How to Upgrade VMware UAG 3.3 to 3.4 (Universal Access Gateway)

Upgrade UAG to 3.4

VMware released the new Universal Access Gateway (UAG) 3.4 a while ago (What’s New) and I finally got a chance to upgrade my 3.3 appliance to 3.4.  Here’s a breakdown of that process.

Since the upgrade procedure is really just a DEPLOY and MIGRATE (there is no actual upgrading), you will need to first download and install the OVFTool to deploy the OVA.


Once downloaded, you can install with a typical Next, Next, Next, Install, Finish sequence.

ScreenClip ScreenClip ScreenClip ScreenClip ScreenClip

At this point, you will want to download both the 3.4 OVA file from VMware and also the sample PowerShell deployment scripts.

I typically unzip everything into a C:\UAGs\ directory.


Depending on your particular setup, you can start with one of VMware’s sample INI files.  Choose one that is appropriate (one nic, two nic, etc..) and open up in your favorite editor.

Then go to your EXISTING 3.3 UAG and export your configuration as an INI file.  (You can also export as a JSON to use as an import later if some details are missing from your INI)

You will have to take the appropriate entries from your exported INI and move them into your sample (deployment) INI.  This will vary from setup to setup but some of the things I look out for are:

1) SSL Certificates
2) MFA authentication pieces (including SecurID Conf.rec files)
3) Datastore Names
4) Target
5) License Edition

Regarding Target, this drove me crazy for a while.  All over the internet and in the samples itself, you will see the following example:


I found this EXTREMELY confusing when it came to my ENTERPRISE deployments where I needed to use a cluster as the target and not an individual host.  For that scenario, use the following example:

target=vi://[email protected]:PASSWORD@vCenterIP/

In the example above, you leave the word host alone and only change out the Datacenter and Cluster name.  Took what seemed like FOREVER to figure this out for me (I might just be dense).

Once you have your INI file ready to go, fire up PowerShell and run the command : C:\UAGs\uagdeploy.psm [deployment INI]


Be sure to use a different naming scheme for the new UAG virtual machine since if the script sees the same name, it will power off and delete the old VM.

Once this deployment is complete, wait a few minutes for everything to power up and be ready then you can proceed to validate everything in the Admin UI. HTTPS://uag:9443/admin

Additionally, any persistent HOST ROUTES that need to be added can be added with the following command on the Linux shell

route add –host [HOST IP] gw [GATEWAY IP] eth0 >> /opt/vmware/gateway/logs/vami.log 2>&1

Once all of your configuration is tested and validated, you can proceed to remove the old powered off appliance.  If anything goes sideways during testing, you can always fire up the old appliance and try again.

Be sure to also check out my other blog post here that details how to get an A+ rating on the UAG from Qualys SSLLabs.

Happy Upgrading!