Configuring High Availability in Unified Access Gateway
Overview
Omnissa provides this operational tutorial to help you with your Omnissa Workspace ONE® environment. In this tutorial, you deploy the Omnissa Unified Access Gateway and configure High Availability on Unified Access Gateway through the administration console.
Audience
This operational tutorial is intended for IT professionals and Workspace ONE UEM administrators of existing production environments.
Knowledge of additional technologies such as networking, VPN configuration, Workspace ONE® Intelligence, and Workspace ONE® UEM is also helpful.
Deploying Unified Access Gateway with High Availability
This tutorial guides you through the deployment of two Unified Access Gateway appliances and the setup of high availability in both. High availability for Unified Access Gateway simplifies your deployment by reducing the need for a third-party load balancer.
To watch a video demonstrating this procedure, click High Availability on Unified Access Gateway.
Unified Access Gateway high availability supports up to 10,000 concurrent connections in the cluster using a combination of traffic distribution methods:
- Source IP Affinity — Maintains the affinity between the client connection and Unified Access Gateway node. All connections with the same source IP address are sent to the same Unified Access Gateway node.
- Round Robin Mode with High Availability — Distributes incoming connection requests across the group of Unified Access Gateway nodes sequentially. When the Unified Access Gateway holding the virtual IP address fails, the virtual IP address is reassigned automatically to one of the nodes available in the cluster. The high availability and load distribution occurs among the nodes in the cluster configured with the same Group ID.
- Least Connection Mode with High Availability — Sends a new connection request to the Unified Access Gateway node with the fewest number of current connections from the clients.
The following table shows how the session affinity and distribution algorithms differ for each Unified Access Gateway service.
| Service | Session Affinity | Distribution |
| --- | --- | --- |
| Horizon 8 | Source IP affinity | Round robin mode with high availability |
| Web Reverse Proxy | Source IP affinity | Round robin mode with high availability |
| Workspace ONE Tunnel (Per-App VPN) | None | Least connection mode with high availability |
| Content Gateway | None | Least connection mode with high availability |
Architecture
In this tutorial, you learn how to set up and test High Availability on Unified Access Gateway. Before getting started, review the setup used for this tutorial.
Network Interfaces
The Unified Access Gateway server can be partitioned to receive traffic on a single interface or to route traffic to different interfaces. Although Unified Access Gateway can support up to three NICs, this tutorial implements a two NIC deployment. One NIC faces the internet, and the other one is dedicated to management and backend access.
Prerequisites
Before you can perform the exercises to deploy Unified Access Gateway using vSphere HTML5 Client, you must satisfy the following requirements:
- VMware vSphere 6.5 U1
- Omnissa Unified Access Gateway 3.4+
- Set up a VMware vSphere ESXi host with a vCenter Server
- Windows 10 or later, or a supported Windows Server release, with VMware OVF Tool 4.3 or later installed
- Obtain a Unified Access Gateway virtual appliance image OVA file, such as euc-access-point-3.4.X.X-XXXXXXXXXXX.ova (see Omnissa Product Interoperability Matrixes to determine which version to download)
- Download the Unified Access Gateway PowerShell script version 3.4+. Navigate to https://my.workspaceone.com > Unified Access Gateway > uagdeploy-VERSION.ZIP.
Note: To perform most of the exercise, you must log in to the vSphere HTML5 client.
Preparing INI Files for Deployment
An INI file containing all the configuration settings is required to deploy the Unified Access Gateway appliance using the PowerShell deployment script.
In this exercise, you configure two INI files; this example uses uag-HA1.ini and uag-HA2.ini.
The uag-HA1.ini file contains all the settings to deploy an instance named UAG-HA1, and uag-HA2.ini deploys an instance named UAG-HA2.
Ensure you are logged in to the machine from which you will run the deployment script, and extract the contents of the uagdeploy ZIP file on this machine. A sample INI file is included in the ZIP package; copy it to create uag-HA1.ini and uag-HA2.ini.
Edit the INI Files
In this exercise, you use the uag-HA1.ini and uag-HA2.ini files to deploy two Unified Access Gateways, one named UAG-HA1 and the other named UAG-HA2. Each Unified Access Gateway will have two NICs, where NIC one is Internet-facing and NIC two for backend and management.
Navigate to your Unified Access Gateway INI files. In this example, the INI files are located in the UAG Resources folder; open them with Notepad.
Review the IP Address Assigned to Each Appliance
Note that each configuration file uses its own ip0 and ip1 addresses. Apart from the appliance name and these IP addresses, the two files should be identical.
It is important to review and ensure that all other settings are configured identically, including the edge services, on all appliances that will be part of the cluster. A node whose edge service or certificate settings differ from the others would serve clients differently depending on which appliance the virtual IP address hands them to.
Deploying the Unified Access Gateway Appliance
After you have reviewed the INI files for both Unified Access Gateway deployments, run the uagdeploy.ps1 PowerShell script to deploy each appliance.
Because you are deploying two appliances, the script is executed twice, passing the corresponding INI file for each deployment.
- Open PowerShell.
- Navigate to the folder containing your INI file. For example, enter cd '.\Desktop\UAG Resources' then press Enter.
Deploy the UAG-HA1 appliance
Run the script with the parameters shown in the following example. The script prompts for any further input it needs.
- Enter .\uagdeploy.ps1 .\uag-HA1.ini [PASSWORD] [PASSWORD] false false no
The first [PASSWORD] is the root password for the Unified Access Gateway appliance.
The second [PASSWORD] is the admin password for the REST API management access.
The first false is to NOT skip the validation of signature and certificate.
The second false is to NOT skip SSL verification for the vSphere connection.
The no is to not join the CEIP program.
Note: Passwords typed on the command line are saved in the PowerShell command history (PSReadLine writes it to ConsoleHost_history.txt under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine). Clear that history after the deployment, or call the script from a wrapper that prompts for the passwords instead of placing them on the command line.
- Enter YOUR CERTIFICATE PASSWORD for the SSLcert and SSLcertAdmin fields when prompted.
To avoid a password request for the certificate, remove the pfxCert values and provide a PEM certificate in the INI file. Set the pemCerts and pemPrivKey for the SSLCert and SSLCertAdmin sections in the INI file. Because the PEM private key is then used without a passphrase, restrict read access to that file and remove it from the deployment machine when the deployment is done.
The deployment starts and you can follow the progress in the same window or on your vSphere Web Client.
Confirm that the PowerShell script deployment completes.
After successfully finalizing the deployment, the script automatically powers on the UAG-HA1 VM.
The Received IP address shown in the script log is a temporary IP. The final IPs for NIC 1 and NIC 2 are assigned to the Unified Access Gateway appliance during the first boot. Return to the vSphere Web Client to validate the deployment.
Deploy the UAG-HA2 appliance
Now deploy the second appliance, UAG-HA2, passing the uag-HA2.ini file as the parameter.
- Enter .\uagdeploy.ps1 .\uag-HA2.ini [PASSWORD] [PASSWORD] false false no
The arguments have the same meaning as for UAG-HA1: the root password for the appliance, the admin password for the REST API management access, false to NOT skip the validation of signature and certificate, false to NOT skip SSL verification for the vSphere connection, and no to not join the CEIP program.
- Enter YOUR CERTIFICATE PASSWORD for the SSLcert and SSLcertAdmin fields when prompted. As for UAG-HA1, providing pemCerts and pemPrivKey in the SSLCert and SSLCertAdmin sections of the INI file instead of pfxCert values avoids this prompt.
The deployment starts and you can follow the progress in the same window or in the vSphere Web Client.
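The following PowerShell script is an added example for both the INI review step and the two deployment runs above; it is not code from the Omnissa tutorial or from the uagdeploy package. It parses the two INI files, reports every key whose value differs, flags any difference other than name, ip0 and ip1 in [General] as a cluster mismatch, and only then runs uagdeploy.ps1 once per file, prompting for the root and admin passwords so that they are not typed on the command line that PSReadLine records. The embedded INI content is constructed for the example, and the second file deliberately carries groupID=51 so the check has something to report. The [HighAvailability] key names virtualIPAddress and groupID are assumed from the uagdeploy sample INI and should be verified against the sample file shipped in your ZIP; the host names, paths and addresses are likewise assumptions.

```powershell
# Added example, not part of the Omnissa tutorial or the uagdeploy package:
# validate two uagdeploy INI files, then deploy both with uagdeploy.ps1.
Set-StrictMode -Version Latest
# Parse INI text into an ordered table: Section -> Key -> Value.
function Read-UagIni {
    param([Parameter(Mandatory)][string[]]$Lines)
    $ini = [ordered]@{}
    $section = 'General'   # keys before the first [Section] header count as [General]
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#') -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $ini.Contains($section)) { $ini[$section] = [ordered]@{} }
            continue
        }
        $eq = $line.IndexOf('=')
        if ($eq -lt 1) { throw "Malformed INI line: '$raw'" }
        if (-not $ini.Contains($section)) { $ini[$section] = [ordered]@{} }
        $ini[$section][$line.Substring(0, $eq).Trim()] = $line.Substring($eq + 1).Trim()
    }
    return $ini
}

# List every (Section, Key) whose value differs between two parsed INI files.
# Allowed is $true only for the per-appliance keys name, ip0 and ip1 in [General];
# everything else (edge services, certificates, HA settings) must match.
function Compare-UagIni {
    param($A, $B, [string[]]$AllowedKeys = @('name', 'ip0', 'ip1'))
    $diffs = @()
    foreach ($s in (@($A.Keys) + @($B.Keys) | Sort-Object -Unique)) {
        $ka = if ($A.Contains($s)) { @($A[$s].Keys) } else { @() }
        $kb = if ($B.Contains($s)) { @($B[$s].Keys) } else { @() }
        foreach ($k in ($ka + $kb | Sort-Object -Unique)) {
            $va = if ($A.Contains($s) -and $A[$s].Contains($k)) { $A[$s][$k] } else { $null }
            $vb = if ($B.Contains($s) -and $B[$s].Contains($k)) { $B[$s][$k] } else { $null }
            if ($va -ne $vb) {
                $diffs += [pscustomobject]@{ Section = $s; Key = $k; A = $va; B = $vb;
                                             Allowed = ($s -eq 'General' -and $AllowedKeys -contains $k) }
            }
        }
    }
    return $diffs
}

# Constructed stand-in for uag-HA1.ini (the sample INI in the uagdeploy ZIP has
# many more keys). The [HighAvailability] key names are assumed; verify them there.
$iniHA1 = @'
[General]
name=UAG-HA1
deploymentOption=twonic
ip0=10.20.30.41
ip1=192.168.110.41
source=C:\UAG Resources\euc-access-point-3.4.X.X-XXXXXXXXXXX.ova
target=vi://administrator@vcenter.airwlab.com/Datacenter/host/Cluster/
ds=datastore1
[HighAvailability]
virtualIPAddress=192.168.110.50
groupID=50
[WebReverseProxy1]
instanceId=intranet
proxyDestinationUrl=http://intranet.airwlab.com
proxyHostPattern=uagvip.airwlab.com
[SSLCert]
pemCerts=C:\UAG Resources\uag.pem
pemPrivKey=C:\UAG Resources\uag-key.pem
'@
# uag-HA2.ini should differ only in name/ip0/ip1; this copy also carries a deliberate
# mistake (groupID=51, a different cluster) so that the review below has something to flag.
$iniHA2 = $iniHA1 -replace 'UAG-HA1', 'UAG-HA2' -replace '10\.20\.30\.41', '10.20.30.42' `
                  -replace '192\.168\.110\.41', '192.168.110.42' -replace 'groupID=50', 'groupID=51'

# Review step: any difference that is not Allowed must be fixed before deploying.
$diffs = @(Compare-UagIni (Read-UagIni ($iniHA1 -split "`r?`n")) (Read-UagIni ($iniHA2 -split "`r?`n")))
$diffs | Format-Table Section, Key, A, B, Allowed -AutoSize
$mismatch = @($diffs | Where-Object { -not $_.Allowed })
if ($mismatch.Count -gt 0) {
    $where = ($mismatch | ForEach-Object { "[$($_.Section)] $($_.Key)" }) -join ', '
    Write-Warning "Cluster members differ outside name/ip0/ip1: $where"   # here: [HighAvailability] groupID
}

# Deployment step: run uagdeploy.ps1 once per INI file, with the tutorial's positional
# arguments <ini> <rootPwd> <adminPwd> <skipValidation> <skipSSLVerification> <ceipEnabled>.
# Passwords are prompted as SecureString and passed in-process, so they never appear on the
# interactive command line that PSReadLine records in its history file.
function Invoke-UagClusterDeploy {
    param([Parameter(Mandatory)][string[]]$IniFiles, [string]$DeployScript = '.\uagdeploy.ps1')
    $parsed = @($IniFiles | ForEach-Object { Read-UagIni (Get-Content -Path $_) })
    for ($i = 1; $i -lt $parsed.Count; $i++) {
        $bad = @(Compare-UagIni $parsed[0] $parsed[$i] | Where-Object { -not $_.Allowed })
        if ($bad.Count -gt 0) { throw "$($IniFiles[$i]) differs from $($IniFiles[0]) outside name/ip0/ip1" }
    }
    $rootPlain  = [System.Net.NetworkCredential]::new('', (Read-Host 'Appliance root password' -AsSecureString)).Password
    $adminPlain = [System.Net.NetworkCredential]::new('', (Read-Host 'Admin (REST API) password' -AsSecureString)).Password
    foreach ($ini in $IniFiles) { & $DeployScript $ini $rootPlain $adminPlain false false no }
}
# Usage, once the review passes:  Invoke-UagClusterDeploy -IniFiles '.\uag-HA1.ini', '.\uag-HA2.ini'
```

Run the review part first and expect the groupID line to be flagged; the Invoke-UagClusterDeploy function refuses to deploy while any such difference remains, so the cluster cannot be built from mismatched files by accident.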
Validate the deployment
- Click VM and Templates.
- Click UAG-HA1.
- Click View all 2 IP addresses. Note the IP Addresses displayed for the VM.
Repeat steps #2 and #3 for UAG-HA2. The IP addresses for this appliance should differ from UAG-HA1.
Note: If the Unified Access Gateway appliance has not finished its first-boot configuration, the vSphere Web Client shows an error message. If that happens, wait for the appliance to finish and reload the browser page.
- Log in to the Unified Access Gateway Administration Console.
- Click the New Tab button to open a new tab.
- Navigate to the first appliance, for example, https://uagha-1.airwlab.com:9443/admin or click the UAG Internal Admin Console bookmark.
- Enter the username, for example, admin.
- Enter the password (the admin password for the REST API that you passed as the second [PASSWORD] argument to uagdeploy.ps1).
- Click Login.
- Repeat the previous steps in a new tab to log in to the second appliance, for example, using the URL https://uagha-2.airwlab.com:9443/admin.
- Confirm that you reach the administration console of each appliance on its internal (management) address.
A successful login redirects you to the following screen on both appliances, where you can import settings or manually configure the Unified Access Gateway appliance individually.
- Click Select under Configure Manually in the UAG-HA1 administration console.
- Select the tab to return to the UAG-HA2 administration console.
- Click Select under Configure Manually in the UAG-HA2 administration console.
Configuring High Availability
At this point, the Unified Access Gateway has been deployed and you can access the Unified Access Gateway administration console and update the appliance configuration.
In this exercise, you learn how to enable high availability on both deployed appliances, create a cluster, test the high availability component when accessing an internal website through the web reverse proxy edge service, and identify how Unified Access Gateway sets appliances in the cluster as the primary and backup appliances.
Validate Reverse Proxy Settings
Validate the web reverse proxy settings to access the intranet on both appliances, using the administration consoles for UAG-HA1 and UAG-HA2 that you previously logged in to.
Remember to perform the following steps on both UAG-HA1 and UAG-HA2, switching between the two browser tabs as needed to validate the settings on each Unified Access Gateway.
Perform the following steps on each appliance using the administration console.
- Click SHOW next to Edge Service Settings. After you click it, the label changes to HIDE.
- Click the Gear icon next to Reverse Proxy Settings.
- Click the Gear icon for the intranet instance.
- Click the More hyperlink to expand the settings. Note that the Proxy Host Pattern value in this example is set to uagvip.airwlab.com. This name resolves to the virtual IP address, which is held by the primary Unified Access Gateway appliance; the primary then forwards the request to the appliance chosen by the distribution method. Because any cluster member can end up serving a request sent to the VIP, the value must be the same on every appliance.
- No changes are required. Click the Cancel button at the bottom after confirming the Proxy Host Pattern on both Unified Access Gateway appliances.
- Click Close to close the reverse proxy settings.
- Validate reverse proxy configuration.
- Click the arrow down for the Reverse Proxy Settings.
- Click the refresh icon for the Edge Service Settings.
- Confirm the intranet proxy status is GREEN.
The reverse proxy status for the intranet website must be GREEN, which confirms that the appliance can reach the intranet website; otherwise it shows RED.
Note: It can take a few minutes for the intranet proxy to show as GREEN. If you do not see it, click the refresh icon in Step #2 until you see the status change to either GREEN or RED.
Configure High Availability on UAG-HA1
In the administration console of UAG-HA1, High Availability Settings shows Not Configured at this point.
Click the High Availability Gear icon to configure.
- Add virtual IP address and group ID.
- Enter a Virtual IP Address, for example, 192.168.110.50.
- Enter the Group ID, for example, 50.
- Click Save.
In this configuration, all incoming traffic on 192.168.110.50 is distributed across the Unified Access Gateway appliances that share Group ID 50. The Group ID only selects which cluster a node joins, so choose one that no other Unified Access Gateway cluster on the same subnet uses; two clusters configured with the same Group ID on one subnet would merge into one.
- Monitor High Availability state.
When you save the configuration, Unified Access Gateway broadcasts on the VIP subnet looking for other appliances with the same Group ID, which is why all cluster members and the virtual IP address must be on the same subnet. During that time, the High Availability state shows as Processing.
In the case where no other appliances are found, UAG-HA1 becomes the primary controller and the High Availability state on the administration console switches to Master as shown in the screenshot.
Note: You may need to refresh the Unified Access Gateway administrator console after a few minutes to see the Processing status update to Master.
Configure High Availability on UAG-HA2
Now repeat the same steps to configure the High Availability settings on UAG-HA2.
From your Chrome Browser, return to the tab where you logged into the administration console for UAG-HA2. The URL is https://uagha-2.airwlab.com:9443/admin.
The same Virtual IP Address (192.168.110.50) and Group ID (50) must be used on UAG-HA2 to make this appliance part of the same cluster where UAG-HA1 resides.
- Monitor High Availability on UAG-HA2
After you complete the High Availability configuration on UAG-HA2, the high availability status changes to Backup.
Note: You may need to refresh the Unified Access Gateway administrator console after a few minutes to see the Processing status update to Backup.
Validate Virtual IP Address on the UAG-HA1 VM
Return to the vSphere Web Client to validate the assignment of the additional virtual IP address to the primary appliance.
- Click VM and Templates.
- Select the UAG-HA1 VM.
- Click View all 3 IP addresses.
- The virtual IP address 192.168.110.50 was assigned to the UAG-HA1 VM, the primary appliance.
Note: You may need to refresh the page to see the IP addresses update properly.
Perform the same steps to view the IP addresses of the UAG-HA2 VM. Notice that it still has two IP addresses, as this appliance is set as the backup appliance on the high availability stack.
Testing High Availability
After you have completed the Unified Access Gateway High Availability component configuration, you can now test this feature.
In this exercise, you access the intranet website through Unified Access Gateway first, shut down the primary appliance and test the access to the intranet website again, which should go through the backup appliance in the cluster.
Access the Intranet Website
- In Google Chrome, click the New Tab button to open a new tab.
- Enter the address that resolves to the floating virtual IP address (VIP) you configured on the primary Unified Access Gateway when setting up high availability, for example, https://uagvip.airwlab.com/intranet, in the address bar and press Enter.
The result is a sample intranet page hosted on an internal IIS server.
Power Off UAG-HA1 Appliance
Return to the vSphere Web Client and Power Off the UAG-HA1 VM.
- Click VM and Templates.
- Click UAG-HA1 VM.
- Click ACTIONS.
- Hover over the Power option.
- Click Power Off.
- Click Yes to confirm Power Off action for UAG-HA1.
Wait for UAG-HA1 to shut down completely. Its disappearance from the cluster triggers the backup Unified Access Gateway appliance to become the primary appliance and take over the virtual IP address.
Access the Intranet Website after UAG-HA1 Power Off
- Click the New Tab button to open a new tab.
- Navigate to your intranet address, for example, https://uagvip.airwlab.com/intranet.
The same intranet webpage should appear without the user changing anything, but the traffic now goes through UAG-HA2. Connections that were open to UAG-HA1 when it powered off are lost; what high availability provides is that new requests to the VIP succeed as soon as UAG-HA2 has taken over.
Validate UAG-HA2 High Availability Status
Return to the UAG-HA2 console administration tab (for example, https://uagha-2.airwlab.com:9443/admin), in Google Chrome.
UAG-HA2 is now set as the primary appliance and the virtual IP address is assigned to it.
Note: If the High Availability Settings do not show UAG-HA2 as the Master appliance, refresh the page.
Validate Virtual IP Address on the UAG-HA2 Virtual Machine
Return to the vSphere Web Client to validate the assignment of the additional virtual IP address to the primary appliance.
- Click VM and Templates.
- Select UAG-HA2 VM.
- Click View all 3 IP addresses.
- The Virtual IP address 192.168.110.50 is now assigned to the UAG-HA2, the primary appliance.
Note: You may need to refresh the page to see the IP addresses update properly.
This confirms that when the primary Unified Access Gateway appliance was taken offline, the backup Unified Access Gateway appliance was promoted to primary and assigned the 192.168.110.50 virtual IP (uagvip.airwlab.com), and access to the intranet resource was uninterrupted.
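As an added example (not code from the Omnissa tutorial), the following PowerShell script turns the manual test above into a measurement. Run it from a Windows client on the 192.168.110.0/24 subnet before you power off UAG-HA1 and leave it running through the failover: about once per second it requests the intranet page through the VIP and records the MAC address the client currently has for 192.168.110.50, so the output shows how long new requests failed and the moment the VIP moved from UAG-HA1's interface to UAG-HA2's. The URL, VIP and interval are the tutorial's example values or assumptions. The script also assumes the client trusts the certificate Unified Access Gateway presents; otherwise every probe fails for a TLS reason rather than a failover one.

```powershell
# Added example, not part of the Omnissa tutorial: watch a Unified Access Gateway
# HA failover from a Windows client on the VIP subnet (needs the NetTCPIP module).
Set-StrictMode -Version Latest

# MAC address this client currently associates with the VIP, or 'unresolved'.
# The HTTP probe that runs just before this forces ARP resolution; once the old
# owner stops answering, Windows re-resolves and the entry flips to the new node.
function Get-VipOwnerMac {
    param([Parameter(Mandatory)][string]$Vip)
    $n = Get-NetNeighbor -IPAddress $Vip -ErrorAction SilentlyContinue |
         Where-Object { $_.State -ne 'Unreachable' -and $_.State -ne 'Incomplete' } |
         Select-Object -First 1
    if ($null -ne $n) { return $n.LinkLayerAddress }
    return 'unresolved'
}

# One request through the VIP. Returns 'HTTP <code>' or 'FAIL <first line of error>'.
# A certificate the client does not trust fails here every time, not only during failover.
function Test-UagVipProbe {
    param([Parameter(Mandatory)][string]$Url, [int]$TimeoutSec = 2)
    try {
        $r = Invoke-WebRequest -Uri $Url -TimeoutSec $TimeoutSec -UseBasicParsing -ErrorAction Stop
        return "HTTP $($r.StatusCode)"
    } catch {
        return "FAIL $(($_.Exception.Message -split '\r?\n')[0])"
    }
}

# Probe about once per second for $Seconds, print a timeline, and return the records.
function Watch-UagFailover {
    param([string]$Url = 'https://uagvip.airwlab.com/intranet',
          [string]$Vip = '192.168.110.50',
          [int]$Seconds = 180)
    $log = New-Object System.Collections.Generic.List[object]
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        $rec = [pscustomobject]@{
            Time   = Get-Date
            Status = Test-UagVipProbe -Url $Url
            VipMac = Get-VipOwnerMac -Vip $Vip
        }
        $log.Add($rec)
        Write-Host ('{0:HH:mm:ss}  {1,-45} vip-owner={2}' -f $rec.Time, $rec.Status, $rec.VipMac)
        Start-Sleep -Seconds 1
    }
    return ,$log
}

# Summarise a log: how long new requests failed and which MACs owned the VIP.
function Measure-UagFailover {
    param([Parameter(Mandatory)]$Log)
    $fails  = @($Log | Where-Object { $_.Status -like 'FAIL*' })
    $owners = @($Log | Select-Object -ExpandProperty VipMac -Unique | Where-Object { $_ -ne 'unresolved' })
    $outage = if ($fails.Count -gt 0) { [int]($fails[-1].Time - $fails[0].Time).TotalSeconds + 1 } else { 0 }
    [pscustomobject]@{
        Probes        = $Log.Count
        FailedProbes  = $fails.Count
        OutageSeconds = $outage      # approximate: probes are spaced about a second apart
        VipOwners     = ($owners -join ' -> ')
        FailedOver    = ($owners.Count -ge 2)
    }
}
# Usage: start the watch, then power off UAG-HA1 in the vSphere client while it runs.
# $log = Watch-UagFailover -Seconds 180
# Measure-UagFailover -Log $log
```

A healthy failover shows a short run of FAIL probes followed by HTTP 200 again, with VipOwners listing two MAC addresses (UAG-HA1's, then UAG-HA2's) and FailedOver true. If the owner never changes while the failures continue, the backup did not claim the VIP, which is the first thing to check in its High Availability Settings.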
Summary and Additional Resources
In these exercises, you have learned how to:
- Deploy the Unified Access Gateway on a two NIC configuration using PowerShell script for a high availability scenario
- Configure High Availability on Unified Access Gateway through the administration console
- Validate the web reverse proxy instance configuration to work in a high availability scenario
- Perform tests on a cluster of Unified Access Gateway appliances and confirm their high availability status
For additional documentation, be sure to check:
- Unified Access Gateway Product Page
- Workspace ONE UEM Product Page
- Unified Access Gateway documentation
Additional Resources
For more information about Workspace ONE, explore the Workspace ONE product page on Tech Zone.
Additionally, you can check out the Omnissa Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using Omnissa Workspace ONE and Omnissa Horizon.
Changelog
The following updates were made to this guide:
| Date | Description of Changes |
| --- | --- |
| 2024/09/20 | Update links. |
| 2019/03/31 | Guide was published. |
About the Author and Contributors
This tutorial was written by:
- Andreano Lanusse, Staff Architect, Technical Marketing, Omnissa.
Feedback
Your feedback is valuable.
To comment on this paper, either use the feedback button or contact us at tech_content_feedback@omnissa.com.