What is the Omnissa Unified Access Gateway (UAG)?
The Omnissa Unified Access Gateway (UAG) is a hardened Linux-based virtual appliance that provides secure edge access for Omnissa Horizon (VDI/RDSH), Workspace ONE, and Web Reverse Proxy services. It replaces the legacy Horizon Security Server.
UAG is deployed in a DMZ or edge network segment and acts as an authenticating proxy — it terminates client connections, performs pre-authentication (optional), and forwards only valid sessions to internal Horizon Connection Servers or other backend services. No VPN is required for end users.
Key services UAG provides: Horizon (Blast Extreme, PCoIP, HTML5), VMware Tunnel (per-app VPN), Content Gateway, Workspace ONE Web, and reverse proxy for internal web apps.
UAG Version Matrix – Supported Releases (March 2026)
| Version | Released | Type | Key Changes | Status |
|---|---|---|---|---|
| 2506 | Jun 2025 | Current Release | Enhanced TLS 1.3 enforcement, improved certificate rotation automation, Blast UDP port range expansion, improved health check endpoints, new REST API fields | ✓ Recommended |
| 2503 / 2503.1 | Mar/Aug 2025 | ESB / Long-Term | Extended support baseline (3+ years), OLM licensing alignment, Nutanix AHV deployment support, enhanced SAML IdP chaining, updated FIPS mode | ✓ Fully Supported |
| 2412 | Dec 2024 | Previous CR | Updated Workspace ONE integration, improved reverse proxy rules, TLS cipher updates | Supported |
| 2312 / 2309 | Dec 2023 / Sep 2023 | Aging | — | ⚠ Upgrade Required |
⚠ VDI Guy Note: Always align UAG version with your Horizon Connection Server version. UAG N-1 is generally supported but UAG N+1 is not. Deploy 2506 or 2503 ESB for all new or upgraded environments.
NIC Architecture: Single, Dual, and Triple NIC
UAG supports 1, 2, or 3 network interfaces. Choosing the right topology is one of the most important decisions in a UAG deployment. Here's when to use each.
Single NIC (eth0)
USE CASE
Lab, POC, or small deployments. All traffic (internet, management, backend) on one interface.
✓ PROS
- • Simplest deployment
- • Minimal firewall rules
- • Easiest to troubleshoot
✗ CONS
- • No network traffic isolation
- • Not suitable for PCI/HIPAA
- • Internet traffic same path as mgmt
TYPICAL PORTS (eth0)
443, 8443 (Blast), 4172 (PCoIP), 22443 (Tunnel)
Dual NIC (eth0 + eth1)
MOST COMMON PRODUCTION CHOICE
USE CASE
Standard enterprise DMZ. eth0 = Internet/external. eth1 = Internal/backend (Horizon CS, DNS).
✓ PROS
- • External/internal traffic separation
- • Internet-facing NIC has no backend routes
- • Meets most compliance requirements
- • Separate firewall zones for each NIC
✗ CONS
- • Mgmt traffic mixed with backend
- • Slightly more complex routing
INTERFACE ROLES
eth0 → Internet (443, 8443, 4172, 22443)
eth1 → Internal (to Conn. Server 443, 8009)
Triple NIC (eth0+1+2)
USE CASE
High-security/regulated environments. Separate management NIC from data plane. PCI-DSS, HIPAA, government.
✓ PROS
- • Full traffic isolation (3 zones)
- • Dedicated OOB management
- • Meets strictest compliance
- • Independent mgmt firewall rules
✗ CONS
- • Complex routing table required
- • Static routes must be defined in INI
- • More vSwitch/port-group config
INTERFACE ROLES
eth0 → Internet (client-facing)
eth1 → Internal (backend/CS)
eth2 → Management (admin UI 9443)
UAG NIC Configuration in uag.properties / ini
Single NIC – Minimal ini/properties example
[General]
name=uag-prod-01
deploymentOption=onenic
ip0=192.168.10.50
netmask0=255.255.255.0
gateway=192.168.10.1
dns=192.168.10.10
# All services on single NIC
# Internet gateway must NAT port 443, 8443, 4172, 22443 to this IP
Note: With single NIC, management admin UI (port 9443) is exposed on the same internet-facing IP. Always restrict 9443 to management networks via firewall — never expose to internet.
Dual NIC – Standard production ini example
[General]
name=uag-prod-01
deploymentOption=twonic
# eth0 – Internet-facing (DMZ)
ip0=203.0.113.10
netmask0=255.255.255.0
gateway=203.0.113.1
# eth1 – Internal LAN (backend)
ip1=10.10.1.50
netmask1=255.255.255.0
dns=10.10.1.10,10.10.1.11
# Management UI accessible via eth1 on port 9443
# Routes: eth0 default GW to internet, eth1 for internal subnets
routes0= # default via internet GW
routes1=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 # internal supernets
Pro Tip: Define all internal supernets in routes1. Missing a subnet here will cause Blast/PCoIP sessions to route out eth0 instead of eth1 — a common cause of session failures.
Triple NIC – Regulated/high-security ini example
[General]
name=uag-secure-01
deploymentOption=threenic
# eth0 – Internet-facing
ip0=203.0.113.20
netmask0=255.255.255.0
gateway=203.0.113.1
# eth1 – Internal backend
ip1=10.10.1.51
netmask1=255.255.255.0
# eth2 – Dedicated management (OOB network)
ip2=172.16.100.51
netmask2=255.255.255.0
dns=10.10.1.10
# Admin UI (9443) binds to eth2 only
adminInterfaceIpAddress=172.16.100.51
routes1=10.0.0.0/8
routes2=172.16.0.0/16
Key field: adminInterfaceIpAddress explicitly binds the admin console to eth2 only. Without this, in threenic mode the admin UI may be reachable from all interfaces.
All UAG Configuration Fields — Complete Reference
Covers UAG Admin UI (9443) and REST API / PowerShell deployment properties. Organized by section as they appear in the admin console.
System Configuration
| Field | Type / Values | Description & Best Practice |
|---|---|---|
| SSL Certificate | PFX/PEM upload | Upload your public-facing wildcard or SAN cert here. Must include full chain. Do not use the default self-signed cert in production — Blast HTML5 client will throw security errors. Supports Let's Encrypt via ACME (2503+). |
| TLS Named Groups | secp384r1, x25519, etc. | Controls ECDH/FFDH named groups for TLS 1.3 key exchange. Default includes secp256r1, secp384r1. For FIPS environments set secp384r1 only. Order matters — first is preferred. |
| TLS Server Ciphers | Colon-separated OpenSSL list | Restricts accepted TLS 1.2 cipher suites. Recommended: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256. Remove RC4, DES, 3DES, MD5-based ciphers. Blank = defaults (TLS 1.3 ciphers always permitted and cannot be restricted). |
| TLS 1.0 / 1.1 | true/false | Set both to false. TLS 1.0/1.1 are deprecated. Any modern Horizon client (2106+) supports TLS 1.2 minimum. Enabling these fails PCI-DSS scans immediately. |
| TLS 1.2 | true/false | Keep enabled for backward compatibility with Horizon 7.x clients (if still in environment). Disable in TLS 1.3-only environments. |
| TLS 1.3 | true/false | Always enable. TLS 1.3 is the preferred protocol for Horizon Blast Extreme connections in 2026. Cannot restrict cipher suites for TLS 1.3 (they are fixed by RFC 8446). |
| FIPS Mode | Enabled at deploy time | Set at deployment only — cannot be changed post-deploy. Enables FIPS 140-2 validated crypto modules. Required for US federal/DoD. Restricts cipher suite options significantly. Deploy with enableFIPS=true in OVF properties. |
| HTTP Response Headers | Key:Value pairs | Add security headers: Strict-Transport-Security: max-age=31536000; includeSubDomains, X-Content-Type-Options: nosniff, X-Frame-Options: DENY. UAG 2412+ supports this natively. |
| System Time / NTP | IP/FQDN list | Critical. Time skew causes certificate validation failures and SAML assertion failures. Configure at least 2 NTP servers. Match NTP sources with Connection Servers and AD. |
| Password Policy | Complexity/length settings | Applies to the local UAG admin account password. Enforce complexity. For automated deployments use OVF/REST to set strong initial password — never leave default. |
| SSH | true/false | Disabled by default. Enable only for troubleshooting. Restrict source IPs via firewall. Root SSH is never permitted — use the admin account. Disable again after use. |
| Core Dump | true/false | Disable in production. Core dumps can contain sensitive session data (certificates, credentials in memory). Only enable temporarily for crash diagnosis under TAC guidance. |
Horizon Edge Service Configuration
| Field | Type / Values | Description & Best Practice |
|---|---|---|
| Connection Server URL | https://FQDN:443 | FQDN of the Horizon Connection Server (or load balancer VIP). Use FQDN, not IP — certificate validation will fail with IP. UAG validates the CS certificate by default (honor/disregard thumbprint option available for self-signed). |
| Connection Server Thumbprint | SHA-256 hex | Required if CS uses a self-signed cert. Enter the SHA-256 thumbprint of the CS certificate. Best practice is to replace self-signed CS certs with trusted CA-signed certs and leave this blank for full chain validation. |
| Blast External URL | https://uag-fqdn:8443 | The public URL clients use for Blast Extreme. Must match the SSL certificate SANs. Port 8443 default. Common mistake: setting this to the internal CS URL — results in Blast sessions trying to connect directly to the CS, bypassing UAG. |
| PCoIP External URL | IP:4172 | Public IP:port for PCoIP UDP traffic. Note: PCoIP External URL takes an IP address (not FQDN) because PCoIP is UDP-based and does not support DNS resolution at the protocol level in this context. |
| Tunnel External URL | https://uag-fqdn:443 | Used for HTTPS tunnel (file transfer, USB redirection, client drive mapping). Often same as the primary UAG URL. Separate from Blast — do not confuse. |
| UDP Tunnel Server | true/false | Enables the QUIC/UDP tunnel for Blast Extreme. Enable for best performance — reduces TCP overhead. Requires UDP 443 or 8443 open on external firewall. 2503+ recommended for QUIC improvements. |
| Proxy Destination URL | https://cs-internal:443 | Where UAG forwards authenticated broker requests. Typically the internal Connection Server URL. If using a load balancer for CS, point here. |
| Auth Methods | Passthrough, RADIUS, SAML, RSA SecurID, Smart Card, Certificate | Passthrough = forward auth to Connection Server (most common). RADIUS/TOTP for MFA. SAML for IdP-chained auth (Workspace ONE, Okta, ADFS). Certificate for smart card/PIV. You can chain auth methods: e.g., Certificate AND RADIUS (2-factor). |
| Smart Card | Required/Optional/Off | Controls client certificate / smart card authentication. "Required" terminates connection if no valid cert presented. Requires trusted CA certificates uploaded to UAG's trusted certificate store. |
| Workspace ONE Mode | true/false | Enables WS1 Access integration — redirects unauthenticated users to WS1 Access for IdP auth before proxying to Horizon. Required for SAML-based SSO with Workspace ONE. |
| Health Check URI | /favicon.ico (default) | URI that load balancers probe to check Horizon service health. Default works. For custom health check, use /broker/xml or configure a dedicated endpoint. Must return HTTP 200. |
| Match Windows User Name | true/false | When smart card auth is used, validates that the CN in the client certificate matches the Windows username. Enable for strict certificate binding in regulated environments. |
| Redirect to HTTPS | true/false | Redirects HTTP (port 80) to HTTPS (443). Enable — there is no reason to accept cleartext HTTP in production. |
RADIUS / MFA Authentication Settings
| Field | Type / Values | Description |
|---|---|---|
| Auth Server IP/FQDN | IP or FQDN | RADIUS server address. For HA, configure primary and secondary. Use internal FQDN — UAG must resolve it via eth1 DNS. |
| Auth Port | 1812 (default) | Standard RADIUS authentication port. Some NPS/Cisco ISE deployments use 1645 (legacy). Confirm with your RADIUS admin. |
| Shared Secret | String (stored encrypted) | RADIUS shared secret. Use a strong, long random string (>32 chars). This is stored encrypted in the UAG config. Rotate annually or on staff changes. |
| Number of Authentication Attempts | 1–5 (default 3) | Max RADIUS auth retries before lockout. Set to 1 for TOTP (one-time codes are single-use). Set to 3 for push-based MFA where user may dismiss and retry. |
| Password Authentication | PAP/CHAP/MSCHAPv2 | PAP is required for most TOTP/OTP integrations (Duo, Azure MFA, RSA) as the OTP is sent as plaintext RADIUS password. MSCHAPv2 for NPS when authenticating with AD passwords. |
| RADIUS Timeout | Seconds (default 5) | Increase to 30–60s for push-based MFA (Duo Push, Microsoft Authenticator) where user must approve on phone. Default 5s will time out before user can respond. |
Advanced Edge Service & System Settings
| Field | Type / Values | Description & Notes |
|---|---|---|
| Blast TCP/UDP Port | 8443 (TCP+UDP) | Blast Extreme uses TCP 8443 (control) and UDP 8443 (media). Ensure both TCP and UDP 8443 are open on the external firewall. Some environments move to 443/UDP for restrictive client networks. |
| PCoIP UDP Port | 4172 (UDP) | PCoIP requires UDP 4172 open bidirectionally. Asymmetric firewall rules (allow outbound but not inbound UDP) are a common cause of PCoIP session failures through UAG. |
| Client Connection Idle Timeout | Minutes | Disconnects idle sessions. Set per organizational security policy. Should be ≤ the Connection Server session timeout to avoid session lingering on the broker after UAG disconnects. |
| Connection Server Session Timeout | Minutes (480 default) | Time a user can stay connected through UAG after initial authentication. Reauthentication forced on expiry. For persistent desktop users set higher (8h+). For kiosk/shared desktops set lower. |
| Max Sessions | Integer | Per-UAG concurrent session limit. Standard UAG VM (4 vCPU / 8GB RAM) supports ~2,000 concurrent Blast sessions. Large (8 vCPU / 16GB) ~5,000. Cluster multiple UAGs behind a load balancer for scale. |
| Syslog Server | IP:port (UDP/TCP) | Forward UAG logs to SIEM. Critical for security monitoring. Use TCP syslog over UDP to avoid log loss. UAG logs authentication events, TLS handshakes, and edge service errors. |
| Monitoring API Token | Token string | Secures the REST monitoring endpoint (/rest/v1/monitor). Used by Horizon Management Console and external monitoring tools (Prometheus, Zabbix) to pull UAG health metrics. |
| Admin Password | String (bcrypt) | Admin console password (9443). Stored as bcrypt hash. Change from default immediately post-deploy. For automated deployments, set via OVF property adminPassword at deploy time. |
| Root Password | String | Linux root account password (not the admin UI password). Required for SSH access. Set strong, store in vault. Root SSH login is not permitted — must sudo from admin account. |
| Trusted Certificates | PEM upload | CA certificates UAG should trust for backend connections (Connection Server, RADIUS, LDAP). Upload your internal CA chain here so UAG can validate backend server certificates. |
| X-Forwarded-For | true/false | Inserts client IP in X-Forwarded-For header forwarded to Connection Server. Enable for accurate client IP logging and geo-based access policies. Ensure CS is configured to trust UAG as a proxy. |
| Proxy Pattern | Regex (e.g. /.*) | URL path pattern this edge service handles. For Horizon use (/|/broker/xml|/broker/tunnel|/broker/resources/.*|/appblast/.*|/tunnel|/favicon.ico). Overly broad patterns can interfere with reverse proxy rules on same UAG. |
TLS Hardening Checklist (2026)
Production TLS Settings
- ✓TLS 1.0 = false, TLS 1.1 = false
- ✓TLS 1.2 = true (for client compatibility), TLS 1.3 = true
- ✓Cipher suites: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
- ✓CA-signed cert with full chain on eth0 interface
- ✓HSTS header: Strict-Transport-Security: max-age=31536000
- ✓Remove RC4, DES, EXPORT, NULL, anon ciphers
- ✓Redirect HTTP → HTTPS enabled
- ✓Named groups: secp256r1, secp384r1 minimum
FIPS Mode Notes
- • FIPS mode is set at OVF deployment only — you cannot toggle it post-deploy without redeploying
- • FIPS restricts to: AES-256-GCM, AES-128-GCM, SHA-256, SHA-384 only
- • FIPS mode disables: RC4, MD5, 3DES, DH < 2048-bit automatically
- • Required for US federal, DoD, FedRAMP environments
- • Performance impact ~5-8% on session establishment — negligible in production
- • Verify with: openssl version -f from UAG SSH — should show "with-fips"
Blast Extreme vs PCoIP vs Tunnel Through UAG
| Protocol | Ports (External) | Transport | UAG Config Field | Notes |
|---|---|---|---|---|
| Blast Extreme TCP | 443, 8443 | TCP | blastExternalUrl | Control channel, fallback when UDP unavailable. Always enable even when using UDP Blast. |
| Blast Extreme UDP | 8443/UDP (or 443/UDP) | UDP/QUIC | udpTunnelServer=true | Preferred for low-latency media. Falls back to TCP if UDP blocked. Verify UDP 8443 open on external FW. |
| PCoIP | 4172/UDP + 4172/TCP | UDP (primary) | pcoipExternalUrl | Takes IP:port (not FQDN). Requires asymmetric UDP allowed. Legacy — Blast preferred for new deployments. |
| HTTPS Tunnel | 443 | TCP/HTTPS | tunnelExternalUrl | USB, CDR, file transfer. Works everywhere 443/TCP is open. |
| VMware Tunnel (Per-App VPN) | 443, 8443, 22443 | TCP/HTTPS | VMware Tunnel Edge Service | Workspace ONE UEM per-app VPN. Separate edge service from Horizon. Configure via Workspace ONE UEM console. |
Known UAG Bugs & Workarounds (2024–2026)
These are bugs I've personally hit in production or seen confirmed in Omnissa community and TAC cases. Always verify current status in Omnissa release notes.
Blast UDP Sessions Drop After ~2 Hours (UAG 2312–2412)
Fixed: 2503UDP Blast sessions established via UAG drop after approximately 2 hours due to a UDP NAT keepalive timer issue on the UAG side. Users experience sudden disconnection without warning.
WORKAROUND (pre-2503)
Set Blast to TCP-only by removing UDP Blast support (udpTunnelServer=false) until upgrading to 2503+. Performance degradation is minimal for most use cases.
Certificate Upload Fails Silently with 4096-bit RSA Keys (UAG <2412)
Fixed: 2412When uploading PFX certificates with 4096-bit RSA private keys via the admin UI, the upload appears to succeed but the old cert remains in use. No error is displayed. Affects versions < 2412.
WORKAROUND
Use 2048-bit or 3072-bit RSA keys, or ECDSA P-256/P-384 (recommended). Or deploy via REST API where the error is returned and visible. Upgrade to 2412+ resolves.
Dual NIC: Routes Not Persisted After UAG Restart (Various versions)
IntermittentIn dual-NIC deployments, manually added static routes (not defined in the original INI/OVF properties) are lost after a UAG reboot. Sessions to backend subnets fail after restart until routes are re-added.
WORKAROUND / FIX
Always define all static routes in the original OVF deployment properties (routes0, routes1) rather than adding post-deployment. Never rely on runtime route changes.
SAML Auth Loop with Workspace ONE Access (UAG 2409)
Fixed: 2412SAML authentication with Workspace ONE Access enters an infinite redirect loop when the WS1 Access instance is behind a load balancer with affinity disabled. UAG 2409 specific.
WORKAROUND
Enable source-IP affinity on the WS1 Access load balancer temporarily, or upgrade to UAG 2412+. Also verify the SAML SP metadata entityID in UAG matches exactly (including trailing slash) what WS1 Access expects.
Admin UI (9443) Becomes Unresponsive Under High Session Load
Ongoing — by designThe management interface on port 9443 shares CPU resources with the data plane. Under very high session load (near max concurrent sessions), admin UI becomes slow or unresponsive. Not technically a bug but a known limitation.
WORKAROUND
Use triple-NIC deployment with dedicated management NIC (eth2) for admin traffic. This separates management plane resource contention. Never perform config changes during peak hours on heavily loaded UAGs.
⚠ NTP Misconfiguration Causes Intermittent SAML Failures
Configuration IssueNot a bug but the #1 cause of "random" SAML/auth failures reported to TAC. SAML assertions have a validity window (<5 min). If UAG clock drifts >2 minutes from the IdP, assertions will appear expired. Always configure at least 2 NTP servers matching your AD/IdP infrastructure.
⚠ PCoIP External URL Must Be IP, Not FQDN
Design LimitationPCoIP protocol embeds the connection address in the session data. UAG requires an IP address (not FQDN) for pcoipExternalUrl. Using a hostname here will cause PCoIP clients to fail connection after initial broker handshake. Use the public NAT IP of the UAG.
UAG Sizing & High Availability
| Size | vCPU | RAM | Disk | Max Concurrent Sessions | Use Case |
|---|---|---|---|---|---|
| Standard | 4 vCPU | 8 GB | 20 GB | ~2,000 | SMB, branch offices, dev/test |
| Large | 8 vCPU | 16 GB | 20 GB | ~5,000 | Enterprise, recommended baseline |
| Extra Large | 16 vCPU | 32 GB | 20 GB | ~10,000 | Large enterprise, high-density |
HA Best Practices
- • Deploy minimum 2 UAGs per site (N+1)
- • Use external load balancer (F5, NSX ALB, Azure LB) with TCP health checks on port 443
- • UAGs are stateless — no session affinity needed for most protocols
- • Exception: RADIUS/SAML may need affinity during active auth flow
- • Place in separate hosts (anti-affinity DRS rules) for true HA
- • Monitor health endpoint: GET /favicon.ico returns 200 when healthy
Load Balancer Firewall Rules
Internet → LB VIP:
TCP 443 (HTTPS/Blast fallback)
TCP 8443 (Blast Extreme)
UDP 8443 (Blast UDP/QUIC)
UDP 4172 (PCoIP)
TCP 4172 (PCoIP TCP)
TCP 22443 (VMware Tunnel)
LB → UAG eth0:
Same as above (pass-through)
UAG eth1 → Connection Server:
TCP 443 (broker)
TCP 8009 (JK connector, if used)
Management (restricted):
TCP 9443 (UAG admin UI)