Hosting the VMware Tunnel and Content Gateway Services on the same UAG Appliance using default Ports

Prerequisites:

  • AirWatch Console 9.2+ (and corresponding Content Gateway and Tunnel Releases)
  • Unified Access Gateway 3.1+

NOTE: If using the Tunnel Proxy component and the Content Gateway is configured to use Port 443, the TLS Port Sharing feature must be disabled (this requirement will be relaxed in a future UAG Release).


Pre-configuration Steps:

As a best practice, we recommend running these steps prior to installing the Unified Access Gateway:

  • Ensure TLS Port Sharing is disabled (more details available in the UAG Guide).
  • Run the following command to confirm the current state of IP rules:
    • iptables -t nat -L
  • Copy the printout and save for validation after the next steps.
  • Modify the ipv4-forwardrules by running the following command:
    • vi /opt/vmware/gateway/conf/ipv4-forwardrules
    • Comment out the following lines (prefix each line with the # character):
      • -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 6443
      • -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 6443
    • Below them, add the following rules:
      • -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10443
      • -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10443
  • Run the following command:
    • iptables-restore /opt/vmware/gateway/conf/ipv4-forwardrules
  • Run the following command again:
    • iptables -t nat -L
  • Compare the output with the printout you saved earlier; the tcp port 443 redirect should now show the new target port.
    • If you don't see a change in Ports, reboot the Server:
      • reboot now
  • Once the Server is running, run the following commands again:
    • iptables-restore /opt/vmware/gateway/conf/ipv4-forwardrules
    • iptables -t nat -L
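
The steps above as a single script, added here and not part of the VMware article. It assumes the rules file path and the 6443 to 10443 change exactly as given above, and is meant to be run as root on the UAG with the argument `apply`; without that argument it only defines the functions.

```shell
#!/bin/sh
# Added example, not from the VMware article: scripts the pre-configuration
# steps above. Assumes the rules file path and the 6443 -> 10443 change the
# article gives; run as root on the UAG with the argument "apply".
set -eu

RULES_FILE="${RULES_FILE:-/opt/vmware/gateway/conf/ipv4-forwardrules}"

# Comment out the two tcp/443 -> 6443 redirects and add the matching tcp/443
# -> 10443 redirects directly below them. Safe to re-run: already commented
# lines and existing 10443 lines are left untouched.
rewrite_forwardrules() {
    file="$1"
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"   # keep a copy for rollback
    awk '
        /^-A (PREROUTING|OUTPUT -d 127\.0\.0\.1\/32) -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 6443$/ {
            print "#" $0            # disable the original redirect
            sub(/6443$/, "10443")   # same rule, new target port
            print
            next
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Return 0 only when the file matches the article's final example: both 6443
# redirects commented out and both 10443 redirects present.
verify_forwardrules() {
    file="$1"
    [ "$(grep -c '^#-A .* -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 6443$' "$file")" -eq 2 ] &&
    [ "$(grep -c '^-A .* -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10443$' "$file")" -eq 2 ] &&
    ! grep -q '^-A .* -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 6443$' "$file"
}

# Load the edited file into the live nat table and show the tcp/443 redirect
# before and after, which is the comparison the article asks for.
apply_and_check() {
    before=$(iptables -t nat -L PREROUTING -n | grep 'tcp dpt:443' || true)
    iptables-restore "$RULES_FILE"
    after=$(iptables -t nat -L PREROUTING -n | grep 'tcp dpt:443' || true)
    printf 'before: %s\nafter:  %s\n' "$before" "$after"
    if [ "$before" = "$after" ]; then
        echo "no change in the 443 redirect; the article says to reboot and re-run" >&2
        return 1
    fi
}

if [ "${1:-}" = "apply" ]; then
    rewrite_forwardrules "$RULES_FILE"
    verify_forwardrules "$RULES_FILE" || { echo "rules file edit failed" >&2; exit 1; }
    apply_and_check
fi
```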


Here is an example of what the final changes look like:

*nat
:PREROUTING ACCEPT [5:348]
:INPUT ACCEPT [4:270]
:OUTPUT ACCEPT [2:104]
:POSTROUTING ACCEPT [2:104]
-A PREROUTING -p udp -m udp --dport 443 -j REDIRECT --to-ports 9443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
#-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 6443
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10443
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 443 -j REDIRECT --to-ports 9443
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
#-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 6443
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10443
COMMIT

You should now be able to run both Services concurrently on the UAG.
