You can configure the security protocols and cryptographic algorithms that are used to encrypt communications between clients and the Unified Access Gateway appliance from the admin configuration pages.
Prerequisites
- Review the Unified Access Gateway Deployment Properties. The following settings information is required:
  - Static IP address for the Unified Access Gateway appliance
  - IP addresses of the DNS servers
    Note: A maximum of two DNS server IP addresses can be specified.
    Unified Access Gateway uses the platform default fallback public DNS addresses only when no DNS server addresses are provided to UAG, either as part of the configuration settings or through DHCP.
  - Password for the administration console
  - URL of the server instance or load balancer that the Unified Access Gateway appliance points to
  - Syslog server URL to save the event log files
Procedure
- In the admin UI Configure Manual section, click Select.
- In the Advanced Settings section, click the System Configuration gearbox icon.
- Edit the following Unified Access Gateway appliance configuration values.
Option, default value, and description:
- UAG Name: Unique Unified Access Gateway appliance name. Note: The appliance name can be a text string of up to 24 characters consisting of letters (A-Z), digits (0-9), the minus sign (-), and the period (.). The appliance name cannot contain spaces.
- Locale: Specifies the locale to use when generating error messages.
  - en_US for American English. This is the default.
  - ja_JP for Japanese
  - fr_FR for French
  - de_DE for German
  - zh_CN for Simplified Chinese
  - zh_TW for Traditional Chinese
  - ko_KR for Korean
  - es for Spanish
  - pt_BR for Brazilian Portuguese
  - en_GB for British English
- Cipher Suites: The cryptographic algorithms used to encrypt communications between clients and the Unified Access Gateway appliance. In most cases, the default settings do not need to be changed. The cipher settings are applied to whichever security protocol versions are enabled below.
- TLS 1.0 Enabled: Default is NO. Select YES to enable the TLS 1.0 security protocol.
- TLS 1.1 Enabled: Default is NO. Select YES to enable the TLS 1.1 security protocol.
- TLS 1.2 Enabled: Default is YES. The TLS 1.2 security protocol is enabled.
- TLS 1.3 Enabled: Default is YES. The TLS 1.3 security protocol is enabled.
- Allowed Host Headers: Enter the IP address or the host name as the host header values. This setting applies to UAG deployments with Horizon and Web Reverse Proxy use cases. For UAG deployments with Horizon, you might need to provide multiple host headers, depending on whether N+1 Virtual IP (VIP) is used and whether the Blast Secure Gateway (BSG) and VMware Tunnel are enabled and configured to use port 443 externally. Horizon clients send the IP address in the host header of the Blast connection request. If the BSG is configured to use port 443, the allowed host headers must contain the external IP address of the BSG host name configured in the Blast External URL for that UAG. If no host header values are specified, any host header value sent by the client is accepted.
- CA Certificate: This option is enabled when a Syslog server is added. Select a valid Syslog Certificate Authority certificate.
- Health Check URL: Enter a URL that the load balancer connects to in order to check the health of Unified Access Gateway.
- Cookies to be Cached: The set of cookies that Unified Access Gateway caches. The default is none.
- Session Timeout: Default value is 36000000 milliseconds (10 hours). Note: The value of Session Timeout on Unified Access Gateway must be the same as the value of the Forcibly disconnect users setting on the Horizon Connection Server. The Forcibly disconnect users setting is one of the General Global Settings in the Horizon console. For more information about this setting, see Configuring Settings for Client Sessions in the VMware Horizon Administration documentation at VMware Docs.
- Quiesce Mode: Enable YES to pause the Unified Access Gateway appliance so that it reaches a consistent state for performing maintenance tasks.
- Monitor Interval: Default value is 60.
- Password Age: Number of days the password is valid for the user in the ADMIN role. The default value is 90 days. The maximum value that can be configured is 999 days. For the password to never expire, set this field to 0.
- Monitoring Users Password Age: Number of days the password is valid for users in the MONITORING role. The default value is 90 days. The maximum value that can be configured is 999 days. For the password to never expire, set this field to 0.
- Request Timeout: The maximum time Unified Access Gateway waits for a request to be received. The default value is 3000. This timeout must be specified in milliseconds.
- Body Receive Timeout: The maximum time Unified Access Gateway waits for a request body to be received. The default value is 5000. This timeout must be specified in milliseconds.
- Maximum Connections per Session: Maximum number of TCP connections allowed per TLS session. The default value is 16. For no limit on the number of TCP connections, set this field to 0. Note: A field value of 8 or lower causes errors in Horizon Client.
- Client Connection Idle Timeout: Specify the time (in seconds) that a client connection can stay idle before the connection is closed. The default value is 360 seconds (6 minutes). A value of 0 indicates no idle timeout.
- Authentication Timeout: The maximum wait time in milliseconds within which authentication must complete. The default is 300000 (5 minutes). If 0 is specified, there is no time limit for authentication.
- Clock Skew Tolerance: Enter the permitted time difference in seconds between the Unified Access Gateway clock and the other clocks on the same network. The default is 600 seconds.
- Max Allowed System CPU: The maximum allowed average system CPU usage over one minute, as a percentage. When the configured CPU limit is exceeded, new sessions are not allowed and the client receives an HTTP 503 error to indicate that the Unified Access Gateway appliance is temporarily overloaded. Exceeding the limit also allows a load balancer to mark the appliance down so that new requests are directed to other Unified Access Gateway appliances. Default value is 100%.
- Join CEIP: If enabled, sends Customer Experience Improvement Program ("CEIP") information to VMware. See Join or Leave the Customer Experience Improvement Program for details.
- Enable SNMP: Select YES to enable the SNMP service. Unified Access Gateway uses Simple Network Management Protocol to expose system statistics, memory, and Tunnel edge service MIB information. The available Management Information Bases (MIBs) are:
  - UCD-SNMP-MIB::systemStats
  - UCD-SNMP-MIB::memory
  - VMWARE-TUNNEL-SERVER-MIB::vmwTunnelServerMIB
- SNMP Version: Select the desired SNMP version. Note: If you deployed Unified Access Gateway through PowerShell and enabled SNMP but did not configure SNMPv3 settings, either through PowerShell or the Unified Access Gateway Admin UI, then SNMPv1 and SNMPv2c are used by default. For configuring SNMPv3 settings in the Admin UI, see Configure SNMPv3 Using the Unified Access Gateway Admin UI. For configuring SNMPv3 settings through PowerShell deployment, certain SNMPv3 settings must be added to the INI file. See Using PowerShell to Deploy the Unified Access Gateway Appliance.
- Admin Disclaimer Text: Enter the disclaimer text based on your organization's user agreement policy. To log in to the Unified Access Gateway Admin UI, the administrator must accept the agreement policy. The disclaimer text can be configured either through PowerShell deployment or by using the Unified Access Gateway Admin UI. For more information about the PowerShell setting in the INI file, see Using PowerShell to Deploy the Unified Access Gateway Appliance. When using the Admin UI to configure this text box, the administrator must first log in to the Admin UI and then configure the disclaimer text. On subsequent administrator logins, the text is displayed for the administrator to accept before the login page is shown.
- DNS: Enter Domain Name System server addresses; they are added to the /run/systemd/resolve/resolv.conf configuration file. Each entry must be a valid DNS server address. Click '+' to add a new DNS address.
- DNS Search: Enter Domain Name System search domains; they are added to the /etc/resolv.conf configuration file. Each entry must be a valid DNS search domain. Click '+' to add a new DNS search entry.
- NTP Servers: NTP servers for Network Time Protocol synchronization. You can enter valid IP addresses and host names. Any per-interface NTP servers obtained from the systemd-networkd.service configuration or through DHCP take precedence over these entries. Click '+' to add a new NTP server.
- FallBack NTP Servers: Fallback NTP servers for Network Time Protocol synchronization. If no NTP server information is found, these fallback NTP server host names or IP addresses are used. Click '+' to add a new fallback NTP server.
- SSH Public Keys: Upload public keys to enable root user access to the Unified Access Gateway virtual machine when using the public-private key pair option. Administrators can upload multiple, unique public keys to Unified Access Gateway. This field is visible on the Admin UI only when the following SSH options are set to true during deployment: Enable SSH and Allow SSH root login using key pair. For information about these options, see Deploy Unified Access Gateway Using the OVF Template Wizard.
- Click Save.
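As an added example (not code from VMware or the Unified Access Gateway documentation), the following Python script lints a draft of the System Configuration values above before they are entered in the Admin UI. It checks the constraints this page states: the appliance name rules, that TLS 1.0 and 1.1 stay disabled, that at least one of TLS 1.2 and 1.3 remains enabled, that an empty Allowed Host Headers list accepts any Host header, the 0 to 999 day password-age range, the Maximum Connections per Session threshold that breaks Horizon Client, and that Session Timeout matches the Horizon "Forcibly disconnect users" value. The dictionary keys, the two sample drafts, and the host names and addresses in them are this example's own constructions chosen to mirror the Admin UI labels; they are not UAG INI keys, API field names, or real deployments.

```python
"""Pre-deployment lint for a draft of the UAG System Configuration page.

Added example, not code from VMware or the Unified Access Gateway product.
The dict keys (uag_name, tls10_enabled, ...) are this script's own names,
chosen to mirror the Admin UI labels; they are not UAG INI or API fields.
"""
import re

# Documented constraint: up to 24 characters of A-Z, 0-9, '-' and '.', no spaces.
UAG_NAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,24}$")

# Documented defaults, used when a draft omits a field.
DEFAULTS = {
    "uag_name": "",
    "tls10_enabled": False,
    "tls11_enabled": False,
    "tls12_enabled": True,
    "tls13_enabled": True,
    "allowed_host_headers": [],
    "password_age_days": 90,
    "monitoring_users_password_age_days": 90,
    "max_connections_per_session": 16,
    "session_timeout_ms": 36_000_000,
}


def lint_system_config(draft, horizon_forcibly_disconnect_minutes=None):
    """Return (errors, warnings) for a draft configuration.

    errors:   values the page says are invalid or that break clients
    warnings: values the page accepts but that weaken security
    """
    cfg = {**DEFAULTS, **draft}
    errors, warns = [], []

    if not UAG_NAME_RE.match(cfg["uag_name"]):
        errors.append("uag_name: must be 1-24 characters of A-Z, 0-9, '-' and '.', with no spaces")

    # TLS 1.0 and 1.1 default to NO; turning either on is a protocol downgrade.
    for legacy in ("tls10_enabled", "tls11_enabled"):
        if cfg[legacy]:
            warns.append(f"{legacy}: legacy protocol enabled, keep the default NO unless a client needs it")
    if not (cfg["tls12_enabled"] or cfg["tls13_enabled"]):
        errors.append("tls12_enabled/tls13_enabled: both NO, no current protocol version would be offered")

    # An empty allow-list means any Host header sent by a client is accepted.
    if not cfg["allowed_host_headers"]:
        warns.append("allowed_host_headers: empty, any Host header value from a client is accepted")

    # Password ages are 0..999 days; 0 means the password never expires.
    for field in ("password_age_days", "monitoring_users_password_age_days"):
        age = cfg[field]
        if not isinstance(age, int) or not 0 <= age <= 999:
            errors.append(f"{field}: must be an integer from 0 to 999 days")
        elif age == 0:
            warns.append(f"{field}: 0 means the password never expires")

    # 0 removes the per-session TCP connection limit; 8 or lower breaks Horizon Client.
    conns = cfg["max_connections_per_session"]
    if conns == 0:
        warns.append("max_connections_per_session: 0 means no limit on TCP connections per TLS session")
    elif conns <= 8:
        errors.append("max_connections_per_session: a value of 8 or lower causes Horizon Client errors")

    # Session Timeout (ms) must equal Horizon's Forcibly disconnect users value (minutes).
    if horizon_forcibly_disconnect_minutes is not None:
        expected_ms = horizon_forcibly_disconnect_minutes * 60 * 1000
        if cfg["session_timeout_ms"] != expected_ms:
            errors.append(
                f"session_timeout_ms: {cfg['session_timeout_ms']} does not match Horizon's "
                f"Forcibly disconnect users = {horizon_forcibly_disconnect_minutes} min ({expected_ms} ms)"
            )

    return errors, warns


# Constructed sample drafts for illustration; host names and addresses are placeholders.
WEAK_DRAFT = {
    "uag_name": "uag 01",              # contains a space: rejected
    "tls10_enabled": True,             # legacy protocol enabled
    "allowed_host_headers": [],        # accepts any Host header
    "password_age_days": 0,            # ADMIN password never expires
    "max_connections_per_session": 8,  # documented to break Horizon Client
}

HARDENED_DRAFT = {
    "uag_name": "uag-01.corp.example",
    "allowed_host_headers": ["uag-01.corp.example", "203.0.113.10"],
}

if __name__ == "__main__":
    for label, draft in (("weak", WEAK_DRAFT), ("hardened", HARDENED_DRAFT)):
        # Horizon Forcibly disconnect users set to 600 minutes = 36000000 ms, the UAG default.
        errors, warns = lint_system_config(draft, horizon_forcibly_disconnect_minutes=600)
        print(f"[{label}] {len(errors)} error(s), {len(warns)} warning(s)")
        for line in errors + warns:
            print("  " + line)
```

Run it with the Horizon Connection Server's "Forcibly disconnect users" value (in minutes) so the Session Timeout cross-check is performed; the weak draft reports two errors and three warnings, the hardened draft reports none, and changing the Horizon value to anything other than 600 minutes flags the default 36000000 ms timeout as a mismatch.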
What to do next
Configure the edge service settings for the components that Unified Access Gateway is deployed with. After the edge settings are configured, configure the authentication settings.