In this step of the wizard, specify the information required to deploy the pod with Unified Access Gateway configured. When deploying the new pod, you can choose to have an external or internal Unified Access Gateway configuration, or both types on the same pod. By default, when this wizard step displays, Yes is selected for the external Unified Access Gateway configuration.

Important: Keep in mind that in the current release, you can only add the RADIUS two-factor authentication at the same time that you configure Unified Access Gateway on the pod. If you fail to choose the Enable 2-Factor Authentication? toggle for your chosen Unified Access Gateway configuration, you will not be able to use the Administration Console later to add RADIUS two-factor authentication for that configuration. For an already deployed pod, in the Edit Pod workflow, the Administration Console's Enable 2-Factor Authentication? toggle is disabled for the pod's existing Unified Access Gateway configuration.

If you deploy with the Unified Access Gateway configuration as... | Later in the Edit Pod workflow, you...
Both external and internal, but without RADIUS | Cannot add RADIUS to the pod.
External only, but without RADIUS | Cannot add RADIUS to that external Unified Access Gateway configuration. You will only be able to add the other, internal type of configuration.
Internal only, but without RADIUS | Cannot add RADIUS to that internal Unified Access Gateway configuration. You will only be able to add the other, external type of configuration.

External Unified Access Gateway configuration
The external Unified Access Gateway configuration gives the ability to provide access to desktops and applications for end users located outside of your corporate network. When the pod is deployed with an external Unified Access Gateway configuration, the pod includes a Microsoft Azure public load balancer and Unified Access Gateway instances deployed on the desktop tenant subnet to enable this access. In this case, the instances have three NICs each: one NIC on the management subnet, one NIC on the desktop subnet, and one NIC on the DMZ subnet.
Internal Unified Access Gateway configuration
An internal Unified Access Gateway configuration gives the ability for end users located inside your corporate network to have trusted HTML Access (Blast) connections to their desktops and applications. If the pod is not configured with an internal Unified Access Gateway configuration, end users inside your corporate network see the standard browser untrusted certificate error when they use their browsers to make HTML Access (Blast) connections to their desktops and applications. When the pod is deployed with an internal Unified Access Gateway configuration, the pod includes a Microsoft Azure internal load balancer and Unified Access Gateway instances deployed on the desktop tenant subnet to enable this access. In this case, the instances have two NICs each: one NIC on the management subnet and one NIC on the desktop subnet.

The following screenshot is an example of the step when it is initially displayed.

[Screenshot: Horizon Cloud on Microsoft Azure: Step 3 of the pod deployment wizard when it initially displays.]

Prerequisites

Verify that you have met the prerequisites described in Prerequisites for Running the Pod Deployment Wizard.

Important: To complete this step, you must have the required fully qualified domain name (FQDN) which your end users will use to access the service, and you must have a signed SSL certificate (in PEM format) based on that FQDN. The certificate must be signed by a trusted CA. A single PEM file must contain the entire certificate chain and the private key: SSL certificate, intermediate certificates, root CA certificate, private key. For details, see Convert a Certificate File to the PEM Format Required for Pod Deployment.

Verify that all certificates in the certificate chain have valid time frames. If any certificate in the chain is expired, unexpected failures can occur later in the pod onboarding process.

This FQDN cannot contain underscores. In this release, connections to the Unified Access Gateway instances will fail when the FQDN contains underscores.

Procedure

  1. If you want the external Unified Access Gateway configuration, complete the fields in the External UAG section.
    Enable External UAG?
      When Yes is selected, access to desktops and applications is enabled for users located outside of your corporate network. The pod includes a Microsoft Azure public load balancer and Unified Access Gateway instances to enable this access.
      Note: Leaving the default Yes setting is recommended.
      When set to No, clients must either connect directly to the pod and not through Unified Access Gateway, or they connect through an internal Unified Access Gateway configuration. In the case of clients connecting directly to the pod and not through Unified Access Gateway, some post-deployment steps are required. In this case, after the pod is deployed, see the information in the Horizon Cloud Administration Guide about uploading SSL certificates to the pod.

    FQDN
      Enter the required fully qualified domain name (FQDN), such as ourOrg.example.com, which your end users will use to access the service. You must own that domain name and have a certificate in PEM format that can validate that FQDN.
      Important: This FQDN cannot contain underscores. In this release, connections to the Unified Access Gateway instances will fail when the FQDN contains underscores.

    DMZ Subnet / DMZ Subnet (CIDR)
      When Use Existing Subnet is set to Yes in the preceding wizard step, DMZ Subnet lists the subnets available on the VNet selected for Virtual Network. Select the existing subnet that you want to use for the pod's DMZ subnet.
      Important: Select an empty subnet, one that has no other resources attached to it. If the subnet is not empty, unexpected results might occur during the deployment process or pod operations.
      When Use Existing Subnet is set to No in the preceding wizard step, enter the subnet (in CIDR notation) for the DMZ (demilitarized zone) network that will be configured to connect the Unified Access Gateway instances to the deployed public load balancer.

    DNS Addresses
      Optionally enter addresses for additional DNS servers that Unified Access Gateway can use for name resolution, separated by commas. When configuring this external Unified Access Gateway configuration to use two-factor authentication with your on-premises RADIUS server, you would specify the address of a DNS server that can resolve the name of your on-premises RADIUS server.
      As described in the deployment prerequisites, a DNS server must be set up internally in your subscription and configured to provide external name resolution. The Unified Access Gateway instances use that DNS server by default. If you specify addresses in this field, the deployed Unified Access Gateway instances use the addresses in addition to the prerequisite DNS server that you configured in your subscription's virtual network.

    Routes
      Optionally specify custom routes to additional gateways that you want the deployed Unified Access Gateway instances to use to resolve network routing for the end user access. The specified routes are used to allow Unified Access Gateway to resolve network routing such as to RADIUS servers for two-factor authentication.
      When configuring this pod to use two-factor authentication with an on-premises RADIUS server, you must enter the correct route the Unified Access Gateway instances can use to reach the RADIUS server. For example, if your on-premises RADIUS server uses 10.10.60.20 as its IP address, you would enter 10.10.60.0/24 and your default route gateway address as a custom route. You obtain your default route gateway address from the Express Route or VPN configuration you are using for this environment.
      Specify the custom routes as a comma-separated list in the form ipv4-network-address/bits ipv4-gateway-address, for example: 192.168.1.0/24 192.168.0.1, 192.168.2.0/24 192.168.0.2.

    Certificate
      Upload the certificate in PEM format that Unified Access Gateway will use to allow clients to trust connections to the Unified Access Gateway instances running in Microsoft Azure. The certificate must be based on the FQDN you entered and be signed by a trusted CA. The PEM file must contain the entire certificate chain and the private key: SSL certificate, intermediate certificates, root CA certificate, private key.

    The following screenshot is an example with this step completed.

    [Screenshot: Horizon Cloud on Microsoft Azure: Pod deployment wizard Step 3 with external Unified Access Gateway fields filled out.]

  2. (Optional) In the External UAG section, optionally configure two-factor authentication for the external Unified Access Gateway.
    Complete the steps in Specify Two-Factor Authentication Capability for the Pod.
    Important: Keep in mind that in the current release, you can only add RADIUS two-factor authentication for the external configuration at the same time that you set up that external configuration. After the external configuration is set on the pod, the Administration Console disables the toggle for adding RADIUS two-factor authentication for that external configuration.
  3. In the Internal UAG section, if you want the internal Unified Access Gateway configuration, set the Enable Internal UAG? toggle to Yes and complete the fields that appear.
    Enable Internal UAG?
      When Yes is selected, trusted access to desktops and applications is enabled for HTML Access (Blast) connections for users located inside of your corporate network. The pod includes a Microsoft Azure internal load balancer and Unified Access Gateway instances to enable this access.

    FQDN
      Enter the required fully qualified domain name (FQDN), such as ourOrg.example.com, which your end users will use to access the service. You must own that domain name and have a certificate in PEM format that can validate that FQDN.
      Important: This FQDN cannot contain underscores. In this release, connections to the Unified Access Gateway instances will fail when the FQDN contains underscores.

    DNS Addresses
      Optionally enter addresses for additional DNS servers that Unified Access Gateway can use for name resolution, separated by commas. When configuring this internal Unified Access Gateway configuration to use two-factor authentication with your on-premises RADIUS server, you would specify the address of a DNS server that can resolve the name of your on-premises RADIUS server.
      As described in the deployment prerequisites, a DNS server must be set up internally in your subscription and configured to provide name resolution. The Unified Access Gateway instances use that DNS server by default. If you specify addresses in this field, the deployed Unified Access Gateway instances use the addresses in addition to the prerequisite DNS server that you configured in your subscription's virtual network.

    Routes
      Optionally specify custom routes to additional gateways that you want the deployed Unified Access Gateway instances to use to resolve network routing for the end user access. The specified routes are used to allow Unified Access Gateway to resolve network routing such as to RADIUS servers for two-factor authentication.
      When configuring this pod to use two-factor authentication with an on-premises RADIUS server, you must enter the correct route the Unified Access Gateway instances can use to reach the RADIUS server. For example, if your on-premises RADIUS server uses 10.10.60.20 as its IP address, you would enter 10.10.60.0/24 and your default route gateway address as a custom route. You obtain your default route gateway address from the Express Route or VPN configuration you are using for this environment.
      Specify the custom routes as a comma-separated list in the form ipv4-network-address/bits ipv4-gateway-address, for example: 192.168.1.0/24 192.168.0.1, 192.168.2.0/24 192.168.0.2.

    Certificate
      Upload the certificate in PEM format that Unified Access Gateway will use to allow clients to trust connections to the Unified Access Gateway instances running in Microsoft Azure. The certificate must be based on the FQDN you entered and be signed by a trusted CA. The PEM file must contain the entire certificate chain and the private key: SSL certificate, intermediate certificates, root CA certificate, private key.
  4. (Optional) In the Internal UAG section, optionally configure two-factor authentication for the internal Unified Access Gateway.
    Complete the steps in Specify Two-Factor Authentication Capability for the Pod.
    Important: Keep in mind that in the current release, you can only add RADIUS two-factor authentication for the internal configuration at the same time that you set up that internal configuration. After the internal configuration is set on the pod, the Administration Console disables the toggle for adding RADIUS two-factor authentication for that internal configuration.
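The Routes field in steps 1 and 3 takes a comma-separated list of ipv4-network-address/bits ipv4-gateway-address pairs, and a typo there (or a route that does not actually cover the RADIUS server) only shows up after deployment. As an added example written for this page, not code from the product, the following Go functions parse that format strictly and report which entry covers a given address, such as the on-premises RADIUS server; the Route, ParseRoutes and RouteFor names are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Route is one entry of the wizard's Routes field: "ipv4-network-address/bits ipv4-gateway-address".
type Route struct {
	Network *net.IPNet
	Gateway net.IP
}

// ParseRoutes parses the comma-separated list the Routes field expects and rejects
// anything that is not "<IPv4 network>/<bits> <IPv4 gateway>" before deployment.
func ParseRoutes(field string) ([]Route, error) {
	var routes []Route
	for _, entry := range strings.Split(field, ",") {
		parts := strings.Fields(entry)
		if len(parts) != 2 {
			return nil, fmt.Errorf("route %q: expected \"network/bits gateway\"", strings.TrimSpace(entry))
		}
		ip, network, err := net.ParseCIDR(parts[0])
		if err != nil || network.IP.To4() == nil {
			return nil, fmt.Errorf("route %q: invalid IPv4 CIDR %q", entry, parts[0])
		}
		if !ip.Equal(network.IP) { // e.g. 10.10.60.20/24 typed for a server at 10.10.60.20
			return nil, fmt.Errorf("route %q: host bits set, use the network address %s", entry, network)
		}
		gw := net.ParseIP(parts[1])
		if gw == nil || gw.To4() == nil {
			return nil, fmt.Errorf("route %q: invalid IPv4 gateway %q", entry, parts[1])
		}
		routes = append(routes, Route{Network: network, Gateway: gw})
	}
	return routes, nil
}

// RouteFor returns the custom route whose network contains addr (for example the
// on-premises RADIUS server), or nil when no custom route covers it.
func RouteFor(routes []Route, addr string) *Route {
	ip := net.ParseIP(addr)
	for i := range routes {
		if ip != nil && routes[i].Network.Contains(ip) {
			return &routes[i]
		}
	}
	return nil
}
```

A nil result from RouteFor for the RADIUS server address means the Unified Access Gateway instances would have no custom route to it, which is the situation the Routes guidance above is meant to prevent.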

Results

When you have provided the required information associated with your selected options, you can click Validate & Proceed to continue to the wizard's final step. See Validate and Proceed, and then Start the Pod Deployment Process.