You can set up Unified Access Gateway for use in your environment.

For more information about Unified Access Gateway configuration, see VMware Unified Access Gateway documentation.


You cannot deploy a Unified Access Gateway VM from a vSphere Windows client. You must deploy it from the vSphere web client.


Default tenant appliance certificates should not be used for configuring Unified Access Gateway. Custom certificates for Tenant should be uploaded from the Service Center user interface and those certificates should be used for configuring Unified Access Gateway.


  1. Download the latest version of the Unified Access Gateway OVA file.
  2. Determine the IP addresses (DNS/Netmask/Gateway) for the required networks, as described below.



    3 NIC

    (Recommended configuration)

    Internet (NIC 1) - Any network with internet access

    Management (NIC 2) - This can be your 169 network. Since this does not have its own DNS or Gateway, you can enter any numbers for DNS and set the netmask to

    Backend (NIC 3) - Network that the Tenant uses for desktops

    2 NIC

    Internet (NIC 1) - Network the Tenant is on

    Management (NIC 2) - This can be your 169 network. Since this does not have its own DNS or Gateway, you can enter any numbers for DNS and set the netmask to

    1 NIC

    Internet (NIC 1) - Network that the Tenant is on


    If NIC 2 is present, then the administration server (port 9443) that provides the REST APIs will only listen on that NIC. This server is accessed by the "" script used in Step 5 below. If NIC 2 is not present, then that administration server listens on all of the interfaces.

  3. In the vSphere web client, follow the normal method for deploying a template. In the “Customize template” step, enter information as shown below.

    The fields below may not all appear, depending on your configuration, and may also appear in a different order than that shown below.

    Table 1.

    Networking Properties

    External IP Address

    Physical IP address of NIC 1. Note: If user access is via a NAT address, do not enter that address here.

    DNS server addresses

    IP of the DNS that the Unified Access Gateway will use to resolve Hostnames.

    Management network IP Address

    If configuration is 3 NIC or 2 NIC, enter Management Network IP from the previous step.

    Backend network IP Address

    If configuration is 3 NIC, enter Backend Network IP from the previous step.

    Password Options

    Password for the root user of this VM

    Initial password for root user. This must be a valid Linux password.

    Password for the admin user, which enables REST API access

    Password to be used for REST API Admin user. Password must be at least eight characters long and must contain:

    • At least one upper case letter

    • At least one lower case letter

    • At least one number

    • At least one special character (!, @, #, etc.)

    System Properties

    Locale to use for localized messages


    Syslog server URL

    Leave blank

    Horizon Properties

    Horizon server URL

    Leave blank

    Horizon server thumbprints

    Leave blank

  4. When you have finished the deployment process, power on the VM and wait for the login screen to appear on the console.
  5. On the tenant appliance, run the following command:
    sudo /usr/local/desktone/scripts/
  6. Enter yes or no to the initial two prompts, as described below.



    Do you want to setup this access point for internal access . . . :

    Default value is no. If you enter anything other than y or yes, it will default to no and the access point will be configured for external connections in the DMZ network. In most cases you will use the external configuration.

    Enter yes to make this an internal access point so that the PCoIP traffic goes directly to the desktops, bypassing the access point.

    Do you want to allow Horizon Air Helpdesk Console access . . . :

    Enter yes to allow the Helpdesk Console access though the access point, or no to not allow access.

    The Helpdesk Console is a console access tool that allows you to run health scans, provide remote assistance, and view history and audit information for each VM in your system.


    This is a beta feature and is not supported at this time. For more information about trying this tool, please contact your deployment representative.

    The system now proceeds to the Unified Access Gateway Configuration prompts.

  7. Enter the requested information for the Unified Access Gateway appliance:



    Admin Password:

    Password for the admin user of the Unified Access Gateway.

    Management IP:

    This is the same address you entered above for Management network IP Address.

    External IP:

    The IP address for NIC 1 or the NAT IP address of NIC 1.

    External Hostname [xx.xx.xx.xx]:

    [Default hostname in brackets]

    External PCoIP Port [4172]:

    Default PCoIP Port shown in brackets: [4172]

    External HTML Access Port [8443]:

    Default HTML Access Port in brackets: [8443]

    External Tunnel Port [443]:

    Default Tunnel Port in brackets: [443]

    The response status returned will indicate whether the configuration was successful.

    Response status



    Configuration successful


    Invalid input


    Password incorrect. Confirm that password matches admin password configured during OVA deployment.

  8. If dtRAM was in use on this environment previously, set the element.allocator.ram.use policy to false and remove the associated NAT and firewall rules.
  9. Configure NAT and firewall rules to allow access to the Unified Access Gateway appliance through Internet network.

    When you are using an edge gateway load balancer the NAT for ports 80 and 443 are not required. These ports are forwarded automatically.



    4172/tcp, 4172/udp

    PCoIP desktop access protocol


    HTML desktop access protocol


    Secure web portal access


    Insecure web portal access (will be redirected to 443)