VMware Horizon 7: deploy Unified Access Gateway


Normally installed in a DMZ area, the Unified Access Gateway (UAG) is an appliance used to ensure incoming traffic comes from a strongly authenticated remote user.

Unified Access Gateway directs authentication requests to the appropriate server and only to desktop and application resources to which the user is actually entitled.


Unified Access Gateway

Unified Access Gateway acts as a proxy host for connections inside your company's trusted network adding an extra layer of security.

The appliance presents some hardening settings since it is designed specifically for the DMZ:

  • Updated Linux Kernel and software patches
  • Multiple NIC support for Internet and intranet traffic
  • Disabled SSH
  • Disabled FTP, Telnet, Rlogin, or Rsh services
  • Disabled unwanted services

Compared to VPN, the UAG appliance has some advantages:

  • UAG is design for performance and security.
  • Users can access their virtual desktops using the Horizon Client only without using different software to connect.
  • UAG applies access rules automatically requiring less administrative effort to maintain the required rules.

    Deployment settings

    The Unified Access Gateway can be deployed with different configurations. You can specify one, two, or three NICS settings:

    • 1 NIC - this is the simplest configuration where all network traffic is combined onto a single network.
    • 2 NICs - one NIC for unauthenticated access and back-end authenticated traffic and management traffic are separated on the second NIC.
    • 3 NICs - all traffic is separated in specific networks.

    Unified Access Gateway 1


    Firewall ports to open

    To avoid connection issues in your Horizon infrastructure, the appropriated ports must be open in your firewall. The following table lists ports to open.

    Unified Access Gateway 2


    Deploy the UAG appliance

    After downloading the UAG software in OVA format, from vSphere Client right click the object where to install the appliance and select Deploy OVF Template.

    Unified Access Gateway 3

    Click Browse and select the .OVA file downloaded from VMware. Click Next.

    Unified Access Gateway 4

    Enter a Virtual machine name and select a location. Click Next.

    Unified Access Gateway 5

    Specify the compute resource and click Next.

    Unified Access Gateway 6

    Click Next.

    Unified Access Gateway 7

    Select the Configuration required and click Next.

    Unified Access Gateway 8

    Select the Storage to store the appliance and click Next.

    Unified Access Gateway 9

    Specify the Destination Network and click Next.

    Unified Access Gateway 10

    Enter the network parameters and click Next.

    Unified Access Gateway 11

    Click Finish to proceed with UAG deployment.

    Unified Access Gateway 12


    Configure the Unified Access Gateway appliance

    Once the UAG has been deployed, open your preferred browser and enter the address https://<IP_UAG>:9443. Enter the credentials and click Login.

    Unified Access Gateway 13

    Click Select in the Configure Manually side.

    Unified Access Gateway 14

    Enable the Edge Service Setting switch under General Settings to configure the Horizon environment.

    Unified Access Gateway 15

    Click the Horizon Settings' icon.

    Unified Access Gateway 16

    Enter the Connection Server URL and the Connection Server URL Thumbprint. Enable the requested protocols such as PCOIP, Blast and specify the URL for the configured protocols used to connect Horizon infrastructure from external. Click Save when done.

    Unified Access Gateway 17

    To find the correct Connection Server URL Thumbprint, right click in the browser the certificate used to connect the Connection Server. In the Details tab search for Thumbrint and copy the value. This value needs to be pasted to the appropriated field.

    Unified Access Gateway 18

    If the entered parameters are correct and the correct firewall ports open, you should see all items with a green circle. If the Horizon Destination Server is red, it means the UAG is unable to resolve the FQDN of the Connection Sever. As workaround, use the Connection Server IP Address instead of FQDN.

    Unified Access Gateway 19

    In the Horizon Console, access the Servers area under Settings and go to Connection Servers tab. Select your Connection Server and click Edit.

    Unified Access Gateway 20

    Disable the HTTP(s) Secure Tunnel and both PCoIP and Blast Secure Gateways. Click OK to save the configuration.

    Unified Access Gateway 21

    Now access the Gateways tab and click Register.

    Unified Access Gateway 22

    Enter the name of the appliance specified in the Advanced Settings of the UAG and click OK.

    Unified Access Gateway 23

    The appliance has been registered successfully.

    Unified Access Gateway 24

    Under Monitor, select Dashboard and click View.

    Unified Access Gateway 25

    In the Gateway tab you can find the configued UAG.

    Unified Access Gateway 26

    Testing the connection to a VD, the Security Gateway used by Horizon is the configured UAG.

    Unified Access Gateway 27


    Export the UAG configuration

    To export the configuration, in the UAG configuration UI you can find the Export Unified Access Gateway Settings option under Support Settings. You can export the configuration in JSON or INI format by clicking the appropriated options.

    Unified Access Gateway 28

    The settings are exported to your computer. Click OK to save.

    Unified Access Gateway 29

    The Unified Access Gateway configuration is now complete and the appliance is ready to manage the connection requests.



    1. Allferry 10/12/2021
      • Paolo Valsecchi 11/12/2021