VMware Workspace ONE Community
jordanjahn
Contributor

UAG v3.4- Configure Tunnel AND Content Gateway

We have a cascade/relay Photon UAG deployment (one DMZ and one internal) to be used for Tunnel and Content Gateway so we can deliver per-app VPN as well as access to network shares (primary focus on iOS at the moment). We are able to enable Tunnel services successfully but we are having issues setting up Content Gateway. Tunnel uses port 2020 on the frontend and then 2010 to the backend. Content Gateway is set up to use port 443. UEM is configured for both services and each UAG has been set up for Tunnel and Content Gateway Edge services. The error we get in UEM when testing CG isn't real specific:

The underlying connection was closed: The connection was closed unexpectedly.

The front-end UAGs are fronted by an F5 VIP/URL which is the Content Gateway Relay Address and the Tunnel Frontend Hostname. Has anyone had success with setting up Photon UAGs for CG AND Tunnel? What are the tips/tricks to getting this to work? The only note I see about having both services on each UAG is something about port sharing and does not go into details. Do you need to configure the Tunnel and CG settings in UEM and THEN pull down the OVF file? We just used the non-FIPS v3.4 UAG OVF to image the appliances. Any logs I can pull from the UAGs to help with this error? Nothing I have found as far as logs has been any help. Note that this is a new setup and has not worked prior. We have not paid for VMware Professional Services so support has not been particularly helpful since this is a new install. Help please!
8 Replies
jordanjahn
Contributor

As magical as it seems, we enabled tcpdump on our Linux appliance which suddenly allowed us to telnet to the appliance on port 443. Once layer 2 network connection was confirmed, we were able to deduce that the issue was with the F5 proxy intercepting and decrypting/re-encrypting the traffic, which needed to be turned off to allow the data to just pass through. We were also applying an HTTP profile from the F5 to the data, which needed to be removed. All is working now!
LowellFafard
Contributor

Hi Jordan, do you have a Windows File share repository in use in Content Gateway? 
Thanks
Lowell
Stansfield
Enthusiast

We have just been trying to set up the Content Gateway and never could get it to connect on the UAG like you were describing. Was there anything else at all you did differently when it worked (even having another component communicating)?
LALEWIS2120
Contributor

We are running into the same sorta scenario here as well. Any traffic to 443, 8443, 2020, etc. seems to dead end. Network team confirms they see the traffic all the way till the UAG and then brick wall.
Stansfield
Enthusiast

Do you have a ticket by any chance? We are working with support and they keep blaming it on our network.
LALEWIS2120
Contributor

I've had various tickets opened for the UAG. Nothing open at the moment. We are getting push back that we should use professional services. I'd hate to have to use professional services to supplement poorly written documentation. I've never had so much trouble standing up a service in my life.
jahuu
Contributor

Hi!
I believe UAG 3.4 was a veeerrryy poor kind of software. Since 3.5 the UAG works, since 3.6 it works mostly perfect (SEG Support).
UAG 3.4: I cannot get it to work - same settings in Version 3.5 - everything starts working...???..
Since 3.6 I use the same UAG for Content Gateway, Tunnel (Relay & Endpoint / Cascading) and SEG.
Problems I had were a wrong order of certificates (Intermediate and Root for internal PKI) and missing host entries.
cpatterson84
Enthusiast

This is very funny because I've had the same ticket open for almost 6 months because I couldn't get the SEG working after having the Tunnel and Gateway working. Every support person said that each service has to be on its own UAG, which seems wrong considering how the old SEG/CGs were set up. I had one support person have me delete the UAGs and deploy just as a SEG, only to find it never would keep the settings. Random issues... I think their appliance has problems their documentation does not support and no one is willing to admit it.