<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Unified Access Gateway 3.6 - Load Balancing + SSL in Horizon Desktops and Apps</title>
    <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Unified-Access-Gateway-3-6-Load-Balancing-SSL/m-p/1867309#M85785</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I don’t see any reason why that would not work. Clients are somewhat unaware of the responding UAG, as from their point of view they just connect to the public VIP on the SLB, the same one that the hostname resolves to.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;All the network address translations happening behind the SLB on the path are never exposed to clients. And you don’t need to worry about connection servers or their certificates. All TLS is proxied on the UAG, i.e. the UAG creates another TLS session against the connection server rather than passing through the existing one.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 28 Aug 2019 07:51:41 GMT</pubDate>
    <dc:creator>Perttu</dc:creator>
    <dc:date>2019-08-28T07:51:41Z</dc:date>
    <item>
      <title>Unified Access Gateway 3.6 - Load Balancing + SSL</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Unified-Access-Gateway-3-6-Load-Balancing-SSL/m-p/1867304#M85780</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello folks, I am in a hurry.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I need the definition on how to configure my External Access to the Horizon Environment.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have two Unified Access Gateways behind a Load Balancer (F5) configured in SSL Passthrough and redirected the UAG to use port 443 for Tunneled Connections as well as Blast Connections. My UAGs are not configured on a domain, nor do they have public IPs, only IPs on my DMZ. On the load balancer I have an IP on the same DMZ that is DNATed on my firewall.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;My doubt here is on how to configure the public certificate:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Can I use a single certificate pointing to my external URL? (ex: horizon.company.com)&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am asking this because the documentation asks about configuring SAN for the two Unified Access Gateways, but they are not published to the internet.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you all&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 27 Aug 2019 15:46:05 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Unified-Access-Gateway-3-6-Load-Balancing-SSL/m-p/1867304#M85780</guid>
      <dc:creator>Lalegre</dc:creator>
      <dc:date>2019-08-27T15:46:05Z</dc:date>
    </item>
    <item>
      <title>Re: Unified Access Gateway 3.6 - Load Balancing + SSL</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Unified-Access-Gateway-3-6-Load-Balancing-SSL/m-p/1867305#M85781</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Can I use a single certificate pointing to my external URL? (ex: horizon.company.com)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Yes, you can use a single certificate, but it should include the other servers in the subject alternative name fields. I use the same cert on all the UAGs, connection servers, and load balancer.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 27 Aug 2019 15:49:22 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Unified-Access-Gateway-3-6-Load-Balancing-SSL/m-p/1867305#M85781</guid>
      <dc:creator>sjesse</dc:creator>
      <dc:date>2019-08-27T15:49:22Z</dc:date>
    </item>
    <item>
      <title>Re: Unified Access Gateway 3.6 - Load Balancing + SSL</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Unified-Access-Gateway-3-6-Load-Balancing-SSL/m-p/1867306#M85782</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks for the fast response.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The issue here is that I cannot add my Connection Server or my UAG as SAN for security reasons.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;My UAG does not have a public IP or an FQDN configured because it is in a DMZ and has no connection to my Domain Controller.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;My doubt again is whether I can use a single certificate BUT with a Common Name only pointing to my external URL.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 27 Aug 2019 15:53:06 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Unified-Access-Gateway-3-6-Load-Balancing-SSL/m-p/1867306#M85782</guid>
      <dc:creator>Lalegre</dc:creator>
      <dc:date>2019-08-27T15:53:06Z</dc:date>
    </item>
    <item>
      <title>Re: Unified Access Gateway 3.6 - Load Balancing + SSL</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Unified-Access-Gateway-3-6-Load-Balancing-SSL/m-p/1867307#M85783</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Look at&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.vmware.com/en/VMware-Horizon-7/7.8/horizon-scenarios-ssl-certificates.pdf" title="https://docs.vmware.com/en/VMware-Horizon-7/7.8/horizon-scenarios-ssl-certificates.pdf"&gt;https://docs.vmware.com/en/VMware-Horizon-7/7.8/horizon-scenarios-ssl-certificates.pdf&lt;/A&gt; &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;and&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.carlstalhood.com/vmware-unified-access-gateway/" title="https://www.carlstalhood.com/vmware-unified-access-gateway/"&gt;https://www.carlstalhood.com/vmware-unified-access-gateway/&lt;/A&gt; &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It may be possible, but I've never needed to do it. In the UAG part I think you just need to get the internal connection server thumbprint and place it in the section Carl mentions&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.carlstalhood.com/vmware-unified-access-gateway/" title="https://www.carlstalhood.com/vmware-unified-access-gateway/"&gt;https://www.carlstalhood.com/vmware-unified-access-gateway/&lt;/A&gt; &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I could swear, at least at one point there was a problem with PCoIP if you didn't use the same cert on every component. That may have changed.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 27 Aug 2019 16:36:08 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Unified-Access-Gateway-3-6-Load-Balancing-SSL/m-p/1867307#M85783</guid>
      <dc:creator>sjesse</dc:creator>
      <dc:date>2019-08-27T16:36:08Z</dc:date>
    </item>
    <item>
      <title>Re: Unified Access Gateway 3.6 - Load Balancing + SSL</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Unified-Access-Gateway-3-6-Load-Balancing-SSL/m-p/1867308#M85784</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I already read that article.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I only need to know if it is possible to use only a Common Name, not SAN, on the UAGs.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 27 Aug 2019 17:44:52 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Unified-Access-Gateway-3-6-Load-Balancing-SSL/m-p/1867308#M85784</guid>
      <dc:creator>Lalegre</dc:creator>
      <dc:date>2019-08-27T17:44:52Z</dc:date>
    </item>
    <item>
      <title>Re: Unified Access Gateway 3.6 - Load Balancing + SSL</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Unified-Access-Gateway-3-6-Load-Balancing-SSL/m-p/1867309#M85785</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I don’t see any reason why that would not work. Clients are somewhat unaware of the responding UAG, as from their point of view they just connect to the public VIP on the SLB, the same one that the hostname resolves to.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;All the network address translations happening behind the SLB on the path are never exposed to clients. And you don’t need to worry about connection servers or their certificates. All TLS is proxied on the UAG, i.e. the UAG creates another TLS session against the connection server rather than passing through the existing one.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 28 Aug 2019 07:51:41 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Unified-Access-Gateway-3-6-Load-Balancing-SSL/m-p/1867309#M85785</guid>
      <dc:creator>Perttu</dc:creator>
      <dc:date>2019-08-28T07:51:41Z</dc:date>
    </item>
    <item>
      <title>Re: Unified Access Gateway 3.6 - Load Balancing + SSL</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Unified-Access-Gateway-3-6-Load-Balancing-SSL/m-p/1867310#M85786</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I don't use SAN certs with my UAGs. I use CN. I think it is however an interesting debate. I have spoken to a few people and they have different views on this. Personally, if the device is not internet facing I would not put its name in my cert. My UAGs have a public cert from a public authority. The same cert is on my load balancer. My connection servers use a SAN cert from an internal CA. I think it is a security risk adding connection servers that reside on my LAN network to my cert that any intruder can read.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This VMware resource who was on site told me it was best practice to add all UAGs and connection servers to the cert. When I asked him to show me in the document where it says that, he quietly dropped the argument. Granted, I do understand his argument. It makes it easier to troubleshoot. However, I personally believe it is a matter of preference and opinion. But regardless, it will work either way.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 30 Aug 2019 03:11:44 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Unified-Access-Gateway-3-6-Load-Balancing-SSL/m-p/1867310#M85786</guid>
      <dc:creator>cbaptiste</dc:creator>
      <dc:date>2019-08-30T03:11:44Z</dc:date>
    </item>
    <item>
      <title>Re: Unified Access Gateway 3.6 - Load Balancing + SSL</title>
      <link>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Unified-Access-Gateway-3-6-Load-Balancing-SSL/m-p/1867311#M85787</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thank you all for your answers.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I can see that you folks share the same opinion as me regarding "sharing" the names of the internal servers.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I will proceed using a simple CN name for the VIP.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you all again!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 30 Aug 2019 12:08:55 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Unified-Access-Gateway-3-6-Load-Balancing-SSL/m-p/1867311#M85787</guid>
      <dc:creator>Lalegre</dc:creator>
      <dc:date>2019-08-30T12:08:55Z</dc:date>
    </item>
  </channel>
</rss>

