bjosoren's IT-Tech blog

IT-Tech blog about different tried and tested solutions based on vmware, microsoft, linux and more tips and tricks

Horizon – Upgrade Unified Access Gateway to v.2503

Release date: May 13th 2025

Welcome to my Omnissa Unified Access Gateway series. The new version of Unified Access Gateway, 2503, was GA April 24th 2025. In this section I will describe how I upgraded my UAG’s to v. 2503. According to Omnissa’s official documentation, this should be done as step 8 in the supported update sequence.

Horizon 8 Upgrade Overview

To check out all the new features and changes with Unified Access Gateway 2503, read the release notes from Omnissa posted here: Unified Access Gateway Release Notes. Below are some of the most important changes.

What’s New

  • Important Security Update for Horizon Deployments
    • This release resolves CVE-2025-25234. For more information on this vulnerability and its impact on Omnissa products, see OMSA-2025-0002.
    • If the HTTP requests arriving to Unified Access Gateway have a HTTP header Origin, the value of this header is now mandatorily validated against an allowed list of permitted origins in the Horizon Settings. See Mandatory Validation of Origin HTTP Header.
  • Security improvements
    • Administrators can now enable TLS 1.2 and TLS 1.3, independent of each other and the support for TLS 1.1 is removed. This is applicable only for Horizon Edge Service and Web Reverse Proxy Service.
    • Extended Master Secret support is now enabled for the Admin interface.
    • Enhancements to the default value of Content-Security-Policy HTTP header sent in HTTP responses from Unified Access Gateway.

First, I download the necessary installation media and Powershell scripts from Omnissa Customer Connect to my deployment server.

Next, I login to the Admin-GUI and export the settings before I start upgrading.

I copy the new OVA-file and the updated uagdeploy Powershell files to my working directory

Next, I edit the ini-files with new ova filename

In my previous upgrades, I have reconfigured the SSL Certificates after deployment. This time, I will use the ini-file to configure the SSL Certificate. I first export the certificates from the HAProxy server as described here: HAProxy Export certificates. Next, I need to encrypt my key with RSA, running the command documented by Omnissa here: Convert Certificate Files to One-Line PEM Format.

openssl rsa -in c:\cert\desktop\privkey.pem -check -out c:\cert\desktop\privkey_rsa.pem

I copy the “privkey_rsa.pem”-file to my working folder and adjust the SSLCert section in the ini-file

Finally, I deploy the UAG’s with the new ova-file using the existing ini-files. As we can see from the screenshot below, the script automatically shuts down the existing UAG’s and deletes them, before deploying the new UAG’s using the settings I defined in the ini-files. NOTE: When executing the uagdeploy.ps1 script, I previously used PASSWORD PASSWORD false false no as parameters, but these no longer works. I replaced PASSWORD with the passwords I wanted to use instead, which works flawlessly. For details see: Using PowerShell to Deploy Omnissa Unified Access Gateway

It is also important to check out the new demands due to the “Re-Write Origin Header” property, as documented by Omnissa here: Configure Horizon Settings

Reference: Cross-Origin Resource Sharing (CORS) with Horizon 8 and loadbalanced HTML5 access. (85801)

I adjust my locked.properties file as shown below and restart my Connection Servers

When the upgrade is complete, I log in and check that all my settings are correct,

I also login to Horizon Administrator, where I can see that the Gateways are up and running the new version

This completes the UAG upgrade, and I do a test by logging in through the HAProxy and UAG’s. With this done, I can now proceed with upgrading the MDT OSOT components prior to upgrading agents within the Horizon Desktops, covered here: Horizon – Upgrade OSOT MDT Plugin to v. 1.2.2406

Unified Access Gateway Release Notes

UAG Documentation:

Omnissa Documentation:

Unified Access Gateway – Upgrades

Unified Access Gateway planning, deployment etc.

Disclaimer: Every tips/tricks/posting I have published here, is tried and tested in different it-solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.