Technical Introduction to VMware Unified Access Gateway for Horizon Secure Remote Access
In this post I will give an overview of Unified Access Gateway, the VMware virtual appliance used with End-User Computing products. I will describe the main features and then drill down a little into deployment, security, high availability (HA) and scalability.
What Is Unified Access Gateway?
Unified Access Gateway (UAG) is a virtual appliance primarily designed to allow secure remote access to VMware end-user computing resources from authorized users connecting from the internet. UAG supports VMware Horizon, VMware Identity Manager and VMware AirWatch use cases but this post focuses just on the Horizon functionality. UAG provides this secure connectivity to desktops and applications that are either cloud-hosted through VMware Horizon Cloud or on-premises in a customer data center through Horizon 7.
A connection from a Horizon Client or browser on the internet, whether to on-premises or cloud-hosted end-user computing resources, presents a security challenge. An enterprise needs strong assurance of the identity of the user, and also needs to precisely control access to their entitled desktops and applications.
For those of you who are familiar with Horizon security server, UAG provides similar but enhanced functionality.
UAG virtual appliances are typically deployed in a network demilitarized zone (DMZ), and they ensure that all traffic entering the data center to desktop and application resources is traffic on behalf of a strongly authenticated user. UAG virtual appliances also ensure that the traffic for an authenticated user can be directed only to desktop and application resources to which the user is actually entitled. This level of protection involves specific inspection of desktop protocols and coordination of potentially rapid changing policies and network addresses, and so on, to be able to accurately control access.
The main difference from Horizon security server is that UAG is implemented as a hardened, locked-down, preconfigured Linux-based virtual machine, as opposed to software running on a general-purpose Windows operating system. UAG also scales differently; the restriction to pair it with a single Horizon Connection Server has been removed. You can connect a UAG appliance to an individual Horizon Connection Server, or you can connect it through a load balancer in front of multiple Horizon Connection Servers, giving improved high availability. It acts as an enforcing man-in-the-middle between Horizon Clients and backend Horizon Connection Servers, and because deployment is so fast, it can rapidly scale up or down to meet the demands of fast-changing enterprises.
How Is Unified Access Gateway Deployed?
The short answer is that UAG is deployed very quickly and very easily! UAG is packaged in Open Virtualization Format (OVF) as a single .ova file and is deployed onto a vSphere ESX or ESXi host as a pre-configured virtual appliance VM that is locked down and set up for production operation on first boot.
Figure 2: Deploying the UAG OVF Template in vSphere Web Client with vCenter
As shown in Figure 2, a basic install, where settings can be specified in a deployment wizard, can be performed through the vSphere Web Client with vCenter using the Deploy OVF Template option and selecting the UAG OVA virtual appliance image file. You are prompted for some basic settings such as its IP addresses, management interface passwords, and a forwarding URL, and UAG is then set up. The administrator can then use the UAG admin UI to configure additional settings.
For Windows administrators, PowerShell can be used to deploy UAG automatically. With the PowerShell command, all of the settings come from a .ini file. This method ensures that UAG is “Production ready on first boot” and it simplifies management as the .ini file can be re-used for future deployments. Deploying an upgraded UAG appliance then simply involves changing the source .ova file reference and re-running the deployment command. This deploys an upgraded UAG and all the initial settings are re-applied automatically. The process takes around 2 minutes depending on vSphere compute, network and storage performance, after which no manual configuration steps are required. Refer to Using PowerShell to Deploy VMware Unified Access Gateway for details including sample .ini files to help get started.
One of the unique features of UAG is the almost zero level of ongoing management required. All of its dynamic configuration settings and access-control security rules are automatically determined from the backend server systems, such as Horizon Connection Server, so that it immediately adapts to changes in entitlement policies. UAG does support a full admin UI and a management REST API for getting and setting static configuration values, but the general approach is to deploy it with all configurations applied at the outset. You deploy it, and apart from monitoring it, you just leave it alone.
Syslog-based monitoring is supported with UAG. You can use any syslog environment to capture UAG events, and full vRealize Log Insight integration is supported.
For production environment deployments, I would certainly recommend using the scripted, unattended PowerShell deployment method. This gives you a predictable and repeatable deployment for all UAG virtual appliances and takes care of any advanced settings you need to specify. On first start-up, you then know it is fully configured, fully secured, and immediately ready to operate. The scripted deployment method also makes it easier to deploy upgraded images as they become available. The script can be re-used and altered to reference a newer UAG OVA image. The original can be destroyed, and a newer replacement can be quickly deployed, and all the exact same settings will be automatically applied.
How Does User Authentication Work?
User authentication in pass-through mode is very similar to Horizon security server. Supported user authentication methods through UAG include:
- Active Directory domain password
- Kiosk mode
- RSA SecurID two-factor
- RADIUS via a number of third party, two-factor security-vendor solutions
- Smart card, CAC, or PIV X.509 user certificates
These authentication methods are supported in combination with Horizon Connection Server. There is no requirement for UAG to communicate directly with Active Directory. This communication is proxied via the Horizon Connection Server, which can directly access Active Directory.
In addition to pass-through authentication, UAG can instead be configured to perform the initial user authentication itself. This is particularly important for secure environments where proper “edge” authentication in the DMZ is required. This applies to Smart Card authentication, and two factor authentication using RSA SecurID or RADIUS. A user must pass the strong UAG two-factor authentication in the DMZ before any traffic for that user enters the data center. Any traffic that is not on behalf of a strongly authenticated user is disguarded in the DMZ.
After the user session has been authenticated according to the authentication policy, UAG is then able to forward requests for entitlement information, and desktop and application launch requests, to Horizon Connection Server. UAG is also able to manage its desktop and application protocol handlers to allow them to forward only authorized protocol traffic.
What About Scalability and High Availability?
One of the features of VMware Horizon is that deployments can avoid any single points of failure. UAG appliances scale horizontally so that as traffic load requirements increase, you add more UAG appliances behind a general-purpose load balancer. If a UAG appliance goes down for any reason, the load balancer becomes aware of this through health monitoring and directs traffic to the other UAG appliances. This response also serves to spread load across all available appliances.
UAG is also able to communicate with backend Horizon Connection Servers via a load balancer, so if a Connection Server is down for any reason, this does not reduce the capacity for desktop and application protocol handling within the DMZ.
UAG supports roughly 2,000 sessions. The actual number depends very much on the display traffic used by each user. If 2,000 sessions underperform, or place high resource demands on the appliance, then the load can be spread to say 1,000 sessions on each of two appliances, or even 500 sessions on each of four appliances. Because UAG is quick and easy to deploy, you can increase or reduce the number of UAG appliances according to demand and monitored use.
There really is no limit to the number of UAG appliances that can be deployed because there is no communication between them, and they are therefore all independent of one another.
How Is This Different from a VPN?
If you choose to use a Virtual Private Network (VPN), Horizon fully supports remote access to desktops and applications via a VPN. A VPN can certainly meet the requirement of ensuring that traffic into the internal network is forwarded only on behalf of a strongly authenticated user. In that respect, UAG and a commercial-grade VPN are similar. There are some considerations, though, that should be pointed out.
- Access control management. UAG applies access rules automatically. UAG has the additional benefit that it recognizes not only the user’s entitlements, but also the addressing needed to connect internally, which can change quickly! To some extent, a VPN can do the same, because most VPNs allow an administrator to configure network connection rules for every user or group of users individually. At first, this works well with a VPN, but usually involves significant administrative effort to keep up with the required rules. Quite often this is too much for an administrator to manage, and either too many authorized resources end up blocked, or unauthorized resources end up being allowed. The easy response for a VPN administrator is to allow unchecked access to any resource on the internal network; authenticate to the VPN, and you have complete access to the corporate network as though you were on the internal network. This is easy for the administrator, but usually a concern for corporate security. Not all, but many, VPN administrators will adopt this low-cost operational approach.
- User interface. A VPN often requires that the end user first set up the VPN software and authenticate separately before launching the Horizon Client. This may be secure, but users do not like this extra step. UAG does not alter the straightforward Horizon Client user interface at all, and eliminates the extra (VPN) step. The user launches the Horizon Client, and as long as the authentication is successful, they are into their Horizon environment, and have precisely controlled access to their desktops and applications.
- Performance. Not all, but many, VPNs are implemented as SSL VPNs. These certainly meet security requirements and, with Transport Layer Security (TLS) enabled, are usually considered secure, but the underlying protocol with SSL/TLS is just TCP-based. With modern video-remoting protocols exploiting connectionless UDP-based transports, the performance benefits can be significantly eroded when forced over a TCP-based transport. This does not apply to all VPN technologies, as those that can also operate with DTLS or IPsec instead of SSL/TLS can work well with Horizon desktop protocols. UAG is specifically designed to maximize security and maximize performance. It does not have to be a compromise between the two. With UAG, PCoIP, HTML access, and WebSocket protocols are secured without requiring additional encapsulation, and so UAG gives the best possible user experience.
I am not saying that you should not use a VPN with Horizon desktops and hosted applications, although with UAG it is unnecessary. What I am saying is to make sure the administrative effort, the user experience for setup, and the desktop protocol performance are all considered before using VPN technology with Horizon. The first concern about accurate access controls can be addressed by using VPN technology in combination with UAG. The performance degradation with a VPN can be significantly reduced by using VPN technology that efficiently handles UDP. These are typically DTLS or IPsec-based instead of SSL/TLS-based.
Does Unified Access Gateway Replace Horizon Security Server?
Horizon security server currently remains fully supported in Horizon 6 and Horizon 7. If you have deployed Horizon security server in your on-premises Horizon environment you can continue to use Horizon security server as before, or you can replace it with a UAG appliance.
As I have mentioned earlier in this article, UAG does offer enhanced functionality to Horizon security server. What we do expect, is that with significant research and development investments in UAG, we are rapidly developing improved capabilities, and this does mean that Horizon security server will probably be phased out or at least deprecated. Dates for this have not yet been decided.
For the Horizon Cloud use case with cloud-hosted desktops and applications, Horizon security server cannot be used, and therefore UAG must be used. It is built into Horizon Cloud, anyway.
Where Can I Get More Information About Unified Access Gateway?
For more information, see Deploying and Configuring Unified Access Gateway.
By Mark Benson, Senior Architect and Senior Staff Engineer, End-User-Computing CTO Office, VMware