Secure Remote Access with VMware Unified Access Gateway | Omnissa (2024)

This blog was created as a point-in-time reference. For the latest information, read the Configuring Horizon Edge Service in VMware Unified Access Gateway operational tutorial.

The VMware Unified Access Gateway (formerly called Access Point) is a platform that provides secure edge services and access to defined resources that reside in the internal network. This allows authorized, external users to access internally located resources in a secure manner.

This blog and the accompanying videos give an overview of the Unified Access Gateway. We also cover deployment requirements, options and demonstrations of the two deployment methods. Lastly, we include information on scaling, upgrades, authentication options, logs and troubleshooting.

Supported Use Cases

The Unified Access Gateway can be used for multiple use cases, including:

  • Remote access to VMware Horizon 7 desktops and applications
  • Reverse proxying of web servers
  • Access to on-premises legacy applications that use Kerberos or header-based authentication, with identity bridging from SAML or certificates
  • Provision of VMware AirWatch or VMware Workspace ONE Per-App Tunnels and Tunnel Proxy to allow mobile applications secure access to internal services
  • Running the VMware Content Gateway service to allow VMware Content Locker access to internal file shares or Microsoft SharePoint repositories

These use cases can be mixed to run multiple services on the same Unified Access Gateway instance or separated out on multiple Unified Access Gateway instances, depending on the desired architecture and the scale of the environment.

Secure Deployments

Unified Access Gateway is usually deployed in the DMZ, runs on a hardened version of SUSE Linux Enterprise Server 12 and is currently undergoing FIPS and Common Criteria certification. It is intended as a replacement for older gateway solutions, such as the Horizon Security Server, the AirWatch Tunnel and the standalone Content Gateway.

To enhance security options, Unified Access Gateway provides many integration options for authentication, including smart card, certificates, SAML pass-through, RADIUS and RSA SecurID. The Unified Access Gateway architecture keeps unauthenticated traffic in the DMZ. Traffic is allowed through to the internal network only after authentication has been successful.


Deploying VMware Unified Access Gateway

There are two ways to deploy and configure a Unified Access Gateway:

  • vSphere OVF Template
  • PowerShell Scripts

Deploying Unified Access Gateway With the vSphere OVF Template

The vSphere OVF template deployment method is a two-phase process. First, use the VMware vSphere Client to deploy the virtual machine using the OVF template option. Second, log in to the Unified Access Gateway administrator console on the deployed virtual machine to configure the Unified Access Gateway appliance and edge services. The console listens on port 9443 and should be reachable only from the management network, never from the Internet-facing side:

https://<IP Address or FQDN>:9443/admin/


Deploying Unified Access Gateway With PowerShell

The PowerShell deployment method for Unified Access Gateway allows for the mastering of all settings into a single INI file, including the Unified Access Gateway appliance settings and the edge services. This means the Unified Access Gateway appliance is fully configured with certificates and edge services on first boot. This aids with repeat installations and upgrades, and expedites large deployments.


To deploy Unified Access Gateway with PowerShell, use the script and sample setting files provided in the community article, “Using PowerShell to Deploy VMware Unified Access Gateway.”

Download

First, get the latest files:

  • Download and install the latest OVF tools from my.vmware.com.
  • Download the latest Unified Access Gateway OVA file from my.vmware.com.
Configure

Next, configure the PowerShell script for your environment.

1. From “Using PowerShell to Deploy VMware Unified Access Gateway,” download the uagdeploy-310-v3.zip or later file and extract the contents.

2. Make a copy of one of the sample INI files (such as uag2-advanced.ini) and edit it.

3. Enter your information as required for the General and SSLCert sections.

Leave all other lines as they are. In the following example, spaces and comment lines have been removed to conserve space:

[General]
name=uag1
source=C:\euc-unified-access-gateway-3.1.1.0-6797878_OVF10.ova
target=vi://administrator@vsphere.local:PASSWORD@192.168.1.12/Datacenter1/host/Cluster1/
ds=vsanDatastore
netInternet=DMZ
netManagementNetwork=DMZ
netBackendNetwork=DMZ
deploymentOption=onenic
ip0=192.168.1.36
dns=192.168.2.10 192.168.2.11
[SSLCert]
pfxCerts=sslcerts.pfx

Keep the literal PASSWORD in the target value: the script prompts for the vCenter password at run time, so it is never stored in the INI file. This sample is a single-NIC (onenic) deployment with all three networks on the DMZ port group; the twonic and threenic deployment options place management and backend traffic on separate networks.

4. Copy, paste and complete edge service sections from the sample INI files as required.

5. As an example, to add secure external access to Horizon 7 resources, retain or copy the [Horizon] section of the uag2-advanced.ini file and paste it at the end of your INI file. Change the following to the relevant values for your environment:

[Horizon]
proxyDestinationUrl=https://view.domain.com
tunnelExternalUrl=https://horizon.domain.com:443
blastExternalUrl=https://horizon.domain.com:443
pcoipExternalUrl=88.100.100.100:4172

In the previous example:

  • view.domain.com is the internal address of the Horizon Connection Server (or the internal load balancer address if you have more than one Connection Server).
  • horizon.domain.com is the external address used for Horizon connections; the certificate in sslcerts.pfx must be issued for this name.
  • 88.100.100.100 is the external IP address for horizon.domain.com. PCoIP clients connect by IP address on TCP/UDP 4172, so this value is an address, not a name.
Deploy

Now you are ready to deploy the Unified Access Gateway appliance.

  1. Open a PowerShell prompt and change to the directory where the scripts and your INI file are located.
    • Be sure to use the uagdeploy.ps1, uagdeploy.psm1 and uagdeployhv.ps1 supplied with the uagdeploy-310-v3.zip file or later.
  2. Make sure that the execution policy lets the scripts run for the current user. You can do this by running the command:
    • set-executionpolicy -scope currentuser unrestricted
    • You only need to run this once, and only if it is currently restricted. RemoteSigned is sufficient for these scripts once they have been unblocked (next step) and is the narrower choice; Unrestricted lets any downloaded script run.
  3. If you get a warning about running this script, you can unblock that warning by running the command (repeat for uagdeploy.psm1 and uagdeployhv.ps1 if they also warn):
    • unblock-file -path .\uagdeploy.ps1
  4. Run .\uagdeploy.ps1 .\<filename>.ini and follow the prompts, entering the passwords.
    • You can optionally specify the admin and root passwords as parameters, which prevents you being prompted for them. Passwords passed on the command line end up in the PowerShell history and in any logging of the command line, so prefer the prompts for interactive use.
  5. After the process is complete, wait a few minutes for the Unified Access Gateway appliance to boot completely.

You can monitor this process in the vSphere Client to see when the assigned IP address is reported on the summary page for the VM. If you have all the settings in the INI file completed correctly, and your certificates are in order, you will have a fully operational Unified Access Gateway that will proxy connections to your Horizon Connection Servers.
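Most failed first boots trace back to the INI file: a typo in an external URL, a PFX that does not cover the external name, or a real password pasted into the target line. The following pre-flight check is an added example, not part of the original post or of the uagdeploy scripts. It assumes Windows PowerShell (the subjectAltName extension is read through AsnEncodedData.Format, whose text output is Windows-specific), an INI file using the [General], [SSLCert] and [Horizon] keys shown above, and uag1.ini and sslcerts.pfx as placeholders for your own files.

```powershell
# Added example: pre-flight validation of a uagdeploy INI file, run from the same
# PowerShell prompt as uagdeploy.ps1. Not part of the original post or the uagdeploy scripts.
# Assumptions: Windows PowerShell; INI keys as in the samples above; uag1.ini is a placeholder.

function Read-IniFile {
    param([Parameter(Mandatory)][string]$Path)
    # Minimal INI reader: section -> (key -> value). Comment lines start with # or ;.
    $ini = [ordered]@{}
    $section = ''
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#') -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $ini.Contains($section)) { $ini[$section] = [ordered]@{} }
            continue
        }
        $eq = $line.IndexOf('=')
        if ($eq -lt 1 -or $section -eq '') { continue }
        $ini[$section][$line.Substring(0, $eq).Trim()] = $line.Substring($eq + 1).Trim()
    }
    return $ini
}

function Test-NameCovered {
    param([string[]]$Names, [string]$HostName)
    # A certificate name covers the host if it matches exactly, or is a wildcard for the
    # host's parent domain (one label only, which is how clients apply wildcards).
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.') -and $HostName -match ('^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$')) { return $true }
    }
    return $false
}

function Test-UagIni {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][securestring]$PfxPassword)
    $ini = Read-IniFile -Path $Path
    $problems = New-Object System.Collections.Generic.List[string]
    $general = $ini['General']; $horizon = $ini['Horizon']; $sslcert = $ini['SSLCert']

    # [General]: the keys a vSphere deployment needs, the OVA on disk, and no stored vCenter password.
    foreach ($key in 'name','source','target','ds','netInternet','netManagementNetwork','netBackendNetwork','deploymentOption') {
        if (-not $general -or -not $general[$key]) { $problems.Add("[General] is missing $key") }
    }
    if ($general -and $general['source'] -and -not (Test-Path -Path $general['source'])) {
        $problems.Add("OVA not found: $($general['source'])")
    }
    if ($general -and $general['target'] -and $general['target'] -notmatch ':PASSWORD@') {
        # uagdeploy prompts for the password and substitutes the literal PASSWORD at run time.
        $problems.Add('[General] target should keep the literal PASSWORD placeholder, not a real password')
    }

    # [Horizon]: external URLs must be https; PCoIP must be an IPv4 address, not a host name.
    $externalHosts = @()
    if ($horizon) {
        foreach ($key in 'proxyDestinationUrl','tunnelExternalUrl','blastExternalUrl') {
            $value = $horizon[$key]
            if (-not $value) { $problems.Add("[Horizon] is missing $key"); continue }
            $uri = $value -as [uri]
            if (-not $uri -or $uri.Scheme -ne 'https') { $problems.Add("[Horizon] $key must be an https:// URL: $value"); continue }
            if ($key -ne 'proxyDestinationUrl') { $externalHosts += $uri.Host }
        }
        if ($horizon['pcoipExternalUrl'] -notmatch '^\d{1,3}(\.\d{1,3}){3}:\d{1,5}$') {
            $problems.Add('[Horizon] pcoipExternalUrl must be <external IPv4 address>:<port>')
        } elseif ($horizon['pcoipExternalUrl'] -notmatch ':4172$') {
            $problems.Add('[Horizon] pcoipExternalUrl does not use port 4172; make sure firewall rules and clients agree')
        }
    }

    # [SSLCert]: the PFX must exist, carry the private key, not be near expiry, and cover the external names.
    $pfxPath = if ($sslcert) { $sslcert['pfxCerts'] } else { $null }
    if (-not $pfxPath) {
        $problems.Add('[SSLCert] pfxCerts is not set; the appliance would come up with a self-signed certificate')
    } elseif (-not (Test-Path -Path $pfxPath)) {
        $problems.Add("PFX not found: $pfxPath")
    } else {
        $fullPath = (Resolve-Path -Path $pfxPath).Path
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath, $PfxPassword
        if (-not $cert.HasPrivateKey) { $problems.Add('PFX does not contain the private key') }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems.Add("Certificate expires on $($cert.NotAfter); renew it before deploying") }
        $names = @()
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        if ($san) { $names += ([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }) }
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
        foreach ($h in ($externalHosts | Select-Object -Unique)) {
            if (-not (Test-NameCovered -Names $names -HostName $h)) {
                $problems.Add("Certificate does not cover external name $h (names present: $($names -join ', '))")
            }
        }
    }
    return ,$problems
}

# Usage: validate first, then hand the same INI file to the real deployment script (step 4 above).
$iniFile = '.\uag1.ini'
$pfxPassword = Read-Host -Prompt 'Password for the PFX named in [SSLCert]' -AsSecureString
$issues = Test-UagIni -Path $iniFile -PfxPassword $pfxPassword
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw "Fix the $($issues.Count) issue(s) above before deploying"
}
.\uagdeploy.ps1 $iniFile
```

The certificate check matters most: the Horizon Client validates the name in tunnelExternalUrl and blastExternalUrl against the certificate the appliance presents, so a PFX issued for the wrong name produces an appliance that boots cleanly but refuses every client session.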

Log in to the Unified Access Gateway administrator console to check the configuration and service statuses and to add or change the configuration. If you change any settings, such as adding a new edge service, remember to export the settings and update your INI file to reflect your changes.

Scaling Unified Access Gateway

With a configured Unified Access Gateway, you can export the settings and use those to quickly deploy and configure new appliances. With a load balancer situated in front of the Unified Access Gateway instances, you can scale up and down the number of appliances quickly.


Upgrading Unified Access Gateway

With the exported settings in JSON format, or your INI file if you used the PowerShell method, you can upgrade your Unified Access Gateway appliances to a newer version. The appliance itself is treated as disposable: it is powered off and deleted, then replaced with a new appliance that has the same configuration. An option in the administrator console allows you to put a Unified Access Gateway appliance into quiesce mode during these operations, so that the load balancer stops sending new sessions to it while existing sessions drain.
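The replace-not-patch upgrade only works without dropping users if the appliance really is out of the load balancer's rotation before it is powered off. The following probe is an added example, not part of the original post or of the UAG product. It assumes the load balancer monitors GET https://<appliance name>/favicon.ico, which the appliance answers with 200 while serving and 503 once quiesce mode is enabled, and uses uag1.horizon.domain.com as a placeholder for the per-appliance name (not the load-balanced name).

```powershell
# Added example, not part of the original post or the UAG product: poll an appliance's
# load-balancer health URL to confirm it is out of rotation before it is powered off.
# Assumptions: health probe is GET /favicon.ico (200 = serving, 503 = quiesced);
# uag1.horizon.domain.com is a placeholder for the per-appliance name.

function Get-UagHealthStatus {
    param([Parameter(Mandatory)][string]$UagHost, [int]$TimeoutSec = 5)
    # Returns the HTTP status code of the probe, or 0 when no HTTP answer arrived
    # (TLS failure, timeout, appliance already powered off).
    try {
        $resp = Invoke-WebRequest -Uri "https://$UagHost/favicon.ico" -UseBasicParsing -TimeoutSec $TimeoutSec
        return [int]$resp.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return 0
    }
}

function Wait-UagOutOfRotation {
    param([Parameter(Mandatory)][string]$UagHost, [int]$MaxWaitSec = 300, [int]$PollSec = 10)
    # Quiesce mode only refuses new sessions; existing sessions keep running until they
    # end, so wait for the probe to flip and then allow time for sessions to drain.
    $deadline = (Get-Date).AddSeconds($MaxWaitSec)
    do {
        $code = Get-UagHealthStatus -UagHost $UagHost
        Write-Host ('{0}  {1}  health={2}' -f (Get-Date -Format 'HH:mm:ss'), $UagHost, $code)
        if ($code -eq 503) { return $true }
        Start-Sleep -Seconds $PollSec
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Usage during an upgrade: enable quiesce mode in the admin console, confirm the probe
# returns 503, then power off the appliance and redeploy it from the same INI/JSON settings.
if (Wait-UagOutOfRotation -UagHost 'uag1.horizon.domain.com') {
    Write-Host 'Appliance is out of rotation; safe to power off and replace.'
} else {
    throw 'Appliance still reports healthy; check that quiesce mode is enabled and that the probe targets this appliance, not the load balancer.'
}
```

Run the probe against each appliance's own address. Probing the load-balanced name tells you only that some appliance is healthy, which is exactly the wrong signal when you are about to delete one of them.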


Authentication Methods

You can configure the Unified Access Gateway service to integrate with authentication services. This allows the Unified Access Gateway to perform certificate, smart card, RSA SecurID, RADIUS and RSA Adaptive Authentication. This also allows unauthenticated traffic to be handled in the DMZ, permitting only authorized traffic through.

Summary

Use the Unified Access Gateway to design environments that need secure external access to your organization’s applications. Explore all the possible use cases, including enhancing your security by having the Unified Access Gateway handle authentication requests from the DMZ.

Learn more at Understanding Unified Access Gateway on VMware TechZone.


FAQs

What is the difference between a VPN and Unified Access Gateway?

With Unified Access Gateway, when the Horizon Client is launched, authenticated users are in their View environment and have controlled access to their desktops and applications. A VPN requires that you set up the VPN software first and authenticate separately before starting the Horizon Client.

What are the benefits of using Unified Access Gateway?

Unified Access Gateway provides the flexibility to design your deployment based on your specific business needs. You have the following options: all Workspace ONE UEM services can be enabled in each appliance, or multiple services (any two or all three Workspace ONE UEM services) can be enabled per appliance.

How do I enable SSH on UAG?

You can optionally enable SSH on the appliance by adding sshEnabled=true to the [General] section of the INI file. SSH is disabled by default; because the appliance sits in the DMZ, leave it disabled unless you need it for troubleshooting, and restrict it to the management network if you do enable it. For the source setting, enter the full path to the UAG .ova file. For the target setting, leave PASSWORD in upper case.

What is VMware Horizon Unified Access Gateway?

Unified Access Gateway is designed to be Internet facing in a cloud tenant edge or DMZ network and meets advanced industry compliance and security standards. Multi-factor user authentication for Horizon is enhanced with built-in support for user identity federation with leading SAML identity providers.


What is the maximum number of connections in VMware UAG?

Although a Unified Access Gateway appliance can support a maximum of 2,000 simultaneous connections, you might decide to deploy 2 or 4 appliances behind a load balancer rather than run a single appliance at capacity.

What is the admin URL for VMware Unified Access Gateway?

Go to the UAG admin console at https://UAG_FQDN_or_IP_Address:9443/admin and log in with the admin account. Under Configure Manually, click Select. Go to General Settings -> Edge Services and click Show to display the Horizon Settings.


How do I deploy VMware Unified Access Gateway to AWS?

Deploying and configuring Unified Access Gateway on Amazon EC2 follows these steps:
  1. Prepare the client machine for PowerShell.
  2. Prepare the AWS EC2 environment.
  3. Upload the Unified Access Gateway image with PowerShell.
  4. Prepare an INI file for AWS.
  5. Deploy Unified Access Gateway to Amazon AWS EC2.

Is VMware Horizon Client a VPN?

VMware Horizon provides a solution that is not VPN-based and avoids the challenges of traditional VPN connections. Note the following: remote users connect to virtual or physical desktops that are provisioned inside the corporate network.


Article information

Author: Kelle Weber

Last Updated:

Views: 6494

Rating: 4.2 / 5 (73 voted)

Reviews: 80% of readers found this page helpful

Author information

Name: Kelle Weber

Birthday: 2000-08-05

Address: 6796 Juan Square, Markfort, MN 58988

Phone: +8215934114615

Job: Hospitality Director

Hobby: tabletop games, Foreign language learning, Leather crafting, Horseback riding, Swimming, Knapping, Handball

Introduction: My name is Kelle Weber, I am a magnificent, enchanting, fair, joyous, light, determined, joyous person who loves writing and wants to share my knowledge and understanding with you.