インフラ基盤構築の際にUAGを展開したので備忘録でまとめます。
UAGは、Horizon環境のリモートアクセス用のGatewayや、リバースプロキシ、多要素認証など色々セキュリティを強化する際に使います。
UAGはデプロイ方法が2種類あります。
一つは、vCenterから、OVFテンプレートをデプロイし、パラメータを設定するやり方です。この手法がスタンダードです。
しかしながら、UAGのパラメーターはかなり多いので、デプロイを複数重ねてテストをすることを踏まえると何度も手動で展開する方法は正直大変です。
そこで、2つ目のiniファイルにパラメーターを入れて、Powershellから展開するという方法があります。
こちらの展開であれば、何度も値を入れ直さなくて済むので便利です。
さらに、UAGの冗長構成で2台用意する際も、一部のパラメータを変更するだけで利用できます
では、早速具体的な手順について説明します。
【MyVMware】よりダウンロード
OVFファイルと、PowershellScriptsをダウンロードをします。
Zipを展開して、必要な設定に近いiniファイルを修正します。
今回はuag2-advanced.iniをベースに設定を入れます。
【iniファイルの編集】
iniファイルを修正します。
[General]
#
# UAG virtual appliance unique name (between 1 and 32 characters).
# If name is not specified, the script will prompt for it.
#
#UAGの名前を入れる
name=uag01
#
# Full path filename of the UAG .ova virtual machine image
# The file can be obtained from VMware
#
#OVAファイルパスを指定
source=Z:\Horizon 7.6\euc-unified-access-gateway-3.4.0.0-11037344_OVF10.ova
#
# target refers to the vCenter username and address/hostname and the ESXi host for deployment
# Refer to the ovftool documentation for information about the target syntax.
# See https://www.vmware.com/support/developer/ovf/
# PASSWORD in upper case results in a password prompt during deployment so that passwords do not need
# to specified in this .INI file.
# In this example, the vCenter username is administrator@vsphere.local
# the vCenter server is 192.168.0.21 (this can be a hostname or IP address)
# the ESXi hostname is esx1.myco.int (this can be a hostname or IP address)
#
#target=vi://administrator@vsphere.local:PASSWORD@192.168.0.21/Datacenter1/host/esx1.myco.int
#target=vi://ユーザー名:パスワード@vCenterのIPもしくはホスト名/Datacenter名/host/Cluster名
target=vi://administrator@vsphere.local:PASSWORD@172.22.130.20/DC/host/cluster
#
# vSphere datastore name
#
#Datastore名を指定
ds=ds01
#
# Disk provisioning mode. Refer to OVF Tool documentation for options.
#
#diskMode=thin
#
# vSphere Network names. For pre 3.3 UAG versions, a vSphere Network Protocol Profile (NPP) must be associated with every referenced network name. This specifies
# network settings such as IPv4 subnet mask, gateway etc. UAG 3.3 and newer no longer uses NPPs and so for static IPv4 addresses a netmask0, netmask1 and netmask2
# value must be specified for each NIC. Normally a defaultGateway setting is also required.
#
#netInternet=VM Network
#netManagementNetwork=VM Network
#netBackendNetwork=VM Network
#defaultGateway=192.168.0.1
#deploymentOption=onenic
#ip0=192.168.0.90
#netmask0=255.255.255.0
#routes0=192.168.1.0/24 192.168.0.1,192.168.2.0/24 192.168.0.2
#PortGroupを指定
netInternet=DMZ(100)
netManagementNetwork=DMZ(100)
netBackendNetwork=DMZ(100)
#DefaultGateway
defaultGateway=192.168.100.254
#NICおよびIPの指定。StaticRoute。
deploymentOption=onenic
ip0=192.168.100.1
netmask0=255.255.255.0
#routes0=192.168.100.0/24 192.168.100.254
#deploymentOption=twonic
#ip0=192.168.0.90
#netmask0=255.255.255.0
#ip1=192.168.0.91
#netmask1=255.255.255.0
#routes0=192.168.1.0/24 192.168.0.1,192.168.2.0/24 192.168.0.2
#routes1=192.168.3.0/24 192.168.0.1,192.168.4.0/24 192.168.0.2
#deploymentOption=threenic
#ip0=192.168.0.90
#netmask0=255.255.255.0
#ip1=192.168.0.91
#netmask1=255.255.255.0
#ip2=192.168.0.92
#netmask2=255.255.255.0
#routes0=192.168.1.0/24 192.168.0.1,192.168.2.0/24 192.168.0.2
#routes1=192.168.3.0/24 192.168.0.1,192.168.4.0/24 192.168.0.2
#routes2=192.168.5.0/24 192.168.0.1,192.168.6.0/24 192.168.0.2
#DNSを記入
dns=192.168.100.10
#syslogUrl=syslog://server.example.com:514
#
# Setting honorCipherOrder to true forces the TLS cipher order to be the order specified by the server. This can be set on
# UAG 2.7.2 and newer to force the Forward Secrecy ciphers to be presented first to improve security.
#
honorCipherOrder=true
#
# sessionTimeout value in milliseconds. Default is 36000000 (10 hours). When the session timeout expires,
# the user needs to login again.
#
# 11 hours
sessionTimeout=39600000
# For UAG 3.4 onwards include licenseEdition property to be deployed.
# Options include- Standard, Advanced or Enterprise.
# Please uncomment the UAG license edition based on the Horizon/Workspace ONE licensing.
# licenseEdition=Standard
# licenseEdition=Advanced
# licenseEdition=Enterprise
[SSLCert]
#
# From UAG 3.0 and newer, you can specify the name of a .pfx or .12 format certificate file containing the required certificate and private key and
# any required intermediate certificates. In this case there is no need to use openssl commands to convert the .pfx/.p12 file into the
# associated PEM certificates file and PEM private key file.
#
#pfxCerts=sslcerts.pfx
#pfxCerts=C:\temp\UAG\sslcerts.pfx
#
# If there are multiple SSL certificates with private key in the .pfx file you also need to specify an alias name in order to select the required certificate.
# This is not necessary if there is only one SSL certificate with private key in the file
#
#pfxCertAlias=alias1
#
# The following pemCerts and pemPrivKey settings are only needed if you don't have a .pfx/.p12 file and want to directly use the two PEM format files.
#
# pemCerts refers to a PEM format file containing the SSL server certificate to be deployed. The file should also contain any
# required intermediate CA and root CA certificates.
#
###pemCerts=sslcerts.pem
#
# pemPrivKey refers to a file containing the RSA PRIVATE KEY for the SSL server certificate in the above certificate file.
#
#pemPrivKey=sslcertrsakey.pem
#
# From UAG 3.2 and newer, you can specify a certificate for the admin interface on port 9443. It is in the same format as [SSLCert] above.
#
[SSLCertAdmin]
#pfxCerts=sslcerts.pfx
#pemCerts=sslcerts.pem
#pemPrivKey=sslcertrsakey.pem
###pfxCerts=C:\temp\UAG\sslcerts.pfx
###pemCerts=C:\temp\UAG\sslcerts.pem
####pemPrivKey=C:\temp\UAG\sslcertrsakey.pem
[Horizon]
#
# proxyDestinationUrl refers to the backend Connection Server to which this UAG appliance will connect.
# It can either specify the name or IP address of an individual Connection Server or of a load balanced alias to connect
# via a load balancer in front of multiple Connection Servers.
#
#connection Serverのホスト名
proxyDestinationUrl=https://con01.lab.local
#
# proxyDestinationUrlThumbprints only needs to be specified if the backend Connection Servers do not have
# a trusted CA signed SSL server certificate installed (e.g. if it has the default self-signed certificate only).
# This is a comma separated list of thumbprints in the format shown here.
#
#proxyDestinationUrlThumbprints=sha1:3e ef ed c6 86 75 a6 15 ff c8 96 27 5a 4c ee 8e 16 fd 6e d3,sha1:3e ef ed c6 86 75 a6 15 ff c8 96 27 5a 4c ee 8e 16 fd 6e d3
#
# The following external URLs are used by Horizon Clients to establish tunnel, HTML Access and PCoIP connections
# to this UAG appliance. If they reference a load balancer name or address then the load balancer must be
# configured for source IP hash affinity otherwise the connections may route to the wrong UAG appliance.
#
#UAGのOutbandアクセスする際のURL
tunnelExternalUrl=https://gw.external.jp:443
blastExternalUrl=https://gw.external.jp:443
#
# pcoipExternalUrl must contain an IPv4 address (not a DNS name)
#
#PCoIP用のグローバルIPアドレス
pcoipExternalUrl=xxx.xxx.xxx.xxx:4172
Powershellの実行
iniファイルと、OVFファイルと、psファイルを同じフォルダに配置して、下記コマンドをPSで実行すれば完了です。
実行するPCには、OVF Toolsのインストールが必要です。
ovftool is here
PS C:\temp\UAG> .\uagdeploy.ps1 -iniFIle .\uag2-onenic.ini
root のパスワードとadmin password for the Admin UI and REST API managementのパスワードを入れて、後は待つだけでデプロイが完了します。
次回は、UAGのWebUIからの設定と、HorizonAdministratorの設定をまとめます。
