Omnissa Unified Access Gateway 2412

Last Modified: Jan 29, 2025 @ 4:53 pm


Overview

Unified Access Gateway provides remote connectivity to internal Horizon Agent machines. For an explanation of how this works (i.e., traffic flow), see Understand and Troubleshoot Horizon Connections at Omnissa Tech Zone.

Unified Access Gateway (formerly known as Access Point) is a replacement for Horizon Security Servers. Advantages include:

  • You don’t need to build extra Connection Servers just for pairing. However, you might want extra Horizon Connection Servers so you can filter pools based on tags.
  • Between Unified Access Gateway and Horizon Connection Servers you only need TCP 443. No need for IPSec or 4001 or the other ports. You still need 4172, 22443, etc. to the View Agents.
  • No need to enable Gateway/Tunnel on the internal Horizon Connection Servers.
  • Additional security with DMZ authentication. Some of the Authentication methods supported on Unified Access Gateway are RSA SecurID, RADIUS, CAC/certificates, etc.

However:

  • It’s Linux. You can deploy and configure the appliance without any Linux skills. But you might need some Linux skills during troubleshooting.

Horizon View Security Server has been removed from Horizon 2006 (aka Horizon 8).

More information at VMware Blog Post Technical Introduction to VMware Unified Access Gateway for Horizon Secure Remote Access.

Horizon Compatibility – Refer to the interoperability matrix to determine which version of Unified Access Gateway is compatible with your version of Horizon.

  • The latest version of UAG is 2412.
    • You usually want the Non-FIPS version.
    • Then download the PowerShell deployment scripts on the same UAG download page.
  • If you are running an ESB version of Horizon, then make sure you run the ESB version of Unified Access Gateway. Get it from the same page as your Horizon download.
    1. Use the Select Version drop-down to select the version of Horizon you have deployed.
    2. Then open the downloads for the edition that you are entitled to: Standard, Advanced, or Enterprise.
    3. Scroll down the page to see the Unified Access Gateway downloads. You usually want the Non-FIPS version.
    4. Then download the PowerShell deployment scripts on the same UAG download page.

Firewall

See Omnissa Horizon Blast Extreme Display Protocol at Omnissa Tech Zone, and Firewall Rules for DMZ-Based Unified Access Gateway Appliances at Omnissa Docs.

Open these ports from any device on the Internet to the Unified Access Gateway Load Balancer VIP:

  • TCP and UDP 443
  • TCP and UDP 4172 (PCoIP). UDP 4172 must be opened in both directions.
  • TCP and UDP 8443 (for HTML Blast)

Open these ports from the Unified Access Gateways to internal:

  • TCP 443 to internal Connection Servers (through a load balancer)
  • TCP and UDP 4172 (PCoIP) to all internal Horizon View Agents. UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon View Agents.
  • TCP and UDP 22443 (Blast Extreme) to all internal Horizon View Agents.
  • TCP 9427 (MMR and CDR) to all internal Horizon View Agents.

Open these ports from any internal administrator workstations to the Unified Access Gateway appliance IPs:

  • TCP 9443 (REST API)
  • TCP 80/443 (Edge Gateway)

PowerShell Deploy Script

See Using PowerShell to Deploy VMware Unified Access Gateway at Omnissa Docs. The script runs OVF Tool to deploy and configure Unified Access Gateway. The PowerShell script is updated as newer versions of Unified Access Gateway are released. This is the recommended method of deploying Unified Access Gateway.

If you prefer to use vSphere Client to Deploy the OVF file, skip ahead to Upgrade or Deploy.

The PowerShell deployment script is downloadable from the UAG download page.

The PowerShell deploy script requires the OVF Tool:

  1. Download ovftool from Broadcom.
  2. On the machine where you will run the UAG Deploy script, install VMware-ovftool-…-win.x86_64.msi.
  3. In the Welcome to the VMware OVF Tool Setup Wizard page, click Next.
  4. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  5. In the Destination Folder page, click Next.
  6. In the Ready to install VMware OVF Tool page, click Install.
  7. In the Completed the VMware OVF Tool Setup Wizard page, click Finish.

Create or Edit a UAG .ini configuration file:

  1. Extract the downloaded uagdeploy PowerShell scripts for your version of Unified Access Gateway.
  2. If you have an existing UAG appliance, then you can download an INI of the configuration from the UAG Administrator page.

    • Or copy and edit one of the downloaded .ini files, like uag2-advanced.ini.
  3. A full explanation of all configuration settings can be found at Using PowerShell to Deploy Unified Access Gateway at Omnissa Docs.
  4. For any value that has spaces, do not include quotes in the .ini file. The script adds the quotes automatically.
  5. The name setting specifies the name of the virtual machine in vCenter. If this VM name already exists in vCenter, then OVF Tool will delete the existing VM and replace it.
  6. Add a uagName setting and specify a friendly name. You’ll later add this name to Horizon Console so you can view the health of the UAG appliance in Horizon Console.
  7. You can optionally enable SSH on the appliance by adding sshEnabled=true.
  8. For the source setting, enter the full path to the UAG .ova file.
  9. For the target setting, leave PASSWORD in upper case. Don’t enter an actual password. OVF Tool will instead prompt you for the password.
  10. For the target setting, specify a cluster name instead of a host. If spaces, there’s no need for quotes. For example:
    target=vi://admin@corp.local:PASSWORD@vcenter02.corp.local/Datacenter/host/Cluster 1
  11. Specify the exact datastore name for the UAG appliance.
  12. Optionally uncomment the diskMode setting.
  13. For a onenic configuration (recommended), set the netInternet, netManagementNetwork, and netBackendNetwork settings to the same port group name.
  14. Multiple dns servers are space delimited.
  15. For pfxCerts, UNC paths don’t work. Make sure you enter a local path (e.g. C:\). OVA Source File can be UNC, but the .pfx file must be local.
  16. There’s no need to enter the .pfx password in the .ini file since the uagdeploy.ps1 script will prompt you for the password.
  17. proxyDestinationUrl should point to the internal load balancer for the Horizon Connection Servers.
  18. For proxyDestinationUrlThumbprints, paste in the sha256 (or higher) thumbprint of the Horizon Connection Server certificate in the format shown: sha256= followed by the colon-separated hex fingerprint.
    • If your Horizon Connection Servers each have different certificates, then you can include multiple thumbprints (comma separated).
  19. Make sure there’s no hidden character between sha256= and the first hex digit. Or you can just paste the thumbprint without specifying sha256. Note: sha1 is no longer supported, so a SHA-1 thumbprint will be rejected. Edge and Chrome show the SHA-256 certificate fingerprint on the certificate’s Details tab.
  20. Change the ExternalUrl entries to an externally-resolvable DNS name and a public IP address. For multiple UAGs, the FQDNs and public IP address should resolve to the load balancer. Note: your load balancer must support persistence across multiple port numbers (443, 8443, 4172).

When you run the PowerShell script, if the UAG appliance already exists, then the PowerShell script will replace the existing appliance. There’s no need to power off the old appliance since the OVF tool will do that for you.

  1. Open an elevated PowerShell prompt.
  2. Paste in the path to the uagdeploy.ps1 file. If there are quotes around the path, then add a & to the beginning of the line so PowerShell executes the path instead of just echoing the string.
  3. Add the -iniFile argument and enter the path to the .ini file that you modified. Press <Enter> to run the script.
  4. You’ll be prompted to enter the root password for the UAG appliance. Make sure the password meets password complexity requirements.
  5. You’ll be prompted to enter the admin password for the UAG appliance. Make sure the password meets password complexity requirements.
  6. For CEIP, enter yes or no.
  7. For .pfx files, you’ll be prompted to enter the password for the .pfx file. Note: the .pfx file must be local, not UNC.
  8. OVF Tool will prompt you for the vCenter password. Special characters in the vCenter password must be URL-encoded (percent-encoded). Prefer encoding it locally (PowerShell and .NET have built-in URI escaping) rather than pasting a privileged vCenter credential into a third-party web page such as https://www.urlencoder.org/. Then paste the encoded password when prompted by the ovftool. The UAG passwords do not need encoding, but the vCenter password does.
  9. The deploy script will display the IP address of the powered on UAG appliance.
  10. Review settings in the UAG admin interface.
  11. Add the new UAG appliance to Horizon Console.
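
The two procedures above (build the .ini, then run uagdeploy.ps1) as one runnable PowerShell example. This is an added example, not code from the uagdeploy package or from the original page. Every host name, IP address, path, cluster name and datastore name is a placeholder, and the keys not named in the text (deploymentOption, ip0, netmask0, defaultGateway, ds) are taken from the sample uag2-advanced.ini that ships with the deploy scripts. The thumbprint is read straight from the Connection Server over TLS instead of being copied out of a browser, which also sidesteps the hidden-character problem described above; the same generated string is what you would paste into the admin UI’s Proxy Destination URL Thumb Prints field. Set-Clipboard requires Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example, not part of the uagdeploy package or the original page. It writes a
# .ini that follows the rules above and then runs uagdeploy.ps1 against it.
# Placeholders (assumptions): every host name, IP, path, and the cluster/datastore names.
# Keys not named in the text above (deploymentOption, ip0, netmask0, defaultGateway, ds)
# come from the sample uag2-advanced.ini shipped with the deploy scripts.

# Read the Connection Server certificate over TLS and return its thumbprint in the exact
# form UAG wants (sha256=AA:BB:...). Generating it avoids the hidden character that can
# ride along when a fingerprint is copied out of a browser.
function Get-Sha256Thumbprint {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever certificate is presented: we are reading it, not trusting it yet.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
        return 'sha256=' + (($hash | ForEach-Object { $_.ToString('X2') }) -join ':')
    }
    finally { $client.Dispose() }
}

# OVF Tool expects reserved characters in the vCenter password to be percent-encoded.
# Encode locally so the credential never goes into a web page.
function ConvertTo-OvfToolPassword {
    param([Parameter(Mandatory)][securestring]$Password)
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    return [uri]::EscapeDataString($plain)
}

$ScriptDir    = 'C:\UAG\uagdeploy'                       # extracted uagdeploy scripts (placeholder)
$OvaPath      = 'C:\UAG\euc-unified-access-gateway.ova'  # may be UNC; the .pfx may not
$PfxPath      = 'C:\UAG\certs\uag.pfx'                   # placeholder, must be local
$ConnServerLb = 'horizon-internal.corp.local'            # internal Connection Server load balancer (placeholder)

if ($PfxPath.StartsWith('\\')) { throw 'pfxCerts must be a local path, not UNC' }
foreach ($p in $OvaPath, $PfxPath, (Join-Path $ScriptDir 'uagdeploy.ps1')) {
    if (-not (Test-Path $p)) { throw "Missing file: $p" }
}
$Thumbprint = Get-Sha256Thumbprint -HostName $ConnServerLb

# No quotes around values with spaces; PASSWORD stays literal so OVF Tool prompts for it.
# onenic: all three networks point at the same DMZ port group. dns is space delimited.
$ini = @"
[General]
name=UAG1
uagName=UAG1
source=$OvaPath
target=vi://admin@corp.local:PASSWORD@vcenter02.corp.local/Datacenter/host/Cluster 1
ds=Datastore 1
diskMode=thin
deploymentOption=onenic
netInternet=DMZ
netManagementNetwork=DMZ
netBackendNetwork=DMZ
ip0=192.0.2.10
netmask0=255.255.255.0
defaultGateway=192.0.2.1
dns=10.0.0.10 10.0.0.11
sshEnabled=false

[SSLCert]
pfxCerts=$PfxPath

[Horizon]
proxyDestinationUrl=https://$ConnServerLb
proxyDestinationUrlThumbprints=$Thumbprint
pcoipExternalUrl=203.0.113.10:4172
blastExternalUrl=https://view.corp.com:8443
tunnelExternalUrl=https://view.corp.com:443
"@

$IniPath = Join-Path $ScriptDir 'uag1.ini'
Set-Content -Path $IniPath -Value $ini -Encoding ASCII   # no BOM, no stray non-ASCII bytes

# uagdeploy.ps1 prompts for the UAG root/admin passwords, CEIP, and the .pfx password.
# OVF Tool then prompts for the vCenter password; put the encoded form on the clipboard
# so it can be pasted at that prompt, and clear the clipboard when the deploy finishes.
Set-Clipboard -Value (ConvertTo-OvfToolPassword -Password (Read-Host -AsSecureString 'vCenter password'))
try {
    & (Join-Path $ScriptDir 'uagdeploy.ps1') -iniFile $IniPath
}
finally {
    Set-Clipboard -Value ' '
}
```

Run it from an elevated PowerShell prompt on the machine where OVF Tool is installed. Because the .ini is generated on each run, the Connection Server thumbprint is refreshed automatically after a certificate renewal, and the vCenter password is never written to disk.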

Upgrade

To upgrade from an older appliance, you delete the old appliance and import the new one. Before deleting the older appliance, export your settings:

  1. Log in to the UAG at https://<Your_UAG_IP>:9443/admin/index.html.
  2. In the Configure Manually section, click Select.
  3. Scroll down to the Support Settings section, and then click the JSON button next to Export Unified Access Gateway Settings.
  4. Note: the exported JSON file does not include the UAG certificate, so you’ll also need the .pfx file. If RADIUS is configured, then during import you’ll be prompted to enter the RADIUS secret.

Deploy New

Download the Unified Access Gateway version that matches your Horizon version (and the ESB build if you run ESB Horizon), as described under Horizon Compatibility above.

To deploy the Unified Access Gateway using VMware vSphere Client:

  1. In vSphere Client, right-click a cluster, and click Deploy OVF Template.
  2. Select Local File and click Upload Files. In the Open window, browse to the downloaded euc-unified-access-gateway.ova file, and click Next.
  3. In the Select a name and folder page, give the machine a name, and click Next.
  4. In the Review Details page, click Next.
  5. In the Select configuration page, select a Deployment Configuration. See Network Segments at Unified Access Gateway Architecture at Omnissa Tech Zone. Click Next.
  6. In the Select storage page, select a datastore, select a disk format, and click Next.
  7. In the Select networks page, even if you select Single NIC, the OVF deployment wizard asks you for multiple NICs. UAG typically goes in the DMZ.
  8. In the Customize template page, select STATICV4.
  9. In the NIC1 (eth0) IPv4 address field, enter the NIC1 (eth0) IPv4 address.
  10. Enter DNS addresses, Gateway, Subnet Mask, and the remaining IP info further down the page.
  11. Enter a Unified Gateway Appliance Name.
  12. UAG 2207 and newer let you specify the local root username.
  13. Enter passwords. UAG 20.12 (2012) and newer let you specify Password Policy settings when deploying the OVF.
  14. Enter the password for the admin user. UAG 2207 and newer have an adminreset command if you mess up the admin interface login. There’s also an adminpwd command to reset the password.
  15. UAG 2207 and newer have an option to enable DISA STIG compliance, usually on the FIPS version of UAG.
  16. There’s a checkbox for Enable SSH. In UAG 3.9 and newer, there’s an option to log in using an SSH key pair instead of a password, and newer versions of UAG have more SSH options. Leave SSH disabled unless you need it for troubleshooting.
  17. UAG 2207 adds Commands to Run on First Boot or Every Boot.
  18. Click Next.
  19. In the Ready to complete page, click Finish.

UAG Admin Interface

  1. Power on the Unified Access Gateway appliance.
  2. Point your browser to https://My_UAG_IP:9443/admin/index.html and log in as admin. It might take a few minutes before the admin page is accessible.
  3. UAG 2207 and newer have an adminreset command if you mess up the admin interface login. There’s also an adminpwd command to reset the password.

Import Settings

  1. If you have previously exported settings, you can import them now by clicking Select in the Import Settings section.
  2. Browse to the previously exported UAG_Settings.json file and then click Import. Note that this json file might have old settings, like old ciphers. Review the file to ensure you’re not importing legacy configurations. If the .json file has a SHA-1 thumbprint, then edit the file and replace it with SHA-256 thumbprint (fingerprint).
  3. It should say UAG settings imported successfully. If you don’t see this, then your .json file probably has a SHA-1 thumbprint.
  4. Press <F5> on your keyboard to refresh the browser.
  5. The .json file does not include the certificate so you’ll have to do that separately. In the Admin console, in the Advanced Settings section, click TLS Server Certificate Settings.
  6. In the Internet row, click the gear icon.
  7. Change the drop-down for Certificate Type to PFX.
  8. In the row Upload PFX, click Select and browse to your PFX file.
  9. In the Password field, enter the PFX password and then click Save.
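
A way to do the review step above before you click Import, as an added PowerShell example that is not part of UAG or the original page. It walks the exported JSON, reports any sha1= thumbprint (which the import rejects), any thumbprint carrying a hidden non-printable character, and any cipher or TLS related setting so legacy values get a second look; if you pass a SHA-256 thumbprint it also writes a corrected copy. The file name and the replacement thumbprint are placeholders, and the rewrite assumes all your Connection Servers share one certificate; with differing certificates, fix each comma-separated value by hand.

```powershell
# Added example, not part of UAG: review an exported UAG_Settings.json before importing it.
# Reports SHA-1 thumbprints (rejected by current UAG), thumbprints with hidden non-printable
# characters, and cipher/TLS settings to review. Optionally rewrites sha1= thumbprints to the
# SHA-256 value you supply. $Path and $Sha256Thumbprint are placeholders.
param(
    [string]$Path = '.\UAG_Settings.json',
    [string]$Sha256Thumbprint   # e.g. 'sha256=AB:CD:...'; omit to report only
)

# Recursive walk over the ConvertFrom-Json object tree; emits one finding per problem.
function Find-LegacySettings {
    param($Node, [string]$JsonPath = '$')
    if ($null -eq $Node) { return }
    if ($Node -is [string]) {
        if ($Node -match '(?i)sha1\s*=') {
            [pscustomobject]@{ Path = $JsonPath; Issue = 'SHA-1 thumbprint (import will fail)'; Value = $Node }
        }
        # Anything outside printable ASCII inside a thumbprint is a pasted hidden character
        if ($Node -match '(?i)sha\d+\s*=' -and $Node -match '[^\x20-\x7E]') {
            [pscustomobject]@{ Path = $JsonPath; Issue = 'Hidden character in thumbprint'; Value = $Node }
        }
        return
    }
    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        foreach ($p in $Node.PSObject.Properties) {
            if ($p.Name -match '(?i)cipher|tls|ssl') {
                [pscustomobject]@{ Path = "$JsonPath.$($p.Name)"; Issue = 'Review TLS setting'; Value = "$($p.Value)" }
            }
            Find-LegacySettings -Node $p.Value -JsonPath "$JsonPath.$($p.Name)"
        }
        return
    }
    if ($Node -is [System.Collections.IEnumerable]) {
        $i = 0
        foreach ($item in $Node) { Find-LegacySettings -Node $item -JsonPath "$JsonPath[$i]"; $i++ }
    }
    # numbers and booleans: nothing to check
}

$raw      = Get-Content -Path $Path -Raw
$settings = $raw | ConvertFrom-Json
$findings = @(Find-LegacySettings -Node $settings)
if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No SHA-1 thumbprints or hidden characters found.' }

if ($Sha256Thumbprint) {
    if ($Sha256Thumbprint -notmatch '^sha256=([0-9A-Fa-f]{2}:?){32}$') {
        throw 'Thumbprint must look like sha256=AB:CD:...'
    }
    # Replace textually so the rest of the export is byte-for-byte unchanged
    $fixed = [regex]::Replace($raw, '(?i)sha1\s*=\s*[0-9a-f:]+', $Sha256Thumbprint)
    $out   = [IO.Path]::ChangeExtension((Resolve-Path $Path).Path, '.sha256.json')
    # UTF-8 without BOM, so the importer sees plain JSON
    [IO.File]::WriteAllText($out, $fixed, [Text.UTF8Encoding]::new($false))
    "Wrote $out; review it, then import that file instead of the original."
}
```

Run it as .\Review-UagExport.ps1 -Path .\UAG_Settings.json, add -Sha256Thumbprint once you have the current Connection Server fingerprint, and import the .sha256.json copy. The "Review TLS setting" rows are deliberately broad: a settings export from an old appliance can carry cipher lists the current release would never have chosen by default.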

Configure Horizon Settings

  1. To manually configure the appliance, under Configure Manually, click Select.
  2. Click the slider for Edge Service Settings.
  3. Click the gear icon for Horizon Settings.
  4. Click the slider for Enable Horizon.
  5. As you fill in these fields, hover over the information icon to see the syntax.
  6. The Connection Server URL should point to the internal load balanced DNS name (URL) for your internal Connection Servers.

    1. For the Connection Server URL Thumbprint, get the thumbprint from the internal Horizon certificate. Point your browser to the internal Horizon Connection Server FQDN (load balanced) and click the padlock icon to open the certificate.
    2. On the Details tab, copy the SHA-256 Fingerprint. Note that SHA-1 thumbprint is no longer supported.
  7. In the Proxy Destination URL Thumb Prints field, type in sha256= and paste the certificate thumbprint.
  8. At the beginning of the Thumbprint field, immediately after the equals sign, there might be a hidden character. Press the arrow keys on the keyboard to find it. Then delete the hidden character.
  9. Enable the three PCOIP, Blast, and Tunnel Gateways and perform the following configurations:
    1. For PCOIP External URL, enter the external IP and :4172. The IP should point to your external load balancer that’s load balancing UDP 4172 and TCP 4172 to multiple Unified Access Gateways.
    2. For Blast External URL, enter https://<FQDN>:8443 (e.g. https://view.corp.com:8443). This FQDN should resolve to your external load balancer that’s load balancing UDP 8443 and TCP 8443 to multiple Unified Access Gateways.
    3. For Enable UDP Tunnel Server, enable the setting.
    4. For Tunnel External URL, enter https://<FQDN>:443 (e.g., https://view.corp.com:443). This FQDN should resolve to your external load balancer that’s load balancing TCP 443 to multiple Unified Access Gateways.
    5. The external load balancer must be capable of using the same persistence across multiple port numbers. On NetScaler, this feature is called Persistency Group. On F5, the feature is called Match Across.
  10. Then click More.
  11. Unified Access Gateway has a default list of paths it will forward to the Horizon Connection Server. You can edit the Proxy Pattern and add |/downloads(.*) to the list so that users can also download Horizon Clients that are stored on your Horizon Connection Servers as detailed elsewhere at carlstalhood.com. Make sure you click Save at least once so it saves the default Proxy Pattern. Then go back in and add |/downloads(.*) to the end of the Proxy Pattern but inside the last parentheses. Only add paths you actually need: every pattern you add is another Connection Server URL reachable from the Internet. With /downloads added, the Proxy Pattern in UAG 2406 looks something like below:

    (/|/view-client(.*)|/portal(.*)|/appblast(.*)|/iwa(.*)|/downloads(.*))
  12. Scroll down and click Save when done.
  13. If you click the arrow next to Horizon Settings, then it shows you the status of the Edge services. It might take a minute or two to start working.
  14. In your Horizon Connection Servers, the Secure Gateways (e.g. PCoIP Gateway) should be disabled.
    1. Go to Horizon Console.
    2. Expand Settings and click Servers. On the right, switch to the tab named Connection Servers. Highlight your Connection Servers and click Edit.
    3. Then uncheck or disable all three Tunnels/Gateways.
    4. HTML Access probably won’t work through Unified Access Gateway. You’ll probably see the message Failed to connect to the Connection Server.
    5. To fix this, on each Connection Server edit C:\Program Files\Omnissa\Horizon\Server\sslgateway\conf\locked.properties (or C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties) and either disable the Origin check (checkOrigin=false) or, preferably, list the UAG and load balancer addresses as portalHost entries so the check stays enabled. Also see 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon 7.
    6. Horizon 2106 and newer enable CORS by default, so you’ll need to either disable CORS by adding enableCORS=false to the same locked.properties file or, preferably, configure the portalHost entries in locked.properties as detailed at 85801 Cross-Origin Resource Sharing (CORS) with Horizon 8 and loadbalanced HTML5 access. Disabling the Origin check or CORS removes a cross-site protection for the whole Connection Server, so use the portalHost approach unless you have a specific reason not to.
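
The locked.properties change from steps 5 and 6, in its hardened form, as an added PowerShell example that is not from the Horizon documentation or the original page. It merges portalHost entries into the existing file (keeping unrelated settings, dropping any earlier checkOrigin=false or enableCORS=false overrides) and shows the weak variant only as a comment for comparison. The host names are placeholders for your UAG and load balancer FQDNs; the portalHost.N key is the one the two KB articles referenced above describe, and the two paths are the ones given in the text.

```powershell
# Added example, not from the Horizon documentation. Rewrites locked.properties on a
# Connection Server so HTML Access works through UAG while the Origin and CORS checks
# stay enabled. $AllowedHosts are placeholders for your UAG / load balancer FQDNs.
$AllowedHosts = @('view.corp.com', 'uag1.corp.com', 'uag2.corp.com')

# Merge the hardened settings into the existing lines: keep unrelated settings, drop any
# previous portalHost entries and the weak checkOrigin=false / enableCORS=false overrides.
function Merge-LockedProperties {
    param([string[]]$Existing, [string[]]$Hosts)
    $kept  = @($Existing | Where-Object { $_ -notmatch '^\s*(checkOrigin|enableCORS|portalHost\.\d+)\s*=' })
    $lines = @('# Origin check and CORS remain enabled; these are the permitted external front ends')
    $i = 1
    foreach ($h in $Hosts) { $lines += "portalHost.$i=$h"; $i++ }
    # Weak alternative, for comparison only. It lets any Origin talk to the Connection Server:
    #   checkOrigin=false
    #   enableCORS=false
    return $kept + $lines
}

# Omnissa-branded path or the older VMware-branded path (both from the text above).
$ConfDir = @(
    'C:\Program Files\Omnissa\Horizon\Server\sslgateway\conf',
    'C:\Program Files\VMware\VMware View\Server\sslgateway\conf'
) | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $ConfDir) { throw 'sslgateway\conf not found; run this on a Connection Server' }

$File = Join-Path $ConfDir 'locked.properties'
$existing = @()
if (Test-Path $File) {
    Copy-Item $File "$File.bak" -Force          # keep the previous version for rollback
    $existing = Get-Content $File
}
Set-Content -Path $File -Value (Merge-LockedProperties -Existing $existing -Hosts $AllowedHosts) -Encoding ASCII
Write-Host "Wrote $File. Restart the Connection Server service for the change to take effect."
```

Run it once on every Connection Server behind the UAGs. The list of portalHost names must include every external name a browser can present in its Origin header: the load-balanced FQDN and, if users can reach them directly, the individual UAG names.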