Unified Access Gateway 2203 | 29 MAR 2022
Check for additions and updates to these release notes.
For more information about these features, see the Documentation Center.
VMware Unified Access Gateway 2203 provides the following new features and enhancements:
- Added support for Horizon SAML authentication flows in the FIPS version of Unified Access Gateway. Earlier versions supported Horizon SAML authentication only for the standard version.
- Improved protection against URL path traversal for Horizon and Web Reverse Proxy, based on proxy pattern definitions, together with a new configuration setting to enable canonical proxy pattern matching.
- The OPSWAT endpoint compliance feature now supports optional flag values to determine how the downloaded on-demand OPSWAT agent is run. This is supported by newer 2203 Windows Horizon Clients and can allow control of whether downloaded code runs on the client in the context of the user or system.
- The CSRF feature for Horizon HTML Access introduced in Horizon 2006 did not support the combination of a pre-login message configured on Connection Server with Multi-Factor authentication configured on Unified Access Gateway. Unified Access Gateway 2203 now includes the CSRF protection requirements to support this combination.
- Improved logging and communication of analysis data to Horizon brokers for cases where a Horizon Client is detected as idle, and for cases where misrouting of Horizon Client protocols occurs.
- Improved audit logging when trusted certificates are added by the administrator. This includes comprehensive logging of the certificate details.
- Unified Access Gateway syslog events can now be sent to an MQTT server using the MQTT IoT messaging protocol. This is in addition to existing support for standard syslog protocols using UDP, TCP or TLS. The Syslog Admin UI has also been improved to simplify configurations where multiple syslog and/or MQTT servers are used.
- The UAG stats monitoring API now provides information on Unified Access Gateway uptime and version number.
- Improved control over proxyPattern configuration for Horizon. This makes it possible to block Horizon Webclient reverse proxy forwarding to the Horizon broker if required. If the Horizon edge service proxyPattern is configured with an empty expression "()", then requests to Horizon Webclient with /portal URLs are blocked. This does not affect native Horizon Clients. By default, the proxyPattern for Horizon includes /portal to allow the use of the Horizon HTML Access Webclient.
- The Update Interval in Workspace ONE Intelligence Data settings is now pre-populated with the default value.
- Console root login idle time auto-disconnect value is now configurable.
- The Horizon Client HTTP 307 redirect feature now allows TCP port number to be used in addition to FQDN and IP address.
- Added automatic disk space monitoring so that syslog events are automatically sent if disk usage is excessively high.
- General improvements to the functionality for forwarding data to Workspace ONE Intelligence.
- Enhanced certificate-based authentication for Content Gateway Repository to support all Active Directory (AD) entities. Earlier versions supported only UPN.
- TLS_RSA ciphers have been removed by default on the Secure Email Gateway (SEG) service.
- Updates to Photon OS package versions and Java component versions. These updates include OpenSSL version updates to remediate a potential non-critical DoS attack vulnerability, CVE-2022-0778.
The Unified Access Gateway user interface, online help, and product documentation are available in Japanese, French, German, Spanish, Brazilian Portuguese, Simplified Chinese, Traditional Chinese, and Korean. For the complete documentation, go to the Documentation Center.
Lifecycle Support Policy
Installation and Upgrade
There are several resources that help you learn and understand Unified Access Gateway. For more information, see these information resources.
Tunnel service on Unified Access Gateway 2111 causes error “AllowListManager Query returns Bad Response” impacting access for devices. For more information, see https://kb.vmware.com/s/article/88753.
Workaround: Use the 2203.1 or later version.
- Smart Card/CAC certificate authentication could not be used on FIPS Unified Access Gateway versions 2111(.x).
- The admin interface on TCP port 9443 was not accessible by FQDN on FIPS Unified Access Gateway versions 2111(.x) and only worked if accessing the interface by IP address.
- A compatibility issue with the Unified Access Gateway Web Reverse Proxy service which affected large file uploads to Bitnami/Drupal web servers.
- Some log files used by the Content Gateway service were not previously configured for automatic log rotation.
- Resolved compatibility issue with the VMware Tunnel service and on-premise UEM API load balancing.