Professional Documents
Culture Documents
Unified Access Gateway Architecture Noindex
Unified Access Gateway Architecture Noindex
Unified Access Gateway Architecture Noindex
Please visit
https://techzone.vmware.com/resource/unified-access-gateway-architecture for the latest version.
Table of contents
Introduction ............................................................................................................................................... 4
Design ...................................................................................................................................................... 6
Scalability .............................................................................................................................................. 6
Deployment Model .................................................................................................................................. 7
Load Balancing ...................................................................................................................................... 8
High Availability ..................................................................................................................................... 8
Authentication .......................................................................................................................................... 16
Introduction
VMware Unified Access Gateway™ is an extremely useful component within a VMware Workspace ONE® and VMware Horizon®
deployment because it enables secure remote access from an external network to a variety of internal resources. Unified Access
Gateway supports multiple use cases:
Per-app tunneling of native and web apps on mobile and desktop platforms to secure access to internal resources
through the VMware Tunnel service.
Secure on-premises email infrastructure that grants access only to authorized devices, users, and email applications
based on managed policies. This capability leverages the Secure Email Gateway service integrated with VMware
Workspace ONE® Unified Endpoint Management (UEM).
Access from VMware Workspace ONE® Content to internal file shares or SharePoint repositories by running the
Content Gateway service.
Reverse proxying of web applications.
Identity bridging for authentication to on-premises legacy applications that use Kerberos or header-based
authentication.
Secure external access to desktops and applications on VMware Horizon® Cloud Service™ on Microsoft Azure, and
VMware Horizon® on vSphere.
When providing access to internal resources, Unified Access Gateway can be deployed within the corporate DMZ or internal
network, and acts as a proxy host for connections to your company’s resources. Unified Access Gateway directs authenticated
requests to the appropriate resource and discards any unauthenticated requests. It also can perform the authentication itself,
leveraging additional authentication methods when enabled.
Decision Multiple Unified Access Gateway appliances were deployed on vSphere to support the whole Workspace ONE environment.
This strategy provides external access for Workspace ONE users to internal resources, such as web applications, file
Justification
repositories, and virtual desktops and applications.
On Horizon Cloud Service on Microsoft Azure, Unified Access Gateway appliances can be deployed as part of the Horizon Cloud
pod’s gateway configuration. See Specify the Pod's Gateway Configuration in the Horizon Cloud Deployment Guide.
Table 2: Implementation Strategy for External Access to the Horizon Cloud Service Component
Decision Unified Access Gateway was deployed as part of Horizon Cloud Service on Microsoft Azure.
This strategy provides external access for Workspace ONE users of the Horizon Cloud desktops and
Justification applications.
Deployment is automated when selected as part of the Horizon Cloud pod’s gateway configuration
Design
A successful deployment of Unified Access Gateway is dependent on good planning and a robust understanding of the platform.
The following sections discuss the design options and detail the design decisions that were made to satisfy the design
requirements.
Scalability
Unified Access Gateway gives three sizing options during deployment.
Table 3: Unified Access Gateway Sizing Options
CPU (cores) 2 4 8
Because multiple Workspace ONE UEM services can be enabled on a single appliance, during the design phase, consider which use
cases require Workspace ONE UEM services. For example, consider the number of concurrent connections required, the desired
network throughput, and how critical each one is for the business. This key information helps determine the number of appliances
you will need and how to distribute services across the appliances.
As an example, in a large deployment, although all Workspace ONE UEM services might be needed, not all users will need to
consume all services equally. Identifying the number of users that will consume each service is key to helping determine the
number of appliances to use.
Unified Access Gateway provides the flexibility to design your deployment based on your specific business needs. You have the
following options:
1. All Workspace ONE UEM services can be enabled in each appliance.
2. Multiple services can be enabled (any two or all three Workspace ONE UEM services) per appliance.
3. A single service can be enabled per appliance.
Take into consideration what the business impact would be if users could not get access to an email or one of their business-
critical applications through one of the services. To help mitigate this type of risk, you might choose to have all services enabled in
each appliance rather than spreading different services across different sets of appliances.
Note: To satisfy high-availability requirements, the proposed solution in our reference architecture was deployed based on the best
practice of using n+1 appliances. It is possible to deploy only a single Unified Access Gateway appliance as part of a smaller
deployment. However, VMware recommends deploying at least two load-balanced appliances.
Table 4: Implementation Strategy for Accommodating Workspace ONE UEM Service Connections
Three large-sized Unified Access Gateway appliances were deployed to satisfy the requirement for 50,000
devices that leverage VMware Tunnel, Content Gateway, and Web Reverse Proxy with Identity Bridging.
Decision
Secure Email Gateway was not enabled because the email infrastructure was hosted in the cloud. Instead, we
used Workspace ONE Mobile Email Management using a direct model via PowerShell with Microsoft Office 365.
Each service is designed to support 50,000 sessions, which gives a total of 100,000 sessions. Two appliances
Justification
satisfy the load demand and a third provides high availability (n+1).
For Horizon services, use a standard-sized appliance which will support up to 2,000 Horizon connections.
Table 5: Implementation Strategy for Accommodating Horizon Desktop and App Connections
Five standard-sized Unified Access Gateway appliances were deployed to satisfy the requirement for 8,000
Decision
concurrent external connections to Horizon desktops and applications.
Justification Four appliances can satisfy the load demand, and a fifth provides high availability (n+1).
For detailed sizing information based on single or multiple combinations of edge services enabled on Unified Access Gateway, visit
the VMware Configuration Maximums tools.
Deployment Model
Unified Access Gateway offers basic and cascade-mode architecture models for deployment. Both configurations support load-
balancing for high availability and SSL/TLS offloading.
In the basic deployment model, Unified Access Gateway is typically deployed in the DMZ network, behind a load
balancer.
The cascade-mode deployment model includes front-end and backend instances of the Unified Access Gateway, which
have separate roles. The Unified Access Gateway front-end appliance resides in the DMZ and can be accessed from
public DNS over the configured ports.
Figure 2: Example Basic and Cascade Deployment of VMware Tunnel and Content
The Unified Access Gateway backend appliance is deployed in the internal network, which hosts internal resources. Edge services
enabled on the front-end can forward valid traffic to the backend appliance after authentication is complete. The front-end
appliance must have an internal DNS record that the backend appliance can resolve. This deployment model separates the
publicly available appliance from the appliance that connects directly to internal resources, providing an added layer of security.
Cascade mode is supported only for the following edge services: Horizon, VMware Tunnel and Content Gateway.
Reasons to adopt cascade mode for VMware Tunnel and Content Gateway edge services, are:
An organization might have limited or no DNS access in the DMZ, which makes it difficult to resolve the internal FQDN
or host name that the edge service requires.
The organization’s security policies might restrict access from the DMZ directly to internal resources.
In a Horizon deployment, cascade mode does not require a double DMZ, but for environments where a double DMZ is mandated,
the front-end Unified Access Gateway appliance can act as the Web Reverse Proxy in the DMZ, and the backend appliance can
have the Horizon edge service enabled.
Basic deployment mode was used to deploy all Unified Access Gateway appliances, which were located behind
Decision
load balancers.
DNS was available in the DMZ and was able to resolve internal host names. Access to the internal network was
Justification restricted to the Unified Access Gateway backend NIC by means of firewall rules. Incoming traffic was
restricted to the Internet NIC by means of load balancers.
Load Balancing
It is strongly recommended that users connect to Unified Access Gateway using a load-balanced virtual IP (VIP). This ensures that
user load is evenly distributed across all available Unified Access Gateway appliances. Using a load balancer also facilitates greater
flexibility by enabling IT administrators to perform maintenance, upgrades, and configuration changes without impacting users.
High Availability
Unified Access Gateway provides, out-of-the-box, a high-availability solution for the Unified Access Gateway edge services
deployed in vSphere environments. The solution supports up to 10,000 concurrent connections in a high-availability (HA) cluster
and simplifies HA deployment and configuration of the services.
The HA component of Unified Access Gateway requires an administrator to specify an IPv4 virtual IP address (VIP) and a group
ID. Unified Access Gateway assigns this VIP address to only one of the nodes in the cluster. If that node fails, the VIP address gets
reassigned automatically to one of the other available nodes in the cluster. HA and load distribution occur among all the nodes in
the cluster that share the same group ID.
Figure 3: Virtual IP Address and Group ID Configuration for HA in Two Separate Clusters
Unified Access Gateway leverages different algorithms to balance traffic and session affinity:
For Horizon and web reverse proxy, source IP affinity is used with a round-robin algorithm for distribution.
For VMware Tunnel (Per-App Tunnel), Content Gateway, and Secure Email Gateway, there is no session affinity, and a
least-connection algorithm is used for distribution.
Regarding IP address requirements, n+1 public IP addresses are required for Horizon components:
One IP address for the load-balanced floating VIP used for the XML-API
An additional one per Unified Access Gateway appliance for the secondary protocols (tunnel, Blast, PCoIP), which is the
IP assigned to NIC 1 (eth0) and will not use HA
The XML-API traffic is routed to the current primary (VIP) and represents less than 1 percent of the Horizon Client traffic. The rest of
the traffic goes directly from the client to the assigned Unified Access Gateway during XML-API authentication.
Figure 5: Unified Access Gateway HA Flow for VMware Tunnel and Content Gateway Edge Services
For Secure Email Gateway in an HA scenario, it is important to enable SEG Clustering on the Workspace ONE UEM console. SEG
Clustering ensures that all the Secure Email Gateways that are part of the cluster receive updated policies from Workspace ONE
UEM in a synchronized fashion.
The SEG Cluster configuration on the Workspace ONE UEM Console requires the administrator to add all Secure Email Gateway IP
address, rather than using hostnames. If you deploy Unified Access Gateway with multiple NICs, you must inform the IP address of
the management NIC. SEG clustering on ports 5701 and 41232 are restricted to the management NIC.
Figure 6: Unified Access Gateway HA Flow for Secure Email Gateway Edge Service
Administrators can use the Unified Access Gateway administration UI to access the SEG Health Diagnostic Page, located on the
Edge Service Session tab. This page displays the real-time status of the Secure Email Gateway service, including the SEG Cluster.
Administrators also have the option of accessing the SEG REST API at the following URL, where <UAG-hostname> is the hostname
of the appliance:
https://<UAG-hostname>:9443/rest/v1/monitor/seg/diagnostics/diagnostic
For more information on the Unified Access Gateway High Availability component and configuration of edge services in HA, see the
following resources:
VMware Unified Access Gateway: High Availability - Feature Walk-through
Configure High Availability Settings
Unified Access Gateway Configured with Horizon
VMware Tunnel (Per-App VPN) Connection with Basic Configuration
VMware Tunnel (Per-App VPN) Connections in Cascade Mode
Content Gateway with Basic Configuration
Content Gateway with Relay and Endpoint Configuration
Secure Email Gateway on Unified Access Gateway
Unified Access Gateway continues to support third-party load balancers, for organizations who prefer this mode of deployment. For
more information, see:
Unified Access Gateway Load Balancing Topologies
Load Balancing Unified Access Gateway for Horizon
When deploying Unified Access Gateway on Amazon Web Services or Microsoft Azure, VMware strongly recommends leveraging
the native HA/load balancing solution offered by the cloud provider.
Table 7: Load-Balancing Strategy for Unified Access Gateway Appliances
Decision An external third-party load balancer was deployed in front of the Unified Access Gateway appliances.
Justification To meet the goals of scalability and availability, multiple Unified Access Gateway appliances are required.
Service Design
A Unified Access Gateway appliance is capable of running multiple edge services on the same appliance. In larger environments,
be sure to separate Horizon traffic from Workspace ONE UEM services, and have discrete sets of Unified Access Gateway
appliances for each. The Web Reverse Proxy edge service is the only exception. It can be enabled in conjunction with Horizon and
Workspace ONE UEM services.
Table 8: Strategy for Separating Horizon Traffic from Workspace ONE UEM Services
Separate sets of Unified Access Gateway appliances were deployed for on-premises services. One set provided
Decision
Horizon services, and a second supported Workspace ONE UEM services (Content and Tunnel).
A best practice for large deployments is to separate the network traffic and load required for Horizon from
Justification
other uses.
Because multiple edge services can be enabled on the same appliance, by default each one of them runs on a separate port,
which can require opening multiple ports and creating additional firewall rules. In order to avoid that situation, Unified Access
Gateway introduced TLS port sharing, which allows VMware Tunnel (Per-App Tunnel), Content Gateway, Secure Email Gateway,
and Web Reverse Proxy edge services to all use TCP port 443.
For VMware Tunnel, only the Per-App Tunnel component was used to support access to the internal web. Workspace ONE UEM
provides two related solutions that are part of the Unified Access Gateway software appliance:
Tunnel Proxy (obsolete) – Enables SDK-built applications to set up an app-level proxy connection to internal sites,
leveraging HTTPS encryption and certificate authentication. The Workspace ONE Web app embeds proxy support by
default.
Per-App Tunnel – Enables an SSL/TLS VPN connection on a per-app basis for any public or internal application for
managed devices. The Workspace ONE Tunnel application resides on a device, and an administrator explicitly specifies
which apps are enabled for Tunnel. Workspace ONE also offers a new Tunnel SDK module as part of the Workspace
ONE SDK, which serves as a replacement to the Tunnel Proxy solution. Generally speaking, the Per-App Tunnel solution
is more secure, has better performance, and has more features than Tunnel Proxy.
Therefore, all Tunnel Proxy use cases have been consolidated into the Tunnel edge service, app, and SDK. Use of Tunnel Proxy is
no longer recommended.
The consolidation of all Tunnel use cases under VMware Tunnel (Per-App Tunnel) edge service on Unified Access Gateway brings
some additional benefits:
Reduces the number of non-standard ports opened on DMZ.
Enables the use of the Unified Access Gateway High Availability component to load balance Tunnel traffic on port 443.
Enables the use of multiple edge services (Web Reverse Proxy, Content Gateway, Secure Email Gateway) on the same
appliance using a single port (443).
For organizations looking to migrate from Tunnel Proxy to Per-App Tunnel, see the Migrating from Tunnel Proxy to Per-App Tunnel
article on Tech Zone.
Table 9: Strategy for Using VMware Tunnel
Only the Per-App Tunnel component was enabled as part of VMware Tunnel edge service to support use cases
Decision
on MDM and registered mode.
Tunnel Proxy is obsolete and is therefore no longer recommended. All use cases are now supported by VMware
Justification
Tunnel (Per-App Tunnel).
When sharing TCP port 443, ensure that each configured edge service has a unique external DNS entry pointing to the Unified
Access Gateway external NIC IP address.
For services that do not share TCP port 443, a single DNS entry can be shared across those services.
For step-by-step instructions on how to configure each of the Unified Access Gateway edge services, see the following articles on
Tech Zone:
Configuring the VMware Tunnel Edge Service and Deploying VMware Workspace ONE Tunnel
Configuring the Content Gateway Edge Service
Secure Email Gateway: Feature Walk-Through
Configuring Web Reverse Proxy and Identity Bridging
Configuring the Horizon Edge Service
Table 10: Strategy for Port Sharing by Edge Services
Identity bridging, VMware Tunnel, and Content edge services were enabled on the same appliance. The
Decision services shared TCP port 443, but a unique DNS entry was created for each service. The DNS entry pointed to
the load balancer, which forwarded traffic to the pool of external Unified Access Gateway IP addresses.
This strategy leverages TLS port sharing for identity bridging, Tunnel, and Content services to minimize the
Justification
number of nonstandard ports and firewall rules required.
The Horizon edge service was configured to use TCP port 443 to perform authentication and TCP port 8443
Decision and UDP port 8443 to access internal desktops and RDSH-published applications using the Blast Extreme
display protocol.
Best practice is to use Blast Extreme with TCP 8443 and UDP 8443, which are the defaults. When a client
Justification environment has UDP blocked, Blast Extreme still works; however, when UDP 8443 is allowed, communication
is more efficient.
Network Segments
Unified Access Gateway can be deployed with one, two, or three network interface controllers (NICs). The choice is determined by
your network requirements and discussions with your security teams to ensure compliance with company policy.
Single-NIC Deployment
In a single-NIC deployment, all traffic (Internet, backend, and management) uses the same network interface. Authorized traffic is
then forwarded by Unified Access Gateway through the inner firewall to resources on the internal network using the same NIC.
Unauthorized traffic is discarded by Unified Access Gateway.
Two-NIC Deployment
A two-NIC deployment separates the Internet traffic onto its own NIC, while the management and backend network data still share
a NIC.
The first NIC still used for Internet facing unauthenticated access, but the backend authenticated traffic and management traffic
are separated onto a different network. This type of deployment is suitable for production environments.
Three-NIC Deployment
A three-NIC deployment separates the Internet traffic onto its own NIC, and separates management and backend network data
onto dedicated networks. HTTPS management traffic to port 9443 is then only possible from the management LAN. This type of
deployment is suitable for production environments.
Justification This strategy meets the requirements of separating Internet traffic from management and backend data.
Authentication
Unified Access Gateway supports multiple authentication options, for example, pass-through, RSA SecurID, RADIUS, SAML, and
certificates, including smart cards. Pass-through authentication forwards the request to the internal server or resource. Other
authentication types enable authentication at the Unified Access Gateway, before passing authenticated traffic through to the
internal resource.
These options are depicted in the following diagrams.
Users can authenticate through Workspace ONE and Workspace ONE Access. Having authentication performed
Justification
by Unified Access Gateway would force users to authenticate to resources a second time.
Deployment Methods
In this section, we briefly discuss the two supported methods of deploying Unified Access Gateway and then detail the optimal
solution to satisfy the design requirements.
VMware vSphere OVF® template and administration console – With this option, you run the Import OVF (Open
Virtualization Format) wizard and respond to various deployment questions. This method requires responses from an IT
administrator during deployment. If you use this method, the Unified Access Gateway is not production ready on first
boot and requires post-deployment configuration using the administration console. The required configuration tasks can
be performed either manually or by importing a configuration file from another Unified Access Gateway appliance.
PowerShell script – The PowerShell method ensures that the Unified Access Gateway virtual appliance is production
ready on first boot. This method uses the VMware OVF Tool command-line utility in the background when deploying on
vSphere. The IT administrator updates an INI file with the required configuration settings and then deploys the Unified
Access Gateway by entering a simple deployment command in PowerShell (.\uagdeploy.ps1 .\<name>.ini) . For
deployments on Microsoft Azure, Hyper-V, and Amazon Web Services (AWS), the OVF tool is not required because
Unified Access Gateway leverages the PowerShell module for the respective hypervisor.
Table 14: Strategy for Deploying and Configuring Unified Access Gateway Appliances
This option does not require the IT administrator to manually enter settings during deployment and so is less
Justification prone to input error.
This option also makes upgrading and deploying additional appliances easier.
More information on using the PowerShell method is available on the Using PowerShell to Deploy VMware Unified Access Gateway
community page. The PowerShell script and sample INI files can be downloaded from the Unified Access Gateway product
download page. For step-by-step instructions on how to deploy Unified Access Gateway, see the following articles on Tech Zone:
Deploying Unified Access Gateway on vSphere with One NIC Through vSphere Web Client
Deploying Unified Access Gateway on vSphere with Two NICs Through PowerShell
Deploying Unified Access Gateway on Amazon Web Services
Deploying Unified Access Gateway on Microsoft Azure
For deployment of Unified Access Gateway on vSphere and configuration of any of the edge services through PowerShell, see the
Edge Services section of the Mastering Unified Access Gateway product activity path on VMware Digital Workspace Tech Zone.
Certificates
TLS/SSL certificates are used to secure communications for the user between the endpoint and the Unified Access Gateway and
between the Unified Access Gateway and internal resources. Although Unified Access Gateway generates default self-signed
certificates during deployment, for production use, you should replace the default certificates with certificates that have been
signed by a trusted certificate authority (CA-signed certificates).
You can replace certificates either during deployment or as part of the initial configuration. The same certificate or separate
certificates can be used for the user and the administrative interfaces, as desired.
The default certificates generated by Unified Access Gateway apply only to the administrative UI, Horizon, and Web Reverse Proxy
edge service. For more information, see the Certificates section of Deploying VMware Unified Access Gateway.
For the Workspace ONE UEM edge services, self-signed certificates are generated by the AirWatch CA through the Workspace ONE
UEM console. These can also be configured to use public third-party certificates.
The following types of certificates are supported:
Single-server-name certificates, which means using a unique server certificate for each Unified Access Gateway
appliance
Subject alternate name (SAN) certificates
Wildcard certificates
Certificate files can be provided in either PFX or PEM format.
For guidance on how to configure and update Unified Access Gateway to use TLS/SSL for the administrative UI, Horizon, and Web
Reverse Proxy edge services, see Configuring Unified Access Gateway Using TLS/SSL Certificates and Update TLS Server Signed
Certificates.
For guidance on how to configure and update Unified Access Gateway to use TLS/SSL for Workspace ONE UEM Edge Service, see:
Configure VMware Tunnel
Deploy Content Gateway on Unified Access Gateway
Configure the SEG V2
Security protocols and cipher suites are configured on a per-service basis on Unified Access Gateway. Administrators can update
the security protocols and cipher suites any time after deployment using the Unified Access Gateway administration console or
REST API. For more information see Security Protocols and Cipher Suites on Deploying VMware Unified Access Gateway.
Passwords
Unified Access Gateway requires the IT administrator to define two passwords during installation: The first secures access to the
REST API, and the second secures access to the Unified Access Gateway appliance console. The passwords must meet the
minimum requirements documented Modify User Account Setting.
Users with administrator privileges can reset their password through the Unified Access Gateway admin UI. However, If the admin
user password is forgotten, the user can log in to the Unified Access Gateway console (command line) using the root user
credentials and reset the admin UI password. For more information, see Reset the Admin Password using the Unified Access
Gateway Console.
Overview chapters provide understanding of business drivers, use cases, and service definitions.
Architecture chapters give design guidance on the products you are interested in including in your platform, including
Workspace ONE UEM, Workspace ONE Access, Workspace ONE Assist, Workspace ONE Intelligence, Horizon Cloud
Service, Horizon, App Volumes, Dynamic Environment Manager, and Unified Access Gateway.
Integration chapters cover the integration of products, components, and services you need to create the platform
capable of delivering the services that you want to deliver to your users.
Configuration chapters provide reference for specific tasks as you build your platform, such as installation,
deployment, and configuration processes for Workspace ONE, Horizon Cloud Service, Horizon, App Volumes, Dynamic
Environment Management, and more.
Additional Resources
For more information about VMware Unified Access Gateway, you can explore the following resources:
VMware Unified Access Gateway Activity Path
VMware Unified Access Gateway documentation
VMware Knowledge Base
VMware Product Interoperability Matrix
VMware Professional Services
Changelog
The following updates were made to this guide:
2023-07-24
chapter.
design
each
within
contributors
and
authors,
changelog,
list
to
section
Resources
Additional
and
Summary
this
Added
•
2020-07-01
Proxy.
Tunnel
of
instead
Tunnel
Per-App
use
to
recommendation
Updated
guidance.•
sizing
Updated
•
2020-02-27
SEG.
for
option
XL
sizing
new
Added
(SEG).•
Gateway
Email
Secure
for
support
Added
•
Author and Contributors
This chapter was written by:
Andreano Lanusse, Staff End-User-Computing (EUC) Architect in End-User-Computing Technical Marketing, VMware.
Graeme Gordon, Senior Staff End-User-Computing (EUC) Architect in End-User-Computing Technical Marketing,
VMware.
Feedback
Your feedback is valuable.
To comment on this paper, contact VMware End-User-Computing Technical Marketing at
euc_tech_content_feedback@vmware.com.