VMware Horizon Community
BarryUWSEFS
Enthusiast

UAG no DMZ Advice

We are part of a large campus network. There is a firewall between the campus network and the data center where all of the Horizon server infrastructure is. There is no "DMZ." We are currently using a security server that is behind the firewall. It is assigned a public IP address, and the appropriate ports are open to it from the Internet and the campus networks. It handles all of the connections from the Internet and the campus. I would like to replace the security server with UAG and am looking for best practice. My primary question could apply to the security server or UAG: since the campus networks are private, is there a benefit to connecting them through the security server or UAG, taking into consideration that the UAG or security server is already behind a firewall? Could the campus network traffic connect directly to the connection server, and only Internet traffic to the UAG? Or should I configure the UAG to handle campus and Internet traffic as I do now with the security server? This question comes up because all documentation I have found assumes the UAG (or security server) is being deployed in a DMZ.


Accepted Solutions
sjesse
Leadership

Yes to what you're saying here, and if you don't have a load balancer, look at the UAG high availability feature that was introduced in later versions so you can add two for redundancy. If users can get to the IP of where the UAG is, it should work just fine; for us, we decided not to allow direct connections to the connection servers, so we have internal and external UAGs. You either need to use different URLs, use split DNS, or source-based routing to get them to the correct UAGs.

6 Replies
jonathanjabez
Hot Shot

UAG is mainly meant for Internet-facing VDI. This means UAG appliances are deployed in a DMZ zone with a public IP address to connect from the Internet. However, the same UAG can be deployed as an internal UAG. It can be placed behind a firewall in your campus network. Users connecting internally can connect either to the UAG or the Connection Server, provided the required network firewall ports are allowed in the firewall. However, the internal UAG deployment use case is only for users connecting from outside of the organization (B2B or MPLS), where the extranet subnet is stretched to MPLS and the firewall ports are open end to end. An internal UAG is always limited only to the network it is exposed to.

BarryUWSEFS
Enthusiast

Thank you. We are not dealing with MPLS or B2B, but it sounds like I could set up the UAG similar to how I have the security server now: assign it a public IP and configure firewall ports from the Internet (public) and from campus. Or figure out how to direct Internet traffic to the UAG and campus traffic directly to the connection server. I do not have any choice but to place it behind the firewall; about the only network configuration I can request is firewall ports.

sjesse
Leadership

What you're saying is incorrect in a lot of ways. I have internal-only UAGs; we actually don't have any way of directly connecting to VDI VMs. The UAGs can do whatever the security server could do. It all depends on how your environment is set up.

BarryUWSEFS
Enthusiast

Thanks. I think the simplest and most secure would be to point all traffic, internal and external, through the UAG, as we do now with the security server.

sjesse
Leadership

Just make sure you disable the secure gateways on the connection server and enable them on the UAGs. With a security server there was a tunnel between the security server and the connection server, but that changed with the UAG, so if you have any firewalls between the security server, connection servers, or the virtual machines, make sure you check all the ports. Instead of the VM connections going through the security servers and out the connection servers, the connections go through the UAGs directly to the VMs.