UAG VMware: what is it
In this post I will give an overview of Unified Access Gateway, the VMware virtual appliance used with End-User Computing products. I will describe the main features and then drill down a little into deployment, security, high availability (HA) and scalability.
About Unified Access Gateway
To help design secure application access for deployments of VMware Horizon® and Workspace ONE, use Unified Access Gateway. This appliance helps enable secure remote access for users of virtual desktops, internal sites, applications, and file repositories. Deploying Unified Access Gateway is simple and secure, providing the necessary security hardening and multi-cloud support across Amazon AWS, Microsoft Azure, and Google Cloud Platform, in addition to vSphere.
Unified Access Gateway is key to VMware's Anywhere Workspace solution and provides several proxy services for different use cases and protocols.
UAG Authentication
SAML is configured in UAG 3.8 and newer in the Identity Bridging Settings section.
For RADIUS authentication:
- Enable the Authentication Settings section, and configure the settings as appropriate for your requirements. See Configuring Authentication in DMZ at VMware Docs.
- When configuring RADIUS, if you click More, there’s a field for Login page passphrase hint.
Firewall
See the VMware Technical White Paper Blast Extreme Display Protocol in Horizon, and Firewall Rules for DMZ-Based Unified Access Gateway Appliances at VMware Docs.
Open these ports from any device on the Internet to the Unified Access Gateway Load Balancer VIP:
- TCP and UDP 443
- TCP and UDP 4172 (PCoIP). UDP 4172 must be opened in both directions.
- TCP and UDP 8443 (for HTML Blast)
Open these ports from the Unified Access Gateways to internal:
- TCP 443 to internal Connection Servers (through a load balancer)
- TCP and UDP 4172 (PCoIP) to all internal Horizon View Agents. UDP 4172 must be opened in both directions.
- TCP 32111 (USB Redirection) to all internal Horizon View Agents.
- TCP and UDP 22443 (Blast Extreme) to all internal Horizon View Agents.
- TCP 9427 (MMR and CDR) to all internal Horizon View Agents.
Open these ports from any internal administrator workstations to the Unified Access Gateway appliance IPs:
- TCP 9443 (REST API)
- TCP 80/443 (Edge Gateway)
Downloading VMware UAG 3.8
Unified Access Gateway is part of Horizon Standard
Installing VMware UAG 3.8
We will use vCenter to install VMware UAG 3.8.
It is possible to do this without vCenter (Deploying OVF without vCenter | VMware), but then we would have to use tools such as ovftool, which would distract us from actually installing and configuring UAG.
Log in to vCenter and select
Choose the deployment option with two network adapters.
One adapter will face the Internet, and the second will be on the local network.
Both adapters, that is, both the Internet and the local network, will be in the same virtual network inside ESXi.
Remember that the goal of our experiment is to run a test and then adapt the solution to the realities of access in your environment.
Choose the STATICV4 configuration type.
Add the address that will face the Internet.
In this case we will take an address from the 192.168.100.0/24 network and forward 3 ports to it from the gateway: 443, 8443 and 4172.
Our DNS server lives on the internal network, which we cannot configure from this interface (we will do that a little later), but this DNS must be able to resolve our View Connection Server view-conn.virtual.local.
That is why I put the DNS of the domain controller here.
Gateway 192.168.100.10 is the Internet gateway on which we configured the port forwarding.
Unified Gateway Appliance Name is the name we will need to register the gateway in View Connection Server (see here).
VMware Unified Access Gateway then takes some time to deploy on ESXi, after which the UAG-3.8 machine must be powered on.
If the installation was done through vCenter, you can go there and see which address was assigned to the management interface via DHCP (in the settings we only specified the external interface, whose address is 192.168.100.100, but management will not work through the interface intended for the Internet).
If the installation was done through ovftool, we can open the UAG console and look at the interface settings.
And run the command ifconfig -a.
This command showed two interfaces: the external one, which we already configured with IP 192.168.100.100, and the internal one with the address 192.168.0.211 obtained from DHCP.
Choose manual configuration
In the General Settings menu, show Edge Service Settings and go to Horizon Settings
Enable Horizon and specify the FQDN of the View Connection Server as it is seen from this gateway inside the local network.
In the certificate properties find the Thumbprint and Thumbprint algorithm.
And enter these values as shown below
Change the network settings
Our internal network, where the View Connection Server, the physical PCs or virtual desktops and the DNS server are located, is 192.168.11.0/255.255.255.0. Set an address from it.
Check the Horizon settings and see that the Horizon Destination Server is not found.
Most likely this is because the UAG gateway cannot resolve view-conn.virtual.local.
You can open the UAG console and try to ping view-conn.virtual.local.
Go back to Horizon Settings, expand the settings fully, find Host Entries and add the entry 192.168.11.20 view-conn.virtual.local
Check with a ping of view-conn.virtual.local
Check Horizon Settings again after a minute and see that everything is fine.
VMware Unified Access Gateway now sees the View Connection Server.
It remains to check that the View Connection Server sees VMware Unified Access Gateway.
To do this, open the View Connection Server management page view-conn.virtual.local/admin
In our case we landed directly on a desktop, because we assigned a pool and a machine to the user virtual\Administrator (who is a View administrator).
If we had not done that, an error would have occurred telling us that the user has no desktop assigned.
Nevertheless, we go to the View Connection Server configuration page and check that the gateway is visible.
It is visible, hooray. And the forwarding to the desktop works too. That's all!
Unified Access Gateway provides remote connectivity to internal Horizon Agent machines. For an explanation of how this works (i.e. traffic flow), see Understanding Horizon Connections at VMware Tech Zone.
Unified Access Gateway (formerly known as Access Point) is a replacement for Horizon Security Servers. Advantages include:
- You don’t need to build extra Connection Servers just for pairing. However, you might want extra Horizon Connection Servers so you can filter pools based on tags.
- Between Unified Access Gateway and Horizon Connection Servers you only need TCP 443. No need for IPSec or 4001 or the other ports. You still need 4172, 22443, etc. to the View Agents.
- No need to enable Gateway/Tunnel on the internal Horizon Connection Servers.
- Additional security with DMZ authentication. Some of the Authentication methods supported on Unified Access Gateway are RSA SecurID, RADIUS, CAC/certificates, etc.
- It’s Linux. You can deploy and configure the appliance without any Linux skills. But you might need some Linux skills during troubleshooting.
Horizon View Security Server has been removed from Horizon 2006 (aka Horizon 8).
- Some of the newer Blast Extreme functionality only works in Unified Access Gateway. See Configure the Blast Secure Gateway at VMware Docs.
Horizon Compatibility – Refer to the interoperability matrix to determine which version of Unified Access Gateway is compatible with your version of Horizon.
- The latest version of UAG is 2203, which is newer than version 3.10. Version 2203 means March 2022 in YYMM format. Version 2111 is an Extended Service Branch (ESB) with 3 years of support. Version 2111.2 is newer than version 2111 and includes a fix for log4j vulnerability.
- Use the Select Version drop-down to select the version of Horizon you have deployed.
- Then open the downloads for the edition that you are entitled to: Standard, Advanced, or Enterprise.
- Scroll down the page to see the Unified Access Gateway downloads. You usually want the Non-FIPS version.
- Then download the PowerShell deployment scripts on the same UAG download page.
Logs and Troubleshooting
You can download logs from the Admin Interface by clicking the icon next to Log Archive.
You can also review the logs at /opt/vmware/gateway/logs. You can view these logs with less from the appliance console.
For initial configuration problems, check out admin.log.
For Horizon View brokering problems, check out esmanager.log.
By default, tcpdump is not installed on UAG. To install it, login to the console and run /etc/vmware/gss-support/install.sh
Upgrade
To upgrade from an older appliance, you delete the old appliance and import the new one. Before deleting the older appliance, export your settings:
UAG Admin Interface
Import Settings
Configure Horizon Settings
- If all you see is Not Configured, then refresh your browser and then click the Refresh Status icon.
- Go to Horizon Console.
- Expand Settings and click Servers.
- On the right, switch to the tab named Connection Servers.
- Highlight your Connection Servers, and click Edit.
- Then uncheck or disable all three Tunnels/Gateways.
- HTML Access probably won’t work through Unified Access Gateway. You’ll probably see the message Failed to connect to the Connection Server.
- To fix this, configure on each Connection Server the file C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties to disable Origin Check (checkOrigin=false) or configure the Connection Server’s locked.properties with the UAG addresses. Also see 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon 7.
- Horizon 2106 and newer enable CORS by default so you’ll need to either disable CORS by adding enableCORS=false to C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties, or configure the portalHost entries in locked.properties as detailed at 85801 Cross-Origin Resource Sharing (CORS) with Horizon 8 and loadbalanced HTML5 access.
- After modifying the locked.properties file, restart the VMware Horizon View Security Gateway Component service.
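The two locked.properties options in the list above are not equivalent: checkOrigin=false and enableCORS=false switch the checks off for every origin, while portalHost entries keep them on and only admit the UAG names that users actually connect to. The script below is an added illustration (not Horizon's code, nor from the article) that models that difference and audits a locked.properties file for it; the portalHost.1, portalHost.2 numbering is assumed from KB 85801, the FQDNs are constructed, and origin_allowed is a simplified model of the check the page describes, not Horizon's implementation.

```python
import re

def parse_locked_properties(text: str) -> dict:
    """Parse Java .properties text (key=value or key:value; '#'/'!' comments) into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def portal_hosts(props: dict) -> set:
    """Hosts explicitly allowed as HTML Access origins via portalHost.N entries
    (numbering assumed from KB 85801; the page only says 'portalHost entries')."""
    return {v.lower() for k, v in props.items() if re.fullmatch(r"portalHost\.\d+", k)}

def origin_allowed(props: dict, origin_host: str, server_host: str) -> bool:
    """Simplified model of the Origin check: accepted when the check is disabled outright
    (checkOrigin=false), when the origin is the Connection Server's own host, or when the
    origin is a listed portalHost. This is a model, not Horizon's actual implementation."""
    if props.get("checkOrigin", "true").lower() == "false":
        return True
    host = origin_host.lower()
    return host == server_host.lower() or host in portal_hosts(props)

def audit_locked_properties(props: dict, uag_fqdns, server_host: str) -> list:
    """Findings a reviewer would raise about a locked.properties file, given the external
    UAG / load balancer FQDNs that browsers will use for HTML Access."""
    findings = []
    if props.get("checkOrigin", "true").lower() == "false":
        findings.append("checkOrigin=false accepts any Origin; list the UAG FQDNs as "
                        "portalHost entries instead of disabling the check")
    if props.get("enableCORS", "true").lower() == "false":
        findings.append("enableCORS=false turns CORS off globally (Horizon 2106+); prefer "
                        "portalHost entries that name the UAG FQDNs")
    for fqdn in uag_fqdns:
        if not origin_allowed(props, fqdn, server_host):
            findings.append(f"{fqdn} is not an accepted origin: HTML Access through it will "
                            "fail with 'Failed to connect to the Connection Server'")
    return findings

def hardened_locked_properties(uag_fqdns) -> str:
    """locked.properties content that keeps the Origin check and CORS enabled and only adds
    the UAG FQDNs as allowed portal hosts. Restart the VMware Horizon View Security Gateway
    Component service after writing it, as the page notes."""
    lines = ["# Allow HTML Access only from the UAG / load balancer names users connect to"]
    lines += [f"portalHost.{i}={fqdn}" for i, fqdn in enumerate(uag_fqdns, start=1)]
    return "\n".join(lines) + "\n"

# Constructed samples (not from the page): the weak quick fix beside the hardened form.
UAG_FQDNS = ["uag.example.com", "uag-lb.example.com"]
WEAK = "checkOrigin=false\nenableCORS=false\n"
HARDENED = hardened_locked_properties(UAG_FQDNS)

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        props = parse_locked_properties(text)
        print(label, audit_locked_properties(props, UAG_FQDNS, "cs1.corp.local") or "no findings")
```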
Add UAG to Horizon Console
In Horizon 7.7 and newer, you can add UAG 3.4 and newer to Horizon Console so you can check its status in the Dashboard.
See status of UAG appliances:
To see the Gateway that users are connected to:
VMware Tunnel
Tunnel is a modern VPN replacement providing full device and per application modes to enable remote access to any type of user. Unified Access Gateway appliance serves as the on-premises option for Zero Trust Network Access (ZTNA) leveraging the Workspace ONE Tunnel app. VMware's ZTNA solution is also available as a hosted SaaS service as part of VMware's Secure Access Service Edge.
Web Reverse Proxy
Unified Access Gateway also provides a built-in reverse proxy that can be federated with Workspace ONE Access and other Identity Providers to secure access to internal web sites. This proxy can natively integrate with Conditional Access provided by Workspace ONE Access, and can also provide identity bridging to legacy-authenticated services.
Hands-on Labs for Unified Access Gateway
You can access the Hands-on Labs (HOL) to try out the Unified Access Gateway product. You need to have a MyVMware account to access HOL.
Documentation of an Older Release
To access old versions of Unified Access Gateway documentation, select Archived Documentation folder in the left navigation panel. Click the release version link to download the zip file containing PDFs.
This blog was created as a point-in-time reference. For the latest information, read the Configuring Horizon Edge Service in VMware Unified Access Gateway operational tutorial.
The VMware Unified Access Gateway (formerly called Access Point) is a platform that provides secure edge services and access to defined resources that reside in the internal network. This allows authorized, external users to access internally located resources in a secure manner.
This blog and the accompanying videos give an overview of the Unified Access Gateway. We also cover deployment requirements, options and demonstrations of the two deployment methods. Lastly, we include information on scaling, upgrades, authentication options, logs and troubleshooting.
Supported Use Cases
The Unified Access Gateway can be used for multiple use cases, including:
- Remote access to VMware Horizon 7 desktop and applications
- Reverse proxying of web servers
- Access to on-premises legacy applications that use Kerberos or header-based authentication with identity bridging from SAML or certificates
- Provision of VMware AirWatch or VMware Workspace ONE Per-App Tunnels and Tunnel Proxy to allow mobile applications secure access to internal services
- Running the VMware Content Gateway service to allow VMware Content Locker access to internal file shares or Microsoft SharePoint repositories
These use cases can be mixed to run multiple services on the same Unified Access Gateway instance or separated out on multiple Unified Access Gateway instances, depending on the desired architecture and the scale of the environment.
Other Unified Access Gateway Documentation Resources
A video that shows you how to deploy and configure Unified Access Gateway for Horizon use cases.
Additional videos and information about the fundamentals of using Unified Access Gateway with VMware Workspace ONE and VMware Horizon 7.
To simplify the deployment of the Unified Access Gateway appliance as the Workspace ONE security gateway, sizing recommendations are added to the deployment configurations for the appliance. VMware Configuration Maximums is a portal that contains the sizing recommendations for Unified Access Gateway and several other products.
An article that lists the load balancing requirements and configurations of Unified Access Gateway for Horizon use cases.
A blog that highlights the overview, deployment, security, high availability, and scalability aspects of Unified Access Gateway.
How Is Unified Access Gateway Deployed?
The short answer is that UAG is deployed very quickly and very easily! UAG is packaged in Open Virtualization Format (OVF) as a single .ova file and is deployed onto a vSphere ESX or ESXi host as a pre-configured virtual appliance VM that is locked down and set up for production operation on first boot.
Figure 2: Deploying the UAG OVF Template in vSphere Web Client with vCenter
As shown in Figure 2, a basic install, where settings can be specified in a deployment wizard, can be performed through the vSphere Web Client with vCenter using the Deploy OVF Template option and selecting the UAG OVA virtual appliance image file. You are prompted for some basic settings such as its IP addresses, management interface passwords, and a forwarding URL, and UAG is then set up. The administrator can then use the UAG admin UI to configure additional settings.
For Windows administrators, PowerShell can be used to deploy UAG automatically. With the PowerShell command, all of the settings come from a .ini file. This method ensures that UAG is “Production ready on first boot” and it simplifies management as the .ini file can be re-used for future deployments. Deploying an upgraded UAG appliance then simply involves changing the source .ova file reference and re-running the deployment command. This deploys an upgraded UAG and all the initial settings are re-applied automatically. The process takes around 2 minutes depending on vSphere compute, network and storage performance, after which no manual configuration steps are required. Refer to Using PowerShell to Deploy VMware Unified Access Gateway for details including sample .ini files to help get started.
One of the unique features of UAG is the almost zero level of ongoing management required. All of its dynamic configuration settings and access-control security rules are automatically determined from the backend server systems, such as Horizon Connection Server, so that it immediately adapts to changes in entitlement policies. UAG does support a full admin UI and a management REST API for getting and setting static configuration values, but the general approach is to deploy it with all configurations applied at the outset. You deploy it, and apart from monitoring it, you just leave it alone.
Syslog-based monitoring is supported with UAG. You can use any syslog environment to capture UAG events, and full vRealize Log Insight integration is supported.
For production environment deployments, I would certainly recommend using the scripted, unattended PowerShell deployment method. This gives you a predictable and repeatable deployment for all UAG virtual appliances and takes care of any advanced settings you need to specify. On first start-up, you then know it is fully configured, fully secured, and immediately ready to operate. The scripted deployment method also makes it easier to deploy upgraded images as they become available. The script can be re-used and altered to reference a newer UAG OVA image. The original can be destroyed, and a newer replacement can be quickly deployed, and all the exact same settings will be automatically applied.
Monitor Sessions
In UAG 3.4 and newer, in the UAG Admin interface,
Where Can I Get More Information About Unified Access Gateway?
By Mark Benson, Senior Architect and Senior Staff Engineer, End-User-Computing CTO Office, VMware
Mark Benson
Mark Benson is a senior staff engineer for the VMware EUC CTO Office (specializing in desktop and application virtualization technologies such as authentication, security, HA and remote access) and senior…
PowerShell Deploy Script
Mark Benson at VMware Communities Using PowerShell to Deploy VMware Unified Access Gateway has a PowerShell script that runs OVF Tool to deploy and configure Unified Access Gateway. The PowerShell script is updated as newer versions of Unified Access Gateways are released. This is the recommended method of deploying Unified Access Gateway.
If you prefer to use vSphere Client to Deploy the OVF file, skip ahead to Upgrade or Deploy.
In UAG 3.3.1.0 and newer, the PowerShell deployment script is downloadable from the UAG download page.
The PowerShell deploy script requires the OVF Tool:
Create or Edit a UAG .ini configuration file:
- Or copy and edit one of the downloaded .ini files, like uag2-advanced.ini.
- If your Horizon Connection Servers each have different certificates, then you can include multiple thumbprints (comma separated).
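The Thumbprint / Thumbprint algorithm values entered in the Horizon Settings walkthrough above, and the comma-separated list of thumbprints this list item describes, are digests over the Connection Server certificate's DER bytes. The helper below is an added example (not from the page, VMware's scripts or the UAG appliance): it extracts certificate blocks from a PEM bundle, renders thumbprints in the colon-separated sha1=/sha256= form, and validates a thumbprint copied from the Windows certificate dialog, including the invisible U+200E character that dialog can prepend. Assumptions: the exact thumbprint format and the .ini key name proxyDestinationUrlThumbprints are taken from VMware's sample .ini files rather than this page, and the sample PEM block is a constructed stand-in whose body decodes to the bytes "abc", not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
DIGEST_HEX_LEN = {"sha1": 40, "sha256": 64}   # algorithms UAG accepts (assumed)

def pem_blocks(bundle: str) -> list:
    """DER bytes of every CERTIFICATE block in a PEM bundle, in file order
    (the page wants the server certificate first, intermediates below it)."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_CERT_RE.finditer(bundle)]

def uag_thumbprint(der: bytes, algorithm: str = "sha1") -> str:
    """Thumbprint in the form the UAG Horizon settings take: '<alg>=' followed by
    colon-separated lowercase hex of the digest over the DER bytes (format assumed)."""
    if algorithm not in DIGEST_HEX_LEN:
        raise ValueError(f"unsupported thumbprint algorithm: {algorithm}")
    hexdigest = hashlib.new(algorithm, der).hexdigest()
    return f"{algorithm}=" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def thumbprint_list(ders, algorithm: str = "sha1") -> str:
    """Comma-separated value for the case where each Connection Server has its own
    certificate (.ini key proxyDestinationUrlThumbprints, assumed from VMware's samples)."""
    return ",".join(uag_thumbprint(d, algorithm) for d in ders)

def parse_thumbprint(value: str) -> tuple:
    """Normalise a thumbprint copied from the Windows certificate dialog: drop the
    invisible U+200E mark the dialog can prepend, accept spaces or colons and any case,
    and check that the digest length matches the named algorithm."""
    cleaned = value.replace("\u200e", "").strip().lower()
    algorithm, sep, hexpart = cleaned.partition("=")
    if not sep:
        raise ValueError("thumbprint must be written as sha1=... or sha256=...")
    expected = DIGEST_HEX_LEN.get(algorithm)
    if expected is None:
        raise ValueError(f"unsupported thumbprint algorithm: {algorithm}")
    hexpart = re.sub(r"[\s:]", "", hexpart)
    if not re.fullmatch(r"[0-9a-f]+", hexpart):
        raise ValueError("thumbprint contains non-hex characters")
    if len(hexpart) != expected:
        raise ValueError(f"{algorithm} thumbprint needs {expected} hex digits, got {len(hexpart)}")
    return algorithm, bytes.fromhex(hexpart)

def is_valid_thumbprint(value: str) -> bool:
    """True when the value parses as a well-formed sha1= or sha256= thumbprint."""
    try:
        parse_thumbprint(value)
        return True
    except ValueError:
        return False

def matches(value: str, der: bytes) -> bool:
    """True when the entered thumbprint is the digest of this certificate's DER bytes,
    i.e. the value UAG will compare against the Connection Server's TLS certificate."""
    algorithm, digest = parse_thumbprint(value)
    return hmac.compare_digest(hashlib.new(algorithm, der).digest(), digest)

# Constructed stand-in (not a real certificate): a PEM block whose body decodes to the
# bytes b"abc", so the digests are the well-known SHA-1 / SHA-256 values of "abc".
SAMPLE_BUNDLE = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for der in pem_blocks(SAMPLE_BUNDLE):
        print(uag_thumbprint(der), uag_thumbprint(der, "sha256"))
```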
When you run the PowerShell script, if the UAG appliance already exists, then the PowerShell script will replace the existing appliance. There’s no need to power off the old appliance since the OVF tool will do that for you.
VMware Horizon
Unified Access Gateway equips remote workers anywhere, anytime with secure accesses to Horizon virtual desktops and applications. Unified Access Gateway is designed to be Internet facing in a cloud tenant edge or DMZ network and meets advanced industry compliance and security standards. Multi-factor user authentication for Horizon is enhanced with built-in support for user identity federation with leading SAML identity providers. Fine-grained access controls for authorized protocol access to desktop and application resources are enforced automatically.
Scaling Unified Access Gateway
With a configured Unified Access Gateway, you can export the settings and use those to quickly deploy and configure new appliances. With a load balancer situated in front of the Unified Access Gateway instances, you can scale up and down the number of appliances quickly.
Understanding Unified Access Gateway on VMware TechZone.
Installing and configuring VMware Unified Access Gateway.
We will install VMware UAG on the ESXi host set up in step 1.
What Is Unified Access Gateway?
Unified Access Gateway (UAG) is a virtual appliance primarily designed to allow secure remote access to VMware end-user computing resources from authorized users connecting from the internet. UAG supports VMware Horizon, VMware Identity Manager and VMware AirWatch use cases but this post focuses just on the Horizon functionality. UAG provides this secure connectivity to desktops and applications that are either cloud-hosted through VMware Horizon Cloud or on-premises in a customer data center through Horizon 7.
A connection from a Horizon Client or browser on the internet, whether to on-premises or cloud-hosted end-user computing resources, presents a security challenge. An enterprise needs strong assurance of the identity of the user, and also needs to precisely control access to their entitled desktops and applications.
Figure 1: A Single Access-Point Appliance Deployed in a DMZ
For those of you who are familiar with Horizon security server, UAG provides similar but enhanced functionality.
UAG virtual appliances are typically deployed in a network demilitarized zone (DMZ), and they ensure that all traffic entering the data center to desktop and application resources is traffic on behalf of a strongly authenticated user. UAG virtual appliances also ensure that the traffic for an authenticated user can be directed only to desktop and application resources to which the user is actually entitled. This level of protection involves specific inspection of desktop protocols and coordination of potentially rapid changing policies and network addresses, and so on, to be able to accurately control access.
The main difference from Horizon security server is that UAG is implemented as a hardened, locked-down, preconfigured Linux-based virtual machine, as opposed to software running on a general-purpose Windows operating system. UAG also scales differently; the restriction to pair it with a single Horizon Connection Server has been removed. You can connect a UAG appliance to an individual Horizon Connection Server, or you can connect it through a load balancer in front of multiple Horizon Connection Servers, giving improved high availability. It acts as an enforcing man-in-the-middle between Horizon Clients and backend Horizon Connection Servers, and because deployment is so fast, it can rapidly scale up or down to meet the demands of fast-changing enterprises.
Does Unified Access Gateway Replace Horizon Security Server?
Horizon security server currently remains fully supported in Horizon 6 and Horizon 7. If you have deployed Horizon security server in your on-premises Horizon environment you can continue to use Horizon security server as before, or you can replace it with a UAG appliance.
As I have mentioned earlier in this article, UAG does offer enhanced functionality to Horizon security server. What we do expect, is that with significant research and development investments in UAG, we are rapidly developing improved capabilities, and this does mean that Horizon security server will probably be phased out or at least deprecated. Dates for this have not yet been decided.
For the Horizon Cloud use case with cloud-hosted desktops and applications, Horizon security server cannot be used, and therefore UAG must be used. It is built into Horizon Cloud, anyway.
Other UAG Configurations
- With the High Availability Virtual IP address, you might not need load balancing of the UAG appliances. See Unified Access Gateway High Availability at VMware Docs.
- The High Availability feature requires three IP addresses and three DNS names:
- One IP/FQDN for the High Availability Virtual IP.
- And one IP/FQDN for each appliance/node.
- Browse to a PEM keyfile. If not running Unified Access Gateway 3.0 or newer, then certificates created on Windows (PFX files) must be converted to PEM before they can be used with Unified Access Gateway. You can use openssl commands to perform this conversion. The private key should be unencrypted.
- Browse to a PEM certificate file (Base-64) that contains the server certificate, and any intermediate certificates. The server certificate is on top, the intermediate certificates are below it. The server certificate must match the public FQDN (load balanced) for the Unified Access Gateway.
- Click Save when done.
- UAG 3.9 and newer let you upload the Opswat Endpoint Compliance on-demand agent executables. Horizon Client downloads the executables from UAG and runs them. See Upload OPSWAT MetaAccess on-demand agent Software on Unified Access Gateway at VMware Docs.
- In UAG 20.09 and newer, Outbound Proxy Settings can be configured to allow UAG to contact the Opswat servers when checking for device compliance.
- The exported JSON file does not include the UAG certificate so you’ll also need the .pfx file.
589 thoughts on “VMware Unified Access Gateway 2203”
Hi Carl, Was wondering if you could point me in the right direction. I have up and running UAG 2.9. The issue I’m having is with the TLS Server certificates. The UAG is a one NIC deployment sat in our DMZ, firewall controls internal/external access. DigiCert have generated two certs from the certreq I sent them. They have been sent to me in .crt format. The appliance is asking me to upload ‘private key’ and ‘certificate chain’ in PEM format. I have renamed the file to the PEM extension and tried to upload. The fields when I click ‘save’ turn red :(. Any suggestions / help to get the public facing cert working would be appreciated. Thanks.
Where did you generate the private key? If on IIS, you need to complete the certificate there first, and then export to PFX (UAG 3.0 can import the .pfx file). If a Linux box, then you need to get the private key from it and combine it with the certs you got from DigiCert.
Thanks for getting back to me Carl, I’m a bit of a novice when it comes to certificates, managed fine with the internal stuff. Not sure if this was the correct method but to summarize – the private key was generated via ssh session to the UAG. Created a configuration file, generated the CSR from the configuration file
(WinSCP was used to upload config file / download the files generated) vdi.key and vdi.csr – were the files sent to digicert CA. The files sent back to me from Digicert are two .crt files and they have the following format;
-----BEGIN CERTIFICATE-----
MIIElDCCA3ygAwIBAgIQAf2j627Q4tyS8+8kTANBgkqhkiG9w
MQswCQYDVQQGEwGA1UEChMMRGlnaUNlcnQgSW5jMR
………….
-----END CERTIFICATE-----
I have now combined the certs, however is it the formatting that is preventing this from working? I’ve read about One-Line PEM Format. Is there some tool or command line utility I’ve missed.
The last thing you want to do is upload your certs to test. You may have just given away your Private KEY!
The One-Line format is only needed for REST configuration. Otherwise, my instructions starting with step 28 in the Admin Interface section should detail how to upload the certificate and the format for the files. You upload the .key file. And you upload the .cer file with the server certificate on top and intermediate certificate below it.
does anyone know where to get the hyper-v version?
I'm not able to find it somehow…
sad but true, thanks 🙂
Has anyone experienced the issue while deploying 2.9 where the root or admin password do not work? I’ve checked to make sure my password complies with the requirements, but it doesn’t matter whether I use the powershell script or the web client to deploy the appliance. The password won’t work at all
Hello Carl! Your blog is excellent!
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Thu Mar 30 14:16:38 UTC 2017
There was an unexpected error (type=Not Found, status=404).
Not Found
Could you please help me? This is the first time I have encountered this error.
Was there a typo in the address or URL ? You might see this error for those scenarios
I’ve configured AP as a reverse proxy for VIDM, however it REDIRECTS to VIDM’s internal FQDN. Any idea why this is happening? Based on my understanding, it should stay at the AP’s external URL all the way so that it can be externally resolvable, correct?
Really need some help here!
Few updates
1. Not much linux skills are needed to deploy so following could be removed
“However: It’s Linux so you need some Linux skills.”
2. Version section could be updated
UAG ver are backward compatible with Horizon version and min version supported per the interop matrix on 6.2.x is AP 2.5.1 and HZ 7.x is UAG_v2.9
IDM also min version now supported is 2.8.1
Hi Vish, thanks for your recommendations.
1. I changed the Linux comment to restrict it to Troubleshooting only.
2. The Interoperability Matrix shows that only two versions of Horizon are supported with UAG 2.9. Maybe the matrix hasn’t been updated yet? And I don’t see any Identity Manager with 2.9.
3. I linked to the Pubs article, but I didn’t see any differences with my firewall rules list.
4. I wasn’t aware of that. I found some confusing documentation and linked to it.
5. Correct. I try to avoid removing old content in case somebody still wants to read it. But each of those sections links to earlier sections that use the preferred configuration methods.
Hi Carl,
did you configure AP 2.8 as a reverse proxy for identity manager ? I do not find it, and proxy pattern found on the documentation does not seems to work. I get error: “ERR_TOO_MANY_REDIRECTS”.
Question, how do you get to the GUI on the AP if there is only a single NIC and it is in our DMZ? I am unable to access it from a device that is internal even when the AP is configured to my internal DNS servers.
9443 is not reachable?
Hi Carl
Very Nice writeup. Article needs some updates
1. Another benefit of AP over security server is additional security with DMZ authentication
Some of the Authentication methods supported on AP are RSA SecurID, RADIUS, CAC/certificates
2. “No management GUI. Use REST instead.” — Starting APv2.8 there is GUI available
3. Versions – Minimum version to use AP is Horizon View v6.2 and upwards.
– APv2.7.2 and upwards single image could be used for Horizon and IDM
– Latest version of AP are backwards compatible, please refer the compatibility matrix for each version
4. VMW recommends using either Powershell scripts or Admin GUI to deploy AP.
demo video link is outdated so could be removed
Looks like I should have removed a couple items when updating for 2.8. Let me know if you find anything else. Thanks.
Great article! Glad to see you keep it up-to-date with the new versions. 2.8 is so much easier to deal with than 2.0.0…
Thanks for help
After struggling with Access Point 2.8 and the new GUI, we found out that there are multiple bugs. Importing SSL certificates (PEM files) using the interface does not work correctly. Use the swagger to import or create a custom ini file to deploy Access Point 2.8 through Powershell. Don’t depend on the GUI.
Another problem we have seen is to disable 2 factor authentication after configuring this in the GUI. The GUI won’t allow you to disable these settings.
VMware confirmed this after a 2 day investigation.
The biggest problem we ran into is to create the PEM files including the VIP. There is no direction / no correct information from VMware how to do this.
Could you please explain what you needed to do to get it to work. You talk about the biggest problem being the VIP PEM files. If you could write up what you had to do that would be greatly appreciated.
How Is This Different from a VPN?
If you choose to use a Virtual Private Network (VPN), Horizon fully supports remote access to desktops and applications via a VPN. A VPN can certainly meet the requirement of ensuring that traffic into the internal network is forwarded only on behalf of a strongly authenticated user. In that respect, UAG and a commercial-grade VPN are similar. There are some considerations, though, that should be pointed out.
- Access control management. UAG applies access rules automatically. UAG has the additional benefit that it recognizes not only the user’s entitlements, but also the addressing needed to connect internally, which can change quickly! To some extent, a VPN can do the same, because most VPNs allow an administrator to configure network connection rules for every user or group of users individually. At first, this works well with a VPN, but usually involves significant administrative effort to keep up with the required rules. Quite often this is too much for an administrator to manage, and either too many authorized resources end up blocked, or unauthorized resources end up being allowed. The easy response for a VPN administrator is to allow unchecked access to any resource on the internal network; authenticate to the VPN, and you have complete access to the corporate network as though you were on the internal network. This is easy for the administrator, but usually a concern for corporate security. Not all, but many, VPN administrators will adopt this low-cost operational approach.
- User interface. A VPN often requires that the end user first set up the VPN software and authenticate separately before launching the Horizon Client. This may be secure, but users do not like this extra step. UAG does not alter the straightforward Horizon Client user interface at all, and eliminates the extra (VPN) step. The user launches the Horizon Client, and as long as the authentication is successful, they are into their Horizon environment, and have precisely controlled access to their desktops and applications.
- Performance. Not all, but many, VPNs are implemented as SSL VPNs. These certainly meet security requirements and, with Transport Layer Security (TLS) enabled, are usually considered secure, but the underlying protocol with SSL/TLS is just TCP-based. With modern video-remoting protocols exploiting connectionless UDP-based transports, the performance benefits can be significantly eroded when forced over a TCP-based transport. This does not apply to all VPN technologies, as those that can also operate with DTLS or IPsec instead of SSL/TLS can work well with Horizon desktop protocols. UAG is specifically designed to maximize security and maximize performance. It does not have to be a compromise between the two. With UAG, PCoIP, HTML access, and WebSocket protocols are secured without requiring additional encapsulation, and so UAG gives the best possible user experience.
I am not saying that you should not use a VPN with Horizon desktops and hosted applications, although with UAG it is unnecessary. What I am saying is to make sure the administrative effort, the user experience for setup, and the desktop protocol performance are all considered before using VPN technology with Horizon. The first concern about accurate access controls can be addressed by using VPN technology in combination with UAG. The performance degradation with a VPN can be significantly reduced by using VPN technology that efficiently handles UDP. These are typically DTLS or IPsec-based instead of SSL/TLS-based.
Deploy New
Horizon Compatibility – Refer to the interoperability matrix to determine which version of Unified Access Gateway is compatible with your version of Horizon.
- The latest version of UAG is 2203, which is newer than version 3.10. Version 2203 means March 2022 in YYMM format. Version 2111 is an Extended Service Branch (ESB) with 3 years of support. Version 2111.2 is newer than version 2111 and includes a fix for the log4j vulnerability.
- Use the Select Version drop-down to select the version of Horizon you have deployed.
- Then open the downloads for the edition that you are entitled to: Standard, Advanced, or Enterprise.
- Scroll down the page to see the Unified Access Gateway downloads. You usually want the Non-FIPS version.
- Then download the PowerShell deployment scripts on the same UAG download page.
To deploy the Unified Access Gateway using VMware vSphere Client:
How Does User Authentication Work?
User authentication in pass-through mode is very similar to the Horizon security server. Supported user authentication methods through UAG include:
- Active Directory domain password
- Kiosk mode
- RSA SecurID two-factor
- RADIUS via a number of third party, two-factor security-vendor solutions
- Smart card, CAC, or PIV X.509 user certificates
- SAML
These authentication methods are supported in combination with Horizon Connection Server. There is no requirement for UAG to communicate directly with Active Directory. This communication is proxied via the Horizon Connection Server, which can directly access Active Directory.
In addition to pass-through authentication, UAG can instead be configured to perform the initial user authentication itself. This is particularly important for secure environments where proper “edge” authentication in the DMZ is required. This applies to smart card authentication, and to two-factor authentication using RSA SecurID or RADIUS. A user must pass the strong UAG two-factor authentication in the DMZ before any traffic for that user enters the data center. Any traffic that is not on behalf of a strongly authenticated user is discarded in the DMZ.
After the user session has been authenticated according to the authentication policy, UAG is then able to forward requests for entitlement information, and desktop and application launch requests, to Horizon Connection Server. UAG is also able to manage its desktop and application protocol handlers to allow them to forward only authorized protocol traffic.
Load Balancing
For VMware NSX load balancing of Unified Access Gateways, see the VMware® NSX for vSphere End-User Computing Design Guide 1.2.
To help with load balancing affinity, UAG 3.8 and newer can redirect the load balanced DNS name to a node-specific DNS name. This is configured in Edge Service Settings > Horizon Settings > More (bottom of page).
Secure Deployments
Unified Access Gateway is usually deployed in the DMZ, runs on a hardened version of SUSE Linux Enterprise Server 12, and is currently undergoing FIPS and Common Criteria certification. It is intended as a replacement for older gateway solutions, such as the Horizon security server, the AirWatch Tunnel and the standalone Content Gateway.
To enhance security options, Unified Access Gateway provides many integration options for authentication, including smart card, certificates, SAML pass-through, RADIUS and RSA SecurID. The Unified Access Gateway architecture keeps unauthenticated traffic in the DMZ. Traffic is allowed through to the internal network only after authentication has been successful.
Deploying Unified Access Gateway With the vSphere OVF Template
The vSphere OVF template deployment method is a two-phase process. First, use the VMware vSphere Client to deploy the virtual machine using the OVF template option. Second, log in to the Unified Access Gateway administrator console on the deployed virtual machine to configure the Unified Access Gateway appliance and edge services.
Deploying Unified Access Gateway With PowerShell
The PowerShell deployment method for Unified Access Gateway allows for the mastering of all settings into a single INI file, including the Unified Access Gateway appliance settings and the edge services. This means the Unified Access Gateway appliance is fully configured with certificates and edge services on first boot. This aids with repeat installations and upgrades, and expedites large deployments.
Download
First, get the latest files:
Configure
Next, configure the PowerShell script for your environment.
1. From “Using PowerShell to Deploy VMware Unified Access Gateway,” download the uagdeploy-310-v3.zip or later file and extract the contents.
2. Make a copy and edit one of the sample INI files (such as uag2-advanced.ini).
3. Enter your information as required for the General and SSLCert sections.
Leave all other lines as they are. In the following example, spaces and comment lines have been removed to conserve space.
4. Copy, paste and complete edge service sections from the sample INI files as required.
5. As an example, to add secure external access to Horizon 7 resources, retain or copy in the [Horizon] section of the uag2-advanced.ini file and paste it into your INI file at the end. Change the following to the relevant values for your environment.
In the previous example:
Deploy
Now you are ready to deploy the Unified Access Gateway appliance.
- Open a PowerShell prompt and change to the directory where the scripts and your INI file are located.
- Be sure to use the uagdeploy.ps1, uagdeploy.psm1 and uagdeployhv.ps1 supplied with the uagdeploy-310-v3.zip file or later.
- Make sure that script execution is unrestricted for the current user. You can do this by running the command:
- set-executionpolicy -scope currentuser unrestricted
- You only need to run this once, and only if it is currently restricted.
- If you get a warning about running this script, you can unblock that warning by running the command:
- unblock-file -path .\uagdeploy.ps1
- Run .\uagdeploy.ps1 .\.ini and follow the prompts, entering the passwords.
- You can optionally specify the admin and root passwords as parameters which will prevent you being prompted for them.
- After the process is complete, wait a few minutes for the Unified Access Gateway appliance to boot completely.
You can monitor this process in the vSphere Client to see when the assigned IP address is reported on the summary page for the VM. If you have all the settings in the INI file completed correctly, and your certificates are in order, you will have a fully operational Unified Access Gateway that will proxy connections to your Horizon Connection Servers.
Log in to the Unified Access Gateway administrator console to check the configuration and service statuses and to add or change the configuration. If you change any settings, such as adding a new edge service, remember to export the settings and update your INI file to reflect your changes.
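One way to script the Deploy steps above end to end, as an added example that is not from the page or from VMware: it checks that the INI contains the sections the Configure steps fill in, relaxes the execution policy only when it is actually restricted, unblocks the three supplied scripts, and then calls uagdeploy.ps1 with the passwords passed as parameters. Assumptions: the scripts and your INI file are in the current directory, and uagdeploy.ps1 accepts -iniFile, -rootPwd and -adminPwd (the parameter names of VMware's sample script, assumed here).

```powershell
# Added example (not VMware's code): pre-flight checks plus the deploy call.
param(
    [Parameter(Mandatory)] [string] $IniFile,
    [string] $DeployScript = '.\uagdeploy.ps1'   # assumed location of the sample script
)
$ErrorActionPreference = 'Stop'

# 1. Parse the INI into @{ section = @{ key = value } } so a missing section
#    is caught here rather than part way through an OVF deployment.
function Read-Ini([string] $Path) {
    $ini = @{}; $section = ''
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#') -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        if ($line -match '^([^=]+)=(.*)$') {
            if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $ini
}

$cfg = Read-Ini $IniFile
# The Configure steps fill in [General] and [SSLCert] and paste in a [Horizon] section.
foreach ($required in 'General', 'SSLCert', 'Horizon') {
    if (-not $cfg.ContainsKey($required)) { throw "INI is missing the [$required] section" }
}

# 2. Execution policy: only change it if it is currently restricted (as the page notes).
if ((Get-ExecutionPolicy -Scope CurrentUser) -eq 'Restricted') {
    Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force
}

# 3. Clear the "downloaded from the Internet" block on the scripts from the uagdeploy zip.
Get-ChildItem -Path .\uagdeploy.ps1, .\uagdeploy.psm1, .\uagdeployhv.ps1 | Unblock-File

# 4. Prompt once for both appliance passwords without echoing them, then deploy.
#    The sample script takes plain-text password parameters, so convert just before the call.
$rootPwd  = Read-Host -Prompt 'UAG root password'  -AsSecureString
$adminPwd = Read-Host -Prompt 'UAG admin password' -AsSecureString
$plainRoot  = [System.Net.NetworkCredential]::new('', $rootPwd).Password
$plainAdmin = [System.Net.NetworkCredential]::new('', $adminPwd).Password

& $DeployScript -iniFile $IniFile -rootPwd $plainRoot -adminPwd $plainAdmin
```

After the script returns, watch the VM summary page in the vSphere Client for the reported IP address before logging in to the administrator console.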
What About Scalability and High Availability?
One of the features of VMware Horizon is that deployments can avoid any single points of failure. UAG appliances scale horizontally so that as traffic load requirements increase, you add more UAG appliances behind a general-purpose load balancer. If a UAG appliance goes down for any reason, the load balancer becomes aware of this through health monitoring and directs traffic to the other UAG appliances. This response also serves to spread load across all available appliances.
Figure 3: Multiple UAG Appliances Deployed Behind a Load Balancer
UAG is also able to communicate with backend Horizon Connection Servers via a load balancer, so if a Connection Server is down for any reason, this does not reduce the capacity for desktop and application protocol handling within the DMZ.
UAG supports roughly 2,000 sessions. The actual number depends very much on the display traffic used by each user. If 2,000 sessions underperform, or place high resource demands on the appliance, then the load can be spread to say 1,000 sessions on each of two appliances, or even 500 sessions on each of four appliances. Because UAG is quick and easy to deploy, you can increase or reduce the number of UAG appliances according to demand and monitored use.
There really is no limit to the number of UAG appliances that can be deployed because there is no communication between them, and they are therefore all independent of one another.
Additional use cases for Workspace ONE
Unified Access Gateway serves as a secure black box for deploying other Workspace ONE components, including Content Gateway and Secure Email Gateway. These gateways can be used in conjunction with the Workspace ONE Content app, Workspace ONE Boxer app, and other native and third-party mail clients.