Unified Access Gateway | Released on 18 December 2020
Check for additions and updates to these release notes.
What is in the Release Notes
The release notes cover the following topics:
- What's New in This Release
- Compatibility Notes
- Unified Access Gateway Lifecycle Support Policy
- Installation and Upgrade
- Sizing Options
- Technical Resources
- Resolved Issues
- Known Issues
What is New in This Release
VMware Unified Access Gateway 2012 provides the following new features and enhancements. For more information about these features, see the Documentation Center.
- Admin User Interface (UI) accessibility improvements based on VPAT (Voluntary Product Accessibility Template) tests.
- Horizon Smart Card and Device Certificate authentication now allow multiple issuer CA (certificate authority) certificates to be uploaded to Unified Access Gateway even when these CA public key certificates have a duplicate subject name. This is useful when a CA issuer certificate is regenerated with a different key pair and the same subject name, and Unified Access Gateway must authenticate users whose certificates were issued by either the old or the new CA. To construct the certification path to the correct CA certificate public key, Unified Access Gateway uses the X.509 v3 certificate extensions SubjectKeyIdentifier (SKI) and AuthorityKeyIdentifier (AKI).
- Added the ability to set some advanced network settings at deploy time. An example is to specify that a DNS server IP address allocated by DHCP must be ignored, and the statically applied DNS IP addresses must be used.
- SNMP monitoring can now use SNMP v3. Previous versions used SNMP v2C.
- The root password policy, such as expiry time and complexity, can now be specified at deployment time.
- The TLS cipher list supported by the Horizon PCoIP Secure Gateway no longer includes ciphers that use an RSA key exchange, because they do not provide forward secrecy. The stronger TLS_ECDHE_RSA_ ciphers are now supported for PCoIP. Old versions of Horizon Client that rely on the weaker RSA key exchange ciphers can no longer use PCoIP through Unified Access Gateway, and the client must be upgraded to a current version. The removed PCoIP ciphers are:
- Updates to Photon OS package versions and Java versions.
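The SKI/AKI matching described in the Smart Card and Device Certificate item above, shown as an added example; it is not Unified Access Gateway code and does not come from these release notes. It uses the third-party Python cryptography package, all certificates, names and helper functions are constructed for illustration, and both extensions are assumed to be present on every certificate.

```python
# Added illustration, not UAG code: choose the issuer by AKI -> SKI among same-name CAs.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(cn, key, issuer_cn, issuer_key, is_ca):
    """Build a constructed test certificate that carries SKI and AKI extensions."""
    name = lambda v: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, v)])
    now, pub, ipub = datetime.now(timezone.utc), key.public_key(), issuer_key.public_key()
    return (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(name(issuer_cn)).public_key(pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5)).not_valid_after(now + timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(pub), critical=False)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ipub), critical=False)
            .sign(issuer_key, hashes.SHA256()))

def issuers_by_name(cert, store):
    """Subject-name lookup alone: ambiguous once a CA has been re-keyed."""
    return [ca for ca in store if ca.subject == cert.issuer]

def issuer_by_key_id(cert, store):
    """Keep the same-name candidate whose SKI equals the certificate's AKI."""
    want = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    found = [ca for ca in issuers_by_name(cert, store) if
             ca.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest == want]
    if len(found) != 1:
        raise LookupError(f"expected exactly one issuer, found {len(found)}")
    return found[0]

def signed_by(cert, ca):
    """Key identifiers only select a candidate; the signature check confirms it."""
    try:
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

CN = "Example Issuing CA"  # constructed sample data: old and re-keyed CA, same subject
OLD_KEY, NEW_KEY, USER_KEY = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
OLD_CA, NEW_CA = (make_cert(CN, k, CN, k, True) for k in (OLD_KEY, NEW_KEY))
USER_OLD, USER_NEW = (make_cert("Example User", USER_KEY, CN, k, False) for k in (OLD_KEY, NEW_KEY))
```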
The Unified Access Gateway user interface, online help, and product documentation are available in Japanese, French, German, Spanish, Brazilian Portuguese, Simplified Chinese, Traditional Chinese, and Korean. For the complete documentation, go to the Documentation Center.
Compatibility Notes
For more information about the VMware Product Interoperability Matrix, go to http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.
Lifecycle Support policy
For information about the Unified Access Gateway Lifecycle Support policy, go to https://kb.vmware.com/s/article/2147313.
Installation and Upgrade
To download the Unified Access Gateway, see the Product Download page.
Sizing Options
For the Unified Access Gateway sizing recommendations, go to VMware Configuration Maximums.
Technical Resources
To learn and master Unified Access Gateway, go to https://techzone.vmware.com/mastering-unified-access-gateway.
Resolved Issues
When using SAML 2.0 Authentication to Horizon 7/8 environments where a pre-login/disclaimer message is configured on Horizon Connection Server, this message could be displayed to the user twice.
When using Horizon Universal Broker to launch desktop and application sessions to a Horizon 7/8 POD through Unified Access Gateway version 2009, there was a requirement to manually configure a response header on Unified Access Gateway to support a browser CORS policy. This manual header response configuration for Universal Broker is now not necessary with Unified Access Gateway 2012.
TLS 1.3 support for Horizon, Web Reverse Proxy and the Horizon Blast Secure Gateway can be enabled or disabled after deployment using the Admin UI. In previous versions it was necessary to restart Edge Service Manager or reboot Unified Access Gateway.
The Photon gettext package needed for certain command line commands is now included.
Connections to OCSP servers for certificate checks would not use the configured outbound proxy.
Tunnel Invalid UUID results in unhandled exception while calling the API GET /API/mdm/gateway/sync.
Known Issues
If a backslash (\) character is used when setting an admin password, root password, or RADIUS shared secret, then it must be escaped by using an extra backslash character. So, the admin must specify a password like Secret\123 as Secret\\123.
Workaround: Prefix \ with an extra backslash \ (for example, \\u).
When Unified Access Gateway is deployed in Microsoft Azure using DHCP allocated IP addresses and there is a conflict between any custom static routes and DHCP assigned routes, then the static routes can be removed after they have been applied. This only happens if there is a mismatch between the Unified Access Gateway hostname and the hostname assigned by Azure based on the VM name.
Workaround: Ensure that the Azure VM name based hostname matches the uagName (hostname) set when Unified Access Gateway is deployed so that a hostname change is not performed.
The location of waagent.log is /var/log/waagent.log, which is a link to /opt/waagent/log/waagent.log. However, /opt/waagent does not exist and therefore a log file is not created.
Workaround: The log file is not needed, but if it is ever required, log in to the Unified Access Gateway console as root and remove the link by using the following command: rm /var/log/waagent.log.
When Unified Access Gateway is deployed on Microsoft Azure, on first boot, the Microsoft Hypervisor is correctly detected by Unified Access Gateway and within the Hypervisor, based on a DHCP setting, Azure is correctly detected. However, on subsequent boot, Azure is incorrectly detected as Hyper-V and waagent is stopped. This is a minor issue as waagent is mainly used to apply configuration settings on first boot only.
When Horizon SAML 2.0 is used with Horizon True SSO to avoid the initial AD password prompt, if the session is manually locked or locks due to inactivity, the user must either enter their AD password to unlock the session or close the client and reconnect. The Horizon True SSO unlock mechanism currently depends on Workspace ONE Access.