BenFB's Posts

We are looking for confirmation on the cipher suites that can be configured on a UAG. We have TLS 1.0/1.1 disabled so we are only using TLS 1.2. According to Using PowerShell to Deploy VMware Unified Access Gateway and comparing to our UAG 3.0 these are the default cipher suites. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA The connection server documentation (Default Global Policies for Security Protocols and Cipher Suites) states that the following ciphers are supported. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA Our security team is requiring that we disable all AES 128 ciphers and only use elliptical curve (ECDHE) which leaves us with the following. UAG TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Connection Server TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA We've also been told that GCM is preferred as it performs better than CBC. So in a perfect world we would only use TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 but it's not one of the listed protocols for the UAG. We've found that it can be configured on the UAG but it can't be the only cipher. So I could do the following on the UAG and Connection servers but I'm unsure if this actually works. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Our connection servers are restricted to only use TLS 1.2 and the following cipher suites. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TL;DR Will the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite work on a UAG? Is it possible to only use TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 on the UAG and connection server or are a minimum of two needed? Why do the UAG and Connection Servers support different ciphers?

We are seeing an intermittent issue with remote users using Blast Extreme through a UAG where Skype thinks the user is still Away. You can not manually set it to Available and the Skye client must be quit and relaunched to set the status properly. When a user connects internally with a Dell Wyse P25/5030 zero client using PCoIP it works as expected. Skype properly detects the user is connected and sets the status to Available. We are running Horizon 7.1, Horizon Agent 7.1 on Windows 7, UAG 3.0, Horizon Client 4.5.1, Lync 2013 Standard Edition and Skype for Business 2016.

While doing a PoC of the Unified Access Gateway we discovered that it does not allow a user with a expired password to login and fails with "Access denied". We've tested this with the Horizon Client for Mac, Windows and iOS and the experience is the same. Logging in using a Dell P25 zero client or with a Horizon Client that points directly to the connection server correctly prompt the user that the password is expired and allows them to enter the old and new password to update it. We have an open support case but keep getting conflicting answers on whether this should or shouldn't work with the UAG. We do happen to have a RADIUS server configured for MFA and I suspect this is why it doesn't work. Can anyone let us know whether this should or shouldn't work?