UAG-3219: Server Name Identification (SNI) rule in HA proxy file is incorrect for Relay-Endpoint configurations in UAG 3.3

Version Identified

Unified Access Gateway 3.3

Identifier

UAG-3219


Symptoms

Installing Content Gateway in Relay-Endpoint mode causes the test connection from the console to fail when the Relay is configured on port 443 and the Endpoint on 443 or any other port. The cause is that the appliance agent on the Unified Access Gateway (UAG) machine writes the redirect rules for the relay Content Gateway server (from port 443 to the internal port 10443) into the haproxy.conf file incorrectly: the SNI rule names the endpoint hostname instead of the relay hostname.


Workaround

To work around the issue, the haproxy.conf file on the UAG relay machine must be edited with the correct values.

Scenario 1

When the Relay Content Gateway is configured on port 443 and the Endpoint Content Gateway is also on port 443, perform the following steps:

  1. Open the vSphere client, navigate to the UAG relay machine, open the console and cd to /opt/vmware/gateway/conf
  2. Open the haproxy.conf file for editing (e.g. $ vi haproxy.conf)
  3. Find the endpoint hostname (e.g. endpoint.domain.com) in the file and replace it with the relay's hostname (e.g. relay.domain.com).
  4. Save the file and quit.
  5. Reload HAProxy by running the command ($ systemctl reload haproxy.service)

Scenario 2

When the Relay Content Gateway is configured on port 443 and the Endpoint Content Gateway is configured on any port other than 443, perform the following steps:

  1. Open the vSphere client, navigate to the UAG relay machine, open the console and cd to /opt/vmware/gateway/conf
  2. Open the haproxy.conf file for editing (e.g. $ vi haproxy.conf)

  3. In the haproxy.conf file, add the highlighted content shown in the screenshot below and replace the 'RELAYHOSTNAME' keyword with the actual relay hostname. The indentation must match the screenshot exactly; any mismatch in indentation will cause HAProxy to fail to read the file.

     Example: the relay's hostname should be a fully qualified domain name (FQDN) such as relay.domain.com.
     (Screenshot: Picture1.png)
  4. Save the file and quit.
  5. Reload HAProxy by running the command ($ systemctl reload haproxy.service)
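The following shell helper is an added example for both scenarios above; it is not part of this article or of the UAG appliance. It assumes the SNI rule is an HAProxy ACL built on the `req.ssl_sni` (or `ssl_fc_sni`) fetch, that the file uses the same layout as the constructed sample below (the real appliance file differs), and that `haproxy` may or may not be installed on the machine where it runs. It backs the file up, replaces the endpoint FQDN with the relay FQDN on the SNI rule lines only, and then verifies that no SNI rule still names the endpoint before you reload the service.

```shell
#!/bin/sh
# Added example helper for the UAG-3219 workaround (not the article's or VMware's code).
# Assumption: the SNI rule lines contain "req.ssl_sni" or "ssl_fc_sni".

# Write a constructed sample haproxy.conf that reproduces the symptom:
# the SNI ACL names the endpoint FQDN instead of the relay FQDN.
write_sample_conf() {
    cat > "$1" <<'EOF'
defaults
    mode tcp
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend relay_443
    bind *:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl cg_sni req.ssl_sni -i endpoint.domain.com
    use_backend content_gateway if cg_sni

backend content_gateway
    server cg 127.0.0.1:10443
EOF
}

# fix_sni_hostname CONF ENDPOINT_FQDN RELAY_FQDN
# Back the file up, then rewrite ENDPOINT_FQDN to RELAY_FQDN on SNI rule lines only,
# so unrelated lines that mention the endpoint (comments, other backends) are untouched.
fix_sni_hostname() {
    conf="$1"; endpoint_fqdn="$2"; relay_fqdn="$3"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    # Escape dots so sed treats the FQDN literally instead of "." matching any character.
    pattern=$(printf '%s' "$endpoint_fqdn" | sed 's/\./\\./g')
    sed -e "/req\.ssl_sni/s/$pattern/$relay_fqdn/g" \
        -e "/ssl_fc_sni/s/$pattern/$relay_fqdn/g" "$conf" > "$conf.new" \
        && mv "$conf.new" "$conf"
}

# check_sni_hostname CONF ENDPOINT_FQDN RELAY_FQDN
# Return 0 only if at least one SNI rule names the relay FQDN and none still names
# the endpoint FQDN; also run HAProxy's own syntax check when the binary is present.
check_sni_hostname() {
    conf="$1"; endpoint_fqdn="$2"; relay_fqdn="$3"
    sni_lines=$(grep -E 'req\.ssl_sni|ssl_fc_sni' "$conf" 2>/dev/null || true)
    [ -n "$sni_lines" ] || { echo "no SNI rule found in $conf" >&2; return 1; }
    if printf '%s\n' "$sni_lines" | grep -qF "$endpoint_fqdn"; then
        echo "SNI rule still references endpoint $endpoint_fqdn" >&2
        return 1
    fi
    if ! printf '%s\n' "$sni_lines" | grep -qF "$relay_fqdn"; then
        echo "no SNI rule references relay $relay_fqdn" >&2
        return 1
    fi
    # Catch the indentation/syntax mistakes the article warns about before reloading.
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$conf" >/dev/null 2>&1 || { echo "haproxy -c rejected $conf" >&2; return 1; }
    fi
    return 0
}

# Stand-alone demonstration on the constructed sample (uses a temp directory, not /opt/vmware).
run_demo() {
    d=$(mktemp -d) || return 1
    write_sample_conf "$d/haproxy.conf"
    fix_sni_hostname "$d/haproxy.conf" endpoint.domain.com relay.domain.com || return 1
    check_sni_hostname "$d/haproxy.conf" endpoint.domain.com relay.domain.com
    rc=$?
    rm -rf "$d"
    return $rc
}

if [ "${1:-}" = "demo" ]; then
    run_demo && echo "SNI rule now names the relay hostname"
fi
```

On the appliance you would call `fix_sni_hostname /opt/vmware/gateway/conf/haproxy.conf endpoint.domain.com relay.domain.com`, then `check_sni_hostname` with the same arguments, and only reload HAProxy when the check returns 0; the timestamped `.bak` copy lets you roll back if the test connection still fails.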


Fix Version

Our product team has been engaged and is actively working to resolve the issue.
