The Federal Risk and Management Program (FedRAMP) is a cybersecurity risk management program for cloud products and services used by U.S. federal agencies.

FedRAMP uses the National Institute of Standards and Technology (NIST) guidelines and procedures to provide standardized security requirements for cloud services. In addition, FedRAMP leverages NIST Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, together with its baselines and test cases.

VMware is seeking FedRAMP compliance and certification of Unified Access Gateway with Horizon on Azure GovCloud. This requires a specific configuration.

Prerequisites

  • A FIPS build of the Unified Access Gateway 2207 or later appliance image, used for deployment.
  • A package mirror repository inside the FedRAMP boundary that holds Photon OS packages with security updates, used to apply periodic security fixes to the Unified Access Gateway appliance.
  • A syslog server to receive the audit events forwarded from Unified Access Gateway.
  • NTP servers for time synchronization on Unified Access Gateway.
  • An identity provider with SAML authentication support.
  • VMware Horizon Cloud for Azure GovCloud.

Deploy the FIPS version of Unified Access Gateway 2207 or later on Azure GovCloud with the following configuration.

  1. Configure the OS hardening settings specified in the DISA STIG OS Compliance Guidelines for Unified Access Gateway.
  2. Configure the following parameters based on the requirement.

     Parameter               Description
     sshKeyAccessEnabled     Set to true to enable SSH access using a keypair. The default value is false.
     sshPublicKey1           Configure the SSH public key used for SSH login, if SSH key-based access is enabled.
     (sshPublicKey2, ...)
     osLoginUsername         Enter the high-privileged non-root username used to log in to the Unified Access Gateway OS console. By default, root login is supported.
     osMaxLoginLimit         Enter the maximum number of concurrent login sessions allowed for the non-root user, if one is configured.
  3. Configure TLS server certificates for Unified Access Gateway with RSA key size of 2048 or higher. See the [SSLCert] section in the INI example at Using PowerShell to Deploy the Unified Access Gateway Appliance.
  4. Configure automated package update settings to download and apply the security updates from the packages repository maintained within FedRAMP boundary. See Configure Unified Access Gateway to Automatically Apply Authorized OS Updates and [PackageUpdates] section in the INI example at Using PowerShell to Deploy the Unified Access Gateway Appliance.
  5. Configure the Horizon edge service with the necessary authentication method settings, such as SAML. For more information, see Configuring Horizon for Unified Access Gateway and Third-Party Identity Provider Integration.
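Before running the PowerShell deployment, it is worth checking the INI against the settings listed in the steps above. The following validator is an added example, not VMware's tooling; it assumes the parameters from step 2 live under a [General] section, and the INI content is a constructed sample.

```python
import configparser

# Constructed sample in the shape of a UAG PowerShell-deployment INI.
# Assumption: the step-2 parameters sit under [General]; [SSLCert] and
# [PackageUpdates] are the section names the steps above reference.
SAMPLE_INI = """
[General]
name=uag-fedramp-01
sshEnabled=true
sshKeyAccessEnabled=true
sshPublicKey1=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ...constructed... uag-admin
osLoginUsername=uagadmin
osMaxLoginLimit=2

[SSLCert]
[PackageUpdates]
"""

def check_fedramp_settings(ini_text: str) -> list:
    """Return a list of findings for the INI; an empty list means it passes."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str            # UAG parameter names are mixed-case; keep them
    cp.read_string(ini_text)
    findings = []
    g = cp["General"] if cp.has_section("General") else {}

    # SSH key-based access: if enabled, at least one sshPublicKeyN must be set.
    key_access = (g.get("sshKeyAccessEnabled", "false") or "").strip().lower()
    if key_access not in ("true", "false"):
        findings.append("sshKeyAccessEnabled must be true or false")
    elif key_access == "true" and not any(
            k.startswith("sshPublicKey") and (g[k] or "").strip() for k in g):
        findings.append("sshKeyAccessEnabled=true but no sshPublicKeyN configured")

    # OS console login: a named non-root account, not the default root login.
    user = (g.get("osLoginUsername", "") or "").strip()
    if not user:
        findings.append("osLoginUsername not set; console login defaults to root")
    elif user == "root":
        findings.append("osLoginUsername must be a non-root account")

    # Concurrent session cap for that account must be a positive integer.
    if user and user != "root":
        limit = (g.get("osMaxLoginLimit", "") or "").strip()
        if not limit.isdigit() or int(limit) < 1:
            findings.append("osMaxLoginLimit must be a positive integer")

    # Steps 3 and 4 require these INI sections to be present.
    for section in ("SSLCert", "PackageUpdates"):
        if not cp.has_section(section):
            findings.append(f"[{section}] section missing")
    return findings
```

The check covers only the parameters named on this page; the RSA key size in [SSLCert] and the repository URL in [PackageUpdates] still need to be verified against the certificate and the mirror itself.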