Deploy and configure VMware Access Point with the GUI
VMware changed their remote access strategy in the past years by slowly replacing the VMware Security server with the Access Point. In the beginning deployment was only possible with a PowerShell script; that was not difficult, but you couldn’t manage the device after you deployed it. VMware's strategy, or so they told us, was that there was no management: the Access Point strategy was destroy and deploy. The articles about deploying the VMware Access Point with the script and with two-factor authentication are found here: "Deploying VMware Access Point with PowerShell", "VMware Access Point Radius two-factor authentication with SafeNet (SAS)" and "VMware Access Point: adding static routes". Now that there is a GUI I decided to deploy with it. One other reason was that the customer is using DHCP with reserved addresses instead of static ones, and the PowerShell script needs a static IP address. So a GUI deployment it was.
As of now the Access Point is renamed the VMware Unified Access Gateway… I will leave the article as it is for now, but just so you know.
Deploying the VMware Access Point
First step is to deploy the VMware Access Point in a VMware environment. This is a basic deployment and not that difficult. All the configuration is done afterwards in the GUI. First you pick the OVA file you downloaded from the VMware website.
In the above pictures you see how to deploy the VMware Access Point. Two screens are important here. At one point you select the number of network interfaces: you can deploy the VMware Access Point with one, two or three NICs. If you don’t want any routing hassle, pick one NIC.
The other screen you need to attend to is the VLAN selection screen. Even if you pick one NIC you need to make sure all networks have the right VLAN selected. With one NIC you set the rest to the same one as the one you use.
Configure the appliance
After the deployment is finished you can configure the VMware Access Point appliance. Go to the vApp settings and fill in the blanks. If you have static IP addresses you enter IPv4 (if you use IPv4). In the field NIC1 you fill in the IP address, and so on.
The last two options are important: you have to fill in the passwords for root and for the admin console. The root password can be pretty simple (not saying you should do that but you can). The admin password should be something more complex, as it says there.
One interesting option is that you can configure the DHCP setting in the vApp options. By default, even if you leave the vApp properties blank (which should mean DHCP, it says), it still reverts to static. If you use DHCP you need to go into the Advanced option to configure the DHCP option + IPv4. If you don’t, there is no need to look here and you can just go on.
When you have configured all this you can start the VMware Access Point. After a while you see the login screen, after which you can configure the Access Point with the GUI.
Configure VMware Access Point
Open a browser and go to https://<FQDN of the VMware Access Point>:9443/Admin and you will see the logon screen as shown below.
You log on with the admin credentials you just configured in the vApp settings. Once you are logged on you see two options: you can either import VMware Access Point settings (handy if you deploy multiple ones) or you can do a manual configuration.
You can select a JSON file with the settings and import them. This is a very interesting way to deploy and do upgrades. As mentioned before, the upgrade is destroy and deploy the new one.
If we click the configure manually option you see the following screen. The two top options are the configurations you need to look at. The top one holds the VMware Horizon settings and more. The lower one is the Authentication setting, where you configure the two-factor authentication.
The lower part of the screen is the configuration of the appliance. You can do the system settings, add an SSL server certificate, SAML and so on. Also, in the event of an error you can easily export the logs and export the settings. When you open the Edge settings (strangely, the button turns grey when it is closed and does not stay green even when it is configured) you see the options you can configure here.
Besides the Horizon settings there are also, for instance, some AirWatch settings such as a per-app tunnel and SEG settings. VMware Access Point is becoming more important in the VMware portfolio.
Let’s look a bit at the Horizon settings. The settings in the GUI are (you are not surprised) the same as in the PowerShell script. You need to set the following settings:
- Connection Server URL
- Thumbprints of the connection server (make sure they are the same on all the servers)
- PCoIP External URL
- Blast External URL
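To check the "same on all the servers" point before filling in the thumbprint field, here is a small added example (not part of the original deployment, and not VMware code) that computes the SHA-1 thumbprint of each Connection Server certificate and groups the servers by it. The host names and sample bytes are constructed, and the `sha1=` prefix with space-separated hex pairs is an assumption about the format the field expects.

```python
import hashlib
import ssl
from collections import defaultdict


def thumbprint(der_cert: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, as space-separated hex pairs."""
    digest = hashlib.sha1(der_cert).hexdigest()
    pairs = " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return "sha1=" + pairs  # "sha1=" prefix is an assumed field format


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the certificate a Connection Server presents (needs network).

    The chain is not validated here, so run this from a trusted management
    network; otherwise you may pin whatever an interceptor presents.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def group_by_thumbprint(certs: dict) -> dict:
    """Map thumbprint -> sorted list of servers presenting that certificate."""
    groups = defaultdict(list)
    for host, der in certs.items():
        groups[thumbprint(der)].append(host)
    return {tp: sorted(hosts) for tp, hosts in groups.items()}


def report(certs: dict) -> str:
    """One-line OK with the thumbprint, or a per-thumbprint mismatch listing."""
    groups = group_by_thumbprint(certs)
    if len(groups) == 1:
        return "OK " + next(iter(groups))
    lines = ["MISMATCH: Connection Servers present different certificates"]
    lines += [f"  {tp}  <- {', '.join(hosts)}" for tp, hosts in groups.items()]
    return "\n".join(lines)


# Constructed stand-in bytes, not real certificates; host names are hypothetical.
SAMPLE = {
    "cs01.example.local": b"abc",
    "cs02.example.local": b"abc",
    "cs03.example.local": b"abd",
}

if __name__ == "__main__":
    print(report(SAMPLE))
    # Live use: report({h: fetch_der(h) for h in ("cs01.example.local",)})
```

Compare the result with the thumbprint shown in the certificate details on the Connection Server itself before you enter it in the GUI.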
The Authentication settings, when you open them, show the options you have there. I had to configure RADIUS here, so I will show the RADIUS settings.
For RADIUS you need to set the following settings:
- Authentication type
- Shared secret
- Number of authentication attempts allowed
- Number of attempts to Radius server
- Server timeout
- Radius server host name
- Authentication port : 1812
With all this in place you can log on to your Horizon environment and use a RADIUS token for two-factor authentication.
Deploying the Access Point with a GUI instead of a PowerShell script was a first for me. I have to say that the GUI is nice to work with. It is easy to use and shows the information swiftly. One small thing I would like to see changed is that the buttons should show colour when you have configured something. Now they don’t, and it looks like you didn’t configure anything.
Hope this blog helps you, if you have questions please ask.