You can deploy Unified Access Gateway with Horizon Cloud with On-Premises Infrastructure and Horizon Air cloud infrastructure. For the Horizon deployment, the Unified Access Gateway appliance replaces Horizon security server.

Prerequisites

If you want to have both Horizon and a web reverse proxy instance such as VMware Identity Manager configured and enabled on the same Unified Access Gateway instance, see Advanced Edge Service Settings.

Procedure

  1. In the admin UI Configure Manually section, click Select.
  2. In the General Settings > Edge Service Settings, click Show.
  3. Click the Horizon Settings gearbox icon.
  4. In the Horizon Settings page, change NO to YES to enable Horizon.
  5. Configure the following edge service settings resources for Horizon:

    Option

    Description

    Identifier

    Set by default to Horizon. Unified Access Gateway can communicate with servers that use the Horizon XML protocol, such as Horizon Connection Server, Horizon Air, and Horizon Cloud with On-Premises Infrastructure.

    Connection Server URL

    Enter the address of the Horizon server or load balancer. Enter as https://00.00.00.00.

    Connection Server URL Thumbprint

    Enter the list of Horizon server thumbprints.

    If you do not provide a list of thumbprints, ensure that the server certificates are issued by a trusted CA. Enter the hexadecimal thumbprint digits. For example, sha1= C3 89 A2 19 DC 7A 48 2B 85 1C 81 EC 5E 8F 6A 3C 33 F2 95 C3.

    Enable PCOIP

    Change NO to YES to specify whether the PCoIP Secure Gateway is enabled.

    PCOIP External URL

    URL used by Horizon clients to establish the Horizon PCoIP session to this Unified Access Gateway appliance. It must contain an IPv4 address and not a hostname. For example, 10.1.2.3:4172. The default is the Unified Access Gateway IP address and port 4172.

    Enable Blast

    To use the Blast Secure Gateway, change NO to YES.

    Connection Server IP mode

    Select IPv4, IPv6, or IPv4+IPv6 from the drop-down menu. Default is IPv4.

  6. To configure the authentication method rule, and other advanced settings, click More.

    Option

    Description

    Auth Methods

    Select the authentication methods to use.

    The default is to use pass-through authentication of the user name and password. The authentication methods you configured in Unified Access Gateway are listed in the drop-down menus. Currently, RSA SecurID and RADIUS authentication methods are supported.

    To configure authentication that includes applying a second authentication method if the first authentication attempt fails.

    1. Select one authentication method from the first drop-down menu.

    2. Click the + and select either AND or OR.

    3. Select the second authentication method from the third drop-down menu.

    To require users to authenticate through two authentication methods, change OR to AND in the drop-down.

    Note:
    • With PowerShell deployment, for RSA SecurID authentication, configure this option to use securid-auth AND sp-auth to display the passcode screen.

    • With vSphere deployment, for RSA SecurID authentication, configure this option to use securid-auth to display the passcode screen.

    • Add the following lines to the Horizon section of the INI file.

      authMethods=securid-auth && sp-auth
      matchWindowsUserName=true

      Add a new section at the bottom of your INI file.

      [SecurIDAuth]
      serverConfigFile=C:\temp\sdconf.rec
      externalHostName=192.168.0.90
      internalHostName=192.168.0.90

      The IP addresses should both be set to the IP address of Unified Access Gateway. The sdconf.rec file is obtained from RSA Authentication Manager which must be fully configured. Verify that you are using Access Point 2.5 or later (or Unified Access Gateway 3.0 or later) and that the RSA Authentication Manager server is accessible on the network from Unified Access Gateway. Rerun the uagdeploy PowerShell command to redeploy the Unified Access Gateway configured for RSA SecurID.

    Health Check URI Path

    The URI path for the connection server that Unified Access Gateway connects to, for health status monitoring.

    Blast External URL

    URL used by Horizon clients to establish the Horizon Blast or BEAT session to this Unified Access Gateway appliance. For example, https://uag1.myco.com or https://uag1.myco.com:443.

    If the TCP port number is not specified, the default TCP port is 8443. If the UDP port number is not specified, the default UDP port is also 8443.

    Enable Tunnel

    If the Horizon secure tunnel is used, change NO to YES. The client uses the external URL for tunnel connections through the Horizon Secure Gateway. The tunnel is used for RDP, USB, and multimedia redirection (MMR) traffic.

    Tunnel External URL

    URL used by Horizon clients to establish the Horizon tunnel session to this Unified Access Gateway appliance. For example, https://uag1.myco.com or https://uag1.myco.com:443.

    If the TCP port number is not specified, the default TCP port is 443.

    Endpoint Compliance Check Provider

    Select the endpoint compliance check provider. Default is OPSWAT.

    Proxy Pattern

    Enter the regular expression that matches the URIs that are related to the Horizon Server URL (proxyDestinationUrl). It has a default value of (/|/view-client(.*)|/portal(.*)|/appblast(.*)).

    SAML SP

    Enter the name of the SAML service provider for the Horizon XMLAPI broker. This name must either match the name of a configured service provider metadata or be the special value DEMO.

    Match Windows User Name

    Change NO to YES to match RSA SecurID and Windows user name. When set to YES, securID-auth is set to true and the securID and Windows user name matching is enforced.

    Gateway Location

    The location from where the connection request originates. The security server and Unified Access Gateway set the gateway location. The location can be external or internal.

    Trusted Certificates

    Add a trusted certificate to this edge service. Click '+' to select a certificate in PEM format and add to the trust store. Click "-" to remove a certificate from the trust store. By default, the alias name is the filename of the PEM certificate. Edit the alias text box to provide a different name.

    Host Entries

    Enter the details to be added in /etc/hosts file. Each entry should include an IP, a hostname, and an optional hostname alias in that order, separated by a space. For example, 10.192.168.1 example1.com, 10.192.168.2 example2.com example-alias. Click the '+" sign to add multiple host entries.

    Important:

    The host entries are saved only after you click Save.

    Disable HTML Access

    If set to YES, disables web access to Horizon. See Endpoint Compliance Checks for Horizon for details.

  7. Click Save.