In the last part of this series, I walked through the different remote access options for a Horizon 7 environment. In this post, I’ll cover how to install and configure an Access Point appliance for a Horizon environment.
Note: The Access Point appliance has been renamed to the Unified Access Gateway as of Horizon 7.1. This post began before the product was renamed, and the old naming convention will be used.
Before we go into deploying the appliance, let’s dive into what the appliance does and how it’s built.
As I said in the previous post, the Access Point is a purpose built virtual appliance that is designed to be the remote access component for VMware Horizon, VMware Identity Manager, and Airwatch. The appliance is hardened for deployment in a DMZ scenario, and it is designed to only pass authorized traffic from authenticated users into a secure network. In some ways, the Access Point is designed to replace VPNs, but it doesn’t provide full access to an internal network like a VPN would.
When deploying an Access Point, I highly recommend using the PowerShell Deployment Script. This script was written by Mark Benson, the lead developer of the Access Point. The script uses an INI configuration file that can be customized for each appliance that is deployed. I like the PowerShell script over deploying the appliance through vCenter because the appliance is ready to use on first boot, it allows administrators to track all configurations in a source control system such as Github or Bitbucket Server, and this provides both documentation for the configuration and change tracking. It also makes it easy to redeploy or upgrade the access point because I rerun the script with my config file and the new OVA file.
The PowerShell script requires the OVF Tool to be installed on the server or desktop where the PowerShell script will be executed. The latest version of the OVF Tool can be downloaded from the My VMware site. PowerCLI is not required when deploying the Access Point as OVF Tool will be deploying the Access Point and injecting the configuration.
The steps for deploying the Access Point are:
1. Download the PowerShell deployment script for the version of the Access Point you will be deploying. You can download the script from here.
2. Right click on the downloaded zip file and select Properties.
3. Click Unblock. This step is required because the file was downloaded from the Internet, and is untrusted by default, and this can prevent the script from executing.
4. Extract the contents of the downloaded ZIP file to a folder on the system where the deployment script will be run. The ZIP file contains the apdeploy.ps1 script file and five INI template files. As of January 2017, four of the template files are example configurations for Horizon, and one is a sample configuration for vIDM.
When deploying the access points for Horizon, I recommend starting with the AP2-Advanced.ini template. This template provides the most options for configuring Horizon remote access and networking. Once you have the AP deployed successfully, I recommend copying the relevant portions of the SecurID or RADIUS auth templates into your working AP template. This allows you to test remote access and your DMZ networking and routing before adding in MFA.
5. Before we start filling out the template for our first access point, there are some things we’ll need to do to ensure a successful deployment. These steps are:
A. Ensure that the OVF Tool is installed on your deployment machine.
B. Locate the Access Point’s OVA file and record the full file path. The OVA file can be placed on a network share.
C. We will need a copy of the certificate, including any intermediate and root CA certificates, and the private key in PEM format. The certificate files should be concatenated so that the certificate and any CA certificates in the chain are in one file, and the private key should not have a password on it. Place these files into a folder on the local or network folder and record the full path.
D. We need to create the path to the vSphere resources that OVF Tool will use when deploying the appliance. This path looks like: vi://user@PASSWORD:vcenter.fqdn.orIP/DataCenter Name/host/Host or Cluster Name/
Do not replace the uppercase PASSWORD with any value. This is an OVF Tool variable that prompts the user for a password before deploying the appliance. OVF Tool is case sensitive, so make sure that the datacenter name and host or cluster names are entered as they are displayed in vCenter.
E. Generate the passwords that you will use for the appliance Root and Admin passwords.
F. Get the SSL Thumbprint for the certificate on your Connection Server or load balancer that is in front of the connection servers.
6. Fill out the template file. The file has comments for documentation, so it should be pretty easy to fill out. There are a couple of things that I’ve noticed when deploying the access point using this method. You need to have a valid port group for all three networks, even if you are only using the OneNic deployment option.
7. Save your INI file as <APName>.ini in the same directory as the deployment scripts.
8. Open PowerShell and change to the directory where the deployment scripts are stored.
9. Run the deployment script. The syntax is .\APDeploy.ps1 –inifile <apname>.ini
10. Enter the appliance root password twice.
11. Enter the admin password twice. This password is optional, however, if one is not configured, the REST API and Admin interface will not be available.
12. If RADIUS is configured in the INI file, you will be prompted for the RADIUS shared secret.
13. After the script opens the OVA and validates the manifest, it will prompt you for the password for accessing vCenter. Enter it here.
14. If an access point with the same name is already deployed, it will be powered off and deleted.
15. The appliance OVA will be deployed. When the deployment is complete, the appliance will be powered on and get an IP address from DHCP.
16. The appliance configuration defined in the INI file will be injected into the appliance. It may take a few minutes for configuration to be completed.
Testing the Access Point
Once the appliance has finished it’s deployment and self-configuration, it needs to be tested to ensure that it is operating properly. The best way that I’ve found for doing this is to use a mobile device, such as a smartphone or cellular-enabled tablet, to access the environment using the Horizon mobile app. If everything is working properly, you should be prompted to sign in, and desktop pool connections should be successful.
If you are not able to sign in, or you can sign in but not connect to a desktop pool, the first thing to check is your firewall rules. Validate that TCP and UDP ports 443 and 4172 are open between the Internet and your Access Point. You may also want to check your network routes in your configuration file. If your desktops live in a different subnet than your access points and/or your connection servers, you may need to statically define your routes. An example of a route configuration may look like the following:
routes1 = 192.168.2.0/24 192.168.1.1,192.168.3.0/24 192.168.1.1
If you need to make a routing change, the best way to handle it is to update the ini file and then redeploy the appliance.