Unified Access Gateway 2106: Delivering a More Intelligent Experience

The Unified Access Gateway (UAG) has been rapidly evolving into a serious security appliance. UAG 2106 adds a few more features that move the needle. Today, we will cover three features that have surfaced over the last three or so versions that I am very excited about and that every company should implement: moving away from basic authentication in the Admin Console, WS1 Intelligence integration, and automated patching.

Tightening Authentication Patterns on UAG

Today, Admin UI security is a bit of a joke. Let's count the ways it's bad in most environments:

  • Admin and Root credentials are commonly the same
  • The sessions never time out
  • They use basic authentication
  • Single shared login

I'm sure there are plenty more, so let's keep it simple. We know they're bad and we need to fix them. Let's talk about how UAG 2106 does that.

First, you now get a setting during template customization to set the admin session idle timeout:

Additionally, in the last few releases they now let you set password policies around the root password/admin password:

These are some truly great advancements on the password and account hardening, but now with 2106 we have moved it a step further!

UAG Admin SSO

In 2106, we now have the ability to deliver Single Sign-On for the Admin GUI, powered by SAML. It's a huge advancement that lets you put a stronger mechanism (your identity provider's authentication and MFA policies) in front of admin access than the local password ever could. Check out my video on setting up Admin SSO:

The setup, as you saw, is pretty simple. Once you import the IdP metadata and turn things on, you just need to set the SSO URL, SP Entity ID, and SP Issuer on the identity provider side, similar to the table below:

Option                         Description
Single sign on URL             Enter the assertion consumer service URL as https://{{uag-fqdn}}:9443/login/saml2/sso/admin
Audience URI (SP Entity ID)    Enter the audience URL as https://{{uag-fqdn}}:9443/admin
SP Issuer                      If required, enter the SP issuer as https://{{uag-fqdn}}:9443/admin

The main concern I have with this new setup is that your identity provider now controls who can access the Admin UI. Unlike most SAML-enabled applications, where the application's own user database remains the source of truth for accounts and roles, the UAG defers that decision to the IdP. It's not the end of the world, but I would prefer a model where users must also be added to the UAG and assigned roles before they can sign in, so that access is properly scoped on both sides.

For those who use UAGDeploy, some of the settings you will want to add in are:

##For Importing IDP Metadata##
[IDPExternalMetadata1]
metadataXmlFile=C:\UAGDeploy\VIDM.xml
entityId=https://workspaceoneaccessURL/SAAS/API/1.0/GET/metadata/idp.xml
forceAuthN=false
allowUnencrypted=false
##for the Admin Password Expiration##
[General]
adminPasswordExpirationDays=90
adminSessionIdleTimeoutMinutes=10
##For enabling SSO##
[adminSAMLSettings]
enable=true
entityId=https://workspaceoneaccessURL/SAAS/API/1.0/GET/metadata/idp.xml

Automated Patching on the UAG

The next area to focus on is Photon OS automatic patching. This new capability lets you automatically apply OS package updates when the appliance boots. VMware posts packages at packages.vmware.com as new updates arrive, and on reboot the UAG applies them, as long as you have configured it to do so.

Some customers may choose to build their own internal patch locations that mirror the VMware package repositories, but for most environments you can use the default settings and apply those packages easily. Check out the video for more, but it's a super easy setup:

For those who use UAGDeploy, some of the settings you will want to add in are:


[PackageUpdates]
packageUpdatesOSURL=https://packages.vmware.com/photon
packageUpdatesScheme=ON_NEXT_BOOT
packageUpdatesURL=https://packages.vmware.com/uag
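Before handing an INI file to uagdeploy.ps1, it is worth checking that the pieces above agree with each other: the entityId in both [IDPExternalMetadata1] and [adminSAMLSettings] must equal the entityID attribute inside the metadata file you import, the password and idle-timeout settings should actually be present, and the package update scheme must be one of the values the UAG documentation lists (OFF, ON_NEXT_BOOT, ON_EVERY_BOOT). The following Python pre-flight check is an added example written for this post, not code from VMware or from the UAGDeploy scripts; it combines the INI fragments from the SAML and patching sections above into one constructed sample, and the IdP metadata document is a constructed stand-in for VIDM.xml with a placeholder tenant name. The sp_values() helper reproduces the table of SP-side values for a given UAG FQDN.

```python
"""Pre-flight consistency check of a UAGDeploy INI fragment (added example)."""
import configparser
import xml.etree.ElementTree as ET

# Constructed sample: the INI fragments from this post joined into one file.
# "workspaceoneaccessURL" and the C:\UAGDeploy paths are placeholders.
SAMPLE_INI = """\
##For Importing IDP Metadata##
[IDPExternalMetadata1]
metadataXmlFile=C:\\UAGDeploy\\VIDM.xml
entityId=https://workspaceoneaccessURL/SAAS/API/1.0/GET/metadata/idp.xml
forceAuthN=false
allowUnencrypted=false
##for the Admin Password Expiration##
[General]
adminPasswordExpirationDays=90
adminSessionIdleTimeoutMinutes=10
##For enabling SSO##
[adminSAMLSettings]
enable=true
entityId=https://workspaceoneaccessURL/SAAS/API/1.0/GET/metadata/idp.xml
[PackageUpdates]
packageUpdatesOSURL=https://packages.vmware.com/photon
packageUpdatesScheme=ON_NEXT_BOOT
packageUpdatesURL=https://packages.vmware.com/uag
"""

# Constructed stand-in for VIDM.xml: a minimal SAML 2.0 IdP metadata document.
SAMPLE_IDP_METADATA = """\
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://workspaceoneaccessURL/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://workspaceoneaccessURL/SAAS/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# Scheme values documented for packageUpdatesScheme (assumed complete here).
VALID_SCHEMES = {"OFF", "ON_NEXT_BOOT", "ON_EVERY_BOOT"}


def sp_values(uag_fqdn: str) -> dict:
    """SP-side values to enter in the IdP, as listed in the post's table."""
    base = f"https://{uag_fqdn}:9443"
    return {
        "sso_url": f"{base}/login/saml2/sso/admin",
        "sp_entity_id": f"{base}/admin",
        "sp_issuer": f"{base}/admin",
    }


def idp_entity_id(metadata_xml: str) -> str:
    """Return the entityID of a SAML IdP metadata document."""
    root = ET.fromstring(metadata_xml)
    if root.find("md:IDPSSODescriptor", MD_NS) is None:
        raise ValueError("metadata has no IDPSSODescriptor; not IdP metadata")
    return root.attrib["entityID"]


def check_ini(ini_text: str, metadata_xml: str) -> list:
    """Return a list of findings; an empty list means the fragment is consistent."""
    # UAGDeploy values contain ':' in URLs and Windows paths, so only '=' splits.
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(ini_text)
    findings = []

    # Both SAML sections must reference the IdP that the metadata file describes.
    idp_id = idp_entity_id(metadata_xml)
    for section in ("IDPExternalMetadata1", "adminSAMLSettings"):
        configured = cfg.get(section, "entityId", fallback=None)
        if configured != idp_id:
            findings.append(f"{section}: entityId {configured!r} != metadata entityID {idp_id!r}")
    if not cfg.getboolean("adminSAMLSettings", "enable", fallback=False):
        findings.append("adminSAMLSettings: enable is not true, Admin SSO stays off")
    if cfg.getboolean("IDPExternalMetadata1", "allowUnencrypted", fallback=True):
        findings.append("IDPExternalMetadata1: allowUnencrypted should be false")

    # Account hardening: both settings should be present and positive.
    for key in ("adminPasswordExpirationDays", "adminSessionIdleTimeoutMinutes"):
        if cfg.getint("General", key, fallback=0) <= 0:
            findings.append(f"General: {key} is missing or not positive")

    # Patching: a known scheme, and https repositories whenever updates are on.
    scheme = cfg.get("PackageUpdates", "packageUpdatesScheme", fallback="OFF")
    if scheme not in VALID_SCHEMES:
        findings.append(f"PackageUpdates: unknown packageUpdatesScheme {scheme!r}")
    elif scheme != "OFF":
        for key in ("packageUpdatesURL", "packageUpdatesOSURL"):
            if not cfg.get("PackageUpdates", key, fallback="").startswith("https://"):
                findings.append(f"PackageUpdates: {key} must be an https URL")
    return findings


if __name__ == "__main__":
    print(sp_values("uag.example.com"))
    print(check_ini(SAMPLE_INI, SAMPLE_IDP_METADATA) or "INI fragment is consistent")
```

Point the script at your real INI and the metadata file you downloaded from Workspace ONE Access (read both with open().read()) and run it before each deployment; an entityId mismatch is the most common reason the Admin UI SAML login silently falls back to the local password prompt after a redeploy.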

Workspace ONE Intelligence Integration

One of the more exciting things to hit recently is the Intelligence Integration for the UAG. First, check out the video below to see how easy the integration is:

So, you might be asking why this is good. One of the major ways you can benefit from the Workspace ONE Intelligence integration is the user activity reporting that arrived in UAG 2106.

In UAG 2106, you can now feed Intelligence with data like:

  • What Applications are being used in the Tunnel
  • What Users are most active
  • Websites that are frequently visited
  • Risk Scores

You will now be able to use that data to build policies, reports, and automations that give you a deeper understanding of how to improve the digital employee experience. As SASE, the UAG, and the wider security platform mature, you can build deeper integrations toward a full security solution. One thing I am still looking forward to is just-in-time compliance enforcement on the tunnel, which builds on the same idea.

For those who use UAGDeploy, some of the settings you will want to add in are:

[WorkspaceOneIntelligenceSettings1]
encodedCredentialsFile=C:\UAGDeploy\uag.credentials.json
name=UAGIntegration

[WorkspaceOneIntelligenceDataSettings]
enabled=true
name=UAGIntegration
updateInterval=3600

Final Thoughts

One of the big challenges many of us have today is justifying the cost of Workspace ONE Intelligence. This is no simple feat, but with the major advancements in WS1 Intelligence we are building toward a great story we can tell. I have written extensively on the UAG, including my article from last year. The biggest hurdle with the UAG in general is how challenging it can be to manage.

VMware is making some major improvements here to build a better story. Security is the whole focus of the UAG, and by hardening admin access, integrating with the VMware ecosystem, and keeping vulnerabilities patched, it becomes stronger.
