VMware Unified Access Gateway – Upgrade to v. 2303

Release date: April 7th 2023

Welcome to my VMware Unified Access Gateway series. The new version of Unified Access Gateway, 2303, was GA on March 14th 2023. In this section I will describe how I upgraded my UAG’s to v. 2303. According to VMware’s official documentation, this should be done as step 8 in the supported update sequence.

To check out all the new features and changes with VMware Unified Access Gateway 2303, read the release notes from VMware posted here: Unified Access Gateway 2303 Release Notes. Below are some of the most important changes.

VMware Unified Access Gateway 2303 provides the following new features and enhancements:

  • Enhancements to the existing command line utilities for making configuration changes:
    • adminpwd command (used to reset password of admin and monitoring users) now supports an option to force the user to change the password on first login.
    • adminreset command (used to reset the admin interface settings back to the default settings for password authentication) now supports granular options to reset the individual configurations (like admin TLS certificate, admin SAML configuration, and TLS settings).
  • Added an option in VMware Per-App Tunnel Settings to control if automatic configuration updates from Workspace ONE UEM console are applied.
  • Added support to allow configuration of TLS settings used in communication with Workspace ONE UEM console for pulling initial configurations of VMware Per-App Tunnel, Content Gateway, and Secure Email Gateway edge services. Perpetual API communications for each service still require TLS setting configuration in their source configurations in Workspace ONE UEM.
  • Added support for deployment with PowerShell version 7.3 from an Ubuntu machine.
  • End of Support Life for VMware Tunnel Proxy. The VMware Per-App Tunnel component includes support for the same use cases as VMware Tunnel Proxy component. For more information, see the Knowledge Base (KB) article VMware Tunnel Proxy End of Support Life Announcement (87345).
  • Logging improvements and troubleshooting enhancements.
  • Updates to Photon OS package versions and Java component versions.

First, I download the necessary installation media and Powershell scripts from VMware Customer Connect to my deployment server.

Next, I login to the admin-gui and export the settings before I start upgrading.

I copy the new OVA-file and the updated uagdeploy Powershell files to my working directory

Next, I edit the ini-files with new ova filename

In my previous upgrades, I have reconfigured the SSL Certificates after deployment. This time, I will use the ini-file to configure the SSL Certificate. I first export the certificates from the HAProxy server as described here: HAProxy Export certificates. Next, I need to encrypt my key with RSA, running the command documented by VMware here: Convert Certificate Files to One-Line PEM Format.

openssl rsa -in c:\cert\desktop\privkey.pem -check -out c:\cert\desktop\privkey_rsa.pem

I copy the “privkey_rsa.pem”-file to my working folder and adjust the SSLCert section in the ini-file

Finally, I deploy the UAG’s with the new ova-file using the existing ini-files. As we can see from the screenshot below, the script automatically shuts down the existing UAG’s and deletes them, before deploying the new UAG’s using the settings I defined in the ini-files. NOTE: When executing the uagdeploy.ps1 script, I previously used PASSWORD PASSWORD false false no as parameters, but these no longer works. I replaced PASSWORD with the passwords I wanted to use instead, which works flawlessly. For details see: Using PowerShell to Deploy the Unified Access Gateway Appliance

It is also important to check out the new demands due to the “Re-Write Origin Header” property, as documented by VMware here: Configure Horizon Settings

Reference: Cross-Origin Resource Sharing (CORS) with Horizon 8 and loadbalanced HTML5 access. (85801)

I adjust my locked.properties file as shown below and restart my Connection Servers

When the upgrade is complete, I log in and check that all my settings are correct,

I also login to VMware Horizon Administrator, where I can see that the Gateways are up and running the new version

This completes the UAG upgrade, and I do a test by logging in through the HAProxy and UAG’s. With this done, I can now proceed with upgrading the MDT OSOT components prior to upgrading agents within the Horizon Desktops, covered here: VMware Horizon – Upgrade OSOT MDT Plugin to v. 2303

VMware Unified Access Gateway – Upgrades

VMware Unified Access Gateway planning, deployment etc.

Disclaimer: Every tips/tricks/posting I have published here, is tried and tested in different it-solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.

%d bloggers like this: