MyLab: Configuring VMware Horizon on Unified Access Gateway (UAG)

Overview

This post documents how to configure VMware Horizon on Unified Access Gateway (UAG). Before starting, a Unified Access Gateway should already be deployed and configured. Reference the link for more information on how to:
* Log into the Appliance Settings
* Configure NTP servers
* Configure TLS settings (Admin and Internet interfaces)
* Configure a SAML Identity Provider (IdP)
* Configure High Availability Settings (if required)
* Configure network settings.

The other component that should already be configured is the VMware Horizon Connection Server. It is ideal to have separate Horizon Connection Servers for internal and external endpoints, since their tunnel and secure gateway configurations differ. Ensure the Horizon Connection Servers have TLS certificates configured.

Verify Unified Access Gateway (UAG) Settings

Log into the Unified Access Gateway and select Configure Manually.

Verify Network Settings

Under Advanced > System Configuration, verify:

* UAG Name: should be a fully qualified domain name.
* DNS
* DNS Search
* NTP Servers

Under Advanced > Network Settings, verify:

* IPv4 Default Gateway
* NIC 1: Internet facing interface (IPv4 Address; IPv4 Netmask; IPv4 Static Routes)
* NIC 2: Management network interface (IPv4 Address; IPv4 Netmask; IPv4 Static Routes)


You will be unable to visually verify TLS Server Certificate Settings and SAML Settings in the UI. The browser will show a lock symbol if the appliance has a valid Admin interface TLS certificate.


Configure Smart Card or PIV in Authentication Settings on the Unified Access Gateway (UAG)

Under General Settings > Authentication Settings, configure X.509 Certificate.

Enable X.509 Certificate by sliding the toggle to enable. Add all intermediate and root certificates that signed the user smart card or PIV tokens in the Root and Intermediate CA Certificates section.

Note: You will not be able to visually verify the added certificates in the UI.


Configuring a Trust Between Horizon and UAG for SAML (High Level)

  1. On the UAG, configure the SAML Identity Provider Settings.
  2. On the Horizon Connection Server (Windows console), change the expiration period for Service Provider metadata on the Connection Server (https://docs.vmware.com/en/VMware-Horizon/2309/horizon-console-administration/GUID-3E170C23-097F-46D0-82BD-7CACFF04FC9A.html):
     cs-samlencryptionkeyvaliditydays=number-of-days
     cs-samlsigningkeyvaliditydays=number-of-days
  3. On the Horizon Connection Server (Horizon Console), enable and configure a SAML Authenticator, and associate the SAML Authenticator with a Connection Server.
  4. In the browser, generate SAML metadata so that the Connection Server can be used as a Service Provider (https://docs.vmware.com/en/VMware-Horizon/2309/horizon-console-administration/GUID-C5D01C30-C84E-4199-92E8-9B1E324C40A5.html):
     https://<fully-qualified-domain-name>/SAML/metadata/sp.xml
     https://hzn-92-30.aaronrombaut.com/SAML/metadata/sp.xml
     Right-click and select View Page Source.
  5. On the UAG, configure the SAML Service Provider Settings using the metadata from step 4, above.

Note: The Service Provider Name used (HorizonCS in this example) will be the name used (case sensitive) when setting up the Horizon Settings, detailed in the next part of this post.
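Before pasting the sp.xml source into the UAG SAML Service Provider settings, it is worth checking that the metadata actually describes the Connection Server you expect. The following is an added example, not code from this post or from VMware; the sample metadata is constructed, using the page's Connection Server hostname, and the ACS path and certificate value in it are placeholders.

```python
"""Sanity-check Horizon Connection Server SP metadata (sp.xml) before it is
configured as a SAML Service Provider on the UAG. Added example; the sample
metadata below is constructed and the certificate value is a placeholder."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def check_sp_metadata(xml_text: str, expected_fqdn: str) -> dict:
    """Return the entityID, the AssertionConsumerService endpoints and a list
    of findings that should be resolved before the SP is added to the UAG."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        return {"entity_id": entity_id, "acs": [], "findings": ["no SPSSODescriptor"]}
    findings = []
    # (binding short name, location) for every ACS endpoint the SP advertises
    acs = [(e.get("Binding", "").rsplit(":", 1)[-1], e.get("Location", ""))
           for e in spsso.findall("md:AssertionConsumerService", NS)]
    for _, location in acs:
        # The IdP will POST assertions here, so it must be the real CS over HTTPS
        if not location.startswith(f"https://{expected_fqdn}/"):
            findings.append(f"ACS location not on expected FQDN over HTTPS: {location}")
    signing = spsso.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                            "ds:X509Data/ds:X509Certificate", NS)
    if not signing:
        findings.append("no signing certificate in metadata")
    if spsso.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append("WantAssertionsSigned is not true")
    return {"entity_id": entity_id, "acs": acs, "findings": findings}


# Constructed sample of what View Page Source on sp.xml might show.
SAMPLE_SP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://hzn-92-30.aaronrombaut.com/SAML/metadata/sp.xml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://hzn-92-30.aaronrombaut.com/SAML/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_SP_XML, "hzn-92-30.aaronrombaut.com"))
```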


Configure VMware Horizon Settings on Unified Access Gateway (UAG)

Under General Settings, expand the Edge Service Settings.

Select the gear to the right of Horizon Settings.

Expand the Enable Horizon toggle. Fill out the necessary details:

* Connection Server URL
* Connection Server URL Thumbprint (required if using an Enterprise issued certificate)
* Connection Server IP mode
* Client Encryption Mode
* Auth Methods – Set this according to your requirements. If only Smart Card or PIV, set to only X.509 Certificate. Passthrough will allow a user name and password.
* Enable Blast
* Blast External URL
* SAML SP – Use the name and exact case of the name used when setting up the SAML Service Provider.
* Gateway Location
* Disable HTML Access – HTML Access cannot be used with Smart Card or PIV authentication; the browser does not pass the token through. The Horizon Client, either on a thick client or a thin client, must be used.
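The Connection Server URL Thumbprint pins the UAG to the certificate the Connection Server presents, so it has to be recomputed whenever that certificate is renewed. The following is an added example, not code from this post or from VMware: it computes the thumbprint in the "sha1=" / "sha256=" colon-separated hex form and compares a configured value against the live certificate. It assumes the UAG accepts thumbprints written with colons, spaces or no separators in either case, and the hostname in the usage block is a placeholder.

```python
"""Compute and compare the Connection Server TLS thumbprint entered under
Horizon Settings on the UAG. Added example; the hostname is a placeholder."""
import hashlib
import ssl


def uag_thumbprint(der: bytes, algo: str = "sha1") -> str:
    """Thumbprint of a DER-encoded certificate as 'sha1=ab:cd:...' or
    'sha256=ab:cd:...', the form used in the UAG Horizon Settings field."""
    if algo not in ("sha1", "sha256"):
        raise ValueError("UAG thumbprints are sha1 or sha256")
    digest = hashlib.new(algo, der).hexdigest()
    return f"{algo}=" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(thumbprint: str):
    """Split 'SHA256=AB CD ...' into (algo, lowercase hex without separators),
    assuming the UAG ignores separator style and case when comparing."""
    algo, _, value = thumbprint.strip().lower().partition("=")
    if not value:
        raise ValueError("thumbprint must be '<algo>=<hex>'")
    return algo, value.replace(":", "").replace(" ", "")


def thumbprint_matches(configured: str, der: bytes) -> bool:
    """True when the value configured on the UAG matches the certificate the
    Connection Server actually presents. A mismatch after a certificate
    renewal is the usual reason the UAG suddenly cannot reach Horizon."""
    algo, expected = normalise(configured)
    _, actual = normalise(uag_thumbprint(der, algo))
    return expected == actual


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate presented on the Connection Server URL
    (needs network access to the server)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Placeholder FQDN; replace with the Connection Server URL host.
    der = fetch_der("hzn-cs.example.internal")
    print(uag_thumbprint(der, "sha256"))
```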


Disable Gateways on the Horizon Console

When a Unified Access Gateway (UAG) is associated with a Horizon Connection Server, the UAG will handle the security gateway and BLAST security gateway functionality. These must be turned off on the associated Horizon Connection servers.

In Horizon Console, navigate to Settings > Servers > Connection Servers. Choose a Connection Server from the list and select Edit.

On the General tab, under HTTP(s) Secure Tunnel, de-select Use Secure Tunnel connection to machine.

On the General tab, under Blast Secure Gateway, select Do not use Blast Secure Gateway.

