Providing Secure Access to VMware Horizon 7 and VMware Identity Manager with the VMware Unified Access Gateway
The VMware Unified Access Gateway is a platform that provides secure edge services and access to defined resources that reside in the internal network. This allows authorized, external users to access internally located resources in a secure manner.
The VMware Unified Access Gateway can be used for multiple use cases including
- Remote access to VMware Horizon 7 desktops and applications
- Reverse proxying of web servers such as VMware Identity Manager
- Access to on-premises legacy applications that use Kerberos or header-based authentication with identity bridging from SAML or certificates
- With Workspace ONE UEM, to allow mobile applications secure access to internal services through VMware Tunnel
- Allowing Mobile Content Management access to internal file shares or SharePoint repositories by running the VMware Content Gateway service
A Unified Access Gateway appliance typically resides within a network demilitarized zone (DMZ) and acts as a proxy host for connections inside your organization's trusted network. This design provides an additional layer of security by shielding the internal resources such as VMware Identity Manager, virtual desktops, application hosts, and servers from the public-facing Internet.
This article describes how to deploy a single Unified Access Gateway to proxy VMware Horizon 7 traffic and to also reverse-proxy VMware Identity Manager web traffic.
For Horizon 7, Unified Access Gateway provides functionality very similar to the View security server but does not need one-to-one pairing with a View Connection Server. Unified Access Gateway is also capable of proxying sessions to other VMware products and provides more advanced security options, including authentication in the DMZ. If you are running View security servers, take the time to look at replacing them with Unified Access Gateway appliances.
In larger-scale environments, you may still want to have separate Unified Access Gateway appliances for certain edge use cases, to provide scale and operational separation. But in mid-sized to smaller environments, where the load on Unified Access Gateway is not substantial, combining workloads on one set of Unified Access Gateway appliances is convenient.
Following are two ways to deploy and configure a Unified Access Gateway:
This section walks through using the PowerShell method with the script and the sample INI settings files provided. Do not be put off by the fact that this method uses PowerShell. You will be running a single command that calls an INI file that contains all of your settings. You do not need to know PowerShell.
First, download the latest version of the Unified Access Gateway OVA file and the PowerShell script with its accompanying sample INI settings files.
- From the Downloads page for Unified Access Gateway, download the appliance OVA file.
- Download the latest version of the PowerShell scripts ZIP file and extract the contents. (At the time of writing, this is uagdeploy-18.104.22.168-pspscripts.zip.)
- Additionally, visit the community page Using PowerShell to Deploy VMware Unified Access Gateway for additional detail on the process and information about the settings.
From the downloaded ZIP file, use the sample INI settings files to create your own settings file.
- Make a copy of the uag10-vidm.ini file and edit it.
- As with any deployment, go through and enter your information as required for the General and SSLCert sections.
Leave all other lines as they are. In the following example, spaces and comment lines have been removed to conserve space.
Depending on your network topology, you may need a two-NIC or three-NIC deployment (twonic or threenic). Uncomment the lines for your choice and add the required networking information.
SSL certificates can also be provided in PEM format. If you use PEM, comment out the pfxcerts line, uncomment the two pemCerts lines that follow it, and complete them.
- Complete the WebReverseProxy section to configure access to VMware Identity Manager.
The only line you need to change here is the proxyDestinationURL line. Do not change the proxyPattern lines.
In the example above, workspace.domain.com is the internal address of the VMware Identity Manager appliance (or the internal load balancer address if you have more than one VMware Identity Manager appliance).
- Next, add a Horizon section by copying that section from the uag2-advanced.ini file and pasting it at the end of your first file (your copy of uag10-vidm.ini), on a new line after the authCookie line.
- Complete the Horizon section and enter the following relevant values for your environment.
In the example above:
- view.domain.com is the internal address of the Connection Server (or the internal load balancer address if you have more than one Connection Server).
- horizon.domain.com is the external address used for Horizon 7 connections.
- 22.214.171.124 is the external IP address for horizon.domain.com.
Now you are ready to deploy the Unified Access Gateway appliance.
- Open a PowerShell prompt and change to the directory where the scripts are located.
- Run ./uagdeploy.ps1 ./<filename>.ini, follow the prompts, and enter the passwords.
- After the process is complete, wait a few minutes for the Unified Access Gateway appliance to boot completely.
You can monitor this process in VMware vCenter Server to see when the assigned IP address is reported on the Summary page for the VM.
If you have completed all the settings in the INI file correctly, and your certificates are in order, you will have a fully operational Unified Access Gateway that proxies connections to both your Horizon Connection Server and the VMware Identity Manager appliance. You can also log on to the administrative console at https://<FQDN or IP address of UAG>:9443/admin to confirm the settings and change them if required.
Horizon HTML Access
One slight nuance of this combined deployment model, where a single Unified Access Gateway appliance serves both VMware Identity Manager and Horizon 7, is that direct external web access to the Horizon 7 HTML Access login page is not possible using the root URL.
In this example, you have two FQDNs:
- horizon.domain.com for your Connection Servers
- workspace.domain.com for your VMware Identity Manager appliances
If the user enters either https://horizon.domain.com or https://workspace.domain.com, the user always gets directed to the VMware Identity Manager login page.
This should not be a concern, as you want your primary external Web entry point for users to be through VMware Identity Manager. From there, a user can always connect to a Horizon 7 desktop or application using HTML Access or the Horizon Client. Users can also access the Horizon 7 HTML login page by appending /portal to the URL, for example:
External access using the Horizon Client is unaffected by this behavior and routes as normal to the Connection Server and the Horizon Agent in the virtual desktop or published application.
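The INI-editing steps above say which settings to change and which to leave as shipped, and the HTML Access section explains why the root URL lands on VMware Identity Manager. The following Python script, added here as an example and not part of the article or of VMware's uagdeploy scripts, encodes both as checks you can run before deploying: it compares your edited INI against the shipped sample so that the proxyPattern, unSecurePattern, instanceId and authCookie lines are provably unchanged, verifies the certificate and Horizon settings, and evaluates the proxyPattern against request paths to show why / goes to VMware Identity Manager and /portal goes to Horizon. Assumptions: the section and key names are as this example's author recalls them from the sample INI files (confirm against your own copies), the embedded INI text is constructed with placeholder hosts, IPs and thumbprint, and UAG is taken to full-match proxyPattern against the request path.

```python
"""Pre-flight checks for a uagdeploy INI file, run before uagdeploy.ps1.
Section and key names follow the sample INI files in the uagdeploy ZIP as
this example's author recalls them; confirm against your own copies."""
import configparser
import re
from urllib.parse import urlparse

# Constructed stand-in for uag10-vidm.ini (comments stripped, placeholder
# hosts and IPs; the real unSecurePattern is far longer).
SAMPLE_INI = r"""
[General]
name=UAG10
source=C:\temp\euc-unified-access-gateway.ova
target=vi://administrator@vsphere.local:PASSWORD@192.0.2.21/DC1/host/esx1
ds=Local Disk 1
netInternet=VM Network
deploymentOption=onenic
ip0=192.0.2.41
[SSLCert]
pfxCerts=uag10.pfx
[WebReverseProxy1]
proxyDestinationUrl=https://workspace.myco.int
proxyPattern=(/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*))
instanceId=vidm
unSecurePattern=(/catalog-portal(.*)|/|/SAAS/|/SAAS|/SAAS/auth/login(.*))
loginRedirectURL=/SAAS/auth/login?dest=%s
authCookie=HZN
"""

# Constructed copy edited as the article describes: only the vIDM destination
# changed in WebReverseProxy1, and a Horizon section appended after authCookie.
USER_INI = SAMPLE_INI.replace("workspace.myco.int", "workspace.domain.com") + r"""
[Horizon]
proxyDestinationUrl=https://view.domain.com
proxyDestinationUrlThumbprints=sha1=PLACEHOLDER_THUMBPRINT
tunnelExternalUrl=https://horizon.domain.com:443
blastExternalUrl=https://horizon.domain.com:443
pcoipExternalUrl=203.0.113.10:4172
"""

WRP = "WebReverseProxy1"
UNTOUCHED = ("proxyPattern", "unSecurePattern", "instanceId", "authCookie")  # leave as shipped
NIC_OPTIONS = ("onenic", "twonic", "threenic")


def load_ini(text):
    # interpolation=None: loginRedirectURL holds a literal "%s". Option names
    # are case-folded, so pfxcerts and pfxCerts name the same setting.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def is_https_url(value):
    parts = urlparse(value)
    return parts.scheme == "https" and bool(parts.hostname)


def _require(cfg, section, keys, problems):
    """Record a missing section or keys; True if the section exists."""
    if not cfg.has_section(section):
        problems.append(f"[{section}] section missing")
        return False
    problems.extend(f"[{section}] {k} missing" for k in keys if k not in cfg[section])
    return True


def preflight(user, sample):
    """Return a list of problems; empty means the INI is ready to deploy."""
    problems = []
    if _require(user, "General", ("name", "source", "target", "ds", "netInternet"), problems):
        opt = user["General"].get("deploymentOption", "")
        if opt not in NIC_OPTIONS:
            problems.append(f"[General] deploymentOption must be one of {NIC_OPTIONS}, got {opt!r}")
    if _require(user, "SSLCert", (), problems):
        has_pfx = "pfxCerts" in user["SSLCert"]
        has_pem = "pemCerts" in user["SSLCert"] and "pemPrivKey" in user["SSLCert"]
        if has_pfx == has_pem:  # both set, or neither
            problems.append("[SSLCert] use pfxCerts, or pemCerts plus pemPrivKey, not both")
    if _require(user, WRP, ("proxyDestinationUrl",) + UNTOUCHED, problems):
        dest = user[WRP].get("proxyDestinationUrl", "")
        if not is_https_url(dest) or dest == sample[WRP].get("proxyDestinationUrl"):
            problems.append(f"[{WRP}] proxyDestinationUrl must be your internal vIDM URL, got {dest!r}")
        problems.extend(f"[{WRP}] {k} differs from the sample; leave it unchanged"
                        for k in UNTOUCHED if user[WRP].get(k) != sample[WRP].get(k))
    if _require(user, "Horizon", ("proxyDestinationUrl", "tunnelExternalUrl",
                                  "blastExternalUrl", "pcoipExternalUrl"), problems):
        hz = user["Horizon"]
        if not is_https_url(hz.get("proxyDestinationUrl", "")):
            problems.append("[Horizon] proxyDestinationUrl must be the Connection Server https URL")
        hosts = {urlparse(hz.get(k, "")).hostname for k in ("tunnelExternalUrl", "blastExternalUrl")}
        if len(hosts) != 1 or None in hosts:
            problems.append("[Horizon] tunnelExternalUrl and blastExternalUrl must share one external FQDN")
        # PCoIP clients connect to an IP address, not a name; 4172 is the PCoIP port.
        if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}:\d+", hz.get("pcoipExternalUrl", "")):
            problems.append("[Horizon] pcoipExternalUrl must be <external IP>:4172")
        if "proxyDestinationUrlThumbprints" not in hz:
            problems.append("[Horizon] no proxyDestinationUrlThumbprints; UAG must then trust the Connection Server cert")
    return problems


def routes_to(cfg, path):
    """Edge service that answers a request path, assuming UAG full-matches
    proxyPattern (this example's assumption): '/' matches the vIDM pattern,
    '/portal' does not, so the root URL shows the vIDM login page."""
    return WRP if re.fullmatch(cfg[WRP]["proxyPattern"], path) else "Horizon"


if __name__ == "__main__":
    user, sample = load_ini(USER_INI), load_ini(SAMPLE_INI)
    print("\n".join(preflight(user, sample)) or "INI looks ready to deploy")
    for path in ("/", "/SAAS/auth/login", "/portal", "/portal/webclient/index.html"):
        print(f"{path:30} -> {routes_to(user, path)}")
```

To use it against real files, replace the embedded strings with the contents of your edited INI and the shipped uag10-vidm.ini. Comparing against the shipped sample, rather than against a hard-coded pattern, means the check still holds when a newer ZIP ships a different proxyPattern.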
Of course, this configuration of Unified Access Gateway works with multiple components (Unified Access Gateway appliances, Connection Servers, VMware Identity Manager appliances) and load balancers. To understand how to deploy multiple components with load balancers, see the Horizon 7 Enterprise Edition Reference Architecture.
You can create PowerShell scripts that quickly deploy the appliance and provide secure edge services for multiple use cases, including Horizon Connection Server, VMware Identity Manager, VMware Workspace ONE UEM components such as the Content Gateway and VMware Tunnel, and identity bridging. Try the deployment instructions in this article and use this as an opportunity to make the move to Unified Access Gateway. You can also mix and match the deployment approaches and use the administrative UI on a running Unified Access Gateway appliance to modify or add edge services.
Learn more about use cases and deploying Unified Access Gateway by following the activity path on Tech Zone: https://techzone.vmware.com/understanding-unified-access-gateway