VMware Horizon Community
IAMVirtual_Ivan
Contributor

Horizon UAG Design Question

From checking all the docs it would seem that the connection flow for Horizon w/ UAG would be:

Client -> UAG -> Connection Server : ?Verify where to connect .. then

Client -> UAG -> Desktop

But that means you have to have a 1 to many firewall rule, mapping inbound connections from the UAG (in DMZ) to the Desktop (in LAN).

I was wondering if it makes more sense to add another 'internal' layer of UAGs, so that it would be...

Client -> UAG (DMZ) -> UAG (LAN) -> Connection Server: ?Verify where to connect .. then

Client -> UAG (DMZ) -> UAG (LAN) -> Desktop

This would give you a 1 to 1 mapping in the DMZ rule into LAN, and the Desktop connection is now not in the rule.

Would that lead to some sort of instability ?

I know there's a doc talking about a two layer DMZ model, so you can handoff one UAG to another.

Just all the docs refer to the first scenario, if you're doing it the 'normal' way.

Anyone try this ?

0 Kudos
3 Replies
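The two rule-set shapes described in the question, as an added example that is not part of the original post: a small Python model that generates the allow rules each design needs and counts what crosses the DMZ-to-LAN firewall boundary. The host names, pool size and port sets are constructed assumptions for illustration, not values from the thread or from VMware's port list.

```python
from dataclasses import dataclass
from itertools import product

# Assumed port sets for illustration only; take the real list from the Horizon/UAG port documentation.
UAG_TO_CS_PORTS = ("tcp/443",)
UAG_TO_DESKTOP_PORTS = ("tcp/22443", "udp/22443", "tcp/4172", "udp/4172")
UAG_TO_UAG_PORTS = UAG_TO_CS_PORTS + UAG_TO_DESKTOP_PORTS  # the front UAG must relay every protocol

@dataclass(frozen=True)
class Host:
    name: str
    zone: str  # "dmz" or "lan"
    role: str  # "uag", "cs" (Connection Server) or "desktop"

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: str

def sample_topology(n_desktops):
    """Constructed sample: two UAGs per layer, one Connection Server, a desktop pool of n_desktops.
    The LAN UAGs are present in both designs but only get rules in the two-layer one."""
    hosts = [Host("uag-dmz-1", "dmz", "uag"), Host("uag-dmz-2", "dmz", "uag"),
             Host("uag-lan-1", "lan", "uag"), Host("uag-lan-2", "lan", "uag"),
             Host("cs-1", "lan", "cs")]
    hosts += [Host(f"desktop-{i}", "lan", "desktop") for i in range(1, n_desktops + 1)]
    return hosts

def build_rules(hosts, internal_uag_layer):
    """Allow rules each design needs. Without the internal layer the DMZ UAGs reach the Connection
    Server and every desktop directly; with it, only the LAN UAGs do and the DMZ UAGs reach them."""
    def by_role(role, zone=None):
        return [h for h in hosts if h.role == role and zone in (None, h.zone)]
    dmz_uags, lan_uags = by_role("uag", "dmz"), by_role("uag", "lan")
    backend_src = lan_uags if internal_uag_layer else dmz_uags
    rules = set()
    if internal_uag_layer:
        rules |= {Rule(a.name, b.name, p) for a, b, p in product(dmz_uags, lan_uags, UAG_TO_UAG_PORTS)}
    rules |= {Rule(a.name, b.name, p) for a, b, p in product(backend_src, by_role("cs"), UAG_TO_CS_PORTS)}
    rules |= {Rule(a.name, b.name, p) for a, b, p in product(backend_src, by_role("desktop"), UAG_TO_DESKTOP_PORTS)}
    return rules

def boundary_summary(hosts, rules, src_zone="dmz", dst_zone="lan"):
    """Number of rules crossing src_zone -> dst_zone and the distinct destinations they open up."""
    zone = {h.name: h.zone for h in hosts}
    crossing = [r for r in rules if zone[r.src] == src_zone and zone[r.dst] == dst_zone]
    return len(crossing), sorted({r.dst for r in crossing})

def compare(n_desktops):
    """Both designs for one pool size: {'direct': (rule_count, dests), 'two_layer': (rule_count, dests)}."""
    hosts = sample_topology(n_desktops)
    return {"direct": boundary_summary(hosts, build_rules(hosts, False)),
            "two_layer": boundary_summary(hosts, build_rules(hosts, True))}
```

Running `compare(100)` shows the direct design's DMZ-to-LAN rule set growing with the pool (one destination per desktop plus the Connection Server), while the two-layer design's stays at the two LAN UAGs regardless of pool size; the desktop-facing rules still exist, but they live entirely inside the LAN.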
fabio1975
Commander

Hello

From what I understand, your idea is to have an external DMZ and an internal DMZ, where the external DMZ is the one on which I NATted the public IP, while the internal DMZ talks on the client/server VLAN.

If that's what you want to do, I have deployed this configuration several times without problems.

The only thing to remember is to set the gateway of the external DMZ and the static routes for the internal network.

Bye 

Fabio 

Visit vmvirtual.blog
If you're satisfied give me a kudos

0 Kudos
fabio1975
Commander

.... and you need to deploy the UAG with 2 NICs; the deployment with 1 NIC is not supported in a production environment.

Thank you 

Fabio


0 Kudos
IAMVirtual_Ivan
Contributor

Nah .. that's what I am referring to with a two-layer DMZ. You can get that info from this document.

https://docs.vmware.com/en/Unified-Access-Gateway/3.4/com.vmware.uag-double-dmz-deployment.doc/GUID-...

What I am thinking here is to reduce the amount of DMZ-LAN overhead by putting a set of UAGs in the LAN, so the ruleset is easy.

I'm thinking it may cause issues, though I guess the only way is to test it.

0 Kudos