VMware Horizon Community
paradise1967

UAG 3.0 - Use Certificate-auth to restrict connection to Domain members

Hi

I have UAG 3.0 deployed with Horizon 7.1. External access works fine, but I want to lock it down so that only computers that are domain members can connect. I followed the guide for deploying with PowerShell and added these lines to the ini file:

authMethods=certificate-auth && sp-auth

[CertificateAuth]
pemCerts=C:\certs\domain-cachain.pem

Both domain and non-domain members get the same error message:

[screenshot of the error message, not included]

/opt/vmware/gateway/logs/esmanager.log shows this error when connecting:

unable to retrieve client certificate from session: <sessionId>

The troubleshooting guide for UAG 3.1 says to check the client-side certificate if X.509 is configured.

How should this certificate be configured?

Thanks

Accepted Solutions
paradise1967

An update for anyone who cares.

Tried to get this working on a LAN, with Connection Servers and UAG on the same subnet. Had the same errors.

This worked for me on the LAN connection.

The certificate template is a copy of the Workstation template. Edit the template with the following:

     Subject Name | Subject Name Format

          Changed from None to Common Name

          Request new certificate

     Edit certificate

          Right-click certificate | All Tasks | Manage Private Keys | Add 'Domain Users' group to have Read permission

Cheers

** Update **

Having tested with the UAG through the firewall from an external connection, I can confirm this now works after the changes to the certificate.
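For anyone troubleshooting the same "unable to retrieve client certificate from session" error, the script below is an added example (my own check, not part of the original post or anything VMware ships). It runs on the domain-joined client and reports, for each certificate in the machine store, the three things the fix above depends on: a Subject with a CN, a private key that the chosen group can read, and a chain that ends in a CA present in the pemCerts file the UAG trusts. It assumes the client certificate lives in Cert:\LocalMachine\My, that the PEM bundle has been copied to the client at the path in $PemChainPath (the path from the original post), and that the key container is under the standard %ProgramData%\Microsoft\Crypto folders; the Get-PrivateKeyFile helper is mine and handles CAPI and CNG keys.

```powershell
# Added example, not from the original post: report whether a domain member's
# machine certificate is usable for UAG certificate-auth.
param(
    [string]$PemChainPath = 'C:\certs\domain-cachain.pem',   # pemCerts path from the original post
    [string]$ReaderGroup  = 'Domain Users'                   # group granted Read on the private key
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Parse every CERTIFICATE block in the PEM bundle. PowerShell 5.1 / .NET Framework has no
# multi-certificate PEM importer, so each base64 body is decoded by hand.
function Read-PemCertificates {
    param([string]$Path)
    $text = Get-Content -Path $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($text, $pattern, 'Singleline')) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
    }
}

# Locate the on-disk key container (CAPI first, then CNG) so its ACL can be inspected.
# Assumption: default machine key locations under %ProgramData%\Microsoft\Crypto.
function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $name = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        if ($name) { return Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $name }
    } catch { }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -and $rsa.Key) { return Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName }
    } catch { }
    return $null
}

$caThumbs = @(Read-PemCertificates -Path $PemChainPath | ForEach-Object { $_.Thumbprint })
$readFlag = [System.Security.AccessControl.FileSystemRights]::Read

$results = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # 1. EKU must allow client authentication and the Subject must carry a CN
    #    (the "Subject Name Format: None -> Common Name" change in the fix above).
    $hasEku = $null -ne ($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
    $hasCn  = $cert.Subject -match '(^|,\s*)CN='

    # 2. Every issuer in the built chain must be one of the CAs in the pemCerts file.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $issuers = @($chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate.Thumbprint })
    $unknown = @($issuers | Where-Object { $caThumbs -notcontains $_ })
    $anchored = $chainOk -and $issuers.Count -gt 0 -and $unknown.Count -eq 0

    # 3. The private key must exist and the chosen group must be able to read it
    #    (the "Manage Private Keys -> Domain Users: Read" change in the fix above).
    $keyRead = $false
    $keyFile = if ($cert.HasPrivateKey) { Get-PrivateKeyFile -Cert $cert }
    if ($keyFile -and (Test-Path -Path $keyFile)) {
        $acl = Get-Acl -Path $keyFile
        $keyRead = [bool]($acl.Access | Where-Object {
            $_.IdentityReference.Value -like "*\$ReaderGroup" -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $readFlag) -eq $readFlag })
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        ClientAuthEKU = $hasEku
        SubjectHasCN  = $hasCn
        ChainInPem    = $anchored
        HasPrivateKey = $cert.HasPrivateKey
        KeyReadable   = $keyRead
        Usable        = ($hasEku -and $hasCn -and $anchored -and $cert.HasPrivateKey -and $keyRead)
    }
}

$results | Format-Table -AutoSize
```

Run it in an elevated PowerShell on a client that fails and one that works; a row with Usable = False shows which of the three conditions is missing, which is more useful than the generic error the UAG log gives.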
