VMware Unified Access Gateway – Upgrade to v. 2306

Release date: September 25th 2023

Welcome to my VMware Unified Access Gateway series. The new version of Unified Access Gateway, 2306, went GA on July 6th 2023. In this section I will describe how I upgraded my UAGs to v. 2306. According to VMware’s official documentation, this should be done as step 8 in the supported update sequence.

To check out all the new features and changes with VMware Unified Access Gateway 2306, read the release notes from VMware posted here: Unified Access Gateway 2306 Release Notes. Below are some of the most important changes.

VMware Unified Access Gateway 2306 provides the following new features and enhancements:

  • Added compatibility with Horizon Connection Server’s support for setting enforcement state from clients with the same or a higher certificate checking mode.
  • Added support for PKG file type to Custom Executable distribution.
  • Support for enforcing virtual channel restrictions with Blast protocol. This list overrides any settings applied through the Horizon Agent.
  • Improved compatibility with Web Reverse Proxying to web services using NTLM authentication.
  • Enhancements in SAML authentication for the Admin UI administrator login.
    • Configuration of static Service Provider entity id that is included in the Service Provider’s metadata.
    • Option to sign SAML AuthNRequest with TLS certificate installed on admin interface.
  • Added support to Tunnel Edge Service for optional Configuration ID parameter (used in future UEM release).
  • Logging improvements and troubleshooting enhancements.
  • Updates to Photon OS package versions and Java component versions.

First, I download the necessary installation media and PowerShell scripts from VMware Customer Connect to my deployment server.

Next, I log in to the admin-gui and export the settings before I start upgrading.

I copy the new OVA-file and the updated uagdeploy PowerShell files to my working directory.

Next, I edit the ini-files with the new OVA filename.

In my previous upgrades, I reconfigured the SSL certificates after deployment. This time, I will use the ini-file to configure the SSL certificate. I first export the certificates from the HAProxy server as described here: HAProxy Export certificates. Next, I need to convert my private key to RSA format, running the command documented by VMware here: Convert Certificate Files to One-Line PEM Format. The command checks the key and writes it out unencrypted, so the output file needs the same protection as the original private key.

openssl rsa -in c:\cert\desktop\privkey.pem -check -out c:\cert\desktop\privkey_rsa.pem

I copy the “privkey_rsa.pem”-file to my working folder and adjust the SSLCert section in the ini-file.
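Because the deployment in the next step deletes the running appliances before the new ones come up, it is worth confirming beforehand that the ini-file points at a certificate and key that actually belong together. The function below is an added example, not part of VMware's uagdeploy scripts or of the original post; it assumes openssl is on the PATH, that the SSLCert section uses the pemCerts and pemPrivKey keys, and that relative paths are relative to the ini-file's folder.

```powershell
# Added example: pre-flight check of the [SSLCert] section before running uagdeploy.ps1.
# Assumptions: openssl is on PATH, the section uses the pemCerts and pemPrivKey keys,
# and relative paths are resolved against the folder that holds the ini file.
function Test-UagSslCertSection {
    param(
        [Parameter(Mandatory)] [string] $IniPath,
        [int] $MinDaysValid = 30
    )
    $iniDir  = Split-Path -Parent (Resolve-Path -LiteralPath $IniPath).ProviderPath
    $section = ''
    $values  = @{}
    foreach ($line in Get-Content -LiteralPath $IniPath) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'SSLCert' -and $t -match '^([^#;=]+)=(.*)$') {
            $values[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    foreach ($key in 'pemCerts', 'pemPrivKey') {
        if (-not $values[$key]) { throw "No $key entry under [SSLCert] in $IniPath" }
        if (-not [IO.Path]::IsPathRooted($values[$key])) {
            $values[$key] = Join-Path $iniDir $values[$key]
        }
        if (-not (Test-Path -LiteralPath $values[$key] -PathType Leaf)) {
            throw "$key points to a missing file: $($values[$key])"
        }
    }
    # Public key of the first (leaf) certificate in the file.
    $certPub = (& openssl x509 -in $values.pemCerts -noout -pubkey 2>$null) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "openssl cannot read a certificate from $($values.pemCerts)" }
    # Public key derived from the private key; the empty -passin makes an encrypted
    # key fail here instead of prompting for a passphrase.
    $keyPub = (& openssl pkey -in $values.pemPrivKey -passin 'pass:' -pubout 2>$null) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "openssl cannot read the key in $($values.pemPrivKey)" }
    # -checkend exits non-zero when the certificate expires within the given seconds.
    & openssl x509 -in $values.pemCerts -noout -checkend ($MinDaysValid * 86400) *> $null
    $validLongEnough = $LASTEXITCODE -eq 0
    [pscustomobject]@{
        Certificate     = $values.pemCerts
        PrivateKey      = $values.pemPrivKey
        KeyMatchesCert  = $certPub -ceq $keyPub   # case-sensitive: the PEM body is base64
        ValidLongEnough = $validLongEnough
    }
}
# Usage (uag1.ini is a placeholder name): Test-UagSslCertSection -IniPath .\uag1.ini
```

If KeyMatchesCert or ValidLongEnough comes back False, fix the files referenced in the ini-file before starting the deployment.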

Finally, I deploy the UAGs with the new OVA-file using the existing ini-files. As we can see from the screenshot below, the script automatically shuts down the existing UAGs and deletes them, before deploying the new UAGs using the settings I defined in the ini-files. NOTE: When executing the uagdeploy.ps1 script, I previously used PASSWORD PASSWORD false false no as parameters, but these no longer work. I replaced PASSWORD with the passwords I wanted to use instead, which works flawlessly. For details see: Using PowerShell to Deploy the Unified Access Gateway Appliance.

It is also important to check out the new requirements that come with the “Re-Write Origin Header” property, as documented by VMware here: Configure Horizon Settings.

Reference: Cross-Origin Resource Sharing (CORS) with Horizon 8 and loadbalanced HTML5 access. (85801)

I adjust my locked.properties file as shown below and restart my Connection Servers.

When the upgrade is complete, I log in and check that all my settings are correct.

I also log in to VMware Horizon Administrator, where I can see that the Gateways are up and running the new version.

This completes the UAG upgrade, and I do a test by logging in through the HAProxy and UAGs. With this done, I can now proceed with upgrading the MDT OSOT components prior to upgrading agents within the Horizon Desktops, covered here: VMware Horizon – Upgrade OSOT MDT Plugin to v. 2306.
