VMware Unified Access Gateway (aka Access Point) 3.2

Last Modified: Jan 8, 2018 @ 9:23 am


ūüí° = Recently Updated



Unified Access Gateway is the new name for VMware Access Point.

Unified Access Gateway (formerly known as Access Point) is a replacement for Horizon Security Servers. Advantages include:

  • You don’t need to build extra Connection Servers just for pairing.¬†However, you might want extra Horizon Connection Servers so you can filter pools based on tags.
  • Between Unified Access Gateway and Horizon Connection Servers you only need TCP 443. No need for IPSec or 4001 or the other ports. You still need 4172, 22443, etc. to the View Agents.
  • No need to enable Gateway/Tunnel on the internal Horizon Connection Servers.
  • Additional security with DMZ authentication.¬†Some of the Authentication methods supported on Unified Access Gateway are RSA SecurID, RADIUS, CAC/certificates, etc.


  • It’s Linux. You can deploy and configure the appliance without any Linux skills. But you might need some Linux skills during troubleshooting.

Horizon View Security Server is still developed and supported so you’re welcome to use that instead of Unified Access Gateway. But some of the newer Blast Extreme functionality only works in Unified Access Gateway (Access Point) 2.9 and newer. See Configure the Blast Secure Gateway at VMware Docs.

More information at VMware Blog Post Technical Introduction to Access Point for Secure Remote Access.

Unified Access Gateway 3.2.0 is supported with Horizon 7.4. Refer to the compatibility matrix for the latest compatibility data for each version.

Download Unified Access Gateway 3.2.0 from the main VMware Horizon 7.4 download page.


VMware Technical White Paper Blast Extreme Display Protocol in Horizon 7, and Firewall Rules for DMZ-Based Unified Access Gateway Appliances at VMware Pubs.

Open these ports from any device on the Internet to the Unified Access Gateway Load Balancer VIP:

  • TCP and UDP 443 (includes Blast Extreme)
  • TCP¬†and¬†UDP¬†4172.¬†UDP¬†4172¬†must¬†be¬†opened¬†in¬†both¬†directions. (PCoIP)
  • TCP and UDP 8443 (for HTML Blast)

Open these ports from the Unified Access Gateways to internal:

  • TCP 443 to internal Connection Servers (through a load balancer)
  • TCP and UDP 4172 (PCoIP) to all internal Horizon View Agents.¬†UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon View Agents.
  • TCP and UDP 22443 (Blast Extreme) to all internal Horizon View Agents.
  • TCP 9427 (MMR and CDR) to all internal Horizon View Agents.

Open these ports from any internal administrator workstations to the Unified Access Gateway appliance IPs:

  • TCP 9443 (REST API)
  • TCP 80/443 (Edge Gateway)

Network Profile

  1. Before importing the Unified Access Gateway OVF, you will need to configure a Network Profile. In vSphere Web Client, go to the Datacenter object. On the right, switch to the Manage (or Configure) tab > Network Protocol Profiles.
  2. Click the plus icon.

  3. In the Select name and network page, enter a name, select the DMZ VM Network for your Unified Access Gateway appliance, and click Next.

  4. In the Configure IPv4 page, enter the subnet information, and Gateway.
  5. Don’t configure an IP pool. Click Next.
  6. In the Ready to complete page, click Finish.
  7. If you are configuring multiple NICs on your Unified Access Gateway, create Network Protocol Profile for the remaining subnets.

Import OVF

Mark Benson at VMware Communities Using PowerShell to Deploy VMware Unified Access Gateway has a PowerShell script that runs OVF Tool to deploy and configure Unified Access Gateway. The PowerShell script is updated as newer versions of Unified Access Gateways are released. This is the recommended method of deploying Unified Access Gateway.

Some notes regarding the PowerShell script:

  • If the OVA path has spaces in it, do not include quotes in the .ini file. The script adds the quotes automatically.
  • For the¬†target parameter, specify a cluster name instead of a host. If spaces, there’s no need for quotes. For example:
    target=vi://admin@corp.local:PASSWORD@vcenter02.corp.local/Datacenter/host/Cluster 1
  • Special characters in the vCenter password must be encoded. Use a URL encoder tool (e.g.¬†https://www.urlencoder.org/) to encode the password. Then paste the encoded password when prompted by the ovftool. The UAG passwords do not need encoding, but the vCenter password does.

There is no upgrade process for Unified Access Gateway. You must delete the old appliance and deploy a new one. To speed up the deployment, either use the PowerShell deployment script, or export the settings from the old appliance and import into the new appliance.

To deploy the Unified Access Gateway using VMware vSphere Web Client:

  1. Unified Access Gateway 3.2 is supported with Horizon 7.4. Refer to the compatibility matrix for the latest compatibility data for each version.
  2. Download Unified Access Gateway 3.2.0 from the main VMware Horizon 7.4 download page.
  3. In vSphere Web Client (Flash client, not HTML5 client), right-click a cluster, and click Deploy OVF Template.

  4. In the Select source page, browse to the downloaded euc-unified-access-gateway-3.2.0.ova file, and click Next.

  5. In the  Select name and location page, give the machine a name, and click Next.
  6. In the Review Details page, click Next.
  7. In the Select configuration page, select a Deployment Configuration. See DMZ Design for VMware Unified Access Gateway and the use of Multiple NICs at VMware Communities. Click Next.
  8. In the Select storage page, select a datastore, select a disk format, and click Next.
  9. Even if you select Single NIC, the OVF deployment wizard asks you for multiple NICs.
  10. In the Customize template page, enter DNS addresses, Gateway, and Subnet Mask. Scroll down.
  11. Scroll down and enter more IP info.
    1. STATICV4 and a static IP.
    2. For DNS servers, enter them with a space between them.
  12. Scroll down.
  13. Enter a Unified Gateway Appliance Name, and then expand the Password Options section.
  14. Scroll down. Expand Password Options, and enter passwords. Then click Next.
  15. In the Ready to complete page, click Finish.

UAG Admin Interface

  1. Power on the Unified Access Gateway appliance.

    • When booting UAG 3.0, it might ask you to answer a question. Select¬†No, and click¬†OK.
  2. If the appliance initially boots with the wrong IP, then a reboot might fix it.
  3. In Unified Access Gateway and Access Point 2.8 and later, you can point your browser to https://My_AP_IP:9443/admin/index.html, and login as admin.
  4. If you have previously exported settings, you can import it now.
  5. Or, on the right, under Configure Manually, click Select.
  6. Next to Edge Service Settings, click Show.
  7. Next to Horizon Settings, click the gear icon.
  8. Change Enable Horizon to Yes.
  9. As you fill in these fields, hover over the information icon to see the syntax.
  10. The Connection Server URL should point to the internal load balanced DNS name (URL) for your internal Connection Servers.

    1. For the Connection Server¬†URL Thumb print, get the thumbprint from the internal Horizon View certificate. Point your browser to the internal Horizon View Connection Server FQDN (load balanced), and click the padlock icon to open the certificate. If using Chrome, you have to open the Developer Tools (F12), switch to the Security tab, and then click¬†View Certificate. If you don’t see the¬†Security tab, then click the double right arrows.
    2. On the Details tab, copy the Thumbprint.
  11. In the Proxy Destination URL Thumb Prints field, type in sha1= and paste the certificate thumbprint.
  12. At the beginning of the Thumbprint field, immediately after the equals sign, there might be a hidden character. Press the arrow keys on the keyboard to find it. Then delete the hidden character.
  13. Enable the three PCOIP, Blast, and Tunnel Gateways and perform the following configurations:
    1. For PCOIP External URL, enter the external¬†IP or external FQDN and :4172. The IP or FQDN should point to your external load balancer that’s load balancing UDP 4172 and TCP 4172 to multiple Unified Access Gateways.
    2. For Blast External URL, enter https://<FQDN>:443 (e.g. https://view.corp.com:443). This FQDN should resolve to your¬†external load balancer that’s load balancing UDP 443 and TCP 443 to multiple Unified Access Gateways.
    3. For Tunnel External URL, enter https://<FQDN>:443 (e.g. https://view.corp.com:443). This FQDN should resolve to your¬†external load balancer that’s load balancing TCP 443 to multiple Unified Access Gateways.
    4. The external load balancer must be capable of using the same persistence across multiple port numbers. On NetScaler, this feature is called Persistency Group. On F5, the feature is called Match Across.
  14. Then click More.
  15. Unified Access Gateway has a default list of paths it will forward to the Horizon Connection Server. You can edit the Proxy Pattern and add |/downloads(.*) to the list so users can also download Horizon Clients that are stored on your Horizon View Connection Servers. The extra pattern goes inside the parentheses. For example: (/|/downloads(.*))
  16. Scroll down and click Save when done.
  17. If you click the arrow next to Horizon Settings, then it shows you the status of the Edge services.

    • If all you see is Not Configured, then refresh your browser.
  18. In your Horizon Connection Servers, the Gateways (e.g. PCoIP Gateway) should be disabled.
    1. Go to Horizon Administrator.
    2. Expand View Configuration, and click Servers.
    3. On the right, switch to the Connection Servers tab.
    4. Highlight your Connection Servers, and click Edit.
    5. Then uncheck all three gateways.
    6. If Horizon 7, HTML Access won’t work through Unified Access Gateway unless you disable Origin Check or configure the Connection Server’s¬†locked.properties¬†with the Access Point addresses. Also see¬†2144768¬†Accessing the Horizon View Administrator page displays a blank error window in Horizon 7.
  19. If you want Unified Access Gateway to authenticate users using non-AD methods (e.g. two-factor), enable the Authentication Settings section, and configure the settings as appropriate for your requirements.
  20. Ciphers are configured under Advanced Settings > System Configuration.

    • Syslog is also configured here.
  21. Scroll down to the Advanced Settings section, and next to TLS Server Certificate Settings, click the gear icon.
  22. In Unified Access Gateway 3.2 and newer, you can apply the certificate to Internet Interface, Admin Interface, or both.
  23. In Unified Access Gateway 3.0 and newer, change the Certificate Type to PFX, browse to a PFX file, enter the password. This PFX file certificate must match the Public FQDN (load balanced) for Unified Access Gateway.
  24. Leave the Alias field blank.
  25. Click Save.

  26. If you changed the Admin Interface certificate, then you will be prompted to close the browser window and re-open it.
  27. Or, you can upload a PEM certificate/key (this is the only option in older UAG). Next to Private Key, click the Select link.

    1. Browse to a PEM keyfile. If not running Unified Access Gateway 3.0 or newer, then certificates created on Windows (PFX files) must be converted to PEM before they can be used with Unified Access Gateway. You can use openssl commands to perform this conversion. The private key should be unencrypted.
    2. Browse to a PEM certificate file (Base-64) that contains the server certificate, and any intermediate certificates. The server certificate is on top, the intermediate certificates are below it. The server certificate must match the public FQDN (load balanced) for the Unified Access Gateway.
    3. Click Save when done.
  28. UAG 3.1 adds an Endpoint Compliance Check feature. It requires an OPSWAT subscription. The OPSWAT agent is deployed to endpoints out-of-band. It’s pass/fail. See¬†Endpoint Compliance Checks for Horizon at VMware Docs. And the YouTube video¬†Endpoint Compliance Checks: New VMware Horizon Security Feature.

  29. If you scroll down to Support Settings, click the icon next to Export Unified Access Gateway Settings to save the settings to a JSON file. If you need to rebuild your Unified Access Gateway, simply import the the JSON file.
  30. If you point your browser to the Unified Access Gateway external URL, you should see the Horizon View Connection Server portal page. Horizon Clients should also work to the Unified Access Gateway URL.


In Access Point 2.8, and Unified Access Gateway (2.9 and newer), you can download logs from the Admin Interface.

You can also review the logs at /opt/vmware/gateway/logs. You can less these logs from the appliance console.

Or you can point your browser to https://MyApplianceIP:9443/rest/v1/monitor/support-archive. This will download a .zip file with all of the logfiles. Much easier to read in a GUI text editor.

For initial configuration problems, check out admin.log.

For Horizon View brokering problems, check out esmanager.log.

Load Balancing

See http://www.carlstalhood.com/vmware-horizon-unified-access-gateway-load-balancing-netscaler-12/ to load balance Unified Access Gateways.

Related Pages

171 thoughts on “VMware Unified Access Gateway (aka Access Point) 3.2”

  1. Hi Carl,

    Thanks you for such a detailed post. I would like to understand few things

    1. Can we configure horizon port 8443 and workspace ONE port 443 both service on single UAG 3.2 appliance.
    2. How it works as we hit FQDN without specific port.

    e.g :
    1 vdi.domain.com – for horizon

    2 wpone.domain.com – for workspace one.

    Want to know how it will work with given port sharing feature enabled.

    I tried but only 1 of the service is responding at a time.

    Appreciate your help in advance.

  2. Issue resetting admin password. I use the normal firstboot option to change the admin password. but when I login ans get the change password screen it failed to update it.


    can’t fine anyting on VMWARE.com about this

  3. Hi Carl, Fantastic blog as always. I have a question about 2-factor authentication. I have successfully configured 2-factor on my customers UAG. The issue is, they have a list of public IP addresses that need to bypass Duo 2-factor. Is this something that would be configured on the Unified Access Gateway appliance or would this need to be configured on the customers on their F5 Access Policy Manager?

  4. Is it normal to have the VCS server to report Unknown in red under the Security Servers in the Dashboard?

    Everything works fine, but the VCS server is reporting Unknown since we moved to UAG.

  5. Hi carls,
    I have a problem with SSL certificates to use BLAST and HTML ACCESS.
    I don’t use AEG or Security Server. I applied on my parent machine: the Horizon agent with HTML Access.
    On this machine we have a Blast certificate in the personal Windows store. I insert my CA root and intermediate CA authority certificates in the personal store and trusted editors.
    I also apply a Wildcard generated from our CA root. When I deploy, I find my VDI machines with the certificates but unfortunately I still suffer from non-approved certificate warnings regardless of the web browser.
    Any ideas ?
    I read the HTML Access PDF, the KB 2088354, the forum https://communities.vmware.com/thread/496892

  6. I successfully managed to use UAG instead of Security server. But in my Horizon Dashboard, the old Sec server is still there and showing as red… How can I remove that and eventually have the UAG showing up ?
    external IP is the same…

  7. Have a question about the Blast Gateway, with the certificate error received if behind the UAG should that Gateway be enabled so it routes internal users to UAG rather than directly to the agent where the client will get a certificate error? Thanks

    1. If you need HTML Blast, and if you want to prevent certificate errors, you can proxy the connection through your Connection Servers by enabling the Blast Gateway, or you can proxy the connection through a UAG, or you can install valid certificates on each Agent.

  8. How do I know which interface is which in the config? How do I know if the “netManagementNetwork” config setting in the script is the target interface for the “ip1” setting?
    Trying to do a threenic installation. Deployment runs fine, but the appliance never responds on the management IP. Tried to reboot the appliance several times, but to no avail.

        1. For regular load balancing, Standard is fine.

          How many concurrent UAG connections? I’m assuming PCoIP/Blast are going through NetScaler.

          Your NetScaler might be doing decrypt/re-encrypt of Blast, which means fewer users than maximum bandwidth. If PCoIP, it should be just forwarding as is.

          1. One UAG I think is rated for 2,000 users.

            If you assume 250K per active user, that’s around 732 Mbps. So VPX would need to be at least 1000, which gives you two more vCPUs.

          2. F5 can replace UAG. NetScaler can replace UAG for PCoIP only. I assume NetScaler will eventually add Blast protocol.

            Otherwise, it’s standard load balancing.

          3. BTW I didn’t know blast would require decrypt / re-encrypt by NS…any recommendation for possibly 3000 users. Most of them are internal but just out of curiosity.

          4. Internal traffic doesn’t go through NetScaler and instead goes directly from Horizon Client to Horizon Agent. Thus not much traffic needed on NetScaler. It’s only UAG users that send traffic through NetScaler.

          5. I don’t see point of replacing UAG, in both cases NS and F5 can I just use standard LB and let UAG do the job for any protocol?

          6. Hi Carl Just last question. Without replacing UAG, F5 license just to load balance service, internal and external, F5 “Good” license should be enough right?

  9. Since UAG is in Prod, users receive this : VMWare Horizon Client – Logout Request by system.

    As long as we don’t click OK, it is fine except that USB is not working…

    We are on 7.2

  10. Hello Carl, I was wondering about the sentence ” Open these ports from any device on the Internet to the Unified Access Gateway Load Balancer VIP:

    TCP and UDP 443 (includes Blast Extreme)
    TCP and UDP 4172. UDP 4172 must be opened in both directions. (PCoIP)
    TCP and UDP 8443 (for HTML Blast) “.

    In our case – this traffic goes to the REAL IP Addresses of the Firewall, which forward the traffic to the security servers in question. In other words, if the settings for the different gateway protocols – PCoIP, BLAST and HTML blast all points to something which is not the load balancer’s IP Address one would not need to open them at all.
    By my understanding, once authenticated to UAG, a client will receive and process an URL which should be used for further “secondary” protocols. If this “link”/setting/url does not lead to the IP of the load balancer -then this traffic will not traverse the load balancer at all.

    Please correct me if I am wrong.

    1. You can do it either way. If your load balancer supports persistence across multiple port numbers, then you can send all ports through a single public IP that resolves to one VIP. Otherwise, you send 443 to the load balancer, and 4172 and 8443 directly to each UAG.

  11. Hi Carl,

    Can you explain why on the Connections Servers the Gateways have to be disabled?

    Before we were using Security Server on Windows in the DMZ and had all these gateways enabled.
    We could connect through Blast Secure Gateway on HTML Access on the URL of the Security Server (from outside the office) and to the URL of the Connection Server for internal HTML Access.

    We now have disabled all the Gateways on the Connection Server and now it’s not possible to use HTML Access through the Connection Server. It seems like it’s want to connect to the IP of the linked clone directly instead of through the Connection Server.

    Why can’t I enable the Blast Secure Gateway for internal HTML Access to the View Desktops?

    1. Enabling it on Connection Servers overrides the same functionality on UAG.

      One option is to build separate VCSs for internal users and enable it on them. Make sure UAG doesn’t connect to those VCSs.

  12. Hi Carl, just a quick observation – if I make the change to the portal-links-html-access.properties file to disable the enable download feature (=false) it works when connecting directly via the Connection Servers (v7.2) or internal VIP, but breaks the UAG access (v3.0) and the Proxy Destination Server turns red on the Admin page.

    If I change it back, the UAG access works again, but obviously still shows the download option.

    Is there a proxy pattern I need to enter to permit UAG access as it seems to be having an issue talking to the Connection Server? (I’ve tried a few combinations to no avail….)


    1. Quick heads up – seems to be an issue with the VIP/Load Balancing as when make the change the internal vip shows the Connection Servers are unavailable…..

  13. Question: The time out setting under advanced config…it’s set to 3600000 milliseconds – or ten hours – IS there a know way to set that to never timeout? Like can I use -1 or zero or something so that sessions are never disconnected? VMware support said to fill it with 9’s and that’s the best I can do.

    Is that true?

  14. Got a working UAG v2.9 and replaced it with UAG 3.0, but UAG 3.0 does not work. I get a certificate error when accessing Horizon with a browser. It seems like the UAG 3.0 does not like SANs in the certificate. Tried both PFX and PEM methods for UAG 3.0 deployment. Booting up the UAG 2.9 again, and all works again.
    Any thougts on that?

  15. Hi Carl,

    Tupid question but I can’t find the answer anywhere… how do I change the IP address of the UAG 3.0 after deployment ??



    1. You might have to delete it and re-deploy it. You can save the config to a file. Re-deploy. Then upload the config again.

      1. OK, Done that.. but I struggle with it.
        I’m left with
        Proxy Destination Server RED.

        I only have one Connection server and replacing the Secure server by UAG on the same IP.

        Any hint on what am I doing wrong here ?

        1. Either UAG can’t resolve the DNS name, can’t talk to the destination address, or the certificate thumbprint you imported doesn’t match the certificate on the Connection Server (or load balancer).

    2. It is SUSE linux so find in google how to change IP in this distribution. I changed the IP yesterday by editing ifcfg-eth0 file (sigle NIC deployment).

  16. Hi Carl,

    We’ve been using UAG for a long time now.. and the latest build 3.0 has been fine for a month or so but now within a few days of each other, two of the three UAG’s have gone offline (or somehow stopped passing user traffic). They just stopped working…
    I can pull up the admin site, but if I disable “server 1 and 2” so only “server 3” is active in the netscaler LB… i cant connect the Horizon client. A few days ago it was server three…. so i took it out of the mix… Today server 2 did it….
    A reboot of the UAG fixes it.. but kinds annoying… as no users can get in that the netscaler decides to hand off to that UAG for access…
    Anyone else have this issue?
    I really don’t want to open a ticket… as it’ rather irritating how long tickets take to work with VMware… especially on a issue like this.

    Three 3.0 UAG servers behind a netscaler, load balanced following the articles you’ve got here.
    They connect to two 7.2 connection servers, also on a VIP.

    1. I recently built a new Horizon environment for a client a few weeks ago, and we just had this issue today. It is a very small environment with no load balancer, with all traffic going through the UAG. This caused a production outage. I checked the UAG and all of the services were green. Rebooting the UAG fixed the issue. I have them opening a ticket with VMware support and will let you know what we find out.

  17. Hello Carl, Following ur site since a while now and i m wondering if u have any suggestion regarding the monitoring of the VMware Unified Access Gateway.

    I m usually using snmp agent or shinken agent to monitor our infrastructure but it seem that VMware didn’t plan to do any of those.

    For now i doing a simple snmp check to make sure the gateway is alive and some http check.

    Any suggestion would be very welcome ūüôā

    Thx u for all those great articles !

    1. Carl, I’d like to ask a question. I deployed two UAGs with PS and the first one came up fine, but the second one, well, I can’t get to the web interface. I used the exact same PS script except that I changed the name and IP address and the datastore, but still the web admin interface will not load. I can ping it and in VMware, I can console to it, so I’m at a loss as to what happened. Any thoughts?

  18. Hi carls,

    I need your help in configuring reverse proxy in access point for my IDM URL so that my users can open the IDM URL from internet and they can access published application and desktops. I am listing down my infrastructure details can you please guide me how to achieve this.

    1. I have 2 AP configured in the DMZ and both are in single NIC configuration
    2. both the AP is configured behind a Netscaler load balancer in the DMZ
    3. The external URL which is configured in the AP is VDI.Gridtech.com and I have the same URL for internal access as well
    4.I have deployed and configured two IDM 2.8 appliance with an internal FQDN as IDM01.gridtech.grid.com and IDM02.gridtech.grid.com
    5. Created a DNS entry as workspace.gridtech.com internally
    6.i can access workspace.gridtech.com internally and I am able to launch the applications and desktop seamlessly through the workspace portal
    7. I want to access the same URL from internet and reverse proxy needs to be configured through my access point

    can you please help me with the steps which I need to do.

    1. I’m trying the same thing not a lot of luck thus far. VMware support has not been very helpful either.

Leave a Reply