You can deploy Unified Access Gateway with Horizon Cloud with On-Premises Infrastructure and Horizon Air cloud infrastructure. In a Horizon deployment, the Unified Access Gateway appliance replaces the Horizon security server.

Prerequisites

If you want to have both Horizon and a web reverse proxy instance such as Workspace ONE Access configured and enabled on the same Unified Access Gateway instance, see Advanced Edge Service Settings.

Procedure

  1. In the admin UI Configure Manually section, click Select.
  2. In the General Settings > Edge Service Settings, click Show.
  3. Click the Horizon Settings gearbox icon.
  4. In the Horizon Settings page, turn on the Enable Horizon toggle to enable Horizon settings.
  5. Configure the following edge service settings for Horizon. Each option is listed with its description:

    Identifier

    Set by default to Horizon. Unified Access Gateway can communicate with servers that use the Horizon XML protocol, such as Horizon Connection Server, Horizon Air, and Horizon Cloud with On-Premises Infrastructure.

    Connection Server URL

    Enter the address of the Horizon server or load balancer. Enter as https://00.00.00.00.

    Connection Server URL Thumbprint

    Note:

    You must specify a thumbprint only if the connection server SSL server certificate is not issued by a trusted CA. For example, a self-signed certificate or a certificate issued by an internal CA.

    Enter the list of Horizon server thumbprints in hexadecimal digit format.

    A thumbprint has the format [alg=]xx:xx..., where alg can be sha1 (the default), sha256, sha384, sha512, or md5, and each xx is a pair of hexadecimal digits. The hash algorithm must meet the requirements specified for the minimum hash size. If multiple thumbprints are added, separate them with commas. Within a thumbprint, the digit pairs can be separated by a space, a colon (:), or no separator.

    For example, sha1=C3 89 A2 19 DC 7A 48 2B 85 1C 81 EC 5E 8F 6A 3C 33 F2 95 C3, sha256=ad:5c:f1:48:47:94:7e:80:82:73:13:6c:83:52:be:78:ed:ff:50:23:56:a8:42:8a:d9:30:fc:3a:33:d6:c6:db, sha512=2221B24DC78018A8FAFF81B7AD348722390793DE8C0E5E5AA1D622BCC951D4DA5DBB1C76C79A258A7AFBD1727447151C90E1733E7E83A7D1D46ADF1A31C78496.

    Certificate thumbprints can be configured for certificate validation for the server certificate returned in communication between Unified Access Gateway and Horizon Connection Server.

    This option can be configured during PowerShell deployment by adding the proxyDestinationUrlThumbprints parameter in the [Horizon] section in the ini file. See Using PowerShell to Deploy the Unified Access Gateway Appliance.
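    The following Python is an added example, not code from this page or from Unified Access Gateway. It parses a thumbprint list in the [alg=]xx:xx... format described above (default algorithm sha1; space, colon or no separator; comma-separated entries), rejects entries whose digest length does not fit the algorithm, and checks a certificate's digest against the list. The certificate bytes are a constructed stand-in and the function names are assumptions.

```python
from __future__ import annotations

import hashlib
import re

# Digest size in bytes for each algorithm the thumbprint field accepts.
DIGEST_LEN = {"md5": 16, "sha1": 20, "sha256": 32, "sha384": 48, "sha512": 64}

# Constructed stand-in for a Connection Server certificate in DER form; a real
# check would hash the DER bytes of the certificate the server presents.
SAMPLE_CERT_DER = b"constructed sample certificate bytes, not a real certificate"


def parse_thumbprint(entry: str) -> tuple[str, str]:
    """Parse one '[alg=]xx:xx...' entry into (algorithm, lowercase hex digest).

    The algorithm prefix is optional and defaults to sha1. Hex digit pairs may be
    separated by colons, spaces or nothing at all. Raises ValueError on an unknown
    algorithm, a non-hex character or a digest of the wrong length for the
    algorithm, which is the defect a mistyped entry usually has.
    """
    entry = entry.strip()
    alg, sep, hexpart = entry.partition("=")
    if not sep:                       # no prefix given: default algorithm
        alg, hexpart = "sha1", entry
    alg = alg.strip().lower()
    if alg not in DIGEST_LEN:
        raise ValueError(f"unsupported thumbprint algorithm: {alg!r}")
    digest = re.sub(r"[\s:]", "", hexpart).lower()
    if not re.fullmatch(r"[0-9a-f]*", digest):
        raise ValueError(f"non-hex character in thumbprint: {entry!r}")
    if len(digest) != 2 * DIGEST_LEN[alg]:
        raise ValueError(f"{alg} thumbprint needs {2 * DIGEST_LEN[alg]} hex "
                         f"digits, got {len(digest)}: {entry!r}")
    return alg, digest


def parse_thumbprint_list(value: str) -> list[tuple[str, str]]:
    """Parse the comma-separated list used for proxyDestinationUrlThumbprints."""
    return [parse_thumbprint(e) for e in value.split(",") if e.strip()]


def thumbprint_error(entry: str) -> str | None:
    """Return the validation error for one entry, or None when it is valid."""
    try:
        parse_thumbprint(entry)
    except ValueError as exc:
        return str(exc)
    return None


def thumbprint_for(cert_der: bytes, alg: str = "sha256") -> str:
    """Format a certificate's digest as an 'alg=xx:xx:...' entry."""
    hexdigest = hashlib.new(alg, cert_der).hexdigest()
    pairs = ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
    return f"{alg}={pairs}"


def certificate_matches(cert_der: bytes, value: str) -> bool:
    """True if the certificate's digest matches any thumbprint in the list."""
    return any(hashlib.new(alg, cert_der).hexdigest() == digest
               for alg, digest in parse_thumbprint_list(value))


if __name__ == "__main__":
    configured = thumbprint_for(SAMPLE_CERT_DER) + ", " + thumbprint_for(
        b"constructed bytes of a second, older certificate", "sha1")
    print("configured:", configured)
    print("server cert accepted:", certificate_matches(SAMPLE_CERT_DER, configured))
    print("bad entry:", thumbprint_error("sha256=ab:cd"))
```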

    Honor Connection Server Redirect

    When the Horizon broker sends an HTTP redirect 307 response code and the Honor Connection Server Redirect toggle is turned on, Unified Access Gateway communicates with the URL specified in the 307 response location header for the current and future requests in the session.

    If the Enable Host Redirection check box is selected on Connection Server, ensure that the Honor Connection Server Redirect toggle is turned on in Unified Access Gateway. For more information, see Enable Host Redirection in the Horizon Installation and Upgrade Guide at VMware Docs.

    Enable PCOIP

    Turn on this toggle to enable the PCoIP Secure Gateway.

    Disable PCOIP Legacy Certificate

    Turn on this toggle to use the uploaded SSL server certificate instead of the legacy certificate. Legacy PCoIP clients do not work when this toggle is turned on.

    PCOIP External URL

    URL used by Horizon clients to establish the Horizon PCoIP session to this Unified Access Gateway appliance. It must contain an IPv4 address and not a hostname. For example, 10.1.2.3:4172. The default is the Unified Access Gateway IP address and port 4172.

    Enable Blast

    Turn on this toggle to use the Blast Secure Gateway.

    Blast External URL

    URL used by Horizon clients to establish the Horizon Blast or BEAT session to this Unified Access Gateway appliance. For example, https://uag1.myco.com or https://uag1.myco.com:443.

    If the TCP port number is not specified, the default TCP port is 8443. If the UDP port number is not specified, the default UDP port is also 8443.

    Blast Reverse Connection Enabled

    Turn on this toggle to enable Blast Reverse Connection.

    Restriction: This toggle is added for a future use case.

    Connection Server IP mode

    Indicates the IP mode of a Horizon Connection Server.

    This field can have the following values: IPv4, IPv6, and IPv4+IPv6.

    Default is IPv4.

    • If all NICs in the Unified Access Gateway appliance are in IPv4 mode (no IPv6 mode), then this field can have one of the following values: IPv4 or IPv4+IPv6 (mixed mode).

    • If all NICs in the Unified Access Gateway appliance are in IPv6 mode (no IPv4 mode), then this field can have one of the following values: IPv6 or IPv4+IPv6 (mixed mode).

    Client Encryption Mode

    Indicates the mode of encryption for communications between Horizon Client, Unified Access Gateway, and Horizon Connection Server.

    The values for this option are DISABLED, ALLOWED, and REQUIRED. The default value is ALLOWED.

    • DISABLED - Client Encryption Mode option is disabled.

      When disabled, the existing behavior continues. In Unified Access Gateway versions earlier than 2111, non-encrypted communication is allowed between Horizon Client, Unified Access Gateway, and Horizon Connection Server.

    • ALLOWED - With Horizon Client 2111 or later, Unified Access Gateway allows only encrypted communication with Horizon Client and Horizon Connection Server.

      With earlier versions of Horizon Client, non-encrypted communication is allowed. This behavior is similar to when the feature is disabled.

    • REQUIRED - Only encrypted communication is allowed between the three components.

      Note: If an earlier version of Horizon Client is used in this encrypted mode, then the non-encrypted communication fails and the end user is unable to launch the Horizon desktops and applications.

    Enable XML Signing

    Indicates the mode of XML signing. The values for this option are AUTO, ON, and OFF. By default, XML signing is turned off.
    Restriction: This toggle is added for a future use case.

    Re-Write Origin Header

    If an incoming request to Unified Access Gateway has the Origin header and the Re-Write Origin Header toggle is turned on, Unified Access Gateway rewrites the Origin header with the Connection Server URL.

    The Re-Write Origin Header toggle works alongside the checkOrigin CORS property of the Horizon Connection Server. When this toggle is turned on, the Horizon administrator no longer needs to list the Unified Access Gateway IP addresses in the locked.properties file.

    For information about Origin Checking, see Horizon Security documentation.

  6. To configure the authentication method rule and other advanced settings, click More. Each option is listed with its description:

    Auth Methods

    The default is to use pass-through authentication of the user name and password.

    The following authentication methods are supported: Passthrough, SAML, SAML and Passthrough, SAML and Unauthenticated, SecurID, SecurID and Unauthenticated, X.509 Certificate, X.509 Certificate and Passthrough, Device X.509 Certificate and Passthrough, RADIUS, RADIUS and Unauthenticated, and X.509 Certificate or RADIUS.

    Important:

    If you have chosen any of the Unauthenticated methods as the auth method, ensure that you set the Login Deceleration Level in the Horizon Connection Server to Low. This setting is necessary to avoid long login delays for endpoints accessing the remote desktop or application.

    For more information about how to configure Login Deceleration Level, see Configure Login Deceleration for Unauthenticated Access to Published Applications in the Horizon Administration Guide at VMware Docs.

    Enable Windows SSO

    This toggle can be used when Auth Methods is set to RADIUS and when the RADIUS passcode is the same as the Windows domain password.

    Turn on this toggle to use the RADIUS username and passcode for the Windows domain login credentials to avoid the need to prompt the user again.

    If Horizon is set up in a multi-domain environment and the user name provided does not contain a domain name, then no domain is sent to the Connection Server.

    If a NameID suffix is configured and the user name provided does not contain a domain name, then the configured NameID suffix value is appended to the user name. For example, if a user provides jdoe as the user name and NameIDSuffix is set to @north.int, the user name sent is jdoe@north.int.

    If a NameID suffix is configured and the user name provided is in UPN format, the NameID suffix is ignored. For example, if a user provides jdoe@north.int and NameIDSuffix is set to @south.int, the user name sent is jdoe@north.int.

    If the username provided is in the format <DomainName\username>, for example, NORTH\jdoe, Unified Access Gateway sends the username and domain name separately to CS.

    RADIUS Class Attributes

    This field is enabled when Auth Methods is set to RADIUS. Click '+' to add a value for the class attribute. Enter the name of the class attribute to be used for user authentication. Click '-' to remove a class attribute.

    Note:

    If this field is left blank, then the additional authorization is not performed.

    Disclaimer Text

    The Horizon disclaimer message that is displayed to, and must be accepted by, the user when an Auth Method is configured.

    Smart Card Hint Prompt

    Turn on this toggle to enable password hint for certificate authentication.

    Health Check URI Path

    The URI path for the connection server that Unified Access Gateway connects to, for health status monitoring.

    Enable UDP Server

    Connections are established through the UDP Tunnel server when the network quality is poor.

    When the Horizon Client sends requests through the UDP, Unified Access Gateway receives the source IP address of these requests as 127.0.0.1. Unified Access Gateway sends the same source IP address to the Horizon Connection Server.

    To ensure that the Connection Server receives the actual source IP address of the request, you must disable this option (Enable UDP Server) in the Unified Access Gateway admin UI.

    Blast Proxy Certificate

    Proxy certificate for Blast. Click Select to upload a certificate in the PEM format and add to the BLAST trust store. Click Change to replace the existing certificate.

    If the user manually uploads the same certificate for the Unified Access Gateway to the load balancer and needs to use a different certificate for Unified Access Gateway and Blast Gateway, establishing a Blast desktop session would fail as the thumbprint between the client and the Unified Access Gateway does not match. The custom thumbprint input to Unified Access Gateway or Blast Gateway resolves this by relaying the thumbprint to establish the client session.

    Blast Allowed Host Header Values

    Enter an IP address or a host name.

    By specifying a host header value, BSG (Blast Secure Gateway) allows only those requests that contain the specified host header value.

    A list of comma-separated values in the host[:port] format can be specified. The value can be an IP address, host name, or an FQDN name.

    The host header in the incoming Blast TCP port 8443 connection request to Blast Secure Gateway must match one of the values provided in the field.

    To allow a request that has no host name or IP address in the host header, use _empty_.

    If no value is specified, then any host header sent by the Horizon Client is accepted.
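    The following Python is an added example, not code from this page or from Unified Access Gateway. It applies the three rules above to a request's Host header: an empty field accepts any header, _empty_ accepts a missing or blank header, and otherwise the header must equal one of the listed host[:port] values. Exact matching and case-insensitive comparison of the listed values are assumptions, and the sample field and headers are constructed.

```python
from __future__ import annotations

# Special value that allows a request whose Host header is missing or empty.
EMPTY_SENTINEL = "_empty_"


def parse_allowed_hosts(field: str) -> list[str]:
    """Parse the comma-separated host[:port] list into normalised entries.

    Entries are lower-cased (assumption: host names compare case-insensitively;
    a port, being digits, is unaffected) and blank entries are dropped.
    """
    return [v.strip().lower() for v in field.split(",") if v.strip()]


def host_header_allowed(header: str | None, field: str) -> bool:
    """Decide whether a Blast request's Host header passes the configured list.

    Rules from the field description: an empty field accepts any header; a
    missing or blank header is accepted only when the list contains _empty_;
    otherwise the header must equal one of the listed host[:port] values.
    """
    allowed = parse_allowed_hosts(field)
    if not allowed:
        return True
    if header is None or not header.strip():
        return EMPTY_SENTINEL in allowed
    return header.strip().lower() in allowed


# Constructed sample of a configured field and of headers the gateway might see.
SAMPLE_FIELD = "uag1.myco.com:8443, 10.1.2.3:8443, _empty_"

if __name__ == "__main__":
    for host in ["uag1.myco.com:8443", "UAG1.MYCO.COM:8443", "", None,
                 "uag1.myco.com", "other.example.net:8443"]:
        print(repr(host), "->", host_header_allowed(host, SAMPLE_FIELD))
```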

    Enable Tunnel

    If the Horizon secure tunnel is used, turn on this toggle. The client uses the external URL for tunnel connections through the Horizon Secure Gateway. The tunnel is used for RDP, USB, and multimedia redirection (MMR) traffic.

    Tunnel External URL

    URL used by Horizon clients to establish the Horizon Tunnel session to this Unified Access Gateway appliance. For example, https://uag1.myco.com or https://uag1.myco.com:443.

    If the TCP port number is not specified, the default TCP port is 443.

    Tunnel Proxy Certificate

    Proxy certificate for Horizon Tunnel. Click Select to upload a certificate in the PEM format and add to the Tunnel trust store. Click Change to replace the existing certificate.

    If the user manually uploads the same certificate for the Unified Access Gateway to the load balancer and needs to use a different certificate for Unified Access Gateway and Horizon Tunnel, establishing a Tunnel session would fail as the thumbprint between the client and the Unified Access Gateway does not match. The custom thumbprint input to Unified Access Gateway or Horizon Tunnel resolves this by relaying the thumbprint to establish the client session.

    Endpoint Compliance Check Provider

    Select the endpoint compliance check provider.

    Default is None.

    Note:

    Only when the compliance check provider settings are configured in the admin UI, you can see the options available for selection. For more information about the endpoint compliance check providers and their configuration, see Endpoint Compliance Checks for Horizon.

    Compliance Check on Authentication

    Option to disable or enable the endpoint compliance check at user authentication.

    Compliance is always checked when a user starts a desktop or application session. When this option is enabled, compliance is also checked after the user authenticates successfully. If this option is enabled and the compliance check fails at authentication time, then the user session does not continue.

    If the option is disabled, Unified Access Gateway only checks compliance when a user starts a desktop or application session.

    This option is available only when an endpoint compliance check provider is selected. By default, this option is enabled.

    Attention:

    If you have configured the Compliance Check Initial Delay option on the Endpoint Compliance Check Provider Settings page, Compliance Check on Authentication is automatically disabled. Unified Access Gateway does not check compliance on authentication. For more information about the time interval and the behavior of Unified Access Gateway when this time interval is configured, see Time Interval for Delaying Compliance Check.

    This option is also present as a parameter in the [Horizon] section in the .ini file and can be configured during deployment using PowerShell. For the parameter name, see Using PowerShell to Deploy the Unified Access Gateway Appliance.

    Proxy Pattern

    Enter the regular expression that matches the URIs that are related to the Horizon Server URL (proxyDestinationUrl). It has a default value of (/|/view-client(.*)|/portal(.*)|/appblast(.*)).

    Note:

    The pattern can also be used to exclude certain URLs. For example, to allow all URLs through but block /admin, you can use the following expression: ^/(?!admin(.*))(.*)

    SAML SP

    Enter the name of the SAML service provider for the Horizon XMLAPI broker. This name must either match the name of a configured service provider metadata or be the special value DEMO.

    Enable Proxy Pattern Canonical Match

    Turn on this toggle to enable Horizon canonical match. Unified Access Gateway performs the equivalent of the C realpath() function to normalize the URL, converting character sequences such as %2E and removing .. sequences to create an absolute path. The proxy pattern check is then applied to the absolute path.

    By default, this toggle is turned on for Horizon edge services.

    Note:

    By default, this toggle is turned off for Web Reverse Proxy services.
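    The following Python is an added example, not code from this page or from Unified Access Gateway, that approximates the canonical match and applies both proxy patterns given above (the default Horizon pattern and the ^/(?!admin(.*))(.*) exclusion) to request paths. It shows why the pattern must be checked against the normalized path: with the raw path, a request that still contains .. or %2E-style encoding can match an allowed prefix even though its absolute path is excluded. Whole-path matching (fullmatch) and the decode-then-normalize order are assumptions about how the appliance applies the pattern.

```python
from __future__ import annotations

import posixpath
import re
from urllib.parse import unquote, urlsplit

# Patterns as given in the Proxy Pattern option description.
DEFAULT_HORIZON_PATTERN = r"(/|/view-client(.*)|/portal(.*)|/appblast(.*))"
BLOCK_ADMIN_PATTERN = r"^/(?!admin(.*))(.*)"


def canonical_path(raw_path: str) -> str:
    """Normalise a request path roughly the way a realpath()-style pass would.

    Percent-encoded characters such as %2E are decoded and '.' / '..' segments
    are collapsed so the pattern check sees an absolute path. Decoding repeats
    until stable, so a double-encoded sequence (%252E) does not survive either.
    This is an approximation of the appliance's behaviour, not its code.
    """
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if not path.startswith("/"):
        path = "/" + path
    # posixpath.normpath collapses '.', '..' and repeated slashes.
    return posixpath.normpath(path)


def request_allowed(request_target: str, pattern: str, canonical: bool = True) -> bool:
    """Return True if the request path is accepted by the proxy pattern.

    The pattern must match the whole path (fullmatch). With canonical=False the
    raw path is checked instead, which is the weaker check the toggle avoids.
    """
    path = urlsplit(request_target).path or "/"
    if canonical:
        path = canonical_path(path)
    return re.fullmatch(pattern, path) is not None


if __name__ == "__main__":
    # Constructed request paths; the last two are only accepted on the raw path.
    for target in ["/portal/index.html", "/admin", "/portal/../admin", "/%61dmin"]:
        print(f"{target:22} default raw={request_allowed(target, DEFAULT_HORIZON_PATTERN, False)!s:5} "
              f"canonical={request_allowed(target, DEFAULT_HORIZON_PATTERN)!s:5} "
              f"block-admin raw={request_allowed(target, BLOCK_ADMIN_PATTERN, False)!s:5} "
              f"canonical={request_allowed(target, BLOCK_ADMIN_PATTERN)}")
```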

    Logout on Certificate Removal

    Note:

    This option is available when any of the smart card authentication methods is selected as an Auth Method.

    If this toggle is turned on and the smart card is removed, the end user is forced to log out from the Unified Access Gateway session.

    User name label for RADIUS

    Enter text to customize the user name label in the Horizon client. For example, Domain Username.

    RADIUS authentication method must be enabled. To enable RADIUS, see Configure RADIUS Authentication.

    The default label name is Username.

    Maximum length of label name is 20 characters.

    Passcode label for RADIUS

    Enter a name to customize the passcode label in the Horizon client. For example, Password.

    RADIUS authentication method must be enabled. To enable RADIUS, see Configure RADIUS Authentication.

    The default label name is Passcode.

    Maximum length of label name is 20 characters.

    Match Windows User Name

    Turn on this toggle to match the RSA SecurID and Windows user names. When turned on, securID-auth is set to true and matching of the SecurID and Windows user names is enforced.

    If Horizon is set up in a multi-domain environment and the user name provided does not contain a domain name, then no domain is sent to the Connection Server.

    If a NameID suffix is configured and the user name provided does not contain a domain name, then the configured NameID suffix value is appended to the user name. For example, if a user provides jdoe as the user name and NameIDSuffix is set to @north.int, the user name sent is jdoe@north.int.

    If a NameID suffix is configured and the user name provided is in UPN format, the NameID suffix is ignored. For example, if a user provides jdoe@north.int and NameIDSuffix is set to @south.int, the user name sent is jdoe@north.int.

    If the username provided is in the format <DomainName\username>, for example, NORTH\jdoe, Unified Access Gateway sends the username and domain name separately to CS.

    Note:

    In Horizon 7, if you enable the Hide server information in client user interface and Hide domain list in client user interface settings and select two-factor authentication (RSA SecurID or RADIUS) for the Connection Server instance, do not enforce Windows user name matching. Enforcing Windows user name matching prevents users from entering domain information in the user name text box, and login always fails. For more information, see the topics about two-factor authentication in the Horizon 7 Administration document.
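    The user name rules given for Enable Windows SSO and again for Match Windows User Name are the same, so one added Python example (not code from this page or from Unified Access Gateway) covers both. It maps a provided user name and an optional NameID suffix to the user name and domain that are sent to the Connection Server, following the four cases described: DOMAIN\user split, UPN passed through with the suffix ignored, bare name with suffix appended, and bare name with no suffix. The function and type names are assumptions, and the inputs mirror the examples in the descriptions.

```python
from __future__ import annotations

from typing import NamedTuple, Optional


class CsCredential(NamedTuple):
    """What Unified Access Gateway forwards to the Connection Server."""
    username: str
    domain: Optional[str]   # None means no separate domain is sent


def map_windows_username(provided: str,
                         name_id_suffix: Optional[str] = None) -> CsCredential:
    """Apply the user-name rules given for Enable Windows SSO and Match Windows User Name.

    In order: a DOMAIN\\user value is split and user and domain are sent
    separately; a UPN (user@realm) is sent unchanged and any NameID suffix is
    ignored; a bare user name gets the configured NameID suffix appended (the
    suffix is expected to carry its leading '@', as in @north.int), and with no
    suffix it is sent as-is. In the last two cases no domain is sent.
    """
    provided = provided.strip()
    if "\\" in provided:
        domain, _, user = provided.partition("\\")
        return CsCredential(user, domain)
    if "@" in provided:
        return CsCredential(provided, None)
    if name_id_suffix:
        return CsCredential(provided + name_id_suffix, None)
    return CsCredential(provided, None)


if __name__ == "__main__":
    # Constructed inputs mirroring the examples in the option descriptions.
    for provided, suffix in [("jdoe", "@north.int"), ("jdoe@north.int", "@south.int"),
                             ("NORTH\\jdoe", "@south.int"), ("jdoe", None)]:
        print(f"{provided!r} with suffix {suffix!r} -> {map_windows_username(provided, suffix)}")
```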

    Gateway Location

    The location from where the connection request originates. The security server and Unified Access Gateway set the gateway location. The location can be External or Internal.

    Important:

    The location must be set to Internal when any of the following auth methods are selected: SAML and Unauthenticated, SecurID and Unauthenticated, or RADIUS and Unauthenticated.

    Show Connection Server Pre-login message

    Turn on this toggle to show to the user any connection server pre-login message configured on the connection server during XML-API primary protocol flows. By default, this toggle is turned on for Horizon edge services.

    When this toggle is turned off, the user does not see the pre-login message configured on connection server.

    JWT Producer

    Select a configured JWT producer from the drop-down menu.

    Note: Ensure that the Name field is configured in the JWT Producer Settings section of Advanced Settings.

    JWT Audiences

    Optional list of intended recipients of the JWT used for Workspace ONE Access Horizon SAML Artifact validation.

    For JWT validation to be successful, at least one of the recipients in this list must match with one of the audiences specified in Workspace ONE Access Horizon configuration. If no JWT Audiences are specified, JWT validation does not consider audiences.

    JWT Consumer

    Select the JWT consumer name of one of the configured JWT settings.

    Note: For Workspace ONE Access JWT SAML artifact validation, ensure that the Name field is configured in the JWT Consumer Settings section of Advanced Settings.

    Trusted Certificates

    • To select a certificate in PEM format and add to the trust store, click +.

    • To provide a different name, edit the alias text box.

      By default, the alias name is the filename of the PEM certificate.

    • To remove a certificate from the trust store, click -.

    Response Security Headers

    To add a header, click +. Enter the name of the security header. Enter the value.

    To remove a header, click -. Edit an existing security header to update the name and the value of the header.

    Important:

    The header names and values are saved only after you click Save. Some standard security headers are present by default. The headers configured are added to the Unified Access Gateway response to client only if the corresponding headers are absent in the response from the configured back-end server.

    Note:

    Modify security response headers with caution. Modifying these parameters might impact the secure functioning of Unified Access Gateway.

    Host Port Redirect Mappings

    For information about how UAG supports the HTTP Host Redirect capability and certain considerations required for using this capability, see Unified Access Gateway Support for HTTP Host Redirect.

    Note:

    Source Host and Redirect Host support an optional port, separated by a colon. The default port number is 443.

    • Source Host:Port

      Enter the host name of the source (host header value).

    • Redirect Host:Port

      Enter the host name of the individual Unified Access Gateway appliance whose affinity must be maintained with the Horizon Client.

    Host Entries

    Enter the details to be added to the /etc/hosts file. Each entry must include an IP address, a host name, and an optional host name alias, in that order, separated by spaces. For example, 10.192.168.1 example1.com, 10.192.168.2 example2.com example-alias. Click the '+' sign to add multiple host entries.

    Important:

    The host entries are saved only after you click Save.

    SAML Audiences

    Ensure that either SAML or SAML and Passthrough authentication method is chosen.

    Enter the audience URL.

    Note:

    If the text box is left empty, audiences are not restricted.

    To understand how Unified Access Gateway supports SAML Audiences, see SAML Audiences.

    SAML Unauthenticated Username Attribute

    Enter the custom attribute name.

    Note:

    This field is available only when the value of Auth Methods is SAML and Unauthenticated.

    When Unified Access Gateway validates the SAML assertion, if the attribute name specified in this field is present in the assertion, then Unified Access Gateway provides unauthenticated access to the user name configured for the attribute in the Identity Provider.

    For more information about the SAML and Unauthenticated method, see Authentication Methods for Unified Access Gateway and Third-Party Identity Provider Integration.

    Default Unauthenticated Username

    Enter the default user name that must be used for unauthenticated access.

    This field is available in the Admin UI when one of the following Auth Methods is selected: SAML and Unauthenticated, SecurID and Unauthenticated, and RADIUS and Unauthenticated.

    Note:

    For SAML and Unauthenticated authentication method, the default user name for unauthenticated access is used only when the SAML Unauthenticated Username Attribute field is empty or the attribute name specified in this field is missing in the SAML assertion.

    Disable HTML Access

    If this toggle is turned on, web access to Horizon is disabled. See Configure OPSWAT as the Endpoint Compliance Check Provider for Horizon for details.

  7. Click Save.