Every now and then the VMware UAG or Unified Access Gateway puts out something fun. This week, UAG 2209 is delivering some interesting new capabilities. The last time I covered some of these new features was for 2106 a year or so ago. We are going to discuss a few of these new and fun features with some demos and some code to make life much easier. Let’s get started by covering these items off.
The UAG Cert Utility
People on Workspace ONE often struggle quite a bit with certificates. I’ve done a ton of this work myself over the years so it’s something that I know far too well. It’s known as uagcertutil
Let’s cover how it works. The command has a few different modes you can leverage:
- newcsr
- bind
Before we get into them, we need to look at the working directory for the utility is /opt/vmware/certutil. Firstly, the files inside of that folder are:
- uagcertutil.conf
- any CSRs or keys we have generated (lives inside of the pk folder).
The UAG CertUtil Configuration File
So, we will begin by configuring the uagcertutil.conf file:
The first part is the configuration section below:
Just to highlight the areas within:
- keySize is just the key size in the CSR
- csrPath is where you update the name of the CSR
- csrSignAlg is just the signature algorithm which you can probably leave as is
- pkFile is where you update the name of the private key file
- signedCert is where you update the date of the signed certificate
- target implies if you want to bind to just 9443 or 443 or both
- deleteKeyFileAfterBind is HUGE and you absolutely want to make sure it does clean things up, so you don’t get dinged!
The other portion are the details of your certificate which you need to set for your environment:
Building the CSR
Now, we run the command to create our CSR:
uagcertutil --newcsr
**you can use the --config flag if you store your config file elsewhere**you can see after running it, the artifacts are now present:
Once done, you just grab the uag.csr and submit it to your CA. Next, you copy that certificate down to the location of the signedCert field you set in the config file. Once done, we will move onto the import magic!
As a FYI, you 100% want to use WinSCP to copy files up easily:
Importing the Certificate
The certificate import is super easy. You just need to do this:
uagcertutil --bind
You can see the private key was eliminated (yay!):
Basic Auth and SAML Co-Existence
This item is simple. You can now create basic authentication accounts that can co-exist for stuff like API integrations when SAML is enabled. You just create them in Account Settings:
The main key with this is that you MUST create a monitoring account without “Pre-expire Password”
Once you have done so, you can use this sort of code for your authentication:
##Requires you manually create a Monitoring User without"Pre-Expire Password"##
$Username = Read-Host -Prompt 'Enter the Username'
$Password = Read-Host -Prompt 'Enter the Password' -AsSecureString
#Convert the Password
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
$UnsecurePassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
#Base64 Encode AW Username and Password
$combined = $Username + ":" + $UnsecurePassword
$encoding = [System.Text.Encoding]::ASCII.GetBytes($combined)
$cred = [Convert]::ToBase64String($encoding)
$script:header = @{
"Authorization" = "Basic $cred";
"Content-Type" = "application/json";}
Invoke-RestMethod -Uri 'https://uag:9443/rest/v1/config/settings' -Headers $headerPowerShell Deployments in Microsoft Azure
The last item I want to cover are PowerShell Deployments for Azure. Let’s start by showing how we setup the Windows Client:
Preparing PowerShell and Azure for Deployments in Azure
The first steps that we will go through is configuring your PowerShell environment for the deployments via Azure:
As you saw, that was pretty painless. Just a few commands:
- Install-Module -Name AzureRM -Force (For PowerShell 5) or Install-Module -Name Az -Force (For PowerShell 7)
- The Connect-AzurermAccount (for PowerShell 5) or Connect-AzAccount (For PowerShell 7) to connect your session to Azure
Now, we will go through the setup for the Azure environment. I setup most of it in the video you can see below:
The Azure setup is basically a few specific tasks, that we do via PowerShell:
- Create Azure Resource Groups
- Create Storage Accounts and a Blob Container
- Create Virtual Network
- Create Subnets (if desired)
- Create Security Groups
- Create Public IP Address
Copying the UAG VHD Binary to Azure for Deployment
Now, we will shift our focus to copying the UAG VHD up to Azure, which is needed to do your actual deployment. Check out this video below:
That was relatively painless luckily. As promised, you can access the VHD installer here. Once that is done, we will do the UAG deployment!
Deploying VMware Unified Access Gateway via PowerShell with UAGDeploy
Yeah I know its called UAGDeployAZ, but I will call it UAGDeploy still. I won’t bore anyone with how to build a config file, which I have covered in my other articles. Basically, write your config file as they show you here which has some new fandangled Azure-specific keys. Once done, let it rock and roll like you can see in my video:
I wanted to share my overall PowerShell scripts that I ran through these videos to share the wealth:
$resourceGroup="VMwareUAGDemo"
$location="East US"
New-AzResourceGroup -Name $resourceGroup -Location $location
New-AzStorageAccount -ResourceGroupName $resourceGroup -AccountName synterexuag -Location $location -SkuName Standard_LRS
New-AzRmStorageContainer -Name vhds -ResourceGroupName $resourceGroup -StorageAccountName synterexuag
New-AzVirtualNetwork -Name VirtualNetwork -ResourceGroupName $resourceGroup -Location $location -AddressPrefix "10.0.0.0/16"
New-AzRmPublicIpAddress -Name UAG1PublicIP -ResourceGroupName $resourceGroup -AllocationMethod Static -Location $location
$imageURI = "https://synterexuag.blob.core.windows.net/vhds/uag-2209.vhd"
$imagePath = "C:\UAGDeploy\uag-2209.vhd"
Add-AzVhd -ResourceGroupName $resourceGroup -LocalFilePath $imagePath -Destination $imageURI -NumberOfUploaderThreads 32A Few Final Points
As you saw, it was actually easier than an On-Premise deployment once things are setup. Let’s finish this article with hitting a few bullets that are also available in this patch:
- Certificate-Based Authentication (CBA) for NFS on Content Gateway (Probably still requires PIV-D so boo!)
- New support for handling HTTP redirects from the horizon broker. Basically, you can now handle affinity yourself instead of having to rely on your network team (insert snarky comment here).
- New Photon OS and Java versions.
- Misc. bug fixes
