VMware Hands-on Labs - HOL-1957-08-UEM


Lab Overview - HOL-1957-08-UEM - Workspace ONE UEM - Unified Access Gateway

Lab Guidance


Note: It may take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

The Unified Access Gateway can empower your digital workforce by allowing authorized users and devices to securely access internal resources from anywhere.  Learn how to deploy the Unified Access Gateway and understand best practices and deployment configurations for enterprise-level security.  Explore how the Unified Access Gateway can also provide secure access to internal web applications through certificate authentication and Identity Bridging configurations to cover a variety of use cases.

Lab Module List:

 Lab Captains:

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab cannot be saved.  All your work must be done during the lab session.  But you can click EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

 
 

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Click once in active console window

 

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

  1. Click once in the active console window.
  2. Click on the Shift key.

 

 

Click on the @ key

 

  1. Click on the "@ key".

Notice the @ sign entered in the active console window.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - Unified Access Gateway Deployment with vSphere

Introduction


This module will guide you through the GUI based deployment and configuration of the Unified Access Gateway OVF in the vSphere Web Client.

The manual provides steps for deploying one Unified Access Gateway appliance in vSphere using a one-NIC deployment, then using the Administration Console to configure a certificate and change the network settings.

This manual covers Unified Access Gateway 3.3 deployment in vSphere 6.5 U1.


 

Prerequisites

All of the following pre-requisites are already installed for this Module, the following information is just for your reference.

To deploy Unified Access Gateway using vSphere Web Client, you must use specific versions of VMware products.

Starting with version 3.3, you can deploy Unified Access Gateway without specifying the netmask and default gateway settings in Network Protocol Profiles (NPP). You can specify this networking information directly during deployment of your Unified Access Gateway appliance.

 

Logging In to the vSphere Web Client


To perform most of this exercise, you need to log in to the vSphere Web Client.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab Desktop

 

 

Authenticate to the vSphere Web Client

 

  1. Click the New Tab button.
  2. Click the vSphere Web Client bookmark.  The URL for this bookmark is https://vcsa-01a.corp.local/vsphere-client/?csp.
  3. Enable the Use Windows session authentication option.
  4. Click Login.

After completing the Login, you will be presented with the vSphere Web Client.

NOTE: You can also login without using Windows session authentication by using CORP\Administrator for the username and VMware1! for the password.

 

Deploying Unified Access Gateway with vSphere


In this section, you explore the vSphere Admin UI and learn how to deploy an OVF Template by configuring the necessary fields for the Unified Access Gateway. You deploy the Unified Access Gateway in a one-NIC configuration, meaning that the Internet-facing, internal-facing, and management networks all reside on a single NIC.


 

Deploying the OVF Template

 

  1. Click the VMs and Templates tab.
  2. Right-click the Region named RegionA01.
  3. Click Deploy OVF Template.

 

 

Accessing the Task Console

 

You can follow the status of the OVF deployment through the Task Console.

  1. Click the Home icon
  2. Click Tasks

 

 

Power on UAG Appliance

 

  1. Expand RegionA01-COMP01
  2. Select the UAG-1NIC virtual machine.
  3. Click the Summary tab.
  4. Click the Power On icon.  Wait for the virtual machine to power on.
    NOTE: If the Power On icon is not clickable, you may need to refresh the page first!
  5. Click the Refresh icon to check the status of the virtual machine.  The IP Addresses field will populate once it is powered on.
  6. The screen will show the blue login page as soon as the initialization completes.
  7. The IP address 192.168.110.150 will be assigned to this virtual machine.

NOTE - Do NOT continue to the next step until the VM receives the associated IP address!  This may take 1-2 minutes.

 

 

Navigate to the UAG Admin UI Login

 

NOTE: The page may report that it is unavailable when you first attempt to connect. This is because the Unified Access Gateway appliance service is still starting up and may take a minute or two before it is available.  

  1. Click the New Tab button.
  2. Enter https://uag.corp.local:9443/admin for the URL and press ENTER.
  3. Click the Advanced link.
  4. Accept the security exception and click the Proceed to uag.corp.local (unsafe) link.

NOTE: The connection is not private because no SSL certificate has been supplied for our Unified Access Gateway.  We will access the Admin Console to supply an SSL certificate now.  Other Hands-on Labs modules will cover how to deploy Unified Access Gateway with an SSL certificate in order to skip this step.

 

 

Login to the UAG Admin UI

 

  1. Enter admin for the username.
  2. Enter VMware1!, the password created for the Admin API in the Deploy OVF Wizard.
  3. Click Login.

 

 

UAG Import and Configuration Settings

 

A successful login will redirect you to the following screen, where you can import settings or manually configure the UAG appliance.

Click Select for Configure Manually.

 

 

Configuring TLS/SSL Certificates for Unified Access Gateway Appliances

 

Click the Gear icon for TLS Server Certificate Settings under Advanced Settings.

TLS/SSL is required for client connections to Unified Access Gateway appliances. Client-facing Unified Access Gateway appliances and intermediate servers that terminate TLS/SSL connections require TLS/SSL server certificates.

TLS/SSL server certificates are signed by a Certificate Authority (CA). A CA is a trusted entity that guarantees the identity of the certificate and its creator. When a certificate is signed by a trusted CA, users no longer receive messages asking them to verify the certificate, and thin client devices can connect without requiring additional configuration. A default TLS/SSL server certificate is generated when you deploy a Unified Access Gateway appliance.

Up to this point the UAG Appliance is using the default certificate, which is not signed by a trusted CA.

 

Updating network settings


You can now log in to the Unified Access Gateway administration console and update the network settings so that the Unified Access Gateway is deployed on a different IP than originally.


 

Log In to the Unified Access Gateway Administration Console

 

Log in to the Unified Access Gateway administration console (such as https://uag.airwlab.com:9443/admin).

  1. Enter admin for the username.
  2. Enter VMware1! for the password.
  3. Click Login.

 

 

Select Configure Manually

 

Under Configure Manually, click Select.

 

 

Access Network Settings

 

Under Advanced Settings, click the gear icon for Network Settings.

 

 

View and Edit the Network Settings

 

  1. Click the dropdown arrow for NIC 1: Internet facing interface.
  2. This section shows all of the configurations associated with NIC 1.
  3. Click the Gear icon after NIC 1: Internet facing interface to update the IP address.

 

 

Change Network Settings

 

The Unified Access Gateway administration console allows you to update the IPv4 address and IP allocation mode associated with NIC 1.

  1. Enter 192.168.110.151 in the IPv4 Address to update this from 192.168.110.150.
  2. Click Save.

 

 

Wait for Network Settings to Complete

 

After saving, a message appears: NIC1 configuration in progress. This means that the Unified Access Gateway is updating the NIC with the new IP address, and restarting the NIC. Users lose connectivity with the administration console and this message disappears when the configuration is finished.

After the configuration completes, click Close.

 

 

Validate the Network Changes

 

The page should automatically reload to https://192.168.110.151:9443/admin after the appliance configuration updates, which is the IP address you configured.  You may also enter the address manually.

NOTE: The appliance may take several minutes to be reachable at 192.168.110.151 after the change.  You may need to wait several minutes before the below page will load.

  1. Enter https://192.168.110.151:9443/admin and press ENTER, or wait for the page to reload.
  2. Click Advanced.
  3. Click Proceed to 192.168.110.151 (unsafe).

NOTE: Notice that the connection is not private again, since we are browsing to an IP instead of our previous hostname.  This is just to demonstrate the IP address change, so continue to the page for now.
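Two points in this module (the admin UI being unavailable while the appliance service starts, and the appliance taking several minutes to answer on 192.168.110.151 after the NIC change) come down to the same operational question: is port 9443 accepting connections yet? The following is an added example, not part of the lab or of the Unified Access Gateway product: a bounded TCP poll that returns once the port answers and raises after a deadline, so a script never spins forever on a half-configured appliance. It only completes the TCP handshake and makes no TLS or HTTP request, so the self-signed certificate does not matter at this stage. The loopback listener at the bottom is a constructed stand-in for the admin port so the script runs outside the lab; the lab addresses and port appear only in the comment.

```python
"""Wait for the UAG admin port to come back after a network change.

Added example for this lab, not part of the Unified Access Gateway product.
It only checks that the TCP port accepts connections; it deliberately makes no
TLS or HTTP request, so a self-signed certificate does not matter here.
"""
import socket
import time


def wait_for_port(host, port, timeout=300.0, interval=2.0):
    """Block until host:port accepts a TCP connection.

    Returns the seconds waited. Raises TimeoutError once `timeout` seconds have
    passed without a successful connection. Connection refused (the appliance
    is still re-initialising the NIC) and unreachable host (the old address has
    already gone away) are both treated as "not ready yet".
    """
    start = time.monotonic()
    deadline = start + timeout
    while True:
        try:
            with socket.create_connection((host, port), timeout=interval):
                return time.monotonic() - start
        except OSError:
            if time.monotonic() >= deadline:
                raise TimeoutError(f"{host}:{port} not reachable after {timeout:.0f}s")
            time.sleep(interval)


def local_listener():
    """Constructed stand-in for the admin port: a loopback TCP listener.

    Returns (socket, port); close the socket to simulate the port going away.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # In the lab the admin UI moves from 192.168.110.150 to 192.168.110.151,
    # port 9443. A loopback listener stands in here so the script runs anywhere.
    srv, port = local_listener()
    try:
        waited = wait_for_port("127.0.0.1", port, timeout=10, interval=0.5)
        print(f"port {port} ready after {waited:.2f}s")
    finally:
        srv.close()
```

In the lab you would call `wait_for_port("192.168.110.151", 9443)` right after clicking Save in the network settings, and only then open the browser; a timeout means the change did not take, rather than a browser that simply needs another refresh.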

 

Remove Virtual Machines


You are about to move to the next Module.  Before continuing, you will power down and remove the deployed virtual machines you utilized for this exercise.  This will release the storage and resources allocated to this virtual machine, allowing these resources to be utilized by other virtual machines that you will deploy in other modules.


 

Power OFF UAG VM Appliance

 

Return to Google Chrome.  In the vSphere Web Client,

  1. Click on UAG-1NIC.
  2. Click on the Power OFF button.

 

 

Delete the Unified Access Gateway Appliance

 

  1. Click the Refresh button to check if the Unified Access Gateway virtual machine has powered off.
  2. Right-Click the UAG-1NIC virtual machine.
  3. Click Delete from Disk.
    NOTE: If Delete from Disk is not available, the virtual machine is still powering off.  Click the Refresh button until the virtual machine is powered off.

 

Conclusion


In this module, you've learned:

If you are interested in learning more about the Unified Access Gateway, the remaining lab modules will guide you through more advanced topics and will build upon the knowledge you have learned here.  Be sure to check them out for additional learning.

For additional UAG documentation, be sure to check out the VMware Unified Access Gateway Reference page at https://docs.vmware.com/en/Unified-Access-Gateway/.


Module 2 - Unified Access Gateway Deployment with PowerShell

Introduction


This module will guide you through the configuration and deployment of the Unified Access Gateway Appliance using the PowerShell script and how to setup a Reverse Proxy to access internal web sites through the Unified Access Gateway Administration Console.

The Unified Access Gateway Appliance will be deployed with two NICs.  One NIC will be facing the internet and the second NIC will be dedicated to the Management and Backend networks.

This manual covers Unified Access Gateway 3.3 deployment in vSphere 6.5 U1.


 

Prerequisites

All of the following pre-requisites are already installed for this Module, the following information is just for your reference.

To deploy Unified Access Gateway using PowerShell script, you must use specific versions of VMware products.

Starting with version 3.3, you can deploy Unified Access Gateway without specifying the netmask and default gateway settings in Network Protocol Profiles (NPP). You can specify this networking information directly during deployment of your Unified Access Gateway instance.

 

Logging In to the vSphere Web Client


To perform most of this exercise, you need to log in to the vSphere Web Client.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab Desktop

 

 

Authenticate to the vSphere Web Client

 

  1. Click the New Tab button.
  2. Click the vSphere Web Client bookmark.  The URL for this bookmark is https://vcsa-01a.corp.local/vsphere-client/?csp.
  3. Enable the Use Windows session authentication option.
  4. Click Login.

After completing the Login, you will be presented with the vSphere Web Client.

NOTE: You can also login without using Windows session authentication by using CORP\Administrator for the username and VMware1! for the password.

 

Power ON Virtual Machines


You will be utilizing other virtual machines that have already been deployed for you as part of this exercise.  To ensure these virtual machines are powered on and ready for use during later steps, you will power them on now.


 

Navigate to VMs and Templates

 

  1. Click the Home icon.
  2. Click VMs and Templates.

 

 

Power ON Intranet VM

 

  1. Click the arrow by RegionA01 to expand it.
  2. Click the Intranet virtual machine.
  3. Click the Power ON button.

The Intranet virtual machine will act as our web server, and it's named INTRANET.CORP.LOCAL.

This server hosts two websites on IIS:

  1. INTRANET - This website is available through ports 80 and 443.  Its hostname is INTRANET.CORP.LOCAL, and it will be used for this module.
  2. IT - This website can be ignored, as it will not be used in this exercise.

 

Starting Windows PowerShell


 

Click on the PowerShell icon located on the Windows Task Bar.

 


 

Navigate to the Unified Access Gateway Resources Directory

 

Navigate to the UAG Resources Directory under the Desktop user folder by entering cd 'C:\Users\Administrator\Documents\HOL\Unified Access Gateway' and then press ENTER.

 

Preparing the INI File for Deployment


You will now learn how the INI file is used to deploy and configure a UAG using PowerShell and how to edit the contents of the INI file for your UAG deployments.


 

Configuring the General deployment settings

An Initialization (INI) file containing all the configuration settings is required to deploy the Unified Access Gateway Appliance.

In this lab you will use the uag-2NIC.ini file and fill out the respective parameters for your deployment.

You will be deploying a new Unified Access Gateway appliance called UAG-2NIC that has two NICs. NIC1 will be set to the internet facing network and NIC2 for the backend and management networks.

 

Deploying Unified Access Gateway Appliance


Now that you have configured the ini file for your Unified Access Gateway deployment, we will run the uagdeploy.ps1 PowerShell script and provide this ini file as the configuration to automate the deployment.


 

Executing the Deployment Script

 

As the script starts, it will ask a couple of questions; follow the steps below in order to provide the correct information.

  1. Click the PowerShell icon from the taskbar to return to the PowerShell terminal you opened previously.
  2. Enter .\uagdeploy.ps1 .\uag-2NIC.ini VMware1! VMware1! false false no
  3. The first VMware1! is to set the root password for the Unified Access Gateway appliance.
    The second VMware1! is to set the admin password for the REST API management access.
    The first false is to NOT skip the validation of signature and certificate.
    The second false is to NOT skip SSL verification for the vSphere connection.
    The no is in response to joining the VMware CEIP (Customer Experience Improvement Program).
  4. Enter VMware1! as the password for both the SSLcert and SSLcertAdmin fields when prompted.

To avoid the password prompt for the certificate, remove the pfxCerts values and provide a PEM certificate instead: set pemCerts and pemPrivKey in the SSLCert and SSLCertAdmin sections of the INI file.

The deployment starts and you can follow the progress in the same window or in your vSphere Web Client, which you left open at the beginning of this module.

 

 

Confirm the PowerShell Script Deployment Completes

 

After the deployment script completes, the UAG-2NIC virtual machine will be automatically powered on.  The script will output Completed successfully once the process has completed.

The Received IP address shown in the script log is a temporary IP; the final IPs for NIC 1 and NIC 2 will be assigned to the Unified Access Gateway appliance during the first start. You can return to the vSphere Web Client to validate that, as described in the next step.

 

 

Validating the deployment

 

Return to the VMware vSphere Web Client in Google Chrome.

  1. Click on the VMs and Templates tab.
  2. Click on UAG-2NIC.
  3. Click the Summary tab.
  4. Click on View all 2 IP addresses.
  5. Confirm the IP Addresses listed are 192.168.110.160 and 192.168.120.160.  
    These are the IPs you specified in the INI file used by the PowerShell script.
  6. If the IP Addresses have not populated, you may need to click the Refresh button and check again.

NOTE: If the Unified Access Gateway appliance has not finalized the configuration during the first startup, you will receive an error message from the vSphere Web Client.  If this happens, wait for the appliance to finish deploying and refresh the whole Chrome browser.

 

 

Log In to the Unified Access Gateway Administration Console

 

  1. Click the New Tab button.
  2. Enter https://uag-intranet.corp.local:9443/admin and then press ENTER.
  3. Enter admin for the username.
  4. Enter VMware1! for the password.
    NOTE: This password was created for the Admin API during the PowerShell script deployment.
  5. Click Login.

 

 

Choose Manual Configuration

 

A successful login redirects you to the window where you can import settings or manually configure the Unified Access Gateway appliance.

Under Configure Manually, click Select.

You will be returning to the Unified Access Gateway administration console and modifying the configuration manually in upcoming steps, so leave this page open.

 

Configuring Web Reverse Proxy


At this point, the Unified Access Gateway has been deployed and you have accessed the Unified Access Gateway Admin Console.  This exercise will teach you how the Unified Access Gateway can be used as a Web Reverse Proxy.


 

Access Reverse Proxy Settings

 

  1. Click the Show toggle by Edge Service Settings. After you click it, it will switch to Hide.
  2. Click the Gear icon next to Reverse Proxy Settings.

 

 

Validating Reverse Proxy Configuration

 

  1. Click on the arrow down for the Reverse Proxy Settings.
  2. Click on the refresh icon for the Edge Service Settings.
  3. Confirm the intranet proxy status is GREEN.

After you added the reverse proxy settings for intranet, the Unified Access Gateway appliance tests the communication between the appliance and the intranet endpoint.  The status turns GREEN if a connection is possible, otherwise it will show RED.

NOTE - It may take a few minutes for the intranet proxy to show as GREEN.  If you do not see it, click the refresh icon in Step #2 until you see the status change to either GREEN or RED.

 

 

Accessing Intranet through Reverse Proxy

 

  1. Click the New Tab button to open a new tab.
  2. Enter https://uag-internet.corp.local/intranet/ in the address bar and press ENTER.
    NOTE: uag-internet.corp.local resolves to 192.168.110.160, which is the IP address associated with the Unified Access Gateway internet-facing NIC that you configured as part of the deployment through the PowerShell script.
  3. Confirm that the sample Intranet site is displayed.

For further clarification about the traffic routing to the Unified Access Gateway:

 

Power OFF and Remove Virtual Machines


You are about to move to the next Module.  Before continuing, you will power down and remove the deployed virtual machines you utilized for this exercise.  This will release the storage and resources allocated to these virtual machines, allowing these resources to be utilized by other virtual machines that you will deploy in other modules.

NOTE: ONLY delete the virtual machines explicitly instructed in the following steps! Some virtual machines are intended to be used across multiple exercises (the Intranet virtual machine, for example) that you DO NOT want to remove!


 

Power OFF UAG VM Appliance

 

Return to Google Chrome.  In the vSphere Web Client,

  1. Click the VMs and Templates tab if you are not already there.
  2. Click the UAG-2NIC virtual machine.
  3. Click the Power OFF button.

 

 

Delete the Unified Access Gateway Appliance

 

  1. Click the Refresh button to check if the Unified Access Gateway virtual machine has powered off.
  2. Right-click the UAG-2NIC virtual machine.
  3. Click Delete from Disk.
    NOTE: If Delete from Disk is not available, the virtual machine is still powering off.  Click the Refresh button until the virtual machine is powered off, which is indicated by no longer having the Green Power On icon next to the UAG-2NIC virtual machine icon.

 

Conclusion


In this module, you've learned:

For additional UAG documentation, be sure to check out the VMware Unified Access Gateway Reference page at https://docs.vmware.com/en/Unified-Access-Gateway/


Module 3 - Web Reverse Proxy secure access to Internal Websites

Introduction


This module will guide you through the configuration of a Web Reverse Proxy instance to access an intranet website using device certificate as authentication method on the Unified Access Gateway.

This exercise provides steps to deploy the Unified Access Gateway Appliance with two NICs, configure multiple Web Reverse Proxy instances using HTTP and HTTPS, and secure them with Device Certificate Authentication. All the configuration will be done through the Unified Access Gateway administration console.

This manual covers Unified Access Gateway 3.3 deployment and configuration in vSphere 6.5 U1.


 

Prerequisites

All of the following pre-requisites are already installed for this Module, the following information is just for your reference.

To deploy Unified Access Gateway using PowerShell script, you must use specific versions of VMware products.

 

Logging In to the vSphere Web Client


To perform most of this exercise, you need to log in to the vSphere Web Client.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab Desktop

 

 

Authenticate to the vSphere Web Client

 

  1. Click the New Tab button.
  2. Click the vSphere Web Client bookmark.  The URL for this bookmark is https://vcsa-01a.corp.local/vsphere-client/?csp.
  3. Enable the Use Windows session authentication option.
  4. Click Login.

After completing the Login, you will be presented with the vSphere Web Client.

NOTE: You can also login without using Windows session authentication by using CORP\Administrator for the username and VMware1! for the password.

 

Power ON Virtual Machines


 

  1. Click the Home icon
  2. Click VMs and Templates

 

Power ON Intranet VM

 

  1. Click the arrow by Nested_Datacenter to expand it.
  2. Select Intranet VM
  3. Click the Power ON button

The Intranet VM will act as our Web Server, and it's named INTRANET.CORP.LOCAL.

This server hosts two web sites on IIS:

  1. INTRANET website - available through ports 80 and 443 under the DNS name INTRANET.CORP.LOCAL; it will be used for this module.
  2. IT website - this one won't be used in this module.

 

Deploying Unified Access Gateway Appliance


The Unified Access Gateway INI file is already configured and contains all the required information to automate this deployment.


 

Launch PowerShell

 

Launch PowerShell by clicking the PowerShell icon from the Taskbar

 

 

Executing the Deployment Script

 

As the script starts, it will ask a couple of questions; follow the steps below in order to provide the correct information.

  1. Enter cd 'C:\Users\Administrator\Documents\HOL\Unified Access Gateway' to navigate to the directory with the Unified Access Gateway deployment scripts.  Press ENTER.
  2. Enter .\uagdeploy.ps1 .\uag-appliance.ini VMware1! VMware1! false false no. Press ENTER.
    The first VMware1! is the root password for the Unified Access Gateway appliance.
    The second VMware1! is the admin password for the REST API management access.
    The first false is to NOT skip the validation of signature and certificate.
    The second false is to NOT skip SSL verification for the vSphere connection.
    The no is to NOT join the VMware CEIP program.
  3. Enter VMware1! as the password for the SSLcert and SSLcertAdmin fields when prompted.

The deployment starts and you can follow the progress in the same window or in your vSphere Web Client, which you left open at the beginning of this module.

NOTE: To avoid the password prompt for the certificate, remove the pfxCerts values and provide a PEM certificate instead: set pemCerts and pemPrivKey in the SSLCert and SSLCertAdmin sections of the INI file.
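Both this module and Module 2 drive uagdeploy.ps1 from an INI file and note that a pfxCerts entry causes a password prompt while pemCerts plus pemPrivKey does not. The following added example, written for this lab and not part of VMware's uagdeploy.ps1, is a pre-flight checker that reads such a file before deployment and reports the mistakes that otherwise only surface mid-run: a two-NIC deployment missing one NIC's address, two NICs on the same subnet, a gateway on no NIC subnet, a certificate section with both PFX and PEM set, or pemCerts without pemPrivKey. It also lists which sections will still prompt for a PFX password. The section names SSLCert and SSLCertAdmin and the keys pfxCerts, pemCerts and pemPrivKey come from the lab text; deploymentOption, ip0/ip1, netmask0/netmask1, defaultGateway and the net* keys are assumed from the UAG PowerShell deployment documentation, and the sample INI content, paths, network names and gateway are constructed for the example.

```python
"""Pre-flight checks for a uagdeploy.ps1 INI file before running the deployment.

Added example for this lab; it is not part of VMware's uagdeploy.ps1. The
section names SSLCert/SSLCertAdmin and keys pfxCerts/pemCerts/pemPrivKey come
from the lab text; deploymentOption, ipN/netmaskN, defaultGateway and the
net* keys are assumed from the UAG PowerShell deployment documentation.
"""
import configparser
import ipaddress

# Constructed sample in the shape of the lab's uag-2NIC.ini: NIC1 on the
# internet-facing network, NIC2 on the management/backend network. Paths,
# network names and the gateway are placeholders, not lab values.
SAMPLE_INI = """\
[General]
name=UAG-2NIC
deploymentOption=twonic
ip0=192.168.110.160
netmask0=255.255.255.0
ip1=192.168.120.160
netmask1=255.255.255.0
defaultGateway=192.168.110.1
netInternet=Internet-Network
netManagementNetwork=Backend-Network
netBackendNetwork=Backend-Network

[SSLCert]
pemCerts=C:\\certs\\uag-internet.pem
pemPrivKey=C:\\certs\\uag-internet-key.pem

[SSLCertAdmin]
pfxCerts=C:\\certs\\uag-admin.pfx
"""

NIC_COUNT = {"onenic": 1, "twonic": 2, "threenic": 3}


def check_ini(text):
    """Return (problems, pfx_sections).

    problems: findings that would make the deployment fail or leave it
    misconfigured. pfx_sections: certificate sections that still use pfxCerts
    and will therefore prompt for a PFX password during deployment.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key case exactly as written in the file
    cfg.read_string(text)
    problems, pfx_sections = [], []

    general = cfg["General"] if cfg.has_section("General") else {}
    option = general.get("deploymentOption", "onenic").lower()
    nics = NIC_COUNT.get(option)
    if nics is None:
        problems.append(f"unknown deploymentOption {option!r}")
        nics = 0

    subnets = []
    for n in range(nics):
        ip, mask = general.get(f"ip{n}"), general.get(f"netmask{n}")
        if not ip or not mask:
            problems.append(f"NIC {n + 1}: ip{n}/netmask{n} missing for {option}")
            continue
        try:
            iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        except ValueError as exc:
            problems.append(f"NIC {n + 1}: invalid address {ip}/{mask} ({exc})")
            continue
        if iface.network in subnets:
            problems.append(f"NIC {n + 1}: subnet {iface.network} already used by another NIC")
        subnets.append(iface.network)

    gateway = general.get("defaultGateway")
    if gateway:
        try:
            gw = ipaddress.IPv4Address(gateway)
            if subnets and not any(gw in net for net in subnets):
                problems.append(f"defaultGateway {gateway} is not on any NIC subnet")
        except ValueError:
            problems.append(f"defaultGateway {gateway!r} is not an IPv4 address")

    for section in ("SSLCert", "SSLCertAdmin"):
        sec = cfg[section] if cfg.has_section(section) else {}
        pfx = bool(sec.get("pfxCerts"))
        pem_cert, pem_key = bool(sec.get("pemCerts")), bool(sec.get("pemPrivKey"))
        if pfx and (pem_cert or pem_key):
            problems.append(f"[{section}]: both pfxCerts and pemCerts/pemPrivKey set; keep one")
        elif pem_cert != pem_key:
            problems.append(f"[{section}]: pemCerts and pemPrivKey must be set together")
        elif pfx:
            pfx_sections.append(section)
        elif not pem_cert:
            problems.append(f"[{section}]: no certificate configured; the appliance "
                            "will use its default self-signed certificate")
    return problems, pfx_sections


if __name__ == "__main__":
    found, prompting = check_ini(SAMPLE_INI)
    for line in found or ["no problems found"]:
        print(line)
    print("sections that will prompt for a PFX password:", prompting or "none")
```

Run it against the lab's INI with `check_ini(open(r"uag-appliance.ini").read())` from the Unified Access Gateway resources directory before starting uagdeploy.ps1; with the sample above it reports no problems and lists SSLCertAdmin as the one section that will still ask for a PFX password.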

 

 

Confirm the PowerShell Script Deployment Completes

 

  1. Confirm the Unified Access Gateway deployed successfully.  The Completed successfully text will be shown in the output.
  2. Click Close.

After the deployment completes successfully, the script automatically powers on the UAG-2NIC VM.

The Received IP address shown in the script log is a temporary IP; the final IPs for NIC 1 and NIC 2 will be assigned to the Unified Access Gateway appliance during the first start. You can return to the vSphere Web Client to validate that, as described in the next step.

NOTE: Deploying the Unified Access Gateway may take several minutes to complete.  Please be patient while the task fully completes.

 

 

Validating the deployment

 

  1. Ensure that you are in the menu VMs and Templates
  2. If you do not see the UAG-2NIC VM under RegionA01, you may need to click Refresh first.
  3. Click on UAG-2NIC.
  4. Click the Summary tab.
  5. Click on View all 2 IP addresses.
  6. The IP Addresses should show:
    192.168.110.160
    192.168.120.160

NOTE: If the Unified Access Gateway appliance has not finalized the configuration during the initial start-up, you will receive an error message from the vSphere Web Client. If this happens, refresh the Google Chrome browser.

 

 

Log In to the Unified Access Gateway Administration Console

 

  1. Click the New Tab button to open a new tab.
  2. Browse to https://uag-intranet.corp.local:9443/admin.
    NOTE: This is the hostname for the intranet facing NIC that the Unified Access Gateway was deployed on (192.168.120.110).
  3. Enter admin for the username.
  4. Enter VMware1! for the password.
    NOTE: This password was created for the admin account as part of the PowerShell script deployment.
  5. Click Login.

 

 

Confirm the Unified Access Gateway Administration Console Login on the Internal Network

 

A successful login will redirect you to the following screen, where you can import settings or manually configure the Unified Access Gateway Appliance.

Click Select under Configure Manually.

 

Configuring Web Reverse Proxy to access non-SSL website (HTTP/Port 80)


At this point, the Unified Access Gateway has been deployed and you are able to access the Unified Access Gateway administration console to add and change configurations of your Unified Access Gateway appliance.

This exercise shows you how Unified Access Gateway can be used as a Web reverse proxy, and can act as either a plain reverse proxy or an authenticating reverse proxy in the DMZ. In this exercise, you learn how to set up a plain reverse proxy.


 

Access to the Reverse Proxy Settings

 

  1. Click the Show toggle by Edge Service Settings, clicking on it will cause it to switch to Hide.
  2. Click the Gear icon next to Reverse Proxy Settings.

 

 

Validating Reverse Proxy Configuration

 

  1. Click on the arrow down for the Reverse Proxy Settings
  2. Click on the refresh icon for the Edge Service Settings
  3. Confirm the intranet proxy status is GREEN

After you add the reverse proxy settings for intranet, the Unified Access Gateway appliance tests the communication between the appliance and the intranet endpoint.  The status turns GREEN if a connection is possible, otherwise it shows RED.

NOTE - It may take a few minutes for the intranet proxy to show as GREEN.  If you do not see it, click the refresh icon in Step #2 until you see the status change to either GREEN or RED.

 

 

Access Intranet through Reverse Proxy

 

  1. Click the New Tab button to open a new tab.
  2. Enter https://uag-internet.corp.local/intranet/ in the address bar and press ENTER.
    NOTE: The uag-internet.corp.local hostname resolves to the Internet facing NIC that you deployed the Unified Access Gateway on (192.168.110.160).

The result is a sample intranet page hosted on an internal IIS Server.

 

Configuring Web Reverse Proxy to access SSL website (HTTPS/Port 443)


In order to access an internal website over HTTPS, an additional configuration is required to establish trust between Unified Access Gateway and the internal website. This exercise explains how to configure this trust using the current Intranet Reverse Proxy instance.


 

Access to the Reverse Proxy Settings

 

  1. Click Close for the Intranet site tab that you opened for https://uag-internet.corp.local/intranet/.
  2. Click the Unified Access Gateway Admin UI tab.
  3. Click the Gear icon next to Reverse Proxy Settings

 

 

Validating Reverse Proxy Configuration

 

  1. Click on the arrow down for the Reverse Proxy Settings
  2. Click on the refresh icon for the Edge Service Settings
  3. Confirm the intranet proxy status is GREEN

After you add the reverse proxy settings for intranet, the Unified Access Gateway appliance tests the communication between the appliance and the intranet server. The status turns GREEN if a connection is possible; otherwise it will show RED.

NOTE - It may take a few minutes for the intranet proxy to show as GREEN.  If you do not see it, click the refresh icon in Step #2 until you see the status change to either GREEN or RED.

 

 

Accessing Intranet through Reverse Proxy

 

  1. Click the New Tab button to open a new tab
  2. Enter https://uag-internet.corp.local/intranet/ in the address bar and press ENTER.
    NOTE: The uag-internet.corp.local hostname resolves to the Internet facing NIC that you deployed the Unified Access Gateway on (192.168.110.160).

The result is the same intranet page hosted on an internal IIS Server. However, the Unified Access Gateway is now accessing the Intranet site on port 443 via HTTPS instead of port 80 via HTTP.

 

Add Certificate Authentication to the Intranet website


The current intranet website configuration through Reverse Proxy on the Unified Access Gateway is open to anyone to access.  You can restrict access to the intranet website to certain users by configuring a device certificate as the authentication method on the Unified Access Gateway Appliance.

Adding a certificate as the authentication method will restrict access to the intranet site to only those users who have a certificate installed on their device. The user certificate must chain to the root certificate set on the Unified Access Gateway appliance.


 

Enabling the X.509 Certificate Settings

 

  1. Click Close for the Intranet site tab that you opened for https://uag-internet.corp.local/intranet/.
  2. Click the Unified Access Gateway Admin UI tab.
  3. Click on Show for the Authentication Settings.
  4. Click the Gear icon next to X.509 Certificate.

 

 

Enabling Certificate Authentication for Intranet Web Site

 

Select the Gear icon for the Reverse Proxy Settings.

The next step is to tell the Unified Access Gateway that certificate authentication will be required in order to access the Intranet website through the Reverse Proxy. This means that the client device must have a user certificate that matches the root certificate uploaded to the Unified Access Gateway Appliance.

 

 

Importing the User Certificate to the local Windows Store

 

  1. On Google Chrome Browser click the Options button.
  2. Click on Settings.

 

 

Testing the Certificate Authentication

 

  1. In Google Chrome, click Options.
  2. Click New incognito window.

 

Power OFF Virtual Machines


You are about to move to the next Module. To complete the next Module successfully, you must follow the steps below to power off the current Unified Access Gateway Appliance and Intranet Server.

Return to the vSphere Web Client on your Google Chrome browser.


 

Power OFF Intranet VM

 

In the vSphere Web Client,

  1. Click the VM and Templates tab.
  2. Click the Intranet VM.
  3. Click the Power OFF icon.

 

 

Power OFF UAG VM Appliance

 

  1. Click on UAG-2NIC.
  2. Click the Power OFF icon.

 

 

Delete the UAG VM Appliance

 

You will remove the Unified Access Gateway Appliance since other Modules may require that you re-deploy the Unified Access Gateway Appliance with the same name but with other configurations.

  1. Right-Click UAG-2NIC.
  2. Click Delete from Disk.

 

 

Confirm the Delete

 

Click Yes to confirm the delete.

 

Conclusion


In this module, you've learned how to:

For additional UAG documentation, be sure to check out the VMware Unified Access Gateway Reference page at https://docs.vmware.com/en/Unified-Access-Gateway/.


Module 4 - Identity Bridging and Single Sign-On access to Legacy Web Applications

Introduction


This module will guide you through how to set up Identity Bridging to provide Single Sign On (SSO) to a legacy Web Application using Kerberos Constrained Delegation (KCD).

Unified Access Gateway in identity bridging mode acts as the service provider that passes user authentication to the configured legacy applications. VMware Identity Manager acts as an identity provider and provides SSO into SAML applications. When users access legacy applications that require KCD or header-based authentication, Identity Manager authenticates the user. A SAML assertion with the user's information is sent to the Unified Access Gateway. Unified Access Gateway uses this authentication to allow users to access the application.

During the lab you will:

 

This manual covers Unified Access Gateway 3.3 integrated with VMware Identity Manager 3.2.0, both hosted on vSphere 6.5 U1.


 

Prerequisites

All of the following pre-requisites are already installed for this Module, the following information is just for your reference.

To configure Identity Bridging in Unified Access Gateway, you must use specific versions of VMware products.

 

Kerberos Delegation Overview


Kerberos Delegation means that a system and user are configured to request Kerberos tokens on behalf of another user.

Since Unified Access Gateway is not joined to the domain, we need to add AD domain Kerberos support to Unified Access Gateway. This is done by generating a Keytab file. This file contains the security tokens/hashes that Unified Access Gateway needs to interact with AD, and it identifies the user delegated to request Kerberos tokens on other users' behalf.

Microsoft recommends that each internal Web Application has its own delegated user and therefore its own Keytab file. Technically you can use one delegated user and Keytab file for many different internal apps, but if that Keytab file is compromised it gives access to all of those internal apps. With one user / Keytab file per application, you can disable access to a single system at a time.

While creating the user and keytab file for each application requires more administration, it has clear security benefits.

REALM is a term you will often hear when talking about Kerberos. A REALM is basically your trust boundary. In AD Kerberos, that is your clients, AD servers and application servers, all joined to the domain. Each one trusts the others since they are all part of the same Kerberos REALM.

Environment configuration:


 

Authentication Flow

The diagram below describes, step by step, the authentication flow that you will be configuring in this lab.

 

  1. Client navigates to application URL https://uag-internet.corp.local/itbudget.
  2. Client is redirected to the Identity Provider (IdP), which is Workspace ONE in this setup, for authentication (https://vidm.corp.local). The IdP issues a SAML assertion upon authentication.
  3. Client passes the SAML assertion to the Unified Access Gateway (http://uag-internet.corp.local). The Unified Access Gateway validates that the SAML assertion is from the trusted IdP by using the SAML certificate from the uploaded IdP Metadata.
  4. The Unified Access Gateway extracts the client’s username from the SAML assertion and requests a Kerberos ticket from Active Directory (CORP.LOCAL) on behalf of that user.
  5. Unified Access Gateway authenticates against the internal web server (https://it.corp.local) using the Kerberos ticket obtained from AD.

 

Logging In to the vSphere Web Client


To perform most of this exercise, you need to log in to the vSphere Web Client.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab Desktop

 

 

Authenticate to the vSphere Web Client

 

  1. Click the New Tab button.
  2. Click the vSphere Web Client bookmark.  The URL for this bookmark is https://vcsa-01a.corp.local/vsphere-client/?csp.
  3. Enable the Use Windows session authentication option.
  4. Click Login.

After completing the Login, you will be presented with the vSphere Web Client.

NOTE: You can also login without using Windows session authentication by using CORP\Administrator for the username and VMware1! for the password.

 

Power ON Virtual Machines


 

  1. Click the Home icon
  2. Click VMs and Templates

 

Power ON Intranet VM

 

  1. Select Intranet VM
  2. Click the Power ON button

The Intranet VM will act as our Web Server, and it's named INTRANET.CORP.LOCAL

This server hosts two WebSites on IIS:

  1. INTRANET website - this one won't be used in this module.
  2. IT website - available through port 443 only, with DNS name IT.CORP.LOCAL; this one will be used in this module.

 

 

Power ON Identity Manager Appliance

 

  1. Select vIDM-3.2.0 VM
  2. Click the Power ON button

This is the VMware Identity Manager instance that will be integrated with Unified Access Gateway.

 

Deploying Unified Access Gateway Appliance


You will be using the PowerShell script to deploy the Unified Access Gateway with an .ini file that has already been configured for you. It sets up a configuration similar to the one you configured in Module 3 as a starting point.  You will use this starting point to configure Kerberos Delegation and Identity Bridging.


 

Open PowerShell window

 

Click on the PowerShell icon

 

 

Deploying Unified Access Gateway Appliance via PowerShell

 

As the script starts, a couple of questions will be asked; follow the steps below in order to provide the correct information.

  1. Enter cd 'C:\Users\Administrator\Documents\HOL\Unified Access Gateway' then press ENTER.
  2. Enter .\uagdeploy.ps1 .\uag-ReverseProxy.ini VMware1! VMware1! false false no then press ENTER.
    The first VMware1! is the root password for the Unified Access Gateway appliance.
    The second VMware1! is the admin password for the REST API management access.
    The first false is to NOT skip the validation of signature and certificate.
    The second false is to NOT skip SSL verification for the vSphere connection.
    The no is to NOT join the VMware CEIP program.
  3. Enter VMware1! as the password for the SSLcert and SSLcertAdmin fields when prompted.

To avoid the password prompt for the certificate, remove the pfxCerts values and provide a PEM certificate instead by setting pemCerts and pemPrivKey in the SSLCert and SSLCertAdmin sections of the INI file.

The deployment starts and you can follow the progress on the same window or on your vSphere Web Client.

 

 

Confirm the PowerShell Script Deployment Completes

 

  1. Confirm the Unified Access Gateway deployment completed successfully.  The Completed successfully text will be shown in the output.
  2. Click Close.

After the deployment finishes successfully, the script will automatically power on the VM UAG-2NIC.

The Received IP address shown in the script log is a temporary IP; the final IPs for NIC one and NIC two will be assigned to the Unified Access Gateway appliance during the first start. You can return to the vSphere Web Client to validate this as described in the next step.

NOTE: Deploying the Unified Access Gateway may take several minutes to complete.  Please be patient while the task is fully completed.

 

 

Validating the deployment

 

Return to the VMware vSphere Web Client in Google Chrome.

  1. Click on the VM and Templates tab.
  2. Click on UAG-2NIC.
  3. Click the Summary tab.
  4. Click on View all 2 IP addresses.
  5. Confirm the IP Addresses listed are 192.168.110.160 and 192.168.120.160.  
    These are the IPs you specified in the INI file used by the PowerShell script.
  6. If the IP Addresses have not populated, you may need to click the Refresh button and check again.

NOTE: In case the Unified Access Gateway appliance has not finalized the configuration during the first startup, you will receive an error message from the vSphere Web Client.  If this happens, wait for the Appliance to finish deploying and refresh the whole Chrome Browser.

You will continue with configuring Kerberos and other tasks while you wait for the Unified Access Gateway appliance to finish deploying and enabling the various services that were configured as part of the PowerShell deployment.

 

Configuring Kerberos Authentication on IIS Website


 

Return to the vSphere Web Client,

  1. Click the Intranet VM.
  2. Click the Summary tab.
  3. Click the Gear icon on the Intranet Screen.
  4. Click Launch Remote Console.

NOTE: A new browser tab will open and the VMware Remote Console will load after a few seconds.


 

Login to the Intranet VM

 

The VMware Remote Console may take a few seconds to launch.  Once the VMware Remote Console launches,

  1. Press the Ctrl+Alt+Delete button to open the login page.
  2. Enter VMware1! for the password
  3. Click the Login button, or press ENTER.

 

 

Launch IIS

 

Click the IIS Manager icon from the toolbar

 

 

Configure IIS WebSite

 

Open IIS (Internet Information Services) Manager, located on the Task Bar at the bottom

  1. Click on Arrow Down to expand the INTRANET node
  2. Click on Arrow Down to expand the Sites node
  3. Click on IT Site
  4. Double Click on Authentication

 

 

Configure IIS Application Pool

In this step you are configuring the Application Pool to run under a specific account (corp\iis_it) that has already been created.

 

Configuring Kerberos Delegation


You will now configure Kerberos Delegation for the IIS IT service account that has been assigned to handle Kerberos Delegation for the IIS website.


 

Active Directory Setup

 

From the Main Console (NOT the Intranet VM opened in the VMware Remote Console!),

  1. Click the Windows button.
  2. Type active directory to search.
  3. Click Active Directory Users and Computers.

 

 

Create a Keytab file

 

A Keytab is the token that will be used to connect to Active Directory and request an authentication ticket without a login password.  Keytab files contain pairs of Kerberos principals and encrypted keys, which allow authentication using Kerberos without the need to enter a password.  Keytabs can only be generated through Windows Server OS.

To generate the Keytab file, access the Command Prompt from the Main Console again (do NOT return to the Intranet VM).

  1. Click on the Command Prompt icon from the Main Console.
  2. Enter the following command:
    ktpass -princ HTTP/it.corp.local@CORP.LOCAL -mapuser iis_IT@CORP.LOCAL -mapOp set -pass VMware1! -crypto all -ptype KRB5_NT_PRINCIPAL -out C:\it.keytab and press ENTER

After you execute this command a file named  it.keytab will be created in C:\. This file will be used later during the configuration of the Identity Bridging on the Unified Access Gateway.

Each parameter we passed to the ktpass tool is explained below:
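Before uploading it.keytab to the appliance, it is worth confirming what it contains: exactly the HTTP/it.corp.local@CORP.LOCAL principal named in the ktpass command above, and which encryption types -crypto all actually produced, since a keytab that carries legacy DES or RC4 keys, or an unexpected principal, is the kind of thing the one-Keytab-per-application discussion earlier in this module is about. The following Python is an added example, not part of this lab or of VMware's tooling: it builds a constructed keytab with dummy key bytes in the MIT keytab format that ktpass writes, parses it back, and reports findings.

```python
# Added example: build, parse and sanity-check an MIT-format keytab such as
# the one "ktpass ... -crypto all" writes. Dummy key bytes only, nothing real.
import struct
import time

# Kerberos enctype numbers; DES and RC4 are the legacy ones worth flagging.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}

def _octets(b: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(b)) + b

def build_keytab(principal: str, keys: dict, kvno: int = 3) -> bytes:
    """Write a v0x0502 keytab, one entry per {enctype number: key bytes}."""
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    out = bytearray(b"\x05\x02")                    # keytab format version 2
    for etype, key in keys.items():
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        body += b"".join(_octets(c.encode()) for c in comps)
        body += struct.pack(">II", 1, int(time.time()))  # KRB5_NT_PRINCIPAL, ts
        body += struct.pack(">BH", kvno & 0xFF, etype) + _octets(key)
        body += struct.pack(">I", kvno)             # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body  # entry length prefix
    return bytes(out)

def parse_keytab(data: bytes) -> list:
    """Return one dict (principal, enctype, kvno) per live keytab entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, pos = [], 2

    def take(n: int) -> bytes:
        nonlocal pos
        pos += n
        return data[pos - n:pos]

    def counted() -> bytes:             # length-prefixed field
        return take(struct.unpack(">H", take(2))[0])

    while pos < len(data):
        (size,) = struct.unpack(">i", take(4))
        if size < 0:                    # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", take(2))
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        take(8)                         # name type and timestamp, unused here
        vno8, etype = struct.unpack(">BH", take(3))
        counted()                       # the key itself: not needed to check
        vno = struct.unpack(">I", take(4))[0] if end - pos >= 4 else vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": ENCTYPES.get(etype, str(etype)), "kvno": vno})
    return entries

def check_keytab(data: bytes, expected_principal: str) -> list:
    """Operator findings; an empty list means the keytab looks as expected."""
    entries = parse_keytab(data)
    principals = {e["principal"] for e in entries}
    findings = [] if principals == {expected_principal} else [
        "unexpected principals: %s" % sorted(principals)]
    findings += ["weak enctype present: " + e["enctype"]
                 for e in entries if e["enctype"] in WEAK]
    return findings
```

To inspect a real file, read it with `open(path, "rb").read()` and pass the bytes to check_keytab with the principal you expect.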

 

 

Download IdP Metadata from VMware Identity Manager

 

As part of this exercise, you will configure a VMware Identity Manager tenant and make a web application available to your users that allows them to access the https://it.corp.local intranet site with Kerberos and Identity Bridging through the Unified Access Gateway.  Some setup of VMware Identity Manager has already been configured for you to focus the scope of this lab.

Return to Google Chrome on the Main Console,

  1. Click the New tab button.
  2. Enter https://vidm.corp.local and press ENTER.
    NOTE: This is the hostname that points to the VMware Identity Manager appliance that is deployed within vSphere that you powered on earlier in this exercise.
  3. Select System Domain.
  4. Uncheck Remember this setting.
  5. Click Next.

 

Log In to the Unified Access Gateway Admin Console


 

NOTE: The Unified Access Gateway appliance may take 5 - 10 minutes to fully deploy and be accessible.  If you are not able to connect using the below URL, please wait and try again in a few minutes.

  1. Click the New Tab button to open a new tab.
  2. Browse to https://uag-intranet.corp.local:9443/admin.
  3. NOTE: This is the hostname for the intranet facing NIC that the Unified Access Gateway was deployed on (192.168.120.110).
  4. Enter admin for the username.
  5. Enter VMware1! for the password .
  6. NOTE: This password was created for the admin account as part of the PowerShell script deployment.
  7. Click Login.

 

Validate Configuration Settings

 

A successful login will redirect you to the following screen, where you can import settings or manually configure the Unified Access Gateway Appliance.

Click Select under Configure Manually.

 

Confirm the itbudget Reverse Proxy Settings were Configured


 

Follow the steps below to see that a Web Reverse Proxy instance named itbudget has been automatically configured; later you will enable the Identity Bridging feature for this instance.

The Unified Access Gateway Appliance has been pre-configured with a Reverse Proxy named itbudget, which was configured as part of the .ini file used during the PowerShell deployment.  This has been done to limit the setup time required for this exercise and is similar to the setup seen in Module 3. You will later enable the Identity Bridging feature for this itbudget instance.

  1. Click SHOW for the Edge Service Settings; after you click it, it will switch to HIDE.
  2. Click the dropdown arrow for the Reverse Proxy Settings.
  3. Confirm the itbudget Reverse Proxy instance exists.

Configuring Identity Bridging on Unified Access Gateway


You are now ready to configure the Identity Bridging feature on the Unified Access Gateway appliance.  By providing the IdP Metadata XML from the VMware Identity Manager tenant and the Keytab file generated for the IIS_IT@corp.local user, you will be able to configure the Unified Access Gateway to authenticate users with SAML to your it.corp.local intranet website.


 

Configure Identity Provider

 

  1. Scroll down until you see the option for Identity Bridging Settings
  2. Click the Gear for Upload Identity Provider Metadata under Advanced Settings.

 

 

Configure Keytab

 

Click the Gear for Upload Keytab Settings under Advanced Settings

 

 

Configure REALM

 

Click the Gear for Realm Settings under Advanced Settings.

 

 

Configure Identity Bridging

 

  1. Click the SHOW toggle for the Edge Service Settings.  This will change to HIDE after you click it.
  2. Select the Gear icon for Reverse Proxy Settings.

 

Configure a Web App in VMware Identity Manager


 

  1. Return to the VMware Identity Manager Admin Console tab.
  2. Click the drop-down arrow by Catalog.
  3. Click Web Apps.
  4. Click New.

 

Configure the Web App

 

  1. Enter IT Budget for Name.
  2. Enter Internal website for IT Budget planning for Description.
  3. Click Next.

 

 

Assign Web App to an AD Group

 

  1. Enter ALL USERS in the Users / User Groups field.
  2. Click the ALL USERS result.

 

Testing Web Application and SSO through Identity Bridging


 

You now have the IT Budget Web App configured and added to the catalog.

  1. Click on the three dots on the right top side of Google Chrome Browser.
  2. Select New incognito window.

 

Access the itbudget Site

 

Enter https://uag-internet.corp.local/itbudget/ and press ENTER.

 

 

Select the Corp.Local Domain

 

You will be redirected to VMware Identity Manager for authentication on the CORP.LOCAL domain.

Click Next.

 

 

Enter Corp.Local User Credentials

 

  1. Enter aduser for the username.
  2. Enter VMware1! for the password.
  3. Click Sign in.

 

 

Confirm Access after Successful Authentication

 

You should see the IT Budget website now after successfully authenticating.

 

 

 

Validating Kerberos Authentication

 

Return to the Intranet Web Server machine that you previously accessed through VMware Remote Console.

  1. Click the VMware Remote Console icon from the Main Console task bar to return to the Intranet VM.
  2. Click the Event Viewer icon from the Intranet VM task bar.

 

 

View Logon Logs

 

  1. Expand the Windows Logs node.
  2. Click on Security.
  3. Select the latest Logon Task Category event.
  4. Click the Details tab.
  5. Click the XML View toggle.
  6. Scroll down to find the EventData section.
  7. The Log Details show an authentication on behalf of the user ADUSER using Kerberos.
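To make the check in step 7 repeatable, for example over events exported from the Intranet VM, here is an added Python example (not from the lab manual) that reads the XML View of a Security event and reports whether it is the Kerberos network logon for aduser that Identity Bridging should produce. Both events below are constructed to resemble event 4624 on the Intranet VM; an NTLM logon in place of Kerberos would indicate that the delegated Kerberos ticket was not used.

```python
# Added example: check the Security event XML from the Intranet VM for the
# Kerberos logon that Identity Bridging should produce. Events are constructed.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed to resemble the XML View of event 4624 ("An account was
# successfully logged on"); the IP is the UAG intranet NIC from the lab.
KERBEROS_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>intranet.corp.local</Computer></System>
  <EventData>
    <Data Name="TargetUserName">aduser</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="IpAddress">192.168.120.160</Data>
  </EventData>
</Event>"""

# Same shape, but what you would see if the appliance fell back to NTLM.
NTLM_EVENT = KERBEROS_EVENT.replace(">Kerberos<", ">NTLM<")


def event_data(xml_text: str) -> dict:
    """Flatten EventID plus every <Data Name=...> field into one dict."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for d in root.findall("e:EventData/e:Data", NS):
        fields[d.get("Name")] = (d.text or "").strip()
    return fields


def kcd_logon_status(xml_text: str, user: str) -> str:
    """'ok' when the event is a successful network logon (4624, type 3) for
    ``user`` via Kerberos; otherwise a short reason the KCD flow did not work."""
    ev = event_data(xml_text)
    if ev.get("EventID") != "4624":
        return "not a successful logon event (EventID %s)" % ev.get("EventID")
    if ev.get("TargetUserName", "").lower() != user.lower():
        return "logon is for %s, not %s" % (ev.get("TargetUserName"), user)
    if ev.get("LogonType") != "3":
        return "expected a network logon (type 3), got type %s" % ev.get("LogonType")
    if ev.get("AuthenticationPackageName") != "Kerberos":
        return "authenticated with %s, not Kerberos" % ev.get("AuthenticationPackageName")
    return "ok"
```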

 

 

Conclusion


In this module, you've learned how to:

For additional UAG documentation, be sure to check out the VMware Unified Access Gateway Reference page at https://docs.vmware.com/en/Unified-Access-Gateway/.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1957-08-UEM

Version: 20181104-123630