The 3.10 release of VMware Unified Access Gateway introduces a variety of new features and enhancements that can improve the life of system administrators everywhere.
But before we get started, make sure you check out the Unified Access Gateway Activity Path in Tech Zone. It includes a lot of technical content to help you get up to speed with Unified Access Gateway.
One of the most important changes in this release is support for TLS 1.3, which strengthens the security of TLS communication. The following edge services now support TLS 1.3:
- Horizon and Web Reverse Proxy on TCP 443
- Secure Email Gateway
TLS 1.3 is enabled by default during deployment, and you can deactivate it in the Admin UI or in the PowerShell deployment. The Blast Secure Gateway component on TCP 8443 no longer accepts TLS 1.1; from this release on, Blast supports only TLS 1.2.
In addition, the default TLS protocol versions for Horizon and Web Reverse Proxy have been updated. Unless you specified them explicitly during deployment, the new defaults apply:
New defaults for the UAG non-FIPS version:
- TLS 1.3
- TLS 1.2
New defaults for the FIPS UAG version:
- TLS 1.2 only
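To confirm these defaults on a deployed appliance, the following script, added here as an example and not part of the release or of VMware's tooling, pins a client handshake to one protocol version at a time and reports which versions each listener negotiates. The hostname uag.example.com is a placeholder, the EXPECTED table encodes the non-FIPS defaults stated above, and because the probe checks protocol policy rather than the certificate, certificate verification is deliberately switched off.

```python
"""Probe which TLS protocol versions a Unified Access Gateway listener negotiates.

Added example (not VMware code). Usage, with the hostname as a placeholder:
    python3 uag_tls_probe.py uag.example.com
Port 443 carries Horizon and Web Reverse Proxy, 8443 carries Blast Secure Gateway.
"""
import socket
import ssl
import sys
from dataclasses import dataclass

# What the 3.10 non-FIPS defaults should produce, per the release notes:
# 443 negotiates TLS 1.3 and 1.2, 8443 negotiates 1.2 only, 1.1 is refused on both.
EXPECTED = {
    443:  {"TLSv1_3": "accepted", "TLSv1_2": "accepted", "TLSv1_1": "rejected"},
    8443: {"TLSv1_3": "rejected", "TLSv1_2": "accepted", "TLSv1_1": "rejected"},
}
PROBE_VERSIONS = (ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_1)


@dataclass
class ProbeResult:
    port: int
    version: str   # e.g. "TLSv1_2"
    status: str    # "accepted", "rejected" or "unreachable"
    detail: str    # negotiated version, OpenSSL reason code, or OS error text


def probe_tls(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> ProbeResult:
    """Attempt one handshake with the client pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # protocol policy is under test, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # Let the local OpenSSL offer legacy versions it would normally refuse, so a
        # TLS 1.1 "rejected" result comes from the appliance rather than from us.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # non-OpenSSL build: probe with the library's default policy instead
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ProbeResult(port, version.name, "accepted", tls.version() or "")
    except ssl.SSLError as exc:
        # Handshake failed. The reason string tells a server refusal apart from a
        # local library that could not offer the version (e.g. NO_PROTOCOLS_AVAILABLE).
        return ProbeResult(port, version.name, "rejected", exc.reason or str(exc))
    except OSError as exc:
        return ProbeResult(port, version.name, "unreachable", str(exc))


def deviations(results, expected=EXPECTED):
    """Return (port, version, got, wanted) for every result that differs from policy."""
    out = []
    for r in results:
        wanted = expected.get(r.port, {}).get(r.version)
        if wanted is not None and r.status != wanted:
            out.append((r.port, r.version, r.status, wanted))
    return out


def main(host: str) -> int:
    results = [probe_tls(host, port, v) for port in EXPECTED for v in PROBE_VERSIONS]
    for r in results:
        print(f"{host}:{r.port} {r.version:8} {r.status:11} {r.detail}")
    bad = deviations(results)
    for port, version, got, wanted in bad:
        print(f"POLICY MISMATCH {host}:{port} {version}: got {got}, expected {wanted}")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "uag.example.com"))
```

Run it from outside the DMZ against the external address. A TLS 1.1 "rejected" line whose detail reads NO_PROTOCOLS_AVAILABLE or similar means the local OpenSSL refused to offer TLS 1.1, not that the appliance refused it, so repeat that probe from a host whose OpenSSL still allows legacy versions. For the FIPS appliance, change the port 443 TLSv1_3 entry in EXPECTED to "rejected" to match the FIPS default listed above.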
Another important feature is support for smart cards and device certificates on the FIPS version of Unified Access Gateway. You no longer need to deploy a security server to work around the previous limitation. When you deploy the FIPS version, all other authentication methods are displayed grayed out, and only the X.509 certificate option is enabled.
After you upload the certificate, it is displayed in the Horizon settings, where it is used to perform authentication.
This release also provides a number of enhancements to SAML 2.0 authentication with third-party identity providers. In addition to improved parsing of third-party SAML metadata, validation has been added for Microsoft AD Federation Services and Shibboleth. You now have a total of five validated identity providers to choose from, in addition to VMware Workspace ONE Access.
Another key feature is the ability of Unified Access Gateway to act as a bridge between IPv4 and IPv6 for the Horizon infrastructure.
With this new release, Unified Access Gateway now supports IPv6 on Horizon infrastructure, even if you have IPv4 and IPv6 clients. You can now choose from the following supported scenarios:
- IPv4/IPv6 => IPv4
- IPv6 => IPv6
- IPv4/IPv6 => IPv6 (new)
In addition, initial support is provided for the following protocols:
- XML-API on TCP/UDP 443
- Blast on TCP 443 and 8443
You can now have clients on both IPv4 and IPv6 and set up Unified Access Gateway in mixed mode. For example, you can configure the Internet NIC with both IPv4 and IPv6 and the backend NIC with IPv6 only, so that the appliance reaches the Horizon infrastructure over IPv6.
You can also configure Unified Access Gateway with IPv4 only on the Internet NIC and have the backend NIC connect to IPv6 infrastructure.
The Origin Header check, which is enabled by default, validates incoming requests against an external URL. If an incoming request to Unified Access Gateway carries an Origin header and Re-Write Origin Header is enabled, Unified Access Gateway replaces the Origin header value with the hostname from the Connection Server URL.
Because the Connection Server then sees its own hostname in the Origin header, the Horizon administrator no longer needs to add the Unified Access Gateway IP addresses to the Connection Server's locked.properties file to satisfy its origin check.
This release also adds a Web Reverse Proxy edge service configuration that can proxy requests normally served from the local Unified Access Gateway resources. This enhancement is specifically for OPSWAT use cases in which Unified Access Gateway is deployed in a Horizon double-hop DMZ configuration.
To support this case, the proxyPattern must include /gateway/resources/(.*) so that the front-end Unified Access Gateway passes the traffic to the back-end appliance and the client can download the OPSWAT MetaAccess on-demand agent.
Another key feature is the configurable CPU utilization maximum on Unified Access Gateway. In the past, once CPU utilization reached 90%, Unified Access Gateway stopped allocating new sessions: it returned an HTTP 503 error to the client, and the load balancer routed the traffic to alternative appliances with more CPU headroom.
With this release, that has changed. The default threshold is now 100%, and you can configure it, either in the Admin UI under System Settings or in the PowerShell INI file with the maxSystemCPUAllowed parameter under the General section.
The favicon.ico health monitor uses the same threshold, so it applies to all edge services.
Raising the default to 100% allows more sessions per appliance, which improves user experience and helps balance traffic across multiple appliances. It also effectively raises the maximum number of concurrent Blast sessions to 2,000, although the exact figure varies with the use case. Keep in mind that at 100% the health monitor only reports an appliance as unavailable once it is fully saturated, so if you rely on the 503 to shift load to other appliances early, set a lower threshold.
While we are on the topic of Blast, it is worth mentioning something that affects Blast, especially in Horizon use cases: how the ports are configured on Unified Access Gateway. The following diagram illustrates some best practices when using Blast. Note that if you block UDP 8443 and use Blast only on TCP 8443, you consume more resources on Unified Access Gateway, and fewer sessions are available per appliance.
If you cannot open UDP 8443 because of security requirements or other reasons, you must deploy more appliances to spread the traffic. Where possible, however, the best practice is to enable both UDP 8443 and TCP 8443, which is the default. This yields far more sessions than blocking UDP 8443 and using TCP 8443 alone.
For more information, see Understand and Troubleshoot Horizon Connections.
Another key feature of this release is support in Secure Email Gateway (SEG) for Active Directory Client Certificate Mapping Authentication (AADCA). If you use external IDs for users and must operate within strict requirements for certificate providers, templates, and so on, this feature will interest you.
One consequence of such requirements is that the UserPrincipalName (UPN) in a certificate does not always match the UPN on the user's Active Directory object, or a different type of UPN is issued for security reasons. If the certificate UPN does not match the Active Directory UPN, authentication fails.
With this feature, when a certificate has no UPN or carries a different one, SEG can query Active Directory to obtain the user's real UPN and then complete certificate authentication against the mail server. To enable it, edit the application properties in the SEG configuration files and turn on certificate mapping, as follows:
cert.mapping.ldap.enabled = true
cert.mapping.ldap.host = ldap://ldap-remote:3268
cert.mapping.ldap.user = CN=servKCD,CN=Users,DC=vmw,DC=org
cert.mapping.ldap.lookup.base = DC=vmw,DC=org
The following diagram outlines the basic flow:
- The certificate metadata is published as part of the user's AD object, outside of Workspace ONE.
- The certificate is pushed to the device for KCD authentication to SEG, and the mail client uses that certificate-based authentication.
- When SEG tries to perform the authentication, it fails because the UPN is not valid.
- Because you enabled the feature beforehand (see the configuration snippet above), SEG makes an LDAP call to AD to find out who owns the certificate.
- SEG obtains the real UPN for that user and uses it to perform the authentication.
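The following model of that flow is an added example, not SEG code. It replays the two lookups the steps above describe: first the UPN carried in the certificate, then, when cert.mapping.ldap.enabled is true, an Active Directory search for the object the certificate was published to. It assumes the certificate is published on the AD object as an explicit altSecurityIdentities value of the form X509:<I>issuer<S>subject, with issuer and subject written exactly as AD stores them; FakeDirectory stands in for the LDAP server named in the properties, and the users, CA name and UPNs are constructed.

```python
"""Model of the SEG certificate-mapping flow (added example, not SEG code).

Assumes explicit altSecurityIdentities mappings of the form "X509:<I>issuer<S>subject"
on the AD object; FakeDirectory stands in for the LDAP server from the properties.
"""
from dataclasses import dataclass, field
from typing import Optional

# The properties snippet from the page, read the way a .properties file is read.
SEG_PROPERTIES = """\
cert.mapping.ldap.enabled = true
cert.mapping.ldap.host = ldap://ldap-remote:3268
cert.mapping.ldap.user = CN=servKCD,CN=Users,DC=vmw,DC=org
cert.mapping.ldap.lookup.base = DC=vmw,DC=org
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: 'key = value' lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")   # split on the first '=' only
        props[key.strip()] = value.strip()
    return props


@dataclass
class ClientCert:
    issuer: str                    # issuer DN, in the form AD stores it
    subject: str                   # subject DN, same form
    san_upn: Optional[str] = None  # UPN from the SAN; may be absent or an external ID


@dataclass
class ADUser:
    dn: str
    upn: str
    alt_security_identities: list = field(default_factory=list)


def escape_ldap(value: str) -> str:
    """RFC 4515 filter escaping. Certificate fields go into the filter, so never skip it."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def upn_filter(upn: str) -> str:
    return f"(userPrincipalName={escape_ldap(upn)})"


def mapping_filter(cert: ClientCert) -> str:
    mapping = f"X509:<I>{cert.issuer}<S>{cert.subject}"
    return f"(altSecurityIdentities={escape_ldap(mapping)})"


class FakeDirectory:
    """Stand-in for the LDAP server; understands only the two equality filters above."""

    def __init__(self, base: str, users: list):
        self.base, self.users = base, users

    def search(self, ldap_filter: str) -> list:
        attr, _, wanted = ldap_filter[1:-1].partition("=")
        hits = []
        for user in self.users:
            values = {"userPrincipalName": [user.upn],
                      "altSecurityIdentities": user.alt_security_identities}.get(attr, [])
            if any(escape_ldap(v) == wanted for v in values):
                hits.append(user)
        return hits


def resolve_upn(cert: ClientCert, directory: FakeDirectory, props: dict):
    """Return (upn, how) on success, or (None, reason) when the logon must be refused."""
    # 1. Behaviour before this feature: the certificate's own UPN must exist in AD.
    if cert.san_upn:
        hits = directory.search(upn_filter(cert.san_upn))
        if len(hits) == 1:
            return hits[0].upn, "san-upn"
    # 2. With mapping disabled, a missing or mismatched UPN is a hard failure.
    if props.get("cert.mapping.ldap.enabled", "false").lower() != "true":
        return None, "upn-mismatch"
    # 3. Ask AD which object this certificate was published to. Anything other than
    #    exactly one hit is refused: zero means unknown, more than one is ambiguous.
    hits = directory.search(mapping_filter(cert))
    if len(hits) != 1:
        return None, "no-unique-mapping"
    return hits[0].upn, "altSecurityIdentities"


# Constructed sample data for the vmw.org forest named in the snippet above.
ISSUER = "DC=org,DC=vmw,CN=VMW Issuing CA"
DIRECTORY = FakeDirectory("DC=vmw,DC=org", [
    ADUser("CN=jdoe,CN=Users,DC=vmw,DC=org", "jdoe@vmw.org",
           [f"X509:<I>{ISSUER}<S>DC=org,DC=vmw,CN=Users,CN=jdoe"]),
    ADUser("CN=asmith,CN=Users,DC=vmw,DC=org", "asmith@vmw.org"),
])

if __name__ == "__main__":
    props = parse_properties(SEG_PROPERTIES)
    for label, cert in [
        ("UPN matches AD", ClientCert(ISSUER, "DC=org,DC=vmw,CN=Users,CN=jdoe", "jdoe@vmw.org")),
        ("external-ID UPN", ClientCert(ISSUER, "DC=org,DC=vmw,CN=Users,CN=jdoe", "1234567890@ext.example")),
        ("unknown cert", ClientCert(ISSUER, "DC=org,DC=vmw,CN=Users,CN=mallory")),
    ]:
        print(f"{label:16} -> {resolve_upn(cert, DIRECTORY, props)}")
```

Two design points carry over to a real deployment: the lookup must return exactly one object, because a mapping string that matches several accounts would let one certificate log in as any of them, and every value taken from the certificate is escaped before it is placed in the LDAP filter, since subject fields are chosen by whoever requested the certificate.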
You can now configure a disclaimer agreement message that is displayed when users log in to the Admin UI. You can do this either under System Configuration or through the PowerShell INI file, by adding the admindisclaimerText parameter under the General section. When you add a disclaimer and enable this feature, the disclaimer is displayed every time the user logs in, not just the first time.
As you can see in the following screenshot, the new logo is displayed along with the disclaimer.
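The following deployment INI fragment, added here as an example rather than taken from the release or from VMware's sample files, shows where the two General-section parameters mentioned in this post sit, together with the Web Reverse Proxy entry for the OPSWAT double-hop case described earlier. The appliance name, OVA path, vCenter target, datastore, network, addresses and the back-end hostname are placeholders; the back-end URL is assumed to be the second-hop appliance, and setting maxSystemCPUAllowed to 90 rather than the new default of 100 is a choice that keeps the older behaviour of returning a 503 to the load balancer before the appliance saturates.

```ini
[General]
name=uag-dmz-1
source=C:\uag\euc-unified-access-gateway-3.10.0.0.ova
target=vi://administrator@vsphere.local@vcenter.example.com/DC1/host/esx1.example.com
ds=datastore1
netInternet=DMZ-External
deploymentOption=onenic
ip0=192.0.2.10
netmask0=255.255.255.0
defaultGateway=192.0.2.1
dns=192.0.2.53
maxSystemCPUAllowed=90
admindisclaimerText=Authorised administrators only. All activity on this system is logged.

[WebReverseProxy1]
instanceId=opswat-resources
proxyDestinationUrl=https://uag-backend.dmz.example.com
proxyPattern=/gateway/resources/(.*)
```

Omit the maxSystemCPUAllowed line to accept the new 100% default. The [WebReverseProxy1] section belongs on the front-end appliance only; the back-end appliance serves /gateway/resources from its own local resources.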
Avi is now officially supported as a load balancer for all edge services on Unified Access Gateway.
This brings enterprise-grade load balancing for front-ending EUC solutions, and it is available across all services, including Unified Access Gateway, Workspace ONE UEM, and Horizon. Avi helps deliver large Workspace ONE and Horizon deployments in a short time, lowers costs, simplifies operations, and provides application and client insights.
This release includes some handy tooltip enhancements in the Admin UI for UEM services that fail to start because of a misconfiguration, such as an incorrect URL, an incorrect username or password, or a failure to reach the UEM API server. Previously, you had to download the logs to troubleshoot such a misconfiguration and work out the correct settings.
Starting in this release, the following message is displayed when a misconfiguration occurs:
Down due to misconfiguration or configuration not resolved at the time of configuring service, look into Unified Access Gateway logs archive file for more details.
This message points you to the logs, such as appliance-agent.log, which are helpful when configuring and troubleshooting the service.
When you download the log files from Unified Access Gateway, system_logs.tar.gz now contains four additional files covering CPU utilization, memory, and other system information.
These additional files improve the troubleshooting experience on Unified Access Gateway. They contain the following information:
- cpu.info – Information about CPU (vCPU) of the virtual machine
- mem.info – Information about virtual machine memory such as total memory available, free memory available
- sysctl.log – Information about all kernel parameters
- journalctl_archive – Archived journald logs of past service activity, in files of 5 MB each
And last but not least, this release adds a new external reference for Unified Access Gateway sizing: VMware Configuration Maximums.
Using the navigation bar on the left, you can view the sizing for individual services, such as Horizon only or Tunnel only, or for any combination of UEM services and reverse proxy. Each selection shows the number of concurrent connections supported by small, medium, and large appliances.
You can then generate a PDF of the selected configuration and download it for future reference.
Now that you’ve glimpsed the new features and enhancements in the 3.10 release of VMware Unified Access Gateway, don’t forget you can find everything you want to know in the Unified Access Gateway Activity Path.