VMware Unified Access Gateway™ is an extremely useful component within a VMware Workspace ONE® and VMware Horizon® deployment because it enables secure remote access from an external network to a variety of internal resources. Unified Access Gateway supports multiple use cases:
- Per-app Tunneling of native and web apps on mobile and desktop platforms to secure access to internal resources through the VMware Tunnel service.
- Secure on-premises email infrastructure that grants access only to authorized devices, users, and email applications based on managed policies. This capability leverages the Secure Email Gateway service integrated with Workspace ONE UEM.
- Access from VMware Workspace ONE® Content to internal file shares or SharePoint repositories by running the Content Gateway service.
- Reverse proxying of web applications.
- Identity bridging for authentication to on-premises legacy applications that use Kerberos or header-based authentication.
- Secure external access to desktops and applications on VMware Horizon® Cloud Service™ on Microsoft Azure, and VMware Horizon.
Deploying Unified Access Gateway
Unified Access Gateway is packaged as an OVF and is deployed onto a vSphere ESX or ESXi host as a pre-configured virtual appliance.
Two primary methods can be used to install the Unified Access Gateway appliance on a vSphere ESX or ESXi or host. Microsoft Server 2012 and 2016 Hyper-V roles are supported.
- The vSphere Client or vSphere Web Client can be used to deploy the Unified Access Gateway OVF template. You are prompted for basic settings, including the NIC deployment configuration, IP address, and management interface passwords. After the OVF is deployed, log in to the Unified Access Gateway admin user interface to configure Unified Access Gateway system settings, set up secure edge services in multiple use cases, and configure authentication in the DMZ. See Deploy Unified Access Gateway Using the OVF Template Wizard.
- PowerShell scripts can be used to deploy Unified Access Gateway and set up secure edge services in multiple use cases. You download the ZIP file, configure the PowerShell script for your environment, and run the script to deploy the Unified Access Gateway. See Using PowerShell to Deploy the Unified Access Gateway Appliance.
Note: For Per-App Tunnel and Proxy use cases, you can deploy Unified Access Gateway on either ESXi or Microsoft Hyper-V environments.
Note In both the above methods of deployment, if you do not provide the Admin UI password, you cannot add an Admin UI user later to enable access to either Admin UI or API. If you want to do so, you must redeploy your Unified Access Gateway instance with a valid password.
Using the OVF Template Wizard to Deploy Unified Access Gateway
To deploy Unified Access Gateway, you deploy the OVF template using the vSphere Client or vSphere Web Client, power on the appliance, and configure settings.
When you deploy the OVF, you configure how many network interfaces (NIC) are required, the IP address and set up the administrator and root passwords.
After the Unified Access Gateway is deployed, go to the administration user interface (UI) to set up the Unified Access Gateway environment. In the admin UI, configure the desktop and application resources and the authentication methods to use in the DMZ. To log in to the admin UI pages, go to https://<mycoUnifiedGatewayAppliance>.com:9443/admin/index.html.
Deploy Unified Access Gateway Using the OVF Template Wizard
You can deploy the Unified Access Gateway appliance by logging in to vCenter Server and using the Deploy OVF Template wizard.
Two versions of the Unified Access Gateway OVA are available, standard OVA and a FIPS version of the OVA.
The FIPS version of the OVA supports the following Edge services:
- Horizon (pass-through auth and certificate auth)
Note: Certificate authentication includes both smart card authentication and device certificate authentication.
- VMware Per-App Tunnel
- Secure Email Gateway