My postings are my own and don’t necessarily represent VMware’s positions, strategies or opinions.
Network settings and interfaces
Settings are stored in the /etc/systemd/network/ folder, in the files 10-eth0-network.config, 10-eth1-network.config and 10-eth2-network.config.
(a little outdated, no SEG component shown, to be renewed)
In UAG 3.7.1 the SEG admin console port is TCP 44444 and is only reachable from localhost itself!
Temporary solutions for troubleshooting:
- Write a FORWARDING rule using iptables;
- Open SSH port and use SSH Tunneling:
Then open https://127.0.0.1:44444 in the browser to access the console.
- Use SSH and the curl tool
Network Troubleshooting in UAG
External links on UAG:
- Arsen blog on UAG network tools
- ADV1798BU – Unified Access Gateway Securing Virtual Desktop and App Access
- ADV2668BU – Comprehensive architectural overview and deep-dive troubleshooting on UAG
Invoke a special command to activate the troubleshooting tools:
A packet sniffer can also be made with Python; see my page on the sniffer for vIDM/Access.
External links on tcpdump:
External links on ethtool:
It appears that the new systemd-resolved method in UAG 3.8+ uses .local for multicast DNS exclusively. Fortunately there is a way to fix this issue: edit /etc/systemd/resolved.conf, uncomment the Domains line and add your .local domain there.
See https://roderikdeblock.com/vmware-uag-not-using-dns/ for details.
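The resolved.conf change described above can be scripted so that it is repeatable and safe to re-run. This is an added example, not code from the original post or from VMware; the function name `set_resolved_domain` and the domain `corp.local` are placeholders, and it assumes the file has a single [Resolve] section as the stock resolved.conf does.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): add a search domain to the
# Domains= line of a systemd-resolved config file, idempotently.
# Assumes a single [Resolve] section, as in the stock resolved.conf.
set_resolved_domain() {
    local file="$1" domain="$2" tmp pat rc
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # Accept only plain DNS names so nothing unexpected lands in the config.
    case "$domain" in
        ''|*[!A-Za-z0-9.-]*) echo "invalid domain: $domain" >&2; return 1 ;;
    esac
    # Prefer an active Domains= line; otherwise use the commented stock line.
    if grep -q '^Domains=' "$file"; then
        pat='^Domains='
    else
        pat='^#[ \t]*Domains='
    fi
    tmp=$(mktemp) || return 1
    cp -p "$file" "$file.bak"                          # rollback copy
    awk -v d="$domain" -v pat="$pat" '
        !done && $0 ~ pat {
            sub(/^#[ \t]*/, "")                        # uncomment if needed
            n = split(substr($0, 9), have, /[ \t]+/)   # values after "Domains="
            for (i = 1; i <= n; i++) if (have[i] == d) found = 1
            if (!found) $0 = $0 (n > 0 ? " " : "") d   # append only when missing
            done = 1
        }
        { print }
        END { if (!done) print "Domains=" d }          # no Domains line at all
    ' "$file" > "$tmp" && cat "$tmp" > "$file"         # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed stock-style file (never the live config).
demo=$(mktemp)
printf '[Resolve]\n#DNS=\n#Domains=\n#LLMNR=no\n' > "$demo"
set_resolved_domain "$demo" corp.local     # corp.local is a placeholder domain
set_resolved_domain "$demo" corp.local     # second run changes nothing
grep '^Domains=' "$demo"
rm -f "$demo" "$demo.bak"
```

On the appliance, run it as root against /etc/systemd/resolved.conf and then restart systemd-resolved so the new search domain is picked up.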
There are two passwords to configure when deploying.
- root account password
- admin account password
The root account is the console login account; the admin account is what you need for e.g. the web-based GUI. When you deploy the Access Point/Unified Access Gateway with the PowerShell script, it will tell you whether the passwords are usable. The admin password is the tricky one: it needs special characters. When you deploy through the GUI, it will not tell you whether the password is usable; it will simply deploy.
When you then try to log on to the web-based GUI, you will not be able to. It will say 'Invalid credentials', leaving you wondering. If you deployed GUI-based and face this issue, open the console, log on as root and reset the password according to the lines below.
After the restart which the last command orders, the page is available again and you can log on instantly.
HTML Access won’t work through Unified Access Gateway unless you disable Origin Check or configure the Connection Server’s locked.properties with the Access Point addresses.
Create a file called install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties.
Enter 1 of 2 lines:
where load-balancer-name is the hostname used in the URL by the remote access user. e.g. myvdi.myco.com.
Disable Secure Tunnel
By default, internal Horizon Clients connect using Blast or PCoIP to virtual desktops by tunneling through a Horizon Connection Server. It would be more efficient for the internal Horizon Clients to connect directly to the virtual desktops.
- In View Administrator, on the left, expand View Configuration, and click Servers.
- On the right, switch to the Connection Servers tab.
- Click the Connection Server to highlight it, and click Edit.
- On the General tab, uncheck the boxes next to HTTP(S) Secure Tunnel and the Blast Gateway. Do NOT disable PCoIP Gateway, because PCoIP UDP apparently needs to be tunneled in order to get to the destination Horizon Client.
Where the PCoIP Secure Gateway address is the local Connection Server address.
- Click OK. Note: if you are using HTML5 Blast internally, then disabling the Blast Secure Gateway will cause HTML5 Blast connections to go directly to the Horizon Agent, and the Agent certificate is probably not trusted.
- Unified Access Gateway Load Balancing Topologies
- Load Balancing across VMware Unified Access Gateway Appliances