Introduction to the VMware Content Gateway
VMware Content Gateway is offered by Workspace ONE UEM powered by AirWatch as a service on the Unified Access Gateway appliance. It gives end users a secure and efficient path to internal repositories.
Using VMware Content Gateway together with VMware Workspace ONE Content provides tiered access to corporate content. End users can remotely open documentation, board books, financial documents, and more, directly from internal file shares or content repositories. As files are added or updated in the existing repository, the changes appear immediately in VMware Workspace ONE Content. Users are granted access only to the files and folders they are approved for, based on the access control lists already defined in the internal repository.
Note: VMware announced End of General Support for the standalone VMware Content Gateway on Windows and Linux servers, effective October 17, 2019. The Content Gateway service on Unified Access Gateway (UAG), supported since 2017, replaces the standalone Windows and Linux solution.
Architecture and Security of Content Gateway
Deploying Content Gateway as a service on Unified Access Gateway removes the manual configuration and maintenance of Content Gateway, and the appliance receives security updates as a whole. The Unified Access Gateway appliance platform undergoes multiple security audits, and patches are released for security vulnerabilities.
VMware Content Gateway supports two deployment architectures, basic and relay-endpoint. Both support load balancing for high availability and SSL offloading. The admin can tailor the VMware Content Gateway deployment to the enterprise's security needs and existing infrastructure.
In the DMZ, consider using a load balancer to forward traffic to a Workspace ONE UEM component on the configured ports. Also consider running the components on dedicated servers, so that other web applications or services cannot cause performance problems.
Content Gateway with Load Balancing
Workspace ONE UEM supports integration with a load balancer for better performance and availability.
Successful integration requires some additional client-side configuration.
- Make the network changes the Content Gateway needs to reach the various internal resources over the required ports.
- Configure the load balancer to persist each client's connection to the same load-balanced node, using the algorithm of your choice. Workspace ONE UEM supports simple algorithms such as Round Robin as well as more sophisticated ones such as Least Connections.
- Configure the load balancer to send the original HTTP headers, to avoid device connectivity problems. Content Gateway uses information in the request's HTTP headers to authenticate devices, so a load balancer that rewrites or drops them breaks that authentication.
Content Gateway Deployment Models
VMware Content Gateway can be deployed using either the basic endpoint model or the relay-endpoint model. Use the model that best fits the enterprise's needs.
Both SaaS and on-premises Workspace ONE UEM environments support the basic and relay-endpoint models. In either model, the VMware Content Gateway must expose a publicly reachable endpoint for devices to connect to when they make a request. In the basic model, a single VMware Content Gateway instance is configured with a public DNS name. In the relay-endpoint model, the public DNS name instead maps to the relay server in the DMZ, which communicates with the Device Services server. In SaaS deployments, Workspace ONE UEM hosts the API component in the cloud; in an on-premises environment, the API component is typically installed in the DMZ.
Basic Endpoint Deployment Model
In the basic endpoint model, a single Content Gateway instance is installed on the Unified Access Gateway appliance with a publicly available DNS name. The Content Gateway sits either in the DMZ or in the internal network. When it is in the internal network, it is placed behind a load balancer located in the DMZ, and the load balancer forwards traffic to the VMware Content Gateway on the configured ports. The VMware Content Gateway then connects directly to the internal content repositories. All deployment configurations support a reverse proxy and load balancing.
The basic endpoint Content Gateway server communicates with the API and Device Services components. Device Services connects the end-user device to the appropriate Content Gateway.
If the basic endpoint is installed in the DMZ, the necessary network changes must be made so that the VMware Content Gateway can reach the various internal resources over the defined ports.
Relay-Endpoint Deployment Model
The relay-endpoint model uses two VMware Content Gateway instances with separate roles. The VMware Content Gateway relay server resides in the DMZ and is reachable from public DNS over the configured ports. The VMware Content Gateway endpoint server is installed in the internal network that hosts the internal resources; it must have an internal DNS record that the relay server can resolve.
The endpoint server connects to the internal repository and serves the content the device requests. The relay server performs health checks at regular intervals to confirm that the endpoint is active and available.
Deploy Content Gateway on Unified Access Gateway
To deploy Content Gateway on Unified Access Gateway (UAG), the admin first enters the UAG parameters for a configured node in the Workspace ONE UEM console.
The admin must have an active Unified Access Gateway deployment, deployed either as an appliance or with PowerShell, before configuring Content Gateway.
Configure Content Gateway on the UEM Console
In the Workspace ONE UEM console, configure the Content Gateway settings to establish a node and pre-define the settings that are bundled into the configuration file. Because the settings are pre-configured, they do not need to be set manually on the server after installation.
Configuration includes selecting the configuration model and the associated ports and, if necessary, uploading an SSL certificate.
Note: Content Gateway services are now supported only on Unified Access Gateway. The legacy Linux and Windows versions of Content Gateway are no longer supported.
- Go to Groups & Settings, then All Settings, System, Enterprise Integration, and select Content Gateway in the Organization Group of your choice.
- Set Enable the Content Gateway to Enabled.
The admin might need to select Override to unlock the Content Gateway settings.
1. Select Add.
2. Complete the text boxes that appear to configure a Content Gateway instance.
3. Configure the Installation Type.
Installation Type: Unified Access Gateway appears as the default available platform for Content Gateway.
4. Configure the Content Configuration settings:
- Configuration Type
Basic – an Endpoint configuration with no relay component.
Relay – an Endpoint configuration with a relay component.
- Name: Provide a unique name. It is used to select this Content Gateway instance when attaching it to a Repository Template, Content Repository, or RFS Node.
- Content Gateway Relay Address: If implementing a relay configuration, enter the URL used to reach the Content Gateway Relay from the Internet.
- Content Gateway Relay Port: If implementing a relay configuration, enter the relay server port.
- Content Gateway Endpoint Address: Provide the hostname of the Content Gateway endpoint. The public SSL certificate bound to the configured port is validated against this entry, so the hostname must match the certificate.
- Content Gateway Endpoint Port: Provide the endpoint server port.
5. Configure the Content SSL Certificate settings.
- Public SSL Certificate (required for Linux deployments): If necessary, upload a PKCS12 (.pfx) certificate file containing the full chain for the Content Gateway installer to bind to the port. The file must hold the server certificate, any intermediate certificates, the root certificate, and the private key, and you must supply its password.
Note: To confirm that the PFX file contains the entire certificate chain, the admin can inspect it with command-line tools such as OpenSSL or Certutil, for example openssl pkcs12 -in myCertificate.pfx -nokeys or certutil -dump myCertificate.pfx. These commands display the complete certificate information. Requirements vary by platform and SSL configuration.
- Ignore SSL Errors (not recommended): Enable this setting only if using a self-signed certificate. When enabled, Content Gateway ignores certificate name mismatches and certificate trust errors. Because trust errors are no longer detected, an attacker who can present a forged certificate is no longer detected either; prefer a certificate issued by a CA that the devices trust.
6. Configure the Certificate Authentication settings.
- Allow Cross-domain KCD Authentication: Enable this setting to authenticate users with PIV-D Derived Credentials instead of user names and passwords.
For end users who access on-premises SharePoint repositories, PIV-D certificate authentication from their devices is required.
- Client Certificate Chain: The certificate chain used to issue client certificates.
- Target SPN: The Service Principal Name (SPN) of the target service.
- Service Account Username: The user name of the service account that has delegation rights.
- Service Account Password: The password of the service account.
- Domain: The name of the Active Directory (AD) domain that contains the users.
- Domain Controller: The hostname or IP address of the domain controller for the domain.
7. Under Custom Gateway Settings, provide the Content Gateway edge service values.
This step is optional. Perform it only if you want to override the default Content Gateway configuration values.
Setting the edge service values in the UEM console automates the configuration file changes, so the configuration files do not need manual updates each time UAG is upgraded. As of Workspace ONE UEM console version 9.7, ICAP Proxy configurations are not supported; existing configurations can still be changed.
8. Select Add and then Save.
Note: On Unified Access Gateway, HTTP traffic for Content Gateway is not allowed on port 80, because TCP port 80 is used by the Edge Service Manager.
After configuring the settings in the UEM console, download the installer, manage the configured nodes, or configure additional nodes.
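The openssl pkcs12 -nokeys command mentioned in step 5 prints the certificates in the file, but confirming by eye that no link in the chain is missing is error-prone. The following POSIX shell script is an added example, not part of the original page or of VMware's tooling: it extracts the certificates from a .pfx, pairs each subject with its issuer, rebuilds the chain from the server certificate up to a self-signed root, and reports the first missing link, so it can be run against the file before it is uploaded to the console. It assumes the openssl CLI is installed and that you know the .pfx password; the file names and the pass:PASSWORD form are illustrative.

```shell
#!/bin/sh
# pfx_chain_check.sh - confirm that a PKCS#12 (.pfx) file intended for the
# Content Gateway listener carries a private key and a complete certificate
# chain: server (leaf) certificate -> intermediates -> self-signed root.
# Added example, not VMware tooling. Assumes the openssl CLI is on PATH and
# that the .pfx password is known.

# Split the PEM bundle on stdin into one file per certificate under $1 and
# print "subject|issuer" (RFC 2253 form) for each, one per line.
pem_subjects_issuers() {
  dir=$1
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%03d.pem", dir, n) }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }'
  for c in "$dir"/cert*.pem; do
    [ -f "$c" ] || continue
    s=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    i=$(openssl x509 -in "$c" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//')
    printf '%s|%s\n' "$s" "$i"
  done
}

# Usage: pfx_chain_check FILE.pfx PASSWORD
# Prints the reconstructed chain and returns 0 when the file holds a private
# key and a chain that ends in a self-signed root. Returns 1 otherwise: no
# key (or wrong password), a missing intermediate or root, or a bare
# self-signed certificate, which would only work with "Ignore SSL Errors".
pfx_chain_check() {
  pfx=$1 pass=$2
  work=$(mktemp -d) || return 1
  rc=1

  if ! openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pass" 2>/dev/null \
       | grep -q 'PRIVATE KEY'; then
    echo "FAIL: $pfx contains no private key (or the password is wrong)"
    rm -rf "$work"; return 1
  fi

  openssl pkcs12 -in "$pfx" -nokeys -passin "pass:$pass" 2>/dev/null \
    | pem_subjects_issuers "$work" > "$work/pairs.txt"
  total=$(wc -l < "$work/pairs.txt" | tr -d ' ')

  # Leaf = the certificate whose subject is not the issuer of any certificate
  # in the file. A lone self-signed cert is its own issuer, so no leaf is found.
  leaf=$(awk -F'|' 'NR==FNR { iss[$2] = 1; next } !($1 in iss) { print $1; exit }' \
           "$work/pairs.txt" "$work/pairs.txt")
  if [ -z "$leaf" ]; then
    echo "FAIL: $pfx holds $total certificate(s) but no CA-issued server certificate (self-signed?)"
    rm -rf "$work"; return 1
  fi

  # Walk issuer -> subject until a self-signed root, reporting the first gap.
  cur=$leaf depth=0 complete=0
  while [ -n "$cur" ] && [ "$depth" -lt 10 ]; do
    iss=$(awk -F'|' -v s="$cur" '$1 == s { print $2; exit }' "$work/pairs.txt")
    if [ -z "$iss" ]; then
      echo "  missing: no certificate with subject '$cur' in the file"
      break
    fi
    depth=$((depth + 1))
    echo "  [$depth] $cur"
    if [ "$iss" = "$cur" ]; then complete=1; break; fi
    cur=$iss
  done

  if [ "$complete" -eq 1 ]; then
    echo "OK: $pfx has a private key and a complete $depth-certificate chain"
    rc=0
  else
    echo "FAIL: $pfx chain is incomplete ($depth certificate(s) found before the gap)"
  fi
  rm -rf "$work"
  return $rc
}
```

Run it as pfx_chain_check myCertificate.pfx 'PASSWORD' and fix the file until it reports OK. A lone self-signed certificate is reported as a failure on purpose, because the only way to make it work is the Ignore SSL Errors setting that the console marks as not recommended. The script rebuilds the chain from the names inside the file only; it does not check signatures, validity dates, or whether the root is one your devices actually trust, so finish with openssl verify against your trust store.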
Custom Values for Content Gateway
Custom configuration values for the Content Gateway on Unified Access Gateway (UAG) can be set in the Workspace ONE UEM console. When the UAG server fetches them, these custom values are written automatically into the Content Gateway configuration files, which removes the manual effort of updating those files each time the UAG server is upgraded.
Note: If changes are made after the Content Gateway service has started, the service configuration on UAG must be re-saved for them to take effect.
SMB Client Dependencies
The smbclient tool, used to connect to SMB repositories, is packaged with Content Gateway and installed when the Content Gateway service is deployed on UAG. This packaging removes the manual task of installing smbclient on the UAG server. However, the admin must install the dependencies that smbclient needs.
The admin must install the following dependencies:
Modifying the SMB Configurations
The SMB configuration is stored in the smb.conf and smb-connector.conf files under the smb-connector directory in the Content Gateway installation path. To define custom values for these files precisely, the admin must first obtain the current files through the UAG log export function. When a new custom value is added, no particular ordering is applied within these configuration files: the new value is appended after all existing values, at the end of the file.
Modifying Application Log Levels
A KVP entry can be used to change the application logging level, for example to Debug. The default level is Info; the permitted values are Warn, Info, Error, Debug, and Trace.
Configure Content Gateway on Unified Access Gateway
To configure Content Gateway on Unified Access Gateway, enable the Content Gateway settings and provide the required configuration details.
- In the Unified Access Gateway Admin UI, open General Settings, select Edge Service Settings, then Content Gateway Settings, and click the gear icon.
- Set the toggle to YES to enable the Content Gateway settings.
- Configure the following settings, and then select Save.
- Identifier: Indicates that this service is enabled.
- API Server URL: Provide the AirWatch API Server URL in the form [http[s]://]hostname[:port].
The destination URL must contain the protocol, the hostname or IP address, and the port number, for example https://load-balancer.example.com:8443.
Unified Access Gateway pulls the Content Gateway configuration from the API server.
- API Server Username: Provide the user name used to sign in to the API server.
The admin account must be assigned the Content Gateway role.
- API Server Password: Provide the password used to sign in to the API server.
- Content Gateway Hostname: Provide the hostname used to customize the edge settings.
- Content Gateway Configuration GUID: An ID, known as the VMware Content Gateway configuration GUID, that the Workspace ONE UEM console generates automatically when the Content Gateway is configured. In the Workspace ONE UEM console, the Configuration GUID is shown on the Content Gateway page under Settings, reached by navigating to Content and selecting Content Gateway.
- Outbound Proxy Host: The host on which the outbound proxy is installed. If configured, Unified Access Gateway connects to the API Server through this outbound proxy.
- Outbound Proxy Port: The port of the outbound proxy.
- Outbound Proxy Username: The user name used to sign in to the outbound proxy.
- Outbound Proxy Password: The password used to sign in to the outbound proxy.
- NTLM Authentication: Enable this if the outbound proxy requires NTLM authentication.
- Trusted Certificates: Add a trusted certificate to this edge service. Click '+' to select a certificate in PEM format and add it to the trust store. Click '-' to remove a certificate from the trust store. By default, the alias is the filename of the PEM certificate; use the alias text box to give it a different name.
- Host Entries: Provide the details to be added to the /etc/hosts file. Each entry consists of an IP address, a hostname, and an optional hostname alias, separated by spaces.
For example, 10.192.168.2 example2.com example-alias or 10.192.168.1 example1.com. To add multiple host entries, click '+'.
Important: The host entries are saved only after the admin selects Save.
Verify Content Gateway Connectivity
After installation, test the Content Gateway's connection in the UEM console to verify that the installation completed successfully.
- In the UEM console, go to Groups & Settings, then All Settings, System, Enterprise Integration, and select Content Gateway.
- Select Test Connection to verify connectivity.
Considerations for Content Gateway Configuration
When setting up repository access through the Content Gateway, consider how the repository content is synced.
When repository access is set up through the Content Gateway, repository content syncs only two folder levels deep. Deeper subfolders sync on demand, when the device or the UEM console requests them: on the console, when a manual sync action is performed inside a subfolder, and on the device, when an end user navigates into a subfolder.
Content Gateway Robustness
Understand the performance issues caused by geographical separation between the Content Gateway and the corporate file servers, and how to address them.
Geographical separation within the content infrastructure directly results in latency that affects performance. Global organizations that sync content from corporate file servers spread across the globe through a single Content Gateway connector might encounter such issues.
To address performance issues caused by geographical separation between the local corporate file servers and the Content Gateway, configure multiple Content Gateway instances in the same Organization Group. For large deployments, this also splits the load.
Evaluate your organization's need for multiple Content Gateway nodes. Global organizations concerned about latency caused by geographical separation benefit most from this configuration option.
Content Gateway Sizing Infrastructure for NFS Repository Sync
VMware Content Gateway gives end users secure and efficient access to content on network share repositories such as SMB, NetApp, and Network File Share (NFS). Content Gateway performance depends on the number of users syncing and accessing the content.
The Workspace ONE development team has tested NFS repository sync performance with Workspace ONE UEM; configuring NFS with Content Gateway on Unified Access Gateway helps enterprises give end users the best experience.
NFS Testing Requirements
This section lists the infrastructure the Workspace ONE development team used to test the NFS repository with Content Gateway configured on the Unified Access Gateway appliance. Use these requirements and details for reference only; they can change according to enterprise needs and supporting infrastructure.
- A single instance of Content Gateway configured in cascade mode on Unified Access Gateway, running on VMware vSphere, with a Windows share on the same domain.
- No load balancers were used.
The following data was derived from the NFS repository sync performance tests run with Workspace ONE UEM. The sync test results can vary if the Content Gateway or NFS specifications change. Use the results as a reference when using Content Gateway with an NFS repository.
Treat the number of sync requests as the number of device requests, on the assumption that each device makes one request.