VMware Unified Access Gateway 3.7

Last Modified: Sep 18, 2019 @ 5:45 am

Overview

Unified Access Gateway provides remote connectivity to internal Horizon Agent machines. For an explanation of how this works (i.e. traffic flow), see Understanding Horizon Connections at VMware Tech Zone.

Unified Access Gateway (formerly known as Access Point) is a replacement for Horizon Security Servers. Advantages include:

  • You don’t need to build extra Connection Servers just for pairing. However, you might want extra Horizon Connection Servers so you can filter pools based on tags.
  • Between Unified Access Gateway and Horizon Connection Servers you only need TCP 443. No need for IPSec or 4001 or the other ports. You still need 4172, 22443, etc. to the View Agents.
  • No need to enable Gateway/Tunnel on the internal Horizon Connection Servers.
  • Additional security with DMZ authentication. Some of the authentication methods supported on Unified Access Gateway are RSA SecurID, RADIUS, CAC/certificates, etc.

However:

  • It’s Linux. You can deploy and configure the appliance without any Linux skills. But you might need some Linux skills during troubleshooting.

Horizon View Security Server is still developed and supported so you’re welcome to use that instead of Unified Access Gateway. But some of the newer Blast Extreme functionality only works in Unified Access Gateway (Access Point) 2.9 and newer. See Configure the Blast Secure Gateway at VMware Docs.

More information at VMware Blog Post Technical Introduction to VMware Unified Access Gateway for Horizon Secure Remote Access.

Horizon Compatibility – Refer to the interoperability matrix to determine which version of Unified Access Gateway is compatible with your version of Horizon.

Download one of the following versions of UAG:

Then download the PowerShell deployment scripts on the same UAG download page.

Firewall

VMware Technical White Paper Blast Extreme Display Protocol in Horizon 7, and Firewall Rules for DMZ-Based Unified Access Gateway Appliances at VMware Docs.

Open these ports from any device on the Internet to the Unified Access Gateway Load Balancer VIP:

  • TCP and UDP 443 (includes Blast Extreme)
  • TCP and UDP 4172 (PCoIP). UDP 4172 must be opened in both directions.
  • TCP and UDP 8443 (for HTML Blast)

Open these ports from the Unified Access Gateways to internal:

  • TCP 443 to internal Connection Servers (through a load balancer)
  • TCP and UDP 4172 (PCoIP) to all internal Horizon View Agents. UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon View Agents.
  • TCP and UDP 22443 (Blast Extreme) to all internal Horizon View Agents.
  • TCP 9427 (MMR and CDR) to all internal Horizon View Agents.

Open these ports from any internal administrator workstations to the Unified Access Gateway appliance IPs:

  • TCP 9443 (REST API)
  • TCP 80/443 (Edge Gateway)

Network Profile

Note: in Unified Access Gateway 3.3 and later, Network Protocol Profile is no longer necessary and you can skip this section.

  1. Before importing the Unified Access Gateway OVF, you will need to configure a Network Profile. In vSphere Web Client, go to the Datacenter object. On the right, switch to the Manage (or Configure) tab > Network Protocol Profiles.
  2. Click the plus icon.

  3. In the Select name and network page, enter a name, select the DMZ VM Network for your Unified Access Gateway appliance, and click Next.

  4. In the Configure IPv4 page, enter the subnet information, and Gateway.
  5. Don’t configure an IP pool. Click Next.
  6. In the Ready to complete page, click Finish.
  7. If you are configuring multiple NICs on your Unified Access Gateway, create Network Protocol Profile for the remaining subnets.

Import OVF

Mark Benson at VMware Communities Using PowerShell to Deploy VMware Unified Access Gateway has a PowerShell script that runs OVF Tool to deploy and configure Unified Access Gateway. The PowerShell script is updated as newer versions of Unified Access Gateways are released. This is the recommended method of deploying Unified Access Gateway.

In UAG 3.3.1.0 and newer, the PowerShell deployment script is downloadable from the UAG 3.7, or UAG 3.3.2.0 download page.

Some notes regarding the PowerShell script:

  • If the OVA path has spaces in it, do not include quotes in the .ini file. The script adds the quotes automatically.
  • For the target parameter, specify a cluster name instead of a host. If the name contains spaces, there’s no need for quotes. For example:
    target=vi://admin@corp.local:PASSWORD@vcenter02.corp.local/Datacenter/host/Cluster 1
  • Special characters in the vCenter password must be encoded. Use a URL encoder tool (e.g. https://www.urlencoder.org/) to encode the password. Then paste the encoded password when prompted by the ovftool. The UAG passwords do not need encoding, but the vCenter password does.

There is no upgrade process for Unified Access Gateway. You must delete the old appliance and deploy a new one. To speed up the deployment, either use the PowerShell deployment script, or export the settings from the old appliance and import into the new appliance.

Upgrade

To upgrade from an older appliance, you delete the old appliance, and import the new one. Before deleting the older appliance, export your settings:

  1. Login to the UAG at https://<Your_UAG_IP>:9443/admin/index.html.
  2. In the Configure Manually section, click Select.
  3. Scroll down to the Support Settings section, and then click the JSON button next to Export Unified Access Gateway Settings.

Deploy

To deploy the Unified Access Gateway using VMware vSphere Client:

  1. Download UAG. Refer to the compatibility matrix for the latest compatibility data for each version.
  2. In vSphere Client, right-click a cluster, and click Deploy OVF Template. Note: the HTML5 UI client in vSphere 6.5 Update 2 and newer might work for single NIC. But multi-NIC is only supported in the Flash UI (source = Hilko Lantinga in the comments)

  3. Select Local File. In the Select source page, browse to the downloaded euc-unified-access-gateway-3.7.0.0.ova file, and click Next.


  4. In the Select name and location page, give the machine a name, and click Next.

  5. In the Review Details page, click Next.
  6. In the Select configuration page, select a Deployment Configuration. See DMZ Design for VMware Unified Access Gateway and the use of Multiple NICs at VMware Communities. Click Next.

  7. In the Select storage page, select a datastore, select a disk format, and click Next.

  8. Even if you select Single NIC, the OVF deployment wizard asks you for multiple NICs. UAG typically goes in the DMZ.
  9. In the Customize template page, select STATICV4, and scroll down. Note: HTML5 UI vSphere Web client displays the settings in a different order than the Flash vSphere Client.
  10. In the NIC1 (eth0) IPv4 address field, enter the NIC1 (eth0) IPv4 address. Scroll down.
  11. Enter DNS addresses, Gateway, and Subnet Mask. Scroll down.

  12. Scroll down and enter more IP info.
  13. Scroll down.
  14. Enter a Unified Gateway Appliance Name.
  15. Scroll down. Expand Password Options, and enter passwords.

  16. In UAG 3.5 and newer, there’s a new checkbox for Enable SSH.
  17. Click Next.
  18. In the Ready to complete page, click Finish.

UAG Admin Interface

  1. Power on the Unified Access Gateway appliance.
  2. If the appliance initially boots with the wrong IP, then a reboot might fix it.
  3. In Unified Access Gateway and Access Point 2.8 and later, you can point your browser to https://My_UAG_IP:9443/admin/index.html, and login as admin.

Import Settings

  1. If you have previously exported settings, you can import it now by clicking Select in the Import Settings section.
  2. Browse to the previously exported UAG_Settings.json file and then click Import.
  3. It should say UAG settings imported successfully.
  4. Press <F5> on your keyboard to refresh the browser.

Configure Horizon Settings

  1. To manually configure the appliance, under Configure Manually, click Select.
  2. Next to Edge Service Settings, click Show.
  3. Next to Horizon Settings, click the gear icon.
  4. Change Enable Horizon to Yes.
  5. As you fill in these fields, hover over the information icon to see the syntax.
  6. The Connection Server URL should point to the internal load balanced DNS name (URL) for your internal Connection Servers.

    1. For the Connection Server URL Thumb print, get the thumbprint from the internal Horizon View certificate. Point your browser to the internal Horizon View Connection Server FQDN (load balanced), and click the padlock icon to open the certificate. If using Chrome, you have to open the Developer Tools (F12), switch to the Security tab, and then click View Certificate. If you don’t see the Security tab, then click the double right arrows.
    2. On the Details tab, copy the Thumbprint.
  7. In the Proxy Destination URL Thumb Prints field, type in sha1= and paste the certificate thumbprint.
  8. At the beginning of the Thumbprint field, immediately after the equals sign, there might be a hidden character. Press the arrow keys on the keyboard to find it. Then delete the hidden character.
  9. Enable the three PCOIP, Blast, and Tunnel Gateways and perform the following configurations:
    1. For PCOIP External URL, enter the external IP or external FQDN and :4172. The IP or FQDN should point to your external load balancer that’s load balancing UDP 4172 and TCP 4172 to multiple Unified Access Gateways.
    2. For Blast External URL, enter https://<FQDN>:443 (e.g. https://view.corp.com:443). This FQDN should resolve to your external load balancer that’s load balancing UDP 443 and TCP 443 to multiple Unified Access Gateways.
    3. For Tunnel External URL, enter https://<FQDN>:443 (e.g. https://view.corp.com:443). This FQDN should resolve to your external load balancer that’s load balancing TCP 443 to multiple Unified Access Gateways.
    4. The external load balancer must be capable of using the same persistence across multiple port numbers. On NetScaler, this feature is called Persistency Group. On F5, the feature is called Match Across.
  10. Then click More.
  11. Unified Access Gateway has a default list of paths it will forward to the Horizon Connection Server. You can edit the Proxy Pattern and add /|/downloads(.*) to the list so users can also download Horizon Clients that are stored on your Horizon View Connection Servers.
  12. Scroll down and click Save when done.
  13. If you click the arrow next to Horizon Settings, then it shows you the status of the Edge services.

    • If all you see is Not Configured, then refresh your browser and then click the Refresh Status icon.
  14. In your Horizon Connection Servers, the Secure Gateways (e.g. PCoIP Gateway) should be disabled.
    1. Go to Horizon Console or Horizon Administrator.
    2. Expand Settings and click Servers. Or expand View Configuration, and click Servers.

    3. On the right, switch to the tab named Connection Servers.

    4. Highlight your Connection Servers, and click Edit.

    5. Then uncheck or disable all three Tunnels/Gateways.

    6. In Horizon 7, HTML Access won’t work through Unified Access Gateway unless you disable Origin Check or configure the Connection Server’s locked.properties with the UAG addresses. Also see VMware KB 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon 7.
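Steps 6 to 8 above ask you to pin the internal Connection Server certificate by pasting its SHA-1 thumbprint after sha1=, and warn about the hidden character that rides along with the paste. The following is an added example (not code from the article or from VMware) that normalizes a pasted thumbprint, computes the thumbprint from a certificate's DER bytes, and compares the pinned value against what a server presents; the helper names and the sample values are mine.

```python
import hashlib
import re
import ssl

# Added example; not code from the article or from VMware. It builds the value
# UAG's "Proxy Destination URL Thumb Prints" field expects ("sha1=" followed
# by the SHA-1 thumbprint) and removes the hidden character the article warns
# about when the value is pasted from a certificate viewer.

HEX_DIGIT = re.compile(r"[0-9a-fA-F]")


def normalize_thumbprint(pasted: str) -> str:
    """Return 'sha1=' + 20 space-separated lowercase hex bytes.

    The 'sha1=' prefix is removed first (it contains the hex digits 'a' and
    '1', so it cannot simply be filtered out). Everything else that is not a
    hex digit is dropped: spaces, colons, and invisible marks such as the
    U+200E that the Windows certificate viewer copies with the thumbprint.
    """
    text = pasted.strip()
    if text[:5].lower() == "sha1=":
        text = text[5:]
    digits = "".join(HEX_DIGIT.findall(text)).lower()
    if len(digits) != 40:
        raise ValueError(f"a SHA-1 thumbprint has 40 hex digits, got {len(digits)}")
    return "sha1=" + " ".join(digits[i:i + 2] for i in range(0, 40, 2))


def is_valid_thumbprint(pasted: str) -> bool:
    """True if the pasted value normalizes to a well-formed SHA-1 thumbprint."""
    try:
        normalize_thumbprint(pasted)
        return True
    except ValueError:
        return False


def thumbprint_from_der(der: bytes) -> str:
    """Thumbprint of a certificate given its DER bytes (SHA-1 over the DER
    encoding, which is the value certificate viewers display)."""
    return normalize_thumbprint(hashlib.sha1(der).hexdigest())


def fetch_thumbprint(host: str, port: int = 443) -> str:
    """Fetch the leaf certificate presented by the internal Connection Server
    (load balanced) name and return its thumbprint. Network call; the offline
    sample below does not use it."""
    pem = ssl.get_server_certificate((host, port))
    return thumbprint_from_der(ssl.PEM_cert_to_DER_cert(pem))


def thumbprints_match(expected: str, observed: str) -> bool:
    """Compare two thumbprints regardless of case, separators or hidden marks,
    e.g. the value pinned in UAG against what the server currently serves."""
    return normalize_thumbprint(expected) == normalize_thumbprint(observed)


if __name__ == "__main__":
    # Constructed sample: the SHA-1 of b"abc" stands in for a DER certificate,
    # pasted in uppercase with colons and a hidden U+200E mark after "sha1=".
    pasted = "sha1=\u200eA9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D"
    print(normalize_thumbprint(pasted))
    print(thumbprints_match(pasted, thumbprint_from_der(b"abc")))
```

After a Connection Server certificate renewal, running thumbprints_match against fetch_thumbprint tells you whether the pinned value in UAG still matches before users start failing to connect.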
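Step 11 above edits the Proxy Pattern, and the comments below discuss removing "/" from it. The pattern is an allowlist of request paths that UAG forwards to the Connection Server, so it is worth checking what each variant exposes. The following is an added example (not code from the article or from VMware); it assumes the pattern is applied as a whole-path match (UAG uses a Java regex, which Python's re.fullmatch stands in for here) and that the default value is the one VMware documents for the Horizon edge service. The sample paths are constructed.

```python
import re

# Added example; not code from the article or from VMware. The Horizon Proxy
# Pattern in UAG is a regular expression that decides which request paths are
# forwarded to the Connection Server; paths that do not match are not proxied.
# Assumptions: whole-path matching (re.fullmatch stands in for the Java regex
# on the appliance) and the default pattern as documented by VMware. Check
# both against the value shown in your own UAG admin interface.

DEFAULT_PATTERN = r"(/|/view-client(.*)|/portal(.*)|/appblast(.*))"


def with_downloads(pattern: str) -> str:
    """Step 11 of the article: append /downloads(.*) so users can fetch Horizon
    Clients hosted on the Connection Server."""
    return pattern[:-1] + "|/downloads(.*))"


def without_root(pattern: str) -> str:
    """The variant discussed in the comments: drop the bare "/" alternative so
    the portal landing page is no longer proxied while the client paths
    still match."""
    return pattern.replace("(/|", "(", 1)


def is_forwarded(pattern: str, path: str) -> bool:
    """True if UAG would forward this path to the Connection Server."""
    return re.fullmatch(pattern, path) is not None


def exposure(pattern: str, paths) -> dict:
    """Map each candidate path to whether the pattern forwards it."""
    return {p: is_forwarded(pattern, p) for p in paths}


# Constructed sample paths: portal root, HTML Access client, a client
# installer download, the Horizon Administrator path (which should never be
# reachable through the DMZ), and the HTML Access client's alternate path.
SAMPLE_PATHS = [
    "/",
    "/portal/webclient/index.html",
    "/downloads/VMware-Horizon-Client.exe",
    "/admin/",
    "/view-client/index.html",
]

if __name__ == "__main__":
    for name, pattern in [("default", DEFAULT_PATTERN),
                          ("with /downloads", with_downloads(DEFAULT_PATTERN)),
                          ("without /", without_root(DEFAULT_PATTERN))]:
        print(name, exposure(pattern, SAMPLE_PATHS))
```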

Add UAG to Horizon Administrator

In Horizon 7.7 and newer, you can add UAG 3.4 and newer to Horizon Administrator so you can check its status in the Dashboard.

  1. In UAG Admin console, under Advanced Settings, click the gear icon next to System Configuration.
  2. At the top of the page, change the UAG Name to a friendly name. You’ll use this name later.
  3. Click Save at the bottom of the page.
  4. In Horizon Console, on the left, expand Settings and click Servers. Or in Horizon Administrator, on the left, expand View Configuration and then click Servers.

  5. On the right, switch to the tab named Gateways.

  6. Click the Register button.

  7. In the Gateway Name field, enter the friendly name you specified earlier, and then click OK.

  8. Use a Horizon Client to connect through a Unified Access Gateway. Horizon Console and/or Horizon Administrator only detects the UAG status for active sessions.
  9. In Horizon Administrator (not Horizon Console), on the top left, click Dashboard.
  10. In the middle, expand Gateways and click your gateway to see its status.
  11. In Horizon Administrator, you can go to Monitoring > Sessions to see the Gateway that users are connected to.

Other UAG Configurations

  1. If you want Unified Access Gateway to authenticate users using non-AD methods (e.g. two-factor), enable the Authentication Settings section, and configure the settings as appropriate for your requirements. See Configuring Authentication in DMZ at VMware Docs.
  2. Ciphers are configured under Advanced Settings > System Configuration.

    • Carlo Costanzo at How to get an A+ from Qualys SSLLabs on your Horizon UAG deployment recommends the following cipher suites:
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • Also enable Honor Cipher Order.
    • Syslog is also configured here.
    • In UAG 3.6 and newer, at the bottom of the System Configuration page are several settings for SNMP, DNS, and NTP.
  3. UAG 3.6 and newer let you add static routes to each NIC.
    1. Click Network Settings.
    2. Click the gear icon next to a NIC.
    3. Click IPv4 Configuration to expand it and then configure IPv4 Static Routes.
  4. UAG supports High Availability Settings.

    1. With the High Availability Virtual IP address, you might not need load balancing of the UAG appliances. See Unified Access Gateway High Availability at VMware Docs.
      1. The High Availability feature requires three IP addresses and three DNS names:
        1. One IP/FQDN for the High Availability Virtual IP.
        2. And one IP/FQDN for each appliance/node.
      2. The Horizon Edge Gateways should be set to node-specific IP addresses and node-specific DNS names. Each appliance is set to a different IP/FQDN.
      3. The Virtual IP (and its DNS name) is only used for the High Availability configuration.
      4. The YouTube videos What’s New Unified Access Gateway 3 4 and High Availability on VMware Unified Access Gateway Feature Walk-through explain the High Availability architecture.
    2. Set the Mode to ENABLED.
    3. Enter a new Virtual IP Address which is active on both appliances.
    4. Enter a unique Group ID between 1 and 255 for the subnet.
    5. Click Save.
    6. On the second appliance, configure the exact same High Availability Settings.
  5. To upload a valid certificate, scroll down to the Advanced Settings section, and next to TLS Server Certificate Settings, click the gear icon.

    1. In Unified Access Gateway 3.2 and newer, you can apply the uploaded certificate to Internet Interface, Admin Interface, or both.
    2. In Unified Access Gateway 3.0 and newer, change the Certificate Type to PFX, browse to a PFX file, and then enter the password. This PFX file certificate must match the Public FQDN (load balanced) for Unified Access Gateway.
    3. Leave the Alias field blank.
    4. Click Save.

    5. If you changed the Admin Interface certificate, then you will be prompted to close the browser window and re-open it.
  6. Or, you can upload a PEM certificate/key (this is the only option in older UAG). Next to Private Key, click the Select link.

    1. Browse to a PEM keyfile. If not running Unified Access Gateway 3.0 or newer, then certificates created on Windows (PFX files) must be converted to PEM before they can be used with Unified Access Gateway. You can use openssl commands to perform this conversion. The private key should be unencrypted.
    2. Browse to a PEM certificate file (Base-64) that contains the server certificate, and any intermediate certificates. The server certificate is on top, the intermediate certificates are below it. The server certificate must match the public FQDN (load balanced) for the Unified Access Gateway.
    3. Click Save when done.
  7. UAG 3.1 and newer have an Endpoint Compliance Check feature. The feature requires an OPSWAT subscription. The OPSWAT agent is deployed to endpoints out-of-band. It’s pass/fail. See Endpoint Compliance Checks for Horizon at VMware Docs. And the YouTube video Endpoint Compliance Checks: New VMware Horizon Security Feature.

  8. Scroll down to Support Settings and click the icon next to Export Unified Access Gateway Settings to save the settings to a JSON file. If you need to rebuild your Unified Access Gateway, simply import the JSON file.
  9. If you point your browser to the Unified Access Gateway external URL, you should see the Horizon View Connection Server portal page. Horizon Clients should also work to the Unified Access Gateway URL.

Monitor Sessions

In UAG 3.4 and newer, in the UAG Admin interface,

  • At the top of the page, next to Edge Service Settings, you can see the number of Active Sessions on this appliance.
  • At the bottom of the page, under Support Settings, click Edge Service Session Statistics to see more details.

In older versions of UAG, to see existing Horizon connections going through UAG, point your browser to https://uag-hostname-or-ip-addr:9443/rest/v1/monitor/stats.

Andrew Morgan at Viewing VMware Unified Access Gateway statistics with REST created a PowerShell module that calls this REST API.

Logs and Troubleshooting

In Access Point 2.8, and Unified Access Gateway (2.9 and newer), you can download logs from the Admin Interface.

You can also review the logs at /opt/vmware/gateway/logs. You can view these logs with less from the appliance console.

Or you can point your browser to https://MyApplianceIP:9443/rest/v1/monitor/support-archive. This will download a .zip file with all of the logfiles. Much easier to read in a GUI text editor.

For initial configuration problems, check out admin.log.

For Horizon View brokering problems, check out esmanager.log.

By default, tcpdump is not installed on UAG. To install it, login to the console and run /etc/vmware/gss-support/install.sh

Load Balancing

If NetScaler, see https://www.carlstalhood.com/vmware-horizon-unified-access-gateway-load-balancing-netscaler-12/ to load balance Unified Access Gateways.

For VMware NSX load balancing of Unified Access Gateways, see the VMware® NSX for vSphere End-User Computing Design Guide 1.2.

261 thoughts on “VMware Unified Access Gateway 3.7”

  1. I installed my first UAG 3.6 last week but I tried to do everything manually via a browser session rather than push out the configuration via the PowerShell script. This is the way I have done all of my UAG install thus far. I was able to get the UAG 3.6 installed but I hit a roadblock when trying to access the REST GUI. When using Chrome, I was able to enter my credentials but when I would click the green Login button, I would see some red text appear that said something about “Server communication error. Please check server logs.” If I used Firefox, I could enter my credentials but when I clicked the green Login button, nothing would happen at all. If I used IE (I was on a Windows 7 box so I didn’t have Edge available to try), the REST GUI login screen would not even load.

    Has anyone ran into similar trouble when trying to access the REST GUI on a new UAG 3.6?

    Thanks!
    Dan

  2. First off, a very big Thank You! to Carl for putting together this page. I have used this page quite a bit from UAG 3.1 up to UAG 3.6 and it has come in handy numerous times!

    With all of the UAG’s I’ve set up in the past, I have only used the REST GUI to configure them manually and I have not yet tried the PowerShell method of deploying one. I deployed my first UAG 3.6 last night but unfortunately, when I tried using the REST GUI to configure it, I had varying degrees of non-success. When using Firefox, the REST GUI login page loaded and I was able to enter my credentials but when I would click the green Login button, nothing would happen. When using Chrome, I could enter my credentials and I could click the green Login button but then I would see a red error message that said something like “Server communication error. Check server logs” This red message would appear over the top of my credentials on the REST GUI screen. When using IE, the REST GUI wouldn’t load at all. I was on a Windows 7 box so I didn’t have Edge available to try.

    Has anyone seen this type of behavior before when trying to configure a UAG 3.6?

    Thank you,
    Daniel

    1. When you say REST, are you referring a REST API client, like Postman? Or do you actually mean the GUI administration webpage?

      How many NICs did you assign to the UAG? I usually only do one NIC.

  3. How to set up to use Unified Access Gateway (UAG) 3.5 with required smartcard?
    How do I set up certificates on UAG?
    Thanks

  4. Is it possible to configure the UAG so external users can decide which authentication method to use like Smart card or RSA? Smart card is our primary method but if a user forgets the card we will like to have a backup option.

    Thanks for your guidance!

  5. Carl, Can I use Identify manager, user environment manager or UAG to prevent an external user from copying data from a VDI to a local computer. If the user *is* connected to the internal network they should be able to copy from VDI to local machine..

  6. I have 2 uag servers that are up and working properly; however, one server shows unbearable on the View management console. Is there any way to correct the false-positive error

    1. UAG has a default proxy pattern that includes “/”. I wonder if removing “/” from the proxy pattern would accomplish this.

      If you have a load balancer in front of UAG and if your load balancer is decrypting the SSL 443 traffic then you might be able to configure your load balancer to block traffic to /.

  7. THANK YOU!! I am not sure how well my UAG deployment would have went without this guidance.

    Horizon Client access works fine 🙂

    I have an issue I am stuck at… If I point a browser to the Unified Access Gateway external URL, all I get is a blank white page. No error – no Horizon View Connection Server portal page..?

    Any Help is appreciated!

      1. I did configure the checkOrigin=false in the locked.properties file. I verified it does not have .txt extension. I can access the admin page at the URL as well as local host.

        This is a small simple POC setup. No load balancers. 1 Connection server, 1 Security server everything working well with these.

        The external URL to the Security server as well as the internal URL to the Connection Server reveals the portal page. With the UAG External URL I can connect with the Horizon Client successfully using Blast.

      2. I corrected dns mistakes and redeployed the UAG. That has worked. It was strange situation. Thanks again for the great article!
