Configuring the Horizon Edge Service in VMware Unified Access Gateway: VMware Horizon Operational Tutorial

In addition to the PowerShell deployment, Unified Access Gateway can be deployed using the Deployment Utility tool. The utility is based on a wizard and perfect for those deploying the appliance for the first time.

To learn more, watch the following video.

In a single-NIC deployment, all traffic (Internet, backend, and management) uses the same network interface. Authorized traffic is then forwarded by Unified Access Gateway through the inner firewall to resources on the internal network using the same NIC. Unauthorized traffic is discarded by Unified Access Gateway.

A two-NIC deployment separates the Internet traffic onto its own NIC, while the management and backend network data still share a NIC.  The first NIC still used for Internet-facing unauthenticated access, but the backend authenticated traffic and management traffic are separated onto a different network. This type of deployment is suitable for production environments.

In this two-NIC deployment, traffic going to the internal network through the inner firewall must be authorized by Unified Access Gateway. Any unauthorized traffic is not allowed on this backend network. Management traffic such as the REST API for Unified Access Gateway uses only this second network.

If a device on the unauthenticated front-end network is compromised—for example, if a load balancer were compromised—then reconfiguring that device to bypass Unified Access Gateway would still not be possible in this two-NIC deployment. It combines layer 4 firewall rules with layer 7 Unified Access Gateway security.

Similarly, if the Internet-facing firewall is misconfigured to allow TCP port 9443 through, the Unified Access Gateway Management REST API would still not be exposed to Internet users. A defense-in-depth principle uses multiple levels of protection, such as knowing that a single configuration mistake or system attack will not necessarily create an overall vulnerability.

In a two-NIC deployment, it is common to put additional infrastructure systems such as DNS servers, RSA SecurID Authentication Manager servers, and so on in the backend network within the DMZ so that they are not visible from the Internet-facing network. This guards against layer-2 attacks from a compromised front-end system on the Internet-facing LAN and thereby effectively reduces the overall attack surface.

When the Horizon service is enabled on Unified Access Gateway, most network traffic is the display protocol traffic for Blast Extreme and PCoIP. With a single NIC, display protocol traffic to or from the Internet is combined with traffic to or from the backend systems. When two or more NICs are used, the traffic is spread across front-end and backend NICs and networks. This can result in performance benefits by reducing the potential bottleneck of a single NIC.

A three-NIC deployment separates the Internet traffic onto its own NIC and separates management and backend network data onto dedicated networks. HTTPS management traffic to port 9443 is then only possible from the management LAN. This type of deployment is suitable for production environments.

To access the Horizon Administration Console, navigate to https://server/admin on your Web browser, where server is the host name of the Connection Server instance.

1. Enter the user name.
2. Enter the password.
3. Enter the Domain.
4. Click Sign in.

1. Click Settings.
2. Click Servers.
3. Select Connection Servers.
4. Select the Connection Server to be used as the front-end server for Unified Access Gateway deployed in this exercise.
5. Click Edit.

1. Select General.
2. Make sure Use Secure Tunnel connection to machine is deselected.
3. Make sure Use PCoIP Secure Gateway for PCoIP connections to machine is deselected.
4. Make sure Do not use Blast Secure Gateway is selected.
5. Click OK.

1. Using a browser from a client machine (not in the connection server), access the Horizon Administration Console https://ConnectionServer.
2. The Certificate Information shows if the cert is trusted or not. This screenshot shows an example of an untrusted cert.

If the Connection Server is not signed by a trusted CA follow the next steps, otherwise skip.

1. Select the Certificate Details tab.
2. Copy the Thumbprint algorithm and Thumbprint.
3. Save the Thumbprint values in a text file.

Create a INI file and add the following sections:

• [General]
• [Horizon]
• [SSLCert]
• [SSLCertAdmin]

Save the file as  uag-Horizon.ini.

In the General section of the INI file, add the following settings and the respective values:

1. For name, enter a name for VM that will be created in vCenter, such as UAG-2 in this example.
2. For source, enter the path, such as C:\Users\Administrator\Desktop\UAG Resources\UAG Files\euc-unified-access-gateway-3.3.0.0-8539135_OVF10.ova, and use File Explorer to verify that the OVA file has the name indicated.
3. For target, enter the destination path related to the vCenter host that you plan to deploy the appliance, such as  vi://administrator@vsphere.local:VMware1!@vc.corp.local/Nested_Datacenter/host/Host_Cluster.
4. Note: You can replace the password with 'PASSWORD' and the script prompts for the password during the PowerShell execution.
5. For diskmode, enter thin, which refers to disk provision mode.
6. For ds (ds refers to data store), enter the name of the where the appliance will be deployed to, such as datastore2_ESXi01.
7. For deploymentOption, enter twonic.

Continue the General section configuration, and set the following additional values for the parameters in the INI file, keeping in mind that ip0 is the Internet-facing NIC, and ip1 is the internally facing NIC:

1. For ipMode, enter STATICV4.
2. For defaultGateway, enter the IP address, such as 192.168.110.1.
3. For dns, enter the IP address, such as 192.168.110.10.
4. For ip0, enter the IP address, such as 192.168.110.20.
   Important: ip0 is the Internet-facing NIC.
5. For ip1, enter the IP address, such as 172.16.0.20.
   Important: ip1 is the internally-facing NIC.

1. For netmask0 and netmask1, enter the netmask related to the ip0 and ip1, such as 255.255.255.0.
2. For netInternet, enter the name of the vSphere Network for the UAG primary network, such as  DMZ_VM_DPortGroup.
3. For netManagementNetwork and netBackendNetwork, enter the name of the vSphere Network for the UAG backend network, such as Internal_VM_DPortGroup.

Continue to the Horizon section configuration, and set the following additional values for the parameters in the INI file, keeping in mind that the following parameters enable access through the tunnel, Blast, and PCoIP protocols. For this tutorial, we will only use the Blast protocol for testing.

Under the Horizon section configure the following fields:

The first will be used by the Horizon client to communicate with Unified Access Gateway and authenticate the user.

1. For proxyDestinationUrl, enter the URL for the Connection Server or internal load balancer to which Unified Access Gateway directs traffic, such as https://s1horizon.vmweuc.com.

The following settings are used by the Horizon client when the user launches an application or desktop, based on the respective protocol.

2. For tunnelDestinationUrl, enter the URL used by Horizon clients to establish the Horizon Tunnel session to this Unified Access Gateway appliance, such as https://horizon.vmweuc.com:443.

3. For blastExternalUrl, enter the URL used by Horizon clients to establish the Horizon Blast or BEAT session to this Unified Access Gateway appliance, such as https://horizon.vmweuc.com. If the TCP port number is not specified, the default TCP port is 8443. If the UDP port number is not specified, the default UDP port is also 8443.

4. For pcoipExternalUrl, enter the IP used by Horizon clients to establish the Horizon PCoIP session to this Unified Access Gateway appliance, such as 66.170.97.71:4172. It must contain an IPv4 address and not a host name.

Note: If the Connection Server (proxyDestinationUrl) uses a self-signed certificate, you must add the proxyDestinationUrlThumbprints parameter to the INI, and inform the Thumbprints for the certificate used by the connection server, otherwise the Horizon Client cannot establish a connection with Unified Access Gateway.

proxyDestinationUrlThumbprints=sha1=84 a7 37 84 d5 90 b6 a8 a9 a7 02 26 44 a8 10 bb 50 2f ec b8

In case the Connection Server uses a certificated signed by a trusted authority, the proxyDestinationUrlThumbprints parameter is not required.

TLS/SSL is required for client connections to Unified Access Gateway appliances. Client-facing Unified Access Gateway appliances and intermediate servers that terminate TLS/SSL connections require TLS/SSL server certificates.

TLS/SSL server certificates are signed by a Certificate Authority (CA). A CA is a trusted entity that guarantees the identity of the certificate and its creator. When a certificate is signed by a trusted CA, users no longer receive messages asking them to verify the certificate, and thin client devices can connect without requiring additional configuration.

TLS/SSL server certificates can be imported and assigned to the Admin interface and Internet Interface using the administration console. In case you do not import the certificates during deployment, a self-signed TLS/SSL server certificate is generated. For production environments, VMware recommends that you replace the default certificate as soon as possible or configure a trusted certificate during the deployment. The default certificate is not signed by a trusted CA. Use the default certificate only in a non- production environment.

To configure the TLS/SSL certificates use the SSLCert and SSLCertAdmin sections on the INI file, you can use PEM or PFX certificate types for this configuration.

The certificate assigned to the Internet interface applies only to Horizon and Web Reverse Proxy Edge Service. The certificates for the Content Gateway, VMware Tunnel, and Secure Email Gateway Edge Services must be configured through the Workspace ONE UEM Console.

For PFX certificates, use the pfxCerts setting, when using PEM certificate use the pemPrivKey and pemCerts settings.

For this example, we use PFX certificate.

1. For pfxCerts under SSLCert, enter C:\AW Tools\airwlab.com.pfx (this certificate is for the Internet interface).
2. For pfxCerts under SSLCertAdmin, enter C:\AW Tools\airwlab.com.pfx (this certificate is for the administration interface).

Note: The certificate password may get requested during the deployment.

Certificates that you import into the Unified Access Gateway appliance must be trusted by client machines and must also be applicable to all instances of Unified Access Gateway and any load balancer, either by using wildcards or by using Subject Alternative Name (SAN) certificates.

Click the PowerShell icon located on the Windows task bar.

After you run the uagdeploy.ps1 script, it prompts for input.

1. When prompted, enter the information requested, such as in the following example:
   .\uagdeploy.ps1 .\uag-2NIC VMware1! VMware1! false false no
   • The first VMware1! is the root password for the Unified Access Gateway appliance.
   • The second VMware1! is the admin password for the REST API management access.
   • The first false is to NOT skip the validation of signature and certificate.
   • The second false is to NOT skip SSL verification for the vSphere connection.
   • The no is to not join the VMware CEIP program.
2. When prompted, enter the password for the SSLcert and SSLcertAdmin fields.

To avoid a password request for the certificate, you must provide a certificate without a password.

The deployment starts and you can follow the progress on the same window or on your vSphere Web Client, which you opened at the beginning of this tutorial.

Note: To make sure that the script execution is not restricted, enter the PowerShell set-executionpolicy command.

set-executionpolicy -scope currentuser unrestricted

You must do this only once to remove the restriction.

• (Optional) If there is a warning for the script, run the following command to unblock the warning: unblock-file -path .\uagdeploy.ps1

After successfully finalizing the deployment, the script automatically powers on the VM UAG-2. 

The Received IP address presented by the script log is a temporary IP. The final IPs for NIC 1 and NIC2 are assigned to the Unified Access Gateway appliance during the first start. You can return to the vSphere Web Client to validate that as described in the next step.

Return to the vSphere Client to validate the deployment.

1. Click VM and Templates.
2. Click UAG-2.
3. Click View all 2 IP addresses.

Important: If the Unified Access Gateway appliance does not finalize the configuration during the first startup, you receive an error message from vSphere Web Client. If that happens, wait for the appliance to finalize, and refresh the entire Google Chrome browser.

1. Click the New Tab button to open a new tab.
2. Browse to the Unified Access Gateway Administration Console using the URL, such as  https://uagmgt-int.airwlab.com:9443/admin or by clicking a bookmark if you created one.
3. Enter the username, such as admin in this example.
4. Enter the password created for the Admin API in the Deploy OVF Wizard.
5. Click Login.

A successful login redirects you to the initial window where you can import settings or manually configure the Unified Access Gateway appliance.

Click Select under Configure Manually.

1. Click the Show toggle next to Edge Service Settings. After you click, it switches to display the Hide option.
2. Click the Arrow on Horizon Settings to show the status of the communication between the appliance and Horizon.
3. Click the gear icon next to Horizon Settings.

All items should be GREEN, representing that the appliance can communicate with the Horizon Connection Server through the multiple protocols configured. Items not fully functional are presented in RED.

The configuration defined in the INI file is presented and can be updated any time through the Horizon settings.

Click Cancel to close the settings.

1. Launch Horizon Client.
2. Click Add Server.
3. Enter the Unified Access Gateway or load balancer FQDN.
4. Click Connect.

After you configure the Connection Server instance to connect to Unified Access Gateway, the Horizon Client will require user credentials to perform the authentication. This is known as XML-API connection and is responsible for authentication, authorization, and session management.

1. Enter the User name.
2. Enter the Password.
3. Select the Domain.
4. Click Login.

Note: In case the login fails because of an SSL certificate error and the Connection Server used a self-signed certificate, return to the Unified Access Gateway Admin UI and under the Horizon Edge Service settings, ensure the Connection Server thumbprint matches the one used by the Connection Server certificate.

A successful connection will present the desktops and applications entitled to logged-in users. In this exercise, you can see one virtual desktop (Win10 1803) and four other virtual applications (Calculator, Notepad, Paint, WordPad).

1. Right-click the desktop or one of the applications.
2. Ensure that VMware Blast (default) is selected.
3. Click Launch.

When you launch the desktop or applications, Horizon client opens a secondary connection through Unified Access Gateway based on the display protocol selected. The secondary Horizon protocols must be routed to the same Unified Access Gateway appliance to which the primary Horizon XML-API protocol was routed. This allows the Unified Access Gateway to authorize the secondary protocols based on the authenticated user session.

Confirm that you have successfully launched the virtual resource.

1. Click Options.
2. Click Disconnect and Log Off.

The following diagram demonstrates the flow for the primary (XML-API) and secondary protocols used in this section. These protocols were invoked in exercises 2 and 3; when you authenticated through the Horizon Client and launched the virtual desktop or application.