Eric Monjoin
Staff Consulting Architect but also pilot, spending time in front of my computer or flying in the air...

Category: Unified Access Gateway

Omnissa Unified Access Gateway 2412

What’s new:

Unified Access Gateway 2412 provides the following new features and enhancements:

  • Transition Update
    • The transition from Broadcom to Omnissa is now complete. The Unified Access Gateway Admin user interface, configuration strings, and file paths have been updated to reflect the new Omnissa brand.
    • As HTML Access is renamed to Web Client, the related keys and Admin UI settings on Unified Access Gateway are also renamed.
  • Operating System Update
    • Following the transition from Broadcom to Omnissa, the Unified Access Gateway now uses the AlmaLinux operating system. AlmaLinux is an open-source, community-driven Linux operating system. Unified Access Gateway 2412 uses AlmaLinux 9.2.
    • Compatibility between AlmaLinux 9.2 and ESXi (vSphere/vCenter)
  • Users can now configure Unified Access Gateway to perform OpenID Connect (OIDC) authentication. See OpenID Connect (OIDC).
  • Administrators can now configure a Gateway Specification, which allows only the services required for that specification type to run on the appliance. See Gateway Specification in Deploying to vSphere using the OVF Template Wizard.
  • Security Improvements
    • Added protection against user impersonation attacks: when Unified Access Gateway is used with SAML authentication in Service Provider initiated mode, a desktop launch session must be sent from the same client endpoint on which it was generated.
    • Added protection against SAML assertion replay attacks: a SAML assertion issued by an Identity Provider can be used only once during its lifetime.
    • For smart card, RADIUS and RSA SecurID authentication, Unified Access Gateway issues a SAML assertion (containing the end-user attributes) to Horizon Connection Server. Added support for encrypting this assertion.
    • Changed the default SAML authentication request signature algorithm from SHA-1 to SHA-256.
    • On the FIPS version of Unified Access Gateway, the Extended Master Secret extension is mandatory for TLS 1.2 connections.
    • Updates to TLS ciphers. See System configuration.
  • Added compatibility with Horizon Connection Server’s support for handling encrypted SAML assertion, issued by Identity Providers. See Encrypted assertion between Unified Access Gateway and auth methods.
  • On the Upload Identity Provider Metadata section of the Admin UI, you can now view all the uploaded certificates present in the Identity Provider metadata.
  • Logging improvements.
  • Updates to OS package versions and Java component versions.
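The two SAML hardening items in the release notes above (one-time use of an assertion, and binding a launch session to the client endpoint that created it) are easy to get subtly wrong, so here is an added example of how such checks are typically implemented. This is illustrative code written for this page, not Omnissa's or UAG's own code; the assertion XML, IDs, endpoints and timestamps are constructed sample values, and only the SAML 2.0 element and attribute names (`Assertion`, `ID`, `Conditions`, `NotBefore`, `NotOnOrAfter`) come from the standard.

```python
"""Added example (not Omnissa/UAG code): replay protection and endpoint
binding for SAML-based launches, as described in the release notes.

 - ReplayCache.consume(): an assertion ID is accepted once, and only while
   the assertion is inside its NotBefore/NotOnOrAfter validity window.
 - LaunchSessionStore: a launch session is bound to the client endpoint
   that created it and rejected when presented from any other endpoint.

All sample values below are constructed for this example.
"""
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _parse_saml_time(value: str) -> datetime:
    """SAML uses ISO-8601 UTC timestamps ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class ReplayCache:
    """Remembers consumed assertion IDs until their NotOnOrAfter has passed."""

    def __init__(self) -> None:
        self._seen: dict[str, datetime] = {}  # assertion ID -> expiry

    def consume(self, assertion_xml: str, now: datetime) -> bool:
        """Return True if the assertion is fresh and unused; False otherwise.

        Signature verification is assumed to have happened before this
        point; this check only enforces the validity window and one-time use.
        """
        root = ET.fromstring(assertion_xml)
        assertion_id = root.get("ID")
        cond = root.find("saml:Conditions", SAML_NS)
        if not assertion_id or cond is None:
            return False  # malformed: no ID or no validity window to enforce
        not_before = _parse_saml_time(cond.get("NotBefore"))
        not_on_or_after = _parse_saml_time(cond.get("NotOnOrAfter"))

        # Expire old entries so the cache stays bounded by assertion lifetime.
        self._seen = {k: v for k, v in self._seen.items() if v > now}

        if now < not_before or now >= not_on_or_after:
            return False  # outside the window, reject even on first sight
        if assertion_id in self._seen:
            return False  # replay: this ID was already consumed
        self._seen[assertion_id] = not_on_or_after
        return True


class LaunchSessionStore:
    """Binds each launch session ID to the client endpoint that created it."""

    def __init__(self) -> None:
        self._bound: dict[str, str] = {}

    def create(self, session_id: str, client_endpoint: str) -> None:
        self._bound[session_id] = client_endpoint

    def validate(self, session_id: str, client_endpoint: str) -> bool:
        """Accept the launch only from the endpoint the session was bound to."""
        bound = self._bound.get(session_id)
        if bound is None:
            return False
        return hmac.compare_digest(bound.encode(), client_endpoint.encode())


# Constructed sample assertion (no signature; values are placeholders).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_sample-assertion-0001" Version="2.0" IssueInstant="2025-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2025-01-01T12:00:00Z" NotOnOrAfter="2025-01-01T12:05:00Z"/>
</saml:Assertion>"""


def run_demo() -> dict:
    """Exercise both checks and return the outcomes."""
    t0 = datetime(2025, 1, 1, 12, 1, tzinfo=timezone.utc)
    cache = ReplayCache()
    sessions = LaunchSessionStore()
    sessions.create("launch-42", "198.51.100.10")
    return {
        "first_use": cache.consume(SAMPLE_ASSERTION, t0),
        "replay": cache.consume(SAMPLE_ASSERTION, t0 + timedelta(seconds=30)),
        "after_expiry": cache.consume(SAMPLE_ASSERTION, t0 + timedelta(minutes=10)),
        "same_endpoint": sessions.validate("launch-42", "198.51.100.10"),
        "other_endpoint": sessions.validate("launch-42", "203.0.113.7"),
        "unknown_session": sessions.validate("launch-99", "198.51.100.10"),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Two design points worth noting: the replay cache only has to remember an ID for as long as the assertion itself is valid, which is why short `NotOnOrAfter` windows from the IdP keep it small; and in a multi-node deployment the cache and the session bindings would need to live in shared state, otherwise a replay against a different node would not be detected.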

ADFS with VMware Unified Access Gateway (UAG)

This article covers the configuration of ADFS with VMware Unified Access Gateway (UAG) without using Workspace ONE Access.

There are two use cases for configuring ADFS with Unified Access Gateway:

  1. Use Case #1: ADFS as MFA. Users first authenticate using ADFS, and then authenticate using their standard credentials to get the list of available resources (desktops or apps).
  2. Use Case #2: ADFS as the single authentication method. Users authenticate once with ADFS and then connect to VDI VMs or published apps without entering any other credentials. This use case of course requires VMware True SSO to work.

The initial configuration is the same for both; to keep it short, here are the steps required:

  1. Change Expiration Period for Service Provider Metadata
    1. https://my-virt.alfadir.net/index.php/2022/01/12/change-the-expiration-period-for-service-provider-metadata-on-connection-server/
  2. Deploy UAG
    1. Configure the Edge Service and specify a Connection Server FQDN (not the load balancer)
    2. Check that the connection is working
  3. Connect to <federation fqdn> and save the FederationMetadata.xml file
  4. Import FederationMetadata.xml in UAG (Upload Identity Provider Metadata)
  5. Configure UAG for SAML or SAML and Passthrough auth methods
  6. Specify Identity Provider
  7. Download the SAML Service Provider .xml file
  8. Configure ADFS
    1. Add a new Relying Party Trust
    2. Specify the UAG SP .xml file as the source
    3. Configure the Claim Issuance Policy
  9. Connect to UAG as a “client”
    1. Authenticate using ADFS
    2. Authenticate using AD credentials

Now, if we want to go further and implement ADFS with True SSO:

  1. Generate SAML IdP Settings
    1. Import a signed certificate or use the generated one
    2. Copy the content of Download IDP Settings
  2. Configure Horizon Connection Server for SAML authentication with UAG and ADFS
    1. Connect to the admin console of Horizon Connection Server
    2. Add a SAML Authenticator for UAG
      1. Mode: Static
      2. Paste the content of the UAG Download IDP Settings
      3. Change the EntityId if required
    3. Add a SAML Authenticator for ADFS
      1. Mode: Static
      2. Paste the content of FederationMetadata.xml
  3. Enable True SSO for UAG and ADFS
    1. Using vdmUtil, enable both authenticators
  4. Check the True SSO connection
    1. Connect to UAG as a client
    2. Once authenticated to ADFS, the list of available resources appears, and you can log in without any other credentials

That said, let’s see with some nice pictures how we do that:


New Release of Horizon Enterprise 2103 and Unified Access Gateway 2103

What’s New?

  • Horizon Server
    • Added support for “Global Access Group”
    • Added support for the open-source PostgreSQL database
    • Added support for untrusted domain
    • Pegged the unabated growth of the event database
    • Ability to pre-assign computer names to instant-clone desktops
    • Delivered REST APIs with View API parity
  • Horizon Agents & Clients
    • Teams offload on the Mac client
    • USB redirection for HTML Access & Chrome client
    • Pen redirection iOS & Android
    • HEVC 444 Intel GPU Linux client
    • Bandwidth control for integrated printing
    • Serial port improvements, auto mapping, ID passing
    • Agent hot patch via MSP
    • Exposed HCA, H.264/H.265 enablement and networking client settings to the registry and the GPO template
    • Dropped 32-bit support for the Windows agent, Linux agent and client
  • App Volumes
    • Support for Windows 10 Enterprise multi-session on Horizon Cloud on Azure
    • App Volumes Command-Line Capture Program for working with App Volumes and MSIX formatted VMDK and VHD packages
    • Global option to allow the same packages to work across both VDI/RDSH regardless of the packaging OS used
  • Dynamic Environment Manager
    • Replication of the Script folder in SyncTool
    • Simplification of computer environment configuration
    • Support for late arrival of system environment variables in agent configuration for computer environment settings
    • Improvements in default printer logic to roam default printer settings for redirected printers

Running VMware Unified Access Gateway on Hyper-V

Ok okkkkkk, I know that could be weird at first sight, but I had a request from a customer to assist in the deployment of UAG 3.9 on Hyper-V in a “Dual DMZ” configuration.

The back-end UAG is deployed on vSphere, but the front-end should run on the DMZ hypervisors, which are… Windows 2019 Core / Hyper-V.

So when we look at the files required to perform this installation, we need to download two files:

  • Unified Access Gateway (UAG) 3.9 PowerShell scripts, to get all the scripts needed to deploy the appliance
  • Unified Access Gateway (UAG) 3.9 for Microsoft Azure, to get the .vhd file, i.e. the Hyper-V disk format

Unified Access Gateway and .local domain

Since a recent release of Unified Access Gateway (I guess starting with 3.7, as I don’t remember having any issue with version 3.6), the appliance is not using the configured DNS, and when looking at /etc/resolv.conf it is using the internal IP 127.0.0.53 to perform queries.

After digging around the internet I found some posts about this, and to make it short, the solution is to edit /etc/systemd/resolved.conf, comment out “Domains=” and specify your local domain: