This is a small blog post on solving a DNS issue with the VMware Unified Access Gateway version 3.7 and above when using a .local domain.
At one of our customers I was asked to upgrade their VMware Unified Access Gateways from version 3.5 to 3.8. Usually this is a quick and easy task. But this time I ran into an issue. I was unable to set up RSA authentication on the Unified Access Gateways. The RSA appliances of this customer are part of a .local domain.
I deployed the OVA, exported and imported the JSON and then I checked the admin interface. This showed that RSA authentication was not configured. After this I tried to set up the RSA configuration manually, but it showed an error: “unable to save configuration”. This message told me nothing, so I had to troubleshoot this issue. In the documentation of the UAGs I found that there is an authbroker.log logfile on the appliance. This file contains log messages from the AuthBroker process, which handles RADIUS and RSA SecurID authentication. Authbroker.log is located at /opt/vmware/gateway/logs.
The log shows that the service is unable to resolve the names of the RSA appliances. After searching the internet for this issue I found the following article:
https://www.reddit.com/r/vmware/comments/e30k2p/horizon_uag_37_not_using_configured_dns/
It appears that the new systemd-resolved method uses .local for multicast DNS exclusively. Fortunately there is a way to fix this issue. Edit /etc/systemd/resolved.conf, uncomment the Domains line and add your .local domain to it.
Finally, I rebooted the appliance and was able to configure RSA on the UAGs.
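The resolved.conf edit described above, written as an idempotent shell function (an added example, not part of the original post or VMware's tooling). The function name, the `corp.local` placeholder domain and the sample file contents are assumptions, and the script assumes a single `Domains=` line, as in a stock resolved.conf.

```shell
#!/bin/sh
# Uncomment the Domains= line in a resolved.conf-style file and add a domain
# to it. Running it twice leaves one copy of the domain; existing entries stay.
set_resolved_domain() {
    srd_conf=$1
    srd_domain=$2
    srd_tmp=$(mktemp) || return 1
    awk -v d="$srd_domain" '
        /^[ \t]*#?[ \t]*Domains=/ && !done {
            # Strip the comment marker and key, keep any domains already listed
            sub(/^[ \t]*#?[ \t]*Domains=/, "")
            n = split($0, cur, /[ \t]+/)
            seen = 0; out = ""
            for (i = 1; i <= n; i++) {
                if (cur[i] == "") continue
                if (cur[i] == d) seen = 1
                out = out (out == "" ? "" : " ") cur[i]
            }
            if (!seen) out = out (out == "" ? "" : " ") d
            print "Domains=" out
            done = 1
            next
        }
        { print }
        # No Domains line at all: append one (file has only the [Resolve] section)
        END { if (!done) print "Domains=" d }
    ' "$srd_conf" > "$srd_tmp" && cat "$srd_tmp" > "$srd_conf"
    srd_rc=$?
    rm -f "$srd_tmp"
    return "$srd_rc"
}

# Demo on a constructed sample file, not the appliance's real configuration.
sample=$(mktemp)
printf '%s\n' '[Resolve]' '#DNS=' '#FallbackDNS=' '#Domains=' '#LLMNR=no' > "$sample"
set_resolved_domain "$sample" corp.local   # corp.local is a placeholder domain
cat "$sample"
rm -f "$sample"
```

Writing through `cat` into the existing file keeps its owner and permissions unchanged.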