This topic explains how to configure the Unified Access Gateway instances within Horizon pods on a VMware SDDC-based platform for use with Universal Broker. Follow the procedure to configure the JSON Web Token settings in each Unified Access Gateway instance to support the tunnel server and protocol redirection required by Universal Broker.

Note: The following procedure is only required for Unified Access Gateway instances within Horizon pods on a VMware SDDC-based platform. For Horizon Cloud pods in Microsoft Azure, the JSON Web Token settings are automatically configured for you at the time of pod deployment. You do not need to perform any further configuration of the JSON Web Token for the Unified Access Gateway instances within Horizon Cloud pods in Microsoft Azure (not on a VMware SDDC-based platform).

When your tenant is configured for Universal Broker and you want your external end users to use two-factor authentication, you must also configure the appropriate RADIUS service or RSA SecurID service (available for Horizon pods only) on all the external Unified Access Gateway instances in the pod.

Prerequisites

  • Verify that you have configured an external Unified Access Gateway instance, an internal Unified Access Gateway instance, or both, for each pod in your Universal Broker environment.
  • Ensure that you are running version 3.8 or later of Unified Access Gateway and have met all the other Unified Access Gateway requirements described in System Requirements for Universal Broker.
  • To validate the pairing of each Unified Access Gateway instance with its respective pod, connect directly to the Unified Access Gateway instance and verify that you can access virtual desktops.

Procedure

  1. Log in to the Unified Access Gateway administration console.
  2. In the Configure Manually section, click Select.
  3. Under Advanced Settings, click the gearbox for JWT Settings.
  4. To create a JWT configuration set, click Add.
  5. Specify the required settings in the JWT Settings dialog box.
    Name
      Enter a descriptive name for the configuration set.
    Issuer
      Enter the cluster name of the Horizon pod, as displayed in Horizon Console.
      [Figure: Cluster name of pod displayed in Horizon Console]
    Dynamic Public key URL
      Enter https://<Horizon pod FQDN>/broker/publicKey/protocolredirection, where <Horizon pod FQDN> is replaced with the pod's unique FQDN (fully qualified domain name). The FQDN is typically defined as follows:
      • If the pod has multiple Unified Access Gateway instances, specify the address of the local load balancer as the FQDN.
      • If the pod has only one Unified Access Gateway instance, specify the address of that instance's paired Connection Server as the FQDN.
    Public key URL thumbprints
      To use a public key URL for authentication, enter the SHA1 thumbprint of the Horizon pod's certificate.
      Note: You can configure either Public key URL thumbprints or Trusted Certificates for authentication. You do not need to configure both options.
    Trusted Certificates
      To use a certificate other than the Horizon pod's certificate for authentication, click the (+) icon and add the trusted certificate.
      Note: You can configure either Trusted Certificates or Public key URL thumbprints for authentication. You do not need to configure both options.
    Public key refresh interval
      For best results, enter 900. This value sets the refresh interval to 900 seconds, or 15 minutes.
    Static public keys
      Leave this option set to its default value.
  6. Click Save and then click Close.
  7. If you want to use two-factor authentication for Universal Broker, enable the Show toggle for Authentication Settings. Then enable and configure settings for one of the security services supported by Universal Broker: RSA SecurID (available for Horizon pods only) or RADIUS.
    Note: You must configure the appropriate two-factor authentication service on the external Unified Access Gateway instance for every participating pod. The configurations of all external Unified Access Gateway instances within a participating pod must match each other and must be identical to the configurations of external Unified Access Gateway instances across every other participating pod. Otherwise, authentication to the Universal Broker service fails.

    For example, if you want to use RADIUS authentication for your Horizon pods configured with Universal Broker, you must configure the identical RADIUS service on every external Unified Access Gateway instance across all participating Horizon pods. You cannot configure RADIUS on some participating pods and RSA SecurID on other participating pods.
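The following is an added pre-flight check for the JWT Settings entered in step 5; it is example code written for this page, not part of the Unified Access Gateway product or its documentation. It builds the Dynamic Public key URL from the pod FQDN, computes the SHA1 thumbprint that belongs in Public key URL thumbprints, and flags the common mistakes the table warns about (both thumbprints and trusted certificates set, a refresh interval other than 900). The settings dictionary keys and the optional colon separators in thumbprints are assumptions for this example.

```python
import hashlib
import re
import ssl

# Path of the protocol-redirection public key endpoint on the Horizon pod.
PUBLIC_KEY_PATH = "/broker/publicKey/protocolredirection"


def dynamic_public_key_url(pod_fqdn: str) -> str:
    """Build the Dynamic Public key URL exactly as the JWT Settings dialog expects it."""
    return f"https://{pod_fqdn}{PUBLIC_KEY_PATH}"


def sha1_thumbprint(der_cert: bytes) -> str:
    """SHA1 thumbprint of a DER-encoded certificate: upper-case hex, no separators."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def live_pod_thumbprint(pod_fqdn: str, port: int = 443) -> str:
    """Fetch the certificate the pod presents and return its thumbprint (needs network access)."""
    pem = ssl.get_server_certificate((pod_fqdn, port))
    return sha1_thumbprint(ssl.PEM_cert_to_DER_cert(pem))


def validate_jwt_settings(settings: dict) -> list:
    """Return the problems found in one JWT Settings set; an empty list means it passes.

    Keys (assumed for this example): issuer, pod_fqdn, public_key_url,
    thumbprints, trusted_certificates, refresh_interval.
    """
    problems = []
    if not settings.get("issuer"):
        problems.append("Issuer must be the pod's cluster name as shown in Horizon Console")
    if settings.get("public_key_url") != dynamic_public_key_url(settings.get("pod_fqdn", "")):
        problems.append("Dynamic Public key URL must be https://<pod FQDN>" + PUBLIC_KEY_PATH)
    thumbs = settings.get("thumbprints", [])
    certs = settings.get("trusted_certificates", [])
    # The table allows either option, and one of them is required for authentication.
    if bool(thumbs) == bool(certs):
        problems.append("Configure exactly one of Public key URL thumbprints or Trusted Certificates")
    for thumb in thumbs:
        # Colon separators are tolerated here (assumption); the digest itself must be 40 hex digits.
        if not re.fullmatch(r"[0-9A-Fa-f]{40}", thumb.replace(":", "").replace(" ", "")):
            problems.append(f"Thumbprint {thumb!r} is not a 40-hex-digit SHA1 value")
    if settings.get("refresh_interval") != 900:
        problems.append("Public key refresh interval should be 900 seconds (15 minutes)")
    return problems
```

Run validate_jwt_settings against each instance's settings before pairing so that mismatches between the instances of one pod are caught before they surface as broker failures.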