Eric Monjoin
Staff Consulting Architect but also pilot, spending time in front of my computer or flying in the air...

Category: Unified Access Gateway

ADFS with VMware Unified Access Gateway (UAG)

This article covers the configuration of ADFS with VMware Unified Access Gateway without using Workspace ONE Access.

There are two use cases for configuring ADFS with Unified Access Gateway:

  1. Use Case #1: ADFS as MFA. Users first authenticate using ADFS, then authenticate with their standard credentials to get the list of available resources (desktops or apps).
  2. Use Case #2: ADFS as the single authentication method. Users authenticate once with ADFS and then connect to VDI VMs or published apps without entering any other credentials. This use case of course requires VMware TrueSSO to work.

The initial configuration is the same for both; in short, these are the steps required:

  1. Change the expiration period for the Service Provider metadata
    1. https://my-virt.alfadir.net/index.php/2022/01/12/change-the-expiration-period-for-service-provider-metadata-on-connection-server/
  2. Deploy UAG
    1. Configure the Edge Service and specify a Connection Server FQDN (not the load balancer)
    2. Check that the connection is working
  3. Connect to <federation fqdn> and save the FederationMetadata.xml file
  4. Import FederationMetadata.xml in UAG (Upload Identity Provider Metadata)
  5. Configure UAG for the SAML or SAML and Passthrough auth methods
  6. Specify the Identity Provider
  7. Download the SAML Service Provider .xml file
  8. Configure ADFS
    1. Add a new Relying Party Trust
    2. Specify the UAG SP .xml file as the source
    3. Configure the Claim Issuance Policy
  9. Connect to UAG as a “client”
    1. Authenticate using ADFS
    2. Authenticate using AD credentials
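As an added example (not code from the original post), here is the ADFS side of steps 3 and 8 done in PowerShell on the ADFS server: it fetches and checks the federation metadata you will upload to UAG, creates the Relying Party Trust from the UAG SP metadata file, and sets a claim issuance policy. Everything named here is an assumption to adapt: the federation FQDN sts.example.com, the paths under C:\Temp, the trust name, the AD group SID placeholder, and the choice of UPN as the SAML NameID (the post does not state which claims UAG needs).

```powershell
# Added example, not from the original post: ADFS side of the UAG integration.
# Run in an elevated PowerShell session on the ADFS server.
# Assumptions (adjust to your environment): federation service sts.example.com,
# UAG SP metadata saved as C:\Temp\uag-sp-metadata.xml (step 7), and UAG
# expecting the user's UPN as the SAML NameID.
Import-Module ADFS

$FederationFqdn = 'sts.example.com'                 # assumption
$UagSpMetadata  = 'C:\Temp\uag-sp-metadata.xml'     # assumption
$TrustName      = 'Unified Access Gateway'          # assumption

# Step 3 check: download the IdP metadata that is later uploaded to UAG and
# verify the token-signing certificate is not about to expire. An expired
# signing cert is a classic cause of SAML logins failing with little to go on.
$idpUrl = "https://$FederationFqdn/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$idp = (Invoke-WebRequest -Uri $idpUrl -UseBasicParsing).Content
$idp.Save('C:\Temp\FederationMetadata.xml')         # the file imported in step 4
Write-Host "IdP entityID: $($idp.EntityDescriptor.entityID)"

$signingB64 = ($idp.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' } |
    Select-Object -First 1).KeyInfo.X509Data.X509Certificate
$signingCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($signingB64))
Write-Host "IdP signing cert: $($signingCert.Subject) valid until $($signingCert.NotAfter)"
if ($signingCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning 'IdP token-signing certificate expires within 30 days; plan the rollover.'
}

# Steps 8.1 and 8.2: create the Relying Party Trust from the UAG SP metadata file
# (only if it does not exist yet, so the script can be re-run safely).
[xml]$sp = Get-Content -Path $UagSpMetadata -Raw
Write-Host "UAG SP entityID: $($sp.EntityDescriptor.entityID)"
if (-not (Get-AdfsRelyingPartyTrust -Name $TrustName)) {
    Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataFile $UagSpMetadata
}

# Step 8.3: claim issuance policy. Rule 1 looks up the UPN in AD for the
# authenticated Windows account; rule 2 emits that UPN as the SAML NameID.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "UPN as NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@
Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $rules

# Least privilege: only members of one AD group may use this trust.
# The SID is a placeholder; replace it with the SID of your UAG users group.
$authz = @'
@RuleName = "Permit UAG users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-GROUP-SID"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceAuthorizationRules $authz

# Final check: the trust is enabled and ADFS learned the UAG SAML endpoints.
Get-AdfsRelyingPartyTrust -Name $TrustName | Select-Object Name, Identifier, Enabled, SamlEndpoints
```

The authorization rule is what keeps "ADFS as MFA" from becoming "anyone who can log on to AD reaches the UAG"; if you do want every AD user admitted, the standard "Permit everyone" rule (the same `issue` line without the `groupsid` condition) replaces it. Re-check the trust in the ADFS console after running it, since the NameID format and claim set depend on how UAG was configured in steps 5 and 6.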

Now if we want to go further and implement ADFS with TrueSSO:

  1. Generate the SAML IdP settings
    1. Import a signed certificate or use the generated one
    2. Copy the content of Download IDP Settings
  2. Configure the Horizon Connection Server for SAML auth with UAG and ADFS
    1. Connect to the admin console of the Horizon Connection Server
    2. Add a SAML Authenticator for UAG
      1. Mode: Static
      2. Paste the content of the UAG Download IDP Settings
      3. Change the EntityId if required
    3. Add a SAML Authenticator for ADFS
      1. Mode: Static
      2. Paste the content of FederationMetadata.xml
  3. Enable TrueSSO for UAG and ADFS
    1. Using vdmUtil, enable both authenticators
  4. Check the True SSO connection
    1. Connect to UAG as a client
    2. Once authenticated to ADFS, the list of available resources appears, and you can log in without entering any other credentials
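Step 3 above only says "using vdmUtil"; as an added example (not from the original post), this PowerShell snippet run on the Connection Server lists the SAML authenticators, enables True SSO on both, and reads the state back. Assumptions: the default vdmUtil install path, a Horizon administrator account entered as domain\user, and authenticator names uag.example.com and sts.example.com matching what was created in the Horizon console in step 2.

```powershell
# Added example, not from the original post: enable True SSO on both SAML
# authenticators with vdmUtil, run in an elevated PowerShell session on the
# Connection Server. Assumptions: default install path, and the authenticator
# names below match the ones created in the Horizon console.
$vdmUtil = 'C:\Program Files\VMware\VMware View\Server\tools\bin\vdmUtil.exe'   # assumption: default path
$authenticators = 'uag.example.com', 'sts.example.com'                             # assumption: your names

# vdmUtil takes the password as a command-line argument, so prompt for it
# interactively instead of hard-coding it in a script.
$cred = Get-Credential -Message 'Horizon administrator (domain\user)'
$domain, $user = $cred.UserName -split '\\', 2
$auth = @('--authAs', $user, '--authDomain', $domain,
          '--authPassword', $cred.GetNetworkCredential().Password)

# Current state of the SAML authenticators before the change.
& $vdmUtil @auth --truesso --authenticator --list

# Enable True SSO on the UAG authenticator and on the ADFS authenticator.
foreach ($name in $authenticators) {
    & $vdmUtil @auth --truesso --authenticator --edit --name $name --truessoMode ENABLED
    if ($LASTEXITCODE -ne 0) { throw "vdmUtil failed to enable True SSO on '$name'" }
}

# Read back: both authenticators should now show True SSO enabled, and the
# environment listing shows the enrollment servers the Connection Server will use.
& $vdmUtil @auth --truesso --authenticator --list
& $vdmUtil @auth --truesso --environment --list --listenrollmentservers
```

Because the password travels on the command line, anyone who can read the process list on the Connection Server while the command runs can see it; run it interactively from an administrator session rather than from a scheduled job with a stored secret.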

That said, let's see with some nice pictures how we do that:

New Release of Horizon Enterprise 2103 and Unified Access Gateway 2103

What’s New?

  • Horizon Server
    • Added support for “Global Access Group”
    • Added support for the open source database PostgreSQL
    • Added support for untrusted domains
    • Capped the unbounded growth of the event database
    • Ability to pre-assign computer names to instant clone desktops
    • Delivered REST APIs with parity to the View API
  • Horizon Agents & Clients
    • Microsoft Teams offload for the Mac client
    • USB redirection for HTML Access and the Chrome client
    • Pen redirection for iOS and Android
    • HEVC 4:4:4 with Intel GPU on the Linux client
    • Bandwidth control for integrated printing
    • Serial port improvements: auto mapping, ID passing
    • Agent hot patch via MSP
    • Exposed HCA, H.264/H.265 enablement and networking client settings to the registry and the GPO template
    • Dropped 32-bit support for the Windows agent, Linux agent and client
  • App Volumes
    • Support for Windows 10 Enterprise multi-session on Horizon Cloud on Azure
    • App Volumes Command-Line Capture Program for working with App Volumes and MSIX formatted VMDK and VHD packages
    • Global option to allow the same packages to work across both VDI and RDSH regardless of the packaging OS used
  • Dynamic Environment Manager
    • Replication of the Script folder in SyncTool
    • Simplification of computer environment configuration
    • Support for late arrival of system environment variables in agent configuration for computer environment settings
    • Improvements in default printer logic to roam default printer settings for redirected printers

Running VMware Unified Access Gateway on Hyper-V

Ok okkkkkk, I know that could look weird at first sight, but I had a request from a customer to assist in the deployment of UAG 3.9 on Hyper-V in a “Dual DMZ” configuration.

The back-end UAG is deployed on vSphere, but the front-end should run on the DMZ hypervisors, which are… Windows 2019 Core / Hyper-V.

So when we look at the files required for this installation, we need to download two files:

  • Unified Access Gateway (UAG) 3.9 PowerShell scripts, to get all the scripts needed to deploy the appliance
  • Unified Access Gateway (UAG) 3.9 for Microsoft Azure, to get the .vhd file, i.e. the Hyper-V disk format

Unified Access Gateway and .local domain

Since a recent release of Unified Access Gateway (I guess starting with 3.7, as I don’t remember having any issue with version 3.6), the appliance is not using the configured DNS, and when looking at /etc/resolv.conf it’s using the internal IP 127.0.0.53 (the local systemd-resolved stub listener) to perform queries.

After digging around the internet I found some posts about this; in short, the solution is to edit /etc/systemd/resolved.conf, comment out “Domains=” and specify your local domain: