Deploying a new UAG and connecting it with existing connection server

To deploy a new UAG and connect it with an existing connection server, use the following steps:

  1. Download the *non-FIPS* version of UAG from the My VMware site.
    Example link at the time of this writing: https://my.vmware.com/web/vmware/downloads/info/slug/desktop_end_user_computing/vmware_unified_access_gateway/21_06
  2. Deploy the downloaded OVA file using the "Deploy OVF Template" option. Go to Local file and select the downloaded OVA file for UAG.
  3. A small UAG ("2vCPU, 4GB RAM") should be enough for small sites. For larger sites, refer to the KB and choose appropriate sizing based on the number of remote Horizon users expected.
  4. Choose UAG with the Single NIC configuration. In this case UAG will have only one internal LAN IP, and the firewall must NAT the public IP:ports to the UAG private IP:ports.
    If it is not possible to have UAG with a single NIC as specified above, refer to the documentation to understand the two-NIC option.
  5. On the networks page, for all three types of network (Internet / ManagementNetwork / BackendNetwork), choose the portgroup on which the internal private IP will be assigned to UAG.
  6. IP protocol can be IPv4 (or other suitable option as per your environment)
  7. For an IPv4-based UAG, select "STATICV4" for "IPMode for NIC 1 (eth0)".
  8. Fill in the IP address for UAG private IP at "NIC 1 (eth0) IPv4 Address"
  9. Fill in the following:
    • DNS server addresses -- Could be AD used for deploying Horizon
    • DNS Search domain -- Could be AD domain for AD used for deploying Horizon
    • NIC1 (eth0) IPv4 netmask
    • IPv4 Default Gateway
    • Unified Gateway Appliance Name (e.g. uag1)
    • Provide root password
    • Provide Admin password
    • (Optionally) enable ssh and SSH root login using password
  10. Once UAG is deployed, access the admin interface at https://<UAG-IP>:9443/ and log in as the admin user. The admin password was specified while deploying the UAG OVA appliance.
  11. After UAG is deployed, go to "Configure Manually".
  12. In the General Settings > Edge Service Settings, click Show.
  13. Click the Horizon Settings gearbox icon.
  14. Enable and enter "Connection Server URL". UAG should be able to resolve it via its DNS.
    We can also specify the connection server IP as https://<IP> if DNS resolution is not assured.
    We can also SSH to UAG as root and add an /etc/hosts entry that maps the connection server FQDN to the connection server IP.
    Ping the connection server from the UAG SSH (PuTTY) session to validate that they are connected and that the FQDN resolves to the correct IP.
  15. After this, open https://<connection-server>, copy the SHA-1 thumbprint of its certificate, and configure it as sha1=<value> in the "Connection Server URL Thumbprint" field.
  16. Enable and enter "PCOIP External URL". This should be public IP (and not FQDN):port. (Default port 4172)
  17. Enable and enter "Blast External URL". This can be the public FQDN with port. (Default port 443)
  18. Enable and enter "Tunnel External URL". This can also be configured via FQDN. The port must be specified along with the FQDN, e.g. 8443.
  19. Change default proxy pattern to
    /|/downloads(.*)
    Refer to https://www.carlstalhood.com/vmware-unified-access-gateway/. Note that the original default value for the proxy pattern is (/|/view-client(.*)|/portal(.*)|/appblast(.*))
  20. After this, configure a recognized SSL certificate for UAG. Refer to "Installing properly recognized public external SSL certificate on UAG".
    In the latest UAG, a self-signed certificate may not work due to strict security enablement.
  21. Edit file 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties' on connection server to have:
    checkOrigin=false
    portalHost1=<UAG-FQDN>
    As per
  22. In the Horizon admin interface, in the connection server settings, ensure that:
    • "Use Secure Tunnel connection to machine"
    • "Use PCoIP Secure Gateway for PCoIP connections to machine"
    are both not selected
  23. Select "Do not use Blast Secure Gateway".
  24. In all three text boxes, enter the correct external URL (Secure Tunnel / Blast) or public IP (PCoIP).
  25. After this, look at the UAG service status under Horizon Settings. If all service statuses are green, try to access UAG from outside the company network.
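
For step 15, the thumbprint can be computed rather than copied by hand. The following is an added example, not part of the original notes: it hashes the DER form of the certificate the connection server presents and checks it against the value configured on the UAG. The function names, the colon separator and the sample PEM are assumptions made for illustration.

```python
import hashlib
import ssl

# Constructed test vector: PEM armor around the bytes b"abc" (not a real
# certificate), used only to check hashing and formatting offline.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def thumbprint_from_pem(pem: str) -> str:
    """Return 'sha1=xx:xx:...' for a PEM certificate (SHA-1 over the DER bytes)."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha1(der).hexdigest()
    pairs = [digest[i:i + 2] for i in range(0, len(digest), 2)]
    return "sha1=" + ":".join(pairs)


def normalize(thumbprint: str) -> str:
    """Drop an optional 'sha1=' prefix, separators and case before comparing."""
    value = thumbprint.strip().lower()
    if value.startswith("sha1="):
        value = value[len("sha1="):]
    return value.replace(":", "").replace(" ", "")


def pin_matches(configured: str, pem: str) -> bool:
    """True if the value configured on the UAG matches the given certificate."""
    return normalize(configured) == normalize(thumbprint_from_pem(pem))


def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch the certificate a server presents. The chain is not validated,
    so run this from the same internal network the UAG uses."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    import sys
    # With an argument: print the thumbprint of that connection server.
    # Without one: print the thumbprint of the constructed sample.
    pem = fetch_pem(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PEM
    print(thumbprint_from_pem(pem))
```

Re-running the comparison after the connection server certificate is renewed shows whether the thumbprint configured on the UAG needs to be updated.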


