Unified Access Gateway for end-user computing products and services needs high availability for Workspace ONE and VMware Horizon on-prem deployments. However, using third-party load balancers adds to the complexity of the deployment and troubleshooting process. This solution reduces the need for a third-party load balancer in the DMZ front-ending Unified Access Gateway .

This module will guide you through the deployment of two Unified Access Gateway appliances and the setup of High Availability in both. The deployment will use PowerShell script, and the setup of High Availability will be done through the administration console.

The Unified Access Gateway will be deployed with two NICs, one facing internet and the second one dedicated to Management and Backend access.

This manual covers Unified Access Gateway 3.4 deployment in vSphere 6.5 U1.

Virtual IP address and Group ID

Unified Access Gateway requires an IPv4 virtual IP address and a group ID from the administrator, to assign the virtual IP address to only one of the appliances (nodes) in the cluster that is configured with the the same Virtual IP address and Group ID.

When the Unified Access Gateway holding the virtual IP address fails, the Virtual IP address gets reassigned automatically to one of the nodes available in the cluster. The high availability and load distribution occurs among the nodes in the cluster that is configured with the same Group ID.

How Unified Access Gateway High Availability distribute the traffic

Multiple connections originating from the same source IP address are sent to the same Unified Access Gateway that processes the first connection from that client for Horizon and web reverse proxy, for Per-App Tunnel and Content Gateway  connections are stateless and session affinity is not required, least connection algorithm is used to distribute the traffic.

Unified Access Gateway high availability supports 10,000 concurrent connections in the cluster.

Different Unified Access Gateway services require different algorithms.

  • For VMware Horizon and Web Reverse Proxy - Source IP Affinity is used with the round robin algorithm for distribution.
  • For VMware Tunnel (Per-App VPN) and Content Gateway - There is no session affinity and least connection algorithm is used for distribution.

Methods that are used for distributing the incoming traffic:

  1. Source IP Affinity: Maintains the affinity between the client connection and Unified Access Gateway node. All connections with the same source IP address are sent to the same Unified Access Gateway node.
  2. Round Robin mode with high availability: Incoming connection requests are distributed across the group of Unified Access Gateway nodes sequentially.
  3. Least Connection mode with high availability: A new connection request is sent to the Unified Access Gateway node with the fewest number of current connections from the clients.


All of the following pre-requisites are already installed for this Module, the following information is just for your reference.

To deploy Unified Access Gateway using PowerShell script, you must use specific versions of VMware products.

  • vSphere ESX host with a vCenter Server.
  • PowerShell script runs on Windows 8.1 or later machines or Windows Server 2008 R2 or later.
  • The Windows machine running the script must have VMware OVF Tool command installed.
  • You must install OVF Tool 4.3 or later from
  • Download a version of UAG virtual appliance image from VMWare. This is an OVA file e.g. .euc-access-point-3.4.X.X-XXXXXXXXXXX.ova. Refer to VMware Product Interoperability Matrixes to determine the version to download.
  • Download the correct UAG PowerShell script version, it's named uagdeploy-VERSION.ZIP file and extract the files into a folder on your Windows machine. The scripts are host at under Unified Access Gateway product.
  • You must select the vSphere data store and the network to use.

Starting with version 3.3, you can deploy Unified Access Gateway without specifying the netmask and default gateway settings in Network Protocol Profiles(NPP). You can specify this networking information directly during deployment of your Unified Access Gateway instance.


Add your comment

E-Mail me when someone replies to this comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.