Security Settings for Unified Access Gateway

This section covers the security settings configured for Unified Access Gateway.

The following table lists the TLS configuration for the main Unified Access Gateway HTTP Port 443 on the standard (non-FIPS) Unified Access Gateway. The FIPS version of Unified Access Gateway uses more limited set of ciphers and TLS versions. The TLS settings are configured in System Settings and are applicable to the Horizon Edge service and the Web Reverse Proxy Edge service.

Note: TLS settings for VMware Tunnel, Content Gateway, and Secure Email Gateway Edge services are configured separately in Workspace ONE UEM Console.

Table 1. TLS Configuration for Unified Access Gateway HTTP Port 443
TLS Versions	TLS Ciphers	TLS Elliptic Curves/Named Groups	TLS Server Certificates
Unified Access Gateway supports the following TLS versions on the HTTPS 443 interface. `TLS 1.3` `TLS 1.2` `TLS 1.1` `TLS 1.0` The default is for support of `TLS 1.3` and `TLS 1.2` only. VMware recommends to activate other versions only if required.	Unified Access Gateway supports the following default TLS ciphers on the HTTPS 443 interface. The cipher list is configurable. TLS 1.3 `TLS_AES_128_GCM_SHA256` `TLS_AES_256_GCM_SHA384` `TLS_CHACHA20_POLY1305_SHA256` TLS 1.2 `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`	`P-256 (secp256r1)` (256 bits) `P-384 (secp384r1)` (384 bits) `P-521 (secp521r1)` (521 bits) `X25519` (253 bits)	By default, Unified Access Gateway will generate self signed SSL server certificates. VMware strongly recommends to replace with trusted Certificate Authority (CA) signed certificates appropriate for the production environment. The trusted CA signed certificates can be specified during deployment of Unified Access Gateway.

SSH

By default, root console access to Unified Access Gateway using the SSH protocol is deactivated. You can activate SSH access using the password access or the SSH keys or both. If required, it can be limited to access on individual NICs.

By restricting SSH access to specific NICs, it is also possible to use a jumpbox and ensure limited access to that jumpbox.

Compliance

Security Technical Implementation Guides (STIGs)

Unified Access Gateway supports configuration settings to allow Unified Access Gateway to comply with the Photon 3 DISA STIG. For this compliance, the FIPS version of Unified Access Gateway must be used and specific configuration settings are applied at deploy time. For more information about the configuration settings, see DISA STIG OS Compliance Guidelines for Unified Access Gateway in the Deploying and Configuring VMware Unified Access Gateway Guide at VMware Docs.

FedRAMP Compliance

The Federal Risk and Management Program (FedRAMP) is a cyber security risk management program for the use of cloud products and services used by U.S. federal agencies. FedRAMP uses the National Institute of Standards and Technology’s (NIST) guidelines and procedures to provide standardized security requirements for cloud services. Specifically, FedRAMP leverages NIST’s Special Publication [SP] 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations series, the baselines and test cases.

VMware is seeking FedRAMP compliance and certification of Unified Access Gateway with Horizon on Azure GovCloud. This requires specific configuration. For more information about the configuration settings, see FedRAMP Guidelines for Unified Access Gateway in the Deploying and Configuring VMware Unified Access Gateway Guide at VMware Docs.