Horizon Access Point / Unified Access Gateway (UAG) implementation tips

In 2013 I created a blog post with some tips for implementing a VMware Horizon View Security Server (link)”. Now the Unified Access Gateway (UAG) is replacing the VMware Security Server. So it’s time for a new blog post with some implementation tips about VMware Access Point / Unified Access Gateway (UAG). Here’s an overview of the tips:

  • The Unified Access Gateway (UAG) provides secure access to the following environments:
    • VMware Horizon
    • VMware Identity Manager
    • VMware AirWatch

  • In version 2.9 Access Point is renamed to Unified Access Gateway (UAG)
  • UAG is included in the Horizon standard, advanced and enterprise license
  • UAG 2.9 supports Horizon 6.2.3, 6.2.4 and 7.1.0
  • UAG includes some improvements (such as blast Extreme) that are not available in the Horizon Security Server
  • UAG is deployed in the DMZ and replaces the Horizon Security Server (Windows based)
  • UAG is packaged as an OVF.  It’s a hardened Linux appliance based on Suse Enterprise Linux. So there no need for Windows OSes in the DMZ which improves security!
  • Hardware specifications for the UAG are:
    • 2 vCPU
    • 4 GB memory
    • 20 GB harddisk
    • 1,2 or 3 Network adapters
  • Create an IP pool before deploying the UAG
  • Below is an overview of the VMware UAG firewall ports configuration:

The documentation about the the firewall ports can be found here.

(*1) When using Blast Extreme over port 443, port 8443 is not needed

  • The administration user interface (UI) can be used to set up and manage the Unified Access Gateway environment. To access to the management interface go to: https://ipaddress:9443/admin
  • Upgrading UAG is not supported. Install a new appliance. It’s highly recommend to create a PowerShell script for the deployment that can be used everytime when installinging a new UAG.
  • When deploying UAG using PowerShell, download the latest deployment scripts, link
  • The following certificates can be used:
    • Single-Server Name Certificate
    • Subject Alternative Name (SAN)
    • Wildcard Certificate
  • Convert the certificate into PEM-format files for the certificate chain and the private key, then convert the .pem files to a one-line format that includes embedded newline characters
  • If your certificate is in PKCS#12 (.p12 or .pfx) format, or after the certificate is converted to PKCS#12 format, use Openssl to convert the certificate to .pem files
  • There is NO need to pair Horizon Connection Servers with Access Point or UAG. Uncheck the boxes in the Connection Server:

  • Before configuring Radius authentication, first test if PCoIP and Blast access works:
    • Test a native Horizon Client using PCoIP.
      Test a native Horizon Client using Blast.
      Test the HTML Access Client (which also uses Blast)
  • Some browsers have problems with Client HTML access (link). To solve this problem change the checkorigin property.
    • On each Horizon Connection Server
    • Add a line in the “locked.properties” file (C:\Program Files\VMware\VMware View\Server\sslgateway\conf)
    • checkOrigin=false
    • Save
    • Restart the VMware Horizon View Connection Server service.

PowerShell example

I prefer the create a PowerShell script for the deployment of the UAG. This script deploys a single UAG with a single NIC and provide secure access to the Horizon View environment. The certificate will be generated automatically and is self-signed (in production environments use an signed certificate).

When re-deploying an UAG with PowerShell there is no need to manually remove the appliance. When the config is the same the old appliance is automatically removed.

Before using PowerShell make sure the following requirements are met, link.

PowerShell script:

# UAG virtual appliance unique name (between 1 and 32 characters).
# If name is not specified, the script will prompt for it.


# Full path filename of the UAG .ova virtual machine image
# The file can be obtained from VMware


# target refers to the vCenter username and address/hostname and the ESXi host for deployment
# Refer to the ovftool documentation for information about the target syntax.
# See https://www.vmware.com/support/developer/ovf/
# PASSWORD in upper case results in a password prompt during deployment so that passwords do not need
# to specified in this .INI file.
# In this example, the vCenter username is administrator@vsphere.local
# the vCenter server is (this can be a hostname or IP address)
# the ESXi hostname is esx1.myco.int (this can be a hostname or IP address)

# vSphere datastore name


# vSphere Network names. A vSphere Network Protocol Profile must be associated with every referenced network name. This specifies
# network settings such as IPv4 subnet mask, gateway etc.


# Setting honorCipherOrder to true forces the TLS cipher order to be the order specified by the server. This can be set on
# UAG 2.7.2 and newer to force the Forward Secrecy ciphers to be presented first to improve security.



# proxyDestinationUrl refers to the backend Connection Server to which this UAG appliance will connect.
# It can either specify the name or IP address of an individual Connection Server or of a load balanced alias to connect
# via a load balancer in front of multiple Connection Servers.


# proxyDestinationUrlThumbprints only needs to be specified if the backend Connection Servers do not have
# a trusted CA signed SSL server certificate installed (e.g. if it has the default self-signed certificate only).
# This is a comma separated list of thumbprints in the format shown here.

proxyDestinationUrlThumbprints=sha1:‎f1 c2 b8 0a 3f 7b 87 df 33 96 22 49 66 40 70 1a 11 74 9e b1


# pcoipExternalUrl must contain an IPv4 address (not a DNS name)


  • name: The name of the Unified Access Gateway (UAG)
  • source: The location of the OVF file
  • target: Specifies the vCenter Server information and target ESX host.
  • ds: datastore to deploy the UAG
  • vSphere Network names: This section contains the network settings such as:
    • Portgroup
    • IP Address
    • Subnetmask
    • Amount of NICs
    • DNS server(s)
  • honorCipherOrder: This allows forward secrecy ciphers to be presented first in the cipher list to improve security.
  • proxyDestinationUrl: URL representing the Horizon backend server (internal Connection server)
  • proxyDestinationUrlThumbprints: This contains the thumbprint of the Connection Server

  • tunnelExternalUrl: URL used by Horizon Clients to connect the secure tunnel to this UAG appliance
  • blastExternalUrl: URL used by HTML Access Clients to connect to this UAG appliance
  • pcoipExternalUrl: URL used by Horizon Clients to connect using PCoIP to this UAG appliance (external IP address)

When the UAG deployment successfully executes other configuration (UI or PowerShell) options can be added such as:

  • Trusted certificates
  • Radius authentication
  • Identity Manager




Fix orphaned vSAN objects

In the vSphere Web client an orphaned  vSAN object was listed named:


From the vSphere Web Client you cannot manage orphaned vSAN objects . To check and fix orphaned vSAN objects, the Ruby vSphere Console (RVC) is needed.  The ‘vsan.check_state’ command checks if VMs and Virtual SAN objects are valid and accessible.

After logging in the RVC (rvc administrator@vsphere.local@localhost), execute the “vsan.check_state -r” command at the cluster level:

/localhost/dc-beerens-01/computers/CL-01/vsan.check_state -r

The “-r” parameter refreshes the VMX and registers the VMs.

After running the “vsan.check_state -r” command, the vSAN object is listed as VM back again in the vSphere Web Client.

Prevent corruption of the ESXi bootable SD card

In vSphere ESXi 6.0 U3 an optimization is added to reduce the wear on the bootable SD card. Without this optimization high read load of VMware Tools ISO images might cause corruption of the flash media. You can copy all the VMware Tools data into its own ramdisk. As a result, the data can be read from the flash media only once per boot.

To activate this feature the following advanced settings must be changed on each ESXi host:

  • Set the advanced ToolsRamdisk option to 1 by using this command:
    esxcli system settings advanced set -o /UserVars/ToolsRamdisk -i 1 
  • After changing the setting reboot the host.

I created a simple PowerCLI script that sets the advanced setting `toolsRamdisk` value to ‘1’ on all the ESXi hosts.

<# Author : Ivo Beerens Blog : www.ivobeerens.nl Twitter : @ibeerens Pre-requisite : ESXi 6.0 U3 Set : Set UserVars.ToolsRamdisk to the value 1 #>

Get-Module -ListAvailable VMware* | Import-Module
    Foreach ($vmhost in Get-VMHost | where {$_.ConnectionState -eq "Connected"}) {
        Write-Host "Host: $($vmhost.name)" -ForegroundColor Green
        Get-AdvancedSetting -Entity $vmhost -Name UserVars.ToolsRamdisk | Set-AdvancedSetting -Value ‘1’ -Confirm:$false

After running this script all the ESXi hosts must be rebooted.
More information: VMware KB: High frequency of read operations on VMware Tools image may cause SD card corruption (2149257), Link