VMware has released the new version of Unifed Access Gateway (UAG) on 17 March 2020. There are new features for authentification, like Third-Party SAML or the combination of Smart Card Certificate or Passthrough authentication with pre-login message configured on Horizon Connection Server.

The full release notes are here

Before you upgrade your UAGs visit the InteropMatrix to check if your installation is supported to work with UAG 3.9
VMware Product Interoperability Matrices

What is New in This Release

VMware Unified Access Gateway 3.9 provides the following new features and enhancements:

  • Added support to combine Horizon Third-Party SAML authentication with the Horizon 7 and later versions for the Unauthenticated Access feature.
    This option allows single sign-on remote access from Horizon clients or browser-based HTML Access to RDSH published applications based on entitlements using simple role-based user aliases in Active Directory. Individual user accounts in the SAML Identity Provider (IdP) are used and the user must successfully authenticate with the IdP. For this feature, only role-based user alias accounts are required in Horizon. Includes support through RADIUS and SecurID Unauthenticated methods with Horizon 7 and later versions for the Unauthenticated Access feature.
  • Extended the support for OPSWAT end-point compliance check integration
    • Allows administrators to optionally upload the OPSWAT MetaAccess on-demand agent executables for Windows and macOS on Unified Access Gateway. The executables are then downloaded and run automatically by Windows and macOS Horizon clients as needed. This option is an alternative to using the continuously running OPSWAT MetaAccess persistent agent and does not require the end user to have to install the on-demand agent manually on their client device.
    • Allows configuring periodic end-point compliance checks by Unified Access Gateway for Horizon clients during an authenticated Horizon user session. These periodic checks are optional and are in addition to the initial compliance check made when launching a desktop or application session.
  • Added support for the combination of Horizon Smart Card Certificate or Passthrough authentication when a pre-login message is also configured on Horizon Connection Server.
  • Added support for non-ASCII characters in Smart Card X.509 certificates used for authentication.
  • Added support to configure the VMware Tunnel Proxy through the PAC file path or the URL in the .ini file, which gets configured during deployment through PowerShell.
  • Qualified support for the AVI Networks load balancer used in front-ending Unified Access Gateway for Horizon and Web Reverse Proxy edge services.
  • Added support to allow SSH option configuration during deployment, which can be done through the OVF template or in the .ini file, which gets configured during deployment through PowerShell.
  • Added support for Unified Access Gateway to use the custom settings for VMware Tunnel and Content Gateway service when configured as a Key-Value pair through the Workspace ONE UEM Console.
  • Added an option to set maximum TCP connections per session in the Unified Access Gateway Admin UI.
  • TLS 1.1 is disabled by default. The Honor Cipher Order setting is no longer used as it is automatically enabled for Horizon and Web Reverse Proxy edge services.

Resolved Issues

  • If the generated build of Unified Access Gateway is more than a year old, the root user is unable to log into a newly deployed UAG appliance with this build.
  • When UAG is configured with third-party SAML identity provider authentication and a Horizon client is launched from a URI or CLI, in some cases, the previous version of Unified Access Gateway did not correctly encode the URL with parameters.
  • Tunnel Proxy leads to high memory consumption (memory leakage) under heavy load conditions.

Known Issues

  • When UAG is set up for Horizon SAML 2.0 authentication, some versions of the Horizon Client for Windows hide the client UI after the desktop or application opens. This prevents the opening of subsequent desktops or applications. However, the URL used to access Horizon through UAG can specify individual desktops or RDSH Apps.
    Workaround: Upgrade to VMware Horizon Client for Windows version 5.4 or newer.
  • When Horizon SAML 2.0 is used with Horizon True SSO to avoid the initial AD password prompt, if the session is manually locked or locks due to inactivity, the user must either enter their AD password to unlock the session or close the client and reconnect. The Horizon True SSO unlock mechanism currently depends on Workspace ONE Access.
  • UAG RADIUS settings using a local hostname can sometimes fail.
    Workaround: Use a hostname in DNS or an IP address.
  • When using Horizon SAML IDP authentication with Microsoft ADFS, users receive the HTTP ERROR 500.The SAML metadata XML file is used for configuring SAML trust on UAG. This file is obtained from Microsoft ADFS. The XML file might contain a SPSSODesriptor section. This section is not required for UAG and causes the HTTP ERROR 500.
    The UAG esmanager.log displays the Error on validating assertion with a ClassCastException as follows:java.lang.ClassCastException: org.opensaml.saml.saml2.metadata.impl.SPSSODescriptorImpl cannot be cast to org.opensaml.saml.saml2.metadata.IDPSSODescriptor 
    Workaround: Before uploading the identity provider’s SAML metadata to UAG, edit the XML file to remove the SPSSODescriptor section. This section starts with “<SPSSODescriptor” and ends with “</SPSSODescriptor>”  tags.
  • Authentication timeout on Unified Access Gateway might not work for Horizon HTML Access client.When a user enters the Username and Password and clicks Login even after the authentication timeout interval, the user can still log into the Horizon client. This issue occurs intermittently.
    Workaround: None
  • In the Unified Access Gateway Admin UI, the Auth Methods drop-down box might not appear in the IE and Edge browsers.
    Auth Methods is a field in the Horizon Settings page.
    Workaround: None