After years of relying on the VDI machines within your VMware environment it’s finally time to give it some much needed love. So we are gonna update the actual connection servers and Unified Access Gateway to a newer version.

The Connection server has a couple of functions, mainly it authenticates the users through the AD and directs them to the appropriate virtual machine.

The UAG (Or Unified Access Gateway) has a similar role as the Connection server, only is it made for remote users to connect securely. Hopefully the image below will give some clarification on the working of the Unified Access Gateway. Most of the times users connect to the virtual machines via the Connection servers inside the network and the UAG outside the network.

Side Note! Before you start the upgrade of both systems, be sure to have snapshots, backups and necessary configurations saved and ready. Always be ready for Murphy’s first law: “Anything that can go wrong will go wrong.”

First we’ll start with the download of the necessary files. We’ll need the Horizon Connection Server (64-bit) executable and the latest Unified Acces Gateway Non-fips .ova file from the VMware Customer Connect site.

Side Note! When your there don’t forget the Horizon Agent (64-bit) for later use.

The installation file will look something like VMware-viewconnectionserver-x86_64-y.y.y–xxxxxx.exe
(xxxxxx is the build nummer and y.y.y the version number)

You probably have run hundreds if not thousands of installation files so lets start with another one on the connection server, just be sure you run the first installation on the server that holds the ADAM/FSMO schema role.

Side Note! Its easy to find out the role owner if it is not known to you, just follow the VMware KB 2064157 Article. If you need to transfer a role to another server this is a easy to follow article that can be followed.

Now everything is checked and ready so we can start the executable and click next a couple of times, just follow these steps a bit if you like.

• Accept the VMware license terms.
• Accept the installation folder.
• Select the Horizon Standard Server installation option.
• Select “Install HTML Access” (This is so users can use the browser to connect to the desktop.)
• Select IPv4.
• Select Non-FIPS.
• Type the data recovery password you want to use. (if needed, this is used for the recovery of a backup.)
• Choose the “Configure Windows Firewall automatically”.
• Choose Horizon Administrators accounts.
• Select “General” where the connection server is deployed.
• Click Install to complete the setup.

After the first connection server is upgraded, the others can be upgraded as well, keep in mind that these are the Replica servers, not the Standard. Also there is no way to downgrade the system. (But off course we have a snapshot!)

Now you can open the browser and use your IP address (https://<Your_IP>/admin) to login to the Horizon Console, here we can add the new license key for instance. (Settings -> Product Licensing and Usage)

If you are gonna upgrade the UAG later (which you are probably doing to make sure everything is still working) don’t forget to register it under Settings -> Servers -> Gateways with the FQDN.

So far hopefully so good, lets go on and get the new UAG ready!

First lets collect the settings of the old Unified Access Gateway. You can export them to a JSON file in the browser using https://<Your_UAG_IP&gt;:9443/admin/index.html and store them somewhere save.

If remembered right, we downloaded the Non-fips .ova file of the Unified Access Gateway, which we can deploy in our virtual environment.
During the deploy of the OVA template select Single NIC, Thin Provision, select the right networks and fill in your IP, Subnet and Gateway with the new passwords for root and admin logins. Pretty straightforward stuff.

When you have your old settings (JSON file) from the old UAG, we can turn it off and power up the new UAG, now it’s an easy job of importing the JSON file into the browser of the new UAG and 90% of the settings is done!

Be aware that the remaining 10% is the certificate that has to be re-uploaded for the admin and internet interface, this can be done under “TLS Server Certificate Settings”. And the Thumbprint of this certificate has to be re-entered in the Horizon Settings.

Also be sure that the FQDN of the UAG is again registered in the Horizon Console and that the Horizon Agent executable is run in the golden images of the desktops.

Lastly I want to remind everyone (including myself) not to forget that there are new Group Policy templates available that can be updated in the sysvol folder.

If you have anymore questions or need more pictures and resources, it is all been perfectly described at the following links in great-great detail:


https://docs.vmware.com/en/VMware-Horizon/2209/horizon-installation/GUID-916EEE7C-C284-4D0B-9B03-0DA7A7662CF0.html

https://docs.vmware.com/en/Unified-Access-Gateway/2209/uag-deploy-config/GUID-537BD936-73B4-4902-A15D-5723295BA29E.html

https://www.carlstalhood.com/vmware-horizon-8-connection-server/

https://www.carlstalhood.com/vmware-unified-access-gateway/#upgrade



If you liked this post, learned some new things or this article helped you out please think about giving a one time donation at the Donation Page to keep the site online!