Providing Secure Access to VMware Horizon 7 and Workspace ONE Access with the VMware Unified Access Gateway
The VMware Unified Access Gateway™ is a platform that provides secure edge services and access to defined resources that reside in the internal network. This allows authorized, external users to access internally located resources in a secure manner.
The VMware Unified Access Gateway can be used for multiple use cases, including:
- Remote access to VMware Horizon® 7 desktops and applications
- Reverse proxying of web servers such as VMware Workspace ONE® Access™ (formerly VMware Identity Manager)
- Access to on-premises legacy applications that use Kerberos or header-based authentication with identity bridging from SAML or certificates
- Working with Workspace ONE® UEM to allow mobile applications secure access to internal services through VMware Tunnel
- Allowing Mobile Content Management access to internal file shares or SharePoint repositories by running the VMware Content Gateway service
A Unified Access Gateway appliance typically resides within a network demilitarized zone (DMZ) and acts as a proxy host for connections inside your organization's trusted network. This design provides an additional layer of security by shielding the internal resources such as Workspace ONE Access, virtual desktops, application hosts, and servers from the public-facing Internet.
This article describes how to deploy a single Unified Access Gateway to proxy VMware Horizon 7 traffic and to also reverse-proxy Workspace ONE Access web traffic.
For Horizon 7, Unified Access Gateway provides very similar functionality to the View security server but does not need one-to-one pairing with a View Connection Server. Unified Access Gateway is also capable of proxying sessions to other VMware products and providing more advanced security options, including authentication in the DMZ. If you are running View security servers, take the time to look at replacing them with Unified Access Gateway appliances.
In larger-scale environments, you may still want to have separate Unified Access Gateway appliances for certain edge use cases, to provide scale and operational separation. But in mid-sized to smaller environments, where the load on Unified Access Gateway is not substantial, combining workloads on one set of Unified Access Gateway appliances is convenient.
Following are two ways to deploy and configure a Unified Access Gateway:
This section walks through using the PowerShell method with the script and the sample INI settings files provided. Do not be put off by the fact that this method uses PowerShell. You will be running a single command that calls an INI file that contains all of your settings. You do not need to know PowerShell.
First, download the latest version of the Unified Access Gateway OVA file and the PowerShell script with its accompanying sample INI settings files.
- From the Downloads page for Unified Access Gateway, download the appliance OVA file.
- Download the latest version of the PowerShell Scripts ZIP file and extract the contents. (At time of writing, this is uagdeploy-22.214.171.124-pspscripts.zip.)
- Additionally, visit the community page Using PowerShell to Deploy VMware Unified Access Gateway for additional detail on the process and information about the settings.
From the downloaded ZIP file, use the sample INI settings files to create your own settings file.
- Make a copy of the uag10-vidm.ini file and edit it.
- As with any deployment, go through and enter your information as required for the General and SSLCert sections.
Leave all other lines as they are. In the following example, spaces and comment lines have been removed to conserve space.
Depending on your network topology, you may need to use a twonic or threenic deployment. Uncomment the lines for your choice and add the required networking information as necessary.
SSL certificates can also be provided in PEM format. If you use PEM format, comment out the pfxCerts line, uncomment the two pemCerts lines that follow it, and complete them.
- Complete the WebReverseProxy section to configure access to Workspace ONE Access.
The only line you need to change here is the proxyDestinationURL line. Do not change the proxyPattern lines.
In the example above, workspace.domain.com is the internal address of the Workspace ONE Access appliance (or the internal load balancer address if you have more than one Workspace ONE Access appliance).
- Next, add a Horizon section by copying that section from the uag2-advanced.ini file and pasting it at the end of your first file (your copy of uag10-vidm.ini), on a new line after the authCookie line.
- Complete the Horizon section by entering the values relevant to your environment.
In the example above:
- view.domain.com is the internal address of the Connection Server (or the internal load balancer address if you have more than one Connection Server).
- horizon.domain.com is the external address used for Horizon 7 connections.
- 126.96.36.199 is the external IP address for horizon.domain.com.
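Putting the steps above together, the following is a constructed settings file (an added example, not the sample file shipped with the scripts): a copy of uag10-vidm.ini with the [Horizon] section from uag2-advanced.ini appended. Hostnames and the external IP are the placeholders used in this article; datastore, network and file path values are assumptions; key names follow the uagdeploy sample files, and the lines that the text says to leave alone are only indicated, not reproduced.

```ini
# Constructed example settings file, not the sample shipped with uagdeploy:
# a copy of uag10-vidm.ini with the [Horizon] section from uag2-advanced.ini
# appended. Hostnames, addresses and paths are placeholders.
[General]
name=UAG1
# OVA from the Unified Access Gateway downloads page (path is a placeholder)
source=C:\UAG\euc-unified-access-gateway.ova
# vCenter target; the password is omitted and prompted for by uagdeploy.ps1
target=vi://administrator@vsphere.local@vcenter.domain.com/Datacenter/host/Cluster1
ds=Datastore1
# onenic keeps the example short; for a twonic or threenic DMZ, uncomment
# the matching lines from the sample file and fill in each network instead
deploymentOption=onenic
netInternet=DMZ-Network
netManagementNetwork=DMZ-Network
netBackendNetwork=DMZ-Network
ip0=192.0.2.10
netmask0=255.255.255.0
defaultGateway=192.0.2.1
dns=192.0.2.53

[SSLCert]
# One certificate covering both horizon.domain.com and workspace.domain.com
pfxCerts=C:\UAG\uag-external.pfx
# PEM alternative: comment out pfxCerts and uncomment these two lines instead
#pemCerts=C:\UAG\uag-external.pem
#pemPrivKey=C:\UAG\uag-external-key.pem

[WebReverseProxy1]
instanceId=WorkspaceONEAccess
# The only line to change: the internal Workspace ONE Access appliance
# (or the internal load balancer in front of several appliances)
proxyDestinationUrl=https://workspace.domain.com
# proxyPattern, unSecurePattern and authCookie stay exactly as in uag10-vidm.ini
proxyPattern=(/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*))
authCookie=HZN

[Horizon]
# Internal Connection Server (or the internal load balancer in front of several)
proxyDestinationUrl=https://view.domain.com
# External FQDN and IP that Horizon Clients reach for tunnel, Blast and PCoIP
tunnelExternalUrl=https://horizon.domain.com:443
blastExternalUrl=https://horizon.domain.com:443
pcoipExternalUrl=126.96.36.199:4172
```

Because the reverse proxy section has no proxyHostPattern, requests to the root URL of either FQDN land on Workspace ONE Access, which is the behavior described later under Horizon HTML Access.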
Now you are ready to deploy the Unified Access Gateway appliance.
- Open a PowerShell prompt and change to the directory where the scripts are located.
- Run ./uagdeploy.ps1 ./<filename>.ini, follow the prompts, and enter the passwords.
- After the process is complete, wait a few minutes for the Unified Access Gateway appliance to boot completely.
You can monitor this process in VMware vCenter Server to see when the assigned IP address is reported on the Summary page for the VM.
If you have completed all the settings in the INI file correctly, and your certificates are in order, you will have a fully operational Unified Access Gateway that proxies connections to both your Horizon Connection Server and the Workspace ONE Access appliance. You can also log on to the administrative console at https://<FQDN or IP address of UAG>:9443/admin to confirm the settings and change them if required.
Horizon HTML Access
One slight nuance of this combined deployment model, where a single Unified Access Gateway appliance is used for both Workspace ONE Access and Horizon 7, is that direct, external web access to the Horizon 7 HTML login page is not possible using the root URL.
In this example, you have two FQDNs:
- horizon.domain.com for your Connection Servers
- workspace.domain.com for your Workspace ONE Access appliances
If the user enters either https://horizon.domain.com or https://workspace.domain.com, the user always gets directed to the Workspace ONE Access login page.
This should not be a concern, as you want your primary external web entry point for users to be through Workspace ONE Access. From there, a user can always connect to a Horizon 7 desktop or application using HTML Access or the Horizon Client. Users can also reach the Horizon 7 HTML login page directly by appending /portal to the URL, for example https://horizon.domain.com/portal.
External access using the Horizon Client is unaffected by this behavior and routes as normal to the Connection Server and the Horizon Agent in the virtual desktop or published application.
Of course, this configuration of Unified Access Gateway works with multiple components (Unified Access Gateway appliances, Connection Servers, Workspace ONE Access appliances) and load balancers. To understand how to deploy multiple components with load balancers, see the VMware Workspace ONE and VMware Horizon Reference Architecture.
You can create PowerShell scripts that quickly deploy the appliance and provide secure edge services for multiple use cases, including Horizon Connection Server, Workspace ONE Access, VMware Workspace ONE UEM components such as the Content Gateway and VMware Tunnel, and identity bridging. Try the deployment instructions in this article and use this as an opportunity to make the move to Unified Access Gateway. You can also mix and match the deployment approaches and use the administrative UI on a running Unified Access Gateway appliance to modify or add edge services.
Learn more about use cases and deploying Unified Access Gateway by following the activity path on Tech Zone: https://techzone.vmware.com/mastering-unified-access-gateway.