You can deploy Unified Access Gateway with Horizon Cloud with On-Premises Infrastructure and Horizon Air cloud infrastructure. In a Horizon deployment, the Unified Access Gateway appliance replaces the Horizon security server.

Prerequisites

If you want to have both Horizon and a web reverse proxy instance such as VMware Identity Manager configured and enabled on the same Unified Access Gateway instance, see Advanced Edge Service Settings.

Procedure

  1. In the admin UI Configure Manually section, click Select.
  2. In the General Settings > Edge Service Settings, click Show.
  3. Click the Horizon Settings gearbox icon.
  4. In the Horizon Settings page, change NO to YES to enable Horizon.
  5. Configure the following edge service settings resources for Horizon:
    Identifier
    Set by default to Horizon. Unified Access Gateway can communicate with servers that use the Horizon XML protocol, such as Horizon Connection Server, Horizon Air, and Horizon Cloud with On-Premises Infrastructure.

    Connection Server URL
    Enter the address of the Horizon server or load balancer. Enter as https://00.00.00.00.

    Connection Server URL Thumbprint
    Enter the list of Horizon server thumbprints. If you do not provide a list of thumbprints, ensure that the server certificates are issued by a trusted CA. Enter the hexadecimal thumbprint digits. For example, sha1= C3 89 A2 19 DC 7A 48 2B 85 1C 81 EC 5E 8F 6A 3C 33 F2 95 C3.

    Enable PCOIP
    Change NO to YES to enable the PCoIP Secure Gateway.

    Disable PCOIP Legacy Certificate
    Change NO to YES to use the uploaded SSL server certificate instead of the legacy certificate. Legacy PCoIP clients do not work if this parameter is set to YES.

    PCOIP External URL
    URL used by Horizon clients to establish the Horizon PCoIP session to this Unified Access Gateway appliance. It must contain an IPv4 address and not a hostname. For example, 10.1.2.3:4172. The default is the Unified Access Gateway IP address and port 4172.

    Enable Blast
    To use the Blast Secure Gateway, change NO to YES.

    Connection Server IP mode
    Select IPv4, IPv6, or IPv4+IPv6 from the drop-down menu. The default is IPv4.
  6. To configure the authentication method rule, and other advanced settings, click More.
    Auth Methods
    The default is to use pass-through authentication of the user name and password. The authentication methods you configured in Unified Access Gateway are listed in the drop-down menus. RSA SecurID, RADIUS, and Device Certificate Auth methods are supported.

    Enable Windows SSO
    This can be enabled when Auth Methods is set to RADIUS and when the RADIUS passcode is the same as the Windows domain password. Change NO to YES to use the RADIUS username and passcode as the Windows domain login credentials, so that the user is not prompted again.

    If Horizon is set up in a multi-domain environment and the user name provided does not contain a domain name, then no domain is sent to the Connection Server (CS).

    If a NameID suffix is configured and the user name provided does not contain a domain name, then the configured NameID suffix value is appended to the username. For example, if a user provides jdoe as the username and NameIDSuffix is set to @north.int, the username sent is jdoe@north.int.

    If a NameID suffix is configured and the username provided is in UPN format, the NameID suffix is ignored. For example, if a user provides jdoe@north.int and NameIDSuffix is set to @south.int, the username sent is jdoe@north.int.

    If the username provided is in the format <DomainName\username>, for example, NORTH\jdoe, Unified Access Gateway sends the username and domain name separately to CS.

    RADIUS Class Attributes
    This is enabled when Auth Methods is set to RADIUS. Click '+' to add a value for the class attribute. Enter the name of the class attribute to be used for user authentication. Click '-' to remove a class attribute.
    Note: If this field is left blank, then the additional authorization is not performed.

    Disclaimer Text
    The Horizon disclaimer message that is displayed to the user and accepted by the user in cases where Auth Method is configured.

    Smart Card Hint Prompt
    Change NO to YES to enable the password hint for certificate authentication.

    Health Check URI Path
    The URI path on the connection server that Unified Access Gateway connects to for health status monitoring.

    Blast External URL
    URL used by Horizon clients to establish the Horizon Blast or BEAT session to this Unified Access Gateway appliance. For example, https://uag1.myco.com or https://uag1.myco.com:443. If the TCP port number is not specified, the default TCP port is 8443. If the UDP port number is not specified, the default UDP port is also 8443.

    Enable UDP Server
    Connections are established through the UDP Tunnel server if bandwidth is low.

    Blast Proxy Certificate
    Proxy certificate for Blast. Click Select to upload a certificate in the PEM format and add it to the BLAST trust store. Click Change to replace the existing certificate.

    If the same certificate that is used for Unified Access Gateway is manually uploaded to the load balancer, but a different certificate must be used for Unified Access Gateway and the Blast Gateway, establishing a Blast desktop session fails because the thumbprint seen by the client and the one on Unified Access Gateway do not match. The custom thumbprint input for Unified Access Gateway or the Blast Gateway resolves this by relaying the thumbprint used to establish the client session.

    Enable Tunnel
    If the Horizon secure tunnel is used, change NO to YES. The client uses the external URL for tunnel connections through the Horizon Secure Gateway. The tunnel is used for RDP, USB, and multimedia redirection (MMR) traffic.

    Tunnel External URL
    URL used by Horizon clients to establish the Horizon Tunnel session to this Unified Access Gateway appliance. For example, https://uag1.myco.com or https://uag1.myco.com:443. If the TCP port number is not specified, the default TCP port is 443.

    Tunnel Proxy Certificate
    Proxy certificate for Horizon Tunnel. Click Select to upload a certificate in the PEM format and add it to the Tunnel trust store. Click Change to replace the existing certificate.

    If the same certificate that is used for Unified Access Gateway is manually uploaded to the load balancer, but a different certificate must be used for Unified Access Gateway and Horizon Tunnel, establishing a Tunnel session fails because the thumbprint seen by the client and the one on Unified Access Gateway do not match. The custom thumbprint input for Unified Access Gateway or Horizon Tunnel resolves this by relaying the thumbprint used to establish the client session.

    Endpoint Compliance Check Provider
    Select the endpoint compliance check provider. The default is OPSWAT.

    Proxy Pattern
    Enter the regular expression that matches the URIs that are related to the Horizon Server URL (proxyDestinationUrl). It has a default value of (/|/view-client(.*)|/portal(.*)|/appblast(.*)).
    Note: The pattern can also be used to exclude certain URLs. For example, to allow all URLs through but block /admin, you can use the following expression: ^/(?!admin(.*))(.*)

    SAML SP
    Enter the name of the SAML service provider for the Horizon XMLAPI broker. This name must either match the name of a configured service provider metadata or be the special value DEMO.

    Match Windows User Name
    Change NO to YES to match the RSA SecurID and Windows user names. When set to YES, securID-auth is set to true and matching of the SecurID and Windows user names is enforced.

    If Horizon is set up in a multi-domain environment and the user name provided does not contain a domain name, then no domain is sent to CS.

    If a NameID suffix is configured and the user name provided does not contain a domain name, then the configured NameID suffix value is appended to the username. For example, if a user provides jdoe as the username and NameIDSuffix is set to @north.int, the username sent is jdoe@north.int.

    If a NameID suffix is configured and the username provided is in UPN format, the NameID suffix is ignored. For example, if a user provides jdoe@north.int and NameIDSuffix is set to @south.int, the username sent is jdoe@north.int.

    If the username provided is in the format <DomainName\username>, for example, NORTH\jdoe, Unified Access Gateway sends the username and domain name separately to CS.

    Note: In Horizon 7, if you enable the Hide server information in client user interface and Hide domain list in client user interface settings and select two-factor authentication (RSA SecurID or RADIUS) for the Connection Server instance, do not enforce Windows user name matching. Enforcing Windows user name matching prevents users from entering domain information in the user name text box, and login always fails. For more information, see the topics about two-factor authentication in the Horizon 7 Administration document.

    Gateway Location
    The location from where the connection request originates. The security server and Unified Access Gateway set the gateway location. The location can be external or internal.

    Trusted Certificates
    Add a trusted certificate to this edge service. Click '+' to select a certificate in PEM format and add it to the trust store. Click '-' to remove a certificate from the trust store. By default, the alias name is the filename of the PEM certificate. Edit the alias text box to provide a different name.

    Response Security Headers
    Click '+' to add a header. Enter the name of the security header. Enter the value. Click '-' to remove a header. Edit an existing security header to update the name and the value of the header.
    Important: The header names and values are saved only after you click Save. Some standard security headers are present by default. The headers configured are added to the Unified Access Gateway response to the client only if the corresponding headers are absent in the response from the configured back-end server.
    Note: Modify security response headers with caution. Modifying these parameters might impact the secure functioning of Unified Access Gateway.

    Host Entries
    Enter the details to be added to the /etc/hosts file. Each entry should include an IP, a hostname, and an optional hostname alias in that order, separated by a space. For example, 10.192.168.1 example1.com, 10.192.168.2 example2.com example-alias. Click the '+' sign to add multiple host entries.
    Important: The host entries are saved only after you click Save.

    Disable HTML Access
    If set to YES, disables web access to Horizon. See Endpoint Compliance Checks for Horizon for details.
  7. Click Save.
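The username rules described under Enable Windows SSO and Match Windows User Name in step 6 (domain not sent when absent, NameID suffix appended to a bare user name, suffix ignored for a UPN, DOMAIN\user split into two fields) are easy to get wrong when rolling out a NameID suffix in a multi-domain environment. The following Python is an added illustration, not Unified Access Gateway code: it re-implements those documented rules so that the value forwarded to the Connection Server can be checked for a given input before the setting is saved. The function name normalize_username, the CredentialToCS tuple, and the check order for a name containing both a backslash and an @ sign (which the page does not cover) are assumptions of this example.

```python
from typing import NamedTuple, Optional


class CredentialToCS(NamedTuple):
    """What is forwarded to the Connection Server (CS) after normalisation."""
    username: str
    domain: Optional[str]  # None means no separate domain is sent


def normalize_username(username: str, name_id_suffix: Optional[str] = None) -> CredentialToCS:
    """Apply the documented rules for the Windows SSO / Match Windows User Name options.

    Rules, checked in this order (checking the backslash form first is an
    assumption; the page does not cover a name containing both '\\' and '@'):
      1. DOMAIN\\user          -> username and domain are sent separately.
      2. UPN (user@realm)      -> forwarded unchanged; a NameID suffix is ignored.
      3. bare user + suffix    -> the configured NameID suffix is appended.
      4. bare user, no suffix  -> forwarded as is; no domain is sent to CS.
    """
    if "\\" in username:
        domain, _, user = username.partition("\\")
        return CredentialToCS(user, domain)
    if "@" in username:
        return CredentialToCS(username, None)
    if name_id_suffix:
        return CredentialToCS(username + name_id_suffix, None)
    return CredentialToCS(username, None)


if __name__ == "__main__":
    # Constructed inputs reproducing the page's own examples.
    for raw, suffix in [("jdoe", "@north.int"), ("jdoe@north.int", "@south.int"),
                        ("NORTH\\jdoe", "@south.int"), ("jdoe", None)]:
        print(f"{raw!r:22} suffix={suffix!r:14} -> {normalize_username(raw, suffix)}")
```

Running the block prints the four cases from the page; the last one shows that with no suffix configured a bare user name reaches the Connection Server without any domain, which is the case that breaks logins in a multi-domain environment if the Connection Server cannot resolve the user unambiguously.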
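Because the Proxy Pattern in step 6 decides which request paths are forwarded to the Horizon server, it is worth testing a candidate expression against sample paths before saving it. The following Python is an added example, not Unified Access Gateway code; it uses the default pattern and the /admin exclusion pattern quoted on this page. It assumes that the gateway requires the whole request path to match the pattern (modelled with re.fullmatch) and that only the path, not the host or query string, is matched; the sample paths are constructed for the example.

```python
import re

# Patterns quoted from the Proxy Pattern option on this page.
DEFAULT_PATTERN = r"(/|/view-client(.*)|/portal(.*)|/appblast(.*))"
EXCLUDE_ADMIN_PATTERN = r"^/(?!admin(.*))(.*)"

# Constructed sample request paths (not taken from any real deployment).
SAMPLE_PATHS = [
    "/",
    "/view-client/index.html",
    "/portal/webclient/index.html",
    "/appblast/launch",
    "/admin",
    "/admin/login",
    "/broker/xml",
]


def allowed_paths(pattern: str, paths: list) -> list:
    """Paths the pattern admits when the whole path must match (assumed fullmatch semantics)."""
    regex = re.compile(pattern)
    return [p for p in paths if regex.fullmatch(p)]


def blocked_paths(pattern: str, paths: list) -> list:
    """Complement of allowed_paths, preserving the input order."""
    allowed = set(allowed_paths(pattern, paths))
    return [p for p in paths if p not in allowed]


def prefix_allowed_paths(pattern: str, paths: list) -> list:
    """Same check with prefix matching (re.match), to show why anchoring matters:
    the bare '/' alternative in the default pattern then admits every path."""
    regex = re.compile(pattern)
    return [p for p in paths if regex.match(p)]


if __name__ == "__main__":
    for name, pattern in [("default", DEFAULT_PATTERN), ("exclude /admin", EXCLUDE_ADMIN_PATTERN)]:
        print(f"{name}: allowed={allowed_paths(pattern, SAMPLE_PATHS)}")
        print(f"{name}: blocked={blocked_paths(pattern, SAMPLE_PATHS)}")
    print("prefix match, default:", prefix_allowed_paths(DEFAULT_PATTERN, SAMPLE_PATHS))
```

The prefix_allowed_paths check is the caveat: an expression that looks restrictive under whole-path matching can admit everything under prefix matching, so when you write a custom pattern, test it with both readings and prefer explicit anchors such as the ^ used in the exclusion example.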