Unified Access Gateway – PowerShell Deployment

Unified Access Gateway is the Swiss Army knife of your DMZ: it lets you securely publish internal resources and data to any device, no matter where that device is located. UAG plays a crucial role in VMware’s Zero Trust security model because it can block unauthorized sessions in the DMZ before they ever reach your internal networks.

Unified Access Gateway is a hardened Linux virtual appliance that can be deployed in two general ways:

  • Using the vSphere Client GUI – only when deploying to vSphere 🙂
  • Using the PowerShell script – when deploying to vSphere or anywhere else (Azure, AWS…). This method is covered in this blog post.

The main benefits of the PowerShell deployment are that it can be (partially) automated, and that it’s reusable, reliable, simple and quick.

Preparation

Download the OVF Tool: https://my.vmware.com/group/vmware/details?downloadGroup=OVFTOOL430&productId=742

Download the UAG appliance: https://my.vmware.com/group/vmware/details?downloadGroup=UAG-371&productId=923&rPId=37769

Download the UAG PowerShell deployment scripts: https://my.vmware.com/group/vmware/details?downloadGroup=UAG-371&productId=923&rPId=37769

Deployment

First things first: copy everything to a single location; for simplicity, let’s say C:\UAG. Extract the ZIP file with the PowerShell scripts and install the OVF Tool locally on the machine.

The next step is to prepare the INI deployment file. There are plenty of examples packaged in the ZIP file, but the bare minimum (at least for me) looks like this:

[General]
name=uag01
uagName=uag01

source=C:\UAG\euc-unified-access-gateway-3.7.1.0-14660734_OVF10.ova

target=vi://administrator@vsphere.local:PASSWORD@vcenter.minarik.local/Lab/host/Cluster
ds=ESX-01-PRIMARY
diskMode=thin

deploymentOption=onenic

netInternet=NSX-LAB-NETWORK
netManagementNetwork=NSX-LAB-NETWORK
netBackendNetwork=NSX-LAB-NETWORK

ip0=10.0.0.39
netmask0=255.255.255.0
defaultGateway=10.0.0.1
dns=10.0.0.2
ntpServers=pool.ntp.org

honorCipherOrder=true

You will almost certainly need more parameters, because the whole point of this exercise is to automate the deployment so that no manual post-deployment work is required; the official documentation page lists all of them.

When you are ready, just execute .\uagdeploy.ps1 -iniFile deploy.ini from the folder containing the scripts and watch the script’s output.

Know before you go…

There are a couple of things that might slow you down during the deployment.

  1. The INI configuration keys are case sensitive!
  2. Make sure you have connectivity from the machine running the script to your vCenter.
  3. If you leave the literal PASSWORD in the target property, the script will prompt you interactively for the vCenter account password, so you don’t need to hardcode any passwords in the INI file.
  4. The root and admin passwords must meet a complexity requirement: one lower-case letter, one upper-case letter, one number and one symbol, where the symbol must come from the set !@#$%*()
  5. Make sure the UAG version is compatible with your other systems (such as Horizon, Workspace ONE UEM Console…) by first checking the VMware Interoperability Matrix.
  6. If you run the script and a VM with the specified name already exists, it will assume you are doing an upgrade, and the first thing it does is delete that VM. Just be sure it’s not your running production UAG when you are only playing with the script. 😀
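The gotchas above are easy to catch before ovftool ever runs. The following pre-flight script is an added example written for this post; it is not part of the original post nor one of VMware’s deployment scripts. It reads the INI shown earlier, flags keys that differ from the documented ones only by case, verifies that the target still carries the PASSWORD placeholder rather than a real credential, checks TCP 443 connectivity to the vCenter host parsed from the target, validates the root and admin passwords against the complexity rule from point 4, refuses to continue if a VM with the same name already exists (point 6), and only then hands off to uagdeploy.ps1. Assumptions: the INI and scripts live in C:\UAG, vCenter listens on TCP 443, VMware PowerCLI is installed and already connected for the duplicate-VM check (it is skipped otherwise), an 8-character minimum length on top of the stated complexity rule, and that this release of uagdeploy.ps1 accepts -rootPwd and -adminPwd parameters.

```powershell
# Added example, not code from the original post or from VMware's deployment scripts.
# Pre-flight checks for a UAG INI file, followed by the same uagdeploy.ps1 call the post uses.
# Assumptions: files live in C:\UAG, vCenter listens on TCP 443, PowerCLI is installed and
# connected for the duplicate-VM check, and uagdeploy.ps1 accepts -rootPwd/-adminPwd.
param(
    [string]$IniFile   = 'C:\UAG\deploy.ini',
    [string]$UagDeploy = 'C:\UAG\uagdeploy.ps1'
)

# Keys used in this post's INI, in their documented casing. uagdeploy.ps1 matches keys
# case-sensitively, so "uagname" or "IP0" would be silently ignored. Extend for the keys you use.
$knownKeys = @('name','uagName','source','target','ds','diskMode','deploymentOption',
               'netInternet','netManagementNetwork','netBackendNetwork',
               'ip0','netmask0','defaultGateway','dns','ntpServers','honorCipherOrder')

# Minimal INI reader that keeps key case exactly as written in the file.
function Read-UagIni([string]$Path) {
    $ini = @{}; $section = ''
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
        if ($line -match '^([^=]+)=(.*)$') { $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    return $ini
}

# Complexity rule from the post (one lower, one upper, one digit, one symbol from !@#$%*(),
# no other symbols allowed) plus an assumed minimum length of 8 characters.
function Test-UagPasswordComplexity([string]$Password) {
    return ($Password.Length -ge 8) -and
           ($Password -cmatch '[a-z]') -and ($Password -cmatch '[A-Z]') -and
           ($Password -match '[0-9]') -and ($Password -match '[!@#$%*()]') -and
           ($Password -match '^[A-Za-z0-9!@#$%*()]+$')
}

$errors = @()
$ini = Read-UagIni -Path $IniFile
$g = $ini['General']
if (-not $g) { throw "No [General] section found in $IniFile" }

# Point 1: a key that matches a known key case-insensitively but not case-sensitively is a typo.
foreach ($k in @($g.Keys)) {
    if (($k -in $knownKeys) -and -not ($k -cin $knownKeys)) {
        $errors += "Key '$k' differs only by case from a documented key; uagdeploy.ps1 will ignore it."
    }
}

# Points 2 and 3: split vi://user:PASSWORD@host/path. The user part itself contains '@'
# (administrator@vsphere.local), so the host starts after the LAST '@' of the authority.
$authority = $g['target'].Substring(5).Split('/')[0]
$at        = $authority.LastIndexOf('@')
$userInfo  = $authority.Substring(0, $at)
$vcHost    = $authority.Substring($at + 1)
if (-not $userInfo.EndsWith(':PASSWORD')) {
    $errors += "target carries a real vCenter password; keep the literal PASSWORD placeholder and let the script prompt."
}
if (-not (Test-NetConnection -ComputerName $vcHost -Port 443 -InformationLevel Quiet)) {
    $errors += "Cannot reach $vcHost on TCP 443 from this machine."
}

# Point 4: read both appliance passwords without echo and validate them before the deployment starts.
$pw = @{}
foreach ($which in 'root', 'admin') {
    $secure = Read-Host -Prompt "UAG $which password" -AsSecureString
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
    if (-not (Test-UagPasswordComplexity $plain)) {
        $errors += "$which password fails the complexity rule (lower, upper, digit, one of !@#`$%*(), 8+ chars)."
    }
    $pw[$which] = $plain
}

# Point 6: uagdeploy.ps1 deletes an existing VM with the same name, so refuse to run if one exists.
# Only checked when PowerCLI is loaded; Get-VM returns nothing if no vCenter session is connected.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    if (Get-VM -Name $g['name'] -ErrorAction SilentlyContinue) {
        $errors += "A VM named '$($g['name'])' already exists; uagdeploy.ps1 would delete it first."
    }
}

if ($errors) { $errors | ForEach-Object { Write-Warning $_ }; exit 1 }

# Same invocation as the post. -rootPwd/-adminPwd are assumed parameters of this release's
# uagdeploy.ps1; drop them to let the script prompt for the passwords itself.
& $UagDeploy -iniFile $IniFile -rootPwd $pw['root'] -adminPwd $pw['admin']
```

Point 5 (the Interoperability Matrix) is deliberately not automated here: it is a version decision, not something a script should guess at. Note that PowerShell hashtables are case-insensitive, which is why the key check compares against the documented list with -cin rather than looking the keys up directly.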