vEffort

Physical efforts in virtualization and mobility

VMware Unified Access Gateway Firewall Rule Generator

Hello Folks,

When deploying Virtual Desktop/Application remote access solutions, you often need to engage with ‘The Firewall Guy’. This can often be a difficult conversation involving lots of questions such as “what?”, “from where?”, “to where?” and “why?”

To this end I have created a Unified Access Gateway Firewall Rules Generator which you can download. You just need to plug in the parameters on the lookup tab and it will pre-populate the firewall rules for you. Other than the standard back end stuff which you (as the Virtual Desktop Consultant) should already know, the only things you need to ask the firewall guy for are:

  1. Unified Access Gateway-owned IP addresses in the DMZ
  2. Internet-facing IP address for the NAT rule – you don’t actually need to know this yourself, but it helps in providing a fully completed rule set
  3. Certificates – May be from someone else entirely

Hopefully you won’t even need to talk to the firewall guy at all after that! You can fill in the sheet and email it off to him/her. Here’s a diagram I put together with the ports:

UAG Ports

A few points to note:

  • This is based upon the information from this VMware article, which I found to be missing items such as DNS and RADIUS, so I have added these in
  • The deployment mode is based upon the two IP addresses per Access Point; single IP will work fine, just enter the same IP in both the Front-End and Back-End Management sections
  • When deploying the Unified Access Gateway via either PowerShell or OVF, the first IP entered becomes the external one, not the Management/Backend Communication one, which is the second one entered
  • If you want to read a blog on actually deploying UAG, this by Carl Stalhood is probably the best one out there

I’ve used the PowerShell deployment method before, but since 2.8 the OVF deployment actually works properly, so it’s just as easy to deploy it that way and then import your predefined settings from a JSON file.
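The lookup-to-rules step described above, including the single-IP case where the same address goes in both the front-end and back-end fields, as an added Python example (not the spreadsheet's own logic). The port lists are assumed Horizon defaults rather than values read from the sheet or diagram, and the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Port lists are ASSUMED Horizon defaults, not values read from the page's
# spreadsheet or diagram; confirm them for your UAG/Horizon version.
EXTERNAL = [("tcp", 443), ("tcp", 4172), ("udp", 4172), ("tcp", 8443), ("udp", 8443)]
BROKER = [("tcp", 443)]
DESKTOP = [("tcp", 4172), ("udp", 4172), ("tcp", 22443), ("udp", 22443),
           ("tcp", 32111), ("tcp", 9427)]
DNS = [("udp", 53), ("tcp", 53)]
RADIUS = [("udp", 1812)]
ADMIN = [("tcp", 9443)]


def build_rules(front_ip, back_ip, brokers, desktops, dns, radius, admins, nat_ip=None):
    """Return (source, destination, protocol, port, purpose) tuples for one UAG."""
    front = str(ipaddress.ip_address(front_ip))  # first IP entered = external
    back = str(ipaddress.ip_address(back_ip))    # second = management/back end
    for net in (desktops, admins):
        ipaddress.ip_network(net)                # reject malformed CIDR early
    public = f"{ipaddress.ip_address(nat_ip)}->{front}" if nat_ip else front
    plan = [("any", [public], EXTERNAL, "client access"),
            (back, brokers, BROKER, "Connection Server"),
            (back, [desktops], DESKTOP, "desktop protocols"),
            (back, dns, DNS, "DNS"),
            (back, radius, RADIUS, "RADIUS"),
            (admins, [back], ADMIN, "UAG admin")]
    return [(src, dst, proto, port, why)
            for src, dsts, ports, why in plan
            for dst in dsts for proto, port in ports]


def internet_exposed(rules):
    """Ports reachable from 'any': the part of the rule set to review first."""
    return sorted({(proto, port) for src, _, proto, port, _ in rules if src == "any"})


if __name__ == "__main__":
    # Constructed sample addresses (RFC 1918 / RFC 5737), not from the page.
    rules = build_rules("192.168.50.10", "10.0.10.10", ["10.0.20.5"], "10.0.30.0/24",
                        ["10.0.20.2"], ["10.0.20.3"], "10.0.40.0/24",
                        nat_ip="203.0.113.10")
    for r in rules:
        print("{:<15} {:<28} {}/{:<6} {}".format(*r))
    print("Exposed to any:", internet_exposed(rules))
```

Only the front-end address ever appears as a destination for `any`; every back-end, DNS, RADIUS and admin rule is pinned to the second IP, which is what makes the two-NIC layout easier to review than the single-IP one.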

One response to “VMware Unified Access Gateway Firewall Rule Generator”

  1. chris smith March 3, 2017 at 8:50 pm

    very cool and thanks for sharing!

