VMware Unified Access Gateway (aka Access Point) 3.0

Last Modified: Jun 12, 2017 @ 3:40 pm

Overview

Unified Access Gateway is the new name for VMware Access Point.

Unified Access Gateway replaces the Horizon Security Server. Advantages include:

  • You don’t need to build extra Connection Servers just for pairing. However, you might still want extra Horizon Connection Servers so you can filter pools based on tags.
  • Between Unified Access Gateway and Horizon Connection Servers you only need TCP 443. No need for IPsec, TCP 4001 (JMS pairing), or the other Security Server ports. You still need 4172, 22443, etc. from the Unified Access Gateway to the View Agents.
  • No need to enable the Gateway/Tunnel on the internal Horizon Connection Servers.
  • Additional security with DMZ authentication. Authentication methods supported on Unified Access Gateway include RSA SecurID, RADIUS, and CAC/certificates.

However:

  • It’s Linux. You can deploy and configure the appliance without any Linux skills. But you might need some Linux skills during troubleshooting.

Horizon View Security Server is still developed and supported, so you’re welcome to use that instead of Unified Access Gateway. But some of the newer Blast Extreme functionality only works in Unified Access Gateway (Access Point) 2.9 and newer. See Configure the Blast Secure Gateway at VMware Pubs.

More information at VMware Blog Post Technical Introduction to Access Point for Secure Remote Access.

Firewall

See the VMware Technical White Paper Blast Extreme Display Protocol in Horizon 7, and Firewall Rules for DMZ-Based Unified Access Gateway Appliances at VMware Pubs.

Open these ports from any device on the Internet to the Unified Access Gateway Load Balancer VIP:

  • TCP and UDP 443 (includes Blast Extreme)
  • TCP and UDP 4172 (PCoIP). UDP 4172 must be opened in both directions.
  • TCP and UDP 8443 (Blast Extreme for HTML Access)

Open these ports from the Unified Access Gateways to internal:

  • TCP 443 to internal Connection Servers (through a load balancer)
  • TCP and UDP 4172 (PCoIP) to all internal Horizon View Agents. UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon View Agents.
  • TCP and UDP 22443 (Blast Extreme) to all internal Horizon View Agents.
  • TCP 9427 (MMR and CDR) to all internal Horizon View Agents.

Open these ports from internal administrator workstations only to the Unified Access Gateway appliance IPs (the admin interface on TCP 9443 must never be reachable from the Internet-facing side):

  • TCP 9443 (REST API)
  • TCP 80/443 (Edge Gateway)

Network Profile

  1. Unified Access Gateway 3.0 is supported with Horizon 7.1, Horizon 6.2.4, and Identity Manager 2.8.1, 2.9.1.
  2. Before importing the Unified Access Gateway OVF, you will need to configure a Network Profile. In vSphere Web Client, go to the Datacenter object. On the right, switch to the Manage (or Configure) tab > Network Protocol Profiles.
  3. Click the plus icon.

  4. In the Select name and network page, enter a name, select the DMZ VM Network for your Unified Access Gateway appliance, and click Next.

  5. In the Configure IPv4 page, enter the subnet information, and Gateway.
  6. Don’t configure an IP pool. Click Next.
  7. In the Ready to complete page, click Finish.
  8. If you are configuring multiple NICs on your Unified Access Gateway, create Network Protocol Profile for the remaining subnets.

Import OVF

Mark Benson at VMware Communities Using PowerShell to Deploy VMware Unified Access Gateway has a PowerShell script that runs OVF Tool to deploy and configure Unified Access Gateway. The script is updated as newer versions of Unified Access Gateway are released. This is the recommended method of deploying Unified Access Gateway.

Some notes regarding the PowerShell script:

  • If the OVA path has spaces in it, do not include quotes in the .ini file. The script adds the quotes automatically.
  • For the target parameter, specify a cluster name instead of a host. If the name contains spaces, there’s no need for quotes. For example:
    target=vi://admin@corp.local:PASSWORD@vcenter02.corp.local/Datacenter/host/Cluster 1
  • Special characters in the vCenter password must be URL-encoded. Do the encoding locally (for example with [uri]::EscapeDataString in PowerShell) rather than pasting a vCenter administrator password into a third-party website. Then paste the encoded password when prompted by ovftool. The UAG passwords do not need encoding, but the vCenter password does.

There is no in-place upgrade process for Unified Access Gateway. You must delete the old appliance and deploy a new one. To speed up the deployment, either use the PowerShell deployment script, or export the settings from the old appliance and import them into the new appliance.

To deploy the Unified Access Gateway using VMware vSphere Web Client:

  1. Download euc-unified-access-gateway-3.0.0.0.ova. The download link is on the bottom of the Horizon View download page.
  2. In vSphere Web Client, right-click a cluster, and click Deploy OVF Template.

  3. In the Select source page, browse to the downloaded euc-unified-access-gateway-3.0.0.0.ova file, and click Next.

  4. In the  Select name and location page, give the machine a name, and click Next.
  5. In the Review Details page, click Next.
  6. In the Select configuration page, select a Deployment Configuration. VMware recommends multiple NICs (separate Internet-facing, management, and back-end networks). It’s more secure to have a single NIC in the DMZ and funnel all traffic through firewalls, where every flow is subject to an explicit rule. With a single NIC, the admin interface (TCP 9443) sits on the same interface as the Internet-facing services, so the DMZ firewall must restrict it to administrator sources.
  7. In the Select storage page, select a datastore, select a disk format, and click Next.
  8. Even if you selected Single NIC, the OVF deployment wizard still asks you to map multiple NICs.
  9. In the Customize template page, enter the DNS addresses, Gateway, and Subnet Mask, then scroll down and enter the remaining IP information:
    1. STATICV4 and a static IP.
    2. For DNS servers, enter them with a space between them.
  10. Scroll down and expand the Password Options section, then enter the passwords. Notice the complexity requirements: if the passwords are not complex enough, they won’t work.
  11. In the Ready to complete page, finish importing the OVF, and power on the appliance.

Admin Interface

  1. Power on the Unified Access Gateway appliance.
  2. When booting UAG 3.0, it might ask you to answer a question. Select No, and click OK.
  3. If the appliance initially boots with the wrong IP, then a reboot might fix it.
  4. In Unified Access Gateway and Access Point 2.8 and later, you can point your browser to https://My_AP_IP:9443/admin/index.html, and login as admin.
  5. If you have previously exported settings, you can import it now.
  6. Or, on the right, under Configure Manually, click Select.
  7. Next to Edge Service Settings, click Show.
  8. Next to Horizon Settings, click the gear icon.
  9. Change Enable Horizon to Yes.
  10. As you fill in these fields, hover over the information icon to see the syntax.
  11. The Connection Server URL should point to the internal load balanced DNS name (URL) for your internal Connection Servers.
  12. For the Proxy Destination URL Thumbprints, get the thumbprint from the internal Horizon View certificate. Point your browser to the internal Horizon View Connection Server FQDN, and click the padlock icon to open the certificate. If using Chrome, open the Developer Tools (F12), switch to the Security tab, and click View Certificate. If you don’t see the Security tab, click the double right arrows.
  13. On the Details tab, copy the Thumbprint.
  14. At the beginning of the Thumbprint field, immediately after the equals sign, there might be a hidden character: the Windows certificate dialog prepends an invisible left-to-right mark (U+200E) to the copied value. Press the arrow keys on the keyboard to find it, then delete it. A thumbprint that does not match the Connection Server certificate shows up later as a failed Horizon edge service status, so check this first.
  15. Enable the three Gateways and enter the external URLs and external IP. These should point to your external load balancer.
  16. For Blast, the port number can be 443.
  17. Then click More.
  18. Unified Access Gateway has a default list of paths (the Proxy Pattern) that it will forward to the Horizon Connection Server; requests for anything else are rejected at the Unified Access Gateway. You can edit the Proxy Pattern and add |/downloads(.*) so users can also download Horizon Clients that are stored on your Horizon View Connection Servers. The extra pattern goes inside the outer parentheses, as one more alternative. Keep the pattern as narrow as possible; do not replace it with a catch-all.
  19. Click Save when done.
  20. If you click the arrow next to Horizon Settings, then it shows you the status of the Edge services.
  21. In your Horizon Connection Servers, the Gateways (e.g. PCoIP Gateway) should be disabled.


  22. In Horizon 7, HTML Access won’t work through Unified Access Gateway unless you either disable the Origin Check (checkOrigin=false in the Connection Server’s locked.properties) or, preferably, keep the check enabled and add the Unified Access Gateway external address(es) to locked.properties as portalHost.n entries. The origin check is a CSRF defence, so disabling it outright is the weaker option. Also see 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon 7.
  23. If you want Unified Access Gateway to authenticate users using non-AD methods (e.g. two-factor), enable the Authentication Settings section, and configure the settings as appropriate for your requirements.
  24. Ciphers are configured under Advanced Settings > System Configuration. After changing them, test the public VIP from outside with a TLS scanner to confirm that only the intended suites are offered.
  25. Syslog is also configured here.
  26. Scroll down to the Advanced Settings section, and next to TLS Server Certificate Settings, click the gear icon.
  27. In Unified Access Gateway 3.0 and newer, change the Certificate Type to PFX, browse to a PFX file, enter the password, and click Save. This PFX file certificate must match the Public FQDN (load balanced) for Unified Access Gateway.

  28. Or, you can upload a PEM certificate and key (the only option in older Access Point builds). Next to Private Key, click the Select link.
  29. Browse to a PEM key file. If not running Unified Access Gateway 3.0 or newer, certificates created on Windows (PFX files) must first be converted to PEM; you can use openssl pkcs12 for this. The private key must be unencrypted, so treat the PEM key file as a secret: restrict access to it and delete it once the upload succeeds.
  30. Browse to a PEM (Base-64) certificate file that contains the server certificate followed by any intermediate certificates: the server certificate on top, the intermediates below it. The server certificate must match the public (load balanced) FQDN for Unified Access Gateway.
  31. Click Save when done.
  32. Scroll down to Support Settings and click the icon next to Export Unified Access Gateway Settings to save the settings to a JSON file. If you need to rebuild your Unified Access Gateway, import that JSON file.
  33. If you point your browser to the Unified Access Gateway external URL, you should see the Horizon View Connection Server portal page. Horizon Clients should also work to the Unified Access Gateway URL.
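Steps 12 to 14 above have you copy a thumbprint out of the Windows certificate dialog, which is where the hidden character comes from. The following Python helper is an added example (not code from the page or from VMware): it strips the invisible U+200E mark and any separators from a pasted thumbprint, validates that exactly one SHA-1 worth of hex digits remains, and can also compute the thumbprint directly from the certificate the Connection Server actually serves, which avoids the copy-paste problem entirely. The output form (sha1= prefix, space-separated hex pairs, as the Windows dialog shows it) is what the page has you paste; confirm the accepted separators against the field's info icon on your appliance. The sample pasted string is constructed, and the host name in the usage comment is hypothetical.

```python
import base64
import hashlib
import re
import ssl

# Constructed sample input (not a real certificate thumbprint): the Windows
# certificate dialog prefixes copied text with an invisible U+200E
# LEFT-TO-RIGHT MARK and separates bytes with spaces.
PASTED_FROM_WINDOWS = "\u200eDA 39 A3 EE 5E 6B 4B 0D 32 55 BF EF 95 60 18 90 AF D8 07 09"

HEX40 = re.compile(r"^[0-9a-f]{40}$")


def format_uag_thumbprint(hexdigest: str) -> str:
    """Render 40 hex digits as 'sha1=xx xx ...', the form the page has you paste."""
    hexdigest = hexdigest.lower()
    if not HEX40.match(hexdigest):
        raise ValueError("expected 40 hex digits")
    return "sha1=" + " ".join(hexdigest[i:i + 2] for i in range(0, 40, 2))


def normalize_pasted_thumbprint(pasted: str) -> str:
    """Clean text copied from the Windows certificate dialog.

    Drops the hidden U+200E mark (and a BOM, if one sneaked in), an optional
    'sha1=' prefix, spaces and colons, then validates that exactly one SHA-1
    worth of hex digits remains before re-emitting it in UAG form.
    """
    cleaned = pasted.replace("\u200e", "").replace("\ufeff", "")
    cleaned = re.sub(r"^\s*sha1\s*=\s*", "", cleaned, flags=re.IGNORECASE)
    hexonly = re.sub(r"[\s:]", "", cleaned).lower()
    if not HEX40.match(hexonly):
        raise ValueError(f"not a SHA-1 thumbprint: {pasted!r}")
    return format_uag_thumbprint(hexonly)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()))


def der_thumbprint(der: bytes) -> str:
    """SHA-1 over the DER encoding is exactly the 'Thumbprint' Windows displays."""
    return format_uag_thumbprint(hashlib.sha1(der).hexdigest())


def fetch_thumbprint(host: str, port: int = 443) -> str:
    """Live use: hash the leaf certificate the Connection Server really serves
    (not a file on disk). Needs network access to the internal FQDN."""
    return der_thumbprint(pem_to_der(ssl.get_server_certificate((host, port))))


if __name__ == "__main__":
    print(normalize_pasted_thumbprint(PASTED_FROM_WINDOWS))
    # print(fetch_thumbprint("view.corp.local"))  # hypothetical internal FQDN
```

Running fetch_thumbprint against the load-balanced internal FQDN and against each Connection Server by name is a quick way to confirm that all of them present the same certificate; if they differ, list every thumbprint in the field rather than only one.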
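Step 18 above edits the Proxy Pattern. This added Python example (not from the page or from VMware) models how the pattern gates request paths, so you can see what is and is not forwarded before and after adding the /downloads alternative, and that an admin path still does not get through. The default pattern below is reproduced from memory of the UAG 3.x admin UI and is an assumption: verify it against the Proxy Pattern field on your appliance. The anchored regular-expression match is a model of the appliance's behaviour, and the sample request paths are constructed.

```python
import re

# Assumed default Horizon proxy pattern (from memory of the UAG 3.x admin UI;
# check the Proxy Pattern field on your own appliance).
DEFAULT_PROXY_PATTERN = r"(/|/view-client(.*)|/portal(.*)|/appblast(.*))"

# Constructed request paths: what the Horizon Client, HTML Access, the
# client-download link and someone probing the admin UI would send.
SAMPLE_PATHS = [
    "/",
    "/portal/webclient/index.html",
    "/view-client/foo",
    "/appblast/bar",
    "/downloads/VMware-Horizon-Client-4.4.0.exe",
    "/admin/index.html",
    "/../admin/",
]


def add_alternative(pattern: str, alternative: str) -> str:
    """Insert one more alternative inside the outer parentheses, which is
    where the page says the extra pattern (e.g. '/downloads(.*)') belongs."""
    if not (pattern.startswith("(") and pattern.endswith(")")):
        raise ValueError("pattern must be wrapped in one outer group")
    return pattern[:-1] + "|" + alternative + ")"


def forwarded(pattern: str, path: str) -> bool:
    """Model of the UAG check: the whole request path must match the pattern.
    (An anchored full match is an assumption about the appliance's engine.)"""
    return re.fullmatch(pattern, path) is not None


def forwarded_paths(pattern: str, paths=SAMPLE_PATHS) -> list:
    """Return the subset of paths the given pattern would let through."""
    return [p for p in paths if forwarded(pattern, p)]


if __name__ == "__main__":
    with_downloads = add_alternative(DEFAULT_PROXY_PATTERN, "/downloads(.*)")
    print("default pattern forwards :", forwarded_paths(DEFAULT_PROXY_PATTERN))
    print("with /downloads forwards :", forwarded_paths(with_downloads))
```

Each alternative you add widens what the Internet can reach on the Connection Server, so run any candidate pattern through a check like this with a few paths you expressly do not want exposed (the admin UI, for instance) before saving it.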

Logs

In Access Point 2.8, and Unified Access Gateway (2.9 and newer), you can download logs from the Admin Interface.

You can also review the logs at /opt/vmware/gateway/logs, for example with less from the appliance console.

Or point your browser to https://MyApplianceIP:9443/rest/v1/monitor/support-archive (authenticate as admin). This downloads a .zip file with all of the log files, which is much easier to read in a GUI text editor.

For initial configuration problems, check out admin.log.

For Horizon View brokering problems, check out esmanager.log.

Load Balancing

See http://www.carlstalhood.com/horizon-view-load-balancing-netscaler-11-1/ to load balance Unified Access Gateways.

129 thoughts on “VMware Unified Access Gateway (aka Access Point) 3.0”

    1. Carl, I’d like to ask a question. I deployed two UAGs with PS and the first one came up fine, but the second one, well, I can’t get to the web interface. I used the exact same PS script except that I changed the name and IP address and the datastore, but still the web admin interface will not load. I can ping it and in VMware, I can console to it, so I’m at a loss as to what happened. Any thoughts?

  1. Hi Carl,

    I need your help in configuring a reverse proxy in Access Point for my IDM URL so that my users can open the IDM URL from the Internet and access published applications and desktops. I am listing my infrastructure details below; can you please guide me on how to achieve this.

    1. I have 2 APs configured in the DMZ, and both are in a single NIC configuration
    2. Both APs are configured behind a NetScaler load balancer in the DMZ
    3. The external URL configured in the AP is VDI.Gridtech.com, and I have the same URL for internal access as well
    4. I have deployed and configured two IDM 2.8 appliances with the internal FQDNs IDM01.gridtech.grid.com and IDM02.gridtech.grid.com
    5. Created a DNS entry as workspace.gridtech.com internally
    6. I can access workspace.gridtech.com internally and I am able to launch the applications and desktops seamlessly through the workspace portal
    7. I want to access the same URL from the Internet, and a reverse proxy needs to be configured through my Access Point

    Can you please help me with the steps which I need to follow.

    1. I’m trying the same thing; not a lot of luck thus far. VMware support has not been very helpful either.
