Arfer99
Enthusiast
Enthusiast

UAG Appliance v3.3.1 - Trying to configure PerAPP, Browser and Content Locker all on one box

We have installed a Cascade of the v3.3.1 UAG appliances - one in the DMZ and one on the LAN.
I initially only configured the PerAPP Tunnel on Port 8443 and this worked correctly. I have then added the settings for the Content Gateway and SDK Apps (Browser) into the Console. Even after restarting the UAGs they do not seem to be applying the new settings, e.g. Port 2010 & 2010. Running a NETSTAT command on the appliance doesn't show these ports open.
Does the UAG appliance only apply the settings from the Console on the initial deployment? or can it be updated with new settings once deployed?
Labels (1)
20 Replies
ThomasCheng
Enthusiast
Enthusiast

I am interested in finding out about this as well. In my case, I run both Browser and Content Gateway on separate Windows hosts. I  plan on consolidating them with the UAG also.
Did you not have to check off specific settings within the UAG to support Browser and Content Gateway?
0 Kudos
Arfer99
Enthusiast
Enthusiast

As far as I can tell (and there is a distinct lack of understandable documentation) you just configure the various Content/Browser-SDK/Tunnel settings in the Console. The UAG then downloads the appropriate config using the device name you specify within the ' VMware Tunnel Settings'  and the ' Content Gateway Settings'  within the UAG. The device then creates the appropriate listening Ports.
I have two problems. Where is the Browser/SDK settings within the UAG? Is it part of the Tunnel Settings?
And also does the UAG change its config on-the-fly when you make changes within the Console? Or do you have to redeploy?
I can see why people are abandoning the UAG and using the Linux server instead......
0 Kudos
Arfer99
Enthusiast
Enthusiast

I've raised a Support Case for this as I cannot find anything in the documentation
0 Kudos
ThomasCheng
Enthusiast
Enthusiast

Keep us posted Phil. I actually prefer UAG so I wouldn't worry about much of the OS upkeep. Simply delete and re-deploy with the same or newer version as needed.
0 Kudos
nessaja
Enthusiast
Enthusiast

Hi Phil, any news from the support? I'm also looking for some documentations. Thanks
0 Kudos
Mario_Giese
Contributor
Contributor

Hi,
we are trying to build Tunnel Proxy and per App VPN and Content Gateway on one UAG too, but with Cascade Mode.
Configurations were applied on the UAG (marked green at Edge Services) but it is not running. Console-test for Tunnel Proxy is green but we can't access the sites from end devices. Console-test for Content Gatway is red and shares are not accessible from end devices.
Network team finds it hard to configure IPs and Routing on the UAG and we find it hard to find the error. We can't find anything in the UAG Logs. It is like a blackbox. A telnet or netcat function on the UAG would be helpful to test network connections from the UAG itself.
We will see what Support can do. I can update you if we find the problem.
0 Kudos
ThomasCheng
Enthusiast
Enthusiast

Thanks Mario. Please do keep us posted. This will be my new design in 2019 to consolidate all three components into one host.
0 Kudos
MikeHoganMikeHo
Contributor
Contributor

I'm having a similar issue with a setup I'm currently trying to get working.  I'm going to try a new single server configuration tomorrow and build that into a cascade configuration once working.  The wizard on the console and the Admin UI all look easy enough to configure, but it's not currently working.  When I netstat on the UAG it doesn't even show that it's listening on the correct ports for per app VPN or Tunnel (8443 and 2020 by default.  On the Content Gateway, does it need a public trusted certificate and matching DNS name, the same as the Windows hosted CG does?  If you are trying to test the Tunnel for browsing you will need to enable the AirWatch using safari or chrome you will need to setup network access rules.  If during my setup I can find out what is causing the issue, I'll post.
0 Kudos
Mario_Giese
Contributor
Contributor

Hi,
we had to update to UAG 3.3.2 and now it works.
0 Kudos
RADP
Contributor
Contributor

I dont have any solutions to the problems listed above but i can add to the discussion that we recently migrated from linux mag tunnel/perapp and windows content gateway. All now running on UAG 3.3.2 in a relay/endpoint installation. Works good but the documentation is poor. The only issue i ran into was the abilitiy to browse a Sharepoint repository in content locker. I had to import the root and intermediate certificates into the Java keystore.
0 Kudos
b52junebug
Contributor
Contributor

Do any of you have an internal proxy? We use to use the Proxy Tool, but as that doesnt apply in the Appliance, we dont know where to add that information and make it stick.
0 Kudos
jahuu
Contributor
Contributor

Hi Robert!
You wrote ' I had to import the root and intermediate certificates into the Java keystore'  - from which device? The UAG? Via Admin UI? I try to use an internal CA (for my Testenvironment) - i can browse the FileShare Structure but i cannot open/download/upload a file in the share.
I use UAG 3.5 Relay-Endpoint - Test Connection from DS/CS to UAG (with Tunnel and CG) works great. Workspace One UEM Version 1902.06.
Any Idea?
Best Regards
Olaf
0 Kudos
RADP
Contributor
Contributor

Hi Olaf,
Sorry for the late response i've been out of office.
I imported it directly to the UAG operating system. Not possible trough Admin UI i think. Altough i dont think this will help you since you are able to browse the content. Sounds more like a FW block?
Regards,
Robert
0 Kudos
NNOOHU
Contributor
Contributor

Hi Robert,

Am interested to find from you related to the similar setup. We have UAG 3.3 running on DMZ configured with 2 nics. The netstat shows tunnel proxy configured and shows green. When i browse the internal websites am getting web page not available with the error : ERR_PROXY_AUTH_UNSUPPORTED. Please any idea??

Regards,
Nabeel
0 Kudos
RADP
Contributor
Contributor

Hi Nabeel,
Is there a load balancer in front? Any outbound Proxy? Only 2 Machines on DMZ or 2 Endpoints on the inside also? Did you try to import the root and intermidiate certificates in the Java keystore? Sorry for all the questions, this is not trivial and there is a bunch of things that could go wrong.

Regards,
Robert
0 Kudos
NNOOHU
Contributor
Contributor

Hi Robert,

Thanks for your response. Only one UAG appliance with 2 nics one for Internal and another for Internet traffic. No LB at this place.
Outbound proxy is there but I didn't set proxy yet. I have Public certificate uploaded in TLS Server Certificate Settings , I didn't try to upload the certificate in Java keystone. Would it be possible to share the details to upload the certificate in keystore of UAG appliance.

Thanks;
0 Kudos
RADP
Contributor
Contributor

Hi Nabeel,
Sure, first thing first you will need root access to the server.
Heres my notes from the last time i did it:
• Navigate to the SharePoint URL and check the certification details in a Web Browser. 
• Export the full certificate chain and import it to the Content Gateway server
• Copy the certificate file(s) to: C: or Program Files or Java or jre{version} or lib or security. This Path will vary based on the JRE version installed.
• Open a Command Window into the same … or lib or security folder where we copied the certificate file(s)
• In the command line, run the following command:
• keytool -importcert -keystore cacerts -trustcacerts -alias ALIAS_NAME - file FILE_NAME -storepass KEYSTORE_PASSWORD –noprompt
• …where ALIAS_NAME can be any name to help you identify this certificate within the Java Keystore at a later time
• …where  FILE_NAME is the name of the root or intermediate .cer/.crt file that we copied into the folder in step 2
• …where KEYSTORE_PASSWORD is the Java Keystore password. By default the password is “changeit”.
• If importing multiple certificates into the Java Keystore (such as both the root and intermediate certificates), complete step 4 for each certificate
Perform an IISreset and confirm that you can now access the files

Regards,
Robert Söderlund
0 Kudos
MauroArellano
Contributor
Contributor

Hello Robert,
One question regarding monitoring and alerts, hope you can shed some light on this please. Do you use any third party software for heath check and service availability of UAG? My team is also working on migrating these services from Linux boxes to UAG but not sure if vcenter/vrOPs from VMware are the way to go.
0 Kudos
RADP
Contributor
Contributor

Hi Mauro,
We use some basic Health checks on the ports in the load balancer thats all. Nothing on memory, cpu etc on the UAG's in vCenter. I guess we could setup some monitoring points in our third party software but during the years know that we used UAG i havent ever seen any issues with the machines. We focus on upgrading them frequently and the users are our main monitoring point, they will start a case pretty quick if something aint right. For us that works but if the function is graded higher we probably would configure more.
Not sure but isnt there a chapter on monitoring for the UAG in the vmware documentation if you need more info?

Regards,
Robert Söderlund
0 Kudos