Home > Uncategorized > to see the status of the UAG appliances: On the top left

to see the status of the UAG appliances: On the top left

Categories Select Category ADC / NetScaler  (94)    Citrix ADC 12.1  (8)    Citrix ADC 13  (9)       Citrix Gateway 13  (2)    Citrix Gateway  (2)    NetScaler 10.5  (17)       Load Balancing  (7)       NetScaler Gateway  (10)    NetScaler 11  (20)       Load Balancing NetScaler 11  (6)       NetScaler Gateway 11  (10)    NetScaler 11.1  (21)       Load Balancing NetScaler 11.1  (8)       NetScaler Gateway 11.1  (8)    NetScaler 12  (23)       Load Balancing NetScaler 12  (5)       NetScaler Gateway 12  (11) Blog  (1) Citrix App Layering  (6) Citrix Provisioning  (9) EUC Weekly Digest  (212) Profile Management  (3) Receiver  (3) Site Updates  (10) StoreFront  (14)    StoreFront 1912 – 3.5  (4) Uncategorized  (4) Unidesk  (3) Virtual Apps and Desktops  (8) VMware Horizon  (36)    VMware Horizon 7  (11)    VMware Horizon 8  (8) Workspace app  (2) XenApp/XenDesktop  (56)    XenApp/XenDesktop 7.11  (6)    XenApp/XenDesktop 7.12  (5)    XenApp/XenDesktop 7.13  (5)    XenApp/XenDesktop 7.14  (6)    XenApp/XenDesktop 7.15  (4)    XenApp/XenDesk.

Trust Cerebro with your most challenging tasks
Tuesday September 08, 2020

For animation studios. Bring the most ambitious ideas to life full-length projects and series!. With Cerebro, you can rest easy at any stage of creating your animated masterpieces. Easy communication with colleagues, fast transfer of even the largest files to any continent and control over …

The post Trust Cerebro with your most challenging tasks appeared first on betfair.

VMware Unified Access Gateway 3.10

Citrix Federated Authentication Service (SAML) 2006.
VMware Unified Access Gateway 3.10.
Last Modified: Jul 11, 2020 @ 8:18 am 374 Comments Navigation.
Change Log.
Overview Firewall.
Network Profile.
PowerShell Deploy Script Method – both upgrade and new.
vSphere Web Client Deploy OVF method – Upgrade Existing, or Deploy New.
Web-based Admin Interface.

17:15 Closing Panel
Tuesday September 08, 2020

Rikke Jansen. VR Artist and developer Rikke Jansen is an experienced games artist and technical artist, having been in the field for more than a decade. She discovered VR three years ago and saw the potential in the platform by discovering social VR. She’s been …

The post 17:15 Closing Panel appeared first on betfair.

Add UAG to Horizon Console/Administrator

Monitor Sessions.
Logs and Troubleshooting.
Load Balancing.
UAG Authentication – SAML, RADIUS.
Other UAG Configurations – High Availability, Network Settings, System Settings.
???? = Recently Updated Change Log.
2020 July 11 – updated for UAG 3.10.
2020 Apr 29 – PowerShell deployment – updated ovftool for 4.3.0 P02.
2020 Apr 9 – Horizon Edge configuration – added link to VMware 78419 Unified Access Gateway (UAG) high CPU utilization.
2020 Mar 18 – updated for UAG 3.9.
2020 Mar 14 – added link to Unified Access Gateway Deployment Utility fling.
2019 Dec 15 – updated for UAG 3.8.
2019 Nov 16 – fleshed out PowerShell Deploy Script Method.
2019 Sep 17 – updated for UAG 3.7.
2019 Jul 14 – Other UAG Configurations – added info from Carlo Costanzo How to get an A+ from Qualys SSLLabs on your Horizon UAG deployment.
2019 Jul 7 – Overview – added link to Understanding Horizon Connections at VMware Tech Zone.
2019 Jul 4 – updated for UAG 3.6 Other UAG Configurations – new GUI configuration for SNMP, NTP, DNS, and Static Routes.
2019 Mar 18 – updated for UAG 3.5.
2018 Dec 28 – UAG Configuration – added link to High Availability on VMware Unified Access Gateway Feature Walk-through YouTube video.
2018 Dec 15 – updated for UAG 3.4 Overview – UAG 3.4 licensed editions.
New Add UAG to Horizon Administrator section.
UAG Configuration – High Availability settings.
Monitor Sessions – Edge Service Session Statistics in UAG Admin Interface.
2018 Oct 18 – Monitor Sessions – new section to see current UAG sessions.
2018 Oct 10 – Overview – added link to What’s New in VMware Unified Access Gateway 3.3.1 VMware Techzone Blog Post.
2018 Sep 27 – added link to Troubleshooting Blast through UAG at VMware Discussions.
2018 Aug 18 – updated for UAG
2018 May 24 – updated for UAG Added HTML5 vSphere Client instructions.
2018 Mar 4 – updated for UAG 3.2.1.
2018 Jan 28 – in the Logs and Troubleshooting section, added tcpdump install instructions, and link to Justin Johnson Troubleshooting Port Connectivity For Horizon’s Unified Access Gateway 3.2 Using Curl And Tcpdump.
2018 Jan 28 – in the Load Balancing section, added link to the VMware® NSX for vSphere End-User Computing Design Guide 1.2, which describes NSX load balancing of UAG.
2018 Jan 8 – updated for UAG 3.2 In section, added step to apply certificate to admin interface.
2018 Jan 3 – in the section, added link to YouTube video Endpoint Compliance Checks: New VMware Horizon Security Feature.
2017 Dec 15 – in Import OVF section, added link to DMZ Design and the use of Multiple NICs at VMware Communities.
Unified Access Gateway provides remote connectivity to internal Horizon Agent machines.
For an explanation of how this works (i.e.
traffic flow), see Understanding Horizon Connections at VMware Tech Zone.
Unified Access Gateway (formerly known as Access Point) is a replacement for Horizon Security Servers.
Advantages include: You don’t need to build extra Connection Servers just for pairing. However, you might want extra Horizon Connection Servers so you can filter pools based on tags.
Between Unified Access Gateway and Horizon Connection Servers you only need TCP 443.
No need for IPSec or 4001 or the other ports.
You still need 4172, 22443, etc.
to the View Agents.
No need to enable Gateway/Tunnel on the internal Horizon Connection Servers.
Additional security with DMZ authentication. Some of the Authentication methods supported on Unified Access Gateway are RSA SecurID, RADIUS, CAC/certificates, etc.
However: It’s Linux.
You can deploy and configure the appliance without any Linux skills.
But you might need some Linux skills during troubleshooting.
Horizon View Security Server is still developed and supported so you’re welcome to use that instead of Unified Access Gateway.
But some of the newer Blast Extreme functionality only works in Unified Access Gateway (Access Point) 2.9 and newer.
See Configure the Blast Secure Gateway at VMware Docs.
More information at VMware Blog Post Technical Introduction to VMware Unified Access Gateway for Horizon Secure Remote Access.
Horizon Compatibility – Refer to the interoperability matrix to determine which version of Unified Access Gateway is compatible with your version of Horizon.
UAG version 3.7 is UAG ESB for Horizon 7.10 ESB.
UAG version is UAG ESB for Horizon 7.5.2 ESB.
Download one of the following versions of UAG: For Horizon 7.12, .

Serial seven segment LED display shield for chipKIT
Tuesday September 08, 2020

Serial seven segment LED display shield for chipKIT. Seven segment LED displays are brighter more attractive, and provide a far viewing distance as well as a wider viewing angle compared to LCD displays. This project describes a serial seven segment LED display shield for chipKIT …

The post Serial seven segment LED display shield for chipKIT appeared first on betfair.

Download Unified Access Gateway (UAG) 3.10 for vSphere and Amazon AWS (Non-FIPS)

For Horizon 7.10 (ESB), download Unified Access Gateway 3.7 for vSphere and Amazon AWS.
You usually want the non-FIPS version.
For Horizon 7.5.2 (ESB), download Unified Access Gateway (ESB). You usually want the non-fips version.
Then download the PowerShell deployment scripts on the same UAG download page.
VMware Technical White Paper Blast Extreme Display Protocol in Horizon 7, and Firewall Rules for DMZ-Based Unified Access Gateway Appliances at VMware Docs.
Open these ports from any device on the Internet to the Unified Access Gateway Load Balancer VIP: TCP and UDP 443.
TCP and UDP 4172. UDP 4172 must be opened in both directions.
TCP and UDP 8443 (for HTML Blast).
Open these ports from the Unified Access Gateways to internal: TCP 443 to internal Connection Servers (through a load balancer).
TCP and UDP 4172 (PCoIP) to all internal Horizon View Agents. UDP 4172 must be opened in both directions.
TCP 32111 (USB Redirection) to all internal Horizon View Agents.
TCP and UDP 22443 (Blast Extreme) to all internal Horizon View Agents.
TCP 9427 (MMR and CDR) to all internal Horizon View Agents.
Open these ports from any internal administrator workstations to the Unified Access Gateway appliance IPs: TCP 9443 (REST API).
TCP 80/443 (Edge Gateway).
Network Profile.
Note: in Unified Access Gateway 3.3 and later, Network Protocol Profile is no longer necessary and you can skip this section.
Before importing the Unified Access Gateway OVF, you will need to configure a Network Profile.
In vSphere Web Client, go to the Datacenter object.
On the right, switch to the Manage (or Configure) tab > Network Protocol Profiles.
Click the plus icon.
In the Select name and network page, enter a name, select the DMZ VM Network for your Unified Access Gateway appliance, and click Next.
In the Configure IPv4 page, enter the subnet information, and Gateway.
Don’t configure an IP pool.
Click Next.
In the Ready to complete page, click Finish.
If you are configuring multiple NICs on your Unified Access Gateway, create Network Protocol Profile for the remaining subnets.
PowerShell Deploy Script.
Mark Benson at VMware Communities Using PowerShell to Deploy VMware Unified Access Gateway has a PowerShell script that runs OVF Tool to deploy and configure Unified Access Gateway.
The PowerShell script is updated as newer versions of Unified Access Gateways are released.
This is the recommended method of deploying Unified Access Gateway.
If you prefer to use vSphere Client to Deploy the OVF file, skip ahead to Upgrade or Deploy.
In UAG and newer, the PowerShell deployment script is downloadable from the UAG 3.10, UAG 3.7, or UAG download page.
The PowerShell deploy script requires the OVF Tool: Go to Open Virtualization Format Tool (ovftool) on VMware {code}.
The latest release for vSphere 6.7 is 4.3.0 P02.
Patch 2 is newer than Update 3.
There’s also ovftool 4.4 for vSphere 7.
Download the VMware OVF Tool for Windows 64-bit.
If OVF Tool is already installed, then you’ll have to uninstall the old version before you can upgrade it.
On the machine where you will run the UAG Deploy script, install VMware-ovftool-4.3.0-15755677-win.x86_64.msi.
In the Welcome to the VMware OVF Tool Setup Wizard page, click Next.
In the End-User License Agreement page, check the box next to I accept the terms and click Next.
In the Destination Folder page, click Next.
In the Ready to install VMware OVF Tool page, click Install.
In the Completed the VMware OVF Tool Setup Wizard page, click Finish.
Create or Edit a UAG .ini configuration file: Extract the downloaded uagdeploy PowerShell scripts for your version of Unified Access Gateway.
Copy and edit one of the downloaded .ini files, like uag2-advanced.ini.
A full explanation of all configuration settings can be found at Using PowerShell to Deploy VMware Unified Access Gateway at VMware Communities.
For any value that has spaces, do not include quotes in the .ini file.
The script adds the quotes automatically.
The name setting specifies the name of the virtual machine in vCenter.
If this VM name already exists in vCenter, then OVF Tool will delete the existing VM and replace it.
Add a uagName setting and specify a friendly name.
You’ll later add this name to Horizon Console/Administrator so you can view the health of the UAG appliance in Horizon Console/Administrator.
You can optionally enable SSH on the appliance by adding sshEnabled=true.
For the source setting, enter the full path to the UAG .ova file.
For the target setting, leave PASSWORD in upper case.
Don’t enter an actual password.
OVF Tool will instead prompt you for the password.
For the target setting, specify a cluster name instead of a host.
If spaces, there’s no need for quotes.
For example: target=vi://[email protected]:[email protected]/Datacenter/host/Cluster 1.
Specify the exact datastore name for the UAG appliance.
Optionally uncomment the diskMode setting.
For a onenic configuration (recommended), set the netInternet, netManagementNetwork, and netBackendNetwork settings to the same port group name.
Multiple dns servers are space delimited.
For pfxCerts, UNC paths don’t work.
Make sure you enter a local path (e.g.
OVA Source File can be UNC, but the .pfx file must be local.
There’s no need to enter the .pfx password in the .ini file since the uagdeploy.ps1 script will prompt you for the password.
proxyDestinationUrl should point to the internal load balancer for the Horizon Connection Servers.
If the DNS name ends in .local, then see 78611 DNS Related Troubleshooting With Unified Access Gateway 3.7 and newer which is based on Photon 3 and Roderik de Block VMware UAG not using DNS.
For proxyDestinationUrlThumbprints, paste in the thumbprint of the Horizon Connection Server certificate in the format shown.
If your Horizon Connection Servers each have different certificates, then you can include multiple thumbprints (comma separated).
Make sure there’s no hidden character between sha1 and the beginning of the thumbprint.
Change the ExternalUrl entries to an externally-resolvable DNS name and a public IP address.
For multiple UAGs, the FQDNs and public IP address should resolve to the load balancer.
Note: your load balancer must support persistence across multiple port numbers (443, 8443, 4172).
When you run the PowerShell script, if the UAG appliance already exists, then the PowerShell script will replace the existing appliance.
There’s no need to power off the old appliance since the OVF tool will do that for you.
Open an elevated PowerShell prompt.
Paste in the path to the uagdeploy.ps1 file.
If there are quotes around the path, then add a & to the beginning of the line so PowerShell executes the path instead of just echoing the string.
Add the -iniFile argument and enter the path to the .ini file that you modified.
Press to run the script.
You’ll be prompted to enter the root password for the UAG appliance.
Make sure the password meets password complexity requirements.
You’ll be prompted to enter the admin password for the UAG appliance.
Make sure the password meets password complexity requirements.
For CEIP, enter yes or no.
For .pfx files, you’ll be prompted to enter the password for the .pfx file.
Note: the .pfx file must be local, not UNC.
OVF Tool will prompt you for the vCenter password.
Special characters in the vCenter password must be encoded.
Use a URL encoder tool (e.g.
https://www.urlencoder.org/) to encode the password.
Then paste the encoded password when prompted by the ovftool.
The UAG passwords do not need encoding, but the vCenter password does.
The deploy script will display the IP address of the powered on UAG appliance.
Review settings in the UAG admin interface.

Add the new UAG appliance to Horizon Console/Administrator

To upgrade from an older appliance, you delete the old appliance, and import the new one.
Before deleting the older appliance, export your settings: Login to the UAG at https://:9443/admin/index.html.
In the Configure Manually section, click Select.
Scroll down to the Support Settings section, and then click the JSON button next to Export Unified Access Gateway Settings.

To deploy the Unified Access Gateway using VMware vSphere Client: Download UAG

Refer to the compatibility matrix for the latest compatibility data for each version.
For Horizon 7.12, download Unified Access Gateway (UAG) 3.10 for vSphere and Amazon AWS (Non-FIPS).

Unified Access Gateway 3.7 is UAG ESB for Horizon 7.10 ESB

You usually want the version that is not FIPS.

Unified Access Gateway is UAG ESB for Horizon 7.5.2 ESB

You usually want the non-fips version.
Unified Access Gateway Deployment Utility fling can be used instead of vSphere Client Deploy OVF.
If vSphere Client, right-click a cluster, and click Deploy OVF Template.
Note: the HTML5 UI client in vSphere 6.5 Update 2 and newer might work for single NIC.
But multi-NIC is only supported in the Flash UI (source = Hilko Lantinga in the comments).
Select Local File and click Choose Files. In the Open window, browse to the downloaded euc-unified-access-gateway- file, and click Next.
In the Select a name and folder page, give the machine a name, and click Next.
In the Review Details page, click Next.
In the Select configuration page, select a Deployment Configuration.
See DMZ Design for VMware Unified Access Gateway and the use of Multiple NICs at VMware Communities.
Click Next.
In the Select storage page, select a datastore, select a disk format, and click Next.
In the Select networks page, even if you select Single NIC, the OVF deployment wizard asks you for multiple NICs.
UAG typically goes in the DMZ.
In the Customize template page, select STATICV4, and scroll down.
Note: HTML5 UI vSphere Web client displays the settings in a different order than the Flash vSphere Client.
In the NIC1 (eth0) IPv4 address field, enter the NIC1 (eth0) IPv4 address.
Scroll down.
Enter DNS addresses, Gateway, and Subnet Mask.
Scroll down.
Scroll down and enter more IP info.
Scroll down.
Enter a Unified Gateway Appliance Name.
Scroll down.
Expand Password Options, and enter passwords.
In UAG 3.5 and newer, there’s a new checkbox for Enable SSH.
In UAG 3.9 and newer, there’s an option to login using a SSH key/pair instead of a password.
Click Next.
In the Ready to complete page, click Finish.
UAG Admin Interface.
Power on the Unified Access Gateway appliance.
If the appliance initially boots with the wrong IP, then a reboot might fix it.
In Unified Access Gateway, or Access Point 2.8 and later, you can point your browser to https://My_UAG_IP:9443/admin/index.html, and login as admin.
It might take a minute or two before the admin page is accessible.
Import Settings.
If you have previously exported settings, you can import it now by clicking Select in the Import Settings section.

Browse to the previously exported UAG_Settings.json file and then click Import

It should say UAG settings imported successfully.
Press on your keyboard to refresh the browser.
Configure Horizon Settings.
To manually configure the appliance, under Configure Manually, click Select.
Next to Edge Service Settings, click Show.
Next to Horizon Settings, click the gear icon.
Change Enable Horizon to Yes.
As you fill in these fields, hover over the information icon to see the syntax.
The Connection Server URL should point to the internal load balanced DNS name (URL) for your internal Connection Servers. If the DNS name ends in .local, then see 78611 DNS Related Troubleshooting With Unified Access Gateway 3.7 and newer which is based on Photon 3 and Roderik de Block VMware UAG not using DNS.
For the Connection Server URL Thumb print, get the thumbprint from the internal Horizon View certificate.
Point your browser to the internal Horizon View Connection Server FQDN (load balanced), and click the padlock icon to open the certificate.
On the Details tab, copy the Thumbprint.
In the Proxy Destination URL Thumb Prints field, type in sha1= and paste the certificate thumbprint.
At the beginning of the Thumbprint field, immediately after the equals sign, there might be a hidden character.
Press the arrow keys on the keyboard to find it.
Then delete the hidden character.
Enable the three PCOIP, Blast, and Tunnel Gateways and perform the following configurations: For PCOIP External URL, enter the external IP and :4172.
The IP should point to your external load balancer that’s load balancing UDP 4172 and TCP 4172 to multiple Unified Access Gateways.
For Blast External URL, enter https://:8443 (e.g.
This FQDN should resolve to your external load balancer that’s load balancing UDP 8443 and TCP 8443 to multiple Unified Access Gateways.
You could change the Blast port to 443 but this would increase CPU utilization on UAG.

See VMware 78419 Unified Access Gateway (UAG) high CPU utilization

Link: Troubleshooting Blast through UAG at VMware Discussions.
For Tunnel External URL, enter https://:443 (e.g.
This FQDN should resolve to your external load balancer that’s load balancing TCP 443 to multiple Unified Access Gateways.
The external load balancer must be capable of using the same persistence across multiple port numbers.
On NetScaler, this feature is called Persistency Group.
On F5, the feature is called Match Across.
Then click More.
Unified Access Gateway has a default list of paths it will forward to the Horizon Connection Server.
You can edit the Proxy Pattern and add /|/downloads(.*) to the list so users can also download Horizon Clients that are stored on your Horizon View Connection Servers.
Scroll down and click Save when done.
If you click the arrow next to Horizon Settings, then it shows you the status of the Edge services.
If all you see is Not Configured, then refresh your browser and then click the Refresh Status icon.
In your Horizon Connection Servers, the Secure Gateways (e.g.
PCoIP Gateway) should be disabled.
Go to Horizon Console or Horizon Administrator.
Expand Settings and click Servers.
Or expand View Configuration, and click Servers.
On the right, switch to the tab named Connection Servers.
Highlight your Connection Servers, and click Edit.
Then uncheck or disable all three Tunnels/Gateways.
If Horizon 7, HTML Access won’t work through Unified Access Gateway unless you disable Origin Check or configure the Connection Server’s locked.properties with the UAG addresses.
Also see 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon 7.
Add UAG to Horizon Administrator.
In Horizon 7.7 and newer, you can add UAG 3.4 and newer to Horizon Administrator so you can check its status in the Dashboard.
In UAG Admin console, under Advanced Settings, click the gear icon next to System Configuration.
At the top of the page, change the UAG Name to a friendly name.
You’ll use this name later.
Click Save at the bottom of the page.
In Horizon Console, on the left, expand Settings and click Servers.
Or in Horizon Administrator, on the left, expand View Configuration and then click Servers.
On the right, switch to the tab named Gateways.
Click the Register button.
In the Gateway Name field, enter the friendly name you specified earlier, and then click OK.
See status of UAG appliances: Use a Horizon Client to connect through a Unified Access Gateway.
Horizon Console and/or Horizon Administrator only detects the UAG status for active sessions.
In Horizon Console 7.10 and newer, to see the status of the UAG appliances: On the top left, expand Monitor and click Dashboard.
In the top-left block named System Health, click VIEW.
With Components highlighted on the left, on the right, switch to the tab named Gateway Servers.
This tab shows the status of the UAG appliances, including its version.
In Horizon Administrator, to see the status of the UAG appliances: On the top left, click Dashboard.
In the middle, expand Gateways and click your gateway to see its status.
To see the Gateway that users are connected to: In Horizon Console 7.10 or newer, or in Horizon Administrator, go to Monitor > Sessions.
Search for a session and notice the Security Gateway column.
UAG Authentication.

SAML is configured in UAG 3.8 and newer in the Identity Bridging Settings section

Upload Identity Provider Metadata.
Then in Edge Service Settings > Horizon Settings > More (bottom of page), you can set Auth Methods (near top of page) to SAML only, which requires True SSO implementation, or SAML and Passthrough, which requires two logins: one to IdP, and one to Horizon.
For Okta and True SSO, see Enabling SAML 2.0 Authentication for Horizon with Unified Access Gateway and Okta: VMware Horizon Operational Tutorial at VMware Tech Zone.
For Azure MFA, see Sean Massey Integrating Microsoft Azure MFA with VMware Unified Access Gateway 3.8.
For RADIUS authentication: Enable the Authentication Settings section, and configure the settings as appropriate for your requirements.
See Configuring Authentication in DMZ at VMware Docs.
When configuring RADIUS, if you click More, there’s a field for Login page passphrase hint.
Then in Edge Service Settings > Horizon Settings > More (bottom of page), you can set Auth Methods (near top of page) to RADIUS.
If you scroll down the Horizon Settings page you’ll see additional fields for RADIUS.
In UAG 3.8 and newer, Passcode label field can be customized for MFA providers like Duo.
If your RADIUS is doing Active Directory authentication (e.g.
Microsoft Network Policy Server with Azure MFA), then Enable Windows SSO so the user isn’t prompted twice for the password.
Other UAG Configurations.
UAG 3.8 and newer shows when the admin password expires in Account Settings in the Advanced Settings section.
Ciphers are configured under Advanced Settings > System Configuration.
The default ciphers in UAG 3.10 are the following and include support for TLS 1.3.
Carlo Costanzo at How to get an A+ from Qualys SSLLabs on your Horizon UAG deployment recommends the following cipher suites in older UAG appliances: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA.
Also enable Honor Cipher Order in older versions of UAG.
Syslog is also configured here.
In UAG 3.6 and newer, at the bottom of the System Configuration page are several settings for SNMP, DNS, and NTP.
UAG 3.10 and newer have Admin Disclaimer Text.
Session Timeout is configured in System Configuration.
It defaults to 10 hours.
UAG 3.6 and newer let you add static routes to each NIC.
Click Network Settings.
Click the gear icon next to a NIC.
Click IPv4 Configuration to expand it and then configure IPv4 Static Routes.

UAG supports High Availability Settings

With the High Availability Virtual IP address, you might not need load balancing of the UAG appliances.
See Unified Access Gateway High Availability at VMware Docs.
The High Availability feature requires three IP addresses and three DNS names: One IP/FQDN for the High Availability Virtual IP.
And one IP/FQDN for each appliance/node.
The Horizon Edge Gateways should be set to node-specific IP addresses and node-specific DNS names.
Each appliance is set to a different IP/FQDN.
The Virtual IP (and its DNS name) is only used for the High Availability configuration.
The YouTube videos What’s New Unified Access Gateway 3 4 and High Availability on VMware Unified Access Gateway Feature Walk-through explain the High Availability architecture.
Set the Mode to ENABLED.
Enter a new Virtual IP Address which is active on both appliances.
Enter a unique Group ID between 1 and 255 for the subnet.
Click Save.
On the second appliance, configure the exact same High Availability Settings.
To upload a valid certificate, scroll down to the Advanced Settings section, and next to TLS Server Certificate Settings, click the gear icon.
In Unified Access Gateway 3.2 and newer, you can apply the uploaded certificate to Internet Interface, Admin Interface, or both.
In Unified Access Gateway 3.0 and newer, change the Certificate Type to PFX, browse to a PFX file, and then enter the password.
This PFX file certificate must match the Public FQDN (load balanced) for Unified Access Gateway.
Leave the Alias field blank.
Click Save.
If you changed the Admin Interface certificate, then you will be prompted to close the browser window and re-open it.
Or, you can upload a PEM certificate/key (this is the only option in older UAG).
Next to Private Key, click the Select link.
Browse to a PEM keyfile.
If not running Unified Access Gateway 3.0 or newer, then certificates created on Windows (PFX files) must be converted to PEM before they can be used with Unified Access Gateway.
You can use openssl commands to perform this conversion.
The private key should be unencrypted.
Browse to a PEM certificate file (Base-64) that contains the server certificate, and any intermediate certificates.
The server certificate is on top, the intermediate certificates are below it.
The server certificate must match the public FQDN (load balanced) for the Unified Access Gateway.
Click Save when done.
UAG 3.1 and newer have an Endpoint Compliance Check feature.
The feature requires an OPSWAT subscription.
The OPSWAT agent is deployed to endpoints out-of-band.
It’s pass/fail.
See Endpoint Compliance Checks for Horizon at VMware Docs.
And the YouTube video Endpoint Compliance Checks: New VMware Horizon Security Feature.
UAG 3.9 and newer let you upload the Opswat Endpoint Compliance on-demand agent executables.
Horizon Client downloads the executables from UAG and runs them.
See Upload OPSWAT MetaAccess on-demand agent Software on Unified Access Gateway at VMware Docs.
Scroll down to Support Settings and click the icon next to Export Unified Access Gateway Settings to save the settings to a JSON file.
If you need to rebuild your Unified Access Gateway, simply import the the JSON file.
If you point your browser to the Unified Access Gateway external URL, you should see the Horizon View Connection Server portal page.
Horizon Clients should also work to the Unified Access Gateway URL.
Monitor Sessions.
In UAG 3.4 and newer, in the UAG Admin interface, At the top of the page, next to Edge Service Settings, you can see the number of Active Sessions on this appliance.
At the bottom of the page, under Support Settings, click Edge Service Session Statistics to see more details.
In older versions of UAG, to see existing Horizon connections going through UAG, point your browser to https://uag-hostname-or-ip-addr:9443/rest/v1/monitor/stats.
Logs and Troubleshooting.
In Access Point 2.8, and Unified Access Gateway (2.9 and newer), you can download logs from the.
You can also review the logs at /opt/vmware/gateway/logs.
You can less these logs from the appliance console.
Or you can point your browser to https://MyApplianceIP:9443/rest/v1/monitor/support-archive.
This will download a .zip file with all of the logfiles.
Much easier to read in a GUI text editor.
For initial configuration problems, check out admin.log.
For Horizon View brokering problems, check out esmanager.log.
By default, tcpdump is not installed on UAG.
To install it, login to the console and run /etc/vmware/gss-support/install.sh More info at Justin Johnson Troubleshooting Port Connectivity For Horizon’s Unified Access Gateway 3.2 Using Curl And Tcpdump.
Load Balancing.
If NetScaler, see https://www.carlstalhood.com/vmware-horizon-unified-access-gateway-load-balancing-netscaler-12/ load balance Unified Access Gateways.
For VMware NSX load balancing of Unified Access Gateways, see the VMware® NSX for vSphere End-User Computing Design Guide 1.2.
To help with load balancing affinity, UAG 3.8 and newer can redirect the load balanced DNS name to a node-specific DNS name.
This is configured in Edge Service Settings > Horizon Settings > More (bottom of page).
Related Pages.
Back to VMware Horizon 7.
Posted on July 11, 2020 Author Carl Stalhood Categories VMware Horizon 374 thoughts on “VMware Unified Access Gateway 3.10”.
Comment navigation.
Older Comments September 3, 2020 at 2:58 pm Hello Carl, First of all, thank you for the tutorial.
We’ve upgraded our UAG’s from v3.3 to v3.10 and everything went fine (just as you decribed).
However, now users start to get the following message when trying to connect: VMware Horizon Client cannot verify your connection.
The server provided a self-signed certificate instead of a verifiable certificate.
Because the server has provied a verifiable certificate in the past, there is a strong likelihood that your connection is not secure.
Do you have an idea how this can be fixed.
Than you very much.
Reply September 3, 2020 at 3:01 pm If you exported/imported the config, then be aware that the certificate is not included so you’ll have to upload it again.
Reply September 3, 2020 at 3:10 pm Thanks Carl, i exported/imported the config, but the old UAG’s didn’t have the certificate either.
They are behind a load balancer.
September 3, 2020 at 4:35 pm Uploading the certificate did the trick.
Omar Sanchez September 1, 2020 at 11:01 am Hi Carl, first of all let me thank you for the tutorial, it has helped me a lot, I have a question, I am doing a PoC and we only use one NIC for the UAG.
To enter the horizon environment from the internet, I am using a NAT from a public IP to the internal IP of the UAG, like this: https: //x.x.x.x: 444 = https: //x.x.x.x: 443.
The user can log in correctly, but when requesting the desktop, it is looking for the internal IP of the UAG using BLAST, do you know what I need to configure in the UAG to be able to show the desktop.
Reply September 1.

2020 at 11:14 am In UAG > Horizon Settings

did you set the URL to :8443, which is the default for blast.
Or are you doing port sharing on :444.
Reply Omar Sanchez September 1, 2020 at 11:32 am Thanks Carl, on UAG >Horizon Settings I set the URL like this: Blast External URL: (IP is the internal IP of the UAG) on the firewall I am configuring a NAT https: //187.188.x.x: 444 to https: // I am working like this because of lack o resources for the PoC Do I need to change the Blas External URL to https://187.188.x.x:8443?.
Regards, Reply September 1, 2020 at 11:40 am :8443 is the default.
You can try :444 to match your external port.
Magnus August 19, 2020 at 5:28 am Hi Carl, thanks for your great arcticle.
In case I hosted the Workspace ONE UEM environment for the customer and installed the UAG on customers site, which steps are imported to ensure no SSL errors between UAG and customers environment and UAG to WS1 environment.
I did the following: – SSL PFx Cert from the hosted environment imported into the UAG webconsole on the Internet interface (Admin Interface will be used with the customers certificate – Root, Intermediate Certs from the customers environment and the hosted WS1 environment into the trusted certificates from each Edge Service Anything else.
Magnus Reply.
Chad Corkrum August 16, 2020 at 7:35 pm I see you do work with the Netscaler and it’s similar to UAG and I know the recommended Netscaler be on the Edge you can give it a public IP and I think that was a recommended config.
Anyone know if UAG is secure enough to do the same.
With built in load balancing you could give the front end NIC 2 public addresses, it’s own, and lb and then a backend NIC in a DMZ with static routes to the networks it needs access to.
I can’t find anything on if that is a recommended setup or prefer behind a firewall because it isn’t secure enough on its own.
Reply August 16, 2020 at 8:36 pm I prefer to put a real firewall in front of these devices.
Sarvjit Pabla July 27, 2020 at 12:36 pm Carl you should mention or add that with UAG 3.7 HA will fail because the account HA is trying to use has an expired password.
It failed while I was testing HA setup (GUI would show the error FAULT), I found the error that was causing the issue in the /var/log/messages log.
I reset the password for the “gateway” user account,.
Once I reset the password using the standard “passwd” linux command utility, reenabled HA via the UAG GUI, HA came up as expected.
Damian July 17, 2020 at 10:44 am Hi, Great guide, regarding 4c for adding a new static route, do you happen to know the command for adding this outside the GUI.
Thanks Reply July 17, 2020 at 12:03 pm To automate a UAG, try the PowerShell script.
The INI file should have an option for static routes.
Reply Damian July 17, 2020 at 12:21 pm Hi, the UAG is already installed but some of our static routes magically disappeared overnight.
I found this command in a tech note so wondering if it would work so I can add them quickly to get the service back up and running: route add -net netmask gw dev eth1 Reply Andre L July 22, 2020 at 7:29 pm FYI: This may work for what you are attempting but it is a temp route and will “disappear” the next time you reboot the appliance.
Jakub Jezisek July 2, 2020 at 7:01 am Hi Carl, Thank you for your awesome site.
I have problem with UAG 3.9.1 and certificate with alternate names (SAN).
When connecting with Horizon Client everything is OK.
But when I use web browser to access my desktops, it can only be done when connecting to commonName of certificate.
Accessing web by any of SAN names result in error “Failed to connect to the Conection server” when clicking HTML Access.
Log didn’t help me.
Reply July 2, 2020 at 7:07 am Is checkOrigin disabled on your Connection Servers.
Reply Jakub Jezisek July 2, 2020 at 7:25 am That’s it.
I actually didn’t turn off check origin.
But I specified portalHost as mentioned in vmware documentation and now I forgot to add subject alternative names of new certificate.
Thank you for pointing this out.
Chad June 30, 2020 at 2:42 pm Hi, I am wondering about DNS in a DMZ configuration.
We have active directory integrated DNS, and would have to open DNS service from the DMZ to one or more of our Domain Controllers to use DNS on the UAG back to the LAN.
Is this the typical practice.
If so, it seems that would be included in the list of ports needed for the UAG setup to work.
Just wondering how others are doing this.
Sandra June 23, 2020 at 12:39 am This is the best guide so far for UAG deployment, even VMWare KB also is not detailed as this.
Thank you soo much.
Chad June 16, 2020 at 9:17 am Hi, I was wondering if you have any recommendation on if it’s ok to run UAG in a 2NIC setup with 1 NIC in the WAN and the other in the DMZ with static routes to connection server and agents.
Currently I just use a single NIC deployment in the DMZ with a NAT from public IP to DMZ IP and a VIP to load balance the initial connection.
Wondering if the appliance is hardened enough to have it’s external interface on the WAN.
My main reason for wanting to investigate this route is when I have any hiccup with my front end firewall or upgrade it etc etc it takes out UAG access, so if I only took out internet access out that would be better with UAG continuing to function aside when it gets updated, Reply.
Juan June 15, 2020 at 5:11 am Hi, I discover that if use dns search in ova then not connect to admin https, refuse to connect at all, in 3.9, 3.6, 3.5 and others.
My domain its .local FYI Reply Mike July 14, 2020 at 2:01 pm Known issue: see https://arnomeijroos.com/2020/02/18/how-to-fix-dns-issues-on-the-vmware-uag/ Reply.
Comment navigation.
Older Comments Leave a Reply Cancel reply.
Post navigation.
Previous Previous post: VMware Dynamic Environment Manager 2006 Next Next post: VMware Horizon 6 Composer.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *