The Unified Access Gateway (UAG) is a VMware-developed End-User Computing (EUC) appliance that acts as a specialized gateway (or reverse proxy) managing access to enterprise EUC products deployed in a private or public cloud. It is a hardened, Linux-based appliance from VMware that is used with many products in the VMware Horizon family, such as:

  • Horizon 7
  • VMware Cloud on AWS
  • VMware Cloud on IBM Cloud
  • VMware Cloud on Azure
  • VMware Horizon DaaS

This blog post will cover the installation process of the UAG appliance for Horizon DaaS specifically.

Formal installation procedure

The formal installation procedure for Horizon DaaS requires the administrator to manually import the .OVA template into vCenter and configure the network interfaces, storage, and all IP address and host information. The next step is to log on over SSH to the Primary Service Provider appliance, and from there hop on to the tenant appliance. From the tenant appliance, the administrator needs to run a script and follow a wizard to complete the installation.

As you can read, the deployment of the UAG appliance for Horizon DaaS can be a somewhat time-consuming process. It also leaves much room for manual errors during the input of the wizards.

With this blog post, I will show you how to automate the installation with PowerShell. This procedure eliminates the manual import and tenant script steps, therefore saving implementation time and creating a stable, consistent and working solution in the Horizon DaaS environment.

Configuration requirements

Before we install anything, we need to gather information about the configuration. Without this information, it’s not possible to deploy the UAG for Horizon DaaS.

Mandatory configuration items are:

  • Download the correct .OVA version
  • vSphere information
    • vCenter name, DataCentre name, Cluster name
    • Datastore name
  • UAG appliance name
  • Network Interface Card (NIC) deployment option
    • There are three deployment options: three NIC, two NIC, and one NIC
  • VM Network name(s)
  • IP Address(es)
    • IP address(es) of the appliance itself
    • Default Gateway of the Internet-facing network
    • Subnet Mask(s)
    • DNS IP Address of the Tenant network
    • Floating IP address of the Tenant Appliances
    • Public IP address from the user portal FQDN
  • Certificate information
    • Server certificate thumbprint from the User Portal
    • Certificate chain and key files in .pem format, or use the .P12 or .PFX extension
  • User Portal FQDN
  • Tenant Active Directory NetBIOS name

Installation Requirements

The installation is not very difficult, but has a few requirements:

[Screenshot: VMware Unified Access Gateway - My VMware]
[Screenshot: OVF Tool Documentation]
  • Create a UAG Configuration File – see the chapter below

You can follow this VMware Community page as a reference for the installation procedure. This page will also explain all configuration item settings, including a full list of advanced configuration settings, should this be required for your organization.

Creating the Configuration File

You can use the example configuration file below to implement the UAG for Horizon DaaS. Copy the entire configuration, starting from [General].

# UAG virtual appliance VM name and hostname.
# If name is not specified, the script will prompt for it.

name=[UAG VM name in vCenter]
uagName=[UAG OS hostname]

# Full path filename of the UAG .ova virtual machine image
# The file can be obtained from VMware

source=[Location to UAG .OVA Template]
# vSphere environment information. Enter your domain (service) account in UPN format, or a local vSphere account as shown in the example.
# Do NOT fill in the password. The script will prompt for the password.

target=vi://[administrator@vsphere.local]:PASSWORD@[vCenter Server Name]/[DataCenter Name]/host/[Cluster Name]/[ESXi Host Name]

# vSphere datastore name and provisioning mode example

ds=[Datastore Name]
# Deployment Option – onenic, twonic or threenic – Below is an example of a twonic configuration.
# Please discuss with Security & Network teams which configuration suits your organization the best.


# Supply VM Network names

netInternet=[VM Network Name – Internet facing network]
#netManagementNetwork=[VM Network Name – Management network]
#netBackendNetwork=[VM Network Name – Tenant network]

# IP Addresses – Note: nic0 is always the internet facing network!!

ip0=[ip0 address]
netmask0=[netmask ip0]
routes0=[default gateway ip0]
#ip1=[ip1 address]
#netmask1=[netmask ip1]
#ip2=[ip2 address]
#netmask2=[netmask ip2]
defaultGateway=[default gateway ip0]
dns=[dns ip] [dns2 ip]
dnsSearch=[domain fqdn]
ntpServers=[ntp ip or fqdn] [ntp2 ip or fqdn]

# Security & Misc Settings – Cipher Suite will give an A rating on SSLLabs – Please review settings based on company Security Requirements

#Admin Password Expire date. The default is 90. Specify 0 to never expire

# SSH Access – Default is false. Enables console ssh access on TCP port 22. This is NOT recommended for production deployments


# Logging & Monitoring.
# Syslog – Provide an external Syslog server
# SNMP – Enables SNMP GET and GETNEXT support on UDP port 161. This is to provide basic information and monitoring data such as sysDescr, sysName, sysUptimeInstance and CPU and memory information using the SNMP protocol.


# SSL Certificate for the User Portal – use PEM format or P12/PFX – below is an example of PFX
# The PEM file should contain the SSL Server certificate and any intermediate and root certificates

pfxCerts=[Location to .P12 or .PFX certificate file]
#pemCerts=[Location to SSL certificate .PEM file]
#pemPrivKey=[Location to SSL certificate key file]

# SSL Certificate for the Admin Portal – use PEM format or P12/PFX – below is an example of PFX
# The PEM file should contain the SSL Server certificate and any intermediate and root certificates

pfxCerts=[Location to .P12 or .PFX certificate file]
#pemCerts=[Location to SSL certificate .PEM file]
#pemPrivKey=[Location to SSL certificate key file]

# Horizon DaaS 9.x Settings

# Console Access (HACA) for Horizon DaaS 9.x

proxyDestinationUrl=https://[Floating IP Address Tenant Appliances]
proxyDestinationUrlThumbprints=[Certificate Thumbprint User Portal]
securityHeaders={"X-Frame-Options":"SAMEORIGIN","Strict-Transport-Security":"max-age=63072000; includeSubdomains; preload","X-Content-Type-Options":"nosniff","Content-Security-Policy":"default-src 'self';font-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';img-src 'self' blob: data:;frame-src 'self' awjade:","X-XSS-Protection":"1; mode=block"}

# The UAG will use these settings to access the tenant appliances.

proxyDestinationUrl=https://[Floating IP Address Tenant Appliances]
samlSP=[Tenant Active Directory NetBIOS Name]
proxyDestinationUrlThumbprints=[Certificate Thumbprint User Portal]
tunnelExternalUrl=[User Portal FQDN]:443
blastExternalUrl=[User Portal FQDN]:443
pcoipExternalUrl=[Public IP Address User Portal]:4172

# UAG High Availability Settings – Note: Optional, see for configuration and limitations.

#virtualIPAddress=[vip ip0 address]
#groupID=[group id]
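
A pre-flight check for a configuration file like the one above, as an added example (not part of the original post and not part of VMware's UAGDeploy.ps1). It flags template placeholders that were never filled in, a vCenter password stored in the `target` line, malformed IPv4 values and a malformed thumbprint. `Test-UagIni` is a hypothetical helper, the sample values are constructed, and the thumbprint check assumes a hex SHA-1 or SHA-256 digest with an optional `sha1=`/`sha256=` prefix.

```powershell
# Added example: lint a UAG .ini before handing it to UAGDeploy.ps1.
# Test-UagIni is a hypothetical helper; the key names are the ones used on this page.
function Test-UagIni {
    param([Parameter(Mandatory)][string[]]$Lines)
    $findings = @()
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq '' -or $text -match '^[#\[]') { continue }   # blank, comment, [Section]
        $key, $value = ($text -split '=', 2).Trim()
        if ($null -eq $value) { continue }
        # Template placeholders such as [Datastore Name] that were never filled in.
        if ($value -match '\[[^\]]+\]') {
            $findings += "${key}: template placeholder left in value"
            continue
        }
        switch ($key) {
            'target' {
                # vi://user:PASSWORD@vcenter/... ; the literal PASSWORD makes the script prompt.
                if ($value -match '^vi://[^:/]+:([^@/]*)@' -and $Matches[1] -cne 'PASSWORD') {
                    $findings += 'target: vCenter password stored in the file; use PASSWORD'
                }
            }
            { $_ -in 'ip0', 'netmask0', 'defaultGateway' } {
                $parsed = $null
                if ($value -notmatch '^(\d{1,3}\.){3}\d{1,3}$' -or -not [ipaddress]::TryParse($value, [ref]$parsed)) {
                    $findings += "${key}: '$value' is not a dotted-quad IPv4 address"
                }
            }
            'proxyDestinationUrlThumbprints' {
                # Assumption: hex SHA-1/SHA-256 digest, optional "sha1="/"sha256=" prefix.
                $hex = ($value -replace '^sha(1|256)=', '') -replace '[\s:]', ''
                if ($hex -notmatch '^([0-9A-Fa-f]{40}|[0-9A-Fa-f]{64})$') {
                    $findings += "${key}: value is not a SHA-1 or SHA-256 thumbprint"
                }
            }
        }
    }
    return $findings
}
# Constructed sample (documentation addresses, made-up values), not a real deployment.
$sample = @'
[General]
target=vi://svc-deploy@vsphere.local:Summer2019!@vcenter.example.test/DC1/host/CL1
ip0=192.0.2.300
defaultGateway=[default gateway ip0]
proxyDestinationUrlThumbprints=sha1=AB CD EF
'@ -split "`r?`n"
Test-UagIni -Lines $sample
```

Against a real file, pass `Get-Content .\UAG-DaaS.ini` as `-Lines` and only start the deployment when nothing is returned.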

Installation procedure

So, now we have met all configuration and installation requirements, it’s time to install the UAG appliance!

Once we have downloaded and installed the OVF Tool and created the Configuration File, we can run the PowerShell script by specifying the script name and the configuration file name, as shown in this example:

  • .\UAGDeploy.ps1 .\UAG-DaaS.ini

The script will prompt you for the following input:

  • Admin and Root account passwords
  • Join CEIP: yes/no
  • vCenter administrator password
  • Certificate password (only if a .P12 or .PFX file is specified; a certificate and key file provided in .PEM format will not prompt for a password)

After this input is correctly filled in, the script will start to import the .OVA template (using the OVF Tool) into vCenter. You can track the progress directly via the script or from within vCenter.

After a few minutes the import is complete. The UAG will then initialize and automatically configure the IP addresses specified in the Configuration File.

After the UAG is deployed successfully, you can check/verify if the implementation is working as expected!

Failed to send http data?

Getting the error “failed to send http data”?

First, check the “target=vi://” line in the configuration file to verify there aren’t any typos.

Still not working? In that case, this could be related to your (self-signed) certificate of the ESXi host. Connect to the configured ESXi host (which is specified in the target section of the configuration file) via a browser and accept the certificate. After this step, try to run the script again!

Console Access not working?

In Horizon DaaS 9.x, the TCP Forward Rule is no longer needed; it is only required for Horizon DaaS 8.0.x.

Please be sure to check my [WebReverseProxy] section, which contains the configuration for the HACA Reverse Proxy Settings.

If correctly configured, you should see the following in the UAG admin portal (green means successfully configured and connected!).


PowerShell is a very powerful, fast and reliable way to deploy the UAG in Horizon DaaS. The deployment has some configuration and deployment requirements, but once you have met all of these, the deployment is relatively easy and fast.

In addition, you can reuse the Configuration File as a template for other tenant environments.