AllBlack
Expert

Remote access to Horizon Connection Admin Console via UAG

Hi there

Is it allowed to connect to the connection server admin console via UAG?
I have a unified URL whether I am remote or on-prem. If remote, the request goes to the UAG load-balanced VIP and then hits the internal connection servers.
On-prem everything goes directly to connection servers. There is no issue using the admin console.

When I am off-site I can connect fine to the portal client via UAG but not the admin console.
I am trying to figure out where the issue lies and I wonder if the UAG blocks access to the Horizon Connection admin console somehow? I could understand if they did from a security point of view, but I am just trying to understand and cannot find anything on this.

Cheers

Please consider marking my answer as "helpful" or "correct"
0 Kudos
2 Replies
Lalegre
Commander

Hey AllBlack,

So basically UAG has another admin console, which is not the same one as the Connection Server's, and the purpose of the UAG is to proxy the connections and make them secure when connecting to the VDI.

Also, if you are connecting over the WAN you are probably doing a DNAT to the private IP of the UAG and not to the Connection Server IP; however, the Connection Server is for administering the platform, so this should never be published to the internet.

0 Kudos
JesperA89
Contributor

There is no issue here, everything is working as it is supposed to do.
But apparently, this is not how you would like it to work.

😉

The UAG is an appliance built to allow for secure remote connections to (among others) VMware Horizon; within the secure part, this also means not allowing access to /admin of the Connection Server(s).

If this is something you would like to achieve, which is something I would not recommend, you could add a proxy pattern on your UAGs.

You can add one under Horizon Settings > Proxy Pattern. On my fresh version 2006 UAG this looks like:

(/|/view-client(.*)|/portal(.*)|/appblast(.*))

But if you want the admin portal enabled externally you could change it to something like:

(/|/view-client(.*)|/portal(.*)|/appblast(.*)|/admin(.*))

Again, not recommending this!

0 Kudos
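
To check what a proxy pattern lets through before applying it, the two patterns quoted in the reply above can be run against a list of request paths. This is an added example, not part of the thread or of VMware's tooling; it assumes the UAG requires the pattern to match the whole request path, and every sample path other than /admin is constructed.

```python
import re

# Patterns quoted in the reply above (version 2006 default, then the modified one).
DEFAULT_PATTERN = r"(/|/view-client(.*)|/portal(.*)|/appblast(.*))"
ADMIN_PATTERN = r"(/|/view-client(.*)|/portal(.*)|/appblast(.*)|/admin(.*))"

# Constructed sample request paths; only /admin itself comes from the thread.
SAMPLE_PATHS = [
    "/",
    "/portal/webclient/index.html",
    "/view-client/info",
    "/appblast/session",
    "/admin",
    "/admin/",
    "/admin/dashboard",
    "/administrator",
    "/other",
]


def is_forwarded(pattern, path):
    """Assumption: a request is proxied only if the pattern matches the whole path."""
    return re.fullmatch(pattern, path) is not None


def forwarded_paths(pattern, paths=SAMPLE_PATHS):
    """Paths from the sample list that the pattern would send to the Connection Server."""
    return [p for p in paths if is_forwarded(pattern, p)]


def admin_exposed(pattern, paths=SAMPLE_PATHS):
    """Forwarded paths that start with /admin; an empty list means none are published."""
    return [p for p in forwarded_paths(pattern, paths) if p.startswith("/admin")]


def newly_exposed(old_pattern, new_pattern, paths=SAMPLE_PATHS):
    """Paths the new pattern forwards that the old one did not (review before a change)."""
    before = set(forwarded_paths(old_pattern, paths))
    return [p for p in forwarded_paths(new_pattern, paths) if p not in before]


if __name__ == "__main__":
    print("default forwards :", forwarded_paths(DEFAULT_PATTERN))
    print("default /admin   :", admin_exposed(DEFAULT_PATTERN))
    print("change would add :", newly_exposed(DEFAULT_PATTERN, ADMIN_PATTERN))
```

Because the added alternative is `/admin(.*)`, it forwards every path that begins with /admin, including the constructed `/administrator`, not only the console URL itself.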