenter server , launch the powershell shortcut from the Start Menu

2. We will set the script execution is set to unrestricted. Execute the following command.

 Set-ExecutionPolicy -scope currentuser unrestricted
When Prompted select Y

3. to navigate to the scripts folder, within the powershell interface type the following command

 cd C:\Users\Administrator\Downloads\uagdeploy

 

4. to deploy the virtual appliance with the settings from the file you just configured, execute the following command

 .\uagdeploy.ps1 -iniFile uag2-advanced.ini

5. When you get a security warning type: R

6. When you get a second security warning type: R

7. When prompted to enter a root password for UAG, type: VMware1! when prompted to confirm type VMware1!

8. When prompted to Enter an optional admin password for the RESP API and Admin UI management access for UAG: type VMware1!

9. When prompted to Re-Enter an optional admin password : type VMware1!

 

5. When prompted whether or not to join the customer experience program type No

6. When prompted to enter password for the .pfx type: VMware1! , when prompted to confirm type VMware1! again. 

7. You May be prompted to Accept the SSL Fingerprint, in this case type yes to add the fingerprint to the host file.

8. When prompted to enter the password for [email protected] type VMware1! (this password does not fill when you type)

the deployment will take about 10 minutes....

NOTE: Even after it has deployed successfully it can take a few minutes after boot for the service to come online.

 

3. Verifying the deployment

1. from your chrome browser launch your vsphere web client from the link in your bookmark and authenticate with your administrator credentials.

2. in your host and clusters view, select the newly created UAG appliance

3. verify the ip address is 192.168.110.30

4. launch the virtual machine console

5. in the virtual machine console,  click inside the VM screen and use your up and down arrow to highlight Login and press enter

6. verify you are able to login with username: root and password: VMware1!. type exit to log out

7. in a new tab of your chrome browser go to https://uag.euc-livefire.com:9443/admin/index.html

8. login with username: admin and password:VMware1!

9. under configure manually click Select

 

10. under general settings expand Edge Service Settings

11. Click the cog next to Horizon settings

12. Verify that the horizon environment configurations are present.

13. Click cancel and leave the tab open for the next task

 

4. post deployment tasks & tests

1. from the UAG configuration window, under Advanced Settings click on the cog next to System Configuration

2. in the uag name field type UAG01 (this is the friendly name for this UAG as it will be added in the horizon console)

3. On the controlcenter desktop , open the google Chrome browser, select the Horizon Administrator shortcut and Login as administrator with the password VMware1!

4. under view configuration click on Servers

5. in the Gateways tab click on Register

6. in the Register Gateway prompt, in the Gateway Name field type UAG01 and click ok. This proccess this can take 5 -10 minutes

7.  Under View Configuration select Servers, select the Connection Servers tab. Select cs1-pd1.euc-livefire.com and select Edit

8. Ensure that both the HTTP(S) Secure Tunnel check box and the Blast Secure Gateway Check box are unchecked.

9. On the ControlCenter Desktop select the VMware Horizon Client and select + New Server and type in uag.euc-livefire.com and select Connect

10. Login as user1 with the password VMware1!

11. verify  a desktop session can be launched successfully

12. log off and close the horizon client

12. On your controlcenter open your browser and in the address type UAG.euc-livefire.com/portal

13. To the right  of the page select VMware Horizon HTML access, do you notice the UAG failed to connect.

We will now explain why. Firstly this is not a UAG issue, this due to a new secure feature that has been enabled in Horizon 7 called Origin checking which is enabled by default and is a new standard defined in RFC 6454

https://docs.vmware.com/en/VMware-Horizon-7/7.1/com.vmware.horizon-view.security.doc/GUID-AA5D0A57-51A7-4FC1-A79B-AFD15A72499A.html

  • If you want to make surethis is the problem,  in your connection server open file explorer and go to c\:ProgramData\VMware\VDM\logs
  • Open the most current log and look for a keyword "unexpected origin"
  • 2020-01-22T05:54:50.772-08:00 ERROR (0CB8-0EE4) <SimpleDeamonThread> [h] (ajp:broker:Request199) Unexpected Origin: https://uag.euc-livefire.com

42. We need to create a file called locked.properties . On your connection server browse to

C:\Program Files\VMware\VMware View\Server\sslgateway\conf

Open notepad and save the filename as locked.properties. Once created add the following entries.

checkOrigin=false
balancedHost=uag.euc-livefire.com
portalHost.1=uag.euc-livefire.com

Reboot the Connection server

  • Be prepared to wait plus or minus 5 to 10 minutes for the reboot and services to start. Thank you

43. On your controlcenter open your browser and in the address type UAG.euc-livefire.com

41. To the right  of the page select VMware Horizon HTML access

42. Login into the Horizon environment User1 with the password VMware1! Select the W10Pool desktop entitlement

43 . When done log off and close all lab related windows.

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.