The next product gets the new version identification. After Horizon 8, sorry Horizon 20.06, VMware this week released the new version of the Unified Access Gateway (UAG).
Besides the possibility to install future Photon OS updates during the boot process, the Health Monitor can now also be accessed via port 80. This is only a small part. It will be more detailed in this article.

The full release notes are here

Before you upgrade your UAGs visit the InteropMatrix to check if your installation is supported to work with UAG 20.09
VMware Product Interoperability Matrices

What is New in This Release

VMware Unified Access Gateway 20.09 provides the following new features and enhancements:

For more information about these features, see the Documentation Center

  • Photon OS Update Options
    • Added support to automatically apply future OS package updates at the boot time. VMware might publish a list of one or more package updates at to represent a list of authorized OS updates. These updates can be applied to Unified Access Gateway to address critical issues which apply to the Unified Access Gateway functionality, and for which no workaround is available. This feature is disabled by default, but the administrator can set the feature to apply updates on the next boot or on every boot. When set, Unified Access Gateway automatically checks for authorized updates at the next boot and downloads and installs the updates if present. If no updates have been published for the specific Unified Access Gateway version, then no action is taken. Customers can also mirror the repository as an alternative to connecting to over the Internet. Only authorized updates can be applied using this feature, and these updates are published at
  • Added further support for HTTP Strict Transport Security (HSTS). As a consequence of this requirement, if a load balancer is not able to perform HTTPS GET /favicon.ico health monitoring using HTTPS on port 443 and must use HTTP instead on port 80, then a new Unified Access Gateway setting ‘Enable HTTP Health Monitor’ must be enabled. This setting is disabled by default as it is rarely needed. It can be enabled using a setting in the PowerShell .ini, using the configuration REST API or from the Admin UI in the system setting ‘HTTP Health Monitor’ set to ‘Yes’.
  • Custom Settings for Secure Email Gateway
    •  The Secure Email Gateway component can now take the detailed configuration update from the UEM console without any manual configuration edits within the Unified Access Gateway. This means configuration settings like the EWS proxy and TLS settings can be provisioned through the UEM Console without interacting with every Unified Access Gateway appliance, same as the Content and Tunnel configurations.
  • Syslog Enhancements
    • Unified Access Gateway now sends events from different system processes such as cron, ssh, and the kernel. 
    • In addition to sending syslog over UDP and TLS, Unified Access Gateway now also supports sending over TCP as well.
    • Syslog events for Horizon now include device IP when known and desktop and application launches.
    • Web Revere Proxy events now include the session creation event.
  • Low-privilege Monitoring Users in Scripted Deployment
    • Low-privilege users can now be included as part of the .INI file used in PowerShell scripted Unified Access Gateway deployments.

Resolved Issues

  • When uploading SAML metadata to Unified Access Gateway, if the EntityID was not a URL, then the IdP metadata failed to upload.
  • If the Tunnel proxy settings were enabled or disabled after configuring the UEM edge services such as Content Gateway and Secure Email Gateway, then TLS port sharing did not work for the configured UEM edge services.
  • When the static routes were changed with other NIC settings such as IP address, netmask, and default gateway, the modified static route entry was not added to Unified Access Gateway.
  • When SEG on Unified Access Gateway was configured to report events to the syslog server, the ‘appname’column was blank
  • When a Horizon Universal Broker redirected session was allocated on Unified Access Gateway, it was incorrectly set to ‘authenticated’ and was therefore not released until after the maximum session timer had expired.

Known Issues

  • If a backslash (\) character is used when setting an admin password, root password, or RADIUS shared secret, then it must be escaped by using an extra backslash character. So, the admin must specify a password like Secret\123 as Secret\\123.
    Workaround:  Prefix \ with an extra backslash \ (for example, \\u).
  • When Unified Access Gateway is deployed in Microsoft Azure using DHCP allocated IP addresses and there is a conflict between any custom static routes and DHCP assigned routes, then the static routes can be removed after they have been applied. This only happens if there is a mismatch between the Unified Access Gateway hostname and the hostname assigned by Azure based on the VM name.
    Workaround: Ensure that the Azure VM name based hostname matches the uagName (hostname) set when Unified Access Gateway is deployed so that a hostname change is not performed. 
  • The location of waagent.log is /var/log/waagent.log, which is a link to /opt/waagent/log/waagent.log. However, /opt/waagent does not exist and therefore a log file is not created.
    Workaround: The log file is not needed, but if it is ever required, log into the Unified Access Gateway console as root and remove the link by using the following command: rm /var/log/waagent.log.
  • When Unified Access Gateway is deployed on Microsoft Azure, on first boot, the Microsoft Hypervisor is correctly detected by Unified Access Gateway and within the Hypervisor, based on a DHCP setting, Azure is correctly detected. However, on subsequent boot, Azure is incorrectly detected as Hyper-V and waagent is stopped. This is a minor issue as waagent is mainly used to apply configuration settings on first boot only.
    Workaround: None
  • When Horizon SAML 2.0 is used with Horizon True SSO to avoid the initial AD password prompt, if the session is manually locked or locks due to inactivity, the user must either enter their AD password to unlock the session or close the client and reconnect. The Horizon True SSO unlock mechanism currently depends on Workspace ONE Access.
    Workaround: None