Elevating Your Monitoring Strategy for the Unified Access Gateway with Edge Services Observability

Over the last year or so, I have written a ton about the Unified Access Gateway (UAG). The importance of the UAG has grown so much for Workspace ONE, and with that grows the need to monitor and gather data to help you support its complexity. Thanks to a few engineers at VMware, we can now elevate that strategy with the Edge Services Observability Fling. We are going to cover what this Fling offers, how to deploy it, how to add your UAGs to the ESO, and how to work with the ESO dashboards. I promise you will love its potential because it’s pretty good!


What is Edge Services Observability?

The main question that you may ask yourself is why do I need this? Most people think that having SysLog integration and Tunnel Access Logs is good enough. The UAG has a ton of complexity in general, which can create some challenges from a support perspective.

The ESO takes your monitoring endpoint e.g.: https://syn-uag01.synterex.com:9443/rest/v1/monitor/stats and parses that data to build effective dashboards for your UAG edge services like Content Gateway, Tunnel, and Horizon. ESO focuses mainly on utilization, traffic usage, device traffic rules, and numerical-based metrics.

ESO also has the potential to take things one step further and alert your administrators based on thresholds that surface. Let’s talk about the main technology underneath: Grafana.

What is Grafana?

Grafana is an interesting open source solution, which reminds me a bit of Kibana. Grafana has a few main focuses:

  • Unifying data regardless of its home e.g. cloud services, Kubernetes, spreadsheets, etc.
  • Data accessibility that doesn’t require you to be a rocket scientist to use.
  • Simplistic and dynamic dashboards that are easy to build and work with.
  • Highly-flexible and versatile dashboards through queries and data transformation.

You’re going to find when exploring ESO that it’s barely scratching the surface of what Grafana can do. In the near future, I hope VMware will implement more of the capabilities within Grafana especially with embedding the dashboard into your Team sites in SharePoint to empower your teams with more data and visibility.

Now, let’s walk through the OVA build process and cover its onboarding.

Deploying ESO via OVF Template

Let’s start by covering a demo on the OVF deployment. Once we have explored that, we can cover some potential improvements they can make to the OVF deployment process.

As you saw, the OVF deployment is pretty easy, but I would recommend a bit of cleanup. I think my main issue is the networking setup doesn’t mimic the UAG. As you can see below, they should just let you input the Subnet vs. selecting the Network Prefix. It’s a minimal/stupid thing, but I think consistency is good as a general rule.

Overall, I love the simplicity of the OVF deployment especially with the server credentials on the same page as everything else. This definitely keeps it simple and light. Let’s move onto adding UAGs to the service.

Adding UAGs to the Edge Services Observability Server

Overall, you will find the whole process is similar to your UAGs. You deploy the OVF, then log in and do your stuff. Pretty basic. Let’s cover a short demo that shows you how to add your UAGs:

One of the things that I love about this fling is there is help everywhere you turn. Whether it’s this great article here or just built into the GUI, it’s a really sweet thing:

As you saw, the adding of a UAG is pretty basic. The only thing to remember is this small piece of code in OpenSSL to get the proper fingerprint:

openssl s_client -connect syn-uag01.synterex.com:9443 </dev/null 2>/dev/null | openssl x509 -fingerprint -noout -sha256
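A check on the value that command prints, as an added example (not part of the original post or the ESO Fling): it recomputes the SHA-256 fingerprint from a certificate and compares it with a fingerprint recorded earlier, so a changed certificate is noticed before the value is pasted into ESO. The function names and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import re
import ssl


def normalize_fingerprint(text):
    """Turn 'sha256 Fingerprint=AB:CD:...' or bare hex into 64 lowercase hex chars."""
    value = text.strip().split("=", 1)[-1]
    hex_only = re.sub(r"[:\s]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hex_only):
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return hex_only


def fingerprint_of_pem(pem):
    """SHA-256 over the certificate's DER bytes, as openssl x509 -fingerprint -sha256 computes it."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def openssl_style(hex_fp):
    """Format lowercase hex the way openssl prints it: AB:CD:..."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2)).upper()


def matches_recorded(pem, recorded):
    """True only if the certificate hashes to the fingerprint recorded earlier."""
    return fingerprint_of_pem(pem) == normalize_fingerprint(recorded)


# Constructed stand-in for a certificate (not a real UAG certificate); the
# fingerprint is a hash over raw bytes, so any bytes exercise the comparison.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed sample certificate bytes")

if __name__ == "__main__":
    # Against a live gateway: pem = ssl.get_server_certificate((host, 9443))
    recorded = "sha256 Fingerprint=" + openssl_style(fingerprint_of_pem(SAMPLE_PEM))
    print(recorded)
    print("match:", matches_recorded(SAMPLE_PEM, recorded))
    print("match:", matches_recorded(SAMPLE_PEM, "00" * 32))
```

The comparison is only as trustworthy as the recorded value, so capture that value over a path you already trust and not over the same network hop ESO will use.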

The process is pretty simple in general. If you encounter any bugs, don’t forget to file them at Project ESO Fling with your /root/manager/log/exporter.log and screenshots, as that will help advance the product development. As this is a Fling, the one thing that I would like to see is a better UI experience on the main page, which is a pretty small effort. I believe this is a product that low-tech people can use, so making it more appealing will really help with adoption:

Working with the ESO Dashboards

As we discussed earlier, Grafana is the platform that visualizes your data for the UAG and gives you useful dashboards that you can leverage. Check out the demo below to see more:

The Explore tab in Grafana will give you a good idea of the exposed areas that they have ingested via the monitor stats endpoint. The main issue I currently have is the lack of support for service status. Based on some communications, their next release of ESO will support non-numerical data. Today, your status responses look like this:

<airwatchSEGStats>
<backendStatus>
<reason>Reachable</reason>
<status>RUNNING</status>
</backendStatus>

You can clearly see that is non-numerical and I hope those get pulled in soon. From my perspective, that is the most important area that needs to be on any UAG dashboard.
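One way to bridge that gap until ESO handles text fields, as an added example (not ESO's code): parse status blocks like the one above and emit a numeric gauge that a Grafana panel can threshold. The metric name `uag_edge_service_up`, the Prometheus text output format and the closed-off sample XML are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the excerpt from the post, closed so that it parses.
SAMPLE_XML = """<airwatchSEGStats>
<backendStatus>
<reason>Reachable</reason>
<status>RUNNING</status>
</backendStatus>
</airwatchSEGStats>"""


def _walk(elem, path):
    """Yield (section path, status, reason) for every element with a <status> child."""
    here = path + [elem.tag]
    status = elem.findtext("status")
    if status is not None:
        yield "/".join(here), status.strip(), (elem.findtext("reason") or "").strip()
    for child in elem:
        yield from _walk(child, here)


def to_gauges(xml_text):
    """Map each status string to 1 (RUNNING) or 0 (anything else)."""
    rows = []
    for section, status, reason in _walk(ET.fromstring(xml_text), []):
        rows.append((section, status, reason, 1 if status == "RUNNING" else 0))
    return rows


def _esc(value):
    """Escape a label value for the Prometheus text format."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def render(rows):
    """Render rows as metric lines; the metric name is hypothetical."""
    lines = []
    for section, status, reason, value in rows:
        labels = 'section="%s",status="%s",reason="%s"' % (
            _esc(section), _esc(status), _esc(reason))
        lines.append("uag_edge_service_up{%s} %d" % (labels, value))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(to_gauges(SAMPLE_XML)))
```

Treating every status other than `RUNNING` as 0 fails closed: an unexpected or new status string turns the panel red instead of being silently ignored.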

Bringing SEG into ESO

Additionally, SEG support isn’t quite there yet. A while back, I shared a complete dump of the API commands for the UAG on my GitHub. On top of that, you do have a few URLs they could pull into this solution:

These URLs pull in the full SEG diagnostics data and the SEG Health Stats. I believe if they add these two areas into ESO that it will really benefit some of these on-premise customers that rely so heavily on the UAG.

VMware Tunnel Capabilities in ESO/Grafana

A list of the current VMware Tunnel capabilities in Grafana can be seen below:

  • Cascade Mode Backend and Backend Down Stats
  • Connection Manager/Session Manager Snapshot Connections Per Sec, Down Bit Per Sec, Handshake Per Sec, Up Bit Per Sec
  • Connection Stats, Connection High Watermarks
  • Tunnel CPU Cores, CPU Usage, Total CPU Usage
  • Edge Service Session Stats for Authenticated Sessions, Failed Login Attempts, High Watermark of Sessions, Total Sessions, Unauthenticated Sessions, User Count
  • Flow Collectors, Flow Collectors Highwater Mark, Flow Collectors Total Since Start
  • Internal Session Stats
  • NAT TCP/UDP Down Bits Per Sec, Highwater Mark, Segments Retransmitted, Segments Sent, Up Bits Per Sec, NAT TCP/UDP Stats, UDP Total Since Start
  • Session Closed and Failed Handshakes
  • Session Stats, Highwater Mark, Timer Highwater Mark, Timers
  • Total NAT TCPs Since Start, Total SSL Connections Since Start, Total Sessions Since Start, Total TCP/UDP Connections Since Start
  • Traffic Rule Proxies

Hopeful Capabilities for Edge Services Observability in the Next Few Releases

After a solid review, I thought I’d share some of my hopeful items that they will put in soon:

  • Email Alerts for thresholds is an absolute must for this to be successful.
  • SEG implementation as mentioned earlier.
  • Embedding Dashboards
  • Supporting non-numerical data for stop lights
  • Easy accessibility/modification of the Grafana Config

Final Thoughts

From my perspective, I think this is a really solid initial release. We have to be realistic in that this is a Fling. Being a VMware Fling, we must temper expectations. At a minimum, this project shows us the potential of leveraging and bending the API to provide huge value.

We definitely need to continue to drive the use of REST API as UEM practitioners and not shy away from it because it’s different or hard. I would say that without a doubt the most rewarding thing I ever did was dig deep on REST to orchestrate and automate my organization. If you need help or want to implement this Fling or many others, please reach out and we can definitely help you.
