VMware Unified Access Gateway (UAG) is the security gateway for VMware Workspace ONE. It provides secure edge services and access to defined resources that reside in the internal network. This access allows authorized external users to access internally located resources in a secure manner. Today’s post covers the updates and features in the Unified Access Gateway 3.3 release.
For more information about the Unified Access Gateway architecture, see VMware Workspace ONE and VMware Horizon 7 Enterprise Edition On-premises Reference Architecture.
Device Certificate Authentication for Reverse Proxy
Device Certificate Authentication is now supported for the Web Reverse Proxy edge service. Certificate authentication protects internal websites such as SharePoint and Outlook OWA when they are accessed from external devices.
Requirements
- Upload the root and intermediate certificates for each domain to the UAG appliance.
- Set certificate-auth as the authentication method on the Reverse Proxy instance.
- Install the user client certificate and the root certificate on the client device.
Monitor Changes with Audit Logs
To help organizations meet record-keeping requirements for compliance, all admin user operations are now recorded in audit.log. These entries are also included in the Log Archive file download, so IT administrators can monitor configuration changes.
Network Protocol Profile Dependency Removed
Prior to Unified Access Gateway 3.3, a vSphere Network Protocol Profile or IP Pool had to be associated with every referenced network name; the Network Protocol Profile specifies network settings such as the IPv4 subnet mask, gateway, and so on.
To make vSphere deployments more flexible, Unified Access Gateway 3.3 no longer uses vSphere Network Protocol Profiles or IP Pools for network settings. Instead, IT administrators supply the IPv4 netmask, IPv6 prefix and default gateway (as required) directly.
If no IP address and netmask are provided for the NIC(s), the appliance defaults to DHCPV4+DHCPV6 for IP address allocation. When IP Mode is set to STATICV4 or STATICV6, specify the address and netmask as follows:
- STATICV4 – Specify the IPv4 address and netmask for that NIC
- STATICV6 – Specify the IPv6 address and netmask for that NIC
- STATICV4+STATICV6 – Specify the IPv4 and IPv6 address and netmask for that NIC
As an example, for a STATICV4 deployment the following settings would be required depending on the number of NICs (the options not in use are commented out with #):
defaultGateway=192.168.0.1
# one NIC
#deploymentOption=onenic
#ip0=192.168.0.90
#netmask0=255.255.255.0
# two NICs
#deploymentOption=twonic
#ip0=192.168.0.90
#ip1=192.168.0.91
#netmask0=255.255.255.0
#netmask1=255.255.255.0
# three NICs (the active option; each static NIC needs both its ipN and its netmaskN uncommented)
deploymentOption=threenic
ip0=192.168.0.90
ip1=192.168.0.91
ip2=192.168.0.92
netmask0=255.255.255.0
netmask1=255.255.255.0
netmask2=255.255.255.0
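As an added pre-flight check for the INI fragment above (not part of UAG or its PowerShell deployment script): a small checker that reads the uncommented deploymentOption, ipN, netmaskN and defaultGateway keys and reports a NIC whose netmask is missing or invalid, which is what happens when a netmask line is left commented out. The sample INI is constructed, and the checker assumes the default gateway must lie on the subnet of at least one NIC.

```python
import ipaddress
# Hypothetical pre-flight check for the STATICV4 keys above (deploymentOption,
# ipN, netmaskN, defaultGateway); not part of UAG or its PowerShell scripts.
NIC_COUNT = {"onenic": 1, "twonic": 2, "threenic": 3}

def active_settings(ini_text):
    settings = {}
    for line in ini_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def check_static_v4(ini_text):
    """Return a list of problems with the static IPv4 settings; [] means OK."""
    s = active_settings(ini_text)
    count = NIC_COUNT.get(s.get("deploymentOption", ""))
    if count is None:
        return ["deploymentOption must be onenic, twonic or threenic"]
    try:
        gateway = ipaddress.IPv4Address(s.get("defaultGateway", ""))
    except ValueError:
        return ["defaultGateway is missing or not a valid IPv4 address"]
    problems, gateway_on_link = [], False
    for n in range(count):
        ip, mask = s.get(f"ip{n}"), s.get(f"netmask{n}")
        if ip is None or mask is None:
            problems.append(f"NIC {n}: ip{n} and netmask{n} are both required")
            continue
        try:
            network = ipaddress.IPv4Interface(f"{ip}/{mask}").network
        except ValueError:
            problems.append(f"NIC {n}: {ip}/{mask} is not a valid address/netmask")
            continue
        gateway_on_link = gateway_on_link or gateway in network
    # Assumption: the default gateway must sit on the subnet of some NIC.
    if not problems and not gateway_on_link:
        problems.append(f"defaultGateway {gateway} is not on any NIC subnet")
    return problems

# Constructed sample: a two-NIC block with both netmasks commented out.
BROKEN_INI = """defaultGateway=192.168.0.1
deploymentOption=twonic
ip0=192.168.0.90
ip1=192.168.0.91
#netmask0=255.255.255.0
#netmask1=255.255.255.0
"""
FIXED_INI = BROKEN_INI.replace("#netmask", "netmask")
```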
TLS Port 443 Sharing
TLS port sharing minimizes the number of non-standard ports open in the DMZ and so reduces the exposed attack surface. New UAG deployments with multiple edge services configured to use TCP port 443 now have TLS port sharing enabled by default. Supported edge services include Horizon Blast, Per-App Tunnel, Content Gateway, and Web reverse proxy.
Additionally, when Content Gateway and Per-App Tunnel are enabled, the Appliance Agent automatically sets the TLS SNI rule.
To further encourage TLS port sharing, vSphere OVF Wizard deployments can no longer disable this setting. PowerShell deployments can still disable port sharing by setting tlsPortSharingEnabled to false.
The diagram shows what happens when an end user accesses internal resources from Content Locker or from an app that uses a Per-App Tunnel. First, the app connects on port 443 to the UAG front end in the DMZ. The UAG front end then forwards the request to the UAG back end on 443 for Per-App Tunnel requests and on 443 for Content Gateway requests.
Dual Mode Support for Horizon Infrastructure
To support real-world scenarios that require the use of IPv4 and IPv6 addresses, Unified Access Gateway now provides dual mode support for Horizon. The Unified Access Gateway Internet NIC operates in dual mode, bridging IPv4 and IPv6 Horizon Client connections to the IPv4 backend NIC.
Editable Network Settings
IT Administrators can now edit the network settings (IPv4 and IP allocation mode) for each NIC of the UAG Appliance through the Admin UI.
UAG Sizing Options
To simplify the deployment of the UAG appliance as the Workspace ONE security gateway, sizing options were added to the appliance’s deployment configurations. Previously, the Unified Access Gateway appliance came in a single, standard size which could only be altered post-deployment. Now, the new deployment configuration offers a choice between a Standard or a Large virtual machine.
- Standard – Remains recommended for Horizon deployments supporting up to 2,000 Horizon connections, aligned with the Connection Server capacity. Also recommended for Workspace ONE UEM deployments (mobile use cases) up to 10,000 concurrent connections.
- Large – Recommended for Workspace ONE UEM deployments where UAG needs to support over 10,000 concurrent connections. This size allows Content Gateway, Per App Tunnel & Proxy, and Reverse Proxy to use the same UAG appliance.