Hi people,
Welcome to this blog post about the VMware UAG: its history and what’s new.
With the VMware UAG (Unified Access Gateway) you enable secure remote access for users to virtual desktops, internal sites, applications and file repositories.
The VMware UAG is strictly an appliance. In the past, to secure connections to a VMware Horizon environment from the outside, you typically used a Security Server. The downside of the Security Server was the… security. The server was Windows based and therefore more exposed to security threats.
VMware introduced the Unified Access Gateway to mitigate these security risks.
The appliance is a stripped-down, Linux-based appliance, hardened out of the box, which you can easily deploy and maintain.
In this post I want to go back in history and sum up the new features from one version to the next in chronological order, up to where we are now. Warning, it is a lot of info 🙂 VMware is doing a good job of adding new features to the Unified Access Gateway, and that is my primary goal with this blog post: to give you an idea of what has been added to the product since version 3.9.
After 3.10 VMware switched to the new version numbers, and minor (or security) updates get the same version number with a .1 or .2 suffix, the latter if it’s a second update on the primary one. In version 2111.1 the log4j issue was mitigated, so that was a very important update. VMware suggests never using 2111 but going straight to 2111.1.
The only reason to deploy an older version in your environment might be the interoperability matrix; otherwise always use the latest version.
If you are still stuck on the Security Server for whatever reason, please consider the following updates and after that decide to move on to the UAG.
I will start from version 3.9:
- Added support to combine Horizon Third-Party SAML Authentication with the Horizon 7 and later versions for the Unauthenticated Access Feature
- Extended the support for OPSWAT end-point compliance check integration.
- Added support for the combination of Horizon Smart Card Certificate or Passthrough authentication when a pre-login message is also configured on Horizon Connection Server.
- Added support for non-ASCII characters in Smart Card X.509 certificates used for authentication.
- Added support to configure the VMware Tunnel Proxy through the PAC file path or the URL in the .ini file, which gets configured during deployment through PowerShell.
- Qualified support for the AVI Networks load balancer used in front-ending Unified Access Gateway for Horizon and Web Reverse Proxy edge services.
- Added support to allow SSH option configuration during deployment, which can be done through the OVF template or in the .ini file, which gets configured during deployment through PowerShell.
- Added support for Unified Access Gateway to use the custom settings for VMware Tunnel and Content Gateway service when configured as a Key-Value pair through the Workspace ONE UEM Console.
- Added an option to set maximum TCP connections per session in the Unified Access Gateway Admin UI.
- TLS 1.1 is disabled by default. The Honor Cipher Order setting is no longer used as it is automatically enabled for Horizon and Web Reverse Proxy edge services.
Version 3.9.1
- Bug fixes
Version 3.10
- Configuration of Workspace ONE edge services VMware Tunnel, Content Gateway, and Secure Email Gateway through the Admin UI now detects errors due to configuration issues and relays the error message to Admin UI. The error messages do get captured in the logs.
- Added support to configure the maximum allowed CPU utilization to prevent an overload.
- Extended support for Horizon Client IP protocol version bridging.
- Added a capability with Web Reverse Proxy edge service configuration to proxy requests normally used for local Unified Access Gateway resources.
- The FIPS version of Unified Access Gateway now supports the Certificate-based authentication for Horizon Clients. This is for Smart Card/CAC and device certificate authentication.
- General Unified Access Gateway SAML 2.0 enhancements for third-party Identity Providers used with the Horizon authentication.
- Validated Microsoft ADFS and Shibboleth as additional SAML 2.0 Identity Providers for the Horizon authentication.
- The Horizon OPSWAT device compliance check continuous evaluation interval can now be set to a minimum of every 5 minutes.
- Added support to configure a login disclaimer agreement message for the Admin UI login.
- Extended the logs collected with system information to further aid troubleshooting.
- The origin header used with Horizon requests to Connection Server can now optionally be rewritten to use the host name from the proxyDestinationUrl setting.
- Added support for additional connection concurrency for RADIUS authentication.
- Updated TLS versions and default ciphers for connections on TCP port 443 for Horizon and Web Reverse Proxy edge services.
- The Horizon Blast Secure Gateway component on TCP port 8443 no longer uses TLS 1.1. It supports TLS 1.2 only.
- Secure Email Gateway support for Active Directory client certificate mapping authentication.
- For Secure Email Gateway, the Java version has been updated to Zulu OpenJDK JRE, version 11.0.7.
- Qualified support for the AVI Networks load balancer in front-ending Unified Access Gateway for Horizon, Web Reverse Proxy, VMware Tunnel, Content Gateway, and Secure Email Gateway edge service.
Version 2009 (new version numbering)
- Photon OS Update Options
- Added further support for HTTP Strict Transport Security (HSTS).
- Custom Settings for Secure Email Gateway
- Syslog Enhancements
- Low-privilege Monitoring Users in Scripted Deployment
Version 2009.1
- Bug fixes
Version 2012
- Admin User Interface (UI) accessibility improvements based on VPAT (Voluntary Product Accessibility Template) tests.
- Added support with Horizon Smart Card and Device Certificate authentication so that multiple issuer CA (certificate authority) certificates can now be uploaded to Unified Access Gateway even when these CA public key certificates have a duplicate subject name.
- Added the ability to set some advanced network settings at deploy time.
- SNMP monitoring can now use SNMP v3. Previous versions used SNMP v2C.
- The root password policy, such as expiry time and complexity, can now be specified at the deployment time.
- The TLS cipher list supported by the Horizon PCoIP Secure Gateway is changed to remove the ones that use an RSA key exchange, as they do not support the forward secrecy.
- Updates to Photon OS package versions and Java versions.
Version 2103
- Unified Access Gateway can now be deployed in Google Cloud as a Compute Engine VM. This deployment option is in addition to the existing support for vSphere (vCenter/ESXi), Amazon AWS EC2, Microsoft Azure, and Microsoft Hyper-V VMs.
- Edge services on Unified Access Gateway are managed by a component called esmanager.
- Added support for Horizon client device certificate authentication prior to SAML passthrough authentication used when launching Horizon sessions through Unified Access Gateway from Workspace ONE Access.
- SAML authentication for Horizon access through Unified Access Gateway now supports encrypted SAML assertions when enabled in the SAML IdP configuration.
- For Unified Access Gateway forwarding of events to an external event management system, multiple Syslog server destinations can now be specified.
- Updates to swap space location and inactivity timer have been made to meet Microsoft Azure VM compliance requirements.
- Added support for Horizon Chromebook clients using SAML authentication.
- Updates to Photon OS package versions and Java versions.
Version 2103.1
- VMware Unified Access Gateway 2103.1 includes a bug fix, which is documented in the Resolved Issues section.
- Security and other updates to Photon OS package versions. This includes an update to nxtgn-openssl 1.1.1 to address security vulnerabilities (CVE-2021-3449 and CVE-2021-3450).
Version 2106
- Added SAML authentication support for the Admin UI administrator login.
- IPv6 support is added for Unified Access Gateway deployments to Amazon AWS EC2.
- OPSWAT client device compliance checks are normally made at Horizon user login time and at desktop or application launch time.
- Added support for processing a JSON Web Key Set (JWKS) format for dynamically obtaining multiple public keys used for validating JSON Web Tokens received by Unified Access Gateway for Horizon Universal Broker use.
- Improved support for Horizon Smart Card and device certificate authentication when multiple complex certificate issuer chains are used.
- Secure Email Gateway logs are now included in the Unified Access Gateway log archive.
- Minimum length password policy is now enforced when the root password is changed using the Linux “passwd” command. The minimum root password length is configurable.
- Unified Access Gateway HTTP sessions use a session ID cookie called “ACCESSPOINTSESSIONID”. The value of this now changes after user authentication steps to further defend against session fixation attacks.
- The password expiry period of admins with the monitoring role was previously always set to the same as for the main admin role. This version allows a different value to be set for admins with the monitoring role.
- The Admin UI now has a session inactivity timer of 10 minutes by default. This value can be set to a different value at deployment time.
- Updates to Photon OS package versions and Java versions.
- User activity for applications accessed through Unified Access Gateway with the Workspace ONE Tunnel application can now be visualized in Workspace ONE Intelligence.
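The session ID rotation mentioned in the 2106 notes, shown as an added example (my own illustration, not UAG code): a minimal session store that issues a fresh identifier when a user authenticates, so any identifier that existed before login no longer maps to an authenticated session. Cookie and function names are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

COOKIE_NAME = "ACCESSPOINTSESSIONID"  # cookie name from the release notes


@dataclass
class Session:
    user: Optional[str] = None  # None until the user has authenticated


class SessionStore:
    """In-memory session store that rotates the ID on authentication."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        """Issue an unauthenticated session, e.g. when the login page is served."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def login(self, sid: str, user: str, credentials_ok: bool) -> Optional[str]:
        """Authenticate the session and return the NEW cookie value.

        The pre-login identifier is dropped, so a value that was known before
        authentication (what a fixation attack relies on) is no longer usable.
        """
        if sid not in self._sessions or not credentials_ok:
            return None
        self._sessions.pop(sid)  # old identifier is dead from here on
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user=user)
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        """Return the authenticated user for a cookie value, if any."""
        session = self._sessions.get(sid)
        return session.user if session else None


def rotation_check() -> dict:
    """Constructed walkthrough: pre-login ID, login, then check both IDs."""
    store = SessionStore()
    pre_login = store.create()
    post_login = store.login(pre_login, "alice", credentials_ok=True)
    return {
        "rotated": post_login is not None and post_login != pre_login,
        "old_id_still_valid": store.user_for(pre_login) is not None,
        "new_id_authenticated": store.user_for(post_login) == "alice",
    }
```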
Version 2106.1
- Security and other updates to Photon OS packages and Java versions. The Photon Linux kernel is updated to address a security vulnerability (CVE-2021-33909) and Java is updated to address security vulnerabilities (CVE-2021-29921 and CVE-2021-2388).
Version 2106.2
- Security and other updates to Photon OS packages and Java versions.
- Added support for application sessions that run forever. This capability can be configured on Horizon 2106 and later.
Version 2111
- TLS configuration for Horizon and Web Reverse Proxy and Identity Bridging has been extended to include specification of Named Groups (elliptic curves), Signature Schemes, and Client (outbound) Cipher Suites.
- Added a new delay timer for OPSWAT endpoint compliance checks to improve user experience in cases where the OPSWAT On-demand agent is used with Horizon access.
- Added support for Unified Access Gateway certificate authentication with client X.509 certificates that use the RSASSA-PSS signature algorithm.
- SNMPv3 now includes support for additional Auth Algorithms SHA-224, SHA-256, SHA-384, and SHA-512 in addition to MD5 and SHA.
- Added support for Horizon Client and server data protection encryption when used with new versions of Horizon.
- Java JDK 11 is used for all Unified Access Gateway components. Java JDK 8 has been removed.
- RSA SecurID support uses a new RSA SecurID Authentication API from RSA.
- Host clock sync is now supported as an optional alternative to the default NTP protocol mechanism.
- Configuration of log level modes such as DEBUG and TRACE can now be set for individual components instead of globally for all components.
- Updates to Photon OS package versions and Java versions.
- Added support for Blast Secure Gateway host header validation.
Version 2111.1
- VMware Unified Access Gateway 2111.1 includes a fix for the critical CVE-2021-44228 vulnerability, the CVE-2021-45046 vulnerability and a fix for the uagdeploy PowerShell deployment script. Refer to the Resolved Issues section for more details.
- Updates to Photon OS package versions and Java versions.
Version 2111.2
- Fixes for several specific defects identified since the previous release. Refer to the Resolved Issues section for more details. If you are not affected by any of the issues listed in the Resolved Issues section, then there is no need to upgrade from the previous 2111.1 version.
- Updates to Photon OS package versions and inclusion of Apache log4j-core version 2.17.1 in the authbroker component. These Photon OS and log4j-core version updates are included for compliance purposes only and do not resolve any known vulnerabilities that impact Unified Access Gateway.
Version 2203
- Added support for Horizon SAML authentication flows in the FIPS version of Unified Access Gateway. Earlier versions supported Horizon SAML authentication only for the standard version.
- Improved protection to block URL Path Traversals for Horizon and Web Reverse Proxy based on proxy pattern definitions and a new configuration setting to enable canonical proxy pattern matching.
- The OPSWAT endpoint compliance feature now supports optional flag values to determine how the downloaded on-demand OPSWAT agent is run. This is supported by newer 2203 Windows Horizon clients and can allow control of whether downloaded code runs on the client in the context of the user or system.
- The CSRF feature for Horizon HTML Access introduced in Horizon 2006 did not support the combination of a pre-login message configured on Connection Server with Multi-Factor authentication configured on Unified Access Gateway. Unified Access Gateway 2203 now includes the CSRF protection requirements to support this combination.
- Improved logging and communication of analysis data to Horizon brokers for cases where a Horizon Client is detected as idle, and for cases where misrouting of Horizon Client protocols occurs.
- Improved audit logging when trusted certificates are added by the administrator. This includes comprehensive logging of the certificate details.
- Unified Access Gateway syslog events can now be sent to an MQTT server using the MQTT IoT messaging protocol. This is in addition to existing support for standard syslog protocols using UDP, TCP or TLS. Improvements to Syslog Admin UI for simplifying configurations where multiple syslog and/or MQTT servers are used.
- The UAG stats monitoring API now provides information on Unified Access Gateway uptime and version number.
- Improved control over proxyPattern configuration for Horizon. This makes it possible to block Horizon Webclient reverse proxy forwarding to the Horizon broker if required.
- Update Interval in Workspace ONE Intelligence Data settings are now pre-populated with the default value.
- Console root login idle time auto-disconnect value is now configurable.
- The Horizon Client HTTP 307 redirect feature now allows TCP port number to be used in addition to FQDN and IP address.
- Added automatic disk space monitoring so that syslog events are automatically sent if disk usage is excessively high.
- General improvements to the functionality for forwarding data to Workspace ONE Intelligence.
- Enhanced certificate-based authentication for Content Gateway Repository to support all Active Directory (AD) entities. Earlier versions supported only UPN.
- TLS_RSA ciphers have been removed by default on the Secure Email Gateway (SEG) service.
- Updates to Photon OS package versions and Java component versions. These updates include openssl version updates to remediate a potential non-critical DoS attack vulnerability CVE-2022-0778.
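The canonical proxy pattern matching from the 2203 notes, shown as an added example (my own illustration, not UAG code): the request path is percent-decoded and its `.` and `..` segments resolved before it is matched against the allowed patterns, so a path that only looks like it belongs to an allowed prefix is rejected. The pattern list and the regex style are assumptions; it assumes the backend decodes the path exactly once.

```python
import re
from typing import List
from urllib.parse import unquote

# Constructed allow-list in the anchored-regex style of a reverse proxy
# "proxy pattern" setting (assumed shape, not copied from UAG documentation).
PROXY_PATTERNS: List[str] = [r"^/portal(/.*)?$", r"^/view-client(/.*)?$"]


def canonicalize(path: str) -> str:
    """Return the path the backend would actually resolve.

    Percent-decodes once (matching a backend that decodes once), drops empty
    and '.' segments, and lets '..' consume the previous segment, never
    climbing above '/'.
    """
    segments: List[str] = []
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def allowed(path: str, canonical: bool = True) -> bool:
    """Match the request path against the proxy patterns.

    canonical=False matches the raw path (the weak form); canonical=True
    matches the resolved path, which is what the backend will see.
    """
    target = canonicalize(path) if canonical else path
    return any(re.match(pattern, target) for pattern in PROXY_PATTERNS)


def compare(path: str) -> dict:
    """Constructed check: how raw and canonical matching differ for one path."""
    return {
        "canonical_path": canonicalize(path),
        "raw_match": allowed(path, canonical=False),
        "canonical_match": allowed(path, canonical=True),
    }
```

With raw matching, `/portal/../admin/config` passes because it starts with `/portal`; with canonical matching it resolves to `/admin/config` and is blocked.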
Version 2203.1
- Added support in Content Gateway (CG) edge service for the V4 API introduced in Workspace ONE UEM version 2204.
- Updates to Photon OS package versions and Java component versions.
Version 2207
- Added SAML authentication for the Admin interface with the FIPS version.
- Provided additional security settings required to allow the FIPS version of Unified Access Gateway to be deployed with Photon OS DISA STIG compliance. DISA is the Defense Information Systems Agency and the Photon OS STIG is the published Security Technical Implementation Guide.
- Added further ssh hardening configuration options.
- Added setting to allow the Horizon Connection Server pre-login message to be skipped.
- Added adminreset command. This is available from the root login console and sets the Admin interface settings back to the default, which is password authentication.
- Syslog configuration improvements. Upgraded the syslog functionality to use the new syslog-ng instead of the older rsyslog.
- Endpoint compliance functionality improvements for OPSWAT integration
- Updated log rotation configuration for additional /var/log files.
- Added support during deployment to run a small script either on first boot or on every boot.
- Extended the support for automatic OS package updates to include potential non-Photon Unified Access Gateway specific rpm updates.
- Improvements in certificate revocation checks made on the received TLS server certificate for outbound TLS connections.
- Backslash character is now supported in PFX TLS server certificate passwords.
- Improved logging and communication of analysis data to Horizon brokers for cases where a Horizon Client is detected as idle, and for cases where misrouting of Horizon Client protocols (PCoIP and Tunnel) occurs.
- Improved the Tunnel’s vpnreport troubleshooting tool to include flow details based on device type and TCP/UDP, and a breakdown of most used apps.
- Updates to Photon OS package versions and Java component versions.
Version 2207.1
- VMware Unified Access Gateway 2207.1 includes bug fix for Tunnel Server.
- Updates to Photon OS package versions and Java component versions.
Version 2209
- Added uagcertutil command. This command is used to generate a new private key and a Certificate Signing Request (CSR) to get a CA signed certificate and applied to Unified Access Gateway’s admin and internet interfaces.
- Added support for handling HTTP redirect from Horizon broker. This feature can be used to simplify affinity requirements for load balancing Horizon broker.
- Powershell Enhancements:
- Added support for deployment with PowerShell 7.
- Added support for PowerShell deployment on Microsoft Azure using Az module in addition to the existing support for AzureRM module.
- Extended configuration options – session timeout, authentication timeout, and monitor interval with PowerShell deployment.
- Co-existence of SAML authentication with Basic authentication for the Admin interface.
- Added support for Certificate Based Authentication (CBA) for Network File Shares (NFS) in Content Gateway.
- Logging and monitoring improvements:
- Archiving Unified Access Gateway statistics when its health is down.
- Compression of rolled over log files.
- Logging unhealthy state of Unified Access Gateway resulting from explicit configuration of quiesce mode as an informational log instead of warning log.
- Updates to Photon OS package versions and Java component versions.
Version 2209.1
- Support for validation of admin and internet facing TLS certificate chains when the certificate is configured using the uagcertutil utility.
- Improve UDP reporting in Tunnel Access Logs.
- Updates to Photon OS package versions.
As seen above, the list of new features is huge. VMware is putting a lot of effort into the development of the UAG!
Stick around on my blog for updates; soon I will do an installation / implementation of the UAG!