Release date: May 12th 2019, updated February 21st 2022
Welcome to my VMware Unified Access Gateway series. This topic covers deploying VMware UAG with PowerShell.
Prior to deployment I need to download and install VMware OVF Tool on a server/workstation with access to the vCenter. This can be downloaded from: https://www.vmware.com/support/developer/ovf/
I will be using the PowerShell scripts I downloaded with the OVA file and the view-uag01.ini-file I created during preparations. Although I planned for a three-nic setup, I will be deploying a two-nic setup, due to the fact that I don’t have a separate management network in my lab.
Before I start deployment in PowerShell I set ExecutionPolicy to unrestricted:
The deployment is done with the uagdeploy.ps1 script, which can be launched using the parameters described below, which are documented within the ps1-file:
    param([string]$iniFile = "uag.ini", [string] $rootPwd, [string] $adminPwd,
          [switch] $disableVerification, [switch] $noSSLVerify, [string] $ceipEnabled,
          [string] $awAPIServerPwd, [string] $awTunnelGatewayAPIServerPwd,
          [string] $awTunnelProxyAPIServerPwd, [string] $awCGAPIServerPwd,
          [string] $awSEGAPIServerPwd, [string] $newAdminUserPwd)
To start the deployment I run the command below, which will deploy the UAG using the view-uag01.ini file for my settings, as described below. Furthermore, I input my passwords for the $rootPwd and the $adminPwd strings. I also input “false” for the $disableVerification and $noSSLVerify string, and no to $ceipEnabled.
    .\uagdeploy.ps1 .\view-uag01.ini <MyRootPassword> <MyAdminPassword> false false no
Once the UAG is deployed, I power it up and verify the IP-addresses.
The ini-file I use has 3 sections. Under “General” I have the following settings (this ini-file is for a One Nic Setup):
    [General]
    name=hz-uag-01.ad.admin.frelab.net
    ntpServers=no.pool.ntp.org
    sshEnabled=true
    sshPasswordAccessEnabled=true
    adminPasswordExpirationDays=0
    healthCheckURL=/favicon.ico
    dnsSearch=ad.admin.frelab.net
    ceipEnabled=false
    source=C:\UAG-Deploy\euc-unified-access-gateway-184.108.40.206-19224741_OVF10.ova
    target=vi://firstname.lastname@example.org:PASSWORD@172.16.0.125/FreLab Datacenter/host/FreLab Cluster
    # "172.16.0.125" = ip of vCenter
    # "FreLab Datacenter" = Datacenter-name
    # "host" = Where to put the vm, host = Host and Clusters
    # "FreLab Cluster" = Cluster-name
    ds=VMFS3
    netInternet=DMZ
    netManagementNetwork=DMZ
    netBackendNetwork=DMZ
    defaultGateway=10.0.100.1
    deploymentOption=onenic
    ip0=10.0.100.11
    netmask0=255.255.255.0
    dns=172.16.0.20 172.16.0.18
    sessionTimeout=39600000
Next comes a section with cert info, so that I can automate the certificate setup on the UAG as well. The certificates are exported and converted to PEM from my HAProxy appliance beforehand. I have documented how to do this here: HAProxy Export certificates
    [SSLCert]
    clientEncryptionMode=ALLOWED/REQUIRED/DISABLED
    pemCerts=C:\UAG-Deploy\fullchain.pem
    pemPrivKey=privkey_rsa.pem

    [SSLCertAdmin]
    pemCerts=C:\UAG-Deploy\fullchain.pem
    pemPrivKey=C:\UAG-Deploy\privkey_rsa.pem
Finally, I define my VMware Horizon settings. Note that the “proxyDestinationUrl” has to be resolvable from the UAG, otherwise I would recommend using the IP address.
    [Horizon]
    proxyDestinationUrl=https://hz-cs-01.ad.admin.frelab.net
    proxyDestinationUrlThumbprints=19 2f 1c 26 c5 40 1d 5a 5d 47 50 1a 96 a2 25 33 e9 b0 3e 7c
    blastExternalUrl=https://desktop.frelab.net:443
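A pre-flight check of the [SSLCert], [SSLCertAdmin] and [Horizon] sections above can catch a missing PEM file or a malformed thumbprint before the appliance is deployed. This is an added example, not part of VMware's uagdeploy scripts or the original post; Test-UagIni, its -ServerCertPath parameter and the sample values are hypothetical, and it assumes the thumbprint is written as 20 space-separated hex bytes as shown above.

```powershell
# Added example: Test-UagIni and -ServerCertPath are hypothetical, not part of VMware's scripts.
function Test-UagIni {
    param([string[]]$Lines, [string]$ServerCertPath)
    # Parse "key=value" pairs into nested hashtables keyed by section name.
    $ini = @{}; $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        $key, $value = $line -split '=', 2
        if ($section -and $null -ne $value) { $ini[$section][$key.Trim()] = $value.Trim() }
    }

    $findings = @()
    # A relative PEM path depends on the directory the script is started from, so require a rooted path to an existing file.
    foreach ($s in 'SSLCert', 'SSLCertAdmin') {
        if (-not $ini.ContainsKey($s)) { continue }
        foreach ($k in 'pemCerts', 'pemPrivKey') {
            $p = $ini[$s][$k]
            if (-not $p) { $findings += "[$s] $k is not set" }
            elseif (-not [IO.Path]::IsPathRooted($p)) { $findings += "[$s] $k is a relative path: $p" }
            elseif (-not (Test-Path -LiteralPath $p -PathType Leaf)) { $findings += "[$s] $k not found: $p" }
        }
    }

    # Assumption: the thumbprint format is the one on this page, 20 space-separated hex bytes (SHA-1).
    if ($ini.ContainsKey('Horizon')) {
        $tp = $ini['Horizon']['proxyDestinationUrlThumbprints']
        if ($tp -notmatch '^([0-9a-f]{2} ){19}[0-9a-f]{2}$') {
            $findings += '[Horizon] proxyDestinationUrlThumbprints is not 20 hex bytes'
        } elseif ($ServerCertPath) {
            # Compare the pinned value with a certificate exported from the Connection Server.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCertPath
            if ($cert.Thumbprint -ne ($tp -replace ' ', '')) {
                $findings += "[Horizon] pinned thumbprint does not match $ServerCertPath"
            }
        }
    }
    return $findings
}
# Constructed sample input modelled on the sections shown above.
$sample = @'
[SSLCert]
pemCerts=C:\UAG-Deploy\fullchain.pem
pemPrivKey=privkey_rsa.pem
[Horizon]
proxyDestinationUrlThumbprints=aa bb cc
'@ -split "\r?\n"
Test-UagIni -Lines $sample
```

To check a real file, pass `Get-Content .\view-uag01.ini` as -Lines and, optionally, the path of a certificate exported from the Connection Server as -ServerCertPath.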
Now that the appliance is deployed and looking good, I can configure the UAG-settings, covered here: VMware Unified Access Gateway – Configuration