VMware Horizon 7: deploy Unified Access Gateway

horizon-7-unified-access-gateway-01

Normally installed in a DMZ area, the Unified Access Gateway (UAG) is an appliance used to ensure incoming traffic comes from a strongly authenticated remote user.

Unified Access Gateway directs authentication requests to the appropriate server and only to desktop and application resources to which the user is actually entitled.

 

Unified Access Gateway

Unified Access Gateway acts as a proxy host for connections inside your company’s trusted network adding an extra layer of security.

The appliance presents some hardening settings since it is designed specifically for the DMZ:

  • Updated Linux Kernel and software patches
  • Multiple NIC support for Internet and intranet traffic
  • Disabled SSH
  • Disabled FTP, Telnet, Rlogin, or Rsh services
  • Disabled unwanted services

Compared to VPN, the UAG appliance has some advantages:

  • UAG is design for performance and security.
  • Users can access their virtual desktops using the Horizon Client only without using different software to connect.
  • UAG applies access rules automatically requiring less administrative effort to maintain the required rules.

    Deployment settings

    The Unified Access Gateway can be deployed with different configurations. You can specify one, two, or three NICS settings:

    • 1 NIC – this is the simplest configuration where all network traffic is combined onto a single network.
    • 2 NICs – one NIC for unauthenticated access and back-end authenticated traffic and management traffic are separated on the second NIC.
    • 3 NICsall traffic is separated in specific networks.

    Unified Access Gateway 228

     

    Firewall ports to open

    To avoid connection issues in your Horizon infrastructure, the appropriated ports must be open in your fierwall. The following table lists ports to open.

    Unified Access Gateway 229

     

    Deploy the UAG appliance

    After downloading the UAG software in OVA format, from vSphere Client right click the object where to install the appliance and select Deploy OVF Template.

    Unified Access Gateway 230

    Click Browse and select the .OVA file downloaded from VMware. Click Next.

    Unified Access Gateway 231

    Enter a Virtual machine name and select a location. Click Next.

    Unified Access Gateway 232

    Specify the compute resource and click Next.

    Unified Access Gateway 233

    Click Next.

    Unified Access Gateway 234

    Select the Configuration required and click Next.

    Unified Access Gateway 235

    Select the Storage to store the appliance and click Next.

    Unified Access Gateway 236

    Specify the Destination Network and click Next.

    Unified Access Gateway 237

    Enter the network parameters and click Next.

    Unified Access Gateway 238

    Click Finish to proceed with UAG deployment.

    Unified Access Gateway 239

     

    Configure the Unified Access Gateway appliance

    Once the UAG has been deployed, open your preferred browser and enter the address https://<IP_UAG>:9443. Enter the credentials and click Login.

    Unified Access Gateway 240

    Click Select in the Configure Manually side.

    Unified Access Gateway 241

    Enable the Edge Service Setting switch under General Settings to configure the Horizon environment.

    Unified Access Gateway 242

    Click the Horizon Settings‘ icon.

    Unified Access Gateway 243

    Enter the Connection Server URL and the Connection Server URL Thumbprint. Enable the requested protocols such as PCOIP, Blast and specify the URL for the configured protocols used to connect Horizon infrastructure from external. Click Save when done.

    Unified Access Gateway 244

    To find the correct Connection Server URL Thumbprint, right click in the browser the certificate used to connect the Connection Server. In the Details tab search for Thumbrint and copy the value. This value needs to be pasted to the appropriated field.

    Unified Access Gateway 245

    If the entered parameters are correct and the correct firewall ports open, you should see all items with a green circle. If the Horizon Destination Server is red, it means the UAG is unable to resolve the FQDN of the Connection Sever. As workaround, use the Connection Server IP Address instead of FQDN.

    Unified Access Gateway 246

    In the Horizon Console, access the Servers area under Settings and go to Connection Servers tab. Select your Connection Server and click Edit.

    Unified Access Gateway 247

    Disable the HTTP(s) Secure Tunnel and both PCoIP and Blast Secure Gateways. Click OK to save the configuration.

    Unified Access Gateway 248

    Now access the Gateways tab and click Register.

    Unified Access Gateway 249

    Enter the name of the appliance specified in the Advanced Settings of the UAG and click OK.

    Unified Access Gateway 250

    The appliance has been registered successfully.

    Unified Access Gateway 251

    Under Monitor, select Dashboard and click View.

    Unified Access Gateway 252

    In the Gateway tab you can find the configued UAG.

    Unified Access Gateway 253

    Testing the connection to a VD, the Security Gateway used by Horizon is the configured UAG.

    Unified Access Gateway 254

     

    Export the UAG configuration

    To export the configuration, in the UAG configuration UI you can find the Export Unified Access Gateway Settings option under Support Settings. You can export the configuration in JSON or INI format by clicking the appropriated options.

    Unified Access Gateway 255

    The settings are exported to your computer. Click OK to save.

    Unified Access Gateway 256

    The Unified Access Gateway configuration is now complete and the appliance is ready to manage the connection requests.

    signature

    Copyright Nolabnoparty. All Rights Reserved.

    Similar Posts