Deploying Unified Access Gateway using vSphere Web Client

Introduction

In the previous post, we discussed an overview of Unified Access Gateway. In this post, I will be deploying a VMware Unified Access Gateway (UAG) appliance to give the end-user access to entitled Virtual Desktop / Remote Hosted applications over an insecure network like the internet.

You might wonder why VMware Unified Access Gateway is needed when a Security Server can already provide access to Virtual Desktops and Remote Hosted Applications. Why should an organization think of deploying Unified Access Gateway?

In my opinion, an organization should think of deploying Unified Access Gateway for the following reasons.

  1. Even if you security-harden a Windows-based Security Server, a Windows-based OS is more vulnerable to attacks than a hardened Linux.
  2. You can only have a 1:1 relationship between the Security Server and the Connection Server. You have more flexibility with Unified Access Gateway.
  3. Unified Access Gateway can act as a single solution for different use cases:
    • Secure Remote Access / Proxy of Horizon Protocols (Blast / PCoIP)
    • DMZ Authentication (RADIUS, RSA SecurID, CAC, SAML)
    • Reverse Proxy – Access to on-prem web resources
    • Identity Bridging – Access to non-SAML-ready on-prem apps (Kerberos / Header based)
    • AirWatch Per-App VPN / Proxy Tunneling Server
    • AirWatch Content Gateway
  4. Unified Access Gateway can make use of the Blast Extreme Adaptive Transport protocol. Blast is a UDP-based protocol which gives a better remote user experience even if you are connecting over a lossy network.
  5. Much easier to configure and manage in comparison to the Security Server and the Access Point virtual appliance.

VMware UAG Virtual Appliance Requirement

  1. 4 GB of RAM on a physical host running ESXi, or Hyper-V running on Windows 2012 R2 or Windows 2016.
  2. 2 x vCPU
  3. 1 – 3 Network Cards
    • 1 NIC: a single NIC handles Internet, internal & management traffic (recommended for POC only).
    • 2 NICs: one NIC handles Internet traffic and the second NIC handles all internal & management traffic.
    • 3 NICs: a separate NIC each for Internet, internal & management traffic.
  4. 20 GB of Disk Space
  5. Horizon 6.x & 7.x
  6. 1 UAG node per 2000 concurrent connections

Deploying UAG Virtual Appliance using vSphere Web Client

Conclusion

This concludes the deployment of VMware Unified Access Gateway using VMware vSphere Web Client. I hope this was informative for you. Thanks for reading! Be social and share it if you find it worth sharing.

Introduction to VMware Unified Access Gateway (UAG) 3.2

Introduction to Unified Access Gateway

Unified Access Gateway (UAG) is an appliance that replaces Horizon Security Servers. UAG ensures that only traffic from authenticated users enters the data center by directing authentication requests to the appropriate server and discarding any unauthenticated request. VMware Unified Access Gateway is designed specifically for DMZ environments, with hardening settings such as multi-NIC support for Internet and intranet traffic and disabled SSH, FTP, Telnet, Rlogin, etc. You can deploy the Unified Access Gateway appliance on either VMware ESXi or Microsoft Hyper-V.

VMware Unified Access Gateway Advantages:

  • No VMware Horizon Security Server is needed to give users access to their entitled virtual desktops.
  • Only TCP 443 needs to be opened on the external firewall.
  • Can provide an additional layer of security by integrating RSA SecurID, RADIUS, CAC/certificates, etc.

The Unified Access Gateway (UAG) provides secure access to the following environments:

  • VMware Horizon desktops and applications
  • VMware Identity Manager
  • VMware AirWatch or VMware Workspace ONE per-app tunnels and tunnel proxy
  • VMware Content Gateway service to allow VMware Content Locker access to internal file shares and Microsoft SharePoint

You cannot upgrade VMware Unified Access Gateway using upgrade bundles, the way you can for other VMware appliances. Instead, you upgrade Unified Access Gateway by deploying the latest release and importing the configuration of the old appliance. You can upgrade with zero downtime by setting the Unified Access Gateway quiesce mode to YES. Once quiesce mode is YES, the UAG is shown as not available and requests from the load balancer are no longer sent to it.

There are two primary methods you can use to install the Unified Access Gateway appliance on a vSphere ESX or ESXi host.

  1. The vSphere Client or vSphere Web Client
  2. PowerShell Script

When you deploy the OVF, you configure how many network interfaces (NICs) are required, assign the IP addresses and set the administrator and root passwords. The simplest deployment of VMware UAG is a single NIC, where all network traffic is combined into a single network. A single-NIC deployment is best suited for a POC environment.

VMware UAG Virtual Appliance Requirement

  1. 4 GB of RAM on a physical host running ESXi, or Hyper-V running on Windows 2012 R2 or Windows 2016.
  2. 2 x vCPU
  3. 1 – 3 Network Cards
    • 1 NIC: a single NIC handles Internet, internal & management traffic (recommended for POC only).
    • 2 NICs: one NIC handles Internet traffic and the second NIC handles all internal & management traffic.
    • 3 NICs: a separate NIC each for Internet, internal & management traffic.
  4. 20 GB of Disk Space
  5. Horizon 6.x & 7.x
  6. 1 UAG node per 2000 concurrent connections

Once deployed, you can access the Admin GUI of the VMware Unified Access Gateway appliance at:

https://<UAG_appliance_hostname_or_IPAddress>:9443/admin/index.html
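
The post states that only TCP 443 needs to be open on the external firewall and that the Admin GUI listens on port 9443. The following is an added example (not from the original post or from VMware) that audits a perimeter rule set against those two statements. The rule format, zone names and sample addresses are assumptions, and rules are treated as a flat list without first-match precedence.

```python
# Added example: audit perimeter firewall rules for a UAG appliance.
from dataclasses import dataclass

EXTERNAL_ALLOWED = {("tcp", 443)}   # per the post: only TCP 443 on the external firewall
ADMIN_PORT = ("tcp", 9443)          # Admin GUI port from the URL in the post


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "internet" or "internal" (zone names are assumptions)
    dst_ip: str
    proto: str
    port: int
    action: str     # "allow" or "deny"


def audit_uag_rules(rules, uag_internet_ip, allowed=EXTERNAL_ALLOWED):
    """Return (severity, message) findings for internet-sourced allow rules to the UAG."""
    findings = []
    exposed = {
        (r.proto.lower(), r.port)
        for r in rules
        if r.src_zone == "internet"
        and r.dst_ip == uag_internet_ip
        and r.action == "allow"
    }
    if ADMIN_PORT in exposed:
        findings.append(("HIGH", "Admin GUI tcp/9443 reachable from internet"))
    for proto, port in sorted(exposed - allowed - {ADMIN_PORT}):
        findings.append(("MEDIUM", f"unexpected {proto}/{port} open to internet"))
    for proto, port in sorted(allowed - exposed):
        findings.append(("INFO", f"{proto}/{port} not allowed; users cannot connect"))
    return findings


# Constructed sample rule set (documentation addresses, not from the post).
SAMPLE_RULES = [
    Rule("internet", "203.0.113.10", "tcp", 443, "allow"),
    Rule("internet", "203.0.113.10", "tcp", 9443, "allow"),   # admin port exposed
    Rule("internet", "203.0.113.10", "tcp", 22, "allow"),     # not in the allowed set
    Rule("internal", "203.0.113.10", "tcp", 9443, "allow"),   # internal admin access
    Rule("internet", "203.0.113.10", "tcp", 8080, "deny"),
]

if __name__ == "__main__":
    for severity, message in audit_uag_rules(SAMPLE_RULES, "203.0.113.10"):
        print(f"{severity}: {message}")
```
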

Conclusion

This summarizes the introduction to VMware Unified Access Gateway. In the next post, I will be covering the deployment of VMware Unified Access Gateway. I hope this was informative for you. Happy reading! Be social and share it if you find it worth sharing.