This section describes the process for setting up Unified Access Gateway (formerly known as Access Point), which replaced Remote Access Manager (dtRAM) in DaaS deployments.

Unified Access Gateway is a VMware-developed End-User Computing (EUC) appliance that acts as a specialized gateway (or reverse proxy) managing access to enterprise EUC products deployed in a private or public cloud. It consolidates functionality that was previously implemented separately in various enterprise EUC products, and simplifies deployments for customers who use multiple EUC products within their environments.

The following are advantages of migrating to Unified Access Gateway:

  • Customers who migrate to Unified Access Gateway need to open only ports 443, 4172 and 8443 on their firewall.

  • Unified Access Gateway properly handles SSL certificates for HTML Access (Blast) so that a certificate will no longer be required on the virtual desktop.

Note:

For internal access that does not go through Unified Access Gateway, desktops still need SSL certificates.
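To make the reduced port set concrete, the following POSIX shell script is an added example and is not part of the VMware documentation or the appliance itself. It emits an iptables ruleset that admits only the three ports named above on the gateway's external interface and then drops everything else, and it includes a check that flags any other inbound port (for example one left over from a dtRAM-era configuration). It assumes PCoIP (4172) and Blast (8443) need both TCP and UDP while 443 is TCP only, and it uses eth0 as a placeholder interface name.

```shell
#!/bin/sh
# Added example (not VMware's code): generate and sanity-check an ingress
# ruleset limited to the Unified Access Gateway front-end ports 443, 4172, 8443.
# Assumptions: 443 is TCP only; 4172 (PCoIP) and 8443 (Blast) use TCP and UDP.
# The interface name is a parameter; "eth0" below is only a placeholder.

# uag_ingress_rules <interface>
# Prints iptables commands to stdout so they can be reviewed before being
# applied (for example by piping the output to sh on the firewall host).
uag_ingress_rules() {
    ifc="$1"
    # Loopback and return traffic for already-accepted connections.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $ifc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # HTTPS / XMLAPI from the Horizon client or browser (443/tcp).
    echo "iptables -A INPUT -i $ifc -p tcp --dport 443 -j ACCEPT"
    # PCoIP Secure Gateway (4172/tcp and 4172/udp).
    for proto in tcp udp; do
        echo "iptables -A INPUT -i $ifc -p $proto --dport 4172 -j ACCEPT"
    done
    # Blast Secure Gateway (8443/tcp and 8443/udp).
    for proto in tcp udp; do
        echo "iptables -A INPUT -i $ifc -p $proto --dport 8443 -j ACCEPT"
    done
    # Anything else arriving on the external interface is dropped.
    echo "iptables -A INPUT -i $ifc -j DROP"
}

# uag_port_accept_count <interface>
# Number of port-specific ACCEPT rules in the generated set (expected: 5).
uag_port_accept_count() {
    uag_ingress_rules "$1" | grep -c -- '--dport .* -j ACCEPT'
}

# uag_check_ports "<space-separated port list>"
# Returns 0 when every listed inbound port belongs to the Unified Access
# Gateway set, otherwise names each stray port on stderr and returns 1.
uag_check_ports() {
    rc=0
    for p in $1; do
        case "$p" in
            443|4172|8443) ;;
            *) echo "unexpected inbound port: $p" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Print the ruleset for review.
uag_ingress_rules eth0
```

Run the script to print the ruleset, or source it and call uag_check_ports with the list of ports currently open on the perimeter firewall to confirm that nothing beyond the three required ports remains exposed.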

Basic Functionality

The basic functionality of Unified Access Gateway is as follows.

  • The client makes a connection to the reverse proxy, and when the response comes back, the client intercepts it.

  • The connection can be established by either a browser or the Horizon client.

  • Once a virtual desktop session is established, the PCoIP Secure Gateway (PSG), Blast Secure Gateway (BSG), or View Tunnel is used for the virtual desktop traffic, depending on which protocol the user has selected. The tunnel is also used for the RDP protocol and for USB connections.

Unified Access Gateway used in a Horizon DaaS deployment has the following characteristics:

  • There will be no authentication (at least for the first release). This responsibility will remain within the Tenant Appliance.

  • All communication will be proxied through Unified Access Gateway if the end-user is accessing the solution from outside of the corporate network. This includes:

    • All View-specific protocol handling (XMLAPI, PCoIP, etc.)

    • Any Tenant Appliance communication

Unified Access Gateway vs. dtRAM

The main differences between dtRAM and Unified Access Gateway are outlined in the table below.

Each item below pairs the dtRAM (no longer supported) behavior with the Unified Access Gateway behavior.

  • dtRAM: Tenant appliance sits in front of the dtRAM and controls its operations.
    Unified Access Gateway: The Unified Access Gateway appliance sits in front of the tenant appliance so that the tenant does not know it exists. The tenant requires software changes to accommodate this new architectural shift.

  • dtRAM: Does not make use of a PSG (or BSG or Tunnel) gateway that is installed.
    Unified Access Gateway: Makes use of a PSG (or BSG or Tunnel) gateway that is installed.

  • dtRAM: Needs to use a wide range of ports for PCoIP etc. from the client and requires customers to open all of these ports to allow access.
    Unified Access Gateway: All PCoIP traffic can come in on the standard port (4172). Other single ports are used for BSG and Tunnel.

  • dtRAM: BSD-based and uses "pf" to forward traffic.
    Unified Access Gateway: Linux appliance with built-in proxying capabilities.

  • dtRAM: Supports HA clustering.
    Unified Access Gateway: HA clustering is possible if you choose to configure load balancers.

  • dtRAM: Has security weaknesses because it can only validate traffic based on source IP address.
    Unified Access Gateway: Uses deep protocol inspection techniques to ensure that traffic from the client is properly validated before it is passed on to the virtual desktops.

The following are some considerations regarding Unified Access Gateway performance.

  • Capacity – Unified Access Gateway has been tested with as many as 2,000 concurrent sessions, but the number of sessions your system can handle depends on the amount of data being sent and received (for example, video content).

  • Monitoring – Unified Access Gateway does not currently have an internal monitoring tool.

  • Rebooting – Rebooting Unified Access Gateway disconnects all active users. Each user's desktop session remains active, but the user must reconnect to regain access to the desktop. If multiple Unified Access Gateways are deployed behind a load balancer, active and new users can immediately reconnect via the load balancer and their connections are handled by another Unified Access Gateway while one is rebooting.

  • High Availability / Failover – HA clustering is possible if you choose to configure load balancers (see example in Appendix A).