VMware Horizon Community
epa80
Hot Shot

Certs on the UAGs

We are utilizing UAGs for external access into our Horizon environment, and have been for about a year and a half. The wildcard cert utilized in our environment is coming close to expiring, so we started the process to renew it/replace it where needed.

One part of our environment setup we've been unsure about is the need for the wildcard cert (or whatever cert) you use out on your load balancer, and whether that same cert needs to be on the UAGs themselves. We've seen inconsistent behavior when testing this, so I'm just trying to find out if that's actually a needed step.

The brokers on our internal network all have their own certs from our on-site CA. We then planned to swap out our wildcard cert on the load balancer, leaving the UAGs (between the LB and the brokers) with just their out-of-box self-signed certs. Out on the load balancer today we are doing SSL bridging.

I'm also opening a ticket with support, but wanted to see what the forums knew about this topic as well.

Thanks in advance.

epa80
Hot Shot

Support responded. We indeed do need the certs from the load balancer to also be on the UAGs. They also provided this link and comment:

https://docs.vmware.com/en/Unified-Access-Gateway/3.4/com.vmware.uag-double-dmz-deployment.doc/GUID-...

Similarly, if a load balancer is used in DMZ 1 in front of multiple Unified Access Gateway appliances, then if that load balancer is also terminating TLS (TLS bridging), then the same certificate must be present on UAG 2 and the load balancer so that the thumbprint validation succeeds.

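One way to verify the requirement quoted from the docs above before cutting over, as an added example that is not code from this thread or from VMware: compute the thumbprint of the certificate the load balancer VIP presents and of the certificate installed on the UAG, and confirm they agree, since UAG's thumbprint validation fails when they differ. The PEM blobs embedded below are constructed stand-ins (not real certificates) so the script runs offline; `fetch_presented_cert` is an assumed helper name wrapping the standard-library `ssl.get_server_certificate` call.

```python
"""Check that the cert a TLS-bridging load balancer presents matches the cert
configured on the UAG behind it (thumbprint comparison).

Expects single-certificate PEM text with nothing before the BEGIN line.
"""
import base64
import hashlib
import ssl


def thumbprint(pem: str, algo: str = "sha256") -> str:
    """Thumbprint of the DER certificate in OpenSSL style: AB:CD:...:EF."""
    der = ssl.PEM_cert_to_DER_cert(pem)          # strip armour, base64-decode
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(tp: str) -> str:
    """Accept thumbprints pasted with or without colons/spaces, any case."""
    return "".join(c for c in tp.upper() if c in "0123456789ABCDEF")


def certs_match(lb_pem: str, uag_pem: str, algo: str = "sha256") -> bool:
    """True only if LB and UAG hold the identical certificate."""
    return normalize(thumbprint(lb_pem, algo)) == normalize(thumbprint(uag_pem, algo))


def fetch_presented_cert(host: str, port: int = 443) -> str:
    """Fetch the PEM the LB VIP actually serves (network call, not used offline)."""
    return ssl.get_server_certificate((host, port))


def _fake_pem(der: bytes) -> str:
    """Wrap constructed DER bytes in PEM armour for the offline demo."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed stand-in DER (a minimal ASN.1 SEQUENCE), not real certificates.
LB_PEM = _fake_pem(b"\x30\x03\x02\x01\x01")
UAG_PEM_SAME = _fake_pem(b"\x30\x03\x02\x01\x01")         # LB cert also deployed on UAG
UAG_PEM_SELF_SIGNED = _fake_pem(b"\x30\x03\x02\x01\x02")  # UAG left on out-of-box cert

if __name__ == "__main__":
    print("LB  :", thumbprint(LB_PEM))
    print("UAG :", thumbprint(UAG_PEM_SELF_SIGNED))
    print("match:", certs_match(LB_PEM, UAG_PEM_SELF_SIGNED))
```

In a real check, pass the PEM from `fetch_presented_cert("<lb-vip-hostname>")` as the first argument and the UAG's exported certificate as the second.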
BenFB
Virtuoso

That's one way to do it. I don't like the idea of sharing a certificate so in our environment we have one unique cert on each of the following.

  • Load balancer VIP for external UAG connections
  • Each UAG
  • Load balancer VIP for external connection servers
  • Load balancer VIP for internal connection servers
  • Each external and internal connection server

We also, as a policy, do not use any wildcard certs, and I would advise against them. There is a security risk in using wildcards, and some applications will not allow for them.

We leverage the Method 3 - Multiple VIPs session affinity.

Load Balancing across VMware Unified Access Gateway Appliances
