article Using PowerShell to Deploy VMware Unified Access Gateway in Horizon Documents

Re: Using PowerShell to Deploy VMware Unified Access Gateway

whibr — Tue, 02 Aug 2016 22:14:25 GMT

Looking for the ap-deploy-27.zip files to download. The AP 2.7 documentation pointed me here, but I can't find them. Can you help?

Re: Using PowerShell to Deploy VMware Unified Access Gateway

markbenson — Thu, 04 Aug 2016 06:24:06 GMT

The script didn't change for Access Point 2.7 so you can just use the latest (apdeploy-260). Make sure your source= line in the .ini file refers to the 2.7 .OVA file.

Re: Using PowerShell to Deploy VMware Unified Access Gateway

alienjoker — Fri, 02 Sep 2016 11:22:43 GMT

Hi Mark,

We've been having problems configuring RSA integration despite following your excellent Video VMware Access Point RSA SecurID Authentication Setup on Vimeo‌ . Put simply, the appliance will not start correctly when we specify the inclusion of the sdconf.rec file (having extracted it directly from the zip file from the Auth Manager). If we configure the INI file with everything else apart from the referenced file, the appliance starts up, but understandably doesn't perform auth.

GSS seem to be scratching their heads too, even stating that SecurID needed to be configured on the connection servers and that I should be using the Fling for the Access Point OVA Deployment Utility which doesn't cater for RSA integration.

I even tried sending the JSON requests directly to a non RSA deployed appliance, but this fails too. Seems like a bit of a black art to get the appliance working properly.

Best regards

Andrew

Re: Using PowerShell to Deploy VMware Unified Access Gateway

markbenson — Fri, 02 Sep 2016 17:10:49 GMT

Hi Andrew.

As you may know, VMware does not support any Fling for production use. The documented method is to use this PowerShell script, which as you say also supports RSA SecurID setup.

You can either set up RSA SecurID authentication on Horizon Connection Server or on Access Point. I'm sorry if you were wrongly advised.

We should be able to resolve your problem.

When you specify the RSA sdconf.rec file when doing an Access Point deployment, it does result in Access Point performing a check at startup. This involves communicating with RSA Authentication Manager Server based on the values within sdconf.rec and the IP addresses you specified in the .ini file. If this check fails, then Access Point will not startup correctly. This check must pass.

Assuming that you are using the 2.5.x version of Access Point as shown in the video, I think there are 4 possible reasons why it is failing.

1. You have the IP addresses incorrectly set in the .ini file. If this is a 1 NIC setup then this will be the IP address of Access Point. You specify this IP address twice in the .ini file.

2. RSA Authentication Manager is not accessible from Access Point (at the UDP/IP layer) at startup time. It uses UDP. I know if RSA Authentication Manager is unavailable or a firewall is blocking that two-way UDP traffic it fails. Monitoring network traffic may help here.

3. RSA Authentication Manager is not set up correctly and is rejecting the check. You can usually find this issue by running the live logging on RSA Authentication Manager and looking for errors. You may need to clear node secret on RSA Authentication Manager.

4. Something is wrong with sdconf.rec.

Look at these 4 things. If it is still failing, "private message" me your .INI file.

Mark

Re: Using PowerShell to Deploy VMware Unified Access Gateway

alienjoker — Mon, 05 Sep 2016 13:55:58 GMT

Hi Mark,

Thanks very much for your response. Item #2 was indeed the culprit here and having discussed the submitted FW rules with the security team, they admitted they had failed to apply one of the UDP ports which continually resulted in the deployment failure.

I hope others find these pointers as useful as I have in getting the access point into production using 2FA.

Kind regards

Andrew

Re: Using PowerShell to Deploy VMware Unified Access Gateway

markbenson — Mon, 05 Sep 2016 14:10:35 GMT

Hi Andrew,

Thanks for posting back. I'm glad you've fixed your firewall issue and that Access Point SecurID two-factor authentication is now working for you.

I've just updated this document to emphasise the need for a firewall to not block the RSA SecurID communication between Access Point and RSA Authentication manager.

Note also, that if you redeploy Access Point at any time, you should "clear node secret" on RSA AM so that the trust can be re-established.

Mark

Re: Using PowerShell to Deploy VMware Unified Access Gateway

VirtualSven — Tue, 06 Sep 2016 08:42:52 GMT

Hi Mark,

Can I configure the Access Point for Horizon to use Radius authentication but also accept passthrough/SAML when a user initiates a session a session through the Identity Manager portal? If I configure Radius on the Access Point the user always needs to enter 2-factor authentication, even when the user already authenticated through Identity Manager with 2-factor. vIDM is using another Access Point BTW.

Re: Using PowerShell to Deploy VMware Unified Access Gateway

markbenson — Tue, 06 Sep 2016 14:14:59 GMT

You can configure Horizon View for RADIUS in which case Access Point can be configured for pass-thru authentication (the default setup). In this case it will pass through RADIUS and SAML requests to Connection Server.

As you say, if you configure Access Point to require RADIUS authentication, then it will do this always, and will not pass-thru SAML.

Another option is to have one Access Point configured for RADIUS and connecting to a Connection Server configured for password. Then have another Access Point configured for pass-thru connecting to a Connection Server configured for SAML.

Mark

Re: Using PowerShell to Deploy VMware Unified Access Gateway

VirtualSven — Wed, 07 Sep 2016 20:17:23 GMT

Thanks, that's what I thought.

Re: Using PowerShell to Deploy VMware Unified Access Gateway

Matrix__1970 — Mon, 19 Sep 2016 06:46:49 GMT

Hi Mark,

thank you for your script. Just a question. The ver. 2.7+ of AP can have more than an edge service (a.k.a I can configure on the same appliance the web reverse proxy role and the other vs a Connection Server). It's correct? If this is correct, how can use this script to accomplish his goal?

Thank you very much

Francesco

Re: Using PowerShell to Deploy VMware Unified Access Gateway

markbenson — Mon, 19 Sep 2016 11:02:44 GMT

Yes. To use multiple "Edge Services" on Access Point, just specify multiple sections in your .INI file. e.g.

[Horizon]

...

[WebReverseProxy]

...

Make sure you use the script in apdeploy-272-v2.zip or newer.

Mark

Re: Using PowerShell to Deploy VMware Unified Access Gateway

wallred — Tue, 27 Sep 2016 21:38:01 GMT

I'm using the apdeploy-272-v2, and the username that it uses is Administrator%40vsphere.local instead of a Administrator@vsphere.local, and the deployment obviously fails.

Any ideas?

Will

Re: Using PowerShell to Deploy VMware Unified Access Gateway

markbenson — Wed, 28 Sep 2016 09:05:44 GMT

Although VMware OVF Tool displays the username as Administrator%40vsphere.local it will actually use the name you specified in the .INI file (i.e. Administrator@vsphere.local). If you look at the PowerShell screen shot above, you'll see the same thing but it works fine. OVF Tool does this because it uses a valid URI format where it just displays @ as %40. A browser URL bar will do the same.

If the command is not working for you, it is probably for some other reason.

Make sure your target= value is correct. Set it to something like:

target=vi://administrator@vsphere.local:PASSWORD@192.168.0.21/Datacenter1/host/esx1.myco.int

PASSWORD in upper case will cause OVF Tool to prompt for the real password so don't put the real password in the .INI file. The IP address 192.168.0.21 is the vCenter Server address. If you are not sure of the host or cluster name after the IP address, just put:

target=vi://administrator@vsphere.local:PASSWORD@192.168.0.21/

It will fail but will show you the possible completions which you can then add one at a time to the target line to complete it.

If it is failing for some other reason, send me a private message and include your .ini file. Also be specific about what error you see or what the symptoms are and I should then be able to help to resolve this.

Mark

Re: Using PowerShell to Deploy VMware Unified Access Gateway

VirtualSven — Thu, 29 Sep 2016 11:05:08 GMT

There is no ap4-radius.ini included in the zip-file. Can you provide an example of configuring radius using powershell and an ini-file?

Re: Using PowerShell to Deploy VMware Unified Access Gateway

markbenson — Thu, 29 Sep 2016 13:26:59 GMT

Oh sorry, it was missing. I've now added it in apdeploy-272-v3.zip and documented all the RADIUS settings in the table above. Thanks for pointing that out!

Re: Using PowerShell to Deploy VMware Unified Access Gateway

VirtualSven — Thu, 29 Sep 2016 13:38:11 GMT

Thanks, just tested it. When deploying it only asks a shared secret for the first RADIUS-host, not for the second, is that correct?

Re: Using PowerShell to Deploy VMware Unified Access Gateway

VirtualSven — Thu, 29 Sep 2016 15:06:23 GMT

Also checked the configuration, the second RADIUS host isn't in the configuration, Added enabledAux=true to the config file, but that doesn't work as well. So it seems that deploying it with the INI file only works with 1 RADIUS server?

Re: Using PowerShell to Deploy VMware Unified Access Gateway

markbenson — Thu, 29 Sep 2016 20:13:00 GMT

apdeploy-272-v4.zip adds supports for a secondary RADIUS server. Email me if you have any issues with this.

Re: Using PowerShell to Deploy VMware Unified Access Gateway

Skeetneet — Thu, 06 Oct 2016 13:12:33 GMT

Hi Mark,

Thank you for the awesome script, really takes away a lot of configuration work. I do have one question however: the configuration settings that I specify within the [Horizon] part and the [WebReverseProxy] part don't seem to get populated in the VM once it has been deployed. I've played around and put those two variables at different places in the .ini-file, but still the deployment won't set these values when the AP is being deployed. Do you have any idea what could be causing this?

Thanks.

Re: Using PowerShell to Deploy VMware Unified Access Gateway

Skeetneet — Mon, 10 Oct 2016 08:09:55 GMT

I've shuffled the [Horizon] and [WebReverseProxy] again and retried redeploying several times, but unfortunately still no bananas. I was wondering: are there any other users who are experiencing this same symptom? Mark, if it might be a misconfiguration, what could it be?