The deployment scenarios described in this chapter can help you identify and organize the Unified Access Gateway deployment in your environment. Unified Access Gateway is an appliance that is normally installed in a demilitarized zone (DMZ) and is used to ensure that the only traffic entering the corporate data center is traffic on behalf of a strongly authenticated remote user.

You can deploy Unified Access Gateway with Horizon 8, Horizon Cloud Service, Workspace ONE Access, and Workspace ONE UEM.

Note: To implement Unified Access Gateway with Horizon Cloud Service, see Deploying a Horizon 8 Edge for Use with Horizon 8 Deployments and the Horizon Cloud - next-gen Control Plane in the VMware Horizon Cloud Service - next-gen Guide at VMWare Docs.

Unified Access Gateway as a secure gateway

Unified Access Gateway directs authentication requests to the appropriate server and discards any unauthenticated request. Users can access only the resources that they are authorized to access.

Unified Access Gateway also ensure that the traffic for an authenticated user can be directed only to desktop and application resources to which the user is actually entitled. This level of protection involves specific inspection of desktop protocols and coordination of potentially rapid changing policies and network addresses, to accurately control access.

Unified Access Gateway acts as a proxy host for connections inside your company's trusted network. This design provides an extra layer of security by shielding virtual desktops, application hosts, and servers from the public-facing Internet.

Unified Access Gateway is designed specifically for the DMZ. The following hardening settings are implemented.

  • Up-to-date Linux Kernel and software patches
  • Multiple NIC support for Internet and intranet traffic
  • Disabled SSH
  • Disabled FTP, Telnet, Rlogin, or Rsh services
  • Disabled unwanted services

Using Unified Access Gateway instead of a Virtual Private Network

Unified Access Gateway and generic VPN solutions are similar as they both ensure that traffic is forwarded to an internal network only on behalf of strongly authenticated users.

Unified Access Gateway advantages over generic VPN include the following:

  • Access Control Manager. Unified Access Gateway applies access rules automatically. Unified Access Gateway recognizes the entitlements of the users and the addressing required to connect internally. A VPN does the same, because most VPNs allow an administrator to configure network connection rules for every user or group of users individually. At first, this works well with a VPN, but requires significant administrative effort to maintain the required rules.
  • User Interface. Unified Access Gateway does not alter the straightforward Horizon Client user interface. With Unified Access Gateway, when the Horizon Client is launched, authenticated users are in their Horizon Connection Server environment and have controlled access to their desktops and applications. A VPN requires that you must set up the VPN software first and authenticate separately before launching the Horizon Client.
  • Performance. Unified Access Gateway is designed to maximize security and performance. With Unified Access Gateway, PCoIP, HTML access, and WebSocket protocols are secured without requiring additional encapsulation. VPNs are implemented as SSL VPNs. This implementation meets security requirements and, with Transport Layer Security (TLS) enabled, is considered secure, but the underlying protocol with SSL/TLS is just TCP-based. With modern video remoting protocols exploiting connectionless UDP-based transports, the performance benefits can be significantly eroded when forced over a TCP-based transport. This does not apply to all VPN technologies, as those that can also operate with DTLS or IPsec instead of SSL/TLS can work well withHorizon Connection Server desktop protocols.