This week VMware released version 3.10 of Unified Access Gateway (UAG).

Error detection in the configuration of edge services such as VMware Tunnel, Content Gateway or Secure Email Gateway (SEG), and overload protection through configurable CPU utilization limits, are only a small part of this update.

The full release notes are here.

Before you upgrade your UAGs, visit the Interoperability Matrix to check whether your installation is supported with UAG 3.9:
VMware Product Interoperability Matrices

What is New in This Release

VMware Unified Access Gateway 3.10 provides the following new features and enhancements:

For more information about these features, see the Documentation Center.

  1. Configuration of the Workspace ONE edge services VMware Tunnel, Content Gateway, and Secure Email Gateway through the Admin UI now detects errors caused by configuration issues and relays the error message to the Admin UI. The error messages are also captured in the logs.
     
  2. Added support to configure the maximum allowed CPU utilization to prevent an overload. Previous versions set this limit to a fixed 90%. When this level is exceeded, Unified Access Gateway responds to HTTP requests with a 503 error to indicate it is unable to handle the request due to temporary overloading. The support for this configuration allows a load balancer to allocate new sessions to alternative appliances. The default value is 100%, so the limit will never be exceeded unless a lower value is configured in system settings using PowerShell or the Admin UI.
     
  3. Extended support for Horizon Client IP protocol version bridging. Earlier versions supported IPv6 and IPv4 clients to connect to an IPv4 Horizon infrastructure. Support has been added to allow IPv6 and IPv4 clients to also connect to an IPv6 Horizon infrastructure.
     
  4. Added a capability with Web Reverse Proxy edge service configuration to proxy requests normally used for local Unified Access Gateway resources. This capability was needed to support the download of the OPSWAT on-demand agent when Unified Access Gateway is used in a Horizon double-hop DMZ configuration. To support this case, the proxyPattern configured on the Web Reverse Proxy edge service must include /gateway/resources/(.*) so that these requests are forwarded to the Horizon Unified Access Gateway appliance. 
     
  5. The FIPS version of Unified Access Gateway now supports the Certificate-based authentication for Horizon Clients. This is for Smart Card/CAC and device certificate authentication.
     
  6. General Unified Access Gateway SAML 2.0 enhancements for third-party Identity Providers used with the Horizon authentication.
     
  7. Validated Microsoft ADFS and Shibboleth as additional SAML 2.0 Identity Providers for the Horizon authentication.
     
  8. The Horizon OPSWAT device compliance check continuous evaluation interval can now be set to a minimum of every 5 minutes. Previously the minimum interval between checks was 30 minutes. By default, the continuous evaluation interval is still set to 0 meaning disabled. In this case, a continuous check is not performed but is still checked every time the user starts a Horizon desktop or application session. 
     
  9. Added support to configure a login disclaimer agreement message for the Admin UI login. The admin user must accept this agreement message before login. The Admin Disclaimer Text can be configured in the Admin UI or in the PowerShell .ini file.
     
  10. Extended the logs collected with system information to further aid troubleshooting. The system_logs_archive directory has the following log files: cpu.info, mem.info, sysctl.log, and journalctl_archive.
     
  11. The origin header used with Horizon requests to Connection Server can now optionally be rewritten to use the host name from the proxyDestinationUrl setting. In many cases, rewriting the origin header with this host name avoids the need to configure the locked.properties file on Connection Server to allow certain browsers to connect to Horizon.
     
  12. Added support for additional connection concurrency for RADIUS authentication. In previous versions, this might cause delays in a Horizon user being prompted for RADIUS credentials during peak login rates when used with certain configurations of the on-premises version of Microsoft Azure Multi-Factor Authentication Server. The increased connection concurrency avoids this delay.
     
  13. Updated TLS versions and default ciphers for connections on TCP port 443 for Horizon and Web Reverse Proxy edge services. Values are configurable. The non-FIPS Unified Access Gateway version defaults for these edge services are now:

    TLS 1.3
    TLS_AES_128_GCM_SHA256
    TLS_AES_256_GCM_SHA384
    TLS_CHACHA20_POLY1305_SHA256

    TLS 1.2
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    The FIPS Unified Access Gateway version defaults for these edge services are now:

    TLS 1.2 only
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     
  14. The Horizon Blast Secure Gateway component on TCP port 8443 no longer uses TLS 1.1. It supports TLS 1.2 only. 
     
  15. Secure Email Gateway support for Active Directory client certificate mapping authentication. For customers that publish client certificates to their user objects in Active Directory, this feature can be used when the certificate either does not have a UPN present, or the UPN does not match the UPN value in Active Directory.
     
  16. For Secure Email Gateway, the Java version has been updated to Zulu OpenJDK JRE, version 11.0.7.
     
  17. Qualified support for the AVI Networks load balancer in front-ending Unified Access Gateway for Horizon, Web Reverse Proxy, VMware Tunnel, Content Gateway, and Secure Email Gateway edge service.
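Item 4 above requires the Web Reverse Proxy proxyPattern on the front-end appliance to include /gateway/resources/(.*) in a double-hop setup. The following pre-deployment check is an added example, not VMware's code: it treats proxyPattern as a whole-path regular expression (an assumption made here) and verifies, against constructed sample request paths, that the OPSWAT on-demand agent download path would be forwarded. The "before" and "after" patterns are constructed illustrations, not defaults from the product.

```python
import re

# Branch that item 4 of the release notes says must be present in the proxyPattern
# for the double-hop DMZ case.
REQUIRED_SUBPATTERN = "/gateway/resources/(.*)"

# Constructed sample request paths: two that UAG would normally serve locally and
# one ordinary Horizon HTML Access path (hypothetical values for illustration).
GATEWAY_PATHS = ["/gateway/resources/opswat/agent.exe", "/gateway/resources/"]
SAMPLE_PATHS = GATEWAY_PATHS + ["/portal/webclient/index.html"]


def matched_paths(proxy_pattern: str, paths=SAMPLE_PATHS) -> list:
    """Return the sample paths that proxy_pattern matches as a whole-path regex
    (assumption: UAG evaluates the pattern against the entire request URI path)."""
    regex = re.compile(proxy_pattern)
    return [p for p in paths if regex.fullmatch(p)]


def check_proxy_pattern(proxy_pattern: str) -> dict:
    """Validate the regex and report whether the double-hop download path is covered."""
    try:
        re.compile(proxy_pattern)
    except re.error as exc:
        return {"valid": False, "error": str(exc), "double_hop_ready": False}
    matched = matched_paths(proxy_pattern)
    # Ready only if the literal branch is present AND every gateway sample path matches;
    # the textual check catches patterns that match by accident (e.g. a bare "/(.*)").
    ready = REQUIRED_SUBPATTERN in proxy_pattern and all(p in matched for p in GATEWAY_PATHS)
    return {"valid": True, "double_hop_ready": ready, "matched": matched}


# Constructed examples: a pattern without the branch, and the same pattern extended.
BEFORE = "(/|/portal(.*))"
AFTER = "(/|/portal(.*)|/gateway/resources/(.*))"

if __name__ == "__main__":
    for label, pattern in (("before", BEFORE), ("after", AFTER)):
        print(label, check_proxy_pattern(pattern))
```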

Resolved Issues

  • When using Horizon SAML IDP authentication with Microsoft ADFS on earlier versions, users might receive an HTTP ERROR 500 unless the metadata from ADFS was manually modified before being uploaded to Unified Access Gateway. Version 3.10 adds full support for Microsoft ADFS so this modification is no longer required.
  • Authentication timeout policy is now fully supported when using Horizon HTML Access client.
  • In the Unified Access Gateway Admin UI, the Auth Methods drop-down is now fully supported with Microsoft IE and Edge browsers.
  • When user authentication disclaimer text is added on Horizon Connection Server and later removed, this cached message on Unified Access Gateway is now removed automatically within 5 minutes and then no longer displayed to users.
  • OPSWAT MetaAccess on-demand agent download now works when the Windows SSO is enabled on Unified Access Gateway.
  • Unified Access Gateway console screen occasionally did not show the root login prompt after boot. This is resolved.
  • An intermittent TCP FIN_WAIT2 timeout issue might occur for TCP connections to the haproxy component of Unified Access Gateway. These connections are now automatically removed when complete.
  • The Secure Email Gateway (SEG) edge service hyperlinks in Tasks sync are now correctly transformed to remove AWB/AWBS for Workspace ONE Web.
  • Failure to configure SEG service on Unified Access Gateway when certain responses were received from the email server is resolved.
  • SEG service error in Kerberos flow when setting proxy.email.request.on.kerberos.error parameter to false is resolved.

Known Issues

  • If a backslash (\) character is used when setting an admin password, root password, or RADIUS shared secret, then it must be escaped by using an extra backslash character. So a password of Secret\123 should be specified by the admin as Secret\\123.
    Workaround: Prefix \ with an extra backslash \ (for example, \\u).
  • When Unified Access Gateway is deployed in Microsoft Azure using DHCP allocated IP addresses and there is a conflict between any custom static routes and DHCP assigned routes, then the static routes can be removed after they have been applied. This only happens if there is a mismatch between the UAG hostname and the hostname assigned by Azure based on the VM name.
    Workaround: Ensure that the Azure VM name based hostname matches the uagName (hostname) set when Unified Access Gateway is deployed so that a hostname change is not performed. 
  • The location of waagent.log is /var/log/waagent.log, which is a link to /opt/waagent/log/waagent.log. However, /opt/waagent does not exist and therefore a log file is not created.
    Workaround: The log file is not needed, but if it is ever required, log into the Unified Access Gateway console as root and remove the link by using the following command: rm /var/log/waagent.log.
  • On first boot, Microsoft Hypervisor is correctly detected by Unified Access Gateway and within the Hypervisor, based on a DHCP setting, Azure is detected instead of Hyper-V. However, on subsequent boot, Azure is incorrectly detected as Hyper-V and waagent is stopped.
    Workaround: None
  • When the static route is changed with other NIC settings such as IP address, netmask, and default gateway, the modified static route entry is not added to Unified Access Gateway.
    Workaround: 
    1. Configure the IP address, netmask, and default gateway of the Unified Access Gateway and save.
    2. Configure the static routes and save.
  • When Horizon SAML 2.0 is used with Horizon True SSO to avoid the initial AD password prompt, if the session is manually locked or locks due to inactivity, the user must either enter their AD password to unlock the session or close the client and reconnect. The Horizon True SSO unlock mechanism currently depends on Workspace ONE Access.
    Workaround: None
  • If Tunnel proxy settings are enabled or disabled after configuring the UEM edge services such as Content Gateway and Secure Email Gateway, then TLS port sharing does not work for the configured UEM edge services.
    Workaround:
    1. Configure Tunnel Proxy followed by other UEM edge services such as Content Gateway and Secure Email Gateway on Unified Access Gateway.
    2. If Tunnel Proxy is disabled or enabled later, save the previously configured UEM edge service settings again on the Unified Access Gateway Admin UI.