A Unified Access Gateway appliance is a default gateway for secure access to remote desktops and applications from outside the corporate firewall.
For the latest version of Unified Access Gateway documentation, see the Deploying and Configuring VMware Unified Access Gateway document in https://docs.vmware.com/en/Unified-Access-Gateway/index.html.
A Unified Access Gateway appliance resides within a network demilitarized zone (DMZ) and acts as a proxy host for connections inside a trusted network, providing an additional layer of security by shielding virtual desktops, application hosts, and servers from the public-facing Internet.
Configure a Unified Access Gateway Appliance
Unified Access Gateway and generic VPN solutions are similar as they both ensure that traffic is forwarded to an internal network only on behalf of strongly authenticated users.
Unified Access Gateway advantages over generic VPN include the following.
- Access Control Manager. Unified Access Gateway applies access rules automatically. Unified Access Gateway recognizes the entitlements of the users and the addressing required to connect internally. A VPN does the same, because most VPNs allow an administrator to configure network connection rules for every user or group of users individually. At first, this works well with a VPN, but requires significant administrative effort to maintain the required rules.
- User Interface. Unified Access Gateway does not alter the straightforward Horizon Client user interface. With Unified Access Gateway, when the Horizon Client is launched, authenticated users are in their View environment and have controlled access to their desktops and applications. A VPN requires that you must set up the VPN software first and authenticate separately before starting the Horizon Client.
- Performance. Unified Access Gateway is designed to maximize security and performance. With Unified Access Gateway, PCoIP, HTML access, and WebSocket protocols are secured without requiring additional encapsulation. VPNs are implemented as SSL VPNs. This implementation meets security requirements and, with Transport Layer Security (TLS) enabled, is considered secure, but the underlying protocol with SSL/TLS is just TCP-based. With modern video remoting protocols exploiting connectionless UDP-based transports, the performance benefits can be significantly eroded when forced over a TCP-based transport. This does not apply to all VPN technologies, as those that can also operate with DTLS or IPsec instead of SSL/TLS can work well with Horizon 7 desktop protocols.
Enhance Horizon Security with Unified Access Gateway
- See Configuring Certificate or Smart Card Authentication on the Unified Access Gateway appliance in the Deploying and Configuring VMware Unified Access Gateway document in https://docs.vmware.com/en/Unified-Access-Gateway/index.html.
- The Endpoint Compliance Checks feature provides an extra layer of security for accessing Horizon desktops in addition to the other user authentication services that are available on Unified Access Gateway. See Endpoint Compliance Checks for Horizon in the Deploying and Configuring VMware Unified Access Gateway document in https://docs.vmware.com/en/Unified-Access-Gateway/index.html.
Double-hop DMZ
For cases where a double-hop DMZ between the Internet and the internal network is required, you can deploy a Unified Access Gateway appliance in the outer DMZ as a Web Reverse Proxy with Unified Access Gateway in the inner DMZ to create a double-hop DMZ configuration. Traffic passes through a specific reverse proxy in each DMZ layer and cannot bypass a DMZ layer. For configuration details, see the Deploying and Configuring VMware Unified Access Gateway document.