This section covers the security settings configured for Unified Access Gateway.
The following table lists the TLS configuration for the main Unified Access Gateway HTTPS port 443 on the standard (non-FIPS) Unified Access Gateway. The FIPS version of Unified Access Gateway uses a more limited set of ciphers and TLS versions. The TLS settings are configured in System Settings and apply to the Horizon Edge service and the Web Reverse Proxy Edge service.
| TLS Versions | TLS Ciphers | TLS Elliptic Curves/Named Groups | TLS Server Certificates |
|---|---|---|---|
| Unified Access Gateway supports the following TLS versions on the HTTPS 443 interface. The default is for support of | Unified Access Gateway supports the following default TLS ciphers on the HTTPS 443 interface. The cipher list is configurable. | | By default, Unified Access Gateway generates self-signed SSL server certificates. VMware strongly recommends replacing them with certificates signed by a trusted Certificate Authority (CA) that are appropriate for the production environment. The trusted CA-signed certificates can be specified during deployment of Unified Access Gateway. |
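After deployment, an administrator will usually want to confirm from the outside that the port 443 listener accepts only the intended TLS versions and presents a CA-signed rather than the default self-signed certificate. The script below is an added example written for this page; it is not VMware code and does not read the appliance's System Settings. It probes one protocol version per handshake using only the Python standard library, then performs a normal verified handshake against the local CA store and classifies the failure reason. The host name `uag.example.internal` is a placeholder, and the policy that TLS 1.0 and 1.1 are deprecated (RFC 8996) is the example's own assumption, not a statement of which versions the appliance enables.

```python
"""External TLS check for a Unified Access Gateway HTTPS 443 interface.

Added example, not part of the VMware documentation. Host name and the
deprecated-version policy are assumptions of this example.
"""
import socket
import ssl
import sys

# Protocol versions probed, oldest first. TLS 1.0 and 1.1 are deprecated by
# RFC 8996; a hardened listener should refuse them.
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
DEPRECATED = {"TLSv1.0", "TLSv1.1"}

# OpenSSL verify result codes that mean "self-signed":
# 18 = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, 19 = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
SELF_SIGNED_CODES = {18, 19}


def probe_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`.

    Caveat: an OpenSSL build with TLS 1.0/1.1 compiled out cannot offer them,
    so a False result for those versions may reflect the client, not the server.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # fingerprinting only, no trust decision
        ctx.minimum_version = version
        ctx.maximum_version = version
        try:
            # Lower the security level so old suites can be offered where allowed.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False


def classify_verify_error(code, message):
    """Map an OpenSSL verify code to a human-readable finding."""
    if code in SELF_SIGNED_CODES:
        return f"self-signed certificate presented (OpenSSL code {code}: {message})"
    return f"certificate not trusted (OpenSSL code {code}: {message})"


def check_trust(host, port, timeout=5.0):
    """(trusted, reason): verify the chain the way a default client would."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True, "chain verified against the local CA store"
    except ssl.SSLCertVerificationError as e:
        return False, classify_verify_error(e.verify_code, e.verify_message)
    except (ssl.SSLError, OSError) as e:
        return False, f"handshake failed: {e}"


def assess(accepted):
    """Turn {version_name: accepted_bool} into a list of findings (empty = clean)."""
    findings = []
    enabled = [name for name, ok in accepted.items() if ok]
    if not enabled:
        findings.append("no probed TLS version accepted; check host/port or the client OpenSSL build")
    for name in enabled:
        if name in DEPRECATED:
            findings.append(f"{name} accepted: deprecated (RFC 8996), disable it")
    if enabled and "TLSv1.2" not in enabled and "TLSv1.3" not in enabled:
        findings.append("neither TLS 1.2 nor TLS 1.3 accepted")
    return findings


def audit(host, port=443):
    """Run all probes and return (accepted_map, findings, trusted, reason)."""
    accepted = {name: probe_version(host, port, ver) for name, ver in VERSIONS}
    trusted, reason = check_trust(host, port)
    return accepted, assess(accepted), trusted, reason


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "uag.example.internal"  # placeholder host
    accepted, findings, trusted, reason = audit(target)
    for name, ok in accepted.items():
        print(f"{name}: {'accepted' if ok else 'refused'}")
    print("certificate trusted:", trusted, "-", reason)
    for f in findings:
        print("FINDING:", f)
```

Run it as `python3 uag_tls_check.py uag.example.internal` from a host that can reach the appliance. A self-signed default certificate shows up as OpenSSL verify code 18 in the trust line, which is the signal that the CA-signed certificate still needs to be supplied at deployment.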
By default, root console access to Unified Access Gateway over SSH is deactivated. You can activate SSH access using password authentication, SSH keys, or both. If required, SSH access can be limited to individual NICs.
By restricting SSH access to specific NICs, it is also possible to route administrative access through a jumpbox and ensure that access to that jumpbox is itself limited.
Security Technical Implementation Guides (STIGs)
Unified Access Gateway supports configuration settings to allow Unified Access Gateway to comply with the Photon 3 DISA STIG. For this compliance, the FIPS version of Unified Access Gateway must be used and specific configuration settings are applied at deploy time. For more information about the configuration settings, see DISA STIG OS Compliance Guidelines for Unified Access Gateway in the Deploying and Configuring VMware Unified Access Gateway Guide at VMware Docs.
NIAP CSfC Guidelines for Unified Access Gateway when used with Horizon
The US National Security Agency (NSA) has developed, approved, and published solution-level specifications called Capability Packages (CPs). In addition to the CPs, the NSA and the National Information Assurance Partnership (NIAP) work with technical communities from across industry, government, and academia to develop, maintain, and publish product-level security requirements called Protection Profiles (PPs).
The NSA/CSS (Central Security Service) Commercial Solutions for Classified (CSfC) Program was established to allow commercial products to be used in layered solutions that protect classified National Security Systems (NSS) data.
VMware is seeking NIAP/CSfC validation and certification of Unified Access Gateway with Horizon using the CSfC Selections for Transport Layer Security (TLS) Protected Servers. This validation requires specific configuration in the Unified Access Gateway appliance which is necessary for the NIAP/CSfC operation. For more information about the configuration settings, see NIAP CSfC Guidelines for Unified Access Gateway when used with Horizon in the Deploying and Configuring VMware Unified Access Gateway Guide at VMware Docs.
The Federal Risk and Authorization Management Program (FedRAMP) is a cybersecurity risk management program for cloud products and services used by U.S. federal agencies. FedRAMP uses the National Institute of Standards and Technology's (NIST) guidelines and procedures to provide standardized security requirements for cloud services. Specifically, FedRAMP leverages NIST Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, together with its baselines and test cases.
VMware is seeking FedRAMP compliance and certification of Unified Access Gateway with Horizon on Azure GovCloud. This requires specific configuration of the appliance. For more information about the configuration settings, see FedRAMP Guidelines for Unified Access Gateway in the Deploying and Configuring VMware Unified Access Gateway Guide at VMware Docs.