Unified Access Gateway 3.x Troubleshooting
I recently did a proof of concept of Horizon Enterprise with App Volumes and User Environment Manager. Some of the requirements were; HA were possible and External Access. For External Access, we wanted to deploy Unified Access Gateway.
We investigated the High Availability option of UAG because their F5 environment was not supported. One of the prerequisites to setup UAG HA is 3 Public IP Addresses, because of the different traffic flows for XML API and BLAST.
The customer didn’t have 3 public IP Addresses for the POC and upgrading the F5 environment was not an option. After carefully considering the risks we decided to deploy one UAG with 2 NICs. It’s a POC after all. In a later phase, the updated F5’s can load balance the UAG traffic. Keep in mind for multi-site load balancing, you still need a Global Traffic Manager. UAG HA mode can only load balance site-local traffic.
We deployed the UAG with Powershell which is the recommended way. You can find more information on how to deploy the UAG with Powershell on this link. After the deployment, we had to add the Certificate thumbprints of the Connection Servers because they were issued by an internal CA.
When you hover over the I icon it states that you can use sha1= for SHA-1 certificates and sha256= for SHA-256 certificates. We had SHA-256 certificates and entered sha256=AE:B6… but the Connection Server URL still indicated it was not reachable. This can also happen if the certificate is not valid or the UAG can’t resolve the Horizon Connection Server URL. We checked the certificate and it was valid and the Connection Server URL could be resolved. Rebooting the UAG, redeployment, nothing solved our problem. We entered sha1= and our SHA-256 thumbprint and then everything worked. So always use sha1= even if you have a different Secure Hash Algorithm.
All the checks were green and we tried an external connection but got the error: Connection Reset.
We checked the routing table on the UAG and found that the default route on the Public Facing NIC was wrong. We deleted the route with the following command: route del default
If you get a Connection Reset Error when you access your External URL check the routing table of your UAG. Make sure that the first line is not Default with Gateway *.
I hope this helps you in troubleshooting your UAG deployment problems!