Deploy VMware Unified Access Gateway Scripting
- Authors
- Name
- Jackson Chen
Requirements
- Download and install the correct version of ovftool (VMware OVF Tool)
- Copy and update the required INI file
- Requires uagdeploy.ps1 and uagdeploy.psm1
Deploy PDC UAG
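#
# ************ Deploy PDC UAG ************
# Deploys the Primary Datacenter (PDC) Unified Access Gateway with VMware's
# uagdeploy.ps1, driven by the PDC UAG configuration .ini file.
#
# '#Requires' below is a real PowerShell directive; the original '#Rquires'
# was a misspelled comment and therefore never enforced elevation.
#Requires -RunAsAdministrator
Clear-Host   # full cmdlet name instead of the 'cls' alias (PSAvoidUsingCmdletAliases)
# Variables
$Computer = $env:COMPUTERNAME
$OVFToolDir = 'C:\Program Files\VMware\VMware OVF Tool'
# uagdeploy.ps1 is reached through the local D$ admin share; uagdeploy.psm1
# must sit next to it (see Requirements).
$uagdeployFille = "\\$Computer\d$\Scripts\UAG\uagdeploy.ps1"
# PDC Datacenter UAG configuration
$iniFileFDC = "\\$Computer\d$\Scripts\UAG\uag-PDC-twonic.ini"
#***************************************************
# Warning:
#
# Set the UAG root & admin password here only for the duration of the
# deployment and remove them afterwards: they sit in clear text in this
# file (and in every copy or backup of it) and are handed to uagdeploy.ps1
# as plain positional arguments. The prompting form of the call in Main
# avoids storing them here at all.
#
$rootPwd = "xxxxx"
$adminPwd = "xxxxx"
#
#***************************************************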
# ------------------------------------------------------
# Function Name: Show-Menu
# Usage:
# Clears the console, prints a red warning banner and lists the two
# choices the caller reads back with Read-Host: 'yes' to deploy (Main
# compares with -eq, which is case-insensitive, so 'YES' also works) or
# any other key to exit. Writes to the host only and returns nothing.
# Parameters:
# -Title  Banner text. The default warns that an existing VM with the
#         same name in the cluster is deleted by the deployment.
# ------------------------------------------------------
Function Show-Menu
{
Param (
[String] $Title = " !!!!!! Warning - This Will DELETE UAG if same VM name in VMware cluster !!!!!!"
)
    Clear-Host
    $banner = "`n`n ********** $Title ********** "
    Write-Host -Object $banner -ForegroundColor Red
    Write-Host -Object "`n"
    $choices = @(
        "1: Type 'yes' or 'YES' to confirm that you are very sure to deploy VMware Unified Access Gateway. ",
        "2: or press any other key to exit"
    )
    foreach ($choice in $choices) {
        Write-Host -Object $choice
    }
}
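#*****************************************************
#
# Main
#
#*****************************************************
# Ask user for confirmation. The answer is kept in $confirmation rather than
# $Input: $input is a PowerShell automatic variable (the pipeline enumerator)
# and assigning to it is flagged by PSScriptAnalyzer
# (PSAvoidAssignmentToAutomaticVariable).
Show-Menu
$confirmation = Read-Host "Please make a selection."
# -eq on strings is case-insensitive, so 'yes' and 'YES' both confirm.
If ($confirmation -eq 'yes') {
    Write-Host "`n Warning: If the ini file does not contain vCenter password, `nYou will be prompt for vCenter password"
    Write-Host "`n Warning: If the PowerShell does not contain UAG root & admin password, `nYou will be prompted for UAG root and admin passwrod."
    # Fail early with a clear message if the OVF Tool directory, the
    # deployment script or the .ini file is missing, instead of letting
    # Set-Location or the call operator fail part-way through.
    foreach ($requiredPath in @($OVFToolDir, $uagdeployFille, $iniFileFDC)) {
        if (-not (Test-Path -LiteralPath $requiredPath)) {
            throw "Required path not found: $requiredPath"
        }
    }
    Set-Location -LiteralPath $OVFToolDir
    #
    # *** Deploy UAG appliance with options ***
    #
    # UAG deployment requires the following inputs if the script does not
    # supply them as arguments:
    # 1. root password
    # 2. admin password
    # 3. CEIP setting (false here)
    Write-Host "`nDeploy Primary Datacenter UAG." -ForegroundColor Green
    #
    # Uses the root & admin password from the variables at the top of the
    # script, passed positionally after -iniFile.
    #
    & $uagdeployFille -iniFile $iniFileFDC $rootPwd $adminPwd false
    #
    # Alternative: pass only the .ini file and let uagdeploy.ps1 prompt for
    # 1. root password
    # 2. admin password
    # 3. Customer Experience (CEIP) option
    # Preferred when the passwords should not be stored in this file.
    #& $uagdeployFille $iniFileFDC
}
Else {
    Write-Host "`n No VMware Unified Access Gateway will be deployed." -ForegroundColor Green
}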
Deploy SDC UAG
When deploying the SDC UAG, replace the INI file path with the SDC configuration file:
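# SDC Datacenter UAG configuration (same variable name as in the PDC script,
# so the rest of that script needs no other change; the closing quote was
# missing in the original line)
$iniFileFDC = "\\$Computer\d$\Scripts\UAG\uag-SDC-twonic.ini"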
Ask user for datacenter UAG deployment
This variant asks the user to select the Primary or Secondary datacenter for the UAG deployment.
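#Requires -RunAsAdministrator
# The line above is a real PowerShell directive; the original '#Rquires' was a
# misspelled comment and therefore never enforced elevation.
Clear-Host   # full cmdlet name instead of the 'cls' alias (PSAvoidUsingCmdletAliases)
# Variables
$Computer = $env:COMPUTERNAME
$OVFToolDir = 'C:\Program Files\VMware\VMware OVF Tool'
# uagdeploy.ps1 is reached through the local D$ admin share; uagdeploy.psm1
# must sit next to it (see Requirements).
$uagdeployFille = "\\$Computer\d$\Scripts\UAG\uagdeploy.ps1"
# Fyshwick datacenter (Primary / PDC) UAG configuration - FDC = Fyshwick DC.
# Main must reference exactly this name.
$iniFileFDC = "\\$Computer\d$\Scripts\UAG\uag-PDC-twonic.ini"
# Hume datacenter (Secondary / SDC) UAG configuration - HDC = Hume DC.
# Main must reference exactly this name.
$iniFileHDC = "\\$Computer\d$\Scripts\UAG\uag-SDC-twonic.ini"
#***************************************************
# Warning:
#
# Set the UAG root & admin password here only for the duration of the
# deployment and remove them afterwards: they sit in clear text in this
# file (and in every copy or backup of it) and are handed to uagdeploy.ps1
# as plain positional arguments. The prompting form of the call in Main
# avoids storing them here at all.
#
$rootPwd = "xxxxx"
$adminPwd = "xxxxx"
#
#***************************************************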
# ------------------------------------------------------
# Function Name: Show-Menu
# Usage:
# Clears the console, prints a red warning banner and lists the two
# choices the caller reads back with Read-Host: 'yes' to continue (Main
# compares with -eq, which is case-insensitive, so 'YES' also works) or
# any other key to exit. Writes to the host only and returns nothing.
# Parameters:
# -Title  Banner text. The default warns that an existing VM with the
#         same name in the cluster is deleted by the deployment.
# ------------------------------------------------------
Function Show-Menu
{
Param (
[String] $Title = " !!!!!! Warning - This Will DELETE UAG if same VM name in VMware cluster !!!!!!"
)
    Clear-Host
    Write-Host -Object ("`n`n ********** {0} ********** " -f $Title) -ForegroundColor Red
    Write-Host -Object "`n"
    @(
        "1: Type 'yes' or 'YES' to confirm that you are very sure to deploy VMware Unified Access Gateway. ",
        "2: or press any other key to exit"
    ) | ForEach-Object { Write-Host -Object $_ }
}
# ------------------------------------------------------
# Function Name: Show-UAG-Datacenter-Environment-Menu
# Usage:
# Clears the console and shows the datacenter selection menu. The caller
# reads the answer with Read-Host; Main accepts 'pdc' or 'sdc' in any case
# (its comparison is case-insensitive) and treats anything else as exit.
# 1. Fyshwick Datacenter - PDC
# 2. Hume Datacenter - SDC
# Writes to the host only and returns nothing.
# Parameters:
# -Title  Banner text (printed without colour, unlike Show-Menu).
# ------------------------------------------------------
Function Show-UAG-Datacenter-Environment-Menu
{
Param (
[String] $Title = " ------------ Select VMware Unified Access Gateway Environment For Deployment ------------"
)
    Clear-Host
    Write-Host -Object ("`n`n ********** {0} ********** " -f $Title)
    Write-Host -Object "`n"
    @(
        "1: Type 'pdc' or 'PDC' to confirm that you are deploying UAG to Primary Datacenter.",
        "2: Type 'sdc' or 'SDC' to confirm that you are deploying UAG to Secondary Datacenter. ",
        "3: or press any other key to exit"
    ) | ForEach-Object { Write-Host -Object $_ }
}
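#*****************************************************
#
# Main
#
#*****************************************************
# Fail early with a clear message if the OVF Tool directory or the deployment
# script is missing, instead of letting Set-Location or the call operator
# fail part-way through.
foreach ($requiredPath in @($OVFToolDir, $uagdeployFille)) {
    if (-not (Test-Path -LiteralPath $requiredPath)) {
        throw "Required path not found: $requiredPath"
    }
}
Set-Location -LiteralPath $OVFToolDir
# Ask user for confirmation. The answer is kept in $confirmation rather than
# $Input: $input is a PowerShell automatic variable (the pipeline enumerator)
# and assigning to it is flagged by PSScriptAnalyzer
# (PSAvoidAssignmentToAutomaticVariable).
Show-Menu
$confirmation = Read-Host "Please make a selection."
# Deploy UAG if the user enters YES to build a new UAG (-eq is case-insensitive)
If ($confirmation -eq "yes") {
    Write-Host "`n Warning: If the ini file does not contain vCenter password, `nYou will be prompt for vCenter password"
    Write-Host "`n Warning: If the PowerShell does not contain UAG root & admin password, `nYou will be prompted for UAG root and admin passwrod."
    # Ask user for datacenter environment to deploy UAG
    Show-UAG-Datacenter-Environment-Menu
    $DataCenterOption = Read-Host "Please select valid datacenter to deploy UAG"
    # Map the selection to the .ini file defined at the top of the script:
    # $iniFileFDC = Fyshwick / Primary (PDC), $iniFileHDC = Hume / Secondary
    # (SDC). The original referenced $iniFilePDC / $iniFileSDC, which are never
    # defined, so uagdeploy.ps1 received an empty -iniFile.
    # switch matches strings case-insensitively, like -eq.
    $iniFile = $null
    switch ($DataCenterOption) {
        'pdc' {
            Write-Host "`nDeploy UAG in Primary datacenter."
            $iniFile = $iniFileFDC
        }
        'sdc' {
            Write-Host "`nDeploy UAG in Secondary Datacenter."
            $iniFile = $iniFileHDC
        }
        default {
            Write-Host "`n No VMware Unified Access Gateway will be deployed." -ForegroundColor Green
        }
    }
    if ($null -ne $iniFile) {
        if (-not (Test-Path -LiteralPath $iniFile)) {
            throw "UAG configuration file not found: $iniFile"
        }
        # *** Deploy UAG appliance with options ***
        #
        # uagdeploy.ps1 takes the following positionally after -iniFile:
        # 1. root password
        # 2. admin password
        # 3. CEIP setting (false here)
        # The passwords come from the variables at the top of the script.
        & $uagdeployFille -iniFile $iniFile $rootPwd $adminPwd false
        #
        # Alternative: pass only the .ini file and let uagdeploy.ps1 prompt for
        # 1. root password
        # 2. admin password
        # 3. Customer Experience (CEIP) option
        # Preferred when the passwords should not be stored in this file.
        #& $uagdeployFille $iniFile
    }
}
Else {
    Write-Host "`n No VMware Unified Access Gateway will be deployed." -ForegroundColor Green
}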
Input INI file
Enter the required IP addresses of the PDC or SDC network adapters in the INI file.
If deploying to the PDC, update the file with the PDC UAG IP addresses and default gateway.
If deploying to the SDC, update the file with the SDC UAG IP addresses and default gateway.
[General]
# Notification
# NOTE(review): eth0ErrorMsg is not explained on this page; leave it as supplied
# unless the VMware uagdeploy INI reference for this UAG version says otherwise.
eth0ErrorMsg={"netmask":"SUCCESS","ip":"SUCCESS","defaultGateway":"SUCCESS"}
#
# UAG deployment
#
# UAG virtual appliance unique name (between 1 and 32 characters).
# If name is not specified, the script will prompt for it.
# Per the deployment script's warning banner, an existing VM with this name in
# the cluster is deleted, so double-check it before confirming the deployment.
#
# VM name
name=<UAG VM Name>
# UAG hostname
uagName=<UAG Hostname FQDN>
#*****************************************************************
#
# Full path filename of the UAG .ova virtual machine image
# The file can be obtained from VMware
# The deployment trusts this file as-is: verify the download against the
# checksum VMware publishes before deploying, and keep the UAG version in
# line with the ovftool version installed (see Requirements).
#
#*****************************************************************
source=D:\Scripts\UAG\euc-unified-access-gateway-20.09.0.0-16950076_OVF10.ova
#
# target refers to the vCenter username and address/hostname and the ESXi host for deployment
# Refer to the ovftool documentation for information about the target syntax.
# See https://www.vmware.com/support/developer/ovf/
# PASSWORD in upper case results in a password prompt during deployment so that passwords do not need
# to be specified in this .INI file.
# In this example, the vCenter username is administrator@vsphere.local
# the vCenter server is 192.168.0.21 (this can be a hostname or IP address)
# the ESXi hostname is esx1.myco.int (this can be a hostname or IP address)
#
# Leave PASSWORD in upper case, don't enter the actual password. OVF Tool will prompt for the password.
# administrator@vsphere.local is the vSphere SSO administrator; a dedicated
# deployment account holding only the vCenter rights ovftool needs is preferable.
target=vi://administrator@vsphere.local:PASSWORD@<vCenterFQDN or IP>/<Datacenter Name>/host/<Cluster Name>
#
# vSphere datastore name
#
ds=<vSphere datastore name>
#
# Disk provisioning mode. Refer to OVF Tool documentation for options.
#
diskMode=thin
#
# vSphere Network names. For pre 3.3 UAG versions, a vSphere Network Protocol Profile (NPP) must be associated with every referenced network name. This specifies
# network settings such as IPv4 subnet mask, gateway etc. UAG 3.3 and newer no longer uses NPPs and so for static IPv4 addresses a netmask0, netmask1 and netmask2
# value must be specified for each NIC. Normally a defaultGateway setting is also required.
#
# netInternet: Portgroup used in vSphere for the Internet/DMZ interface
netInternet=<DMZ Internet dvPG name>
# netManagementNetwork & netBackendNetwork are the Portgroups used for the internal interface
netManagementNetwork=<DMZ internal dvPG name>
netBackendNetwork=<DMZ internal dvPG name>
# defaultGateway: IP address for the gateway on the netInternet interface
defaultGateway=<gateway IP address>
#
# Mobility UAG with two network adapters
#
deploymentOption=twonic
# ip0: IP address for the netInternet interface (static IPv4)
ip0=<Internet adapter IP address>
netmask0=<Netmask>
ip0AllocationMode=STATICV4
# ip1: IP address for the internal interface (static IPv4)
ip1=<Internal adapter IP address>
netmask1=<Netmask>
ip1AllocationMode=STATICV4
#
# UAG Internet ip0 is using defaultGateway
# Configure static routes for UAG internal network ip1
#
# Note:
# Configure the static route to route internal networks via the internal network default gateway,
# so that backend traffic never leaves through the Internet-facing interface.
#
# Example:
# If the UAG internal address is 192.168.0.10/24 and its default gateway is 192.168.0.1, and
# internal servers, such as Horizon Connection Servers and VDI desktop pools, are in 10.0.0.0/21, then
# routes1=10.0.0.0/21 192.168.0.1
#
# If there are multiple internal subnets, add multiple static routes in UAG (comma separated)
# routes1=10.0.0.0/21 192.168.0.1,20.0.0.0/21 192.168.0.1
#
routes1=<internal-network-subnet>/24 <gateway IP>
# Two DNS servers, space separated (placeholders)
dns=x.x.x.x x.x.x.y
# syslog:// is plain (unencrypted) syslog; the collector should be reached over the
# internal network, not via the Internet-facing interface.
syslogUrl=syslog://<syslog-IP or hostname>:514
#
# Setting honorCipherOrder to true forces the TLS cipher order to be the order specified by the server. This can be set on
# UAG 2.7.2 and newer to force the Forward Secrecy ciphers to be presented first to improve security.
# Enabling it is recommended for the reason given above; it is left commented out here as supplied.
#
#honorCipherOrder=true
#
# sessionTimeout value in milliseconds. Default is 36000000 (10 hours). When the session timeout expires,
# the user needs to login again.
#
# 11 hours - one hour longer than the default; a longer timeout keeps a
# compromised session usable for longer, so keep it as short as operations allow.
sessionTimeout=39600000
[SSLCert]
#
# From UAG 3.0 and newer, you can specify the name of a .pfx or .p12 format certificate file containing the required certificate and private key and
# any required intermediate certificates. In this case there is no need to use openssl commands to convert the .pfx/.p12 file into the
# associated PEM certificates file and PEM private key file.
#
# The .pfx contains the private key: restrict the NTFS permissions on D:\Scripts\UAG to the
# deploying administrators and remove the file after deployment, as the script already
# asks for the passwords it holds.
pfxCerts=D:\Scripts\UAG\<certificate>.pfx
#
# If there are multiple SSL certificates with private key in the .pfx file you also need to specify an alias name in order to select the required certificate.
# This is not necessary if there is only one SSL certificate with private key in the file
#
#pfxCertAlias=alias1
#
# The following pemCerts and pemPrivKey settings are only needed if you don't have a .pfx/.p12 file and want to directly use the two PEM format files.
#
# pemCerts refers to a PEM format file containing the SSL server certificate to be deployed. The file should also contain any
# required intermediate CA and root CA certificates.
#
# The UAG SSL certificate pem file
#pemCerts=sslcerts.pem
#
# pemPrivKey refers to a file containing the RSA PRIVATE KEY for the SSL server certificate in the above certificate file.
#
# The UAG SSL certificate private key
#pemPrivKey=sslcertrsakey.pem
#
# From UAG 3.2 and newer, you can specify a certificate for the admin interface on port 9443. It is in the same format as [SSLCert] above.
# While [SSLCertAdmin] stays commented out, the admin interface keeps its default certificate.
#
# [SSLCertAdmin]
# pfxCerts=sslcerts.pfx
#pemCerts=sslcerts.pem
#pemPrivKey=sslcertrsakey.pem
# Set locale to Australia (left disabled as supplied)
#locale=en_AUS
# NOTE(review): ntpServers and sshEnabled are placed under [SSLCert] here but read like
# general appliance settings; confirm against the VMware uagdeploy INI reference for this
# UAG version that they are honoured in this section, or move them to [General].
#ntpServers: F5 VIP for NTP server
ntpServers=<NTP server IP>
#sshEnabled: Leave this blank to NOT enable ssh, which is recommended in Production
sshEnabled=
[Horizon]
#
# proxyDestinationUrl refers to the backend Connection Server to which this UAG appliance will connect.
# It can either specify the name or IP address of an individual Connection Server or of a load balanced alias to connect
# via a load balancer in front of multiple Connection Servers.
#
proxyDestinationUrl=https://<Internal VMware Connection Server F5 VIP>
#
# proxyDestinationUrlThumbprints only needs to be specified if the backend Connection Servers do not have
# a trusted CA signed SSL server certificate installed (e.g. if it has the default self-signed certificate only).
# This is a comma separated list of thumbprints in the format shown here.
# A pinned thumbprint effectively replaces CA validation of the backend, so it must be updated whenever
# the Connection Server (or VIP) certificate is renewed; leave it commented out when the backend presents
# a certificate from a trusted CA.
#
#
# Must use sha1
#
proxyDestinationUrlThumbprints=sha1:xx xx xx xx <SSL thumbprint>
#
# The following external URLs are used by Horizon Clients to establish tunnel, HTML Access and PCoIP connections
# to this UAG appliance. If they reference a load balancer name or address then the load balancer must be
# configured for source IP hash affinity otherwise the connections may route to the wrong UAG appliance.
#
tunnelExternalUrl=https://external.test.lab:443
# NOTE(review): 'exernal' below differs from 'external' above and looks like a typo in the host name;
# confirm the intended FQDN before deploying (value left as supplied).
blastExternalUrl=https://exernal.test.lab:443
#
# pcoipExternalUrl must contain an IPv4 address (not a DNS name)
#
#
# MUST be the F5 VIP IP address that services UAG
#
# '<IP adress>' is a placeholder (spelling as supplied) to be replaced with the IPv4 address.
pcoipExternalUrl=<IP adress>:4172
# NOTE(review): kept true as supplied; confirm the legacy-certificate semantics for this UAG version
# in the VMware documentation before changing it.
pcoipDisableLegacyCertificate=true
#
# The following optional sections can be used to create admin users with monitoring role.
#
# Accepts the following inputs for user:
# Username as "name" field. Mandatory field if the user needs to be created.
# Optional status as "enabled" field. Possible values: true (default) / false.
#
# Password for these users can be provided either interactively on the shell or using a parameter.
# To provide as parameter, use the parameter name as "newAdminUserPwd" and value like
# "monitoringUser1:P@ssw0rd1;monitoringUser2:P@ssw0rd2".
#[AdminUser1]
#name=monitoringUser1
#enabled=false
#
#[AdminUser2]
#name=monitoringUser2