In a production deployment, we won't suggest placing the Horizon Connection Server facing Internet directly. Rather than that, a Unified Access Gateway (UAG) will be a good choice.
UAG equips remote workers anywhere, anytime with secure accesses to Horizon virtual desktops and applications. UAG is designed to be Internet facing in DMZ network to enhance Horizon security by adding extra security measurement like multi-factors or SAML authentication. This sharing will walk you through the basic on setting up a UAG as Horizon Edge.
The setup will involves 2 major steps.
1. Deploy the OVF of UAG
To deploy the UAG, you may download the latest UAG OVF file from your VMware download account.
Logon to the vCenter. Click the "Actions" button and select "Deploy OVF Template".
Check "Local files" and click "Upload Files" to select the OVF file. Click "Next".
Assign a machine name for the UAG. Select the corresponding location for the UAG. Click "Next
Select corresponding resources group to place the UAG. Click "Next".
Click "Next".
Base on the sizing of your Horizon infrastructure and network topology, you will have several deployment types available.
Since this deployment is for testing, a "Single NIC" option is good for the purpose. In production, you may select a larger options. UAG also support setting up Internet, management and back end network with 3 different vSphere networks.
Click "Next".
Select corresponding datastore to place the UAG. Click "Next".
Select corresponding vSphere network for different purposes. Since my previous deployment option is single NIC, here I will assign same network for all. Click "Next".
Select "Staticv4" for IPMode. Assign an IP for NIC1 (eth0) IPv4 address.
Input the DNS server IP to DNS server address.
Input subnet mask to NIC1 (eth0) IPv4 netmask.
Input gateway IP to IPv4 Default Gateway.
Input the UAG name to Unified Gateway Appliance Name.
Assign a password to Password for the root user of this VM.
Assign a password to Password for the adminuser, which enables REST API access.
Click "Next".
Click "Finish" to start the deployment.
Once the deployment completed, you may start the UAG VM.
2. Extra Configuration on Connection
Before configuring the UAG appliance, there have corresponding configuration required on Connection Server.
Logon to the Connection Server Admin UI.
Click "Servers" on left pane. Click "Connection Servers" tab. Select the Connection Server. Click "Edit" button.
Make sure the configuration is same as below. Click "OK".
Open the file explorer of Connection Server. Navigate to following path:
c:\Program Files\VMware\VMware View\Server\sslgateway\conf\
Right click and create a new file. Right click the "New Text Documents" and select "Rename".
Change the file name to "locked.properties". Make sure the file name extension is ".properties".
Edit the newly created locked.properties file.
Make sure the file has line of "checkOrigin=false" at the beginning of the file.
Then adding all web links that can access the VDI service with format "portalHost.x=[URL Link]".
For example, if the VDI service can be accessed from both connection link and UAG link (e.g. connect.testing.com & usg.testing.com). Then you have to add 2 more lines as follow.
The next step will retrieve the certificate thumbprint for upcoming UAG configuration. This step will be performed through a web browser. I am using Firefox as an example.
Launch Firefox and access the Connection Server web portal.
Click the "Lock" icon. Select "Connection secure".
Click "More information".
Scroll down the certificate detail page until reaching the Fingerprints section. Copy down the SHA-1 fingerprint for later use.
3. Integrating UAG with Horizon
Once you have deployed the OVF template, you can logon to the UAG for configuration.
The UAG admin UI is only accessible with port 9443 only. The URL to access the UI will similar to following:
https://[UAG FQDN]:9443
Logon to the UAG admin UI.
Click "Select" button under Configure Manually.
The UAG appliance is deployed with a self signed certificate. You can replace this to a 3rd party signed certificate to avoid any certificate error showing on user connection.
To do this, click the "Gear" button next to the TLS Server Certificate Settings.
In my testing, I am using a wildcard certificate on the testing domain name. And I am accessing the admin and internet interface with same domain suffix. So I imported "Admin Interface" and "Internet Interface" at the same time.
If you are using different domain name suffix to access 2 different interfaces, please remember to do this procedure one by one for each interface.
Check "Admin Interface" and "Internet Interface".
Select corresponding certificate type. My certificate used for the testing is PFX format.
Provide the password of the certificate.
Click "Save".
Click and show the Edge Service Setting.
Click the "Gear" button next to Horizon Setting.
Check the "Enable Horizon".
Provide the Connection Server URL. It should be the FQND of Connection Server which is resolvable from UAG. Please also provide the thumbprint of the certificate on Connection Server. The input value will require a specific format like "sha1=xx xx xx xx xx xx xx......".
Check and enable Blast
Provide the Blast External URL. It should be the FQND accessing the Horizon from Internet. Don't forget to put :443 at the end of the URL.
Since I am not planning to use PCoIP for client access, i am not enabling it.
Check and enable UDP Tunnel Server.
Check and enable Tunnel.
Provide the Tunnel External URL. It should be the FQND accessing the Horizon from Internet. Don't forget to put :443 at the end of the URL.
Click "Save".
Please wait for about 5 minutes until the setting applied. All corresponding Horizon setting will be shown in green when setting applied.
----- END -----
Good morning.. Coudl you please suggest any articles how to create the UAG certificates?