Deploy Unified Access Gateway (UAG) 3.0 with Horizon
In this post we will deploy UAG 3.0 for Horizon. As you might be aware, UAG is the successor to the Security Server for Horizon. It is also a UNIFIED gateway for other services: Horizon, Reverse Proxy, VMware Tunnel, and SEG (Secure Email Gateway), the last as a tech preview for AirWatch or Workspace ONE!
There are lots of deployment options, so use the guides wisely. UAG can also be placed in front of VMware Identity Manager as a reverse proxy. As always, please check the latest guides, as there is a lot of new material in each version. You can find the latest at: https://www.vmware.com/support/pubs/access-point-pubs.html
I must note that with UAG, 1-to-1 pairing with a Connection Server is no longer necessary. The UAG can now cross-talk to a pair of Connection Servers:
UAG Topology in DMZ
- Need to download OVF
- Deploy OVF
- Create DNS records for OVF
- Log in to the Admin interface and configure Edge Services.
Quick recap with screenshots. I am not going into the details of deploying OVF templates, but during the deployment you need to select the NIC leg option (one, two, etc.) per your environment and then enter the IP, DNS, etc. information into the configuration. There is already a great guide about this:
You can also use PowerShell to deploy the OVF. Up to you.
Once you log in to the UAG Admin interface at https://UAGServer:9443/admin, unhide Edge Services and configure Horizon:
Go to the Connection Server and edit the Tunnel settings, that is, untick all of them.
Then you are almost set. One thing to remember: if you will be using HTML Access, the security settings on the Connection Server require some changes to a config file:
You need to create locked.properties (the path is: C:\Program Files\VMware\VMware View\Server\sslgateway\conf) and add one of the following to this file, per your environment:
- balancedHost=Loadbalancer FQDN
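One way to script the locked.properties step above on the Connection Server, as an added example that is not from the original post. It sets only the balancedHost key, keeps any other lines already in the file, and assumes a hypothetical helper name (Set-LockedProperty) and a placeholder FQDN (lb.example.com).

```powershell
# Added example (not from the original post). Set-LockedProperty is a
# hypothetical helper; lb.example.com is a constructed placeholder FQDN.
function Set-LockedProperty {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Value
    )

    # Refuse to run where the conf folder is absent (not a Connection Server).
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        throw "Folder not found: $dir"
    }

    $lines = @()
    if (Test-Path -LiteralPath $Path) {
        # Keep a copy of the current file so the change can be rolled back.
        Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
        $lines = @(Get-Content -LiteralPath $Path)
    }

    # Replace the first existing "Key=" line, drop duplicates, keep the rest.
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*='
    $out = New-Object System.Collections.Generic.List[string]
    $found = $false
    foreach ($line in $lines) {
        if ($line -match $pattern) {
            if (-not $found) { $out.Add("$Key=$Value"); $found = $true }
        } else {
            $out.Add($line)
        }
    }
    if (-not $found) { $out.Add("$Key=$Value") }

    # ASCII avoids the UTF-16 output and byte-order mark that Out-File or ">"
    # produce in Windows PowerShell 5.1, which a Java properties reader
    # would not parse.
    Set-Content -LiteralPath $Path -Value $out -Encoding ASCII
}

$conf = 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties'
Set-LockedProperty -Path $conf -Key 'balancedHost' -Value 'lb.example.com'
Get-Content -LiteralPath $conf   # review the result
```

Restart the Connection Server service afterwards so the file is re-read.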
Please also refer to:
- Accessing the Horizon View Administrator page displays a blank error window in Horizon 7 (2144768)
- Cross-Origin Resource Sharing
It may also be a good idea (recommended) to change the self-signed certificate upon installation. Within the UAG Admin interface, go to TLS Server Certificate Settings and upload a PFX or PEM. For PFX, if you get an error as below, try copying the GUID from the error message into the Alias field:
- Deploy Unified Access Gateway (UAG) 3.0 with Horizon - 17 September 2017