Update the Unified Access Gateway Appliance Using PowerShell

Hi. Today I decided to update the Unified Access Gateway appliance (UAG) with PowerShell.

What is UAG?

Unified Access Gateway equips remote workers anywhere, anytime with secure access to Horizon virtual desktops and applications.

How can I update it?

UAG has no built-in update mechanism. To update it, you must deploy the appliance again from scratch and re-apply the configuration, which takes extra time. The PowerShell deploy script makes this re-deployment quick.

What is the requirement?

1- You need to download Unified Access Gateway (UAG) PowerShell Scripts.

2- You need to download the INI file of the UAG configuration.

3- You need to download the OVF Tool (the PowerShell deploy script requires it).

Procedure:

Step 1 – Download the OVF Tool from here.

I downloaded the OVF Tool for Windows 64-bit.

1-1 – Install the OVF Tool on the VM where you are going to run the UAG deploy script.

1-2 – Click Next.

1-3 – Select I accept the terms in the License Agreement.

1-4 – Choose the destination folder.

1-5 – Install it.

1-6 – Click the Finish button.

Step 2 – Download the Unified Access Gateway OVA from the Customer Connect portal to your machine.

Download the latest version.

Step 3 – Create an INI configuration file for the Unified Access Gateway virtual appliance.

3-1 – Login to UAG server: https://UAG_Address_Server:9443/admin

3-2 – Click on the Configure Manually button

3-3 – In the Support Settings section, click INI and download it.

Step 4 – Download the Unified Access Gateway (UAG) XXX PowerShell Scripts files into a folder on the machine. The ZIP file is available on the Customer Connect page for the Unified Access Gateway.

4-1 – Extract the ZIP file and copy the UAG OVA file and the INI file into that folder.

Step 5 – Open UAG_Settings.ini and configure these parameters:

5-1 – Set diskMode to thin or thick.

5-2 – Enter the vSphere datastore name where the UAG OVA will be deployed.

5-3 – Give a name to your UAG VM:

name= khoshraftar-UAG01

5-4 – Enter the backend network port group:

netBackendNetwork= Edge-PG-MGMT-V3001

5-5 – Enter the Internet network port group:

netInternet= khoshraftar-DMZ

5-6 – Enter the management network port group:

netManagementNetwork=Edge-PG-MGMT-V3001

5-7 – Enter the path of the UAG OVA:

source= C:\uagdeploy-23.09.0.0-22617266\uagdeploy\euc-unified-access-gateway-23.03.0.0-21401666_OVF10.ova

5-8 – Enter the target as vCenter_name/Datacenter_name/host/Cluster_name

(the literal host segment is required in the address):

target= vi://vc01.khoshraftar.com/DatacenterA/host/ClusterMGMT/

5-9 – If the deployment fails, you can change secureRandomSource from the default to /dev/random:

secureRandomSource= /dev/random

5-10 – Save the INI file.
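A pre-flight check for the INI file, added here as an example that is not part of the post or of VMware's uagdeploy scripts: it parses UAG_Settings.ini and verifies the Step 5 settings (diskMode thin or thick, the literal host segment in target, a .ova source path that exists) before uagdeploy.ps1 is run. The [General] section name, the ds key for the datastore and the allowed secureRandomSource values are assumptions; the sample INI is constructed from the values in the post.

```python
import configparser
import re
from pathlib import Path

# Keys configured in Step 5 of the post. The [General] section name and the
# "ds" key for the datastore are assumptions; the other names appear in the post.
REQUIRED_KEYS = ("name", "diskMode", "ds", "source", "target",
                 "netInternet", "netManagementNetwork", "netBackendNetwork")
# vi://<vCenter>/<Datacenter>/host/<Cluster or host>/ : the literal "host" segment
TARGET_RE = re.compile(r"^vi://[^/]+/[^/]+/host/[^/]+/?$")


def check_uag_settings(ini_text, path_exists=lambda p: Path(p).is_file()):
    """Return a list of problems found in a UAG_Settings.ini; empty means OK.

    path_exists is injectable so the check can run on a machine without the OVA.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # uagdeploy keys are mixed case (netInternet, diskMode)
    cp.read_string(ini_text)
    if not cp.has_section("General"):
        return ["missing [General] section"]
    g = cp["General"]
    problems = []
    for key in REQUIRED_KEYS:
        if not g.get(key, "").strip():
            problems.append(f"{key} is missing or empty")
    disk_mode = g.get("diskMode", "").strip().lower()
    if disk_mode and disk_mode not in ("thin", "thick"):
        problems.append(f"diskMode must be thin or thick, got {disk_mode!r}")
    source = g.get("source", "").strip()
    if source and not source.lower().endswith(".ova"):
        problems.append("source must point at the UAG .ova file")
    elif source and not path_exists(source):
        problems.append(f"source file not found: {source}")
    target = g.get("target", "").strip()
    if target and not TARGET_RE.match(target):
        problems.append("target must look like vi://vcenter/Datacenter/host/Cluster/ "
                        "(the literal host segment is required)")
    # Assumption: UAG accepts /dev/urandom (default) or /dev/random here.
    random_source = g.get("secureRandomSource", "").strip()
    if random_source and random_source not in ("/dev/random", "/dev/urandom"):
        problems.append(f"secureRandomSource should be /dev/random or /dev/urandom, "
                        f"got {random_source!r}")
    return problems


# Constructed sample mirroring the post's values; the paths are placeholders.
SAMPLE_INI = r"""[General]
name=khoshraftar-UAG01
diskMode=thin
ds=Datastore01
netBackendNetwork=Edge-PG-MGMT-V3001
netInternet=khoshraftar-DMZ
netManagementNetwork=Edge-PG-MGMT-V3001
source=C:\uagdeploy\euc-unified-access-gateway.ova
target=vi://vc01.khoshraftar.com/DatacenterA/host/ClusterMGMT/
secureRandomSource=/dev/random
"""

if __name__ == "__main__":
    # path_exists is stubbed so the sample runs without the real OVA on disk
    for problem in check_uag_settings(SAMPLE_INI, path_exists=lambda p: True):
        print("PROBLEM:", problem)
```

Run it against the real file with `check_uag_settings(Path("UAG_Settings.ini").read_text())` and fix every reported problem before launching uagdeploy.ps1.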

Step 6 – Open PowerShell as administrator and run this command:

& "C:\uagdeploy-23.09.0.0-22617266\uagdeploy\uagdeploy.ps1" -iniFile "C:\uagdeploy-23.09.0.0-22617266\uagdeploy\UAG_Settings.ini"

I use the call operator (&) because the INI and PS1 paths are quoted; with & PowerShell executes the quoted path instead of just echoing the string.

6-1 – Enter the admin user password for UAG.

6-2 – Re-enter the admin user password for UAG.

6-3 – Enter the admin user password for the UAG Admin UI and REST API.

6-4 – Re-enter the admin user password for the UAG Admin UI and REST API.

6-5 – For CEIP, enter no.

6-6 – Accept the SSL fingerprint (compare it with your vCenter server's certificate thumbprint before accepting).

6-7 – Enter the username and password of the vCenter server.

6-8 – Deployment starts.

The transfer is completed.

For more information, use this link.

Finish 🙂

NSX Multi-Tenancy and VPC

Hi. Today I would like to talk about NSX Multi-tenancy and VPC.

Multi-tenancy

Multi-tenancy is the ability to offer NSX networking and security services to multiple tenants that are completely isolated from each other. Every tenant also has its own RBAC configuration and can be assigned quotas to limit the number of objects that can be created inside the tenant. Multi-tenancy has been a long-awaited feature in NSX: it enables not only service providers but also end customers to provide NSX services tailored and scoped down to a department or team level on the same NSX instance. Previously, that was only possible by deploying a separate NSX instance per tenant or department.

Multi-tenancy in NSX is achieved by creating NSX projects. Every project represents a logical container of network and security resources (a tenant), and every project can have its own set of users, assigned privileges, and quotas. Multi-tenancy has several use cases, such as offering Networking as a Service, Firewall as a Service, and so on.

Multi-tenancy was introduced in the NSX UI starting with VMware NSX 4.1, and it uses a two-tier data model. The first tier, the /infra tier, is referred to as the Default space. The Default space contains non-isolated objects and is accessible to the Enterprise Admin and other system-wide users who are not members of any project; in short, the Default view contains NSX objects that do not belong to any project. The second tier is the Org model (branch), under which projects (tenants) provision their resources, so every project (tenant) has its own sub-infra branch containing only the objects created in, and available to, that project.

Project configurations are set up under /orgs/default/projects/<project-id>/infra

NSX Virtual Private Clouds (VPC)

Starting in NSX 4.1.1, a project can optionally contain one or more NSX Virtual Private Clouds (VPC).

A VPC represents a self-contained private network within an NSX project that application developers or DevOps engineers in your organization can use to host their applications and consume networking and security objects by using a self-service consumption model.

NSX VPCs can be created only in projects. They cannot be created in the default space.

VPC configurations are set up under the following path of the NSX Policy data model:

/orgs/default/projects/<project-id>/vpcs/<vpc-id>

Tier-0 gateways and edge clusters are owned by the default space, and they can be allocated to projects under the org. You cannot create tier-0 gateways and edge clusters inside a project.

Each project can optionally have its own tier-1 gateways, which must be configured in the project. In other words, the tier-1 gateways must be owned by the project. A project cannot use the tier-1 gateways that are configured in the default space.

The first figure shows the default space and two projects under the org.

Figure: Multi-tenancy Policy data model showing the default space, org, and two projects under the org.

The next figure shows the hierarchy of objects in both projects. Under the org, projects 1 and 2 have their own hierarchy of NSX networking and security objects that are created inside the project.

Figure: Hierarchy of NSX objects in projects 1 and 2 under the org.

How can we create it?

When an Enterprise Admin logs into NSX Manager, the Default view is displayed, as shown in the following screen capture.


Click on Default.

Click on Manage.

Click on ADD PROJECT and give it a name.

I create 3 projects.

I click on khoshraftar-Production. You can see this project has its own menu, and you can also create a VPC in your project.

In the future, I am going to create a VPC in another post.

Finish 🙂

Step by Step, Install vCenter 8.0 update1

Hi. Today I want to install vCenter 8.0 Update 1.

You can find system prerequisites on this page.

I downloaded the VCSA 8.0 ISO from VMware.com and ran the installer.

I choose Install.

1-Introduction

Note: The external Platform Services Controller deployment has been deprecated.

Note: Installing the vCenter Server is a two-stage process. The first stage involves deploying a new vCenter Server to the target ESXi host or a compute resource in the target vCenter Server. The second stage completes the setup of the deployed vCenter Server. Next

2- License agreement, click on the checkbox. Next

3- Specify the vCenter Server deployment target settings. The target is the ESXi host or vCenter Server on which the appliance will be deployed.

On this page, fill in all the blank fields, Next

Accept the certificate warning and click NEXT

4- Enter the new VM name for your VCSA 7.0 Update 3 and set the root password for it, NEXT

5- Select your deployment size, I choose Medium Size. NEXT

6- Select a datastore; you can select Thin or Thick disk mode, NEXT

7- Configure your network settings, NEXT

8- The installer will begin deploying the new VCSA according to the settings you provided. Finish

1- The second stage process. NEXT

2- Set your time and NTP servers, and enable or disable SSH access to vCenter Server.

3- You have two options: create a new SSO domain or join an existing SSO domain.

4- You can now join the VMware Customer Experience Improvement Program. This basically allows VMware to collect certain sanitized data from your environment, which could help with future releases.

5- Install – Stage 2

6- This process took about 45 minutes for me.

7- Log in to the VCSA by the FQDN or IP address and proceed.

Finish 🙂

Adding additional storage to a node in Aria Operations

Hi. Today I had a problem: my vRops UI was not working and showed the text: Redirect vRops UI

This happens when the vRops database does not have sufficient space.

I SSH to my vRops.

df -h

Note: You can’t extend the current /storage/db logical volume in vRops; you must add a new hard disk to each vRops analytics node.

Resolution

Ensure the vRealize Operations cluster is Offline, then log into the VMware vSphere client as an administrator.

  1. Right-click the desired vRealize Operations node and click Power > Shut Down Guest OS.
  2. Right-click the powered-off node and click Edit Settings.
  3. Click the Hardware tab and click Add.

Note: Do NOT expand an existing disk.

  1. Click Hard Disk and click Next.
  2. Select Create a new virtual Disk and click Next.
  3. Set Disk Size to an appropriate value.
  4. Select a disk provisioning format, if applicable.
    • Note: When possible, select the Thick Provision Eager Zeroed option.
  5. Select a location to store the disk and click Next.
  6. Accept the default Virtual Device Node and click Next.
  7. Review the information and click Finish.
  8. Click OK. The new storage is now added to the node.
  9. Right-click the node and click Power On.
  10. Repeat steps 1-13 on all other analytic nodes.
    • Note: All analytic nodes must have the same amount of space in the /storage/db logical volume.
  11. Log into the Admin UI as admin and click the Bring Online button to bring the cluster online.
  12. The node discovers the additional storage and adds it to the /storage/db logical volume automatically during boot.
  13. I SSH to my vRops and run df -h

Finish 🙂

2Factor Authentication for Horizon8

Hi. Today I would like to configure Multifactor Authentication for Horizon 8 through Keycloak.

What is MFA?

Multifactor authentication (MFA) is a multistep account login process that requires users to enter more information than just a password. For example, along with the password, users might be asked to enter a code sent to their email, answer a secret question, or scan a fingerprint.

Which MFA protocols does Horizon support?

You can enable a Connection Server instance for RSA SecurID authentication or RADIUS authentication by modifying Connection Server settings in Horizon Administrator.

Prerequisites

Install and configure the two-factor authentication software, such as the RSA SecurID software or the RADIUS software, on an authentication manager server.

1- For RSA SecurID authentication, export the sdconf.rec file for the Connection Server instance from RSA Authentication Manager. See the RSA Authentication Manager documentation.

2- For RADIUS authentication, follow the vendor’s configuration documentation. Make a note of the RADIUS server’s hostname or IP address, the port number on which it is listening for RADIUS authentication (usually 1812), the authentication type (PAP, CHAP, MS-CHAPv1, or MS-CHAPv2), and the shared secret. You will enter these values in Horizon Administrator. You can enter values for a primary and a secondary RADIUS authenticator.

Procedure

  1. Log in to the Horizon Server and select View Settings > Servers.
  2. On the Connection Servers tab, select your connection server and click Edit.
  3. On the Authentication tab, from the 2-factor authentication drop-down list in the Advanced Authentication section, select RADIUS.
  4. To force RADIUS usernames to match usernames in Active Directory, select Enforce 2-factor and Windows username matching.
    If you select this option, users must use the same RADIUS username for Active Directory authentication. If you do not select this option, the names can be different.
  5. For RADIUS authentication, complete the rest of the fields:
    1. Select Use the same username and password for RADIUS and Windows authentication if the initial RADIUS authentication uses Windows authentication that triggers an out-of-band transmission of a token code, and this token code is used as part of a RADIUS challenge.
      If you select this check box, users will not be prompted for Windows credentials after RADIUS authentication if the RADIUS authentication uses the Windows username and password. Users do not have to reenter the Windows username and password after RADIUS authentication.
    2. From the Authenticator drop-down list, select Create New Authenticator and complete the page.

6. Click Add

Give a name for the Authenticator name field. This name is displayed when users want to log in. You can customize username and passcode labels.

7. Click Next and enter your Keycloak RADIUS information:

Hostname/Address: keycloak.khoshraftar.com\

Authentication Port: 1812

Accounting Port: 0

Set the Accounting port to 0 unless you want to enable RADIUS accounting. Set this port to a non-zero number only if your RADIUS server supports collecting accounting data. If the RADIUS server does not support accounting messages, and you set this port to a nonzero number, the messages will be sent and ignored and retried a number of times, resulting in a delay in the authentication.

Accounting data can be used in order to bill users based on usage time and data. Accounting data can also be used for statistical purposes and for general network monitoring.

Authentication Type: PAP-CHAP-MSCHAP1-MSCHAP2

Shared Secret: ***********

This must match the shared secret configured on your RADIUS server.

If you specify a realm prefix string, the string is placed at the beginning of the username when it is sent to the RADIUS server. For example, if the username entered in Horizon Client is Mohammad and the realm prefix Khoshraftar\ is specified, the username khoshraftar\Mohammad is sent to the RADIUS server. Similarly, if you use the realm suffix, or postfix, string @khoshraftar.com, the username mohammad@khoshraftar.com is sent to the RADIUS server.

Click Next

8. Click OK to save your changes.

You do not need to restart the Connection Server service. The necessary configuration files are distributed automatically, and the configuration settings take effect immediately.
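The exchange the authenticator settings above describe, as an added example that is not from the post, Horizon or Keycloak: a minimal RFC 2865 Access-Request of the kind a Connection Server sends to UDP port 1812 with PAP, with the realm prefix applied to the username and the User-Password hidden under the shared secret, plus the server-side decode that shows why the secret must be identical on both ends. The NAS-Identifier, secret and credentials are constructed placeholders.

```python
import hashlib
import os
import struct

# RFC 2865 codes and attribute types used by a PAP Access-Request
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32


def apply_realm(username, prefix="", suffix=""):
    """Realm prefix/suffix handling as the Horizon authenticator page describes."""
    return f"{prefix}{username}{suffix}"


def hide_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding: XOR each 16-byte block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)  # pad to a multiple of 16 octets
    hidden, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(pw[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Server side of the same chain; yields garbage unless the secret matches."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the 2-byte header too."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(username, password, secret, identifier=1,
                         authenticator=None, prefix="", suffix="",
                         nas_id=b"horizon-cs01"):
    """Client side: the packet a Connection Server sends to port 1812 (constructed)."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, apply_realm(username, prefix, suffix).encode())
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
    attrs += attribute(ATTR_NAS_IDENTIFIER, nas_id)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + ra + attrs


def parse_access_request(packet):
    """Server side: split the packet into header fields and a {type: value} dict."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {"code": code, "identifier": identifier, "length": length,
            "authenticator": packet[4:20], "attrs": attrs}


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # must be identical on both sides
    pkt = build_access_request("Mohammad", "Passw0rd!", secret, prefix="khoshraftar\\")
    req = parse_access_request(pkt)
    print(req["attrs"][ATTR_USER_NAME])
    print(reveal_password(req["attrs"][ATTR_USER_PASSWORD], secret, req["authenticator"]))
    print(reveal_password(req["attrs"][ATTR_USER_PASSWORD], b"wrong", req["authenticator"]))
```

The last line prints garbage rather than the password, which is what a Keycloak RADIUS server configured with a different shared secret sees, and why the Horizon login then fails.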

What is Keycloak?

Keycloak is an open-source identity and access management solution.

How to install Keycloak?

You can download Keycloak from here. But for this project I need RADIUS, and RADIUS is not part of Keycloak by default, so you can configure RADIUS manually by following this link.

Here I want to write up a simple Keycloak RADIUS configuration.

  1. I downloaded a Java-based Keycloak application from here.
  2. I installed an Ubuntu server and installed OpenJDK 11 on it.
  3. Copy the Keycloak files to the Ubuntu server.
  4. unzip keycloak-radius.zip -d keycloak-radius
  5. cd keycloak-radius/
  6. export KEYCLOAK_ADMIN=admin
  7. export KEYCLOAK_ADMIN_PASSWORD=admin
  8. bin/kc.sh start-dev
  9. Open http://Server-IP-Address:8080

10. Username: admin

11. Password: admin

12. Under Manage–> Select Clients and Create client

13. Choose the radius protocol from the drop-down menu and fill in a Client ID

Note: This name must be the same as the authenticator name in the Horizon config in the previous section.

14. Click Next

15. Click Save

16. Click on the Users section and click Add Users

Note: If you want to log in with a password only, leave Required user actions blank.

Click on Create and then click on the user that you created.

17. Click on the Set password button. Type your password. If you turn on Temporary, the user must change the password at the first login; I turned it off. Then save it.

Note: If you want to use an OTP, select Configure OTP from the menu

Go to step 17 and create a password for your user, then go to this page:

18. http://your-ip-address:8080/realms/master/account/#/

Enter the username and password that you created.

19. Install one of the following applications on your mobile:

Google Authenticator

Microsoft Authenticator

FreeOTP

20. Open the application and scan the barcode.

21. Enter the one-time code provided by the application and submit it to finish the setup.

22. Open Horizon client

For the first Scenario with password only, Enter the user and password that you create in step 16.

For the second Scenario with password + OTP password, Enter the user and password and OTP password that you create in steps 16 and 18.

23. If you need Active Directory users, go to the Configure section and click on User Federation.

24. Click on the Add new provider

25. Enter a UI display name and Connection URL: ldap://dc1.khoshraftar.com

Enter the Bind DN (the Active Directory user account that Keycloak uses to connect to the domain controller).

Enter the password in the Bind credential and other parameters.

26. Click on the Save button.

27. Import your users from the Users section and configure them like a local user, as in step 16.

Finish 🙂

Install vCloud Director 10.X Step by Step 06

Hi, Today, I want to create an organization and organization VDC in the vCloud Director.

An Organization is the fundamental vCloud Director grouping that contains users, the vApps that they create, and the resources the vApps use. It is a top-level container in a cloud that contains one or more Organization Virtual Data Centers (Org VDCs) and Catalog entities. It owns all the virtual resources for a cloud instance and can have many Org VDCs.

An organization can be internal to the company that provides the vCloud Director, or it can represent a customer organization that uses your Cloud Director.

Let’s start.

Step 1, I create an organization.

1- Log in to https://vCloud_IP/provider –> Resources –> Cloud Resources –> Organizations –> Click NEW

2- Enter a name and a full name for your organization.

3- You can log in to your Organization portal :

https://vCloud_IP/tenant/Customer1-org

Step 2, I create an Organization VDC:

1- Log in to https://vCloud_IP/provider –> Resources –> Cloud Resources –> Organization VDCs –> Click NEW

2- Enter a name and select Enable the Organization VDC

3- Select the Organization to which you would like to add this VDC

4- Select the Provider VDC

5- Select an allocation Model for this Organization VDC, I choose Pay-As-You-Go

Allocation pool: A percentage of the resources you allocate from the provider VDC are committed to the organization VDC. You can specify the percentage for both CPU and memory.

Pay-as-you-go: Resources are committed only when users create vApps in the organization VDC.

Reservation pool: All the resources you allocate are immediately committed to the organization VDC.

Flex: You can control the resource consumption at both the VDC and the individual virtual machine levels. The flex allocation model supports the capabilities of organization VDC compute policies. The flex allocation model supports all allocation configurations that are available in the other allocation models.

6- Configure the allocation settings


CPU Quota: The maximum amount of CPU consumption for this organization VDC.

CPU resources guaranteed: The percentage of CPU resources that you want to guarantee to a virtual machine running in this organization VDC. You can control the over-commitment of CPU resources by guaranteeing less than 100 percent. For an Allocation Pool allocation model, the percentage guarantee also determines what percentage of the CPU allocation is committed to this organization VDC.

vCPU Speed: The vCPU speed. Virtual machines running in the organization VDC are assigned this amount of GHz per vCPU.

Memory Quota: The maximum amount of memory consumption for this organization VDC.

Memory resources guaranteed: The percentage of memory resources that you want to guarantee to virtual machines running in the organization VDC. You can over-commit resources by guaranteeing less than 100 percent. For an Allocation Pool allocation model, the percentage guarantee also determines what percentage of the memory allocation is committed to this organization VDC.

Maximum number of VMs: The maximum number of virtual machines that can exist in the organization VDC.

7- Configure the storage settings for this organization VDC

Allocation Type: limits the amount of storage capacity allocated for a selected storage policy.

Default instantiation policy: changes the default storage policy.

Thin provisioning: activates thin provisioning for virtual machines in the organization VDC.

Fast provisioning: activates or deactivates fast provisioning for virtual machines in the organization VDC.

8- Configure the Network Pool for this organization VDC

You can skip this step at this stage.

Note:

Organization VDCs that are backed by NSX-T Data Center only support Geneve network pools.

9- Click Next.

Finish 🙂

Install vCloud Director 10.4 Step by Step 05

Hi. Today I want to create a Provider VDC in the vCloud Director.

What is a provider VDC?

The provider VDC is an abstraction of a vSphere cluster or a resource pool.

A provider virtual data center (VDC) provides resources to a provider.

To make vSphere compute, memory, and storage resources available to vCloud Director, you create a provider VDC.

For network resources, a provider VDC can use NSX-T Data Center.

Note:

• Creating a provider VDC is a system administrator task.
• The provider VDC can be created only from the provider portal.
• Provider VDCs are linked to vCenter Server clusters or resource pools.

Prerequisite:

Create a resource pool in your vCenter server.

Let’s start.

1- Log in to https://vCloud_IP/provider –> Resources –> Provider VDCs –> NEW


2- Enter a name and description for the new provider VDC.

3- Select a vCenter server to provide resource pools for this provider VDC.

4- Select the available resource pool that you created before in the vCenter server.

5- Select storage policies this provider VDC will offer.


6- Choose a network pool option for creating this provider VDC.


7- Review and click on the finish button.


Finish 🙂

Install vCloud Director 10.4 Step by Step 04

Hi, Today, I want to create a Network Pool in the vCloud Director.

What is Network Pool?

A network pool is a collection of isolated layer-2 network segments that you can use to create vApp networks and certain types of organization VDC networks on demand.

Network pools must be created before organization VDC networks and vApp networks. If they do not exist, the only network option available to an organization is the direct connection to an external network.

Only a system administrator can create a network pool.

Supported by:

  • Port Groups Backed
  • VLAN ID Backed
  • Geneve Backed (NSX-T Overlay Transport Zone)
  • VXLAN Backed (NSX-V)

Note:

  • Each organization VDC can have one Network Pool
  • Multiple organization VDC can share a Network Pool
  • With VCD 10.3, you can create a provider VDC without any Network Pools.

Let’s start.

1- Log in to https://vCloud_IP/provider –> Resources –> Network Pools –> NEW

2- Enter a name and description for the new network pool.

3- Select Network Pool Type Geneve Backed

4- Select NSX-T Manager to provide the Geneve transport zone that this network pool will use.

5- Select the transport zone that you created earlier in the NSX-T console.

6- Next

Finish 🙂

Install vCloud Director 10.4 Step by Step 03

Hi, Today, I want to add the NSX-T to vCloud Director.

Let’s start.

1- Log in to https://vCloud_IP/provider –> Resources –> Infrastructure Resources –> NSX-T –> NSX-T Managers –> ADD


2-Enter NSX-T information

Note: The NSX-T URL must exactly match the name on its certificate.


3-It’s done.


Finish 🙂

Install vCloud Director 10.4 Step by Step 02

Hi, Today, I want to add the vCenter server to vCloud Director.

Let’s start.

1- Log in to https://vCloud_IP/provider –> Resources –> Infrastructure Resources –> vCenter Server Instances –> Click ADD


2-Enter the connection information for the new vCenter server –> Next


3- I don’t use NSX-V Manager; I use NSX-T. Next


4-Access Configuration

  • If you want to add a tenant-dedicated vCenter Server that will not be used as a provider VDC, turn on the Enable tenant access toggle. After you add the vCenter Server instance to VMware Cloud Director, the tenant-related information appears in the details view of the instance.
  • If you want VMware Cloud Director to generate default proxies for the vCenter Server instance and SSO services, turn on the Generate proxies toggle. After you add the vCenter Server instance to VMware Cloud Director, the proxies appear in the Proxies tab under vSphere Resources.

5-It’s Ready


Finish 🙂