This blog was created as a point-in-time reference. For the latest information, read the Configuring Horizon Edge Service in VMware Unified Access Gateway operational tutorial.
The VMware Unified Access Gateway (formerly called Access Point) is a platform that provides secure edge services and access to defined resources that reside in the internal network. This allows authorized, external users to access internally located resources in a secure manner.
This blog and the accompanying videos give an overview of the Unified Access Gateway. We also cover deployment requirements, options and demonstrations of the two deployment methods. Lastly, we include information on scaling, upgrades, authentication options, logs and troubleshooting.
Supported Use Cases
The Unified Access Gateway can be used for multiple use cases, including:
- Remote access to VMware Horizon 7 desktops and applications
- Reverse proxying of web servers
- Access to on-premises legacy applications that use Kerberos or header-based authentication with identity bridging from SAML or certificates
- Provision of VMware AirWatch or VMware Workspace ONE Per-App Tunnels and Tunnel Proxy to allow mobile applications secure access to internal services
- Running the VMware Content Gateway service to allow VMware Content Locker access to internal file shares or Microsoft SharePoint repositories
These use cases can be mixed to run multiple services on the same Unified Access Gateway instance or separated out on multiple Unified Access Gateway instances, depending on the desired architecture and the scale of the environment.
Secure Deployments
Unified Access Gateway is usually deployed in the DMZ, runs on a hardened version of SUSE Linux Enterprise Server 12 and is currently undergoing FIPS and Common Criteria certification. It is intended as a replacement for older gateway solutions, such as the Horizon security server, the AirWatch Tunnel and the standalone Content Gateway.
To enhance security options, Unified Access Gateway provides many integration options for authentication, including smart card, certificates, SAML pass-through, RADIUS and RSA SecurID. The Unified Access Gateway architecture keeps unauthenticated traffic in the DMZ. Traffic is allowed through to the internal network only after authentication has been successful.
Deploying VMware Unified Access Gateway
There are two ways to deploy and configure a Unified Access Gateway:
- vSphere OVF Template
- PowerShell Scripts
Deploying Unified Access Gateway With the vSphere OVF Template
The vSphere OVF template deployment method is a two-phase process. First, use the VMware vSphere Client to deploy the virtual machine using the OVF template option. Second, log in to the Unified Access Gateway administrator console on the deployed virtual machine to configure the Unified Access Gateway appliance and edge services.
https://<IP Address or FQDN>:9443/admin/
Deploying Unified Access Gateway With PowerShell
The PowerShell deployment method for Unified Access Gateway allows for the mastering of all settings into a single INI file, including the Unified Access Gateway appliance settings and the edge services. This means the Unified Access Gateway appliance is fully configured with certificates and edge services on first boot. This aids with repeat installations and upgrades, and expedites large deployments.
To deploy Unified Access Gateway with PowerShell, use the script and sample setting files provided in the community article, “Using PowerShell to Deploy VMware Unified Access Gateway.”
Download
First, get the latest files:
- Download and install the latest OVF tools from my.vmware.com.
- Download the latest Unified Access Gateway OVA file from my.vmware.com.
Configure
Next, configure the PowerShell script for your environment.
1. From “Using PowerShell to Deploy VMware Unified Access Gateway,” download the uagdeploy-310-v3.zip or later file and extract the contents.
2. Make a copy and edit one of the sample INI files (such as uag2-advanced.ini).
3. Enter your information as required for the General and SSLCert sections.
Leave all other lines as they are. In the following example, spaces and comment lines have been removed to conserve space.
[General]
name=uag1
source=C:\euc-unified-access-gateway-3.1.1.0-6797878_OVF10.ova
target=vi://administrator@vsphere.local:PASSWORD@192.168.1.12/Datacenter1/host/Cluster1/
ds=vsanDatastore
netInternet=DMZ
netManagementNetwork=DMZ
netBackendNetwork=DMZ
deploymentOption=onenic
ip0=192.168.1.36
dns=192.168.2.10 192.168.2.11
[SSLCert]
pfxCerts=sslcerts.pfx
4. Copy, paste and complete edge service sections from the sample INI files as required.
5. As an example, to add secure external access to Horizon 7 resources, retain or copy in the [Horizon] section of the uag2-advanced.ini file and paste it into your INI file at the end. Change the following to the relevant values for your environment.
[Horizon]
proxyDestinationUrl=https://view.domain.com
tunnelExternalUrl=https://horizon.domain.com:443
blastExternalUrl=https://horizon.domain.com:443
pcoipExternalUrl=88.100.100.100:4172
In the previous example:
- view.domain.com is the internal address of the Horizon Connection Server (or the internal load balancer address if you have more than one Connection Server).
- horizon.domain.com is the external address used for Horizon connections.
- 88.100.100.100 is the external IP address for horizon.domain.com.
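As an added pre-flight check (example code, not part of the blog or of the uagdeploy scripts), the following PowerShell reads an INI file like the one above and reports missing General or SSLCert keys, a missing OVA or PFX file, Horizon URLs that are not https, a pcoipExternalUrl that is not an IPv4:port pair, and a target URI that embeds the vCenter password in clear text. The function names and the list of checks are assumptions.

```powershell
function Read-UagIni {
    # Minimal INI reader: returns @{ section = @{ key = value } }, skipping blank and comment lines.
    param([Parameter(Mandatory)][string]$Path)
    $ini = @{}; $section = ''
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line -match '^[#;]') { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        if ($section -eq '' -or $line -notmatch '=') { continue }   # key outside any section, or malformed
        $name, $value = $line -split '=', 2
        $ini[$section][$name.Trim()] = $value.Trim()
    }
    return $ini
}
function Test-UagIni {
    # Pre-flight checks on [General], [SSLCert] and the optional [Horizon] section; returns a list of findings.
    param([Parameter(Mandatory)][string]$Path)
    $ini = Read-UagIni -Path $Path
    $dir = Split-Path -Parent (Resolve-Path -Path $Path)
    $findings = @()
    $required = [ordered]@{
        General = @('name','source','target','ds','netInternet','netManagementNetwork','netBackendNetwork','deploymentOption','ip0','dns')
        SSLCert = @('pfxCerts')
    }
    foreach ($sec in $required.Keys) {
        if (-not $ini.ContainsKey($sec)) { $findings += "Missing [$sec] section"; continue }
        foreach ($key in $required[$sec]) {
            if (-not $ini[$sec][$key]) { $findings += "[$sec] $key is not set" }
        }
    }
    if ($g = $ini['General']) {
        if ($g['source'] -and -not (Test-Path -Path $g['source'])) { $findings += "OVA not found: $($g['source'])" }
        if ($g['ip0'] -and $g['ip0'] -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { $findings += "ip0 is not an IPv4 address" }
        # vi://user:password@host embeds the vCenter password in clear text, so the INI must be handled as a secret
        if ($g['target'] -match '^vi://[^/@]+:[^/@]+@') { $findings += "target embeds a password; restrict access to this file" }
    }
    if ($ini['SSLCert'] -and ($pfx = $ini['SSLCert']['pfxCerts'])) {
        if (-not [System.IO.Path]::IsPathRooted($pfx)) { $pfx = Join-Path -Path $dir -ChildPath $pfx }   # relative to the INI
        if (-not (Test-Path -Path $pfx)) { $findings += "PFX not found: $pfx" }
    }
    if ($h = $ini['Horizon']) {
        foreach ($key in 'proxyDestinationUrl','tunnelExternalUrl','blastExternalUrl') {
            if ($h[$key] -notmatch '^https://') { $findings += "[Horizon] $key must be an https:// URL" }
        }
        # pcoipExternalUrl is an IP:port pair (4172 in the blog's example), not a URL
        if ($h['pcoipExternalUrl'] -notmatch '^\d{1,3}(\.\d{1,3}){3}:\d+$') { $findings += "[Horizon] pcoipExternalUrl must be IPv4:port" }
    }
    return $findings
}
```

Run `Test-UagIni -Path .\uag1.ini` from the directory that holds the INI file; an empty result means the checks passed, and a non-empty one lists what to fix before running uagdeploy.ps1.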
Deploy
Now you are ready to deploy the Unified Access Gateway appliance.
- Open a PowerShell prompt and change to the directory where the scripts and your INI file are located.
- Be sure to use the uagdeploy.ps1, uagdeploy.psm1 and uagdeployhv.ps1 supplied with the uagdeploy-310-v3.zip file or later.
- Make sure that script execution is unrestricted for the current user. You can do this by running the command:
- set-executionpolicy -scope currentuser unrestricted
- You only need to run this once, and only if it is currently restricted.
- If you get a warning about running this script, you can unblock that warning by running the command:
- unblock-file -path .\uagdeploy.ps1
- Run .\uagdeploy.ps1 .\<filename>.ini and follow the prompts, entering the passwords.
- You can optionally specify the admin and root passwords as parameters, which will prevent you from being prompted for them.
- After the process is complete, wait a few minutes for the Unified Access Gateway appliance to boot completely.
You can monitor this process in the vSphere Client to see when the assigned IP address is reported on the summary page for the VM. If you have all the settings in the INI file completed correctly, and your certificates are in order, you will have a fully operational Unified Access Gateway that will proxy connections to your Horizon Connection Servers.
Log in to the Unified Access Gateway administrator console to check the configuration and service statuses and to add or change the configuration. If you change any settings, such as adding a new edge service, remember to export the settings and update your INI file to reflect your changes.
Scaling Unified Access Gateway
With a configured Unified Access Gateway, you can export the settings and use those to quickly deploy and configure new appliances. With a load balancer situated in front of the Unified Access Gateway instances, you can scale up and down the number of appliances quickly.
Upgrading Unified Access Gateway
With the exported settings in JSON format, or your INI file if you used the PowerShell method, you can upgrade your Unified Access Gateway appliances to a newer version. The appliance itself is treated as disposable and gets powered off and deleted, then replaced with an appliance with the same configuration. An option in the administrator console allows you to put a Unified Access Gateway appliance into quiesce mode during these types of operations to stop the load balancer from sending traffic to it.
Authentication Methods
You can configure the Unified Access Gateway service to integrate with authentication services. This allows the Unified Access Gateway to perform certificate, smart card, RSA SecurID, RADIUS and RSA Adaptive Authentication. This also allows unauthenticated traffic to be handled in the DMZ, permitting only authorized traffic through.
Summary
Use the Unified Access Gateway to design environments that need secure external access to your organization’s applications. Explore all the possible use cases, including enhancing your security by having the Unified Access Gateway handle authentication requests from the DMZ.
Learn more at Understanding Unified Access Gateway on VMware TechZone.