Release date: May 12th 2019, updated February 21st 2022
Welcome to my VMware Unified Access Gateway series. This post covers deploying VMware UAG with PowerShell.
Prior to deployment I need to download and install VMware OVF Tool on a server/workstation with access to the vCenter. This can be downloaded from: https://www.vmware.com/support/developer/ovf/
I will be using the PowerShell scripts I downloaded with the OVA file and the view-uag01.ini file I created during preparations. Although I planned for a three-nic setup, I will be deploying a two-nic setup, because I don’t have a separate management network in my lab.
Before I start the deployment in PowerShell, I set the ExecutionPolicy to Unrestricted:
Set-ExecutionPolicy Unrestricted
The deployment is done with the uagdeploy.ps1 script, which can be launched using the parameters shown below, as documented within the ps1 file:
param([string]$iniFile = "uag.ini", [string] $rootPwd, [string] $adminPwd, [switch] $disableVerification, [switch] $noSSLVerify, [string] $ceipEnabled,
[string] $awAPIServerPwd, [string] $awTunnelGatewayAPIServerPwd, [string] $awTunnelProxyAPIServerPwd, [string] $awCGAPIServerPwd, [string] $awSEGAPIServerPwd,
[string] $newAdminUserPwd)
To start the deployment I run the command below, which deploys the UAG using the view-uag01.ini file for my settings, as described below. I pass my passwords for the $rootPwd and $adminPwd strings. I also pass “false” for the $disableVerification and $noSSLVerify parameters, and no for $ceipEnabled.
.\uagdeploy.ps1 .\view-uag01.ini <MyRootPassword> <MyAdminPassword> false false no
Once the UAG is deployed, I power it up and verify the IP-addresses.
The ini file I use has 3 sections. Under “General” I have the following settings (this ini file is for a One Nic Setup):
[General]
name=hz-uag-01.ad.admin.frelab.net
ntpServers=no.pool.ntp.org
sshEnabled=true
sshPasswordAccessEnabled=true
adminPasswordExpirationDays=0
healthCheckURL=/favicon.ico
dnsSearch=ad.admin.frelab.net
ceipEnabled=false
source=C:\UAG-Deploy\euc-unified-access-gateway-21.11.2.0-19224741_OVF10.ova
target=vi://administrator@vsphere.local:PASSWORD@172.16.0.125/FreLab Datacenter/host/FreLab Cluster
# "172.16.0.125" = ip of vCenter
# "FreLab Datacenter" = Datacenter-name
# "host" = Where to put the vm, host = Host and Clusters
# "FreLab Cluster" = Cluster-name
ds=VMFS3
netInternet=DMZ
netManagementNetwork=DMZ
netBackendNetwork=DMZ
defaultGateway=10.0.100.1
deploymentOption=onenic
ip0=10.0.100.11
netmask0=255.255.255.0
dns=172.16.0.20 172.16.0.18
sessionTimeout=39600000
Next comes a section with certificate info, so that I can automate the certificate setup on the UAG as well. The certificates are exported and converted to PEM from my HAProxy appliance beforehand. I have documented how to do this here: HAProxy Export certificates
[SSLCert]
clientEncryptionMode=ALLOWED/REQUIRED/DISABLED
pemCerts=C:\UAG-Deploy\fullchain.pem
pemPrivKey=privkey_rsa.pem
[SSLCertAdmin]
pemCerts=C:\UAG-Deploy\fullchain.pem
pemPrivKey=C:\UAG-Deploy\privkey_rsa.pem
Finally, I define my VMware Horizon settings. Note that the “proxyDestinationUrl” has to be resolvable from the UAG, otherwise I would recommend using the IP address.
[Horizon]
proxyDestinationUrl=https://hz-cs-01.ad.admin.frelab.net
proxyDestinationUrlThumbprints=19 2f 1c 26 c5 40 1d 5a 5d 47 50 1a 96 a2 25 33 e9 b0 3e 7c
blastExternalUrl=https://desktop.frelab.net:443
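As an added example (not part of the original post or of VMware's deployment scripts), the ini file above can be checked for security-relevant settings before it is handed to uagdeploy.ps1. Read-UagIni and Test-UagIni are hypothetical helper names and the sample ini is constructed; the script assumes that the literal PASSWORD in target leads to a prompt at deploy time and that adminPasswordExpirationDays=0 disables expiry.

```powershell
# Added example; Read-UagIni / Test-UagIni are hypothetical helpers, not VMware code.
function Read-UagIni([string[]]$Lines) {
    $ini = @{}; $section = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }          # skip blanks and comments
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        $key, $value = $t -split '=', 2                              # split on the first '=' only
        if ($section -and $null -ne $value) { $ini[$section][$key.Trim()] = $value.Trim() }
    }
    $ini
}

function Test-UagIni([hashtable]$Ini) {
    $g = $Ini['General']
    if ($g) {
        # Assumption: the literal PASSWORD makes the deployment prompt instead.
        if ($g['target'] -match '^vi://[^:/]+:([^@/]+)@' -and $Matches[1] -cne 'PASSWORD') {
            'General/target: vCenter password stored in clear text'
        }
        if ($g['sshEnabled'] -eq 'true' -and $g['sshPasswordAccessEnabled'] -eq 'true') {
            'General: SSH password logins enabled on the appliance'
        }
        # Assumption: 0 means the admin password never expires.
        if ($g['adminPasswordExpirationDays'] -eq '0') {
            'General/adminPasswordExpirationDays: admin password never expires'
        }
    }
    foreach ($name in 'SSLCert', 'SSLCertAdmin') {
        $key = if ($Ini[$name]) { $Ini[$name]['pemPrivKey'] }
        if ($key -and -not [System.IO.Path]::IsPathRooted($key)) {
            "$name/pemPrivKey: relative path '$key' depends on the working directory"
        }
    }
}

# Constructed sample, modelled on the settings shown in the post.
$sample = @'
[General]
target=vi://administrator@vsphere.local:Constructed-Pw1@vcenter.example/DC/host/Cluster
sshEnabled=true
sshPasswordAccessEnabled=true
adminPasswordExpirationDays=0
[SSLCert]
pemPrivKey=privkey_rsa.pem
[SSLCertAdmin]
pemPrivKey=C:\UAG-Deploy\privkey_rsa.pem
'@ -split "`r?`n"
Test-UagIni (Read-UagIni $sample)
```

To check a real file, pass `Get-Content .\view-uag01.ini` to Read-UagIni in place of the sample lines.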
Now that the appliance is deployed and looking good, I can configure the UAG-settings, covered here: VMware Unified Access Gateway – Configuration
VMware Unified Access Gateway Documentation