Navigation
- Change Log
- Overview
- PowerShell Deploy Script Method – both upgrade and new
- vSphere Client Deploy OVF method – Upgrade Existing, or Deploy New
- Web-based Admin Interface
- Add UAG to Horizon Console
- Monitor Sessions
- Logs and Troubleshooting
- Load Balancing
- UAG Authentication – SAML, RADIUS
- Other UAG Configurations – High Availability, Network Settings, System Settings
💡 = Recently Updated
Change Log
- 2024 July 27 – updated Import OVF section for UAG 2406
- 2024 Jan 31 – SHA-1 thumbprint no longer supported. Replace with SHA-256 thumbprint (fingerprint).
- 2021 Sep 30 – Horizon Edge configuration – added instructions to disable CORS to fix HTML Access in Horizon 2106 and newer.
Overview
Unified Access Gateway provides remote connectivity to internal Horizon Agent machines. For an explanation of how this works (i.e., traffic flow), see Understanding Horizon Connections at Omnissa Tech Zone.
Unified Access Gateway (formerly known as Access Point) is a replacement for Horizon Security Servers. Advantages include:
- You don’t need to build extra Connection Servers just for pairing. However, you might want extra Horizon Connection Servers so you can filter pools based on tags.
- Between Unified Access Gateway and Horizon Connection Servers you only need TCP 443. No need for IPSec or 4001 or the other ports. You still need 4172, 22443, etc. to the View Agents.
- No need to enable Gateway/Tunnel on the internal Horizon Connection Servers.
- Additional security with DMZ authentication. Some of the Authentication methods supported on Unified Access Gateway are RSA SecurID, RADIUS, CAC/certificates, etc.
However:
- It’s Linux. You can deploy and configure the appliance without any Linux skills. But you might need some Linux skills during troubleshooting.
Horizon View Security Server has been removed from Horizon 2006 (aka Horizon 8).
- Some of the newer Blast Extreme functionality only works in Unified Access Gateway. See Configure the Blast Secure Gateway at Omnissa Docs.
More information at VMware Blog Post Technical Introduction to VMware Unified Access Gateway for Horizon Secure Remote Access.
Horizon Compatibility – Refer to the interoperability matrix to determine which version of Unified Access Gateway is compatible with your version of Horizon.
- The latest version of UAG is 2406.
- You usually want the Non-FIPS version.
- Then download the PowerShell deployment scripts on the same UAG download page.
- You usually want the Non-FIPS version.
- If you are running an ESB version of Horizon, then make sure you run the ESB version of Unified Access Gateway. Get it from the same page as your Horizon download.
- Use the Select Version drop-down to select the version of Horizon you have deployed.
- Then open the downloads for the edition that you are entitled to: Standard, Advanced, or Enterprise.
- Scroll down the page to see the Unified Access Gateway downloads. You usually want the Non-FIPS version.
- Then download the PowerShell deployment scripts on the same UAG download page.
- Use the Select Version drop-down to select the version of Horizon you have deployed.
Firewall
Omnissa Tech Zone Blast Extreme Display Protocol in Horizon, and Firewall Rules for DMZ-Based Unified Access Gateway Appliances at Omnissa Docs.
Open these ports from any device on the Internet to the Unified Access Gateway Load Balancer VIP:
- TCP and UDP 443
- TCP and UDP 4172. UDP 4172 must be opened in both directions. (PCoIP)
- TCP and UDP 8443 (for HTML Blast)
Open these ports from the Unified Access Gateways to internal:
- TCP 443 to internal Connection Servers (through a load balancer)
- TCP and UDP 4172 (PCoIP) to all internal Horizon View Agents. UDP 4172 must be opened in both directions.
- TCP 32111 (USB Redirection) to all internal Horizon View Agents.
- TCP and UDP 22443 (Blast Extreme) to all internal Horizon View Agents.
- TCP 9427 (MMR and CDR) to all internal Horizon View Agents.
Open these ports from any internal administrator workstations to the Unified Access Gateway appliance IPs:
- TCP 9443 (REST API)
- TCP 80/443 (Edge Gateway)
PowerShell Deploy Script
Omnissa Docs Using PowerShell to Deploy VMware Unified Access Gateway. The script runs OVF Tool to deploy and configure Unified Access Gateway. The PowerShell script is updated as newer versions of Unified Access Gateways are released. This is the recommended method of deploying Unified Access Gateway.
If you prefer to use vSphere Client to Deploy the OVF file, skip ahead to Upgrade or Deploy.
The PowerShell deployment script is downloadable from the UAG download page.
The PowerShell deploy script requires the OVF Tool:
- Download ovftool from Broadcom.
- If OVF Tool is already installed, then you’ll have to uninstall the old version before you can upgrade it.
- On the machine where you will run the UAG Deploy script, install VMware-ovftool-…-win.x86_64.msi.
- In the Welcome to the VMware OVF Tool Setup Wizard page, click Next.
- In the End-User License Agreement page, check the box next to I accept the terms and click Next.
- In the Destination Folder page, click Next.
- In the Ready to install VMware OVF Tool page, click Install.
- In the Completed the VMware OVF Tool Setup Wizard page, click Finish.
Create or Edit a UAG .ini configuration file:
- Extract the downloaded uagdeploy PowerShell scripts for your version of Unified Access Gateway.
- If you have an existing UAG appliance, then you can download an INI of the configuration from the UAG Administrator page.
- Or copy and edit one of the downloaded .ini files, like uag2-advanced.ini.
- Or copy and edit one of the downloaded .ini files, like uag2-advanced.ini.
- A full explanation of all configuration settings can be found at Using PowerShell to Deploy Unified Access Gateway at Omnissa Docs.
- For any value that has spaces, do not include quotes in the .ini file. The script adds the quotes automatically.
- The name setting specifies the name of the virtual machine in vCenter. If this VM name already exists in vCenter, then OVF Tool will delete the existing VM and replace it.
- Add a uagName setting and specify a friendly name. You’ll later add this name to Horizon Console so you can view the health of the UAG appliance in Horizon Console.
- You can optionally enable SSH on the appliance by adding sshEnabled=true.
- For the source setting, enter the full path to the UAG .ova file.
- For the target setting, leave PASSWORD in upper case. Don’t enter an actual password. OVF Tool will instead prompt you for the password.
- For the target setting, specify a cluster name instead of a host. If spaces, there’s no need for quotes. For example:
target=vi://admin@corp.local:PASSWORD@vcenter02.corp.local/Datacenter/host/Cluster 1
- Specify the exact datastore name for the UAG appliance.
- Optionally uncomment the diskMode setting.
- For a onenic configuration (recommended), set the netInternet, netManagementNetwork, and netBackendNetwork settings to the same port group name.
- Multiple dns servers are space delimited.
- For pfxCerts, UNC paths don’t work. Make sure you enter a local path (e.g. C:\). OVA Source File can be UNC, but the .pfx file must be local.
- There’s no need to enter the .pfx password in the .ini file since the uagdeploy.ps1 script will prompt you for the password.
- proxyDestinationUrl should point to the internal load balancer for the Horizon Connection Servers.
- For proxyDestinationUrlThumbprints, paste in the sha256 or higher thumbprint of the Horizon Connection Server certificate in the format shown.
- If your Horizon Connection Servers each have different certificates, then you can include multiple thumbprints (comma separated).
- Make sure there’s no hidden character between sha256 and the beginning of the thumbprint. Or you can just paste the thumbprint without specifying sha256. Note: sha1 is no longer supported. Edge and Chrome can show sha256 certificate fingerprint.
- Change the ExternalUrl entries to an externally-resolvable DNS name and a public IP address. For multiple UAGs, the FQDNs and public IP address should resolve to the load balancer. Note: your load balancer must support persistence across multiple port numbers (443, 8443, 4172).
When you run the PowerShell script, if the UAG appliance already exists, then the PowerShell script will replace the existing appliance. There’s no need to power off the old appliance since the OVF tool will do that for you.
- Open an elevated PowerShell prompt.
- Paste in the path to the uagdeploy.ps1 file. If there are quotes around the path, then add a & to the beginning of the line so PowerShell executes the path instead of just echoing the string.
- Add the -iniFile argument and enter the path to the .ini file that you modified. Press <Enter> to run the script.
- You’ll be prompted to enter the root password for the UAG appliance. Make sure the password meets password complexity requirements.
- You’ll be prompted to enter the admin password for the UAG appliance. Make sure the password meets password complexity requirements.
- For CEIP, enter yes or no.
- For .pfx files, you’ll be prompted to enter the password for the .pfx file. Note: the .pfx file must be local, not UNC.
- OVF Tool will prompt you for the vCenter password. Special characters in the vCenter password must be encoded. Use a URL encoder tool (e.g., https://www.urlencoder.org/) to encode the password. Then paste the encoded password when prompted by the ovftool. The UAG passwords do not need encoding, but the vCenter password does.
- The deploy script will display the IP address of the powered on UAG appliance.
- Review settings in the UAG admin interface.
- Add the new UAG appliance to Horizon Console.
Upgrade
To upgrade from an older appliance, you delete the old appliance and import the new one. Before deleting the older appliance, export your settings:
- Login to the UAG at https://<Your_UAG_IP>:9443/admin/index.html.
- In the Configure Manually section, click Select.
- Scroll down to the Support Settings section, and then click the JSON button next to Export Unified Access Gateway Settings.
- Note: the exported JSON file does not include the UAG certificate, so you’ll also need the .pfx file. If RADIUS is configured, then during import you’ll be prompted to enter the RADIUS secret.
Deploy New
Horizon Compatibility – Refer to the interoperability matrix to determine which version of Unified Access Gateway is compatible with your version of Horizon.
- The latest version of UAG is 2406.
- You usually want the Non-FIPS version.
- You usually want the Non-FIPS version.
- If you are running an ESB version of Horizon, then make sure you run the ESB version of Unified Access Gateway. Get it from the same page as your Horizon download.
- Use the Select Version drop-down to select the version of Horizon you have deployed.
- Then open the downloads for the edition that you are entitled to: Standard, Advanced, or Enterprise.
- Scroll down the page to see the Unified Access Gateway downloads. You usually want the Non-FIPS version.
- Use the Select Version drop-down to select the version of Horizon you have deployed.
To deploy the Unified Access Gateway using VMware vSphere Client:
- If vSphere Client, right-click a cluster, and click Deploy OVF Template.
- Select Local File and click Upload Files. In the Open window, browse to the downloaded euc-unified-access-gateway.ova file, and click Next.
- In the Select a name and folder page, give the machine a name, and click Next.
- In the Review Details page, click Next.
- In the Select configuration page, select a Deployment Configuration. See Network Segments at Unified Access Gateway Architecture at Omnissa Tech Zone. Click Next.
- In the Select storage page, select a datastore, select a disk format, and click Next.
- In the Select networks page, even if you select Single NIC, the OVF deployment wizard asks you for multiple NICs. UAG typically goes in the DMZ.
- In the Customize template page, select STATICV4, and scroll down.
- In the NIC1 (eth0) IPv4 address field, enter the NIC1 (eth0) IPv4 address. Scroll down.
- Enter DNS addresses, Gateway, and Subnet Mask. Scroll down.
- Scroll down and enter more IP info.
- Scroll down.
- Enter a Unified Gateway Appliance Name.
- Scroll down.
- UAG 2207 and newer let you specify the local root username.
- Enter passwords.
- UAG 20.12 (2012) and newer let you specify Password Policy settings when deploying the OVF.
- UAG 20.12 (2012) and newer let you specify Password Policy settings when deploying the OVF.
- Scroll down and enter the password for the admin user.
- UAG 2207 and newer have an adminreset command if you mess up the admin interface login. There’s also an adminpwd command to reset the password.
- UAG 2207 and newer have an option to enable DISA STIG compliance, usually on the FIPS version of UAG.
- There’s a checkbox for Enable SSH.
- In UAG 3.9 and newer, there’s an option to login using a SSH key/pair instead of a password.
- Newer versions of UAG have more SSH options.
- UAG 2207 adds Commands to Run on First Boot or Every Boot.
- Click Next.
- In the Ready to complete page, click Finish.
UAG Admin Interface
- Power on the Unified Access Gateway appliance.
- Point your browser to https://My_UAG_IP:9443/admin/index.html and login as admin. It might take a few minutes before the admin page is accessible.
- UAG 2207 and newer have an adminreset command if you mess up the admin interface login. There’s also an adminpwd command to reset the password.
Import Settings
- If you have previously exported settings, you can import it now by clicking Select in the Import Settings section.
- Browse to the previously exported UAG_Settings.json file and then click Import. Note that this json file might have old settings, like old ciphers. Review the file to ensure you’re not importing legacy configurations. If the .json file has a SHA-1 thumbprint, then edit the file and replace it with SHA-256 thumbprint (fingerprint).
- It should say UAG settings imported successfully. If you don’t see this, then your .json file probably has a SHA-1 thumbprint.
- Press <F5> on your keyboard to refresh the browser.
- The .json file does not include the certificate so you’ll have to do that separately. In the Admin console, in the Advanced Settings section, click TLS Server Certificate Settings.
- In the top row labelled Apply certificate to, select Internet interface.
- Change the drop-down for Certificate Type to PFX.
- In the row Upload PFX, click Select and browse to your PFX file.
- In the Password field, enter the PFX password and then click Save.
Configure Horizon Settings
- To manually configure the appliance, under Configure Manually, click Select.
- Click the slider for Edge Service Settings.
- Click the slider for Enable Horizon.
- As you fill in these fields, hover over the information icon to see the syntax.
- The Connection Server URL should point to the internal load balanced DNS name (URL) for your internal Connection Servers.
- For the Connection Server URL Thumbprint, get the thumbprint from the internal Horizon certificate. Point your browser to the internal Horizon Connection Server FQDN (load balanced) and click the padlock icon to open the certificate.
- On the Details tab, copy the SHA-256 Fingerprint. Note that SHA-1 thumbprint is no longer supported.
- For the Connection Server URL Thumbprint, get the thumbprint from the internal Horizon certificate. Point your browser to the internal Horizon Connection Server FQDN (load balanced) and click the padlock icon to open the certificate.
- In the Proxy Destination URL Thumb Prints field, type in
sha256=
and paste the certificate thumbprint. - At the beginning of the Thumbprint field, immediately after the equals sign, there might be a hidden character. Press the arrow keys on the keyboard to find it. Then delete the hidden character.
- Enable the three PCOIP, Blast, and Tunnel Gateways and perform the following configurations:
- For PCOIP External URL, enter the external IP and
:4172
. The IP should point to your external load balancer that’s load balancing UDP 4172 and TCP 4172 to multiple Unified Access Gateways. - For Blast External URL, enter https://<FQDN>:8443 (e.g. https://view.corp.com:8443). This FQDN should resolve to your external load balancer that’s load balancing UDP 8443 and TCP 8443 to multiple Unified Access Gateways.
- You could change the Blast port to 443 but this would increase CPU utilization on UAG. See Omnissa 78419 Unified Access Gateway (UAG) high CPU utilization.
- Link: Troubleshooting Blast at Omnissa Discussions
- For Enable UDP Tunnel Server, enable the setting.
- For Tunnel External URL, enter https://<FQDN>:443 (e.g., https://view.corp.com:443). This FQDN should resolve to your external load balancer that’s load balancing TCP 443 to multiple Unified Access Gateways.
- The external load balancer must be capable of using the same persistence across multiple port numbers. On NetScaler, this feature is called Persistency Group. On F5, the feature is called Match Across.
- For PCOIP External URL, enter the external IP and
- Then click More.
- Unified Access Gateway has a default list of paths it will forward to the Horizon Connection Server. You can edit the Proxy Pattern and add
|/downloads(.*)
to the list so that users can also download Horizon Clients that are stored on your Horizon Connection Servers as detailed elsewhere at carlstalhood.com. Make sure you click Save at least once so it saves the default Proxy Pattern. Then go back in and add|/downloads(.*)
to the end of the Proxy Pattern but inside the last parentheses. In UAG 2406, the default Proxy Pattern looks something like below:
(/|/view-client(.*)|/portal(.*)|/appblast(.*)|/iwa(.*)|/downloads(.*))
- Scroll down and click Save when done.
- If you click the arrow next to Horizon Settings, then it shows you the status of the Edge services.
- If all you see is Not Configured, then refresh your browser and then click the Refresh Status icon.
- If all you see is Not Configured, then refresh your browser and then click the Refresh Status icon.
- In your Horizon Connection Servers, the Secure Gateways (e.g. PCoIP Gateway) should be disabled.
- Go to Horizon Console.
- Expand Settings and click Servers.
- On the right, switch to the tab named Connection Servers.
- Highlight your Connection Servers and click Edit.
- Then uncheck or disable all three Tunnels/Gateways.
- HTML Access probably won’t work through Unified Access Gateway. You’ll probably see the message Failed to connect to the Connection Server.
- To fix this, configure on each Connection Server the file C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties to disable Origin Check (checkOrigin=false) or configure the Connection Server’s locked.properties with the UAG addresses. Also see 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon 7.
- Horizon 2106 and newer enable CORS by default so you’ll need to either disable CORS by adding enableCORS=false to C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties, or configure the portalHost entries in locked.properties as detailed at 85801 Cross-Origin Resource Sharing (CORS) with Horizon 8 and loadbalanced HTML5 access.
- After modifying the locked.properties file, restart the VMware Horizon View Security Gateway Component service.
Add UAG to Horizon Console
In Horizon 7.7 and newer, you can add UAG 3.4 and newer to Horizon Console so you can check its status in the Dashboard.
- In UAG Admin console, under Advanced Settings, click the gear icon next to System Configuration.
- At the top of the page, change the UAG Name to a friendly name. You’ll use this case-sensitive name later.
- Click Save at the bottom of the page.
- In Horizon Console, on the left, expand Settings and click Servers.
- On the right, switch to the tab named Gateways.
- Click the Register button.
- In the Gateway Name field, enter the case-sensitive friendly name you specified earlier, and then click OK.
See status of UAG appliances:
- Use a Horizon Client to connect through a Unified Access Gateway. Horizon Console only detects the UAG status for active sessions.
- In Horizon Console 7.10 and newer, to see the status of the UAG appliances, on the top left, expand Monitor and click Dashboard.
- In the top-left block named System Health, click VIEW.
- With Components highlighted on the left, on the right, switch to the tab named Gateway Servers.
- This tab shows the status of the UAG appliances, including its version. If you don’t see this info, then make sure you launch a session through the UAG.
To see the Gateway that users are connected to:
- In Horizon Console 7.10 or newer, go to Monitor > Sessions.
- Search for a session and notice the Security Gateway column. It might take a few minutes for it to fill in.
UAG Authentication
SAML is configured in UAG 3.8 and newer in the Identity Bridging Settings section.
- Upload Identity Provider Metadata.
- Then in UAG Admin > Edge Service Settings > Horizon Settings > More (bottom of page), you can set Auth Methods (near top of page) to SAML only, which requires True SSO implementation, or SAML and Passthrough, which requires two logins: one to IdP, and one to Horizon.
- For complete True SSO instructions, see https://www.carlstalhood.com/vmware-horizon-true-sso-uag-saml/.
- For Okta and True SSO, see Enabling SAML 2.0 Authentication for Horizon with Unified Access Gateway and Okta: VMware Horizon Operational Tutorial at Omnissa Tech Zone.
- For Azure MFA, see Sean Massey Integrating Microsoft Azure MFA with VMware Unified Access Gateway 3.8.
For RADIUS authentication:
- Enable the Authentication Settings section and configure the settings as appropriate for your requirements. See Configuring Authentication in DMZ at VMware Docs.
- When configuring RADIUS, if you click More, there’s a field for Login page passphrase hint.
- When configuring RADIUS, if you click More, there’s a field for Login page passphrase hint.
- Then in Edge Service Settings > Horizon Settings > More (bottom of page), you can set Auth Methods (near top of page) to RADIUS.
- If you scroll down the Horizon Settings page, you’ll see additional fields for RADIUS.
- In UAG 3.8 and newer, Passcode label field can be customized for MFA providers like Duo.
- If your RADIUS is doing Active Directory authentication (e.g. Microsoft Network Policy Server with Azure MFA), then Enable Windows SSO so the user isn’t prompted twice for the password.
Other UAG Configurations
- UAG 3.8 and newer shows when the admin password expires in Account Settings in the Advanced Settings section.
- Ciphers are configured under Advanced Settings > System Configuration.
- The default ciphers in UAG 2406 are the following and include support for TLS 1.3.
TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- In UAG older than 2103, Syslog is also configured here. In UAG 2103 and newer, Syslog is in a different menu as described below.
- At the bottom of the System Configuration page are several settings for SNMP, DNS, and NTP.
- UAG 20.12 (2012) and newer support SNMPv3.
- UAG 3.10 and newer have Admin Disclaimer Text.
- You can add NTP Servers.
- The default ciphers in UAG 2406 are the following and include support for TLS 1.3.
- Session Timeout is configured in System Configuration. It defaults to 10 hours.
- UAG 3.6 and newer let you add static routes to each NIC.
- Click Network Settings.
- Click the gear icon next to a NIC.
- Click IPv4 Configuration to expand it and then configure IPv4 Static Routes.
- Click Network Settings.
- UAG 2103 and newer have a different menu item for Syslog Server Settings.
- You can specify up to two Syslog servers.
- You can include System Messages.
- UAG 2207 supports MQTT when adding Syslog servers.
- UAG 20.09 (2009) and newer can automatically install patches/updates when the appliance reboots.
- In the Advanced Settings section, click Appliance Updates Settings.
- For Apply Updates Scheme, select an option. Click Save.
- In the Advanced Settings section, click Appliance Updates Settings.
- UAG supports High Availability Settings.
- With the High Availability Virtual IP address, you might not need load balancing of the UAG appliances. See Unified Access Gateway High Availability at Omnissa Docs.
- The High Availability feature requires three IP addresses and three DNS names:
- One IP/FQDN for the High Availability Virtual IP.
- And one IP/FQDN for each appliance/node.
- The Horizon Edge Gateways should be set to node-specific IP addresses and node-specific DNS names. Each appliance is set to a different IP/FQDN.
- The Virtual IP (and its DNS name) is only used for the High Availability configuration.
- The YouTube video High Availability on VMware Unified Access Gateway Feature Walk-through explains the High Availability architecture.
- The High Availability feature requires three IP addresses and three DNS names:
- Set the Mode to ENABLED.
- Enter a new Virtual IP Address which is active on both appliances.
- Enter a unique Group ID between 1 and 255 for the subnet.
- Click Save.
- On the second appliance, configure the exact same High Availability Settings.
- With the High Availability Virtual IP address, you might not need load balancing of the UAG appliances. See Unified Access Gateway High Availability at Omnissa Docs.
- To upload a valid certificate, scroll down to the Advanced Settings section, and next to TLS Server Certificate Settings, click the gear icon.
- In Unified Access Gateway 2312 and newer, click Edit in the Internet section.
- In Unified Access Gateway 3.2 and newer, you can apply the uploaded certificate to Internet Interface, Admin Interface, or both.
- In Unified Access Gateway 3.0 and newer, change the Certificate Type to PFX, browse to a PFX file, and then enter the password. This PFX file certificate must match the Public FQDN (load balanced) for Unified Access Gateway. If your load balancer is terminating SSL, then the certificate on the UAG must be identical to the certificate on the load balancer.
- Leave the Alias field blank.
- Click Save.
- If you changed the Admin Interface certificate, then you will be prompted to close the browser window and re-open it.
- In Unified Access Gateway 2312 and newer, click Edit in the Internet section.
- Or, you can upload a PEM certificate/key (this is the only option in older UAG). Next to Private Key, click the Select link.
- Browse to a PEM keyfile. If not running Unified Access Gateway 3.0 or newer, then certificates created on Windows (PFX files) must be converted to PEM before they can be used with Unified Access Gateway. You can use openssl commands to perform this conversion. The private key should be unencrypted.
- Browse to a PEM certificate file (Base-64) that contains the server certificate, and any intermediate certificates. The server certificate is on top, the intermediate certificates are below it. The server certificate must match the public FQDN (load balanced) for the Unified Access Gateway.
- Click Save when done.
- Browse to a PEM keyfile. If not running Unified Access Gateway 3.0 or newer, then certificates created on Windows (PFX files) must be converted to PEM before they can be used with Unified Access Gateway. You can use openssl commands to perform this conversion. The private key should be unencrypted.
- UAG 3.1 and newer have an Endpoint Compliance Check feature. The feature requires an OPSWAT subscription. Newer versions of UAG can deploy the OPSWAT agent. It’s pass/fail. See Configure OPSWAT as the Endpoint Compliance Check Provider for Horizon at VMware Docs.
- UAG 3.9 and newer let you upload the Opswat Endpoint Compliance on-demand agent executables. Horizon Client downloads the executables from UAG and runs them. See Upload OPSWAT MetaAccess on-demand agent Software on Unified Access Gateway at VMware Docs.
- In UAG 20.09 and newer, Outbound Proxy Settings can be configured to allow UAG to contact the Opswat servers when checking for device compliance.
- UAG 3.9 and newer let you upload the Opswat Endpoint Compliance on-demand agent executables. Horizon Client downloads the executables from UAG and runs them. See Upload OPSWAT MetaAccess on-demand agent Software on Unified Access Gateway at VMware Docs.
- Scroll down to Support Settings and click the icon next to Export Unified Access Gateway Settings to save the settings to a JSON file. If you need to rebuild your Unified Access Gateway, simply import the the JSON file.
- The exported JSON file does not include the UAG certificate, so you’ll also need the .pfx file.
- The exported JSON file does not include the UAG certificate, so you’ll also need the .pfx file.
- If you point your browser to the Unified Access Gateway external URL, you should see the Horizon Connection Server portal page. Horizon Clients should also work to the Unified Access Gateway URL.
Monitor Sessions
In UAG 3.4 and newer, in the UAG Admin interface,
- At the top of the page, next to Edge Service Settings, you can see the number of Active Sessions on this appliance.
- At the bottom of the page, under Support Settings, click Edge Service Session Statistics to see more details.
In older versions of UAG, to see existing Horizon connections going through UAG, point your browser to https://uag-hostname-or-ip-addr:9443/rest/v1/monitor/stats.
Logs and Troubleshooting
You can download logs from the Admin Interface by clicking the icon next to Log Archive.
You can also review the logs at /opt/vmware/gateway/logs
. You can less
these logs from the appliance console.
Or you can point your browser to https://MyApplianceIP:9443/rest/v1/monitor/support-archive. This will download a .zip file with all of the logfiles. Much easier to read in a GUI text editor.
For initial configuration problems, check out admin.log.
For Horizon View brokering problems, check out esmanager.log.
By default, tcpdump is not installed on UAG. To install it, login to the console and run /etc/vmware/gss-support/install.sh
- More info at Justin Johnson Troubleshooting Port Connectivity For Horizon’s Unified Access Gateway 3.2 Using Curl And Tcpdump
Load Balancing
If NetScaler, see https://www.carlstalhood.com/vmware-horizon-unified-access-gateway-load-balancing-citrix-adc/ load balance Unified Access Gateways.
To help with load balancing affinity, UAG 3.8 and newer can redirect the load balanced DNS name to a node-specific DNS name. This is configured in Edge Service Settings > Horizon Settings > More (bottom of page).
Related Pages
- Back to Omnissa Horizon 8
Hi Carl,
Can we implement UAG and connection servers without external and internal third party load balancer? Does it have any inbuilt solution? I m planning to use Horizon 7.8 with UAG 3.5.
Thanks
UAG has a High Availability feature that doesn’t need a load balancer.
For Connection Servers, you’d want a load balancer to provide high availability. Citrix ADC Express Edition is free for low bandwidth. There’s also DNS round robin, Windows Network Load Balancing, and free open source load balancers. Virtual load balancers are usually not very expensive.
I’ve set up a UAG 3.4 / 3.5 on a single basic 6.7 ESXi server as proof of concept for a client. I’ve imported the OVA, did the simplest 1 NIC installation, used DHCP to assign the IP. The appliance seems to load up fine, I can ping the IP. But when I try to connect on 9443 for the admin page all I get is “err_conection_refused” on all browsers. I followed installation guides to the letter. I get same problem on two different EsX servers (6.5 and 6.7) in different locations and with both UAG version 3.4. 3.5. Same problem.. only common denominator is hardware are HP DL380. No firewalls, no AV active
if anyone has any clues as to what i’m doing wrong.
Does it work with Static instead of DHCP?
I usually have to reboot the appliance after initial import to get it to work.
Same issue with static. It’s the oddest thing. I’ve even tried creating a private non routable network inside my VMware, pointed a vm workstation to the UAG and same problem. I have a Airwatch Configuration session with VMWare on Monday, I sure hope they can figure it out. thanks.
Can you log into the console? In UAG 3.5, you can enable SSH while deploying the OVA. Does SSH work?
The solution was to fire up a eval Vcentre, join the stand alone ESXi host to the Vcentre, deploy the UAG ova via vCentre and that resolved the issue – that sure is not in any of the documentation.
I managed to fix it. There was no IP Conflict. For some reason it doesnt work if i assign a static IP during the OVF deployment. So i set it to DHCP during OVF deployment and once up changed it to Static using ./vami_config_net . It’s up and working good now, not sure if it is a bug.
Hello Carl, Thanks for the great article. I deployed UAG3.4, however the admin interface neither the user interface doesn’t open. I tried to telnet on 9443 and UAG wont respond, i’ve deployed multiple times and ensured settings are correct.
Can you help me on what i might be missing?
Hi Carl, Can you assist on this pls
IP Conflict? Can you ping it? If so, when you shut off the VM, are you still able to ping the IP?
In our organization they are asking us to do Vulnerability Remediation for some vulnerabilities found on UAG appliances. is it possible to do the remediation’s of Vmware Vulnerabilities or it will break the appliance.
Are you asking if you can patch the appliance? I think the only supported method is to replace the appliance with the latest version.
Hi Carl,
can you explain how to generate the CSR for UAG.
Thank you
I usually do it on a Windows server IIS, then export as PFX, and upload to UAG.
Hello Carl,
we use the UAG-3.4 and we get no more HTML Access with Safari, Chrome, Edge. Only IE works fine. So we use the Default Proxy pattern
(/|/view-client(.*)|/portal(.*)|/appblast(.*))
Any ideas About htat?
Regards Olly
I think checkOrigin=false solve my problem….
Hi,
is it possbile to redirect the the landing page to VMware Horizon HTML Access – so the user don´t have to check “Check here to skip this screen and always use HTML Access”?
Thx!
Maybe set enable.download=false https://docs.vmware.com/en/VMware-Horizon-7/7.6/horizon-upgrades/GUID-10FAB7F4-D1AC-455F-8F99-3EDAF316E7AB.html
Hi Carl,
Great work. I’m having issues connecting to HTML blast from an external network. After I land to the eternal HTML site and login, I see my desktop. After connecting to it, it hangs then times-out.
Hi Carl, we are having a problem with the html access connection via our UAG version 3.3.1. Since the heavy client, everything goes perfectly, but when we go through a web browser, we have a relatively long waiting time before landing on the login page, and once we arrive at we log in after a long wait, it shows us this error message: “failed to resolve proxying route for request”
Yet we have checked everything, all the ports are correctly open …
Would you have been a track?
Thank you very much
What proxyPattern do you have configured?
Hello Carl, I am facing the same problem.. I used the proxy pattern that you described above and also tried leaving the field empty (to use default) .. but no worked for me ..
Hi Carl, quick question that’s not specified in the You Tube video or may have missed it – in UAG High Availability mode, what happens to the Users connected sessions (Blast in our case) that are tunnelled through a UAG that ‘goes off-line’ for whatever reason – are they automatically redirected through one of the other UAGs in the Cluster, thus not being disconnected? Or will they still have to reconnect their session?
Cheers,
Paul.
Since it’s a different IP address, I’m guessing they drop and have to reconnect. Also, I think UAGs require a https session to be established on the UAG before it allows Blast through, which is why load balancing persistence is so important.
Hi all,
I need some help.
I’ve been maintaining a HPE HC380 VDI with Horizon for 3 years now.
Several updates in the past, less and less problems, more and more speed and reliability.
But I just upgraded to ESXi 6.5 U1 with Horizon 7.6 (+ nVIDIA drivers for K1).
All is good EXCEPT … Blast is not working anymore !!!
Machine is available, I can connect, get the desktop… and after a few seconds, I get ” Desktop Disconnected. The connection to remote computer ended.”
If I try with PCoIP, all is good.
I have an UAG 3.3 if that’s envy help.
Hi Carl,
I am having problems with external HTML access, users are unable to connect to https://my.company.com.au to access it via their browser. They receive a 404 not found error
Funny thing is that it works when typing in https://my.company.com.au/portal/webclient/index.html#/
Would there be any configuration required to make https://my.company.com.au work? The client works externally without any problems. We are using 2 x UAG’s sitting behind a NetScaler load balancer. The 4 x connection servers are also sitting behind a load balancer.
What is your Proxy Pattern? Is “/” in the list?
Hi Carl, I found what the problem was, and you pointed it out! The proxy pattern needed to be (/|/view-client(.*)). Thanks for you prompt reply and keep up the good work with your guides. You’ve helped alot of us guys out there!
UAG 3.4 HA does not support HA of UDP (PCoIP used UDP)
Limitations
– IPv4 is supported for floating Virtual IP address. IPv6 is not supported.
– Only TCP high availability is supported.
– UDP high availability is not supported.
The documentation link that talks about the limitation in HA feature used in UAG 3.4:
https://docs.vmware.com/en/Unified-Access-Gateway/3.4/uag-34-deploy-config-guide.pdf
(Page#21)
– IPv4 is supported for floating Virtual IP address. IPv6 is not supported.
Is this stil an issue with UAG 3.10?
I doubt this is an issue with Horizon as phase 1 always is TCP, and phase 2 (possibly UDP) never passes the HA VIP.
The connection to Blast and PCoIP desktop is black screen via UAG.
Then show the error dialog box:
The connection to the remote computer ended.
Have you seen this troubleshooting guide? https://communities.vmware.com/message/2802266#2802266
I checked my environment:
the 443 port is OK. ( telnet IP 443 )
I understand bsg.log. about timeout:
Node.js version: v8.12.0
[2018-12-05 06:08:47.430] [INFO] 9711 [absg-master] – ABSG configuration: { PlayStoredLog: [Function],
fipsMode: false,
destHttps: true,
localPort: 8443,
localAddr: ”,
localHttps: true,
localHttpsCipherSpec: ‘!aNULL:kECDH+AESGCM:ECDH+AESGCM:kECDH+AES:ECDH+AES’,
localHttpsProtocolLow: ‘tls1.1’,
localHttpsProtocolHigh: ‘tls1.2’,
hmacAlgorithms: [ ‘sha1’, ‘sha256’ ],
enableUDP: true,
localUDPPort: 8443,
localUDPAddr: ”,
advertiseUDPPort: 8443,
advertiseThumbprintSHA1: ”,
advertiseThumbprintSHA256: ”,
externAddr: ‘photon-machine’,
externPort: 8443,
externHttps: true,
externDomain: ”,
adminAddr: ‘127.0.0.1’,
adminPort: 8123,
autostart: false,
logReplaceConsole: true,
logLevel: ‘INFO’,
logFilesize: 8388608,
logBackupCount: 5,
logFilename: ‘/opt/vmware/gateway/logs/bsg.log’,
logTraceUDP: 0,
certificateStore: ‘windows-local-machine’,
certificateFolder: ‘MY’,
certificateName: ‘vdm’,
productMode: true,
displayConfig: true,
maxUriLength: 2083,
requestTimeout: 120000,
sessionIdleTimeout: 60000,
webSocketSessionIdleTimeout: 120000,
removeUserAgentHeader: false,
addProxyAgentHeader: true,
removeJSessionId: false,
allowMany2OneAccess: false,
allowManyRoutesToDest: true,
ipProtocol: ‘Dual4’,
useExternalForwarder: true,
labelGenerationMaxRandomAttempts: 10000,
auxFlowLabelPrefixGenerationMaxRandomAttempts: 10000,
auxFlowsAllowed: true,
externalForwarderFlowCleanUpPeriodSec: 600,
externalForwarderFlowCleanUpEnabledMainFlow: true,
externalForwarderFlowCleanUpEnabledAuxFlow: true,
https: {},
localOnlyAddr: ‘127.0.0.1’,
anyInterfaceAddr: ”,
numWorkers: 2,
hideToken: false,
doLoadbalance: false,
pidWidth: 7,
externalForwarderPath: ‘/opt/vmware/gateway/bin/udpforwarder’,
numUDPWorkers: 1,
udpVersion: 2,
isTraceEnabled: false,
isDebugEnabled: false }
[2018-12-05 06:08:47.430] [INFO] 9711 [absg-master] – Loaded key and certificate from default files.
I don’t have Load balancer .
I don’t configue UAG certificate.
The connection server certificate has been configured.
443 port is OK.
web is OK use HTML
Hi, were you able to figure out the issue? I’m currently experiencing same problem.
Do you connect your UAG’s to a .local connection server?
Same thing 🙁 black screen in PCoIP over two UAG’s, triple checked all ports – everything OK.
HTML and Blast working, PCoIP nope!
Did you fixed that?
Has anybody had any luck configuring UAG 3.3.1 with DUO TFA?
We are in the POC stage of deploying Horizon View 7.6 and I am working on this part currently.
Everything I have seen so far mentions UAG and DUO but there are no clear instructions on how to get it working.
We use Duo and view with UAG, however we configure it on the connection server not on the UAG.
Mike
Never mind, I was able to figure out the problem
What was the fix?
I just did this implementation UAG 3.3.1 with DUO Security RADIUS directly into UAG 3.3.1. And usign F5 to load balance the traffic. I did a documentation and I sent it to DUO for review.
Steve, Did DUO review your document? I really would like to read your documentation if you’re willing to share.
Hi Carl, we have exact the same configuration as above, but we use Kemp load balancers. We are currently in a test environment.
When we connect from an external network and we shutdown the UAG that we are connected with, the session freezes. We have to disconnect and reconnect to make sure the session can continue. So it does not balance us automatically to the other UAG.
I know that kemp is not your expertise, but can you maybe give us some suggestions?
Waiting for your response.
Best regards,
Behroez Moosavi
Behroez, Make sure that Kemp Load balancer can support mulit port affinity. F5 does- I know the A10’s do not. Or should i say they say it should but is does not. We had to have three VIPs and point the blast gateway and tunnel directly to the UAG external ip addresses to get it working.
Also point the pciop to the ip address of the UAG’s direclty. This solved our issue.
vdi.mywork.com
vdi.mywork01.com
vdi.mywork02.com
The a10 was able to support 443 but when it goes to the secondary ports 4172 it would fail. So once authentication is done and you click on the desktop point the tunnel and blast gateway directly to the 01 and 02 on each UAG. It is a supported config.
Look at option 3 in the article it might help your situation.
https://communities.vmware.com/docs/DOC-32792
Hello Carl
First of all great website …
We have an environment as shown in your image “Unified Access Gateway in DMZ Topology”. The UAGs are configure for MFA with two loadbalanced Radius servers. Everything works fine so far.
We got only one problem, after login with MFA on one of the UAGs you have to login on the view portal a second time. This login page shows the Active Directory drop down menu with all our domains. After login with correct domain you can start the session.
Is there a posiblity to do a SSO after MFA login on the UAGs?
Kind regards
Tom
Hi Tom and Carl,
I have the same setup as Tom and I have the same issue. It kind of login twice. Have you able to configure the SSO after the MFA login? I even enable the setting for “Enable the Windows SSO” but still not work for me.
Best regards,
Tony
Hello,
unfortunately, after the update from Horizon Server 7.3.1 to 7.6, the UAG does not work anymore. All points are green but the Horizon target server is red, this would be shut down. In the logs I find the following:
ERROR client.HttpClient[exceptionCaught: 286][]: Exception caught while communication to backend: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
ERROR view.ViewEdgeService[onFailure: 650][]: unable to query Horizon Broker: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
Does anyone have an idea what has changed with version 7.6? I have already tried the latest UAG appliance and installed a fresh server with 7.6, but unfortunately the same error.
Thank you for any support! :-))
Did the Connection Server certificate change? Does the UAG have the correct thumbprint?
Hello Carl,
thank you for your answer. No certificates are used, the thumbprint has remained the same and has been tested. I’ve installed a new Connection Server trial with a new thumbprint but unfortunately this does not work either. Except the update via the Connection Server over it run was not changed.
I have the same issue. Have you found a solution?
Unfortunately not yet, but yesterday I opened a ticket with VMware and wait for an answer from the support. Should the gateways work again I will share the solution.
ok, the problem here was pretty “simple”. We had used a UAG FIPS the whole time, but you probably need a server with FIPS enabled and the CS with FIPS. The CS 7.3 was no matter the UAG ran, but with the 7.6 does not work anymore. Just rolled out a new UAG without FIPS and in two minutes everything went well again.
Thanks. That resolved it for me as well.
Any command you can run on a UAG v3.2.1 to get the number is sessions going through the at point in time. Just checking if it’s taken out of the VIP, when the sessions are cleared off it. Cheers, Paul.
See https://communities.vmware.com/message/2795558#2795558
Also see http://andrewmorgan.ie/2018/03/viewing-vmware-unified-access-gateway-statistics-with-rest/
You could use vROPS for Horizon or Horizon Helpdesk to get this information.
IMHO network profile for version 3.3 is still needed. But the OVA logic installs the profile automatically in your environment, so no need to create the settings yourself
Hello everyone,
i have a question.
One customer from me have the following demand.
200 Licenses.
One VDI Pool (Horizon 7.5)
One UAG
It should maximum 50 user connect to over the UAG to the one pool.
The customer wish 150 free licenses for internal students.
A secound pool is not desired.
Do I have a way to do this?
Thanks for helping.
HI Carl,
We have a similar setup to what you are depicting in your diagram with NetScalers in the DMZ but no load balancers on the internal network. Essentially 1 UAG(3.1) speaks to 1 Connection server (7.3.1) only. The Netscalers VPX 200 (11) use SSL_BRIDGE to connect to the UAGs as per one of your previous posts.
I need to to document Client IPs and MAC addresses hitting the SSL_BRIDGE service so only external connections. I was wondering if you could recommend the best way to achieve this
I need to document 6 months worth of SRC IP SRC MACr. I presume the NetScaler would be the place or perhaps the UAGs.
I hope you are able to point me to the right path on this one.
Thanks
T
You can bind a Responder that has User Defined Logging configured. https://support.citrix.com/article/CTX200908 and https://serverfault.com/questions/833925/log-source-ip-of-traffic-destined-to-cirtix-netscaler/834013
Carl,
Have you seen where users randomly are not allowed to connect over pcoip thru the UAC? They can connect over BLAST. We’re experiencing this right now, and it was working a couple of days ago.
hi Carl
why cann’t i save radius configuration? i keep getting and error \”Error in saving the authentication method”
@above
Use the PowerShell method to deploy: https://communities.vmware.com/docs/DOC-30835
[Horizon]
proxyDestinationUrl=https://view.xxx.com
tunnelExternalUrl=https://workspace.xxx.com:443
blastExternalUrl=https://workspace.xxx.com:443
pcoipExternalUrl=80.xxx.xxx.xxx:4172
[WebReverseProxy1]
instanceId=VIDM
proxyDestinationURL= https://workspace.xxx.com
proxyPattern=(/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*))
unSecurePattern=(/catalog-portal(.*)|/|/SAAS/|/SAAS|/SAAS/API/1.0/GET/image(.*)|/SAAS/horizon/css(.*)|/SAAS/horizon/angular(.*)|/SAAS/horizon/js(.*)|/SAAS/horizon/js-lib(.*)|/SAAS/auth/login(.*)|/SAAS/jersey/manager/api/branding|/SAAS/horizon/images/(.*)|/SAAS/jersey/manager/api/images/(.*)|/hc/(.*)/authenticate/(.*)|/hc/static/(.*)|/SAAS/auth/saml/response|/SAAS/auth/authenticatedUserDispatcher|/web(.*)|/SAAS/apps/|/SAAS/horizon/portal/(.*)|/SAAS/horizon/fonts(.*)|/SAAS/API/1.0/POST/sso(.*)|/SAAS/API/1.0/REST/system/info(.*)|/SAAS/API/1.0/REST/auth/cert(.*)|/SAAS/API/1.0/REST/oauth2/activate(.*)|/SAAS/API/1.0/GET/user/devices/register(.*)|/SAAS/API/1.0/oauth2/token(.*)|/SAAS/API/1.0/REST/oauth2/session(.*)|/SAAS/API/1.0/REST/user/resources(.*)|/hc/t/(.*)/(.*)/authenticate(.*)|/SAAS/API/1.0/REST/auth/logout(.*)|/SAAS/auth/saml/response(.*)|/SAAS/(.*)/(.*)auth/login(.*)|/SAAS/API/1.0/GET/apps/launch(.*)|/SAAS/API/1.0/REST/user/applications(.*)|/SAAS/auth/federation/sso(.*)|/SAAS/auth/oauth2/authorize(.*)|/hc/prepareSaml/failure(.*)|/SAAS/auth/oauthtoken(.*)|/SAAS/API/1.0/GET/metadata/idp.xml|/SAAS/auth/saml/artifact/resolve(.*)|/hc/(.*)/authAdapter(.*)|/hc/authenticate/(.*)|/SAAS/auth/logout|/SAAS/common.js|/SAAS/auth/launchInput(.*)|/SAAS/launchUsersApplication.do(.*)|/hc/API/1.0/REST/thinapp/download(.*)|/hc/t/(.*)/(.*)/logout(.*))
loginRedirectURL=/SAAS/auth/login?dest=%s
authCookie=HZN
@carl
Please add a note that deploying anything but ‘Single NIC’ isn’t supported with the HTML OVF Deployment Wizard, they require Flex (Flash Interface) or PowerShell. And of course Horizon 7.5 is also supported with 3.3.
Thanks. I updated the article.
Carl,
Any reason you can think of why we’d be getting an error of “The connection Server authentication failed. The tunnel server presented a certificate that didn’t match the expected certificate.”? We get this when coming in through the UAGs with our Horizon client, but only when Tunnel is enabled. If tunnel is disabled, we don’t get it, we get it fine, but, obviously functions like USB redirection do not work. I’m using a wildcard cert. I’m thrown off by the error because if it’s a cert mismatch, why do I only get it when Tunnel is enabled?
We utilize F5 as our load balancer. Essentially all users, internally and externally, go to a GTM. We’ll call it https://vdi.site.com. For this discussion, since it’s UAG, we’ll stick to external use case.
When they hit the GTM, there are 2 LTMs behind it:
DC1LTM = UAG 1, UAG 2
DC2LTM = UAG 1, UAG 2
The UAGs themselves are pointed at another LTM for connectivity to their Horizon brokers.
In my Horizon client, I’m telling it to use the DC1 UAG LTM to test, and this is where I run into the error above. What’s odd is, if I leave tunnel enabled, but switch the external URL to DC1LTMFQDN:8443 (the dialog box in the UAG says use 8443 but I see your screenshot uses 443; I tried both), I get an error of “tunnel re-connection is not permitted”.
Not sure how related it is to my issue, but, the one line from the deployment guide from F5 that I keep going back to about changing, is the one that states:
In the Virtual Servers and Pools section, complete the following. a. Type the IP address for the virtual server. b. Type the FQDN to which external clients will connect with the Horizon Client.
For point B. we’re actually putting in that field the LTM FQDN of whicever iApp we’re configuring at that time. I’m wondering if instead we should be putting in the GTM. Our F5 admin put in the LTM and I can see where he’s going with that, but, I wonder if that’s a mistake and we should use the GTM, since quite literally the users are indeed going to the GTM, that then hands them off to the LTM.
Hi,
Can anyone please advise I am trying to setup RSA SecureID but iam getting the following error message.
“Failed to set adapter configuration. A SecurID connectivity or configuration error has occurred.”
UAG is in DMZ and RSA Security ID is on internal network. the following ports are open but still no luck. has anyone managed to setup RSA SecurID authentication with UAG.
Port: 5500 Protocol: udp
Port: 5550 Protocol: tcp
Port: 5580 Protocol: tcp
Hi assirnadeemNad,
How did you resolve this? I’m having the same Issue
Hi Iannone sorry for late reply my issue was related to gateway entry and DNS was not resolving RSA. After adding gateway address and correct DNS the issue was resolved thx
Hello,
The locked.properties article referenced in the HTML access configuration part is no longer correct. This is the one that I found for Horizon 7 7.4: https://docs.vmware.com/en/VMware-Horizon-7/7.4/horizon-installation/GUID-FE26A9DE-E344-42EC-A1EE-E1389299B793.html
Great work Carls,
Just need a bit help setting up UAG with two nic deployment. I am confused how to setup network protocol profiles for external network and internal network. Can you please advise how can I achieve this.
Thanks,
Nad
Hi Carl,
Thanks you for such a detailed post. I would like to understand few things
1. Can we configure horizon port 8443 and workspace ONE port 443 both service on single UAG 3.2 appliance.
2. How it works as we hit FQDN without specific port.
e.g :
1 vdi.domain.com – for horizon
2 wpone.domain.com – for workspace one.
Want to know how it will work with given port sharing feature enabled.
I tried but only 1 of the service is responding at a time.
Appreciate your help in advance.
Issue resetting admin password. I use the normal firstboot option to change the admin password. but when I login ans get the change password screen it failed to update it.
{“timestamp”:1515581855647,”status”:401,”error”:”Unauthorized”,”message”:”login.error”,”path”:”/rest/v1/config/adminusers/change-password”}
can’t fine anyting on VMWARE.com about this
I assume VMware would recommed re-deploying the appliance.
Hi Carl, Fantastic blog as always. I have a question about 2-factor authentication. I have successfully configured 2-factor on my customers UAG. The issue is, they have a list of public IP addresses that need to bypass Duo 2-factor. Is this something that would be configured on the Unified Access Gateway appliance or would this need to be configured on the customers on their F5 Access Policy Manager?
You would configure this in Duo.
Is it normal to have the VCS server to report Unknown in red under the Security Servers in the Dashboard?
Everything works fine, but the VCS server is reporting Unknown since we moved to UAG.
Hi carls,
I have a problem with SSL certificates to use BLAST and HTML ACCESS.
I don’t use AEG or Security Server. I applied on my parent machine: the Horizon agent with HTML Access.
On this machine we have a Blast certificate in the personal Windows store. I insert my CA root and intermediate CA authority certificates in the personal store and trusted editors.
I also apply a Wildcard generated from our CA root. When I deploy, I find my VDI machines with the certificates but unfortunately I still suffer from non-approved certificate warnings regardless of the web browser.
Any ideas ?
I read the HTML Access PDF, the KB 2088354, the forum https://communities.vmware.com/thread/496892
I successfully managed to use UAG instead of Security server. But in my Horizon Dashboard, the old Sec server is still there and showing as red… How can I remove that and eventually have the UAG showing up ?
external IP is the same…
See https://docs.vmware.com/en/VMware-Horizon-7/7.3/horizon-administration/GUID-57609AEE-9B64-4173-BE0F-E93B32549BC3.html#GUID-57609AEE-9B64-4173-BE0F-E93B32549BC3
Have a question about the Blast Gateway, with the certificate error received if behind the UAG should that Gateway be enabled so it routes internal users to UAG rather than directly to the agent where the client will get a certificate error? Thanks
If you need HTML Blast, and if you want to prevent certificate errors, you can proxy the connection through your Connection Servers by enabling the Blast Gateway, or you can proxy the connection through a UAG, or you can install valid certificates on each Agent.
How do I know which interface is which in the config? How do I know if the “netManagementNetwork” config setting in the script is the target interface for the “ip1” setting?
Trying to do a threenic installation. Deployment runs fine, but the appliance never responds on the management IP. Tried to reboot the appliance several times, but to no avail.
What version of netscaler is required for this configuration?
If VPX, you’ll need one of the newer versions (I think 11+) to support TLS 1.2 on the back end.
standard, platinum? 100Mb should do right?
For regular load balancing, Standard is fine.
How many concurrent UAG connections? I’m assuming PCoIP/Blast are going through NetScaler.
Your NetScaler might be doing decrypt/re-encrypt of Blast, which means fewer users than maximum bandwidth. If PCoIP, it should be just forwarding as is.
possibly 3000
One UAG I think is rated for 2,000 users.
If you assume 250K per active user, that’s around 732 Mbps. So VPX would need to be at least 1000, which gives you two more vCPUs.
does F5 present any advantage to NS having 2000-3000 users?
F5 can replace UAG. NetScaler can replace UAG for PCoIP only. I assume NetScaler will eventually add Blast protocol.
Otherwise, it’s standard load balancing.
BTW I didn’t know blast would require decrypt / re-encrypt by NS…any recommendation for possibly 3000 users. Most of them are internal but just out of curiosity.
Internal traffic doesn’t go through NetScaler and instead goes directly from Horizon Client to Horizon Agent. Thus not much traffic needed on NetScaler. It’s only UAG users that send traffic through NetScaler.
I don’t see point of replacing UAG, in both cases NS and F5 can I just use standard LB and let UAG do the job for any protocol?
Hi Carl Just last question. Without replacing UAG, F5 license just to load balance service, internal and external, F5 “Good” license should be enough right?
Yep. It’s just normal load balancing. The only extra bit is persistent “Match Across”.
Since UAG is in Prod, users receive this : VMWare Horizon Client – Logout Request by system.
As long as we don’t click OK, it is fine except that USB is not working…
We are on 7.2
Hello Carl, I was wondering about the sentence ” Open these ports from any device on the Internet to the Unified Access Gateway Load Balancer VIP:
TCP and UDP 443 (includes Blast Extreme)
TCP and UDP 4172. UDP 4172 must be opened in both directions. (PCoIP)
TCP and UDP 8443 (for HTML Blast) “.
In our case – this traffic goes to the REAL IP Addresses of the Firewall, which forward the traffic to the security servers in question. In other words, if the settings for the different gateway protocols – PCoIP, BLAST and HTML blast all points to something which is not the load balancer’s IP Address one would not need to open them at all.
By my understanding, once authenticated to UAG, a client will receive and process an URL which should be used for further “secondary” protocols. If this “link”/setting/url does not lead to the IP of the load balancer -then this traffic will not traverse the load balancer at all.
Please correct me if I am wrong.
You can do it either way. If your load balancer supports persistence across multiple port numbers, then you can send all ports through a single public IP that resolves to one VIP. Otherwise, you send 443 to the load balancer, and 4172 and 8443 directly to each UAG.
Hi Carl,
Can you explain why on the Connections Servers the Gateways have to be disabled?
Before we were using Security Server on Windows in the DMZ and had all these gateways enabled.
We could connect through Blast Secure Gateway on HTML Access on the URL of the Security Server (from outside the office) and to the URL of the Connection Server for internal HTML Access.
We now have disabled all the Gateways on the Connection Server and now it’s not possible to use HTML Access through the Connection Server. It seems like it’s want to connect to the IP of the linked clone directly instead of through the Connection Server.
Why can’t I enable the Blast Secure Gateway for internal HTML Access to the View Desktops?
Enabling it on Connection Servers overrides the same functionality on UAG.
One option is to build separate VCSs for internal users and enable it on them. Make sure UAG doesn’t connect to those VCSs.
Hi Carl, just a quick observation – if I make the change to the portal-links-html-access.properties file to disable the enable download feature (=false) it works when connecting directly via the Connection Servers (v7.2) or internal VIP, but breaks the UAG access (v3.0) and the Proxy Destination Server turns red on the Admin page.
If I change it back, the UAG access works again, but obviously still shows the download option.
Is there a proxy pattern I need to enter to permit UAG access as it seems to be having an issue talking to the Connection Server? (I’ve tried a few combinations to no avail….)
Thanks!
Quick heads up – seems to be an issue with the VIP/Load Balancing as when make the change the internal vip shows the Connection Servers are unavailable…..
Question: The time out setting under advanced config…it’s set to 3600000 milliseconds – or ten hours – IS there a know way to set that to never timeout? Like can I use -1 or zero or something so that sessions are never disconnected? VMware support said to fill it with 9’s and that’s the best I can do.
Is that true?
I haven’t personally tried it up the tooltip with 3.3.1 (at least) says to set it to 0 to disable the timeout.
Got a working UAG v2.9 and replaced it with UAG 3.0, but UAG 3.0 does not work. I get a certificate error when accessing Horizon with a browser. It seems like the UAG 3.0 does not like SANs in the certificate. Tried both PFX and PEM methods for UAG 3.0 deployment. Booting up the UAG 2.9 again, and all works again.
Any thougts on that?
Hi Carl,
Tupid question but I can’t find the answer anywhere… how do I change the IP address of the UAG 3.0 after deployment ??
Thanks
Fabian
You might have to delete it and re-deploy it. You can save the config to a file. Re-deploy. Then upload the config again.
OK, Done that.. but I struggle with it.
I’m left with
Proxy Destination Server RED.
I only have one Connection server and replacing the Secure server by UAG on the same IP.
Any hint on what am I doing wrong here ?
Either UAG can’t resolve the DNS name, can’t talk to the destination address, or the certificate thumbprint you imported doesn’t match the certificate on the Connection Server (or load balancer).
It is SUSE linux so find in google how to change IP in this distribution. I changed the IP yesterday by editing ifcfg-eth0 file (sigle NIC deployment).
Hi Carl,
We’ve been using UAG for a long time now.. and the latest build 3.0 has been fine for a month or so but now within a few days of each other, two of the three UAG’s have gone offline (or somehow stopped passing user traffic). They just stopped working…
I can pull up the admin site, but if I disable “server 1 and 2” so only “server 3” is active in the netscaler LB… i cant connect the Horizon client. A few days ago it was server three…. so i took it out of the mix… Today server 2 did it….
A reboot of the UAG fixes it.. but kinds annoying… as no users can get in that the netscaler decides to hand off to that UAG for access…
Anyone else have this issue?
I really don’t want to open a ticket… as it’ rather irritating how long tickets take to work with VMware… especially on a issue like this.
Three 3.0 UAG servers behind a netscaler, load balanced following the articles you’ve got here.
They connect to two 7.2 connection servers, also on a VIP.
I recently built a new Horizon environment for a client a few weeks ago, and we just had this issue today. It is a very small environment with no load balancer, with all traffic going through the UAG. This caused a production outage. I checked the UAG and all of the services were green. Rebooting the UAG fixed the issue. I have them opening a ticket with VMware support and will let you know what we find out.
Known issue with 3.0. Resolved with 3.1 (resolved issues in release notes) and later. Also, 3.0 not supported with 7.2.
Better late than never…
Hello Carl, Following ur site since a while now and i m wondering if u have any suggestion regarding the monitoring of the VMware Unified Access Gateway.
I m usually using snmp agent or shinken agent to monitor our infrastructure but it seem that VMware didn’t plan to do any of those.
For now i doing a simple snmp check to make sure the gateway is alive and some http check.
Any suggestion would be very welcome 🙂
Thx u for all those great articles !
Hi Carl
Some updates needed on the UAG version supported,
– For VMW Horizon minimum version of UAG is 2.8.1 or higher except for Horizon 6.2/6.2.1/6.2.2 is UAG_v2.5.1
– for vIDM min version of UAG is v2.8/2.8.1 or higher
http://partnerweb.vmware.com/comp_guide2/sim/interop_matrix.php#interop&152=&260=&153=&154=&140=&23=
Thanks.
Carl, I’d like to ask a question. I deployed two UAGs with PS and the first one came up fine, but the second one, well, I can’t get to the web interface. I used the exact same PS script except that I changed the name and IP address and the datastore, but still the web admin interface will not load. I can ping it and in VMware, I can console to it, so I’m at a loss as to what happened. Any thoughts?
I figured this out. It was the PEM cert that was causing the problem.
Hi carls,
I need your help in configuring reverse proxy in access point for my IDM URL so that my users can open the IDM URL from internet and they can access published application and desktops. I am listing down my infrastructure details can you please guide me how to achieve this.
1. I have 2 AP configured in the DMZ and both are in single NIC configuration
2. both the AP is configured behind a Netscaler load balancer in the DMZ
3. The external URL which is configured in the AP is VDI.Gridtech.com and I have the same URL for internal access as well
4.I have deployed and configured two IDM 2.8 appliance with an internal FQDN as IDM01.gridtech.grid.com and IDM02.gridtech.grid.com
5. Created a DNS entry as workspace.gridtech.com internally
6.i can access workspace.gridtech.com internally and I am able to launch the applications and desktop seamlessly through the workspace portal
7. I want to access the same URL from internet and reverse proxy needs to be configured through my access point
can you please help me with the steps which I need to do.
I’m trying the same thing not a lot of luck thus far. VMware support has not been very helpful either.