Deploy Unified Access Gateway (UAG) 3.0 with Horizon

Hi All,

In this post we will deploy UAG 3.0 for Horizon. As you might be aware, UAG is the next Security Server for Horizon. It is also a unified gateway for other services: Horizon, Reverse Proxy, VMware Tunnel, and SEG (Secure Email Gateway) as a tech preview for AirWatch or Workspace ONE.

Edge Services

There are lots of deployment options, so use the guides wisely. UAG can also be placed in front of VMware Identity Manager as a reverse proxy. As always, please check the latest guides, as there is a lot of new material in each version. You can find the latest at: https://www.vmware.com/support/pubs/access-point-pubs.html

I must note that with UAG, 1-to-1 pairing with a Connection Server is no longer necessary. The UAG can now talk to a pair of Connection Servers:

 

UAG Topology in DMZ


The deployment is very easy and quick:

  1. Download the OVF.
  2. Deploy the OVF.
  3. Create DNS records for the OVF.
  4. Log in to the Admin interface and configure Edge Services.

That's all.

Quick recap with screenshots (I am not going into the details of deploying OVF templates, but during the deployment you need to select the NIC leg option (one, two, and so on) per your environment and then enter the IP, DNS, and other information into the configuration). There is already a great guide about this:

https://docs.vmware.com/en/Unified-Access-Gateway/3.0/com.vmware.access-point-30-deploy-config.doc/GUID-FFC6B49E-07E2-42F0-AA6D-8811E5340BD6.html 

You can also use PowerShell to deploy the OVF. Up to you.

Once you log in to the UAG Admin interface at https://UAGServer:9443/admin, unhide Edge Services and configure Horizon:

Horizon-EdgeServices-UAG

Go to the Connection Server and edit the Tunnel settings; that is, untick all of them:

 

ConnectionSErver

Then you are almost set. One thing you need to remember is that if you will be using HTML Access, due to security settings on the Connection Server, you need to make some changes to a config file:

You need to create locked.properties (the path is: C:\Program Files\VMware\VMware View\Server\sslgateway\conf) and add one of the following to this file, per your environment:

  • checkorigin=false
  • balancedHost=Loadbalancer FQDN
  • portalHost.1=UAGName1
    portalHost.2=UAGName2
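An added example, not from the original post: a small Python check that can be run against a copy of locked.properties to see which of the three options is in effect. It flags checkorigin=false, which switches the origin check off instead of listing the load balancer or UAG names. The host names, sample files, and function names are assumptions made for illustration.

```python
import re

# Constructed sample files (host names are placeholders, not from the post).
WEAK = "checkorigin=false\n"
STRICT = ("# list the names clients connect through\n"
          "balancedHost=horizon.example.com\n"
          "portalHost.1=uag1.example.com\n"
          "portalHost.2=uag2.example.com\n")

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            # Keys are lower-cased here only so the audit matches any spelling.
            props[key.strip().lower()] = value.strip()
    return props

def audit_locked_properties(text, expected_hosts):
    """Return findings for the origin-check settings; empty list = nothing flagged."""
    props = parse_properties(text)
    allowed = {v.lower() for k, v in props.items()
               if k == "balancedhost" or re.fullmatch(r"portalhost\.\d+", k)}
    findings = []
    if props.get("checkorigin", "").lower() == "false":
        # With the check switched off, the host entries are not what admits a client.
        findings.append("checkorigin=false disables the origin check entirely")
        if allowed:
            findings.append("host entries are present; consider removing "
                            "checkorigin=false and relying on them")
        return findings
    for host in expected_hosts:
        if host.lower() not in allowed:
            findings.append(f"{host} is not in balancedHost or portalHost.N")
    return findings

if __name__ == "__main__":
    names = ["horizon.example.com", "uag1.example.com", "uag2.example.com"]
    for label, text in (("weak", WEAK), ("strict", STRICT)):
        print(label, audit_locked_properties(text, names) or "no findings")
```

Pass the names users actually connect through (the load balancer FQDN and each UAG name) as `expected_hosts`.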

Please also refer to:

It may also be a good idea (recommended) to change the self-signed certificate after installation. Within the UAG Admin interface, go to TLS Server Certificate Settings and upload a PFX or PEM. For PFX, if you get an error like the one below, try copying the GUID from the error message into the Alias field:

 

pfx

You may also refer to the video in another post of mine (although it is in Turkish).

Hope this helps.

Good luck.

Bulent Tolu


Sr. Systems Engineer at VMware
Bulent is an IT professional with a Master's in MIS and 10 years of experience in a broad range of information technologies. He has been exposed to engineering/architecting, implementation/integration, and administration of various highly available IT systems and infrastructure. He has a passion for continually researching, testing and evaluating new technologies and following industry best practices to secure and optimize IT systems. Currently, he lives in Istanbul and works as a Sr. Systems Engineer at VMware.