VMware Unified Access Gateway

Last Modified: Oct 18, 2018 @ 4:53 pm



Unified Access Gateway is the new name for VMware Access Point.

Unified Access Gateway (formerly known as Access Point) is a replacement for Horizon Security Servers. Advantages include:

  • You don’t need to build extra Connection Servers just for pairing. However, you might want extra Horizon Connection Servers so you can filter pools based on tags.
  • Between Unified Access Gateway and Horizon Connection Servers you only need TCP 443. No need for IPSec or 4001 or the other ports. You still need 4172, 22443, etc. to the View Agents.
  • No need to enable Gateway/Tunnel on the internal Horizon Connection Servers.
  • Additional security with DMZ authentication. Some of the authentication methods supported on Unified Access Gateway are RSA SecurID, RADIUS, CAC/certificates, etc.


  • It’s Linux. You can deploy and configure the appliance without any Linux skills. But you might need some Linux skills during troubleshooting.

Horizon View Security Server is still developed and supported so you’re welcome to use that instead of Unified Access Gateway. But some of the newer Blast Extreme functionality only works in Unified Access Gateway (Access Point) 2.9 and newer. See Configure the Blast Secure Gateway at VMware Docs.

More information at VMware Blog Post Technical Introduction to Access Point for Secure Remote Access.

Unified Access Gateway is supported with Horizon 7.5 and Horizon 7.6. Refer to the compatibility matrix for the latest compatibility data for each version.

  • What’s New in VMware Unified Access Gateway 3.3.1 VMware Techzone Blog Post
    • Reset admin password from CLI
    • Syslog for audit events
    • Customizable Security Headers – e.g. Content Security Policy
    • Pass SAML attributes as HTTP Headers
    • PowerShell Support for Content Gateway and Identity Bridging
    • Admin portal allows you to edit the network settings of each NIC

Download Unified Access Gateway

The main VMware Horizon 7.6 download page also has UAG


VMware Technical White Paper Blast Extreme Display Protocol in Horizon 7, and Firewall Rules for DMZ-Based Unified Access Gateway Appliances at VMware Pubs.

Open these ports from any device on the Internet to the Unified Access Gateway Load Balancer VIP:

  • TCP and UDP 443 (includes Blast Extreme)
  • TCP and UDP 4172. UDP 4172 must be opened in both directions. (PCoIP)
  • TCP and UDP 8443 (for HTML Blast)

Open these ports from the Unified Access Gateways to internal:

  • TCP 443 to internal Connection Servers (through a load balancer)
  • TCP and UDP 4172 (PCoIP) to all internal Horizon View Agents. UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon View Agents.
  • TCP and UDP 22443 (Blast Extreme) to all internal Horizon View Agents.
  • TCP 9427 (MMR and CDR) to all internal Horizon View Agents.

Open these ports from any internal administrator workstations to the Unified Access Gateway appliance IPs:

  • TCP 9443 (REST API)
  • TCP 80/443 (Edge Gateway)

Network Profile

Note: in Unified Access Gateway 3.3 and later, Network Protocol Profile is no longer necessary.

  1. Before importing the Unified Access Gateway OVF, you will need to configure a Network Profile. In vSphere Web Client, go to the Datacenter object. On the right, switch to the Manage (or Configure) tab > Network Protocol Profiles.
  2. Click the plus icon.

  3. In the Select name and network page, enter a name, select the DMZ VM Network for your Unified Access Gateway appliance, and click Next.

  4. In the Configure IPv4 page, enter the subnet information, and Gateway.
  5. Don’t configure an IP pool. Click Next.
  6. In the Ready to complete page, click Finish.
  7. If you are configuring multiple NICs on your Unified Access Gateway, create Network Protocol Profile for the remaining subnets.

Import OVF

Mark Benson at VMware Communities Using PowerShell to Deploy VMware Unified Access Gateway has a PowerShell script that runs OVF Tool to deploy and configure Unified Access Gateway. The PowerShell script is updated as newer versions of Unified Access Gateways are released. This is the recommended method of deploying Unified Access Gateway.

As of UAG, the PowerShell script is downloadable from the UAG download page.

Some notes regarding the PowerShell script:

  • If the OVA path has spaces in it, do not include quotes in the .ini file. The script adds the quotes automatically.
  • For the target parameter, specify a cluster name instead of a host. If spaces, there’s no need for quotes. For example:
    target=vi://admin@corp.local:PASSWORD@vcenter02.corp.local/Datacenter/host/Cluster 1
  • Special characters in the vCenter password must be encoded. Use a URL encoder tool (e.g. https://www.urlencoder.org/) to encode the password. Then paste the encoded password when prompted by the ovftool. The UAG passwords do not need encoding, but the vCenter password does.

There is no upgrade process for Unified Access Gateway. You must delete the old appliance and deploy a new one. To speed up the deployment, either use the PowerShell deployment script, or export the settings from the old appliance and import into the new appliance.


To upgrade from an older appliance, you delete the old appliance, and import the new one. Before deleting the older appliance, export your settings:

  1. Log in to the UAG at https://<Your_UAG_IP>:9443/admin/index.html.
  2. In the Configure Manually section, click Select.
  3. Scroll down to the Support Settings section, and then click the JSON button.


To deploy the Unified Access Gateway using VMware vSphere Client:

  1. Unified Access Gateway is supported with Horizon 7.5.1 and Horizon 7.6. Refer to the compatibility matrix for the latest compatibility data for each version.
  2. Download Unified Access Gateway
  3. In vSphere Client, right-click a cluster, and click Deploy OVF Template. Note: the HTML5 UI client in vSphere 6.5 Update 2 and newer might work for single NIC. But multi-NIC is only supported in the Flash UI (source = Hilko Lantinga in the comments)

  4. Select Local File. In the Select source page, browse to the downloaded euc-unified-access-gateway- file, and click Next.

  5. In the Select name and location page, give the machine a name, and click Next.

  6. In the Review Details page, click Next.
  7. In the Select configuration page, select a Deployment Configuration. See DMZ Design for VMware Unified Access Gateway and the use of Multiple NICs at VMware Communities. Click Next.

  8. In the Select storage page, select a datastore, select a disk format, and click Next.

  9. Even if you select Single NIC, the OVF deployment wizard asks you for multiple NICs. UAG typically goes in the DMZ.
  10. In the Customize template page, enter STATICV4, and scroll down. Note: HTML5 UI client displays the settings in a different order than the Flash vSphere Client.
  11. Enter the NIC1 (eth0) IPv4 address. Scroll down.
  12. Enter DNS addresses, Gateway, and Subnet Mask. Scroll down.

  13. Scroll down and enter more IP info.
    1. STATICV4 and a static IP.
    2. For DNS servers, enter them with a space between them.
  14. Scroll down.
  15. Enter a Unified Gateway Appliance Name.
  16. Then expand the Password Options section.
  17. Scroll down. Expand Password Options, and enter passwords. Then click Next.

  18. In the Ready to complete page, click Finish.

UAG Admin Interface

  1. Power on the Unified Access Gateway appliance.

    • When booting UAG 3.0, it might ask you to answer a question. Select No, and click OK.
  2. If the appliance initially boots with the wrong IP, then a reboot might fix it.
  3. In Unified Access Gateway and Access Point 2.8 and later, you can point your browser to https://My_AP_IP:9443/admin/index.html, and log in as admin.
  4. If you have previously exported settings, you can import it now by clicking Select in the Import Settings section.
  5. Or, on the right, under Configure Manually, click Select.
  6. Next to Edge Service Settings, click Show.
  7. Next to Horizon Settings, click the gear icon.
  8. Change Enable Horizon to Yes.
  9. As you fill in these fields, hover over the information icon to see the syntax.
  10. The Connection Server URL should point to the internal load balanced DNS name (URL) for your internal Connection Servers.

    1. For the Connection Server URL Thumb print, get the thumbprint from the internal Horizon View certificate. Point your browser to the internal Horizon View Connection Server FQDN (load balanced), and click the padlock icon to open the certificate. If using Chrome, you have to open the Developer Tools (F12), switch to the Security tab, and then click View Certificate. If you don’t see the Security tab, then click the double right arrows.
    2. On the Details tab, copy the Thumbprint.
  11. In the Proxy Destination URL Thumb Prints field, type in sha1= and paste the certificate thumbprint.
  12. At the beginning of the Thumbprint field, immediately after the equals sign, there might be a hidden character. Press the arrow keys on the keyboard to find it. Then delete the hidden character.
  13. Enable the three PCOIP, Blast, and Tunnel Gateways and perform the following configurations:
    1. For PCOIP External URL, enter the external IP or external FQDN and :4172. The IP or FQDN should point to your external load balancer that’s load balancing UDP 4172 and TCP 4172 to multiple Unified Access Gateways.
    2. For Blast External URL, enter https://<FQDN>:443 (e.g. https://view.corp.com:443). This FQDN should resolve to your external load balancer that’s load balancing UDP 443 and TCP 443 to multiple Unified Access Gateways.
    3. For Tunnel External URL, enter https://<FQDN>:443 (e.g. https://view.corp.com:443). This FQDN should resolve to your external load balancer that’s load balancing TCP 443 to multiple Unified Access Gateways.
    4. The external load balancer must be capable of using the same persistence across multiple port numbers. On NetScaler, this feature is called Persistency Group. On F5, the feature is called Match Across.
  14. Then click More.
  15. Unified Access Gateway has a default list of paths it will forward to the Horizon Connection Server. You can edit the Proxy Pattern and add |/downloads(.*) to the list so users can also download Horizon Clients that are stored on your Horizon View Connection Servers. The extra pattern goes inside the outer parentheses. For example: (/|/view-client(.*)|/portal(.*)|/appblast(.*)|/downloads(.*))
  16. Scroll down and click Save when done.
  17. If you click the arrow next to Horizon Settings, then it shows you the status of the Edge services.

    • If all you see is Not Configured, then refresh your browser, and click Refresh Status icon.
  18. In your Horizon Connection Servers, the Secure Gateways (e.g. PCoIP Gateway) should be disabled.
    1. Go to Horizon Administrator.
    2. Expand View Configuration, and click Servers.
    3. On the right, switch to the Connection Servers tab.
    4. Highlight your Connection Servers, and click Edit.
    5. Then uncheck all three gateways.
    6. If Horizon 7, HTML Access won’t work through Unified Access Gateway unless you disable Origin Check or configure the Connection Server’s locked.properties with the Access Point addresses. Also see KB 2144768, Accessing the Horizon View Administrator page displays a blank error window in Horizon 7.
  19. If you want Unified Access Gateway to authenticate users using non-AD methods (e.g. two-factor), enable the Authentication Settings section, and configure the settings as appropriate for your requirements.
  20. Ciphers are configured under Advanced Settings > System Configuration.

    • Syslog is also configured here.
  21. To upload a valid certificate, scroll down to the Advanced Settings section, and next to TLS Server Certificate Settings, click the gear icon.
  22. In Unified Access Gateway 3.2 and newer, you can apply the uploaded certificate to Internet Interface, Admin Interface, or both.
  23. In Unified Access Gateway 3.0 and newer, change the Certificate Type to PFX, browse to a PFX file, enter the password. This PFX file certificate must match the Public FQDN (load balanced) for Unified Access Gateway.
  24. Leave the Alias field blank.
  25. Click Save.

  26. If you changed the Admin Interface certificate, then you will be prompted to close the browser window and re-open it.
  27. Or, you can upload a PEM certificate/key (this is the only option in older UAG). Next to Private Key, click the Select link.

    1. Browse to a PEM keyfile. If not running Unified Access Gateway 3.0 or newer, then certificates created on Windows (PFX files) must be converted to PEM before they can be used with Unified Access Gateway. You can use openssl commands to perform this conversion. The private key should be unencrypted.
    2. Browse to a PEM certificate file (Base-64) that contains the server certificate, and any intermediate certificates. The server certificate is on top, the intermediate certificates are below it. The server certificate must match the public FQDN (load balanced) for the Unified Access Gateway.
    3. Click Save when done.
  28. UAG 3.1 adds an Endpoint Compliance Check feature. It requires an OPSWAT subscription. The OPSWAT agent is deployed to endpoints out-of-band. It’s pass/fail. See Endpoint Compliance Checks for Horizon at VMware Docs, and the YouTube video Endpoint Compliance Checks: New VMware Horizon Security Feature.

  29. If you scroll down to Support Settings, click the icon next to Export Unified Access Gateway Settings to save the settings to a JSON file. If you need to rebuild your Unified Access Gateway, simply import the JSON file.
  30. If you point your browser to the Unified Access Gateway external URL, you should see the Horizon View Connection Server portal page. Horizon Clients should also work to the Unified Access Gateway URL.
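Two of the values entered above are easy to get subtly wrong: the thumbprint in steps 11 and 12 (a hidden character after the equals sign) and the Proxy Pattern in step 15 (the new alternative must land inside the outer parentheses). The Python below is an added example, not code from this post or from VMware; it assumes UAG applies the Proxy Pattern as a full match on the request path, and every thumbprint and path in it is constructed.

```python
"""Added example: sanity checks for two values typed into UAG's Horizon
Settings. Constructed data only; nothing here contacts a real appliance."""
import hashlib
import re
import unicodedata

# Invisible characters that ride along when a thumbprint is copied out of a
# browser certificate viewer (zero-width space, bidi marks, BOM, NBSP).
_HIDDEN = {chr(c) for c in (0x200B, 0x200E, 0x200F, 0xFEFF, 0x00A0)}


def normalize_thumbprint(raw: str) -> str:
    """Return the thumbprint as 'sha1=AA:BB:...' (20 bytes, upper case).

    Accepts the value with or without the sha1= prefix, with spaces, colons
    or dashes between bytes, and with hidden characters after the '='.
    Raises ValueError if 40 hex digits do not remain after cleanup.
    """
    visible = "".join(
        ch for ch in raw
        if ch not in _HIDDEN and unicodedata.category(ch) not in ("Cc", "Cf")
    )
    text = visible.strip()
    if text.lower().startswith("sha1="):
        text = text[5:]
    cleaned = re.sub(r"[\s:\-]", "", text)
    if not re.fullmatch(r"[0-9a-fA-F]{40}", cleaned):
        raise ValueError(f"not a SHA-1 thumbprint after cleanup: {cleaned!r}")
    hexstr = cleaned.upper()
    return "sha1=" + ":".join(hexstr[i:i + 2] for i in range(0, 40, 2))


def thumbprint_from_der(der: bytes) -> str:
    """SHA-1 of the DER-encoded certificate (what the browser's 'Thumbprint'
    field shows), formatted for the UAG field."""
    return normalize_thumbprint(hashlib.sha1(der).hexdigest())


# UAG's default Horizon proxy pattern as quoted in the post above.
DEFAULT_PATTERN = r"(/|/view-client(.*)|/portal(.*)|/appblast(.*))"


def add_proxy_path(pattern: str, prefix: str) -> str:
    """Add '|<prefix>(.*)' INSIDE the outer parentheses of a proxy pattern."""
    if not (pattern.startswith("(") and pattern.endswith(")")):
        raise ValueError("pattern must be wrapped in one pair of parentheses")
    return f"{pattern[:-1]}|{prefix}(.*))"


def pattern_compiles(pattern: str) -> bool:
    """False for a pattern with unbalanced parentheses (a common edit slip)."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def check_proxy_pattern(pattern: str, paths) -> dict:
    """Report which request paths the pattern would forward to the Connection
    Server. Assumption: UAG applies the pattern as a full match on the path."""
    compiled = re.compile(pattern)
    return {p: compiled.fullmatch(p) is not None for p in paths}


# Constructed request paths; the client file name is made up.
SAMPLE_PATHS = [
    "/",                                     # portal landing page
    "/portal/webclient/index.html",          # HTML Access
    "/downloads/VMware-Horizon-Client.exe",  # client download from the CS
    "/admin/index.html",                     # must not be forwarded
]

if __name__ == "__main__":
    # Constructed thumbprint with a zero-width space right after the '='.
    pasted = "sha1=\u200bB6 77 DC 9C 19 94 2E F1 78 F0 AD 2E 16 98 31 C0 32 1A 4F 46"
    print(normalize_thumbprint(pasted))
    print(check_proxy_pattern(DEFAULT_PATTERN, SAMPLE_PATHS))
    extended = add_proxy_path(DEFAULT_PATTERN, "/downloads")
    print(extended, check_proxy_pattern(extended, SAMPLE_PATHS))
    print(pattern_compiles(extended + ")"))  # one extra ')' -> False
```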

Monitor Sessions

To see existing Horizon connections going through UAG, point your browser to https://uag-hostname-or-ip-addr:9443/rest/v1/monitor/stats.

Andrew Morgan at Viewing VMware Unified Access Gateway statistics with REST created a PowerShell module that calls this REST API.

Logs and Troubleshooting

In Access Point 2.8, and Unified Access Gateway (2.9 and newer), you can download logs from the Admin Interface.

You can also review the logs at /opt/vmware/gateway/logs. You can view these logs with less from the appliance console.

Or you can point your browser to https://MyApplianceIP:9443/rest/v1/monitor/support-archive. This will download a .zip file with all of the logfiles. Much easier to read in a GUI text editor.

For initial configuration problems, check out admin.log.

For Horizon View brokering problems, check out esmanager.log.

By default, tcpdump is not installed on UAG. To install it, log in to the console and run /etc/vmware/gss-support/install.sh

Load Balancing

If you use NetScaler, see https://www.carlstalhood.com/vmware-horizon-unified-access-gateway-load-balancing-netscaler-12/ for how to load balance Unified Access Gateways.

For VMware NSX load balancing of Unified Access Gateways, see the VMware® NSX for vSphere End-User Computing Design Guide 1.2.

199 thoughts on “VMware Unified Access Gateway”

  1. Hello Carl

    First of all great website …

    We have an environment as shown in your image “Unified Access Gateway in DMZ Topology”. The UAGs are configure for MFA with two loadbalanced Radius servers. Everything works fine so far.
    We got only one problem, after login with MFA on one of the UAGs you have to login on the view portal a second time. This login page shows the Active Directory drop down menu with all our domains. After login with correct domain you can start the session.
    Is there a possibility to do SSO after MFA login on the UAGs?

    Kind regards

  2. Hello,

    unfortunately, after the update from Horizon Server 7.3.1 to 7.6, the UAG does not work anymore. All points are green but the Horizon target server is red, this would be shut down. In the logs I find the following:

    ERROR client.HttpClient[exceptionCaught: 286][]: Exception caught while communication to backend: javax.net.ssl.SSLException: Received fatal alert: handshake_failure

    ERROR view.ViewEdgeService[onFailure: 650][]: unable to query Horizon Broker: javax.net.ssl.SSLException: Received fatal alert: handshake_failure

    Does anyone have an idea what has changed with version 7.6? I have already tried the latest UAG appliance and installed a fresh server with 7.6, but unfortunately the same error.

    Thank you for any support! :-))

      1. Hello Carl,

        thank you for your answer. No certificates are used, the thumbprint has remained the same and has been tested. I’ve installed a new Connection Server trial with a new thumbprint but unfortunately this does not work either. Except the update via the Connection Server over it run was not changed.

      1. Unfortunately not yet, but yesterday I opened a ticket with VMware and wait for an answer from the support. Should the gateways work again I will share the solution.

      2. ok, the problem here was pretty “simple”. We had used a UAG FIPS the whole time, but you probably need a server with FIPS enabled and the CS with FIPS. The CS 7.3 was no matter the UAG ran, but with the 7.6 does not work anymore. Just rolled out a new UAG without FIPS and in two minutes everything went well again.

  3. Any command you can run on a UAG v3.2.1 to get the number of sessions going through it at a point in time? Just checking if it’s taken out of the VIP, when the sessions are cleared off it. Cheers, Paul.

  4. Hello everyone,

    i have a question.

    One customer from me have the following demand.

    200 Licenses.
    One VDI Pool (Horizon 7.5)
    One UAG

    It should maximum 50 user connect to over the UAG to the one pool.
    The customer wish 150 free licenses for internal students.
    A second pool is not desired.

    Do I have a way to do this?

    Thanks for helping.

  5. HI Carl,
    We have a similar setup to what you are depicting in your diagram with NetScalers in the DMZ but no load balancers on the internal network. Essentially 1 UAG(3.1) speaks to 1 Connection server (7.3.1) only. The Netscalers VPX 200 (11) use SSL_BRIDGE to connect to the UAGs as per one of your previous posts.

    I need to document Client IPs and MAC addresses hitting the SSL_BRIDGE service, so only external connections. I was wondering if you could recommend the best way to achieve this.

    I need to document 6 months worth of SRC IP and SRC MAC. I presume the NetScaler would be the place, or perhaps the UAGs.

    I hope you are able to point me to the right path on this one.


  6. Carl,

    Have you seen where users randomly are not allowed to connect over pcoip thru the UAC? They can connect over BLAST. We’re experiencing this right now, and it was working a couple of days ago.

  7. hi Carl

    why can’t I save radius configuration? I keep getting an error “Error in saving the authentication method”

  8. @above
    Use the PowerShell method to deploy: https://communities.vmware.com/docs/DOC-30835


    proxyDestinationURL= https://workspace.xxx.com

    Please add a note that deploying anything but ‘Single NIC’ isn’t supported with the HTML OVF Deployment Wizard, they require Flex (Flash Interface) or PowerShell. And of course Horizon 7.5 is also supported with 3.3.

  9. Carl,

    Any reason you can think of why we’d be getting an error of “The connection Server authentication failed. The tunnel server presented a certificate that didn’t match the expected certificate.”? We get this when coming in through the UAGs with our Horizon client, but only when Tunnel is enabled. If tunnel is disabled, we don’t get it, we get it fine, but, obviously functions like USB redirection do not work. I’m using a wildcard cert. I’m thrown off by the error because if it’s a cert mismatch, why do I only get it when Tunnel is enabled?

    We utilize F5 as our load balancer. Essentially all users, internally and externally, go to a GTM. We’ll call it https://vdi.site.com. For this discussion, since it’s UAG, we’ll stick to external use case.

    When they hit the GTM, there are 2 LTMs behind it:

    DC1LTM = UAG 1, UAG 2

    DC2LTM = UAG 1, UAG 2

    The UAGs themselves are pointed at another LTM for connectivity to their Horizon brokers.

    In my Horizon client, I’m telling it to use the DC1 UAG LTM to test, and this is where I run into the error above. What’s odd is, if I leave tunnel enabled, but switch the external URL to DC1LTMFQDN:8443 (the dialog box in the UAG says use 8443 but I see your screenshot uses 443; I tried both), I get an error of “tunnel re-connection is not permitted”.

    1. Not sure how related it is to my issue, but, the one line from the deployment guide from F5 that I keep going back to about changing, is the one that states:

      In the Virtual Servers and Pools section, complete the following. a. Type the IP address for the virtual server. b. Type the FQDN to which external clients will connect with the Horizon Client.

      For point B. we’re actually putting in that field the LTM FQDN of whichever iApp we’re configuring at that time. I’m wondering if instead we should be putting in the GTM. Our F5 admin put in the LTM and I can see where he’s going with that, but, I wonder if that’s a mistake and we should use the GTM, since quite literally the users are indeed going to the GTM, that then hands them off to the LTM.

  10. Hi,

    Can anyone please advise? I am trying to set up RSA SecurID but I am getting the following error message.

    “Failed to set adapter configuration. A SecurID connectivity or configuration error has occurred.”

    UAG is in DMZ and RSA SecurID is on internal network. The following ports are open but still no luck. Has anyone managed to set up RSA SecurID authentication with UAG?

    Port: 5500 Protocol: udp
    Port: 5550 Protocol: tcp
    Port: 5580 Protocol: tcp

  11. Great work Carls,

    Just need a bit help setting up UAG with two nic deployment. I am confused how to setup network protocol profiles for external network and internal network. Can you please advise how can I achieve this.


  12. Hi Carl,

    Thanks you for such a detailed post. I would like to understand few things

    1. Can we configure horizon port 8443 and workspace ONE port 443 both service on single UAG 3.2 appliance.
    2. How it works as we hit FQDN without specific port.

    e.g :
    1 vdi.domain.com – for horizon

    2 wpone.domain.com – for workspace one.

    Want to know how it will work with given port sharing feature enabled.

    I tried but only 1 of the service is responding at a time.

    Appreciate your help in advance.

  13. Issue resetting admin password. I use the normal firstboot option to change the admin password, but when I log in and get the change password screen it fails to update it.


    can’t find anything on VMWARE.com about this

  14. Hi Carl, Fantastic blog as always. I have a question about 2-factor authentication. I have successfully configured 2-factor on my customers UAG. The issue is, they have a list of public IP addresses that need to bypass Duo 2-factor. Is this something that would be configured on the Unified Access Gateway appliance or would this need to be configured on the customers on their F5 Access Policy Manager?

  15. Is it normal to have the VCS server to report Unknown in red under the Security Servers in the Dashboard?

    Everything works fine, but the VCS server is reporting Unknown since we moved to UAG.

  16. Hi carls,
    I have a problem with SSL certificates to use BLAST and HTML ACCESS.
    I don’t use AEG or Security Server. I applied on my parent machine: the Horizon agent with HTML Access.
    On this machine we have a Blast certificate in the personal Windows store. I insert my CA root and intermediate CA authority certificates in the personal store and trusted editors.
    I also apply a Wildcard generated from our CA root. When I deploy, I find my VDI machines with the certificates but unfortunately I still suffer from non-approved certificate warnings regardless of the web browser.
    Any ideas ?
    I read the HTML Access PDF, the KB 2088354, the forum https://communities.vmware.com/thread/496892

  17. I successfully managed to use UAG instead of Security server. But in my Horizon Dashboard, the old Sec server is still there and showing as red… How can I remove that and eventually have the UAG showing up ?
    external IP is the same…

  18. Have a question about the Blast Gateway, with the certificate error received if behind the UAG should that Gateway be enabled so it routes internal users to UAG rather than directly to the agent where the client will get a certificate error? Thanks

    1. If you need HTML Blast, and if you want to prevent certificate errors, you can proxy the connection through your Connection Servers by enabling the Blast Gateway, or you can proxy the connection through a UAG, or you can install valid certificates on each Agent.

  19. How do I know which interface is which in the config? How do I know if the “netManagementNetwork” config setting in the script is the target interface for the “ip1” setting?
    Trying to do a threenic installation. Deployment runs fine, but the appliance never responds on the management IP. Tried to reboot the appliance several times, but to no avail.

        1. For regular load balancing, Standard is fine.

          How many concurrent UAG connections? I’m assuming PCoIP/Blast are going through NetScaler.

          Your NetScaler might be doing decrypt/re-encrypt of Blast, which means fewer users than maximum bandwidth. If PCoIP, it should be just forwarding as is.

          1. One UAG I think is rated for 2,000 users.

            If you assume 250K per active user, that’s around 732 Mbps. So VPX would need to be at least 1000, which gives you two more vCPUs.

          2. F5 can replace UAG. NetScaler can replace UAG for PCoIP only. I assume NetScaler will eventually add Blast protocol.

            Otherwise, it’s standard load balancing.

          3. BTW I didn’t know blast would require decrypt / re-encrypt by NS…any recommendation for possibly 3000 users. Most of them are internal but just out of curiosity.

          4. Internal traffic doesn’t go through NetScaler and instead goes directly from Horizon Client to Horizon Agent. Thus not much traffic needed on NetScaler. It’s only UAG users that send traffic through NetScaler.

          5. I don’t see point of replacing UAG, in both cases NS and F5 can I just use standard LB and let UAG do the job for any protocol?

          6. Hi Carl Just last question. Without replacing UAG, F5 license just to load balance service, internal and external, F5 “Good” license should be enough right?

  20. Since UAG is in Prod, users receive this : VMWare Horizon Client – Logout Request by system.

    As long as we don’t click OK, it is fine except that USB is not working…

    We are on 7.2

  21. Hello Carl, I was wondering about the sentence ” Open these ports from any device on the Internet to the Unified Access Gateway Load Balancer VIP:

    TCP and UDP 443 (includes Blast Extreme)
    TCP and UDP 4172. UDP 4172 must be opened in both directions. (PCoIP)
    TCP and UDP 8443 (for HTML Blast) “.

    In our case – this traffic goes to the REAL IP Addresses of the Firewall, which forward the traffic to the security servers in question. In other words, if the settings for the different gateway protocols – PCoIP, BLAST and HTML blast all points to something which is not the load balancer’s IP Address one would not need to open them at all.
    By my understanding, once authenticated to UAG, a client will receive and process an URL which should be used for further “secondary” protocols. If this “link”/setting/url does not lead to the IP of the load balancer -then this traffic will not traverse the load balancer at all.

    Please correct me if I am wrong.

    1. You can do it either way. If your load balancer supports persistence across multiple port numbers, then you can send all ports through a single public IP that resolves to one VIP. Otherwise, you send 443 to the load balancer, and 4172 and 8443 directly to each UAG.

  22. Hi Carl,

    Can you explain why on the Connections Servers the Gateways have to be disabled?

    Before we were using Security Server on Windows in the DMZ and had all these gateways enabled.
    We could connect through Blast Secure Gateway on HTML Access on the URL of the Security Server (from outside the office) and to the URL of the Connection Server for internal HTML Access.

    We now have disabled all the Gateways on the Connection Server and now it’s not possible to use HTML Access through the Connection Server. It seems like it’s want to connect to the IP of the linked clone directly instead of through the Connection Server.

    Why can’t I enable the Blast Secure Gateway for internal HTML Access to the View Desktops?

    1. Enabling it on Connection Servers overrides the same functionality on UAG.

      One option is to build separate VCSs for internal users and enable it on them. Make sure UAG doesn’t connect to those VCSs.

  23. Hi Carl, just a quick observation – if I make the change to the portal-links-html-access.properties file to disable the enable download feature (=false) it works when connecting directly via the Connection Servers (v7.2) or internal VIP, but breaks the UAG access (v3.0) and the Proxy Destination Server turns red on the Admin page.

    If I change it back, the UAG access works again, but obviously still shows the download option.

    Is there a proxy pattern I need to enter to permit UAG access as it seems to be having an issue talking to the Connection Server? (I’ve tried a few combinations to no avail….)


    1. Quick heads up – seems to be an issue with the VIP/Load Balancing as when make the change the internal vip shows the Connection Servers are unavailable…..

  24. Question: The time out setting under advanced config…it’s set to 3600000 milliseconds – or ten hours – IS there a know way to set that to never timeout? Like can I use -1 or zero or something so that sessions are never disconnected? VMware support said to fill it with 9’s and that’s the best I can do.

    Is that true?

  25. Got a working UAG v2.9 and replaced it with UAG 3.0, but UAG 3.0 does not work. I get a certificate error when accessing Horizon with a browser. It seems like the UAG 3.0 does not like SANs in the certificate. Tried both PFX and PEM methods for UAG 3.0 deployment. Booting up the UAG 2.9 again, and all works again.
    Any thoughts on that?

  26. Hi Carl,

    Stupid question but I can’t find the answer anywhere… how do I change the IP address of the UAG 3.0 after deployment ??



    1. You might have to delete it and re-deploy it. You can save the config to a file. Re-deploy. Then upload the config again.

      1. OK, Done that.. but I struggle with it.
        I’m left with
        Proxy Destination Server RED.

        I only have one Connection server and replacing the Secure server by UAG on the same IP.

        Any hint on what am I doing wrong here ?

        1. Either UAG can’t resolve the DNS name, can’t talk to the destination address, or the certificate thumbprint you imported doesn’t match the certificate on the Connection Server (or load balancer).

    2. It is SUSE Linux so find in Google how to change IP in this distribution. I changed the IP yesterday by editing ifcfg-eth0 file (single NIC deployment).

  27. Hi Carl,

    We’ve been using UAG for a long time now.. and the latest build 3.0 has been fine for a month or so but now within a few days of each other, two of the three UAG’s have gone offline (or somehow stopped passing user traffic). They just stopped working…
    I can pull up the admin site, but if I disable “server 1 and 2” so only “server 3” is active in the netscaler LB… i cant connect the Horizon client. A few days ago it was server three…. so i took it out of the mix… Today server 2 did it….
    A reboot of the UAG fixes it.. but kinds annoying… as no users can get in that the netscaler decides to hand off to that UAG for access…
    Anyone else have this issue?
    I really don’t want to open a ticket… as it’ rather irritating how long tickets take to work with VMware… especially on a issue like this.

    Three 3.0 UAG servers behind a netscaler, load balanced following the articles you’ve got here.
    They connect to two 7.2 connection servers, also on a VIP.

    1. I recently built a new Horizon environment for a client a few weeks ago, and we just had this issue today. It is a very small environment with no load balancer, with all traffic going through the UAG. This caused a production outage. I checked the UAG and all of the services were green. Rebooting the UAG fixed the issue. I have them opening a ticket with VMware support and will let you know what we find out.

    2. Known issue with 3.0. Resolved with 3.1 (resolved issues in release notes) and later. Also, 3.0 not supported with 7.2.
      Better late than never…

  28. Hello Carl, Following your site for a while now and I’m wondering if you have any suggestion regarding the monitoring of the VMware Unified Access Gateway.

    I’m usually using snmp agent or shinken agent to monitor our infrastructure but it seems that VMware didn’t plan to do any of those.

    For now I’m doing a simple snmp check to make sure the gateway is alive and some http check.

    Any suggestion would be very welcome 🙂

    Thank you for all those great articles !

    1. Carl, I’d like to ask a question. I deployed two UAGs with PS and the first one came up fine, but the second one, well, I can’t get to the web interface. I used the exact same PS script except that I changed the name and IP address and the datastore, but still the web admin interface will not load. I can ping it and in VMware, I can console to it, so I’m at a loss as to what happened. Any thoughts?

  29. Hi carls,

    I need your help in configuring reverse proxy in access point for my IDM URL so that my users can open the IDM URL from internet and they can access published application and desktops. I am listing down my infrastructure details can you please guide me how to achieve this.

    1. I have 2 AP configured in the DMZ and both are in single NIC configuration
    2. both the AP is configured behind a Netscaler load balancer in the DMZ
    3. The external URL which is configured in the AP is VDI.Gridtech.com and I have the same URL for internal access as well
    4. I have deployed and configured two IDM 2.8 appliance with an internal FQDN as IDM01.gridtech.grid.com and IDM02.gridtech.grid.com
    5. Created a DNS entry as workspace.gridtech.com internally
    6. I can access workspace.gridtech.com internally and I am able to launch the applications and desktop seamlessly through the workspace portal
    7. I want to access the same URL from internet and reverse proxy needs to be configured through my access point

    can you please help me with the steps which I need to do.

    1. I’m trying the same thing not a lot of luck thus far. VMware support has not been very helpful either.
