Can you deploy UAG directly on ESXi host?

I am writing this post because I burned my fingers recently, thinking that I could outsmart the process. Long story short:

Can you deploy it on an ESXi host without a vCenter server? No, you can't – you need a vCenter server.

Unless you want to see me struggling, there is no point in reading further. 😀

Recently I was deploying a UAG for a couple of customers who didn't have a vCenter in their DMZ, or at all. But I thought, what the hell, it's just an OVA file, I can crack it open and make it run…

The deployment

The deployment itself runs through and everything looks fine. Whether you do it manually (through the vSphere console) or with PowerShell, you will not see a single error in the process.

The target string I used in the PowerShell deployment INI file was a bare ESXi host (note that the password sits in plain text in this file, so treat the INI as a secret):

target=vi://root:PASSWORD@esx-02.minarik.io
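For contrast, here is what a minimal INI for the uagdeploy.ps1 script looks like when the target is a vCenter inventory path, which is the form that actually delivers the OVF properties to the guest. This is an added example and not the INI from the post; the host names, datastore, network names and addresses are placeholders, and the ESXi-host target from above is kept as a commented-out line to show the variant that deploys without error but never configures the appliance.

```ini
[General]
name=uag-dmz-01
; Path to the UAG OVA (placeholder)
source=C:\temp\euc-unified-access-gateway.ova
; Correct: a vCenter inventory path (datacenter/host/cluster-or-host). vCenter stores the
; properties below as vApp options and the OVF environment hands them to the guest on boot.
target=vi://administrator@vsphere.local:PASSWORD@vcenter.example.com/Datacenter1/host/DMZ-Cluster
; Wrong: a bare ESXi host. The OVA imports cleanly, but nothing carries the properties into
; the guest, so the appliance comes up unconfigured (what the rest of this post describes).
; target=vi://root:PASSWORD@esx-02.minarik.io
ds=DMZ-Datastore
deploymentOption=onenic
netInternet=DMZ-Network
netManagementNetwork=DMZ-Network
netBackendNetwork=DMZ-Network
ip0=192.0.2.10
netmask0=255.255.255.0
defaultGateway=192.0.2.1
dns=192.0.2.53
sshEnabled=false
```

Rather than embedding PASSWORD in the file, you can leave it out and type it when the script prompts for it; either way, the INI with the vCenter target is the supported path, and the commented line is the one that silently produces the broken appliance.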

The boot up

The machine boots up, and this is where I started to see the first issues.

It wouldn't come up with networking configured, no matter what I tried (single NIC, multi NIC, etc.). If you have DHCP in that network segment it defaults to DHCP and never sets the static IP you specified.

No big deal, you might think, because the console screen is already giving me instructions to run this command:

/opt/vmware/share/vami/vami_config_net

And sure enough, I can set the network that way. But it turns out the admin UI is not listening on port 9443. You can check that with:

netstat -nltp | grep 9443

Let's try what a typical IT guy would try – reboot the machine.

The reboot

Well, what an unpleasant surprise. After the reboot, all the networking I configured is gone…

That's how a Photon OS based OVF appliance works. On every boot it reapplies the settings from the deployment options, whether you supplied them in the PowerShell INI file or typed them into vSphere. Those options reach the guest through the OVF environment, which is populated by vCenter; when the VM was deployed straight to an ESXi host that environment is empty, so each boot reapplies nothing and throws away what I configured by hand.

I can work around this too, by deleting the script that causes it. Be aware that this is a hack: that script is the thing that reapplies the OVF settings on every boot, so once it is gone nothing will ever reapply them.

rm -f /opt/vmware/share/vami/vami_set_network

Now I have a machine with persistent networking, but still no admin UI from which to manage it.

The end

My last attempt was to somehow force the admin UI to start. On a different, working UAG I checked which process serves the UI:

ps -elf | grep admin
4 S gateway   1555  1529  0  80   0 - 909533 futex_ Mar16 ?       00:05:16 /usr/java/jre-vmware/bin/java -Djdk.tls.useExtendedMasterSecret=false -Djdk.tls.allowLegacyResumption=true -Djdk.tls.allowLegacyMasterSecret=true -Djdk.tls.rejectClientInitiatedRenegotiation=true -Djdk.tls.server.enableStatusRequestExtension=true -Djdk.tls.stapling.responseTimeout=1000 -Dlogging.config=/opt/vmware/gateway/conf/log4j-admin.properties -jar /opt/vmware/gateway/lib/admin-20.12.0.0-exec.jar

I hoped that running the same command on the broken UAG would give me at least temporary access to the admin UI. Note that on the working appliance the process runs as the unprivileged gateway user, whereas here it is launched from a root shell, which is one more reason this is a diagnostic step only and not something to leave running.

#  /usr/java/jre-vmware/bin/java -Djdk.tls.useExtendedMasterSecret=false -Djdk.tls.allowLegacyResumption=true -Djdk.tls.allowLegacyMasterSecret=true -Djdk.tls.rejectClientInitiatedRenegotiation=true -Djdk.tls.server.enableStatusRequestExtension=true -Djdk.tls.stapling.responseTimeout=1000 -Dlogging.config=/opt/vmware/gateway/conf/log4j-admin.properties -jar /opt/vmware/gateway/lib/admin-20.12.0.0-exec.jar
[logaudit] is an unknown syslog facility. Defaulting to [USER].
[logaudit] is an unknown syslog facility. Defaulting to [USER].

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::       (v2.2.11.RELEASE)

[logaudit] is an unknown syslog facility. Defaulting to [USER].
[logaudit] is an unknown syslog facility. Defaulting to [USER].

That looked promising: netstat reported a listener on port 9443.

root@uag-2ef596ce-a116-4287-a4f3-505badd819df [ ~ ]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      450/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      450/sshd
tcp6       0      0 :::9443                 :::*                    LISTEN      2188/java
tcp6       0      0 127.0.0.1:2181          :::*                    LISTEN      888/java
tcp6       0      0 127.0.0.1:8877          :::*                    LISTEN      889/java

But neither a browser nor telnet could establish a session on that port. With the listener present, the next thing to check would have been the appliance's own firewall (iptables -S), which UAG manages itself during a normal boot and which may well have been dropping the connection.
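The two symptoms from this section, no listener on 9443 and a listener started from the wrong account, are easy to miss when eyeballing netstat and ps side by side. The script below is an added example, not something from the post or from VMware, that correlates the two listings offline and prints a verdict; both sample listings are constructed, modelled on the output shown above. On a real appliance you would feed it live data with NETSTAT_LISTING=$(netstat -ntlp) and PS_LISTING=$(ps -eo user,pid,args).

```shell
#!/bin/sh
# Added example: triage the UAG admin UI listener by joining `netstat -ntlp`
# with a `ps` listing. Verdicts: ok | no-listener | wrong-owner:<user>.

# Constructed sample of `netstat -ntlp`, modelled on the post's output.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      450/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      450/sshd
tcp6       0      0 :::9443                 :::*                    LISTEN      2188/java
tcp6       0      0 127.0.0.1:2181          :::*                    LISTEN      888/java
tcp6       0      0 127.0.0.1:8877          :::*                    LISTEN      889/java'

# Constructed sample of `ps -eo user,pid,args`: the admin JAR was started from a
# root shell, so PID 2188 is owned by root instead of the gateway account.
PS_SAMPLE='USER     PID COMMAND
root     450 /usr/sbin/sshd -D
root    2188 /usr/java/jre-vmware/bin/java -jar /opt/vmware/gateway/lib/admin-20.12.0.0-exec.jar
gateway  888 /usr/java/jre-vmware/bin/java
gateway  889 /usr/java/jre-vmware/bin/java'

# Override these with live output on a real appliance.
NETSTAT_LISTING=${NETSTAT_LISTING:-$NETSTAT_SAMPLE}
PS_LISTING=${PS_LISTING:-$PS_SAMPLE}

# Print the PID of the process listening on TCP port $1 (any address), or nothing.
listener_pid() {
    printf '%s\n' "$NETSTAT_LISTING" | awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, addr, ":")           # port is the last ":"-separated field
            if (addr[n] == port) { split($7, prog, "/"); print prog[1]; exit }
        }'
}

# Print the owner of PID $1 from the ps listing, or nothing.
pid_owner() {
    printf '%s\n' "$PS_LISTING" | awk -v pid="$1" '$2 == pid { print $1; exit }'
}

# Verdict for the admin UI on 9443; exit status 0 only when it looks healthy.
admin_ui_status() {
    pid=$(listener_pid 9443)
    if [ -z "$pid" ]; then
        echo no-listener
        return 1
    fi
    owner=$(pid_owner "$pid")
    if [ "$owner" = gateway ]; then
        echo ok
        return 0
    fi
    echo "wrong-owner:${owner:-unknown}"
    return 1
}

echo "admin UI on 9443: $(admin_ui_status || true)"
```

With the constructed samples the verdict is wrong-owner:root, which is exactly the state the post ends up in; a listener that is present but unreachable is then a firewall question rather than a service question.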

At this point I gave up, knowing that even if I found a solution it would be unsupported and not suitable for any real deployment.