Omnissa UAG via Cloudflare Tunnel
First things first…
- I would not suggest this in a production environment as it's not supported
- This was for lab testing and emergency access
- Please check your security so that exposure is limited
- At present this only works for HTML Access, which is all I have tested with it; the Horizon Client won't work
- Again, I would not recommend this, but you could also point this at one of your Connection Brokers
Due to a constraint, my UAG will eventually sit behind a load balancer, but what happens if that load balancer fails, or if I just want to give someone (including myself) some quick access in the meantime when I cannot connect via a VPN?
I decided to try and test using Cloudflare Tunnel to gain access to my lab via Horizon, and after quite some tinkering I managed to get this to work.
UAG Prep
Firstly, log into the UAG admin panel.
Once logged in, select Configure Manually.
Expand the Edge Service Settings and then select the cog for the Horizon configuration.
Expand the settings and find the additional Blast External URLs and Tunnel URLs. Add the alternative name that you have hosted via your Cloudflare Tunnel DNS (this is the public hostname users will browse to, so it must match exactly), and ensure you save the config.
Connection Broker Prep
I was inspired by Carl Stalhood's blog, in this article, on how to fix some of the checks so that the HTML interface is allowed to connect.
On new installations the file you need to create is held in the following location: C:\Program Files\Omnissa\Horizon\Server\sslgateway\conf\locked.properties
More information can be found over at the Omnissa KB too, here, but you will need the file to have the following settings as shown below.
Restart the Secure Gateway service for the changes to take effect; this may take some time to come back online.
Cloudflare Configuration
Log in to your main Cloudflare panel and head into the Zero Trust section.
Select Networks and then Connectors.
From here select Create a tunnel.
Select Cloudflared; in my example I am installing this on my primary Connection Broker, as I know the required firewall ports are already open from there to the UAG.
Name the tunnel appropriately.
Download the executable, copy it to your Connection Broker and run it to install the application. Once installed, copy the command shown (it is unique to this tunnel, as it embeds the tunnel token) and execute it in an elevated Command Prompt or elevated PowerShell window.
Now, at the top, select Publish application routes and then Add a published application route.
From here enter the same public hostname you added to the UAG earlier, point the service at the UAG over HTTPS, and then expand the Additional application settings.
Part way down, enable No TLS Verify so that cloudflared also skips the certificate checks that would otherwise fail against the UAG's self-signed certificate. Note that this only disables validation on the hop from cloudflared to the UAG (the browser to Cloudflare hop is still TLS), so it is acceptable on an internal network but a trusted certificate on the UAG is the better fix.
Click Complete setup and then head over to the new address; you should see the UAG HTML Access window and be able to test your environment.
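For anyone who would rather run the tunnel with a local config.yml on the Connection Broker instead of the dashboard-published route above, the following is an added example and not part of the original post or Cloudflare's documentation for this setup. The tunnel UUID, credentials path, hostnames and certificate path are placeholders. It shows the route as built above (No TLS Verify) beside the setting a practitioner would use instead once the UAG certificate, or its issuing CA, has been exported to the Connection Broker.

```yaml
# cloudflared config.yml for a locally managed tunnel (added example, placeholders throughout).
# When cloudflared runs as a Windows service it reads this file from the service
# account's .cloudflared folder; check the cloudflared docs for the exact path.
tunnel: 00000000-0000-0000-0000-000000000000                     # placeholder tunnel UUID
credentials-file: C:\cloudflared\00000000-0000-0000-0000-000000000000.json   # placeholder

ingress:
  # Public hostname: must match the name added to the UAG Blast External URL / Tunnel URL
  - hostname: horizon.example.com
    # Origin: the UAG, reached over the internal network from the Connection Broker
    service: https://uag.lab.example:443
    originRequest:
      # As configured in the dashboard walkthrough ("No TLS Verify"):
      # cloudflared accepts any certificate the origin presents, so a host on the
      # internal path that can answer as the UAG would not be noticed.
      # noTLSVerify: true
      #
      # Preferred: pin the UAG certificate (or its issuing CA) instead.
      caPool: C:\cloudflared\uag-ca.pem          # placeholder path to the exported PEM
      originServerName: uag.lab.example          # the name in the UAG certificate
      # HTML Access (Blast) runs over WebSocket; cloudflared proxies WebSockets by default.
  # Everything that is not the published hostname gets a 404 rather than reaching the origin
  - service: http_status:404
```

With this file in place the tunnel is started with `cloudflared tunnel run <tunnel-name>` (or installed as a service the same way), and the DNS record for the hostname is created with `cloudflared tunnel route dns <tunnel-name> horizon.example.com`. A tunnel installed with the dashboard token ignores local ingress rules, so pick one management mode and stick with it.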
A little bit of security!
Please do not take these next steps as good security, but it is a start if the above works, as you do not want everyone being able to reach your UAG login page. Cloudflare Access only gates the HTTP entry point; the UAG and Connection Server still perform the Horizon authentication behind it.
Expand Access Controls and then Policies.
From here select Add a policy.
Below is a high-level example of what I use for some basic security.
Now head over to Applications in the left-hand panel.
Select Add an application.
From here select Self-hosted.
Enter the same details you used for the tunnel earlier in the window below and select a session duration suitable for your needs.
Now select Policies and then Select existing policies.
Select the policy you created earlier and any others you may want to apply.
Select Login methods and enable any required check. In my example I am happy with the One-time PIN to my email. Finally, click Save application in the lower right to confirm the configuration.
Now it is time to retest. If all has gone to plan you should see the window below and need to authenticate with a one-time code sent to your email; addresses on any other domain simply do not receive the one-time PIN.