This section describes the process for setting up Unified Access Gateway (formerly known as Access Point), which replaced Remote Access Manager (dtRAM) in product deployments.
Unified Access Gateway is a VMware-developed End-User Computing (EUC) appliance that acts as a specialized gateway (or reverse proxy) that manages access to enterprise EUC products deployed in a private or public cloud. It consolidates functionality that was previously implemented in various enterprise EUC products, and simplifies deployments for customers who use multiple EUC products within their environments.
- Customers who migrate to Unified Access Gateway can reduce their firewall open ports to 443, 4172 and 8443.
- Unified Access Gateway properly handles SSL certificates for HTML Access (Blast) so that a certificate will no longer be required on the virtual desktop.
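After a migration, the perimeter rule set can be checked against the three ports listed above. The following is an added example, not part of the product or its documentation: it audits a firewall export in iptables-save syntax, and the sample rules, the gateway address 203.0.113.10 and the function names are constructed for illustration. It assumes plain `-d` and `--dport`/`--dports` matches without negation.

```python
import ipaddress
import re

ALLOWED_PORTS = {443, 4172, 8443}  # ports this page lists for Unified Access Gateway

# Constructed sample in iptables-save syntax; 203.0.113.10 is a placeholder gateway address.
SAMPLE_RULES = """\
-A FORWARD -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 203.0.113.10/32 -p tcp -m multiport --dports 4172,8443 -j ACCEPT
-A FORWARD -d 203.0.113.10/32 -p udp -m udp --dport 4172 -j ACCEPT
-A FORWARD -d 203.0.113.10/32 -p udp -m udp --dport 40000:40100 -j ACCEPT
-A FORWARD -d 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 203.0.113.10/32 -p tcp -j ACCEPT
-A FORWARD -d 203.0.113.20/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 203.0.113.10/32 -p tcp -m tcp --dport 8080 -j DROP
"""

PORT_OPT = re.compile(r"--dports?\s+(\S+)")

def expand_ports(spec):
    """Turn '443', '4172,8443' or '40000:40100' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        low, _, high = part.partition(":")
        ports.update(range(int(low), int(high or low) + 1))
    return ports

def audit(rules_text, gateway_ip):
    """Return (rule, reason) pairs for ACCEPT rules that reach the gateway on other ports."""
    gateway = ipaddress.ip_address(gateway_ip)
    findings = []
    for line in rules_text.splitlines():
        tokens = line.split()
        if "ACCEPT" not in tokens:
            continue
        # A rule with no -d matches every destination, the gateway included.
        dest = tokens[tokens.index("-d") + 1] if "-d" in tokens else "0.0.0.0/0"
        if gateway not in ipaddress.ip_network(dest, strict=False):
            continue
        match = PORT_OPT.search(line)
        if match is None:
            findings.append((line, "no port restriction"))
            continue
        extra = expand_ports(match.group(1)) - ALLOWED_PORTS
        if extra:
            findings.append((line, f"{len(extra)} unexpected port(s), lowest {min(extra)}"))
    return findings

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES, "203.0.113.10"):
        print(f"{reason}: {rule}")
```

Rules left over from a wide-port-range configuration show up as a large count of unexpected ports, which makes them easy to separate from a single stray management port.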
Basic Functionality
The basic functionality of Unified Access Gateway is as follows.
- The client makes a connection to the reverse proxy, and when the response comes back, the client intercepts it.
- The connection can be established by either a browser or the Horizon client.
- Once a virtual desktop session is established, the PCoIP SG, Blast SG, or View Tunnel may be used for the virtual desktop traffic, depending on what protocol the user has selected. The tunnel is used for the RDP protocol as well as USB connections.
Unified Access Gateway used in a deployment has the following characteristics:
- There will be no authentication (at least for the first release). This responsibility will remain within the Tenant Appliance.
- All communication will be proxied through Unified Access Gateway if the end-user is accessing the solution from outside of the corporate network. This includes:
  - All View-specific protocol handling (XMLAPI, PCoIP, etc.)
  - Any Tenant Appliance communication
Unified Access Gateway vs. dtRAM
The main differences between dtRAM and Unified Access Gateway are outlined in the table below.
dtRAM (no longer supported) | Unified Access Gateway |
---|---|
Tenant appliance sits in front of the dtRAM and controls its operations | Unified Access Gateway appliance sits in front of the tenant appliance so that the tenant does not know it exists. The tenant requires software changes to accommodate this new architectural shift. |
Does not make use of a PSG (or BSG or Tunnel) gateway that is installed | Makes use of a PSG (or BSG or Tunnel) gateway that is installed |
Needs to use a wide range of ports for PCoIP etc. from the client and requires customers to open all of these ports to allow access | All PCoIP traffic can come in on the standard port (4172). Other single ports are used for BSG and Tunnel. |
BSD-based and uses "pf" to forward traffic | Linux appliance with built-in proxying capabilities |
Supports HA clustering | HA clustering is possible if you choose to configure load balancers |
Has security weaknesses because it can only validate traffic based on source IP address | Uses deep protocol inspection techniques to ensure that traffic from the client is properly validated before it is passed on to the virtual desktops |
The following are some considerations regarding Unified Access Gateway performance.
- Capacity – Unified Access Gateway has been tested with as many as 2,000 concurrent sessions, but the number of sessions your system can handle depends on the amount of data being sent and received (for example, video content).
- Monitoring – Unified Access Gateway does not currently have an internal monitoring tool.
- Rebooting – Rebooting Unified Access Gateway disconnects all active users. The user's desktop session remains active, but the user will need to reestablish the connection to regain access to the desktop. If multiple Unified Access Gateways are deployed in a load-balanced configuration, then any active or new users will be able to immediately reconnect via the load balancer, and the connection will be handled by another Unified Access Gateway while one is rebooting.
- High Availability / Failover – HA clustering is possible if you choose to configure load balancers (see example in Appendix A).