VMware Unified Access Gateway

Author: Jackson Chen

References

Carl Stalhood has a quite detailed deployment document:

https://www.carlstalhood.com/vmware-unified-access-gateway/

https://thevirtualhorizon.com/category/uncategorized/

VMware Unified Access Gateway Documentation

https://docs.vmware.com/en/Unified-Access-Gateway/index.html

In production, a three-NIC deployment gives the Internet-facing (outer) side its own NIC and separates management and backend systems onto two dedicated networks. Management traffic uses HTTPS on TCP port 9443.

https://docs.vmware.com/en/Unified-Access-Gateway/3.1/com.vmware.uag-31-deploy-config.doc/GUID-FFC6B49E-07E2-42F0-AA6D-8811E5340BD6.html

It includes "Unified Access Gateway Three NIC Options".

------------Internet--------------
        | Default Gateway (0.0.0.0 - Global Gateway)
        |
     F5 Load Balancers
        |
        | NIC1 (eth0)
      UAG-Appliances ------------- NIC2 (eth1) - Management
        |                  (No route between management and internal, via firewall only)
        |
        | NIC3 (eth2)
-------------DMZ Internal Network-----------------
        |
        |
     Firewalls Separation
        |
        |
     F5 Load Balancing
    |           |
    |           |
    |           |
  Connection  Servers

NIC3 (eth2) needs a static route to the F5 Load Balancing VIP network. This allows traffic from Internet (outer) Horizon View clients to flow along the path shown above and return along the same path. Without the static route configured on UAG NIC3 (eth2), the return traffic would try to leave via the UAG default gateway on NIC1 (eth0).

UAG 3.10 does not require network profiles to be created for the Distributed Port Groups used by the UAG. This provides more flexibility and also simplifies the UAG deployment.

Firewall Rules for DMZ-Based Unified Access Gateway Appliances

https://docs.vmware.com/en/Unified-Access-Gateway/3.10/com.vmware.uag-310-deploy-config.doc/GUID-F197EB60-3A0C-41DF-8E3E-C99CCBA6A06E.html

UAG Port requirements

https://communities.vmware.com/t5/Horizon-Documents/Using-PowerShell-to-Deploy-VMware-Unified-Access-Gateway/ta-p/2782995

Port Requirements for Horizon Connection Server
Port   Protocol     Source                  Target                     Description
443    TCP          Internet                Unified Access Gateway     Web traffic, Horizon Client XML-API, Horizon Tunnel, and Blast Extreme
443    UDP          Internet                Unified Access Gateway     UDP 443 is internally forwarded to UDP 9443 on the UDP Tunnel Server service on Unified Access Gateway
8443   UDP          Internet                Unified Access Gateway     Blast Extreme (optional)
8443   TCP          Internet                Unified Access Gateway     Blast Extreme (optional)
4172   TCP and UDP  Internet                Unified Access Gateway     PCoIP (optional)
443    TCP          Unified Access Gateway  Horizon Connection Server  Horizon Client XML-API, Blast Extreme HTML Access, Horizon Air Console Access (HACA)
22443  TCP and UDP  Unified Access Gateway  Desktops and RDS Hosts     Blast Extreme
4172   TCP and UDP  Unified Access Gateway  Desktops and RDS Hosts     PCoIP (optional)
32111  TCP          Unified Access Gateway  Desktops and RDS Hosts     Framework channel for USB Redirection
9427   TCP          Unified Access Gateway  Desktops and RDS Hosts     MMR and CDR

UAG Traffic Detail

https://communities.vmware.com/t5/Horizon-Documents/Load-Balancing-across-VMware-Unified-Access-Gateway-Appliances/ta-p/2777028

Network Ports Required for Horizon 7

https://techzone.vmware.com/resource/network-ports-vmware-horizon-7

F5 Load Balancing Unified Access Gateway

https://www.f5.com/pdf/solution-center/load-balancing-vmware-unified-access-gateway-servers-deployment-guide.pdf

Using PowerShell to Deploy the Unified Access Gateway Appliance

PowerShell scripts prepare your environment with all the configuration settings. When you run the PowerShell script to deploy Unified Access Gateway, the solution is ready for production on first system boot.

Important:
With a PowerShell deployment, you can provide all the settings in the INI file, and the Unified Access Gateway instance is production-ready as soon as it is booted up. 

If you do not want to change any settings post-deployment, you need not provide the Admin UI password.
However, both Admin UI and the API are not available if the Admin UI password is not provided during deployment. 

If you do not provide the Admin UI password at the time of deployment, you cannot add a user later to enable access to either the Admin UI or the API. You must redeploy your Unified Access Gateway.

https://docs.vmware.com/en/Unified-Access-Gateway/2012/uag-deploy-config/GUID-03C78817-84E3-46C8-8D6A-01C503CDAE56.html#GUID-03C78817-84E3-46C8-8D6A-01C503CDAE56

If you want to upgrade Unified Access Gateway while preserving the existing settings, edit the .ini file to change the source reference to the new version and rerun the .ini file: uagdeploy.ps1 uag1.ini. This process can take up to 3 minutes.

[General]
name=UAG1
source=C:\temp\euc-unified-access-gateway-3.2.1-7766089_OVF10.ova

Network Ports in VMware Horizon 7

https://techzone.vmware.com/resource/network-ports-vmware-horizon-7#about-this-guide

Understand Horizon connections

https://techzone.vmware.com/blog/understanding-horizon-connections

How to deploy UAG

https://www.carlstalhood.com/vmware-unified-access-gateway/

https://communities.vmware.com/t5/Horizon-Documents/Using-PowerShell-to-Deploy-VMware-Unified-Access-Gateway/ta-p/2782995

Verify UAG and Horizon compatibility

https://interopmatrix.vmware.com/Interoperability?col=326,&row=569,&isHideGenSupported=false&isHideTechSupported=false&isHideCompatible=false&isHideNTCompatible=false&isHideIncompatible=false&isHideNotSupported=true&isCollection=false

Ensure you download the version of UAG that is compatible with the deployed Horizon version.

UAG 3.9 supports a wide range of Horizon versions, up to the N-1 version, Horizon 2111.
Deploy UAG 3.9

UAG 3.9 supports Horizon 7.3 through the N-1 version of Horizon, as the current version is 2203.

For more information on Unified Access Gateway (UAG) deployment and configuration, including UAG 3.9, see the tutorial in this VMware Knowledge Base article.

https://kb.vmware.com/s/article/78420

Note:
   UAG 3.9.1 supports Horizon 7.3.0 through 7.13, and Horizon 2111 (N-1, as the N version is 2203).
Important: Only download UAG 3.9.1 for deployment.

1. Install ovftool 4.3 Windows 64-bit (msi) on the Jumpbox.
# Note: If ovftool is already installed, uninstall it and install the new version.

The PowerShell deploy script requires the OVF Tool:
For vSphere 6.7, go to Open Virtualization Format Tool (ovftool) on VMware {code}. The latest release for vSphere 6.7 is 4.3.0 P02. Patch 2 is newer than Update 3.

VMware-ovftool-4.3.0-15755677-win.x86_64.msi
File size: 27.5 MB
File type: msi
Release Date: 2020-04-28
Build Number: 15755677

VMware OVF Tool for Windows 64-bit
MD5SUM: cc298de9440cbd0d5bdd2ecabde2f89d
SHA1SUM: dff66a31cfa8372a8a979a0b95415d808be7fd6e
SHA256SUM: a20eaf50065052b13dbc898481d35c0e86fe900497804b6d4ed014cb21d5f15f


2. Create or Edit a UAG .ini configuration file:
Extract the downloaded uagdeploy PowerShell scripts for your version of Unified Access Gateway.

Or copy and edit one of the downloaded .ini files, like uag2-advanced.ini.

For pfxCerts, UNC paths don't work. Make sure you enter a local path (e.g. C:\).
   The OVA source file can be on a UNC path,
   but the .pfx file must be local.

There's no need to enter the .pfx password in the .ini file,
   since the uagdeploy.ps1 script will prompt you for it.


# When you run the PowerShell script, if the UAG appliance already exists, 
   then the PowerShell script will replace the existing appliance. 
Important: 
    There’s no need to power off the old appliance since the OVF tool will do that for you.


#*** Other UAG Configurations ***
UAG 3.8 and newer shows when the admin password expires in Account Settings in the Advanced Settings section.
    Advanced Settings -> Account Settings


Ciphers are configured under Advanced Settings > System Configuration.

a. The default ciphers in UAG 3.10 are the following and include support for TLS 1.3.
TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

b. Carlo Costanzo at How to get an A+ from Qualys SSLLabs on your Horizon UAG deployment recommends the following cipher suites in older UAG appliances:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

c. Also enable Honor Cipher Order in older versions of UAG.


# Syslog
In UAG older than 2103, Syslog is also configured here.

# SNMP, DNS, and NTP
At the bottom of the System Configuration page are several settings for SNMP, DNS, and NTP.

# PEM format
Browse to a PEM key file. If not running Unified Access Gateway 3.0 or newer, certificates created on Windows (PFX files) must be converted to PEM before they can be used with Unified Access Gateway. You can use openssl commands to perform this conversion. The private key should be unencrypted.

UAG Workspace ONE deployment

https://techzone.vmware.com/deploying-vmware-unified-access-gateway-workspace-one-operational-tutorial#configuring-tlsssl-certificates

Lessons learned from UAG deployments for Workspace ONE: https://mobile-jon.com/2021/04/26/lessons-learned-with-uag-deployments-for-workspace-one/

Logs and Troubleshooting

You can download logs from the Admin Interface by clicking the icon next to Log Archive.

You can also review the logs at /opt/vmware/gateway/logs. You can view these logs with less from the appliance console.

Or you can point your browser to https://MyApplianceIP:9443/rest/v1/monitor/support-archive. This will download a .zip file with all of the logfiles. Much easier to read in a GUI text editor.

For initial configuration problems, check out admin.log.

For Horizon View brokering problems, check out esmanager.log.

# Install tcpdump
By default, tcpdump is not installed on UAG. To install it, log in to the console and run
      /etc/vmware/gss-support/install.sh

tcpdump and curl Troubleshooting

More info in Justin Johnson's post Troubleshooting Port Connectivity For Horizon's Unified Access Gateway 3.2 Using Curl And Tcpdump:

https://www.evengooder.com/2018/01/troubleshooting-port-connectivity-for.html

How to add Static Route and Routing Table

https://ivandemes.com/vmware-unified-access-gateway-oops-forgot-my-static-routes/

# Show the current routes
   route -n
   route -FC

# How to add static route
route add -net <subnet IP> gw <gateway IP> netmask <subnet mask> <nic>
   Example
   route add -net 192.168.1.0 gw 192.168.5.1 netmask 255.255.255.0 eth1
      Where eth1 is the nic for the management interface/LAN in my case.

# To delete route from the routing table
   route del default    # Example

Update from UAG management interface

1. Access UAG management web interface
   https://uag-fqdn:9443
2. Login as admin
3. Below Configure Manually click Select
4. Under Advanced Settings click the gear icon next to Network Settings
5. Click the gear icon next to the nic interface for which you want to add a static route.
6. Open up the IPv4 Configuration and enter your static route in the IPv4 Static Routes field.
   Note:
      Use the CIDR notation for specifying a static route.
      <CIDR> <gateway IP>
         For example
            192.168.1.0/24 192.168.5.1
Important:
   Do not forget to click the (+) button to actually add the static route.
7. Click Save

# The Static Route Script(s)
Now that the static route has been configured, an ipv4Routes.sh script has been created in the folder 
   /opt/vmware/gateway/conf

This script is triggered by the routes.sh script in the same folder.
This makes sure the static route will always be configured during each reboot.

UAG management interface

Connect to the UAG management interface (:9443) using a web browser and login using the user name admin and the password that you configured during the UAG appliance deployment.

How to troubleshoot a UAG root login issue or reset the root password

https://docs.vmware.com/en/Unified-Access-Gateway/2009/uag-deploy-config/GUID-F1B90F5A-DC1A-4175-B345-A4984F9AF757.html

By default
1. The root password expires 365 days after deploying the OVA file
2. The admin password expires 60 days after deploying the OVA file

# To reset the "forgotten" root password you must:
1. have login access to vCenter
2. know the vCenter login password
3. have permission to access the appliance console

# Procedure
1. Restart the appliance from vCenter and immediately connect to the console.
2. As soon as the Photon OS splash screen appears, press e to enter GNU GRUB edit menu
3. In the GNU GRUB edit menu, go to the end of the line that starts with linux, add a space and type 
   /boot/$photon_linux root=$rootpartition rw init=/bin/bash
   
   After adding these values, the GNU GRUB edit menu should look exactly like this:
   setparams 'Photon'
      linux /boot/$photon_linux root=$rootpartition rw init=/bin/bash
      if [ -f /boot/$photon_initrd ]; then
         initrd /boot/$photon_initrd
      fi

Note:
For a FIPS appliance, the line should be 
   linux /boot/$photon_linux root=$rootpartition rw init=/bin/bash fips=1

4. Press the F10 key and at the bash command prompt enter passwd to change the password.
   passwd
   New password:
   Retype new password:
   passwd: password updated successfully

   Note: If required, then type
      umount /

5. Reboot the appliance 
   reboot -f
6. After the appliance boots, log in as root with the newly set password

If you know the existing UAG root password, then ssh to UAG

1. To change root password, ssh to UAG as root
2. type
      passwd

You can also check and reset user lockouts caused by failed logins with the commands below:

# Show the current status of a user
   pam_tally2 --user root
or
   /sbin/pam_tally2 -u root

# Reset any locks currently tied to the root account
   pam_tally2 -u root -r
OR
   /sbin/pam_tally2 --reset --user root

How to reset UAG admin password
# Procedure
1. Log in to the operating system of the Unified Access Gateway console as the root user.
2. Enter the following commands to reset the password of the administrator.
   adminpwd
   New password for user "admin": ********
   Retype new password: ********

   The following message is displayed.
   adminpwd: password for "admin" updated successfully

3. Enter the following command to reset the password of an administrator with fewer privileges.
   adminpwd [-u <username>]

Certificate Thumbprint

Deploying UAG with PowerShell is the recommended way. After the deployment, we had to add the certificate thumbprints of the Connection Servers because their certificates were issued by an internal CA.

1. Login to UAG management URL
2. Navigate to Horizon Settings -> toggle "Enable Horizon"
3. Configure and enable the following
a. Connection Server URL
      https://uag-external-access-url:443
b. Connection Server URL Thumbprint
      sha1=xx xx xx .....
      Note:
         We had SHA-256 certificates and entered sha256=AE:B6
   Important:
      Always use sha1= even if you have a different Secure Hash Algorithm
c. Enable PCOIP  <--- Enable
d. PCOIP External URL
      uag-external-access-url-ip:4172
e. Enable Blast <--- Enable
f. Blast External URL
      https://uag-external-access-url:8443
g. BSG UDP Tunnel Server   <--- Enable
h. Enable Tunnel  <----- Enable
i. Tunnel External URL
      https://uag-external-tunnel-url:443

UAG Deployments in DMZ

https://communities.vmware.com/t5/Horizon-Documents/DMZ-Design-for-VMware-Unified-Access-Gateway-and-the-use-of/ta-p/2795918

Routing

During UAG deployment it is common to specify a default gateway. In complex environments involving multiple NICs and routing through more than one gateway, UAG also supports the ability to specify explicit IP routes. These are routes that don't use the default gateway.

For example, with a two-NIC UAG deployment, the network routing may involve a default gateway for all IP traffic destined for Internet-located devices, while routing to the internal network may go through a separate back-end gateway.

# Example UAG with two NICs

Front-end DMZ Network: 192.168.9.0/24
UAG Front-end IP address (ip0): 192.168.9.51
Internet Access gateway: 192.168.9.1

Backend and Management DMZ Network: 192.168.0.0/24
UAG Back-end IP address (ip1): 192.168.0.51
Internal network Access gateway: 192.168.0.1

Internal Network: 10.0.0.0/16

The configuration for UAG would be:
ip0=192.168.9.51
ip1=192.168.0.51
defaultGateway=192.168.9.1
routes1=10.0.0.0/16 192.168.0.1  # routes1 is for "Internal Networks"

When UAG needs to connect to a host on the Internal network with an IP address of say 10.0.0.120, the routing entry on UAG would force this connection to go via the back-end gateway 192.168.0.1 on the second NIC (eth1). The NIC used by UAG for any outgoing IP traffic is selected based on the destination IP address and for destinations not on any local segment, the contents of the routing table. For any destination not on any of the local segments, UAG will look for an explicit route for that network. If no routes are found, it will direct traffic via the default gateway which is normally the gateway to the Internet.

From the UAG console, where you log in as root, you can run "ifconfig" to look at the addresses for each NIC (eth0 and eth1 in a two-NIC setup) and run the "route -n" command to show the active routing table.

# ssh to UAG as root
   ifconfig    # verify eth0, eth1   for internet and back-end & management network adapters

   route -n    # show active routing table

# To see the route taken to any IP destination address,
  run the following command to display the path
   tracepath -n destination-ip-address-or-hostname

   Example
      tracepath -n 10.0.0.10

When you have multiple internal servers subnets, you can specify these as in this example:

routes1=10.0.0.0/8 192.168.0.1,172.16.0.0/12 192.168.0.1,192.168.0.0/16 192.168.0.1

Then all possible private addresses will be accessed via the second (eth1) NIC via the 192.168.0.1 gateway. This saves having to specify multiple individual subnets for internal routing. The default gateway for public Internet IP addresses would be the default gateway on the Internet facing NIC (eth0).
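Added example (Python, not VMware's code) that models the NIC selection rule described in this routing section: a destination on one of the NIC's own segments goes out on-link, otherwise the most specific explicit routesN entry wins, and anything left uses the defaultGateway. The addresses and routes1 strings are this page's two-NIC example; the class and function names are this example's own.

```python
"""Which NIC and gateway does UAG pick for a destination address?

Added example, not VMware's code. It models the selection rule described in
the routing section: a destination on one of the NIC's own segments goes out
on-link, otherwise the most specific explicit routesN entry wins, and
anything left over uses defaultGateway. Addresses and the routes1 strings
come from this page's two-NIC example; the class and function names are
this example's own.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Nic:
    name: str              # eth0, eth1, ...
    iface: IPv4Interface   # ipN/netmaskN from the .ini


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    gateway: IPv4Address
    nic: Nic


@dataclass(frozen=True)
class Hop:
    nic: str
    gateway: Optional[str]  # None when the destination is on-link
    via: str                # "local", "explicit" or "default"


def parse_routes(setting: str, nic: Nic) -> list:
    """Parse a routesN value: '<CIDR> <gateway>' entries separated by commas."""
    routes = []
    for entry in filter(None, (e.strip() for e in setting.split(","))):
        cidr, gw = entry.split()
        route = Route(IPv4Network(cidr, strict=False), IPv4Address(gw), nic)
        # A gateway that is not on that NIC's own segment can never be reached,
        # so reject it here rather than discovering it after deployment.
        if route.gateway not in nic.iface.network:
            raise ValueError(f"gateway {gw} is not on the {nic.name} segment")
        routes.append(route)
    return routes


class UagRoutingTable:
    def __init__(self, nics: list, default_gateway: str, routes: list):
        self.nics = nics
        self.default_gateway = IPv4Address(default_gateway)
        # Longest prefix first, as the kernel's route lookup does.
        self.routes = sorted(routes, key=lambda r: r.network.prefixlen, reverse=True)
        on_link = [n for n in nics if self.default_gateway in n.iface.network]
        if not on_link:
            raise ValueError("defaultGateway is not on any NIC segment")
        self.default_nic = on_link[0]

    def lookup(self, destination: str) -> Hop:
        dst = IPv4Address(destination)
        for nic in self.nics:                       # 1. directly connected?
            if dst in nic.iface.network:
                return Hop(nic.name, None, "local")
        for route in self.routes:                   # 2. explicit route?
            if dst in route.network:
                return Hop(route.nic.name, str(route.gateway), "explicit")
        return Hop(self.default_nic.name, str(self.default_gateway), "default")


# This page's two-NIC example: ip0/eth0 faces the Internet, ip1/eth1 the
# back-end and management DMZ, routes1 sends 10.0.0.0/16 via 192.168.0.1.
ETH0 = Nic("eth0", IPv4Interface("192.168.9.51/255.255.255.0"))
ETH1 = Nic("eth1", IPv4Interface("192.168.0.51/255.255.255.0"))
TABLE = UagRoutingTable([ETH0, ETH1], "192.168.9.1",
                        parse_routes("10.0.0.0/16 192.168.0.1", ETH1))

# The broader variant from the same section: all RFC 1918 space via eth1.
TABLE_ALL_PRIVATE = UagRoutingTable([ETH0, ETH1], "192.168.9.1", parse_routes(
    "10.0.0.0/8 192.168.0.1,172.16.0.0/12 192.168.0.1,192.168.0.0/16 192.168.0.1", ETH1))

if __name__ == "__main__":
    for ip in ("10.0.0.120", "192.168.0.10", "172.16.5.5", "8.8.8.8"):
        print(f"{ip:>14}  {TABLE.lookup(ip)}  |  {TABLE_ALL_PRIVATE.lookup(ip)}")
```

Note that a 192.168.9.x destination still leaves eth0 on-link even with the 192.168.0.0/16 route installed, because the local segment is checked before explicit routes.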

How to access UAG management console

Point your browser to https://My_UAG_IP:9443/admin/index.html and login as admin.

How to add static route in UAG

https://ivandemes.com/vmware-unified-access-gateway-oops-forgot-my-static-routes/

route add -net <subnet IP> gw <gateway IP> netmask <subnet mask> <nic>

   For example
      route add -net 192.168.1.0 gw 192.168.5.1 netmask 255.255.255.0 eth1

Where eth1 is the nic for the management interface/LAN in my case.

Adding the static route regained access to the management interface. However, static routes configured from the command line are not retained across a UAG appliance reboot. Only static routes configured in the management interface are retained across a reboot. Since we regained access to the management interface, we will now configure the static route there.

# Use the CIDR notation for specifying a static route
   <CIDR> <gateway IP>

   For example
      192.168.1.0/24 192.168.5.1

Important:
Do not forget to click the (+) button to actually really add the static route. And click Save.

After accessing the UAG management console and adding the static routes, an ipv4Routes.sh script is created in the folder /opt/vmware/gateway/conf. This script is triggered by the routes.sh script in the same folder, which makes sure the static route is always configured during each reboot.

# To view the static routes after update from UAG management console
1. ssh to UAG and login as root
2. run commands
   ls -l /opt/vmware/gateway/conf   # verify
   cat /opt/vmware/gateway/conf/ipv4Routes.sh

This helps when static routes were forgotten during UAG deployment or when redeploying is not possible.

OVF Tool PowerShell UAG Deployment

https://communities.vmware.com/t5/Horizon-Documents/Using-PowerShell-to-Deploy-VMware-Unified-Access-Gateway/ta-p/2782995

Lessons from the field deployment

1. Install ovftool and use the default installation path c:\Program Files
2. Edit input ini file, such as uagadvance.ini
Verify 
a. NIC0 is the Internet NIC and default gateway
b. It has static routes to reply to our load balancer for health monitoring 
   Note: 
      You must do health monitoring on the Internet NIC
c. We then have a single static route on NIC1 for our internal network 
      e.g. routes1=10.0.0.0/8 10.0.1.1

Requirements

  1. Install OVF Tool on the management Jumpbox in C:\Program Files directory.
  2. Update ini input file for single NIC, two NIC or three NIC deployment
  3. Run PowerShell script for the deployment
#Requires -RunAsAdministrator
Set-ExecutionPolicy -Scope CurrentUser Unrestricted

cls

# Variables
$Computer = $env:COMPUTERNAME
$OVFToolDir = 'C:\Program Files\VMware\VMware OVF Tool'
$uagdeployFile = "\\$Computer\d$\Scripts\Workbench\UAG2009\TEST\uagdeploy.ps1"
$iniFile = "\\$Computer\d$\Scripts\Workbench\UAG2009\TEST\uag-twonic-test.ini"


#************************
#
# Main
#
#************************

# Remove the "downloaded from the Internet" mark so the script is allowed to run
Unblock-File -Path $uagdeployFile

# uagdeploy.ps1 expects ovftool.exe to be found from the OVF Tool directory
Set-Location $OVFToolDir

# Deploy UAG appliance
& $uagdeployFile -iniFile $iniFile

Update the ini input file

# File Name: uag-twonic-test.ini

[General]
# Notification
eth0ErrorMsg={"netmask":"SUCCESS","ip":"SUCCESS","defaultGateway":"SUCCESS"}

# UAG deployment
# 
# UAG virtual appliance unique name (between 1 and 32 characters).
# If name is not specified, the script will prompt for it.
#

# VM name
name=TESTUAG99

# UAG hostname
uagName=testuag99

#*****************************************************************
# 
# Full path filename of the UAG .ova virtual machine image
# The file can be obtained from VMware
#
#*****************************************************************

source=D:\Testing\UAG2009\euc-unified-access-gateway-20.09.0.0-16950076_OVF10.ova

#
# target refers to the vCenter username and address/hostname and the ESXi host for deployment
# Refer to the ovftool documentation for information about the target syntax.
# See https://www.vmware.com/support/developer/ovf/
# PASSWORD in upper case results in a password prompt during deployment so that passwords do not need
# to be specified in this .INI file.
# In this example, the vCenter username is administrator@vsphere.local
#                  the vCenter server is 192.168.0.21 (this can be a hostname or IP address)
#                  the ESXi hostname is esx1.myco.int (this can be a hostname or IP address)
#

# Leave PASSWORD in upper case, Don't enter the actual password. OVF Tool will prompt for the password
target=vi://administrator@vsphere.local:PASSWORD@<vCenter-FQDN|IP-address>/<Datacenter-Name>/host/<cluster-name>

#
# vSphere datastore name
#

ds=<datastore-name>

#
# Disk provisioning mode. Refer to OVF Tool documentation for options.
#

diskMode=thin

#
# vSphere Network names. For pre 3.3 UAG versions, a vSphere Network Protocol Profile (NPP) must be associated with every referenced network name. This specifies
# network settings such as IPv4 subnet mask, gateway etc. UAG 3.3 and newer no longer uses NPPs and so for static IPv4 addresses a netmask0, netmask1 and netmask2
# value must be specified for each NIC. Normally a defaultGateway setting is also required.
#

# netInternet: Portgroup used in vSphere for the Internet/DMZ interface
netInternet=<dvPG-portgroup-Internet-DMZ-name>

# netManagementNetwork & netBackendNetwork are Portgroup used for internal interface
netManagementNetwork=<dvPG-Portgroup-internal-name>
netBackendNetwork=<dvPG-Portgroup-internal-name>

# defaultGateway: IP address for the gateway on the netInternet interface
defaultGateway=<external-outer-Internet-facing-NIC-IP>

# deploymentOption=onenic
# ip0=192.168.0.90
# netmask0=255.255.255.0
# routes0=192.168.1.0/24 192.168.0.1,192.168.2.0/24 192.168.0.2

deploymentOption=twonic

# ip0: IP address for the netInternet interface
ip0=<internet-facing-NIC-IP>
netmask0=255.255.255.0
ip0AllocationMode=STATICV4

# ip1: IP address for the internal interface
ip1=<inner-facing-NIC-IP>
netmask1=255.255.255.0
ip1AllocationMode=STATICV4

# Verify whether route configuration is required
# Internet facing NIC routes
routes0=x.x.x.x/24 <gateway-IP>

# Inner facing NIC routes
routes1=x.x.x.y/24 <gateway-IP>

dns=x.x.x.x x.x.x.y

syslogUrl=syslog://<syslog-VIP|IP|fqdn>:514

#
# Setting honorCipherOrder to true forces the TLS cipher order to be the order specified by the server. This can be set on
# UAG 2.7.2 and newer to force the Forward Secrecy ciphers to be presented first to improve security.
#

#honorCipherOrder=true

#
# sessionTimeout value in milliseconds. Default is 36000000 (10 hours). When the session timeout expires,
# the user needs to log in again.
#

# 11 hours
sessionTimeout=39600000


[SSLCert]

#
# From UAG 3.0 and newer, you can specify the name of a .pfx or .p12 format certificate file containing the required certificate and private key and
# any required intermediate certificates. In this case there is no need to use openssl commands to convert the .pfx/.p12 file into the
# associated PEM certificates file and PEM private key file.
#

#
# Option 1 - using the pfx certificate
#
pfxCerts=D:\Testing\UAG2009\TEST\broker.pfx

#
# If there are multiple SSL certificates with private key in the .pfx file you also need to specify an alias name in order to select the required certificate.
# This is not necessary if there is only one SSL certificate with private key in the file
#

#pfxCertAlias=alias1

#
# The following pemCerts and pemPrivKey settings are only needed if you don't have a .pfx/.p12 file and want to directly use the two PEM format files.

#
# pemCerts refers to a PEM format file containing the SSL server certificate to be deployed. The file should also contain any
# required intermediate CA and root CA certificates.
#

#
# Option 2 - using server certificate chain pem file and private key pem file
#

# The mobility SSL certificate pem file
pemCerts=D:\Testing\UAG2009\TEST\sslcerts.pem

#
# pemPrivKey refers to a file containing the RSA PRIVATE KEY for the SSL server certificate in the above certificate file.
#

#
# Convert the "private.key" file to rsa PEM file
# openssl rsa -in private.key -text > privatekey.pem
#

# The mobility SSL certificate private key
pemPrivKey=D:\Testing\UAG2009\TEST\sslcertrsakey.pem

#
# From UAG 3.2 and newer, you can specify a certificate for the admin interface on port 9443. It is in the same format as [SSLCert] above.
#

# [SSLCertAdmin]

# pfxCerts=sslcerts.pfx
#pemCerts=sslcerts.pem
#pemPrivKey=sslcertrsakey.pem

# Set locale to Australia
#locale=en_AUS

#ntpServers: F5 VIP for NTP server
ntpServers=<ntp-server-IP>

#sshEnabled: Leave this blank to NOT enable ssh which is recommended in Production
sshEnabled=


[Horizon]

#
# proxyDestinationUrl refers to the backend Connection Server to which this UAG appliance will connect.
# It can either specify the name or IP address of an individual Connection Server or of a load balanced alias to connect
# via a load balancer in front of multiple Connection Servers.
#

proxyDestinationUrl=https://test.lab

#
# proxyDestinationUrlThumbprints only needs to be specified if the backend Connection Servers do not have
# a trusted CA signed SSL server certificate installed (e.g. if it has the default self-signed certificate only).
# This is a comma separated list of thumbprints in the format shown here.
#

proxyDestinationUrlThumbprints=sha256:xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx

#
# The following external URLs are used by Horizon Clients to establish tunnel, HTML Access and PCoIP connections
# to this UAG appliance. If they reference a load balancer name or address then the load balancer must be
# configured for source IP hash affinity otherwise the connections may route to the wrong UAG appliance. 
#

tunnelExternalUrl=https://external.test.lab:443
blastExternalUrl=https://external.test.lab:443

#
# pcoipExternalUrl must contain an IPv4 address (not a DNS name)
# This is the UAG external URL access IP address
#

pcoipExternalUrl=x.x.x.x:4172
pcoipDisableLegacyCertificate=true


#
# The following optional sections can be used to create admin users with monitoring role.
#
# Accepts the following inputs for user:
#   Username as "name" field. Mandatory field if user needs to be created.
#   Optional status as "enabled" field. Possible values: true (default) / false.
#
# Password for these users can be provided either interactively on the shell or using a parameter.
# To provide as parameter, use the parameter name as "newAdminUserPwd" and value like
# "monitoringUser1:P@ssw0rd1;monitoringUser2:P@ssw0rd2".

#[AdminUser1]
#name=monitoringUser1
#enabled=false
#
#[AdminUser2]
#name=monitoringUser2

Example of Two NIC deployment

https://tech.iot-it.no/vmware/vmware-unified-access-gateway/vmware-unified-access-gateway-routing/

view-uag01.ini
[General]
#
name=view-uag01.ad.admin.frelab.net
#
source=C:\Temp\euc-unified-access-gateway-3.5.0.0-12645341_OVF10.ova

# PASSWORD will prompt for vCenter administrator password
target=vi://administrator@vsphere.local:PASSWORD@172.16.0.125/FreLab Datacenter/host/FreLab Cluster
# "172.16.0.125" = ip of vCenter
# "FreLab Datacenter" = Datacenter-name
# "host" = Where to put the vm, host = Host and Clusters
# "FreLab Cluster = Cluster-name
ds=VMFS1
#
#diskMode=thin
#
netInternet=DMZ
netManagementNetwork=admin.frelab.net
netBackendNetwork=admin.frelab.net
defaultGateway=10.0.100.1
#
deploymentOption=twonic
ip0=10.0.100.11
netmask0=255.255.255.0
ip1=172.16.0.75
netmask1=255.255.255.0
routes1=10.0.23.0/24 172.16.0.1
dns=172.16.0.20 172.16.0.18
#
# 11 hours
sessionTimeout=39600000
#
[SSLCert]
#
#pfxCerts=C:\APs\certs\secure-WC.pfx
#
#pfxCertAlias=alias1
#
#pemCerts=sslcerts.pem
#
#pemPrivKey=sslcertrsakey.pem
#
[SSLCertAdmin]
#pfxCerts=sslcerts.pfx
#pemCerts=sslcerts.pem
#pemPrivKey=sslcertrsakey.pem
#
[Horizon]

Run the PowerShell command

Set-ExecutionPolicy Unrestricted

Set-location d:\UAG-Deployment

.\uagdeploy.ps1 .\view-uag02.ini PASSWORD PASSWORD false false no


# Note
1. It will prompt for vCenter administrator password
2. The deployment will use a self-signed TLS server certificate.
   To use a CA-signed SSL certificate, update the ini file with the required SSL PEM certificate and private key.

How to set UAG Admin and Root Password Expiration

# Set UAG admin user password expiry
1. Access the UAG admin console
   https://<uag-fqdn|uag-ip>:9443/admin
2. Login as admin
3. Open the Account Settings page
4. The Password expires in (days) field sets the number of days until the password expires.
# Set root password expiry
1. ssh to UAG as root, or access the UAG console
2. Enter command
   chage -m 0 -M <days> -E -1 root     # where <days> is the number of days; the default is 365 days
3. Verify password expiry
   chage -l root

How to Recover the Admin using the adminreset Command

https://docs.vmware.com/en/Unified-Access-Gateway/2207/uag-deploy-config/GUID-9380C0E3-5418-4AC5-BCC4-2645755434A8.html

Use this command to reset the admin access settings to defaults and restart the admin service. It lets you recover the Unified Access Gateway admin portal when the portal cannot be accessed because of misconfigured settings such as TLS ciphers or admin SAML authentication.

# Procedure
1. Log in to Unified Access Gateway console with configured user (usually root).
2. Enter the following command to reset the admin access settings.
   adminreset
Note:
If a non-root administrator is configured for Unified Access Gateway OS login,
run the command with sudo. For example:
   sudo adminreset
3. Enter y to confirm.

How to reset UAG admin password

# To set the admin password, run command
   adminpwd

New password for user "admin": ********
Retype new password: ********