You can configure the security protocols and cryptographic algorithms that are used to encrypt communications between clients and the Unified Access Gateway appliance from the admin configuration pages.

Prerequisites

  • Review the Unified Access Gateway Deployment Properties. The following settings information is required:
    • Static IP address for the Unified Access Gateway appliance
    • IP Addresses of the DNS servers
      Note: A maximum of two DNS server IP addresses can be specified.

      Unified Access Gateway uses the platform default fallback public DNS addresses only when no DNS server addresses are provided to Unified Access Gateway either as part of the configuration settings or through DHCP.

    • Password for the administration console
    • URL of the server instance or load balancer that the Unified Access Gateway appliance points to
    • Syslog server URL to save the event log files

Procedure

  1. In the admin UI Configure Manual section, click Select.
  2. In the Advanced Settings section, click the System Configuration gearbox icon.
  3. Edit the following Unified Access Gateway appliance configuration values.
    UAG Name
    Unique Unified Access Gateway appliance name.
    Note: The appliance name can be a text string of up to 24 characters consisting of letters (A-Z), digits (0-9), hyphens (-), and periods (.). The appliance name cannot contain spaces.
    Locale
    Specifies the locale to use when generating error messages.

    • en_US for American English. This is the default.
    • ja_JP for Japanese
    • fr_FR for French
    • de_DE for German
    • zh_CN for Simplified Chinese
    • zh_TW for Traditional Chinese
    • ko_KR for Korean
    • es for Spanish
    • pt_BR for Brazilian Portuguese
    • en_GB for British English
    TLS Server Cipher Suites
    Enter a comma-separated list of cipher suites, the cryptographic algorithms used to encrypt inbound TLS connections to Unified Access Gateway.

    This option works together with other options, such as the TLS versions, named groups, and signature schemes, that enable the various security protocols.

    The TLS Server Cipher Suites supported in FIPS mode are as follows:
    • Default enabled cipher suites:
      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • Cipher suites that are supported and can be manually configured:
      • TLS_RSA_WITH_AES_256_CBC_SHA256
      • TLS_RSA_WITH_AES_128_CBC_SHA256
      • TLS_RSA_WITH_AES_256_CBC_SHA
      • TLS_RSA_WITH_AES_128_CBC_SHA
    The default TLS Server Cipher Suites in non-FIPS mode are as follows:
    • TLS_AES_128_GCM_SHA256
    • TLS_AES_256_GCM_SHA384
    • TLS_CHACHA20_POLY1305_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    This option can be configured during PowerShell deployment by adding the cipherSuites parameter in the INI file. See Run PowerShell script to deploy.

    TLS Client Cipher Suites
    Enter a comma-separated list of cipher suites, the cryptographic algorithms used to encrypt outbound TLS connections from Unified Access Gateway.

    This option works together with other options, such as the TLS versions, named groups, and signature schemes, that enable the various security protocols.

    The following cipher suites are supported in FIPS mode:
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_RSA_WITH_AES_256_CBC_SHA256
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_AES_128_CBC_SHA

    In non-FIPS mode, by default, all cipher suites that are supported by the SSL library (Java/OpenSSL) can be used.

    This option can be configured during PowerShell deployment by adding the outboundCipherSuites parameter in the INI file. See Run PowerShell script to deploy.

    Minimum SHA Hash Size
    Select the minimum SHA hash size used for Horizon protocols and all non-Horizon connections, and for certificate thumbprint specification.

    SHA-256 is the default. The supported SHA hash size values are SHA-1, SHA-256, SHA-384, and SHA-512. SHA-1 is not recommended.

    Enable TLS 1.1
    By default, this toggle is turned off.

    Turn on this toggle to enable the TLS 1.1 security protocol.

    Enable TLS 1.2
    By default, this toggle is turned on.

    The TLS 1.2 security protocol is enabled.

    Enable TLS 1.2 and TLS 1.3 (non-FIPS only)
    By default, this toggle is turned on.

    The TLS 1.2 and TLS 1.3 security protocols are enabled.

    SSL Provider
    Select the SSL Provider implementation used for handling TLS connections.

    To configure TLS Named Groups and TLS Signature Schemes, the value of this option must be JDK. By default, the value of this option is OPENSSL.

    Note: When the value of this option is JDK, OCSP-based certificate revocation checking is not supported. CRL-based certificate revocation checking is supported.

    Any change to this option results in the Unified Access Gateway services being restarted. Ongoing Unified Access Gateway sessions are not retained during the restart.

    This option can be configured during PowerShell deployment by adding the sslProvider parameter in the INI file. See Run PowerShell script to deploy.

    TLS Named Groups
    Allows the administrator to configure the desired named groups (elliptic curves), from the list of supported named groups, that are used for key exchange during the SSL handshake.

    This option accepts comma-separated values. Some of the supported named groups are secp256r1, secp384r1, and secp521r1.

    To configure this option, ensure that the SSL Provider option is set to JDK. Otherwise, the TLS Named Groups option is disabled. Any change to this option results in the Unified Access Gateway services being restarted. Ongoing Unified Access Gateway sessions are not retained during the restart.

    This option can be configured during PowerShell deployment by adding the tlsNamedGroups parameter in the INI file. See Run PowerShell script to deploy.

    TLS Signature Schemes
    Allows the administrator to configure the supported TLS signature algorithms used for key validation during the SSL handshake.

    This option accepts comma-separated values. Some of the supported signature schemes are rsa_pkcs1_sha, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pss_rsae_sha256, and rsa_pss_rsae_sha384.

    To configure this option, ensure that the SSL Provider option is set to JDK. Otherwise, the TLS Signature Schemes option is disabled. Any change to this option results in the Unified Access Gateway services being restarted. Ongoing Unified Access Gateway sessions are not retained during the restart.

    This option can be configured during PowerShell deployment by adding the tlsSignatureSchemes parameter in the INI file. See Run PowerShell script to deploy.

    Allowed Host Headers
    Enter the IP addresses and/or host names to allow as Host header values. This setting applies to Horizon, Web Reverse Proxy use cases, and the Admin service on Unified Access Gateway. Validation of the Host (or X-Forwarded-Host) header is enabled by default against the values configured in this field and a dynamically computed auto-allowed list based on the UAG's network settings and Edge Service Settings.

    Any host names that are used to access Unified Access Gateway directly, through a load balancer, or through a reverse proxy, and that are not included in the auto-allowed list, must be configured in this field.

    For Unified Access Gateway deployments with Horizon, if Blast Secure Gateway (BSG) and/or VMware Tunnel are enabled and external URLs are configured, these values are automatically included in the allowed host value list. Explicit configuration of these values is not required.

    For Unified Access Gateway deployments with Web Reverse Proxy configurations, the external URL and proxy host patterns are included in the auto-allowed list of host values.

    When Unified Access Gateway is deployed with an N+1 Virtual IP (VIP), the virtual IP is included in the auto-allowed list. In addition, the UAG's non-loopback IP addresses and internal host name are also included in this list and allowed by default.

    CA Certificate
    This option is enabled when a Syslog server is added. Select a valid Syslog Certificate Authority certificate.

    Health Check URL
    Enter the URL that the load balancer connects to in order to check the health of Unified Access Gateway.

    HTTP Health Monitor
    By default, this toggle is turned off. The default configuration redirects HTTP health check URL requests to HTTPS. When you turn on this toggle, Unified Access Gateway responds to the health check request even over HTTP.

    Cookies to be Cached
    The set of cookies that Unified Access Gateway caches. The default is none.
    Session Timeout
    The default value is 36000000 milliseconds.
    Note: The value of Session Timeout on the Unified Access Gateway must be the same as the value of the Forcibly disconnect users setting on the Horizon Connection Server.

    The Forcibly disconnect users setting is one of the General Global Settings in the Horizon console. For more information about this setting, see Configuring Settings for Client Sessions in the VMware Horizon Administration documentation at VMware Docs.

    Quiesce Mode
    Turn on this toggle to pause the Unified Access Gateway appliance so that it reaches a consistent state for performing maintenance tasks.

    Monitor Interval
    The default value is 60.

    Enable SAML Certificate Rollover Support
    Turn on this toggle to generate SAML SP metadata with an entity ID based on the certificate. A certificate-based entity ID supports smooth certificate rollover with separate SP configurations on the IdP. To change this value, you must reconfigure the IdP.
    Password Age
    Number of days the password is valid for the user in the ADMIN role.

    The default value is 90 days. The maximum value that can be configured is 999 days.

    For the password to never expire, specify the value of this field as 0.

    Monitoring Users Password Age
    Number of days the password is valid for the users in the MONITORING role.

    The default value is 90 days. The maximum value that can be configured is 999 days.

    For the password to never expire, specify the value of this field as 0.

    Request Timeout
    Indicates the maximum time Unified Access Gateway waits for a request to be received.

    The default value is 3000.

    This timeout must be specified in milliseconds.

    Body Receive Timeout
    Indicates the maximum time Unified Access Gateway waits for a request body to be received.

    The default value is 5000.

    This timeout must be specified in milliseconds.

    Maximum Connections per Session
    Maximum number of TCP connections allowed per TLS session.

    The default value is 16.

    For no limit on the allowed number of TCP connections, set the value of this field to 0.

    Note: A field value of 8 or lower causes errors in Horizon Client.

    Client Connection Idle Timeout
    Specify the time (in seconds) a client connection can stay idle before the connection is closed. The default value is 360 seconds (6 minutes). A value of 0 indicates that there is no idle timeout.
    Authentication Timeout
    The maximum wait time in milliseconds before which authentication must happen. The default is 300000. If 0 is specified, there is no time limit for authentication.

    Clock Skew Tolerance
    Enter the permitted time difference in seconds between the Unified Access Gateway clock and the other clocks on the same network. The default is 600 seconds.

    Max Allowed System CPU
    Indicates the maximum allowed average system CPU usage over one minute.

    When the configured CPU limit is exceeded, new sessions are not allowed and the client receives an HTTP 503 error to indicate that the Unified Access Gateway appliance is temporarily overloaded. Exceeding the limit also allows a load balancer to mark the Unified Access Gateway appliance down so that new requests can be directed to other Unified Access Gateway appliances.

    The value is a percentage.

    The default value is 100%.

    Join CEIP
    If enabled, sends Customer Experience Improvement Program ("CEIP") information to VMware.
    Enable SNMP
    Turn on this toggle to enable the SNMP service. Simple Network Management Protocol (SNMP) collects system statistics, memory and disk space usage statistics, and Tunnel edge service MIB information from Unified Access Gateway. The available Management Information Bases (MIBs) are:
    • UCD-SNMP-MIB::systemStats
    • UCD-SNMP-MIB::memory
    • UCD-SNMP-MIB::dskTable
    • VMWARE-TUNNEL-SERVER-MIB::vmwTunnelServerMIB

    SNMP Version
    Select the desired SNMP version.

    If SNMPv1+v2 is selected as the SNMP protocol, you can add a custom SNMP community name.

    Note: You must enable SNMP before configuring Tunnel. If you enable SNMP after configuring Tunnel, you must re-save the Tunnel settings for the SNMP settings to take effect.

    If you have deployed Unified Access Gateway through PowerShell, enabled SNMP, but not configured SNMPv3 settings either through PowerShell or the Unified Access Gateway Admin UI, then by default the SNMPv1+SNMPv2c versions are used.

    Here are the additional steps for configuring the SNMPv3 settings in the Admin UI:
    1. Enter the SNMPv3 USM User name.
    2. Enter the SNMP Engine ID.

      This value is unique for each Unified Access Gateway appliance.

      The maximum length of the engine ID is limited to 27 characters.

    3. Select the SNMPv3 Security Level.
    4. Depending on the security level selected in the previous step, perform the following actions:

      No Auth, No Priv (No Authentication, No Privacy):
      Click Save. No further actions are necessary.

      Auth, No Priv (Authentication, No Privacy):
      1. Select the SNMPv3 Auth Algorithm.
      2. Enter the SNMPv3 Auth Password.

        The password must be at least 8 characters long.

      3. Confirm the Auth Password entered in the previous step.
      4. Click Save.

      Auth, Priv (Authentication, Privacy):
      1. Select the SNMPv3 Auth Algorithm.

        The supported values are as follows: MD5 (Not Recommended), SHA (Not Recommended), SHA-224, SHA-256, SHA-384, and SHA-512.

      2. Enter the SNMPv3 Auth Password.

        The password must be at least 8 characters long.

      3. Confirm the Auth Password entered in the previous step.
      4. Select the SNMPv3 Privacy Algorithm.

        The supported values are DES and AES.

      5. Enter the SNMPv3 Privacy Password.

        The password must be at least 8 characters long.

      6. Confirm the Privacy Password entered in the previous step.
      7. Click Save.

    SNMP Community
    Enter a custom SNMP community name to be used. If this field is left blank, "public" is used.
    Admin Disclaimer Text
    Enter the disclaimer text based on your organization's user agreement policy.

    For an administrator to successfully log in to the Unified Access Gateway Admin UI, the administrator must accept the agreement policy.

    The disclaimer text can be configured either through PowerShell deployment or by using the Unified Access Gateway Admin UI. For more information about the PowerShell setting in the INI file, see Run PowerShell script to deploy.

    When using the Unified Access Gateway Admin UI to configure this text box, the administrator must first log in to the Admin UI and then configure the disclaimer text. On subsequent administrator logins, the text is displayed for the administrator to accept before accessing the login page.

    DNS
    Enter the Domain Name System addresses that are added to the /run/systemd/resolve/resolv.conf configuration file. Each entry must be a valid DNS address. Click '+' to add a new DNS address.

    DNS Search
    Enter the Domain Name System search entries that are added to the /run/systemd/resolve/resolv.conf configuration file. Each entry must be a valid DNS search domain. Click '+' to add a new DNS search entry.
    Time Sync With Host
    Turn on this toggle to synchronize the time on the Unified Access Gateway appliance with the time of the ESXi host.

    By default, this toggle is turned off.

    This option uses VMware Tools for time synchronization and is supported only when Unified Access Gateway is deployed on an ESXi host.

    If you choose this option for time synchronization, the NTP Servers and FallBack NTP Servers options are disabled.

    This option can be configured through PowerShell by adding the hostClockSyncEnabled parameter in the INI file. See Run PowerShell script to deploy.

    NTP Servers
    NTP servers for Network Time Protocol synchronization. You can enter valid IP addresses and host names. Any per-interface NTP servers obtained from the systemd-networkd.service configuration or through DHCP take precedence over these settings. Click '+' to add a new NTP server.

    If you choose this option for time synchronization, the Time Sync With Host option is disabled.

    FallBack NTP Servers
    Fallback NTP servers for Network Time Protocol synchronization. If NTP server information is not found, these fallback NTP server host names or IP addresses are used. Click '+' to add a new fallback NTP server.

    If you choose this option for time synchronization, the Time Sync With Host option is disabled.

    Extended Server Certificate Validation
    Turn on this toggle to make Unified Access Gateway perform extended validation on the SSL server certificate received over outbound TLS connections to the backend servers.

    The extended checks include validating the certificate's expiry, host name mismatch, certificate revocation status, and extended key usage values.

    By default, this option is disabled.

    This option can be configured through PowerShell by adding the extendedServerCertValidationEnabled parameter in the INI file. See Run PowerShell script to deploy.

    SSH Public Keys
    Upload public keys to enable root user access to the Unified Access Gateway virtual machine when using the public-private key pair option.

    Administrators can upload multiple, unique public keys to Unified Access Gateway.

    This field is visible in the Admin UI only when the following SSH options are set to true during deployment: Enable SSH and Allow SSH root login using key pair. For information about these options, see Deploying to vSphere using the OVF Template Wizard.

  4. Click Save.
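
As an added example (not VMware's code), the following Python script reviews the TLS-related settings from the table above as they would appear in a PowerShell deployment INI file: it checks cipherSuites and outboundCipherSuites against the FIPS-mode lists given on this page, points out suites that are weaker than the GCM defaults, and reports tlsNamedGroups or tlsSignatureSchemes set while sslProvider is not JDK. The [General] section name and the sample INI content are assumptions constructed for the example.

```python
"""Offline check of the TLS settings in a Unified Access Gateway PowerShell
deployment INI against the cipher-suite lists on this page (added example,
not VMware code; the [General] section name is an assumption)."""
import configparser

# Inbound (TLS Server Cipher Suites) supported in FIPS mode, per this page.
FIPS_SERVER_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
}
# Outbound (TLS Client Cipher Suites) supported in FIPS mode, per this page.
FIPS_CLIENT_SUITES = FIPS_SERVER_SUITES | {
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
}

def split_list(value):
    """Split a comma-separated INI value into non-empty tokens."""
    return [v.strip() for v in value.split(",") if v.strip()]

def review_suites(key, suites, allowed):
    """Flag suites outside the supported list, then weaker-than-default choices."""
    findings = []
    for s in suites:
        if allowed is not None and s not in allowed:
            findings.append(f"{key}: {s} is not in the supported list for this mode")
        elif s.startswith("TLS_RSA_WITH_"):
            findings.append(f"{key}: {s} uses static RSA key exchange (no forward secrecy)")
        elif "_CBC_" in s:
            findings.append(f"{key}: {s} is a CBC suite; the GCM defaults are preferable")
    return findings

def check_tls_settings(ini_text, fips_mode):
    """Return findings for the TLS-related keys in the [General] section."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # keep camelCase keys exactly as written
    cfg.read_string(ini_text)
    g = cfg["General"]
    # Non-FIPS: the page lists defaults, not an exhaustive set, so only weak-suite checks apply.
    findings = review_suites("cipherSuites", split_list(g.get("cipherSuites", "")),
                             FIPS_SERVER_SUITES if fips_mode else None)
    findings += review_suites("outboundCipherSuites", split_list(g.get("outboundCipherSuites", "")),
                              FIPS_CLIENT_SUITES if fips_mode else None)
    provider = g.get("sslProvider", "OPENSSL").upper()  # OPENSSL is the documented default
    for key in ("tlsNamedGroups", "tlsSignatureSchemes"):
        if g.get(key) and provider != "JDK":
            findings.append(f"{key} is only honoured when sslProvider=JDK (found {provider})")
    return findings

# Constructed sample INI, not a real deployment.
SAMPLE_INI = """[General]
cipherSuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_AES_128_GCM_SHA256
outboundCipherSuites=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
sslProvider=OPENSSL
tlsNamedGroups=secp384r1,secp256r1
"""

if __name__ == "__main__":
    for finding in check_tls_settings(SAMPLE_INI, fips_mode=True):
        print(finding)
```

Run against the constructed INI in FIPS mode it reports the static-RSA suite, the TLS 1.3 suite that is not in the FIPS list, and the named groups that are ignored under the OPENSSL provider.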

What to do next

Configure the edge service settings for the components that Unified Access Gateway is deployed with. After the edge settings are configured, configure the authentication settings.